Personal privacy through understanding and action: five pitfalls for designers


Abstract

To participate in meaningful privacy practice in the context of technical systems, people require opportunities to understand the extent of the systems’ alignment with relevant practice and to conduct discernible social action through intuitive or sensible engagement with the system. It is a significant challenge to design for such understanding and action through the feedback and control mechanisms of today’s devices. To help designers meet this challenge, we describe five pitfalls to beware when designing interactive systems—on or off the desktop—with personal privacy implications. These pitfalls are: (1) obscuring potential information flow, (2) obscuring actual information flow, (3) emphasizing configuration over action, (4) lacking coarse-grained control, and (5) inhibiting existing practice. They are based on a review of the literature, on analyses of existing privacy-affecting systems, and on our own experiences in designing a prototypical user interface for managing privacy in ubiquitous computing. We illustrate how some existing research and commercial systems—our prototype included—fall into these pitfalls and how some avoid them. We suggest that privacy-affecting systems that heed these pitfalls can help users appropriate and engage them in alignment with relevant privacy practice.

Notes

  1. We will use the term privacy-affecting as a general description for any interactive system whose use has personal privacy implications. We will use the term privacy-sensitive to describe any privacy-affecting system that—by whatever metrics are contextually relevant—reasonably avoids invading or disrupting personal privacy. This article is intended to help minimize the number of privacy-affecting systems that are not privacy-sensitive.

  2. Some might object here, noting that informing the user about a disagreeable disclosure after the fact is too late to be useful. While this may apply to highly sensitive disclosures, a significant component of privacy maintenance is the regulation of mundane disclosures over time to influence observers’ historical, evolving impressions of one’s self. People are remarkably capable of finessing the consequences of the occasional—and inevitable—disagreeable disclosure, and they learn to minimize repeat occurrences. The Faces disclosure log was intended to help users transfer such iterative behavior refinement to the domain of the sensed environment.

  3. Flaws in the visual and surface-level interaction design of the software also contributed to negative evaluation results. However, we have been careful to focus our interviews with participants and our resulting analysis on problems rooted in the conceptual model behind the interaction design—problems which even optimal interaction and visual design could not sufficiently overcome.

  4. By scenario, we mean a specific activity in a specific context (e.g., buying a pint of chocolate ice cream at the grocery store on Main Street at 10 o’clock on a Saturday night). We chose our scenarios to be specific, somewhat sensitive events that met the constraints of the more general situations created in the Faces UI (e.g., shopping during the weekend).

  5. http://gmail.google.com/gmail/help/about.html (accessed 16 April 2004)

  6. Equally unclear, however, is whether the confusion could have been avoided, since other factors beyond system and interaction design were at play. In particular, Google’s idiosyncratic brand prominence and reputation for innovation, catalyzed by Gmail’s sudden appearance, ensured an immediate—and immediately critical—market of both sophisticated and naïve users.
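The following is an added example, not code from the article or from the authors' Faces prototype. It is a constructed, hypothetical model of a location-sharing service that shows how a design can avoid the first four pitfalls named in the abstract: it reports potential information flow (what each observer could learn under current settings), records actual information flow in a disclosure log of the kind note 2 describes, and offers a single coarse-grained "invisible" action that overrides every fine-grained rule so that the user is not forced into configuration to act. All names, precision levels and sample values are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed model of a privacy-affecting system (hypothetical; not the
# article's or the Faces prototype's code). An observer is anyone who may
# receive the user's location; a rule says at what precision they receive it.


@dataclass
class Rule:
    observer: str      # who may receive the data (constructed label)
    precision: str     # "exact", "neighborhood" or "none"


@dataclass
class Disclosure:
    when: datetime
    observer: str
    precision: str     # what precision was actually released ("none" if refused)
    value: str         # the released value ("" if nothing was released)
    reason: str        # which rule or override produced this outcome


class LocationSharing:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules: Dict[str, Rule] = {r.observer: r for r in rules}
        self.invisible = False            # coarse-grained control
        self.log: List[Disclosure] = []   # feedback on actual information flow

    # One action that overrides all fine-grained configuration. The user can
    # act ("go dark") without first editing per-observer rules.
    def set_invisible(self, on: bool) -> None:
        self.invisible = on

    # Potential information flow: what every observer COULD learn right now.
    # Showing this before any disclosure happens avoids obscuring potential flow.
    def potential_flows(self) -> Dict[str, str]:
        if self.invisible:
            return {o: "none" for o in self.rules}
        return {o: r.precision for o, r in self.rules.items()}

    # Actual information flow: release data according to the rules and record
    # what happened. Refused requests are logged too, so the user also learns
    # who has been asking; that is a design choice for this example.
    def disclose(self, observer: str, exact: str, neighborhood: str,
                 now: Optional[datetime] = None) -> Optional[str]:
        now = now or datetime.now(timezone.utc)
        if self.invisible:
            self._record(now, observer, "none", "", "invisible override")
            return None
        rule = self.rules.get(observer)
        if rule is None:
            self._record(now, observer, "none", "", "no rule for observer")
            return None
        if rule.precision == "none":
            self._record(now, observer, "none", "", f"rule for {observer}")
            return None
        value = exact if rule.precision == "exact" else neighborhood
        self._record(now, observer, rule.precision, value, f"rule for {observer}")
        return value

    def _record(self, when: datetime, observer: str, precision: str,
                value: str, reason: str) -> None:
        self.log.append(Disclosure(when, observer, precision, value, reason))

    # Disclosure log views the user can review after the fact.
    def disclosures_to(self, observer: str) -> List[Disclosure]:
        return [d for d in self.log if d.observer == observer]

    # Count of disclosures that actually released something, per observer.
    def released_counts(self) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for d in self.log:
            if d.precision != "none":
                counts[d.observer] = counts.get(d.observer, 0) + 1
        return counts


if __name__ == "__main__":
    # Constructed sample rules and locations (hypothetical values).
    svc = LocationSharing([Rule("spouse", "exact"),
                           Rule("employer", "neighborhood"),
                           Rule("advertiser", "none")])
    print("potential flows:", svc.potential_flows())
    svc.disclose("spouse", "grocery on Main St", "downtown")
    svc.disclose("employer", "grocery on Main St", "downtown")
    svc.set_invisible(True)
    svc.disclose("spouse", "grocery on Main St", "downtown")
    for d in svc.log:
        print(d.observer, d.precision, repr(d.value), d.reason)
```

The point of the structure is that `potential_flows` and the log are first-class outputs of the system rather than something the user must infer from configuration screens, and that `set_invisible` lets a user act in one step while the per-observer rules remain available for those who do want to configure.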

Acknowledgements

This work was funded by grant no. IIS-0205644 of the United States National Science Foundation and by a United States Department of Defense NDSEG fellowship. We are intensely grateful for the assistance and insights of Jennifer Mankoff, Chris Beckmann, danah boyd, Karen Teng, Jeff Huang, Xiaodong Jiang, the anonymous reviewers of this article and an earlier draft, and the participants of the studies mentioned herein.

Corresponding author

Correspondence to Scott Lederer.

Cite this article

Lederer, S., Hong, J.I., Dey, A.K. et al. Personal privacy through understanding and action: five pitfalls for designers. Pers Ubiquit Comput 8, 440–454 (2004). https://doi.org/10.1007/s00779-004-0304-9
