User-Centered Privacy-by-Design: Evaluating the Appropriateness of Design Prototypes

Abstract. Privacy-by-Design (PbD) suggests designing the fundamental architecture and features of computing systems with privacy in mind. Although PbD has been widely adopted by regulatory frameworks, a growing number of critics have questioned whether its focus on compliance with privacy regulation prevents it from addressing users' specific privacy attitudes and expectations. Motivated to enhance user-centered privacy-by-design processes, we examine how the way privacy questions are framed to crowd users affects their responses, and how the personal characteristics of those crowd users shape their answers. We recruited a total of 665 participants, of whom 456 were recruited via Amazon Mechanical Turk (AMT) and 209 were university students. We show that framing computing systems' features as data flows yields less critical evaluations of those features than framing them as descriptions of personal experiences. We also found, based on the student sample, that students with professional engineering experience are less critical than those with no work experience when assessing the features' appropriateness. We discuss how our results can be used to enhance privacy-by-design processes and encourage user-centered privacy engineering.
