A Deeper Understanding of People’s Attitudes and Behaviors towards Privacy

4.2A Deeper Understanding of People’s Attitudes and Behaviors towards Privacy

One area where research is sorely needed is developing better ways of presenting warnings and notifications to people. There are many difficult forces to balance in creating an effective warning system. Warnings must be visible, comprehensible, understandable, and plausible to end-users [70, 311]. Cranor has also argued that warnings need to be tied to clear actions,¹⁶ and be designed so that users keep doing the right thing (rather than ignoring or turning them off). A counterexample to almost all of the above would be standard warning dialogs, most of which are simply swatted away because they get in the way of the user’s primary goals.

Another needed line of research is in understanding how attitudes and behaviors towards privacy-affecting systems evolve and reconcile over time. For example, recent research has shown that behavior in privacy matters often differs from stated preferences, for a variety of reasons [272]. Acquisti and Gross have also shown that on the Facebook social networking site, people perceived others as revealing too much information despite revealing a great deal of information about themselves.

A third needed line of work is that of understanding how to influence the behavior of users. For example, Jagatic et al. provide a striking instance of how publicly available information gathered from social networking web sites can be used to trick people into giving up personal information, such as passwords. They showed that individuals are more likely to fall for phishing attacks if the sender is from their existing social network [164]. These attacks are known as spear-phishing, or context-aware phishing. By incorporating sender information mined from a social networking site, they showed that scam emails were much more effective in deceiving the targets. Two other examples of research that would fall into this category include convincing people not to abuse other people’s trust (for example, cyber-stalking a person), and persuading people that they can do simple things to protect their privacy online.

Here, one challenge is that the very behaviors under scrutiny are not stable, but evolve with the adoption of new technologies. For example, the surge of identity theft and the enactment of legislation countering it suggests that the public is becoming slowly, if painfully, aware of the risks of combining personal information from multiple data sources. On the other hand, the availability of personal information from multiple sources has transformed the previously difficult task of constructing individuals’ profiles into a fairly trivial activity [232]. It is not uncommon for people to “google” potential dates and prospective employees and find past postings on message boards, photographs, and with some effort, information on political affiliations, social networks, criminal records, and financial standing.

Furthermore, the willingness of people to ultimately accept these technologies despite the intrinsic risks shows that HCI researchers should not trust stated preferences relative to unknown technologies, but analyse the use of the technologies in practice. We discuss this point further below in Section 4.5 in relation to acceptance.

To summarize, we see an increasing role for “behavioral” research in HCI relative to privacy. The cost of this kind of research is higher than traditional survey-based or even lab-based experiments. However, we are convinced that the nature of the issues revolving around privacy demand this additional expense if the goal is to obtain credible and generalizable results.

4.3Developing a “Privacy HCI Toolbox”

With respect to design, we believe that there would be great value in developing an organic privacy toolbox. This privacy toolbox would be a catalog of privacy design methods and models, with an indication of what applications and social settings each is most effective. Practitioners could then choose to use these tools with a competent understanding of their contributions and limitation. We would like to stress that we are not proposing to develop a Software Engineering ‘methodology’ [270]—our proposal is simply a coherent collection that assists practitioners.

An initial catalog of design techniques for privacy and HCI would be relatively easy to devise. For example, we mentioned above that the FIPS are particularly fit for large personal data processing enterprises and have been adapted to novel technologies, both in the technical literature [116, 191] and in the Data Protection Authority community. Similarly, privacy guidelines, patterns, and risk models could help designers in specific, well delimited, circumstances [61, 156, 235].

A precise description of method applicability is essential. Thus, the toolbox should include a selection process, based on the application domain, the deployment context, and the type of privacy and security issues involved (e.g., personal privacy, data protection, sensitive information, etc.). A credible selection process requires the testing of the various methods’ effectiveness and usefulness, which is by far the most challenging aspect of this idea.

With respect to implementation, design teams are sorely lacking tools, frameworks, and reusable UI components and metaphors for creating privacy-sensitive systems. Examining the evolution of the graphical user interface (GUI) may help chart a research agenda to address this need. Similar to GUI components, we could develop reusable privacy tools, services, and toolkits for building privacy-sensitive UIs. Some possibilities include specialized GUI widgets and interaction techniques for helping end-users manage their personal privacy, new visualizations and user interfaces for helping administrators set privacy policies and manage large collections of personal information, and model-based user interfaces for weaving and enforcing privacy throughout the entire UI.

Developers should also pay attention to seemingly innocuous technologies, which may have unintentionally negative privacy implications (e.g., cookies in web browsers). Verification techniques able to identify these issues upfront, before deployment, would be very beneficial. However, the unpredictable nature of emergent use suggests that systematic techniques for identifying these issues may be very difficult to devise.

Finally, regarding evaluation, design teams need techniques specific to privacy, similar to heuristic evaluation and cognitive walkthrough. There is a general lack of understanding on how to evaluate the quality of a design with respect to privacy. This challenge is exacerbated by the rarity of privacy breaches, by the disconnect between the time and place of the actual privacy breach and when the user becomes aware of it, and by the ever-shifting attitudes and behaviors of users becoming familiar with new technologies.

Several techniques have been employed to address these challenges, such as presenting realistic previews of features (e.g., with the scenarios discussed in section ), sampling people’s reactions to privacy concerns through remote usability tests and remote surveys, etc. Some work has also been already done on adapting QOC and heuristic evaluation (e.g., Bellotti and Sellen’s QOC technique [42]). Other promising, yet unexplored, approaches are the use of cognitive walkthroughs tailored for privacy, as well as improved methods for conducting user studies to elicit possible privacy concerns. However, work on validating these techniques to assess their effectiveness is necessary before practitioners will be willing to embrace them.