In this lecture, we're going to look at five pitfalls in designing for privacy. The lessons here are discussed in much more depth in a paper that is linked in the readings, and which you should take a look at.

The five pitfalls can be broken into two categories. The first is understanding. In this category, we have two main pitfalls: obscuring potential information flow, and obscuring actual information flow. We'll get to the details of what these actually mean in a minute. The second category of pitfalls is action, and there are three additional pitfalls in it: emphasizing configuration over action, lacking coarse-grained control, and inhibiting established practice. In the rest of this video, we'll look at each of these five pitfalls, along with examples of each done poorly and done well.

So let's take the first two: obscuring potential information flow and obscuring actual information flow. Both of these require us to understand what information flow is, so let's look at that. Information flow describes what happens when people share information. Who is it shared with? What kind of information is it? Who are the observers, the people who will see that information? What media is it conveyed through? How long is it retained? What is the potential for unintended disclosure? What metadata is collected along the way? Essentially, users are creating a lot of information, and they should know what's done with it and where it goes after it's created.

Obscuring potential information flow means there's a possible way information can be shared, but it's not made clear to users how that sharing can actually happen. Here's an example: a Gmail account. Though there are no messages in the inbox, you can see ads across the top. People have been upset, and there has actually been a lot of press, over the fact that these ads can be targeted based on the content of the messages you send and receive on Gmail. Google doesn't actually show anyone the content of your messages. Its servers analyze them automatically and pick ads whose advertiser-specified keywords match terms found in your messages. But people were very concerned that the content of their messages was being shared with advertisers. It was just unclear what Google was doing on Gmail, and that made a lot of people worried.

Obscuring actual information flow means that information is being shared in a specific way, but that sharing is hidden from users. Here's an example. We're looking at the Settings section of the iPhone. If we go to Privacy, then Location Services, and scroll all the way to the bottom of the window, we see System Services. That brings up a long list, and if we scroll down, we find a section called Frequent Locations. This is a list of places I go frequently. It has automatically pulled up the names of these places; I haven't entered them. If we click the first one, College Park, Maryland, you can see it actually has a map and addresses of places I go a lot. The three dots here are the computer science building, the information studies building where my office is, and the Potbelly where I go for lunch all the time. I haven't checked into these places, and I haven't entered anything. This is just something the iPhone picks up because it's constantly tracking location, and it's an example of information being collected and used without the user's knowledge. Privacy isn't really controlled by the user here: I never consented to this kind of collection, I wouldn't consent to it if I had the choice, and there's no obvious way for me to change these settings. Essentially, this data collection and this lack of privacy are concealed by Apple and the iPhone, and users don't have any control over it.
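To make these flows concrete, here's a minimal sketch in Python of what it would look like to state an information flow explicitly instead of obscuring it. Nothing here comes from the paper or from any real product; the class, the field names, and the retention value are all illustrative assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class InformationFlow:
    """One way data can leave the system, described along the dimensions
    from the lecture: what, to whom, through what medium, for how long."""
    data_kind: str            # what kind of information (e.g., "message content")
    observers: list[str]      # who will see it
    medium: str               # the channel it travels through
    retention_days: int       # how long it is kept
    metadata_collected: list[str] = field(default_factory=list)

def describe_flow(flow: InformationFlow) -> str:
    """Render a flow as a plain-language disclosure, so neither potential
    nor actual sharing is hidden from the user."""
    lines = [
        f"Your {flow.data_kind} is seen by: {', '.join(flow.observers)}",
        f"via {flow.medium}, retained for {flow.retention_days} days.",
    ]
    if flow.metadata_collected:
        lines.append(f"Metadata collected: {', '.join(flow.metadata_collected)}")
    return "\n".join(lines)

# A flow like Gmail's ad targeting, stated up front instead of left unclear.
# The retention value and names are hypothetical, for illustration only.
gmail_ads = InformationFlow(
    data_kind="message keywords (analyzed automatically, not read by people)",
    observers=["the ad-matching system"],
    medium="server-side analysis",
    retention_days=30,
    metadata_collected=["which ads were shown and clicked"],
)
print(describe_flow(gmail_ads))
```

The point of the sketch is simply that every dimension we just listed, observers, medium, retention, and metadata, is something a system can surface in plain language rather than bury.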
The next pitfall is emphasizing configuration over action. This happens when privacy management gets bound up in privacy tools and users have to control lots of settings, instead of privacy being a natural part of their workflow. The guideline here is that privacy management should be integrated into users' natural workflow so that they don't have to think about it. Remember that this ties back to a guideline we had for usable security: security should be built into users' natural workflow. Privacy and security are really two parts of the same issue, so it's not surprising that we see the same guideline here.

Our next pitfall is lacking coarse-grained control. Lots of systems have fine-grained control, where you can go in, set a lot of preferences, and do some really detailed things with privacy. But it's also really useful to have a high-level, obvious control that turns sharing on and off. This is useful if, for example on social media, you want to share a post publicly or just with friends. There are all kinds of detailed controls you can dig into on social media, but having one control that easily switches the privacy level makes control a lot simpler. Similarly, there may be times when you're interacting with a system and you just want to turn off data collection about yourself. Think of it like airplane mode on your phone, but for privacy.

Let's look first at an example on Amazon, where this kind of control would be really useful but isn't available. Say I want to buy a copy of Harry Potter for my niece. I can search for it, click on the book, and then either buy it or change my mind. But when I go back to the Amazon main page, I now have all of these recommended Harry Potter items, which I have no interest in buying for myself. It would be great to have some control that turns off the system that keeps track of what I'm looking at. In a sense it's a privacy setting, and I could use it to improve the way the system interacts with me. But while you can go in and remove some things it has tracked in the past, there's no easy way to simply click a button and browse without my searches being tracked. And so I often end up with a lot of irrelevant items being recommended to me.

On the other hand, Facebook actually does have some of these coarse-grained, top-level controls, in addition to the more detailed ones, and we can take a look at that example too. Here's an example user's Facebook profile. When he starts to type a status update, you can see that explicit privacy controls appear to let him change who can see it. This top level is pretty coarse-grained: Public or Friends. If he wants something more fine-grained, there are more options, including a custom option that brings up a lot of controls. As a high-level way of controlling privacy, though, the coarse switch is pretty easy to deal with. You don't have to configure anything complicated or go into system-level settings. You're typing a post; it has a default value, but you can always change it in a quick and easy way.
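As a rough illustration of that layering, here's a small Python sketch of coarse- and fine-grained controls living side by side. This isn't any real platform's API; the names and categories are made up for the example.

```python
from dataclasses import dataclass, field

@dataclass
class PrivacyControls:
    """One obvious top-level switch, plus detailed per-category settings."""
    tracking_enabled: bool = True                 # coarse-grained control
    per_category: dict[str, bool] = field(default_factory=dict)  # fine-grained

    def allows(self, category: str) -> bool:
        # The coarse switch always wins: if tracking is off, nothing is
        # collected, no matter what the detailed settings say.
        if not self.tracking_enabled:
            return False
        return self.per_category.get(category, True)

controls = PrivacyControls()

# Fine-grained: turn off just one kind of collection.
controls.per_category["purchase_history"] = False

# Coarse-grained: one action, like airplane mode for privacy, say before
# searching for a gift you don't want future recommendations based on.
controls.tracking_enabled = False
assert not controls.allows("search_history")
```

The design choice worth noticing is that the coarse switch sits above the fine-grained settings rather than beside them, so a single action is always enough to stop collection.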
Our final pitfall is inhibiting established practice. Essentially, this means we want to ask what users expect from their other experiences, and then let them expect the same thing here. This ties into mental models, conventions, and the other expectations we talked about in the first week of class. Basically, if a user expects, and is used to, things working a certain way from other systems, your system should work the same way when it comes to protecting their privacy. For example, phone calls traditionally don't reveal the location you're calling from. But new technology on cell phones can pinpoint your exact location and could share that data. Now, is it a good idea to share that information or not? Well, from their other experiences making calls, users might expect that their location isn't shared, and so it can come as quite a shock, and feel like a privacy violation, if that data is shared. Let's look at a quick sketch that we call Frankie and Nancy to see what this means.

>> Hello.
>> Frankie?
>> Oh, hi Nancy.
>> Where are you?
>> I'm at Bob's house.
>> No, you're not. Your phone says you are in Paris.

So remember, privacy system designers: don't share information like location data, or other potentially private information, just because you can. Make sure it's something users would expect to be shared, and if they wouldn't expect it, don't share it.

In conclusion, we can take three really high-level rules away from these five pitfalls. First, we should make it clear to users how information is being shared. There shouldn't be any ambiguity, and we shouldn't try to cloak information sharing that's actually going on. Second, we should make it easy and natural for users to control privacy at all levels as part of their normal workflow, in both coarse- and fine-grained ways. And finally, we should make the default practice match users' expectations.
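To close with one concrete illustration of that last rule, here's a tiny Python sketch of location sharing that defaults to off and requires an explicit opt-in, matching what Frankie would have expected from an ordinary phone call. It's purely hypothetical; the function and field names aren't from any real phone API.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Call:
    caller: str
    location: Optional[str] = None  # precise location the device could attach

def shared_call_info(call: Call, location_opt_in: bool = False) -> dict:
    """Build what the other party sees. The default matches established
    practice for phone calls: the caller's location stays private."""
    info = {"caller": call.caller}
    if location_opt_in and call.location is not None:
        info["location"] = call.location
    return info

call = Call(caller="Frankie", location="Paris, France")
print(shared_call_info(call))                        # {'caller': 'Frankie'}
print(shared_call_info(call, location_opt_in=True))  # shared only on opt-in
```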