Abstract
To participate in meaningful privacy practice in the context of technical systems, people require opportunities to understand the extent of the systems’ alignment with relevant practice and to conduct discernible social action through intuitive or sensible engagement with the system. It is a significant challenge to design for such understanding and action through the feedback and control mechanisms of today’s devices. To help designers meet this challenge, we describe five pitfalls to beware when designing interactive systems—on or off the desktop—with personal privacy implications. These pitfalls are: (1) obscuring potential information flow, (2) obscuring actual information flow, (3) emphasizing configuration over action, (4) lacking coarse-grained control, and (5) inhibiting existing practice. They are based on a review of the literature, on analyses of existing privacy-affecting systems, and on our own experiences in designing a prototypical user interface for managing privacy in ubiquitous computing. We illustrate how some existing research and commercial systems—our prototype included—fall into these pitfalls and how some avoid them. We suggest that privacy-affecting systems that heed these pitfalls can help users appropriate and engage them in alignment with relevant privacy practice.
Notes
We will use the term privacy-affecting as a general description for any interactive system whose use has personal privacy implications. We will use the term privacy-sensitive to describe any privacy-affecting system that—by whatever metrics are contextually relevant—reasonably avoids invading or disrupting personal privacy. This article is intended to help minimize the number of privacy-affecting systems that are not privacy-sensitive.
Some might object here, noting that informing the user about a disagreeable disclosure after the fact is too late to be useful. While this may apply to highly sensitive disclosures, a significant component of privacy maintenance is the regulation of mundane disclosures over time to influence observers’ historical, evolving impressions of one’s self. People are remarkably capable of finessing the consequences of the occasional—and inevitable—disagreeable disclosure, and they learn to minimize repeat occurrences. The Faces disclosure log was intended to help users transfer such iterative behavior refinement to the domain of the sensed environment.
Flaws in the visual and surface-level interaction design of the software also contributed to negative evaluation results. However, we have been careful to focus our interviews with participants and our resulting analysis on problems rooted in the conceptual model behind the interaction design—problems which even optimal interaction and visual design could not sufficiently overcome.
By scenario, we mean a specific activity in a specific context (e.g., buying a pint of chocolate ice cream at the grocery store on Main Street at 10 o’clock on a Saturday night). We chose our scenarios to be specific, somewhat sensitive events that met the constraints of the more general situations created in the Faces UI (e.g., shopping during the weekend).
http://gmail.google.com/gmail/help/about.html (accessed 16 April 2004)
Equally unclear, however, is whether the confusion could have been avoided, since other factors beyond system and interaction design were at play. In particular, Google’s idiosyncratic brand prominence and reputation for innovation, catalyzed by Gmail’s sudden appearance, ensured an immediate—and immediately critical—market of both sophisticated and naïve users.
Acknowledgements
This work was funded by grant no. IIS-0205644 of the United States National Science Foundation and by a United States Department of Defense NDSEG fellowship. We are intensely grateful for the assistance and insights of Jennifer Mankoff, Chris Beckmann, danah boyd, Karen Teng, Jeff Huang, Xiaodong Jiang, the anonymous reviewers of this article and an earlier draft, and the participants of the studies mentioned herein.
Lederer, S., Hong, J.I., Dey, A.K. et al. Personal privacy through understanding and action: five pitfalls for designers. Pers Ubiquit Comput 8, 440–454 (2004). https://doi.org/10.1007/s00779-004-0304-9