Slide 1

Slide 1 text

Designing Privacy Interfaces: Design Patterns for Understanding and Control

Slide 2

Slide 2 text

Designing Privacy Interfaces: Design Patterns for Understanding and Control
Patrick Gage Kelley
Thesis Proposal
Computation, Organizations & Society
School of Computer Science, Carnegie Mellon University
December 7th 2010
Thesis Committee: Lorrie Faith Cranor (co-chair), Norman Sadeh (co-chair), Alessandro Acquisti, Sunny Consolvo

Slide 3

Slide 3 text


Slide 4

Slide 4 text

Girl Expects 20000+ At Party
• A 14-year-old in Britain makes the details of her party (including address) public
• Thousands RSVP, the party is cancelled, and police patrols are set up
“She did not realise that she was creating a public event and should have done. She is going to have to change her mobile phone SIM card because of the number of calls she has been getting about it. Rebecca did not understand the privacy settings and she has lost her internet as a result of that – I’ve taken away her computer so she won’t make that mistake again.”

Slide 5

Slide 5 text

Insurance pulled over Facebook pics
• “[she received] monthly sick leave checks as part of her benefit package—until Blanchard posted photos to her private Facebook profile depicting her having fun at her own birthday party.”
• “Manulife confirmed that it does, in fact, use social networking sites to investigate clients.”
http://arstechnica.com/web/news/2009/11/creepy-insurance-company-pulls-coverage-due-to-facebook-pics.ars

Slide 6

Slide 6 text

Thesis Statement
• The goal of this work is to explore how a series of design patterns helps consumers better understand data practices and take more active control of their information, and can compel them to behave in a more privacy-protecting manner.
• The design patterns I will explore include: simplified design, standardization, explanation, automation, nudging, and holistic views.

Slide 7

Slide 7 text

Domains
1. Privacy Labels
2. Friend Grouping
3. Twitter

Slide 8

Slide 8 text

Privacy Labels

Slide 9

Slide 9 text

Privacy Policies
• Inform consumers about privacy practices
• Consumers can decide whether practices are acceptable and when to opt out
• Most policies require college-level skills to understand, are long, and change without notice
• Few people read privacy policies
• Existing privacy policies are not an effective way to inform consumers or give them privacy controls

Slide 10

Slide 10 text

Privacy Policies Format Study
• Participants answered reading-comprehension and opinion questions about privacy policies in various formats
• Answers were accurate for questions that could be answered by scanning or searching for keywords
  • Does Acme use cookies? (98%)
• People had more trouble with questions that required reading comprehension
  • Does this policy allow Acme to put you on an email marketing list? (71%)
  • Does this policy allow Acme to share your email address with a marketing company that might put you on their email marketing list? (52%)
• Even well-written policies are not well-liked and are difficult to use
A.M. McDonald, R.W. Reeder, P.G. Kelley, and L.F. Cranor. A comparative study of online privacy policies and formats. Privacy Enhancing Technologies Symposium 2009. http://lorrie.cranor.org/pubs/authors-version-PETS-formats.pdf

Slide 11

Slide 11 text

Can more intentionally designed, standardized privacy policy formats benefit consumers?

Slide 12

Slide 12 text

Can more intentionally designed, standardized privacy policy formats benefit consumers?
• Ease of understanding
• Speed of information-finding
• Ability to make comparisons
• Consumer opinion

Slide 13

Slide 13 text


Slide 14

Slide 14 text

Iterative Design Approach
5 focus groups
• 7-11 participants each
• explored attitudes towards privacy policies
• tested understanding of labels and symbols
Laboratory Study
• 24 participants
• within-subjects design to compare label and text policies
• 8 tasks, measured time and accuracy
• 6 opinion questions

Slide 15

Slide 15 text

Design Evolution
[Figure: design evolution of the Acme Privacy Policy label, ending with the final proposed design]
Patrick Gage Kelley, Joanna Bresee, Lorrie Faith Cranor, and Robert W. Reeder. A "Nutrition Label" for Privacy. SOUPS 2009.

Slide 16

Slide 16 text

Standardized Label

Slide 17

Slide 17 text

Removes wiggle room and complicated terminology by using four standard symbols

Slide 18

Slide 18 text

Allows for quick high-level visual feedback by looking at the overall intensity of the page

Slide 19

Slide 19 text

Allows for information to be found in the same place every time

Slide 20

Slide 20 text

Legend & Definitions

Slide 21

Slide 21 text

Five Formats Compared
• Std. Table
• Std. Short Table
• Std. Short Text
• Full Policy Text
• Layered Text

Slide 22

Slide 22 text

Overall Accuracy Results

Slide 23

Slide 23 text

Why Design Patterns?
• I can keep designing new interfaces, saying look at these good things that will make interfaces better, and applying them
• Or I can abstract them, detail them, explain how and why they work, and help other designers and developers

Slide 24

Slide 24 text

Domains
1. Privacy Labels
2. Friend Grouping
3. Twitter

Slide 25

Slide 25 text

Friend Grouping

Slide 26

Slide 26 text

Friends vs. Friends
Paul Adams. The Real Life Social Network. http://www.slideshare.net/padday/the-real-life-social-network-v2

Slide 27

Slide 27 text


Slide 28

Slide 28 text


Slide 29

Slide 29 text

Grouping Exploration

Slide 30

Slide 30 text

Domains
1. Privacy Labels
2. Friend Grouping
3. Twitter

Slide 31

Slide 31 text

Twitter

Slide 32

Slide 32 text


Slide 33

Slide 33 text

How violations occur
Something terribly embarrassing or private

Slide 34

Slide 34 text

How violations occur
Something terribly embarrassing or private
RT @privateuser: Something terribly embarrassing or private

Slide 35

Slide 35 text

How violations occur
Something terribly embarrassing or private
RT @privateuser: Something terribly embarrassing or private

Slide 36

Slide 36 text

Privacy on Twitter
B. Meeder, J. Tam, P.G. Kelley, L.F. Cranor. RT @IWantPrivacy: Widespread Violation of Privacy Settings in the Twitter Social Network. Web 2.0 Privacy and Security Workshop, IEEE Symposium on Security and Privacy.

Slide 37

Slide 37 text

Privacy on Twitter
B. Meeder, J. Tam, P.G. Kelley, L.F. Cranor. RT @IWantPrivacy: Widespread Violation of Privacy Settings in the Twitter Social Network. Web 2.0 Privacy and Security Workshop, IEEE Symposium on Security and Privacy.

Slide 38

Slide 38 text

Twitter

Slide 39

Slide 39 text

Twitter

Slide 40

Slide 40 text

Twitter

Slide 41

Slide 41 text

Design Patterns
• standardization
• explanation
• automation
• nudging
• holistic views
• simplified design

Slide 42

Slide 42 text

A Design Patterns Introduction
• Began in Architecture
• Adopted by Software Engineers
• Migrated into the HCI community
■ Alexander, C. (1977). A Pattern Language: Towns, Buildings, Construction. USA: Oxford University Press. 978-0-19-501919-3.
■ Tidwell, J. (2005). Designing Interfaces: Patterns for Effective Interaction Design. O’Reilly. 978-0596008031.

Slide 43

Slide 43 text

Standardization
• Standardized terms, layouts, interface design patterns, and user options will be used to simplify and clarify
  • both the information presented
  • and the methods for user interaction

Slide 44

Slide 44 text

Standardization Example
Please keep in mind that any opt-out choices you make will not apply in situations where (a) you either have made, simultaneously make, or later make a specific request for information from a member of The Bell Group, (b) The Bell Group uses your personal information for either “Operational Uses” or “Fulfillment Uses” (as described above in A3), (c) you either have engaged, simultaneously engage, or later engage in either Non-Registered Transactions or Sponsored Activities (as described above in A3), or (d) The Bell Group shares your personal information under the provisions of A3 above with respect to “Companies That Facilitate Communications and Transactions With You,” “Companies That You Previously

Slide 45

Slide 45 text

Allows for information to be found in the same place every time

Slide 46

Slide 46 text

Explanation
• Definitions, additional explanation, and potential outcomes/impacts
• So users seeking a deeper understanding can learn more
• These additional layers of education will often be revealed only after a user shows an interest for more

Slide 47

Slide 47 text

Explanation Example

Slide 48

Slide 48 text

Automation
• If applicable, an automated computer system should learn and repeat a user's preferred behaviors
• Taking decisions away from users through automation (or moving them to advanced setting screens) can simplify the choices users must make
• Given that they understand the places where automation is used, and the impact it has

Slide 49

Slide 49 text

Automation Example

Slide 50

Slide 50 text

Automation Example

Slide 51

Slide 51 text

Nudging
• Where a preferred behavior is recognized:
  • The interface will leverage graphic design principles to make this action more likely (e.g., increased size, emphasized text, color, prominent placement, etc.)
  • Or modify the user experience through system messages, time delays, or other interactions

Slide 52

Slide 52 text

Nudging Example
• “RT @PUN Come to my birthday tonight at DBA Gallery & Wine Bar. The address is 256 S Main St Pomona, CA 91766.. No cover or dresscode..”
• “RT @PUN: If you need to reach me tonight, I’ll be at (###) ###-#### Where is that?”
• “Haha! Don’t hurt ‘em! RT @PUN: I’m about to use company time to look for a new job.”
• “Lol I agree RT @PUN: I wish my boss would grow some f*cking testicles and quit being a c*nt”
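
Added example (not part of the original slides or the Privatweet work): a sketch of the nudging pattern applied to the manual-retweet leak shown under "How violations occur". It checks a draft for "RT @user" quotes of protected accounts and returns a system message and time delay instead of posting at once. The function names, the delay value and the idea that the client already holds a list of protected handles are assumptions.

```python
import re

# Manual-retweet forms quoted on the slides: "RT @PUN: ...", "RT @PUN Come ...",
# plus nested chains ("RT @a: RT @b: ..."). Handles are 1-15 chars of [A-Za-z0-9_].
RT_PATTERN = re.compile(r"\bRT\s*@\s*([A-Za-z0-9_]{1,15})\b", re.IGNORECASE)

NUDGE_DELAY_SECONDS = 10  # assumed value; the slides give no specific delay


def quoted_authors(draft):
    """Return the handles a draft manually retweets, lowercased, in order."""
    authors = []
    for handle in RT_PATTERN.findall(draft):
        handle = handle.lower()
        if handle not in authors:
            authors.append(handle)
    return authors


def retweet_nudge(draft, protected_handles):
    """Decide whether to post a draft immediately or nudge the user first.

    protected_handles: accounts the client knows to be protected (assumed to
    come from the user's follow list; hypothetical input).
    """
    protected = {h.lstrip("@").lower() for h in protected_handles}
    leaked = [a for a in quoted_authors(draft) if a in protected]
    if not leaked:
        return {"action": "post", "protected_authors": [], "delay": 0}
    names = ", ".join("@" + a for a in leaked)
    return {
        "action": "warn",
        "protected_authors": leaked,
        "delay": NUDGE_DELAY_SECONDS,
        "message": f"Protected account(s) quoted: {names}. Retweeting shows "
                   "this text to your own followers. Post anyway?",
    }


# Constructed drafts modelled on the slide examples.
if __name__ == "__main__":
    for d in ["RT @PUN: I'm about to use company time to look for a new job.",
              "RT @alice: RT @pun: see you tonight",
              "Great talk today, thanks @PUN"]:
        print(retweet_nudge(d, {"PUN"}))
```

A plain mention ("thanks @PUN") is posted without a nudge; only drafts that reproduce a protected account's text through an RT prefix trigger the message and delay.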

Slide 53

Slide 53 text

Holistic Views
• Finally, privacy interfaces should have a single, comprehensive, high-level view of the complete system
• While much detail will need to be abstracted away, the holistic view should show users an overall state

Slide 54

Slide 54 text

Holistic views example

Slide 55

Slide 55 text

Simplified Design
• Throughout, good communication/information design principles are applied:
  • simplified interfaces
  • removed clutter (text and graphic)
  • high-level overviews and current status
  • clear labels
  • clear demarcations between sections
  • few colors, few text styles
  • repetition

Slide 56

Slide 56 text

Thesis Statement
• The goal of this work is to explore how a series of design patterns helps consumers better understand data practices and take more active control of their information, and can compel them to behave in a more privacy-protecting manner.
• The design patterns I will explore include: simplified design, standardization, explanation, automation, nudging, and holistic views.

Slide 57

Slide 57 text

Columns: Privacy Label, Twitter, Friend Grouping
Standardization ✓ ✓
Explanation ✓ ✓
Automation ✓ ✓
Nudging ✓ ✓
Holistic views ✓ ✓ ✓
Simplified design ✓ ✓ ✓

Slide 58

Slide 58 text

Contributions
• A series of design patterns
  • Defined and detailed to help developers and designers dealing with real privacy concerns
  • Not just observed, but tested and verified across three domains
• Three proposal “apps” across domains that solve real privacy problems, and people can actually use

Slide 59

Slide 59 text

Timeline
Study | Description | Timeline
A | Label Design Work | Done
A | Large Scale Label Study | Done
A | Label Design Pattern Isolation | Summer 2011
B | Grouping Exploration | Done
B | Social Network Sharing | Spring/Summer 2011
B | Grouping Test Application | Fall 2011
C | Privacy Leaks on Twitter | Done
C | Mental Models of Status Privacy | Ongoing
C | Privatweet Test | Spring/Summer 2011
C | Privatweet Mobile | Fall 2011

Slide 60

Slide 60 text

Timeline

Slide 61

Slide 61 text

CyLab Usable Privacy and Security Laboratory
http://cups.cs.cmu.edu
Patrick Gage Kelley
patrickgage.com
twitter.com/patrickgage
Janice Tsai, Robert Reeder, Aleecia McDonald, Steve Won, Steve Sheng, PK, Robert McGuire, Cristian Bravo-Lillo, Joanna Bresee, Lucian Cesca, Clare-Marie Karat, Jason Hong, Lujo Bauer, Golan Levin, Paul Hankes-Drielsma, Robin Brewer, Yael Mayer, Michelle Mazurek, Kami Vaniea, Michael Benisch & everyone at the Mobile Commerce Lab and the CyLab Usable Privacy and Security Lab & Sunny Consolvo, Alessandro Acquisti, Norman Sadeh, and Lorrie Cranor
These slides and the proposal at: http://patrickgagekelley.com/dpi/