which is incompatible with the idea of data “decay” proposed by the AIF framework.
Analytic frameworks attempt to answer the question “what is privacy” in a way that is actionable for design purposes. For example, the concept of Multilateral Security is an analysis model for systems with multiple competing security and privacy requirements [214, 247]. One of the innovations of Multilateral Security is that it frames privacy requirements as a special case of security requirements. According to Multilateral Security, security and privacy are elements of the same balancing process among contrasting interests. The aim is to develop technology that is both acceptable to users and profitable for manufacturers and service providers. Multilateral Security asserts that designers must account for all stakeholders’ needs and concerns by:
considering and negotiating conflicting requirements,
respecting individual interests, and
supporting user sovereignty.
Consequently, Multilateral Security highlights the role of designers in producing equitable technology, and that of users who must be “empowered” to set their own security or privacy goals . Multilateral security was applied to several case studies, including a deployment of a prototype mobile application for “reachability” management for medical professionals (i.e., brokering availability to incoming phone calls) .
Table 9. Privacy Dimensions 
Feedback and Control
Different privacy-related systems employ different ratios, degrees, and methods of feedback about and control over the disclosure process.
Surveillance vs. Transaction
Surveillance relates to continuous observation and collection of personal information (e.g., surveillance cameras). Transactions are identifiable events in which personal information is exchanged (e.g., purchase on the internet).
Interpersonal vs. Institutional
Distinction between revealing sensitive information to another person and revealing it to industry or the state. Similar to our distinction of personal privacy and data protection in Section 2.2.2, limited to the recipient of personal information.
The degree of acquaintance of the recipient to the disclosing party and vice-versa.
Persona vs. Activity
Whether the information relates describes the individual (e.g., age, address) or her actions (e.g., crossing an automatic toll booth).
Primary vs. Incidental
Here we distinguish between whether the sensitive information is the primary content or an incidental byproduct of the disclosure.
A different model is offered by Lederer et al.’s deconstruction of the privacy space . According to Lederer et al., privacy issues can be classified along six dimensions (Table
end-user-privacy-in-human-computer-interaction-v57.docPage 66 of 85