Table 7. Ubicomp Privacy Risk Analysis Questions.

Social and Organizational Context
- Who are the users of the system? Who are the data sharers, the people sharing personal information? Who are the data observers, the people that see that personal information?
- What kinds of personal information are shared? Under what circumstances?
- What is the value proposition for sharing personal information?
- What are the relationships between data sharers and data observers? What is the relevant level, nature, and symmetry of trust? What incentives do data observers have to protect data sharers’ personal information (or not, as the case may be)?
- Is there the potential for malicious data observers (e.g., spammers and stalkers)? What kinds of personal information are they interested in?
- Are there other stakeholders or third parties that might be directly or indirectly impacted by the system?
- How is personal information collected? Who has control over the computers and sensors used to collect information?
- How is personal information shared? Is it opt-in or is it opt-out (or do data sharers even have a choice at all)? Do data sharers push personal information to data observers? Or do data observers pull personal information from data sharers?
- How much information is shared? Is it discrete and one-time? Is it continuous?
- What is the quality of the information shared? With respect to space, is the data at the room, building, street, or neighborhood level? With respect to time, is it real-time, or is it several hours or even days old? With respect to identity, is it a specific person, a pseudonym, or anonymous?
- How long is personal data retained? Where is it stored? Who has access to it?
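As an added illustration (not code from the paper, and not a description of any system it cites), the following Python sketch turns the data-quality axes of Table 7 (space, time and identity), the opt-in question and the retention question into a sharing policy that is applied before a disclosure reaches a data observer. Every class, field and function name, the pseudonym key and the sample record are constructed assumptions for this example.

```python
"""Added example: a disclosure-minimising sharing policy for a
location-sharing ubicomp service.  Models the Table 7 questions on
spatial granularity, temporal freshness, identity, opt-in defaults and
retention.  All names here are illustrative assumptions, not an API
from the paper."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
from typing import Optional

# Constructed per-deployment secret used to derive stable pseudonyms.
# In a real deployment this lives in a key store, never in source code.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"

# Spatial levels from the paper's question, finest to coarsest.
SPACE_LEVELS = ("room", "building", "street", "neighborhood")


@dataclass(frozen=True)
class LocationRecord:
    """Raw record as collected by the sensors (the data sharer's side)."""
    user_id: str
    room: str
    building: str
    street: str
    neighborhood: str
    observed_at: datetime  # timezone-aware


@dataclass(frozen=True)
class SharingPolicy:
    """What a data observer is allowed to see, chosen by the data sharer.
    The defaults are the privacy-preserving choice: nothing is shared
    until the sharer opts in, and then only at the coarsest level."""
    opted_in: bool = False
    space_level: str = "neighborhood"
    time_bucket: timedelta = timedelta(hours=1)   # round observations down
    identity: str = "anonymous"                   # identified | pseudonym | anonymous
    retention: timedelta = timedelta(days=1)      # lifetime of stored copies


def coarsen_space(rec: LocationRecord, level: str) -> dict:
    """Keep the chosen level and everything coarser; drop finer levels."""
    if level not in SPACE_LEVELS:
        raise ValueError(f"unknown space level {level!r}")
    idx = SPACE_LEVELS.index(level)
    return {name: getattr(rec, name) for name in SPACE_LEVELS[idx:]}


def coarsen_time(ts: datetime, bucket: timedelta) -> datetime:
    """Round a timestamp down to the start of its bucket (e.g. the hour)."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    secs = int((ts - epoch).total_seconds())
    width = int(bucket.total_seconds())
    return epoch + timedelta(seconds=secs - secs % width)


def render_identity(user_id: str, mode: str, observer_id: str) -> Optional[str]:
    """Identity axis: real id, a per-observer pseudonym, or nothing at all."""
    if mode == "identified":
        return user_id
    if mode == "pseudonym":
        # Keyed hash over (observer, user): stable for one observer, so the
        # observer can follow a single sharer over time, but two observers
        # cannot link their pseudonyms without the key.
        mac = hmac.new(PSEUDONYM_KEY, f"{observer_id}|{user_id}".encode(), hashlib.sha256)
        return "pseu-" + mac.hexdigest()[:12]
    if mode == "anonymous":
        return None
    raise ValueError(f"unknown identity mode {mode!r}")


def disclose(rec: LocationRecord, policy: SharingPolicy, observer_id: str) -> Optional[dict]:
    """Return the view the observer receives, or None when nothing is shared."""
    if not policy.opted_in:
        return None  # opt-in default: silence unless the sharer chose otherwise
    view = coarsen_space(rec, policy.space_level)
    view["observed_at"] = coarsen_time(rec.observed_at, policy.time_bucket).isoformat()
    view["subject"] = render_identity(rec.user_id, policy.identity, observer_id)
    return view


def is_expired(rec: LocationRecord, policy: SharingPolicy, now: datetime) -> bool:
    """Retention check: stored copies older than the window must be purged."""
    return now - rec.observed_at > policy.retention


if __name__ == "__main__":
    # Constructed sample record.
    rec = LocationRecord("alice", "B12-304", "Bldg 12", "Elm St",
                         "Riverside", datetime(2024, 5, 6, 14, 37, tzinfo=timezone.utc))
    friends = SharingPolicy(opted_in=True, space_level="street", identity="pseudonym")
    print(disclose(rec, SharingPolicy(), "coworker"))   # None: default is share nothing
    print(disclose(rec, friends, "friend-app"))
```

The design point is that each Table 7 axis becomes an explicit, defaulted field the sharer controls, so the risk analysis maps directly onto reviewable code. Coarsening and pseudonyms lower the value of any single disclosure to a malicious observer but do not make repeated disclosures unlinkable, so the retention window still matters.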
Table 8. Risk Management Questions.

Managing Privacy Risks
- How does the unwanted disclosure take place? Is it an accident (for example, hitting the wrong button)? A misunderstanding (for example, the data sharer thinks they are doing one thing, but the system does another)? A malicious disclosure?
- What are the default settings? Are these defaults useful in preserving one’s privacy?
- In what cases is it easier, more important, or more cost-effective to prevent unwanted disclosures and abuses? Detect disclosures and abuses?
- Are there ways for data sharers to maintain plausible deniability?
- What mechanisms for recourse or recovery are there if there is an unwanted disclosure or an abuse of personal information?
Risk management has long been used to prioritize and evaluate risks and to develop effective countermeasures. The use of risk analysis is less common in the HCI and Human Factors communities, although it has been employed to evaluate risks in systems where humans and computers interact, e.g., aviation. However, only recently have risk analysis models been developed in the HCI literature specifically to tackle privacy issues in IT.
end-user-privacy-in-human-computer-interaction-v57.doc, Page 61 of 85