From privacy methods to a privacy toolbox: Evaluation shows that heuristics are complementary

Published: 07 July 2008

Abstract

We describe the two-year-long development and evaluation of the Proportionality Method, a design method intended to aid HCI practitioners in designing advanced IT applications with complex privacy implications. The method is inspired by Data Protection Authorities' (DPA) and Courts' practice and proposes to balance the impact on privacy of IT applications with their usefulness. We discuss the results of an evaluation of the design method to verify its usability, usefulness and effectiveness vis-à-vis other design methods proposed in the HCI literature to address similar issues. Results suggest that different design methods for privacy highlight different sets of issues and a combination of methods should be employed in a comprehensive design process. We propose to judge design methods based on their overall quantitative and qualitative merits, including the type of application and technology for which they are most fit and their methodological approach. We finally propose to develop a privacy toolbox, that is, a set of heuristic methods that designers can choose from with knowledge and understanding of their relative advantages and limitations.


Published In

ACM Transactions on Computer-Human Interaction, Volume 15, Issue 2, July 2008, 81 pages.
ISSN: 1073-0516; EISSN: 1557-7325; DOI: 10.1145/1375761

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 07 July 2008
Accepted: 01 December 2007
Revised: 01 November 2007
Received: 01 October 2006
Published in TOCHI Volume 15, Issue 2

Author Tags

  1. Privacy
  2. design methods
  3. proportionality
  4. requirements analysis
  5. risk analysis
  6. social issues
  7. ubiquitous computing

Qualifiers

  • Research-article
  • Research
  • Refereed

Funding Sources

  • IRB

Cited By

  • (2023) Interactive Privacy Management: Toward Enhancing Privacy Awareness and Control in the Internet of Things. ACM Transactions on Internet of Things 4(3), 1-34. DOI: 10.1145/3600096. Online publication date: 21 Sep 2023.
  • (2019) Mitigating the Impact on Users' Privacy Caused by over Specifications in the Design of IoT Applications. Sensors 19(19), 4318. DOI: 10.3390/s19194318. Online publication date: 6 Oct 2019.
  • (2013) SADT/IDEF0 for Augmenting UML, Agile and Usability Engineering Methods. Software and Data Technologies, 38-55. DOI: 10.1007/978-3-642-36177-7_3. Online publication date: 2013.
  • (2010) Interactive visual supports for children with autism. Personal and Ubiquitous Computing 14(7), 663-680. DOI: 10.1007/s00779-010-0294-8. Online publication date: 1 Oct 2010.
  • (2009) Teaching privacy with ubicomp scenarios in HCI classes. Proceedings of the 21st Annual Conference of the Australian Computer-Human Interaction Special Interest Group: Design: Open 24/7, 105-112. DOI: 10.1145/1738826.1738844. Online publication date: 23 Nov 2009.
  • (2009) Exploring Privacy Concerns about Personal Sensing. Proceedings of the 7th International Conference on Pervasive Computing, 176-183. DOI: 10.1007/978-3-642-01516-8_13. Online publication date: 11 May 2009.
