The Challenges of Complex PET UIs
The problem of developing appropriate interfaces for configuration and action is common to other advanced PETs, such as anonymization tools like JAP, ZeroKnowledge, Anonymizer, and Freenet. Freenet, an anonymizing web browsing and publishing network based on a Mix architecture, was hampered by the lack of a simple interface. Recently, the developers of Tor, another anonymizing network based on onion routing, acknowledged this problem and issued a “grand challenge” to develop a usable interface for the system.7 Whatever their technical merits, anonymization systems—both free and commercial—have not been widely adopted, meeting commercial failure in the case of ZeroKnowledge and government resistance in other cases (e.g., JAP).
Repeated failures in developing effective user interfaces for advanced PETs may be a sign that these technologies are best embedded in the architecture of the network or product and operated automatically. They should not require installation, maintenance, and configuration. As an example, consider the success of SSL in HTTP protocols versus the failure of email encryption. The underlying technology is quite similar, though email encryption is not automatic and has not seen widespread adoption.
Ubiquitous computing technologies present further challenges for the protection of users’ privacy. Location privacy has been a hot topic in the media and the research community following the development of mobile phone networks and the E911 location requirements. Several technological solutions have been proposed for protecting users’ privacy in mobile networks. For example, Beresford and Stajano propose the idea of Mix zones, where users are tracked not under their real identity but under a one-time pseudonym. Gruteser and Grunwald also proposed location-based services that guarantee k-anonymity. Beresford and Stajano claim that using Mix technology for cloaking location information enables interesting applications without disclosing the identity or the movement patterns of the user. Tang et al. suggest that many location-based applications can still work in a system where the identities of the disclosing parties are anonymous—e.g., simply to compute how “busy” a place is, such as a stretch of highway or a café.
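To make the k-anonymity guarantee mentioned above concrete, the following is an added illustration written for this page; it is not code from the paper, nor from Gruteser and Grunwald or Beresford and Stajano. It implements a quadtree-style spatial cloaking step in the spirit of adaptive interval cloaking: the square containing the requesting user is quartered repeatedly, and the smallest square that still contains at least k users (the requester included) is what the location-based service receives instead of the exact position. If even the whole service area holds fewer than k users, the request is withheld rather than sent with a weaker guarantee. The service area, the user positions and the `min_size` resolution floor are constructed sample values.

```python
"""Adaptive spatial cloaking for location k-anonymity (added illustration).

Not the authors' code: a simplified quadtree cloaking step that reports the
smallest power-of-two cell around the requester containing >= k users.
All coordinates and positions below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Point = Tuple[float, float]


@dataclass(frozen=True)
class Cell:
    """Axis-aligned square: lower-left corner (x0, y0) and side length."""
    x0: float
    y0: float
    size: float

    def contains(self, p: Point) -> bool:
        x, y = p
        return (self.x0 <= x < self.x0 + self.size
                and self.y0 <= y < self.y0 + self.size)

    def quadrant_containing(self, p: Point) -> "Cell":
        """The child quadrant (half the side) that holds point p."""
        half = self.size / 2
        x, y = p
        qx = self.x0 + half if x >= self.x0 + half else self.x0
        qy = self.y0 + half if y >= self.y0 + half else self.y0
        return Cell(qx, qy, half)


def anonymity_set_size(cell: Cell, user: Point, others: List[Point]) -> int:
    """Number of users inside `cell`, counting the requester."""
    return 1 + sum(1 for p in others if cell.contains(p))


def cloak(user: Point, others: List[Point], k: int, area: Cell,
          min_size: float = 1.0) -> Optional[Cell]:
    """Return the smallest quadtree cell around `user` holding >= k users.

    Returns None when the whole `area` cannot satisfy k: the request should
    then be suppressed, not sent with a degraded guarantee.  `min_size`
    (constructed assumption) is the finest cell the service may ever see,
    so even k == 1 never leaks the exact coordinates.
    """
    if k < 1:
        raise ValueError("k must be at least 1")
    if anonymity_set_size(area, user, others) < k:
        return None
    cell = area
    while True:
        child = cell.quadrant_containing(user)
        # Stop at the resolution floor or when the child would break k-anonymity.
        if child.size < min_size or anonymity_set_size(child, user, others) < k:
            return cell
        cell = child


# Constructed sample data: a 1024 x 1024 service area and six users.
AREA = Cell(0.0, 0.0, 1024.0)
USER = (100.0, 100.0)                      # the requester
OTHERS = [(120.0, 110.0), (130.0, 90.0),   # two neighbours close to the requester
          (600.0, 600.0), (900.0, 100.0), (130.0, 900.0)]

if __name__ == "__main__":
    for k in (1, 2, 3, 7):
        cell = cloak(USER, OTHERS, k, AREA)
        if cell is None:
            print(f"k={k}: cannot be satisfied, request withheld")
        else:
            print(f"k={k}: report {cell} holding "
                  f"{anonymity_set_size(cell, USER, OTHERS)} users")
```

Raising k widens the reported cell: with the sample data, k=2 yields a 32-unit square around the requester and her nearest neighbour, k=3 a 256-unit square, and k=7 no report at all. A service that only needs to know how busy a region is can work with such cells, which is the point Tang et al. make above.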
Yet, it is not clear whether anonymization technologies will ever be widely adopted. On the one hand, network service providers act as trusted third parties and are bound by contractual and legislative requirements to protect the location information of users, reducing the commercial motivation for strong PETs. In other words, location privacy may already be “good enough.” On the other hand, location-based services are not in widespread use, and privacy frictions could arise as more people use these services. In general, we see good potential for HCI research in this area.
3.3.5 End-User Awareness of Personal Disclosures
Initially focused on network applications (e.g., World Wide Web and instant messaging), work on disclosure awareness has expanded into areas such as identity management systems, privacy agents, and other advanced PETs.
7 R. Dingledine, personal communication 7/8/2005. See also http://tor.eff.org/gui .