
Information Design

Location: Irvine, CA

Posted: November 14, 2012


Privacy Critics: UI Components to Safeguard Users' Privacy

Mark S. Ackerman
Information and Computer Science
University of California, Irvine
Irvine, CA 92697 USA
********@***.***.***
http://www.ics.uci.edu/CORPS/ackerman.html

Lorrie Cranor
AT&T Labs-Research
Shannon Laboratory
Florham Park, NJ 07932
******@********.***.***
http://www.research.att.com/~lorrie

ABSTRACT

Creating usable systems to protect online privacy is an inherently difficult problem. Privacy critics are semi-autonomous agents that help people protect their online privacy by offering suggestions and warnings. Two sample critics are presented.

KEYWORDS: privacy, World Wide Web, critics, agent architectures, CSCW, collaboration, P3P.

INTRODUCTION

Online privacy is a growing problem for Internet users. Of particular concern is the unanticipated release (and subsequent use or misuse) of personal information. As Goffman [5] noted, every individual wishes to present an appropriate "face" to the myriad of audiences: One may wish to be the dutiful worker to managers, but an unhappy employee to fellow union members. Everyday life requires that only the proper information be released at the proper time, and people do this seemingly without thinking about it. To lose control over this process is very disconcerting.

Currently Internet users have little knowledge about how information they release online will be used. Users who wish to engage in electronic commerce must often release personal information to complete transactions. However few web sites explain how that information will be used or whether it will be linked with other personal information [1], and in many countries (e.g., the US), few legal privacy protections exist.

Users would benefit from systems to assist them in identifying situations where their privacy might be at risk. However, as we shall explain, many aspects of privacy make it difficult to design usable systems. These usability issues have led us to construct privacy critics, agents that help users protect their privacy online. These critics currently work with the World Wide Web Consortium's Platform for Privacy Preferences Project (P3P).

PRIVACY AS AN INFORMATION INTERFACE PROBLEM

P3P is one attempt to address the desire for personal privacy along with the needs of electronic commerce. P3P allows Web sites to make statements ("proposals") about their privacy policies and request data using a standardized vocabulary and protocol [2]. Thus users will be able to make informed decisions about releasing personal information.

Unfortunately, P3P user interfaces suffer from a particular class of interface problem. The HCI restatement of the privacy problem reveals it to be wicked (in the computer science sense): The problem is inherently complex, ill-defined, and seemingly insolvable. This is true for not just one reason, but several.

If a person wishes to control what information she presents to whom, this results in an enormous information space (i.e. each datum a person has about herself against each person or organizational entity with which she comes into contact). Moreover, the space is actually more complex, since there are additional dimensions (e.g., what the organization wishes to do with the data, the degree of trust the individual has in the requesting entity). Clearly a matrix-style user interface for P3P over each of its ten dimensions would be overwhelming. On the other hand, simplified interfaces remove important detail for some users.

Furthermore, we noted above that an individual does not, in fact, deliberate within each social encounter. Therefore, the user's interaction with an interface for controlling private information must be nearly transparent and minimal during the actual social engagement.

Privacy, then, poses a very difficult HCI problem. Not only must a program present an extremely complex information and decision space, it must do so seamlessly and without interference in the natural progression of social engagements.

Simply put, we do not know how to design these kinds of interfaces. Yet, if this problem must be solved currently (and there are ample reasons to believe that it must be), then the resulting HCI challenge must be to find approximations for the problem that provide sufficient functionality as well as ameliorations to the secondary problems that will naturally occur from using approximations. The following discussion introduces privacy critics, semi-autonomous agents that help users protect their private information. We believe that privacy critics are both approximations and ameliorations to the privacy problem.

PRIVACY CRITICS

Critic-based architectures were first introduced by Fischer [3]. A critic, a type of intelligent agent, provides feedback and suggestions as users go about their ordinary tasks. For example, the HYDRA critics [4] provided design feedback for kitchen architects as they laid out kitchens.

Two important features of critics should be noted. First, they provide feedback to users - they do not necessarily take action on their own. This is an important distinction from other types of intelligent agents. Privacy critics, then, would help (rather than attempt to automate) the user's control over private information. They might offer suggestions or warnings to users, watching over their shoulders in a manner of speaking.

Second, a critic-based environment might have hundreds of different critics. Each would check on a different facet of a problem domain and user goal. There need not be (and usually will not be) one "true" privacy critic. The independent nature of the numerous critics allows one to consider an ecology of critics (to be discussed further below). Users are, of course, free to turn these critics off and on, set threshold levels, and decide what aspects of privacy they wish to guard most closely.

SAMPLE CRITICS

Privacy critics, then, are agents that watch the user's actions and make privacy suggestions. We have implemented prototypes of six sample critics; two are presented here. These six are merely the beginning of what can be done.

The first critic checks the simulated CyberPrivacy Advocacy Group's database for consumer complaints about a Web site. We imagine a number of third-party databases collecting claims or problems about different kinds of sites. For example, a Better Business Bureau database could report that sites have had privacy complaints against them; other databases might report sites participating in data scams. This critic does not currently learn to categorize sites or learn about user preferences; these would be potential extensions.

The second critic watches the type of information being released and warns users when a P3P proposal requests data elements that can be used in combination to identify the user. For example, many people do not know that specific demographic data (e.g., race, birth date) can be used with zip code to uniquely identify individuals or households.

IMPLEMENTATION AND FUTURE WORK

The construction of these critics, if they are to be viable, must occur at two levels. In addition to the critics themselves, a critic-based architecture must be implemented.

The current implementation of the sample privacy critics uses client-side proxies for prototyping. These proxies either intercept HTTP requests for URLs and simulate going to a third-party verifier, or they intercept simulated P3P proposals and make decisions on behalf of the user. (In P3P parlance, the proxy serves as a P3P user agent, incorporating a rudimentary trust engine to decide which proposals should be accepted.) Each critic has been separately implemented, using Java. While limited, these initial prototypes have been valuable for informal user testing. Feedback from users (college students) indicates that the idea of a privacy critic is relatively straightforward to explain and understand, and that once understood, the idea is even exciting to users.

The second level of implementation is a general user agent architecture that allows a range of critics. In order to have a flourishing ecology of privacy critics, third parties must be able to create new critics. As mentioned, we would like users to be able to add or remove critics, and to be able to obtain new critics as situations demand. For example, as new information scams spread across the Internet, it will be important to obtain the latest critics. Vendors of browsers may provide user agents with limited protection for users; users could then obtain additional privacy critics from consumer advocacy groups, trusted third parties, small companies, or hobbyists. This ecology of critics can occur, however, only if the architecture for the P3P user agent is suitably open. We are currently designing the necessary support services for such an architecture.

REFERENCES

1. Cranor, L. Internet privacy, a public concern. netWorker: The Craft of Network Computing, June/July 1998, 13-18.

2. Cranor, L. and J. Reagle. The Platform for Privacy Preferences. Commun. ACM, 42(2), in press.

3. Fischer, G., A. Lemke, T. Mastaglio and A. Morch. Using Critics to Empower Users. CHI'90, 337-347.

4. Fischer, G., K. Nakakoji, J. Ostwald, G. Stahl and T. Sumner. Embedding Computer-based Critics in the Contexts of Design. INTERCHI'93, 157-164.

5. Goffman, E. Presentation of Self in Everyday Life. Anchor, 1959.
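
The critic architecture described under SAMPLE CRITICS and IMPLEMENTATION AND FUTURE WORK, sketched as an added example that is not the authors' Java prototype: independent critics review a simulated proposal and return warnings, and the user can switch each critic on or off or set its threshold. The site names, complaint counts, data element labels and class names are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed sample data: site names and complaint counts are invented.
COMPLAINTS_DB = {"shop.example": 7, "news.example": 0}

# Hypothetical element labels, not the P3P vocabulary. Each set is a
# combination that can identify a person even though no single member does.
IDENTIFYING_COMBOS = [
    {"zip_code", "birth_date", "race"},
    {"zip_code", "birth_date", "gender"},
]

@dataclass
class Proposal:
    """Simulated proposal: the requesting site and the data it asks for."""
    site: str
    requested: set

class ComplaintCritic:
    name = "complaints"
    def __init__(self, db, threshold=1):
        self.db, self.threshold = db, threshold  # threshold is set by the user
    def review(self, proposal):
        count = self.db.get(proposal.site, 0)
        if count >= self.threshold:
            return [f"{proposal.site}: {count} privacy complaints on record"]
        return []

class CombinationCritic:
    name = "combination"
    def __init__(self, combos):
        self.combos = combos
    def review(self, proposal):
        # Warn only when every element of an identifying set is requested.
        return [f"{proposal.site}: {', '.join(sorted(c))} together can identify you"
                for c in self.combos if c <= proposal.requested]

class UserAgent:
    """Runs each enabled critic and collects its warnings. It gives
    feedback only and leaves the accept/reject decision to the user."""
    def __init__(self, critics):
        self.critics = {c.name: c for c in critics}
        self.enabled = set(self.critics)
    def toggle(self, name, on):
        (self.enabled.add if on else self.enabled.discard)(name)
    def review(self, proposal):
        return [w for n, c in self.critics.items() if n in self.enabled
                for w in c.review(proposal)]

def demo():
    agent = UserAgent([ComplaintCritic(COMPLAINTS_DB, threshold=5),
                       CombinationCritic(IDENTIFYING_COMBOS)])
    p = Proposal("shop.example", {"zip_code", "birth_date", "gender", "email"})
    both = agent.review(p)
    agent.toggle("complaints", False)  # user switches one critic off
    return both, agent.review(p)
```

Adding a third critic means registering another object with a `name` and a `review` method, which is the openness the paper asks of the user agent architecture.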


