Chapter 5: Usable and Useful Privacy Interfaces

Question 1

How can you reduce opportunities for user regret?

Answer 1

Nudges - to remind users of their privacy choices

Time delays

Question 2

What are best practices when presenting privacy controls to a user?

Answer 2

Offer them a meaningful way to control their preferences in a way that aligns with their needs

Question 3

What is rational choice theory?

Answer 3

A rationally acting person ingests information about companies’ data practices and uses this information to engage in a risk-benefit analysis and make rational decisions
Such decisions are assumed to be consistent with the person’s privacy preferences

Question 4

Are users rational in their privacy decisions?

Answer 4

In practice people’s privacy decisions and behavior are rarely rational or predictable but rather highly context dependent and malleable

Question 5

What is the privacy paradox?

Answer 5

People express certain privacy preferences or intentions but act contrary to them

Question 6

List 4 examples of privacy behaviour that contradict the research showing that people are concerned about their privacy

Answer 6

People:
• share copious personal details on social media
• express regrets about sharing too much information online
• are frequently surprised by the data practices of services they use
• are often unaware of privacy controls and protections available to them

Question 7

Describe self-censorship

Answer 7

Some people may opt not to share personal opinions, political leanings or certain updates about their lives online in order to avoid arguments or to manage their self-presentation

Question 8

What is the chilling effect?

Answer 8

Increased awareness about invasive data practices may lead people to restrict their behaviour (for example not searching for terrorism-related terms after wikileaks)

Question 9

Describe privacy preferences

Answer 9

What the person would prefer to happen in a certain situation, which may be informed by one’s general attitudes towards privacy, sociocultural norms, and prior experience

Question 10

Describe privacy concerns

Answer 10

Privacy risks or potential privacy harm a person is aware of or worried about

Question 11

Describe privacy expectations

Answer 11

What data processing or privacy infringements a person anticipates will occur in a given situation—are shaped by the person’s privacy preferences, concerns and awareness of data practices

Question 12

Why would a person’s privacy decision in a given situation be an inconsistent reflection of their privacy preference?

Answer 12

Subject to both external influences (e.g., incomplete information, context) and internal influences (e.g., bounded rationality, experience)

Question 13

What is privacy regret?

Answer 13

When an individual realizes that their privacy behavior or the actual data practices of a system or an organization were misaligned with their privacy expectations in a way that negatively affected them

Question 14

What assumption do informed consent and informed decision-making rely on?

Answer 14

The person has fully considered all available information

Question 15

List 3 common misconceptions that individuals have about privacy

Answer 15

• Companies securely transfer data
• They are protected by privacy law (depends on country)
• If a company has a privacy policy they don’t share data with 3rd parties

Question 16

What is the control paradox?

Answer 16

Perceived control over privacy may lead to increased sharing, which in turn may increase privacy risks

Question 17

What is bounded rationality?

Answer 17

Humans are limited in their ability and time to acquire, memorize and process all information relevant to making a fully informed and rational decision

Question 18

How do individuals compensate for the effects of bounded rationality?

Answer 18

Humans rely on heuristics in their decision-making to reach a satisfactory solution rather than an optimal one

Question 19

List some common decision heuristics and biases that can affect privacy decisions and behaviour

Answer 19

• Availability heuristic
• Representativeness heuristic
• Anchoring
• Loss aversion
• Hyperbolic discounting
• Optimism bias
• Status quo bias

Question 20

Describe the availability heuristic

Answer 20

Due to uncertainty about privacy risks, people may look for other available cues to judge the probability of risks (store’s visual design, presence of a privacy policy, vendor’s reputation)

Question 21

Describe the representativeness heuristic

Answer 21

People may perceive privacy intrusions as low-probability events

Question 22

Describe anchoring

Answer 22

Available information creates a reference point for future decisions (Survey participants disclose more information when a survey starts with intrusive questions and gradually reduces in sensitivity compared with a survey that increases in sensitivity)

Question 23

Describe loss aversion

Answer 23

Individuals dislike losses more than they like gains

Question 24

Describe hyperbolic discounting

Answer 24

Even if people claim to care about privacy, they may discount less immediate privacy risks in the moment in favor of immediate gratification

Question 25

Describe optimism bias

Answer 25

People systematically underestimate the likelihood of being affected by a negative event

Question 26

Describe status quo bias

Answer 26

People have a general affinity for default choices
People often keep default settings even if they are privacy invasive, because they are not aware of the setting and/or its privacy implications, because of associated transaction costs
It is assumed that the default settings are set to protect them

Question 27

What is context-dependendance?

Answer 27

What information someone considers appropriate to share varies based on contextual factors, such as the nature or source of the information, the activity or transaction as part of which information may be shared, as well as the people involved

Question 28

List the 4 types of boundary that, when breached, can result in a privacy violation

Answer 28

• Natural borders
• Social borders
• Spatial or temporal borders
• Ephemeral or transitory borders

Question 29

What are natural borders?

Answer 29

walls, closed doors, clothing, sealed envelopes and encryption protect information by limiting observation by others

Question 30

What are social borders?

Answer 30

Assumptions or expectations of social norms about confidentiality and respect of one’s privacy, such as confidential relationships with doctors, lawyers or priests; the integrity and confidentiality of personal correspondence; trust in colleagues, friends and family members to not rifle through one’s personal effects; or the assumption that information is not retained longer than required or used for other purposes

Question 31

What are spatial or temporal borders?

Answer 31

Physical distance or the passing of time, separate information from different periods or aspects of a person’s life

Question 32

What are ephemeral or transitory borders?

Answer 32

Based on assumptions that certain interactions or communication only exist in the moment and are not recorded permanently

Question 33

What are dark patterns?

Answer 33

Interface or system designs that purposefully exploit cognitive and behavioral biases

Question 34

List some common dark patterns

Answer 34

• Default settings
• Cumbersome privacy choices
• Framing (how a choice is described)
• Rewards and punishment
• Forced action
• Norm shaping (showing more revealing photographs sets the norm that that’s ok here)
• Distractions and delays

Question 35

List the 5 components that determine a system’s usability

Answer 35

• Learnability
• Efficiency
• Memorability
• Errors (how many do they make)
• Satisfaction

Question 36

What is utility in system design?

Answer 36

Does the system support users in satisfying their needs and accomplishing their goals?

Question 37

What is value-sensitive design?

Answer 37

Design approach that accounts for ethical values, such as privacy, in addition to usability-oriented design goals

Question 38

How do you apply value-sensitive design?

Answer 38

• Clarify project values
• Identify direct and indirect stakeholders
• Identify benefits and harms
• Identify and elicit potential values
• Develop working definitions of key values
• Identify potential value tensions
• Value-oriented design and development

Question 39

Describe the different forms privacy notices can take

Answer 39

• Privacy policies
• Informational privacy resources
• Integrated privacy notices
• Privacy indicators
• Privacy reminders

Question 40

Describe the general types of consent interfaces

Answer 40

• Integrated consent prompt
• Decoupled opt-out
• Integrated opt-out
• Delegated consent

Question 41

Why is an opt-out useless as documentation of informed consent?

Answer 41

It cannot be guaranteed that a user made an actual decision

Question 42

Provide an example of an integrated consent prompt

Answer 42

Checkbox accepting data storage practices before you submit a form containing personal information

Question 43

What is a decoupled opt-out?

Answer 43

Not integrated into the UX

User has to seek them out and may not be aware of their existence or of the data practice they pertain to

Question 44

What is an integrated opt-out?

Answer 44

Opt-out option which is present in the context in which people might need and want to use them
Example: Unsubscribe link in email communication

Question 45

What is delegated consent?

Answer 45

Consent that is not directly obtained by the first party but rather by a different service or platform provider

Question 46

Provide an example of delegated consent

Answer 46

Apps do not directly ask users for access to resources on the smartphone (e.g., location, contacts, text messages), but instead programmatically declare required permissions to the smartphone
The smartphone operating system then generates a respective permission prompt

Question 47

What are the advantages of delegated consent?

Answer 47

Consistent interface which facilitates learnability and reduces cognitive load

Question 48

What are privacy settings?

Answer 48

Privacy settings typically aggregate the privacy choices and controls available to a user of a given product or service in one place

Question 49

List the 2 types of privacy settings

Answer 49

• First-party privacy settings - from the service provider or product manufacturer
• Platform privacy settings - controlled by the platform (ex. a browser)

Question 50

What is typically included in a privacy dashboard?

Answer 50

• Activity timelines
• Data summaries (or access to actual data)
• Viewing privacy settings
• Links to privacy resources

Question 51

What operations should a privacy dashboard support?

Answer 51

• Viewing data
• Enabling data correction
• Export of data
• Delete data
• Update privacy settings

Question 52

What are the 3 properties of meaningful consent?

Answer 52

• Specific
• Informed
• Freely given

Question 53

What is habituation in a privacy context?

Answer 53

Repeated exposure to seemingly irrelevant privacy notices or dialogs results in people paying little attention to them

Question 54

What is poor discoverability in a privacy context?

Answer 54

Decoupling privacy choices from the UX and making them hard to locate
Splitting up privacy settings into multiple locations can also be confusing to users who assume they have found all the relevant controls

Question 55

Provide examples of confusing privacy interfaces

Answer 55

Icons that don’t clearly identify what they mean
Privacy choices or opt-outs whose effects are unclear
Privacy controls that behave contradictory to expectations

Question 56

What is Wogalter’s communication-human information processing (C-HIP) model?

Answer 56

It explains how humans perceive, process and react to warnings

Question 57

What is the Human in the loop (HILP) model?

Answer 57

Adapts the C-HIP model for security (and privacy)

Question 58

What do the C-HIP and HILP models describe?

Answer 58

A similar progression of steps in human information processing, which, if not considered properly, can present a hurdle for a privacy interface in achieving its goal

Question 59

What are the key steps of the information processing model as it pertains to privacy?

Answer 59

• Communication
• Attention
• Comprehension
• Intention
• Behaviour

Question 60

List the 5 privacy design principles

Answer 60

• User centric
• Relevant
• Understandable
• Actionable
• Integrated

Question 61

What are the 6 steps to combine UX, PIA, and value-sensitive design?

Answer 61

• Build on privacy assessment, privacy management and privacy engineering practice to systematically identify a system’s user rights and transparency requirements
• Identify users and their privacy needs by identifying stakeholders and eliciting their privacy expectations and privacy concerns as well as their privacy information needs and privacy control needs
• Identify unexpected data practices, which are those that users are unaware of or might be surprised by, to help prioritize which data practices and controls to highlight
• Integrate privacy interfaces into system’s UX by determining which privacy notices and controls are most relevant to a user at which points in the UX
• Leverage the available design space for privacy notices and controls to develop user-centric privacy interfaces that work within a system’s constraints
• Conduct user testing to evaluate the usability and usefulness of developed privacy interfaces

Question 62

What are the different times when you can include a privacy control?

Answer 62

• At setup
• Just in time
• Context-dependent
• Periodic
• Persistent
• On demand

Question 63

What channels can be used to present privacy information?

Answer 63

Primary - within the actual system
Secondary - within another system (fitbit)
Public - on the manufacturer’s website

Question 64

What are the 3 levels of control you can offer to a user?

Answer 64

• Blocking (forcing the user to interact with the control)
• Non-blocking (do not interrupt the flow)
• Decoupled

Question 65

What are the 2 common underlying challenges that lead to configuration mistakes

Answer 65

Gulf of evaluation

Gulf of execution

Question 66

What is the gulf of evaluation?

Answer 66

Understanding the state of the system

Question 67

What is the gulf of execution?

Answer 67

Taking action to accomplish a specific goal

Question 68

What is the purpose of a formative evaluation?

Answer 68

Used to gain insights into which aspects of a prototype or product could use improvements
Small scale and focus on gathering rich qualitative insights that can be used to improve a product

Question 69

What is the purpose of a summative evaluation?

Answer 69

Used to draw comparisons between a prototype or product and some benchmark (e.g., previous version, competing product)
Generally conducted once the design team believes they are done

Question 70

What is A/B testing?

Answer 70

Refers to tests where some users of a product or service see version A and others see version B

Question 71

What is ecological validity?

Answer 71

Refers to the realism of the methods, materials and setting of a user study or usability test

Question 72

Provide an example situation that lacks ecological validity

Answer 72

If a study participant sitting in a usability lab is shown a privacy policy or any other privacy interface and asked questions about it without being provided with any context or reason for wanting to read the policy, the resulting usability evaluation will lack ecological validity. In this case, participants may pay more attention to the policy than they would in real life, when privacy is likely not their primary concern.

Question 73

Why should you not mention that a study is about privacy when soliciting participants?

Answer 73

To avoid self-selection bias where people who already have an interest or opinion regarding privacy will respond, but those who prefer to ignore the topic won’t

Question 74

What key moral and ethical values are considered in value-sensitive design?

Answer 74

• Trust
• Fairness
• Informed consent
• Courtesy
• Freedom from bias

Question 75

List the 3 types of value-sensitive investigations

Answer 75

• Conceptual
• Empirical
• Technical

Question 76

What is the purpose of a conceptual investigation in value-sensitive design?

Answer 76

Identifies the direct and indirect stakeholders, attempts to establish what those stakeholders might value, and determines how those stakeholders may be affected by the design

Question 77

What is the purpose of an empirical investigation in value-sensitive design?

Answer 77

Focuses on how stakeholders configure, use or are otherwise affected by the technology

Question 78

What is the purpose of a technical investigation in value-sensitive design?

Answer 78

Examines how the existing technology supports or hinders human values and how the technology might be designed to support the values identified in the conceptual investigation

Question 79

List the 14 value-sensitive design methods

Answer 79

• Direct and indirect stakeholder analysis
• Value source analysis
• Co-evolution of technology and social structure
• Value scenarios
• Value sketches
• Value-oriented semi-structured interviews
• Scalable information dimensions
• Value-oriented coding manuals
• Value-oriented mockups, prototypes, or field deployments
• Ethnographically-informed inquiries regarding values and technology
• The model of informed consent online
• Value dams and flows
• The value-sensitive action reflection model
• Envisioning cards

Question 80

List 6 strategies for embedding value-sensitive design into technology

Answer 80

• Clarify project values
• Identify direct and indirect stakeholders
• Identify benefits and harms for stakeholders
• Identify and elicit potential values
• Develop working definitions of key values
• Identify potential value tensions

Question 81

What are the 5 steps of the Design Thinking process?

Answer 81

• Empathize
• Define
• Ideate
• Prototype
• Test