
SCCI 2015 - Privacy Icons


Patrick Gage Kelley

February 23, 2015

Transcript

  1. The Failure of Privacy Icons. Patrick Gage Kelley, University of New Mexico. @patrickgage, pgk@unm.edu
  2. within the last month…
    • Microsoft says its cloud services are first to adopt new privacy standard (ISO 27018)
    • Putting a Price on Privacy: $29
    • ‘Internet of Things’ Opens New Privacy Litigation Risks
    • Facebook faces fight in Europe over new privacy policy
  3. None
  4. Federal Trade Commission. Privacy Online: A Report to Congress. June 1998.
    “In light of the Commission's findings and significant consumer concerns regarding privacy online, it is evident that substantially greater incentives are needed to spur self-regulation and ensure widespread implementation of basic privacy principles.”
  5. “The Commission has encouraged industry to address consumer concerns regarding online privacy through self-regulation. The Internet is a rapidly changing marketplace. Effective self-regulation remains desirable ... To date, however, the Commission has not seen an effective self-regulatory system emerge.”
    FTC. Privacy Online: A Report to Congress. June 1998.
  6. Chairman Pitofsky recommended that Congress pass legislation if self-regulation failed to produce significant progress. However, by 1999 privacy policies were found on over 80% of top websites.
    EPIC. Surfer Beware III: Privacy Policies without Privacy Protection. 1999
  7. “Industry progress has been far too slow since the Commission first began encouraging the adoption of voluntary fair information practices in 1996. Notice, while an essential first step, is not enough if the privacy practices themselves are toothless.” — Commissioner Sheila Anthony
    Electronic Privacy Information Center (EPIC). Privacy Self Regulation: A Decade of Disappointment. March 2005
  8. Notice, while an essential first step, is not enough if the privacy practices themselves are toothless...
    “Common to all of these documents [hereinafter referred to as "fair information practice codes"] are five core principles of privacy protection:
    1. Notice/Awareness
    2. Choice/Consent
    3. Access/Participation
    4. Integrity/Security
    5. Enforcement/Redress”
    FTC. Privacy Online: A Report to Congress. 1998.
  9. “The FTC should work with the banking agencies to develop a unified mechanism for opting out under the Gramm-Leach-Bliley and Fair Credit Reporting Acts. Just as it made no sense for individuals to opt-out of every telemarketing call, it currently makes no sense for an individual to have to contact every single financial institution separately to protect privacy.”
    EPIC. Privacy Self Regulation: A Decade of Disappointment. 2005
  10. “The corpus of privacy policies contains 948 instances of may and 123 instances of might, perhaps, sometimes, occasional(ly), and from time to time...”
    “For example, they state that you receive unsolicited email messages instead of we send them.”
    Irene Pollach. What’s Wrong With Online Privacy Policies? CACM 2007
  11. The average Flesch-Kincaid score required for the top 50 internet privacy policies (2003) was 34.2
    • The Wall Street Journal averages a 43
    • Harvard Law Review averages a 32
    C. Jensen, C. Potts. Privacy Policies as Decision-Making Tools: An Evaluation of Online Privacy Notices. CHI 2004
  12. “Time to read is greater than the time to handle spam, and on par with the current time websurfing”
    “Value of time to read or skim is several times greater than the cost of broadband access”
    A. McDonald, L. Cranor. The Cost of Reading Privacy Policies. I/S. 2008.
  13. Industry Self Regulation in Theory
    • Website owners voluntarily post online privacy policies
    • FTC enforces policies via deceptive practices and fraud actions
    • Consumers:
        • Visit new sites and read their online privacy policies
        • Compare policies between sites
        • Buy from sites with the best privacy policies
    • This creates a market place that efficiently rewards privacy protections
    Aleecia McDonald. Online Privacy: Industry Self-Regulation in Practice. Tech Talk. 2009
  14. Industry Self Regulation in Practice
    • Website owners voluntarily post online privacy policies
    • FTC enforces policies via deceptive practices and fraud actions
    • Consumers:
        • Visit new sites and read their online privacy policies
        • Compare policies between sites
        • Buy from sites with the best privacy policies
    • This creates a market place that efficiently rewards privacy protections
    Aleecia McDonald. Online Privacy: Industry Self-Regulation in Practice. Tech Talk. 2009
  15. 250,000 applications, 6 billion downloads ...and no application review

  16. The market requires users to make two choices when reviewing potential applications for their device.
    1. Do I believe this application will compromise the security and function of my phone if I install it?
    2. Do I trust this developer and their partners with access to my personal information?
  17. Android permissions screens

  18. Permissions interface issues
    - Information is hidden away
    - No clear way to cancel
    - Unclear terms and concepts
    - Unclear what app doesn’t do
    - No sense of importance, necessity, purpose
    - No way to opt-out
  19. Android permissions screens

  20. Android permissions screens

  21. Outline
    • A short history of privacy icons
    • What is the point of icons?
    • Why is there such a wide spectrum of icons?
    • Where do they overlap?
    • Which icons have been tested?
  22. A Short History of Privacy Icons

  23. Mary Rundle, 2006

  24. Mary Rundle, 2006

  25. Matthias Mehldau, 2007

  26. Joshua Gomez, Travis Pinnick, and Ashkan Soltani, 2009

  27. Aza Raskin, 2010

  28. Aza Raskin, 2010

  29. Mozilla, 2011

  30. privicons, 2010

  31. Moms with apps, 2011

  32. None
  33. Disconnect, 2013

  34. Disconnect, 2013

  35. None
  36. Outline
    • A short history of privacy icons
    • What is the point of icons?
    • Why is there such a wide spectrum of icons?
    • Where do they overlap?
    • Which icons have been tested?
  37. 1. The large number of privacy concepts expressed in privacy policies/permissions, which leads to a large and often unreasonable number of icons.
    2. The difficulty of expressing these abstract concepts in simple icons is compounded when the concepts themselves are not well understood, even in words.
    3. The end need for users to recognize the icons will require familiarity, standardization, and education, to link the icons to the concepts and to finally facilitate user comparisons.
  38. None
  39. None
  40. None
  41. None
  42. Outline
    • A short history of privacy icons
    • What is the point of icons?
    • Why is there such a wide spectrum of icons?
    • Where do they overlap?
    • Which icons have been tested?