preferences, what the granularity of control is, and what the defaults should be.

The first question can be reframed as deciding when pessimistic, optimistic, and interactive style user interfaces should be used [135, 241]. The goal of a pessimistic style is to prevent security or privacy breakdowns, e.g., by denying access to data. For example, some applications ask users to specify privacy preferences immediately after installation. However, defining configurations and policies upfront, before starting to use a product, may be difficult for users because the definition process is taken out of context, at a point when the user does not have sufficient information to make a reasoned decision.

The goal of the optimistic style is to help end-users detect misuses and then fix them afterwards. An employee might allow everyone in her work group to see her location, but may add security and privacy rules if she feels a specific individual is abusing such permissions. This kind of interaction style relies on social translucency to prevent abuses. For example, Alice is less likely to repeatedly query Bob’s location if she knows that Bob can see each of her requests. Section 3.3.8 discusses social translucency in more detail.

The goal of the interactive style is to provide enough information for end-users to make better choices, helping them avoid security and privacy violations as well as overly permissive security policies. An example is choosing whether to answer a phone call given the identity of the caller. Here, people would be interrupted for each request and would make an immediate decision. One refinement of this idea is to let end-users defer making privacy choices until they are more familiar with the system, similar to the notion of safe staging introduced by Whitten and Tygar [310]. A further refinement of this concept is the Just-In-Time Click-Through Agreement (JITCTA) adopted by the EU PISA project [235], and later by the EU PRIME (“PRivacy and Identity Management for Europe”) project [236]. JITCTAs are presented to the user at a time when he or she can make an informed decision on his or her privacy preferences. However, Petterson et al. note that users may be induced to automate their “consent clicks” when presented with multiple instances of click-through agreements over time, without really reading their contents [236].

It is likely that all three styles are needed in practice, but the optimal mix that balances control, security and ease of use is currently unclear. Furthermore, some domains may have constraints that favor one style over another.

With respect to the granularity of control, Lederer et al. argue that applications should focus more on providing simple coarse-grained controls rather than fine-grained ones, because coarse-grained controls are simpler to understand and use [196]. For example, providing simple ways of turning a system on and off may be more useful than complex controls that provide flexibility at the expense of usability.

Lau et al. take a different path, distinguishing between extensional and intensional privacy interfaces [194]. In the context of sharing web browser histories in a collaborative setting, they defined extensional interfaces as those where individual data items (i.e., each URL) are labeled as private or public. In their prototype, this was done by toggling a “traffic light” widget on the browser. In contrast, intensional privacy interfaces allow the user to define an entire set of objects that should be governed by a single privacy policy. In their prototype, this was accomplished with access control rules indicating public or private pages, based on specific keywords or URLs, with optional wildcards.
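The extensional/intensional distinction, as an added example that is not code from the paper or from Lau et al.'s prototype: per-URL traffic-light labels sit beside keyword and wildcard rules, and a conservative default (private) applies when neither speaks. The URLs, patterns, and the precedence order (explicit item label beats rules, rules beat the default) are assumptions made for illustration.

```python
# Added example: a minimal model of extensional (per-item) versus intensional
# (rule-based) privacy controls for a shared browsing history.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlparse


@dataclass
class Rule:
    """Intensional rule: a keyword or a URL pattern (with optional * and ? wildcards)."""
    pattern: str   # e.g. "*bank.example/*" (wildcard) or "docs.python.org" (keyword)
    label: str     # "public" or "private"


@dataclass
class HistoryPolicy:
    default: str = "private"                    # assumption: undecided items stay private
    rules: list = field(default_factory=list)   # intensional: evaluated in order, first match wins
    labels: dict = field(default_factory=dict)  # extensional: per-URL labels, override rules

    def toggle(self, url: str) -> str:
        """Extensional control: flip one item's traffic-light label and return the new label."""
        new_label = "private" if self.classify(url) == "public" else "public"
        self.labels[url] = new_label
        return new_label

    def classify(self, url: str) -> str:
        """Decide one URL's label: explicit label, then rules, then the default."""
        if url in self.labels:
            return self.labels[url]
        parsed = urlparse(url)
        host_and_path = parsed.netloc + parsed.path
        for rule in self.rules:
            if "*" in rule.pattern or "?" in rule.pattern:
                if fnmatchcase(host_and_path, rule.pattern):
                    return rule.label
            elif rule.pattern.lower() in url.lower():
                return rule.label
        return self.default

    def shareable(self, history: list) -> list:
        """The subset of the history that the policy allows collaborators to see."""
        return [u for u in history if self.classify(u) == "public"]


# Constructed sample policy and history (not real data).
SAMPLE_POLICY = HistoryPolicy(rules=[
    Rule("*bank.example/*", "private"),
    Rule("docs.python.org", "public"),
])
SAMPLE_HISTORY = [
    "https://docs.python.org/3/library/fnmatch.html",
    "https://www.bank.example/accounts",
    "https://news.example/story",
]
```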

end-user-privacy-in-human-computer-interaction-v57.doc, Page 34 of 85
