Our Vision

Toward more user-centric privacy policies

Privacy and Security Nutrition Label for Smart Devices  | Pardis Emami-Naeini, PhD candidate, Yuvraj Agarwal, Assistant Professor, Lorrie Faith Cranor, Professor, Carnegie Mellon University

Collecting design patterns for teams to make more ethical decisions about data  | Grace Annan-Callcott, Press Officer, Projects by IF

Designing for meaningful consent in app permissions  | Becca Ricks, Research Associate, Mozilla Foundation


Context

Technology impacts our lives through all aspects of society: from making comments on photos to the ability to exercise our right to vote. Almost half a century ago, the Privacy Act of 1974 was created in response to the rise in computerized databases and concerns about individual privacy rights. It required government agencies to show records kept on any individual and instituted “Fair Information Practices” when handling personal data. With the continued advancement of technology and the proliferation of connected devices, data has become ubiquitous. Companies and government agencies face conflicting incentives: gather human data to make a product or research better while maintaining user data privacy. In 2018 alone, billions of people were affected by data breaches and cyberattacks.

There is a gap in translating privacy principles and legislation to the engineers and designers who create the technology used by millions of end users. Practitioners across academia and industry are working on how to operationalize concepts like Privacy by Design (PbD). There are extensive case studies on how Privacy Impact Assessments (PIAs) have been used as a vehicle for privacy policy implementation and outcomes.

Governments and policymakers are struggling to create and enact effective privacy policies that help society adapt and protect user privacy and rights. They need to anticipate the impact of regulation, standards, and guidelines on the information, communications, and technology (ICT) industries. A deep understanding of existing regimes and systems for data collection, storage, application, retention, and predictive modeling is necessary to respond to consumers’ frustrations with losing control over their personal information, as well as their fears for a future in which massive datasets, fed into Artificial Intelligence (AI) technologies, might be abused to harm society.

Key Research Questions

Mental models + Landscape research:

  • How might we reimagine meaningful, informed consent for sharing personal data?

  • How do end users, practitioners (designers + engineers) and policymakers frame privacy and privacy by design? What interventions are being implemented across industries, disciplines and practices?

Implementation: How might organizations and legislators collaborate to better translate aspirational [privacy] principles to the decisions that go into product design and development? How might an organization better operationalize Privacy by Design (PbD)-like concepts and practice? For example:

  • How might we reimagine meaningful, informed consent for sharing personal data?

  • How might we help consumers and citizens regain control over their personal information?

  • How might we more effectively present risks and benefits to consumers when they provide personal information about their thoughts, activities, and intentions?

High level themes

Privacy is amorphous. A one-size-fits-all definition does not apply. It is important to clarify user privacy needs in different contexts.

It is complex. There are many definitions depending on context, culture, time and place. In one context, it might mean upholding freedom of choice and the ability to manage your state of well-being to avoid surveillance or profit-maximizing efforts. For another person, privacy might be about anonymity, the status quo in which your identity is unknown to a larger population of people. Finn, Wright and Friedewald highlight Seven Types of Privacy, which helps conceptualize these meanings: (1) person, (2) behavior and action, (3) communication, (4) data and image, (5) thoughts and feelings, (6) location and space, (7) association— group privacy.

Each concept submitted targets a different level of proactivity for users to manage their online privacy.

Several submissions focus on populations with a high level of tech savviness and proactiveness in managing their online profiles. There is nothing wrong with this approach, and it may work for a certain subsection of the population. For those who do not have the same tendencies, it is possible to take a more proactive approach to changing a person’s level of “awareness” of what privacy is and how it may impact them based on the context they are in. For example, the Privacy and Security Nutrition Label project allows users to make informed decisions at the “point of sale,” while Municipal Alerts actively alerts citizens about the repercussions when cities acquire new privacy-impacting technologies.

We received several privacy- and consent-related frameworks and toolkit concepts — so what does this mean?

There will be new patterns for experience researchers, designers, and engineers to practice and implement with regard to data collection, consent, and presentation. While some of the examples skew toward a certain topic, such as mobile health for biomedical researchers or applying a framework for consent in web forms, these practices may be increasingly applicable across use cases, industries and practices. More interdisciplinary collaboration will be needed in order to share learnings, initiatives and perspectives. Many of the patterns highlight similar concepts that strive to make services clearly show (1) what minimal data is needed, (2) why it is needed, and (3) how it may be used or managed in the future.

Project Highlights

70+ submission ideas by a range of disciplines and industries:

  • 13 Academic institutions

  • 10 Privacy advocacy organizations

  • 2 Foundations

  • 15 Tech industry / Private sector companies

  • 9 Privacy related non-profit organizations

  • 6 Public sector organizations

Ideas from across the globe:

  • 10 US States: CA, CO, DC, Distributed, GA, MA, MI, NY, PA, TX, WA

  • 8 Countries: Spain, Berlin, Belgium, England, Italy, Israel, Copenhagen, Canada

With data privacy solutions across a variety of topics:

  • Internet browsers

  • Smart devices, hardware

  • City municipal services

  • Mobile health research and personal health data

  • Facial recognition systems

  • Advertisements

  • Field research and interviewing participants

  • Public libraries and education