personal data processing enterprises and have been adapted to novel technologies, both in the technical literature [116, 191] and in the Data Protection Authority community. Similarly, privacy guidelines, patterns, and risk models could help designers in specific, well delimited, circumstances [61, 156, 235].
A precise description of method applicability is essential. Thus, the toolbox should include a selection process, based on the application domain, the deployment context, and the type of privacy and security issues involved (e.g., personal privacy, data protection, sensitive information, etc.). A credible selection process requires the testing of the various methods’ effectiveness and usefulness, which is by far the most challenging aspect of this idea.
With respect to implementation, design teams are sorely lacking tools, frameworks, and reusable UI components and metaphors for creating privacy-sensitive systems. Examining the evolution of the graphical user interface (GUI) may help chart a research agenda to address this need. Similar to GUI components, we could develop reusable privacy tools, services, and toolkits for building privacy-sensitive UIs. Some possibilities include specialized GUI widgets and interaction techniques for helping end-users manage their personal privacy, new visualizations and user interfaces for helping administrators set privacy policies and manage large collections of personal information, and model-based user interfaces for weaving and enforcing privacy throughout the entire UI.
Developers should also pay attention to seemingly innocuous technologies, which may have unintentionally negative privacy implications (e.g., cookies in web browsers). Verification techniques able to identify these issues upfront, before deployment, would be very beneficial. However, the unpredictable nature of emergent use suggests that systematic techniques for identifying these issues may be very difficult to devise.
Finally, regarding evaluation, design teams need techniques specific to privacy, similar to heuristic evaluation and cognitive walkthrough. There is a general lack of understanding on how to evaluate the quality of a design with respect to privacy. This challenge is exacerbated by the rarity of privacy breaches, by the disconnect between the time and place of the actual privacy breach and when the user becomes aware of it, and by the ever-shifting attitudes and behaviors of users becoming familiar with new technologies.
Several techniques have been employed to address these challenges, such as presenting realistic previews of features (e.g., with the scenarios discussed in section 0), sampling people’s reactions to privacy concerns through remote usability tests and remote surveys, etc. Some work has also already been done on adapting QOC and heuristic evaluation (e.g., Bellotti and Sellen’s QOC technique). Other promising, yet unexplored, approaches are the use of cognitive walkthroughs tailored for privacy, as well as improved methods for conducting user studies to elicit possible privacy concerns. However, work on validating these techniques to assess their effectiveness is necessary before practitioners will be willing to embrace them.
4.4 Better Organizational Practices
The fourth research challenge encompasses the development of tools for managing personal information within organizations.