A Case for Expectation Informed Design
Presented by: Marie Joan Kristine T. Gloria, Ph.D. Student in Cognitive Science at RPI, in affiliation with the Cybersecurity & Internet Policy Initiative at MIT-CSAIL
Tetherless World Constellation at Rensselaer Polytechnic Institute
PrivOn Workshop | ISWC 2015 | October 2015

Transcript
Page 1: A Case for Expectation Informed Design

A Case for Expectation Informed Design
Presented by: Marie Joan Kristine T. Gloria, Ph.D. Student in Cognitive Science at RPI, in affiliation with the Cybersecurity & Internet Policy Initiative at MIT-CSAIL

Tetherless World Constellation at Rensselaer Polytechnic Institute

PrivOn Workshop | ISWC 2015 | October 2015

Page 2

Agenda

I. Problem & Motivation
II. Expectations: understanding choice & consent
III. Eliciting Expectation Project
IV. Preliminary Analysis & Insights
V. Future Work

Page 3

Pew Internet Studies. 2015. “AMERICANS’ ATTITUDES ABOUT PRIVACY, SECURITY AND SURVEILLANCE”. 19 May 2015. http://pewrsr.ch/1MhwUFI

Page 4

Problem & Motivation

From data breaches (e.g. Anthem, Home Depot) to unauthorized surveillance, consumer privacy is plagued by violations. Yet the amount of data online continues to increase. The thesis is motivated by this divergence between our collective understanding of privacy's value to society and our individual ability to protect it.

Page 5

Problem & Motivation

What expectation?

Page 6

Expectations: understanding choice & consent

Technical
Social (legal)*
Behavioral

*This talk centers on U.S. legal standards and public policies.

Page 7

Expectations: cognitive psychology POV

Vroom's (1964) expectancy theory postulates how an individual chooses between alternative forms of behavior within a decision-making scenario. The theory has three main components [1]:

Expectancy [effort] x Instrumentality [performance] x Valence [rewards] = Motivational Force

When multiplied together, these three components yield a "motivational force" that directs the choice among the behavioral alternatives.

[1] Vroom, V.H. Work and Motivation. New York: Wiley, 1964.

Page 8

Expectations: cognitive psychology POV

Vroom (1964) "Work & Motivation"
Laufer & Wolfe (1977) "calculus - the cognitive trade off among situational constraints"
Culnan & Armstrong (1999) decisions are negatively affected by the anticipated costs of a potential privacy violation
Dinev & Hart (2006) "privacy calculus - frames information disclosure as a tradeoff of benefits and risks"
McCarthy (2010)
Xu & Gupta (2009)
Acquisti & Grossklags (2007)
Norberg & Horne (2007)
Keith et al. (2013)

Page 9

Information Privacy Studies: Traditional Approaches to Contemporary Hypotheses

• Individuals act in ways that they expect will maximize positive outcomes and minimize negative ones.
• Expected Utility Hypothesis (Friedman and Savage, 1952).
• Individuals are assumed to be "rational" because they make decisions based on a cost/benefit tradeoff, engaging in "utility maximization" decision making.
• Perceived privacy risks reduce disclosure intentions, while perceived benefits of information disclosure increase them (Dinev & Hart, 2006).
• Privacy paradox: individuals who claim to be concerned about their privacy still demonstrate relatively high levels of actual information disclosure (Acquisti & Grossklags, 2006).

Page 10

Expectations: U.S. Legal POV

The notion of privacy trade-offs and consumer expectation permeates both legal scholarship and corporate technology management practices [2].

Layers of legal protection:

Federal (e.g. 1st Amendment, 4th Amendment, HIPAA, COPPA, ECPA, GLBA, FCRA, FERPA, CISA, DMCA, CFAA, etc.)

State (e.g. state constitutions; statutes such as CA SB 568 "Privacy Rights for California Minors in the Digital World", CalECPA, etc.)

[2] Bamberger, K. A., & Mulligan, D. K. (2011). Privacy on the Books and on the Ground. Stanford Law Review, 63.

Page 11

Expectations: U.S. Legal POV

Ex: Fourth Amendment. Surveillance issues (police and government search) turn on the "expectation of privacy" legal test, which has two prongs:

Subjective expectation of privacy: the individual's own belief that a certain location or situation is private, demonstrated by actions taken to keep the evidence private.

Objective (legitimate, reasonable) expectation of privacy: an expectation of privacy generally recognized by society (e.g. garbage cans).

Page 12

Expectations: U.S. Legal POV

Ex: Consumer Privacy Bill of Rights [3]

The principle Respect for Context (Sec. 103) states that "consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data." It outlines for companies a required set of considerations, including "research on consumers' attitudes and understandings". The principle also suggests that context should "help determine which personal data uses are likely to raise the greatest consumer privacy concerns."

[3] White House. 2015. Administration Discussion Draft: Consumer Privacy Bill of Rights Act of 2015. Last accessed 2 May 2015. https://www.whitehouse.gov/sites/default/files/omb/legislative/letters/cpbr-act-of-2015-discussion-draft.pdf

Page 13

Expectations: Technical manifestation

Three Privacy Research Paradigms in Computer Science [4]

Privacy as Confidentiality ("Hiding")
• Autonomous (digital) sphere
• Data about persons is protected so that unauthorized others cannot access it

Privacy as Control ("Information Self-Determination")
• User control over what is shared and how it is used
• Identity management systems

Privacy as Practice ("Identity Construction")
• Intervene in the flows of existing data; re-negotiate boundaries
• Requires feedback and intervention

[4] Gurses, S. (2010). "Multilateral Privacy Requirements Analysis." Dissertation. Arenberg Doctoral School of Science, Engineering & Technology, Faculty of Engineering, Department of Computer Science.

Page 14

Q1: If an individual has no expectation of privacy, then what type of information disclosure behaviors manifest online, and why?

Implicit in this question are the potential effects the answer may have on public policy and technical design.

Page 15

Eliciting Expectations Project

We simply ask: What are these expectations of privacy, if any? And how do we measure them?

What we learned from the pilot study & focus groups:
• administered the pilot study using a snowball sample on Facebook and email
• two focus groups (consisting of freshman to senior RPI undergrads) were also queried about the survey and its structure

Changes made:
• discarded the "digital natives" sample due to lack of responses to the two case scenarios:
  • health device: not interested in tracking health, and lack of expendable income to purchase a device
  • mobile payment systems: skewed heavily towards older students/participants; lack of access to personal income, thus no need for such apps
• Likert scale was adjusted to a 4-point scale in order to force participants to answer beyond neutral
• discarded the "health device application" scenario in order to focus only on mobile payment systems

Page 16

Eliciting Expectations Project v2

Survey Basics [IRB Approved 1422]
• Comprised of 3 main sections:
  • Section 1: evaluates expert vs. novice participants
  • Section 2: explores across three levels of expectations
  • Section 3: demographics
• Participants answer 51 questions (approx. 20 mins to complete)
• Dependencies: expert vs. novice
• Two case studies:
  • location-based services (e.g. Google Maps, Foursquare, etc.)
  • mobile payment systems (e.g. Square Cash, Apple Pay, etc.)
• Upon completing the survey, participants may be asked to volunteer for a semi-structured interview
• Utilizes the Qualtrics survey platform
• Sampling: convenience

Research question: To what extent does a user's knowledge of and preference for how data is used impact his or her own information disclosure behaviors?

Page 17

Section I: Determines "expert" vs. "novice" participants.

Borrows from Rogers (2003) the following measurement categories of Internet expertise [5]:

Conative: what users "do" online (time and habits online)
Cognitive: what users "think" online (technical and privacy knowledge)
Affective: what users "feel" online (feelings and attitudes while online)

Scoring per category:
Conative: High / Mid / Low activity level
Cognitive: A / C / F (alpha-grading similar to quizzes)
Affective: Positive / Neutral / Negative

[5] Rogers, B.L. Measuring Online Experience: It's About More Than Time! Usability News, 5.2, 2003. Last accessed 1 April 2015. http://psychology.wichita.edu/surl/usabilitynews/52/experience.htm

Page 18

Section II: Explores the three levels of privacy expectations

Grounded in legal theory and prior survey items:

• Expectations of privacy (EP): what a person's expectations of privacy are and what privacy rights should be expected.
• Expectations of violations (EV): what a person thinks will or can happen when privacy rights are violated.
• Expectations of agency (EA): what a person thinks he or she can do to control or protect his or her privacy rights.

Page 19

Hypothesis: Expectations are not conditional on expert or novice traits [6, 7].

Informant Group | Expectation of Privacy (EP) | Expectation of Violation (EV) | Expectation of Agency (EA)
Experts         | no effect                   | no effect                    | no effect
Novice          | no effect                   | no effect                    | no effect

[6] Kang, R., Dabbish, L., Fruchter, N., & Kiesler, S. (2015). "My Data Just Goes Everywhere": User Mental Models of the Internet and Implications for Privacy & Security. 11th Annual Symposium on Usable Privacy and Security. Ottawa, Canada. https://www.usenix.org/system/files/conference/soups2015/soups15-paper-kang.pdf

[7] Monteleone, S., van Bavel, R., Rodríguez-Priego, N., & Esposito, G. (2015). "Nudges to Privacy Behaviour: Exploring an Alternative Approach to Privacy Notices?" JRC Science and Policy Report. EU Commission. http://publications.jrc.ec.europa.eu/repository/bitstream/JRC96695/jrc96695.pdf

Page 20

Preliminary Analysis & Insights

Informant Group                                         | Expectation of Privacy (EP) | Expectation of Violation (EV) | Expectation of Agency (EA)
Legal Professionals (e.g. lawyers, policymakers, etc.)  | HIGH                        | HIGH                         | Neutral

• First batch of informants: legal practitioners, policymakers, etc.
• Survey distribution:
  • Convenience: via email & a surveillance-coalition mailing list
  • 11 total survey responses as of Aug 2015
    • 10 chose the location-based mobile scenario
    • 1 chose the mobile payment system
• Descriptive statistical analysis for the location-based respondents

Page 21

Expectation of Privacy (EP)

When asked to indicate a level of agreement with the following statement:

"I agree that my location data should be collected and shared by third parties in order to ..."

respondents disagreed or strongly disagreed with four of the five conditions; the fifth condition received 5 "agree" responses.

Page 22

Expectation of Violations (EV)

When asked to indicate a level of agreement with the following statement:

"My personal identity is private and cannot be discovered and/or used in nefarious ways by unauthorized persons."

Page 23

Preliminary Analysis & Insights

• CAVEAT: small dataset, not representative; still gathering data
• What we've learned so far:
  a) transparency and openness overlook concerns of exposure;
  b) a continued and problematic underestimation of the consumer [8]; and
  c) the need for relevance, respect and integrity as elements of context.

[8] Turow, J., Hennessy, M., and Draper, N. The Tradeoff Fallacy: How Marketers Are Misrepresenting American Consumers and Opening Them up to Exploitation. Annenberg School for Communication, University of Pennsylvania. (2015). https://www.asc.upenn.edu/sites/default/files/TradeoffFallacy_1.pdf

Follow-up interviews suggest that the "volume of data out there" inevitably leads to over-exposure. For example, one participant noted: "Since the dawn of the internet, we always have known that literally nothing that goes on the web is safe / untraceable; so what you don't want on the web, don't put on the web." Another participant responded: "It depends on the type of data being shared; but sharing more data (especially by the government) sounds like a bad idea." For policymakers, this underscores the need for better policies that not only communicate efforts for security and privacy but also clearly outline system actors and their actions. For technologists, this poses a bigger question of whether and how efforts for transparency and openness can be decoupled from concerns of over-exposure.

A continued underestimation of what consumers understand and expect may contribute to what Turow et al. describe as consumer "resignation" to the loss of control over their own data within a data economy [8]. For technologists, the imperative is to reassess system designs in order to empower the user, allowing for increased agency and control. We suggest this goes beyond affordances of "user privacy control settings" and should extend throughout the data processing pipeline.

Need for relevance, respect and integrity as elements of context. As our exploratory findings show, what data is shared, with whom, and for what purposes are critical distinctions to consumers for preserving privacy. We urge the community to consider if and how these elements may be operationalized at the data level (e.g. ontologically).

Page 24

FUTURE WORK

• Continued data gathering for the general survey
• Drill-down experiment: behavioral tracking on mobile devices
• Open questions:
  • How confident are we that the methods used to evaluate user expectations are fit for purpose?
  • How can this be helpful in shaping public policy regarding the purpose and use of data?

Page 25

Thank You & Questions?

Email: [email protected] @gloriakt