Privacy-by-designer: Practical Considerations on UX Design for Trust, by Ann Wuyts at PHP.ghent (www.keek.be, @vintfalken)

Page 1: Privacy By Designer (PHP.ghent)

Privacy by Designer
PRACTICAL CONSIDERATIONS ON UX DESIGN FOR TRUST

Page 2: Privacy By Designer (PHP.ghent)

“In God we trust; all others bring data.” - William Edwards Deming

Page 3: Privacy By Designer (PHP.ghent)

We all live in the Age of Context

SHAPED BY MOBILE, SOCIAL MEDIA, DATA, SENSORS AND LOCATION-BASED SERVICES

Page 4: Privacy By Designer (PHP.ghent)

Users expect Personalisation & Personal

EXPERIENCES FOR THE ‘MOST PERSONAL DEVICE EVER’ ARE..

RELEVANT

are you engaging at the right moment?

GLANCEABLE

can you deliver value in milliseconds?

PERSONAL

do you approach people in the right manner?

Page 5: Privacy By Designer (PHP.ghent)

No other Apple device has ever been so connected to the wearer. It is important to be mindful of this connection.

Apple Watch Human Interface Design Guidelines, 2015

Page 6: Privacy By Designer (PHP.ghent)

Machine-to-human relationships are now about human-to-human values

UNDERSTANDING PERSONALISATION

H2H M2H

TRUST PRIVACY

Page 7: Privacy By Designer (PHP.ghent)

The Privacy Challenge

CONCERN ABOUT PRIVACY JUMPED 5 POINTS BETWEEN 2014 AND 2015.

2nd Annual Poll on How Personal Technology is Changing our Lives - January 2015, Microsoft

Page 8: Privacy By Designer (PHP.ghent)

Loss of control

PRIVACY CHALLENGE: USER POINT OF VIEW

91% of adults ‘agree’ or ‘strongly agree’ that consumers have lost control over how personal information is collected and used by companies.

Pew Research Privacy Panel Survey, January 2014

Page 9: Privacy By Designer (PHP.ghent)

Lack of Transparency

PRIVACY CHALLENGE: USER POINT OF VIEW

People are fearful of sharing their data largely because companies and government have not been good at clearly explaining how they use it.

Data Dialog, Demos 2012

Page 10: Privacy By Designer (PHP.ghent)

Lack of Knowledge (aka Privacy and PETs are ‘too difficult’)

PRIVACY CHALLENGE: USER POINT OF VIEW

54% believe it would be “somewhat” or “very” difficult to find tools and strategies that would help them be more private online and in using their cell phones

• 13% unaware of search engines that do not keep track of a user’s search history
• 31% unaware that email encryption programs such as PGP exist
• 31% unaware of privacy-enhancing browser plug-ins
• 39% unaware of anonymity software such as Tor

Pew Research, 2015

Page 11: Privacy By Designer (PHP.ghent)

Everyday privacy measures that do catch on

ON THE BRIGHT SIDE: LESS TECHNICAL WAYS OF OPTING OUT OF DATA COLLECTION

• Clearing cookies or browser history: 59%
• Refusing to provide information about themselves that wasn’t relevant to the transaction: 57%
• Set their browser to disable or turn off cookies: 34%
• Deleted or edited something they posted in the past: 29%
• Used a temporary username or email address: 25%
• Giving inaccurate or misleading information about themselves: 24%
• Decided not to use a website because they asked for their real name: 23%
• Used a public computer to browse anonymously: 12%
• Asked someone to remove something that was posted about themselves online: 11%

Page 12: Privacy By Designer (PHP.ghent)

the Facebook paradox

• 91% of adults feel consumers have lost control over how personal information is collected and used by companies.

• 58% of the entire adult population (and 71% of internet users) is on Facebook.

Page 13: Privacy By Designer (PHP.ghent)

Privacy VS. User Experience

#FALSE – HOW DO YOU DEFINE A BETTER PRODUCT? CONTEXT? DATA QUALITY?

The truth is that collecting information about people allows you to make significantly better products and the more information you collect, the better products you can build.

Dustin Curtis, “Privacy VS. User Experience” (2014)

Page 14: Privacy By Designer (PHP.ghent)

Privacy is a fundamental component of the product experience

BUSINESSES CAN DELIVER A GRAND USER EXPERIENCE AND TREMENDOUS VALUE ONLY IF THEY SAFEGUARD THEIR USERS’ PRIVACY AND SECURITY

BUSINESS VALUE

CONSUMER VALUE

PRIVACY

GREAT UX personalisation

Page 15: Privacy By Designer (PHP.ghent)

Being credible

BEING CREDIBLE HAS ALWAYS BEEN IMPORTANT FOR A GOOD USER EXPERIENCE

useful

usable desirable

credible

valuable

findable accessible

User Experience Honeycomb (Peter Morville)

CREDIBILITY 2004 the information you present to users

CREDIBILITY 2015 taking responsibility to keep personal data safe

Page 16: Privacy By Designer (PHP.ghent)

Privacy by designer

DELIVER BOTH PERSONALISATION AND TRUST

We owe it to both our users and the people who hire us to actively think about privacy, and to implement privacy in the flows and designs we deliver.

A. We need to deliver great, personal experiences.

B. We need to deliver trustworthy products.

Page 17: Privacy By Designer (PHP.ghent)

What is Privacy?

PRIVACY IS BROAD
PRIVACY IS A RIGHT
PRIVACY IS NOT DEAD

Personal Data

LAWS AND SUCH

• The Universal Declaration of Human Rights (Art 12)
• Europe: Directive 95/46/EC
• Belgium: Privacy Act (1992, 1998 & KBs)
• Telecommunication law
• …

European Privacy Watchdogs & Facebook

GDPR: New EU legislation in the works

“If data is the new oil, privacy is the new green.”

Page 18: Privacy By Designer (PHP.ghent)

Any information

This is not limited to data regarding an individual’s privacy; it also covers data relating to a person's professional or public life. E.g. name, a picture, a telephone number (professional number too), a code, a bank account number, an e-mail address, a fingerprint, …

PERSONAL DATA IS ANY INFORMATION (RELATING TO)* AN IDENTIFIED OR IDENTIFIABLE NATURAL PERSON
* OFTEN DEPENDS ON CONTEXT

• Object data vs personal data (e.g. license plate)
• Unique biometric data is always personal data (e.g. fingerprint, DNA)

DATA SUBJECT

PERSONAL DATA RELATES TO

Page 19: Privacy By Designer (PHP.ghent)

Identifiable evolves

IDENTIFIABILITY = WHEN VALUE > COST

value of knowing

cost of identifying

Page 20: Privacy By Designer (PHP.ghent)

IP address

AN IP ADDRESS BY ITSELF WILL UNDER THE GDPR NO LONGER BE ‘PERSONAL DATA’ BY DEFAULT (UNLESS YOU ARE AN ISP)

Page 21: Privacy By Designer (PHP.ghent)

Counter measures

Not personal information when measures are taken which reasonably rule out identification of a person

• Anonymisation
• Key-coded data (clinical research)
• Data masking/obfuscation (for development)
• Granularity

Page 22: Privacy By Designer (PHP.ghent)

Beware: location

Special data which under the GDPR will require extra safety measures (as is data on children)

avoid when possible

geohashes

coarse location
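
One way to apply the "geohashes" and "coarse location" advice, as an added example that is not part of the original talk: store a short geohash instead of raw coordinates, and check that each coarse cell is actually shared by several users. The function names, the precision of 5, the threshold `k` and the sample records are assumptions made for illustration; the sparse-cell check goes a step beyond what the slide states.

```python
from collections import defaultdict

BASE32 = "0123456789bcdefghjkmnpqrstuvwxyz"  # standard geohash alphabet


def geohash_encode(lat, lon, precision):
    """Standard geohash: alternate longitude/latitude bisection, 5 bits per character."""
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        raise ValueError("coordinates out of range")
    ranges = {True: [-180.0, 180.0], False: [-90.0, 90.0]}  # True = longitude turn
    chars, value, nbits, lon_turn = [], 0, 0, True
    while len(chars) < precision:
        rng = ranges[lon_turn]
        coord = lon if lon_turn else lat
        mid = (rng[0] + rng[1]) / 2
        value <<= 1
        if coord >= mid:
            value |= 1
            rng[0] = mid   # point lies in the upper half
        else:
            rng[1] = mid   # point lies in the lower half
        lon_turn = not lon_turn
        nbits += 1
        if nbits == 5:     # every 5 bits become one base32 character
            chars.append(BASE32[value])
            value, nbits = 0, 0
    return "".join(chars)


def cell_extent_degrees(precision):
    """(latitude, longitude) size of one cell in degrees at this precision."""
    bits = 5 * precision
    lat_bits, lon_bits = bits // 2, (bits + 1) // 2  # longitude gets the odd bit
    return 180.0 / 2 ** lat_bits, 360.0 / 2 ** lon_bits


def sparse_cells(records, precision, k):
    """Cells holding fewer than k distinct users: coarse, but still identifying."""
    users = defaultdict(set)
    for user_id, lat, lon in records:
        users[geohash_encode(lat, lon, precision)].add(user_id)
    return sorted(cell for cell, ids in users.items() if len(ids) < k)


# Constructed sample data: (user id, latitude, longitude).
RECORDS = [
    ("user-a", 57.64911, 10.40744),
    ("user-b", 57.64950, 10.40800),
    ("user-c", 51.20000, 4.40000),
]

if __name__ == "__main__":
    for user_id, lat, lon in RECORDS:
        print(user_id, geohash_encode(lat, lon, 5))  # persist this, not lat/lon
    print("cell size (deg):", cell_extent_degrees(5))
    print("cells with < 2 users:", sparse_cells(RECORDS, 5, 2))
```

A cell reported by `sparse_cells` should be stored at a shorter precision (a geohash prefix is the enclosing, larger cell) or not stored at all.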

Page 23: Privacy By Designer (PHP.ghent)

Stay clear: sensitive data

• race
• political opinions
• religious or philosophical beliefs
• trade-union membership
• health
• sex life
• prosecutions or criminal or administrative convictions

Prohibited to collect, register or ask to disclose. (exceptions apply, but then additional safeguards are required)

Page 24: Privacy By Designer (PHP.ghent)

What about republication?

Photographs and personal information published online may only be re-used if consent is given.

• different context
• different purpose

=> context & purpose apply to recycling as well

(In case of scraping, copyright and database law are relevant too.)

Page 25: Privacy By Designer (PHP.ghent)

Your responsibilities as Controller

• Ensure the quality of the data: The data being processed have to be exact and, if necessary, kept up-to-date.

• Ensure the confidentiality of the data: Responsibility to inform and make sure that the individuals working under his authority only have access to and make use of the data they need to perform their duties.

• Ensure the protection of the data: From unwanted internal or external curiosity, as well as from unauthorised processing operations. Security measures can be organizational (restriction of the number of individuals having access to the data, use of access codes, locking offices with computers and data files, etc.) and technical. (!) The more sensitive the data and the higher the risks for the data subject are, the more precautions have to be taken. (see ‘information security’ on privacycommission.be)

• Erasure of data: Personal data must not be kept in a form allowing for identification of the data subjects any longer than necessary for the purpose aimed at.

+ BEFORE PROCESSING OF DATA: NOTIFICATION

Page 26: Privacy By Designer (PHP.ghent)

In case of breach

CONSIDER A BREACH LIKELY – AND PREPARE ACCORDINGLY

• Do not play the victim
• Be accountable
• Take ownership
• Express regret

crisis communications (works for downtime communication too)

1. What happened? (tell what you know at that time)

2. What is being done *NOW*? (investigate, take systems offline, ..)

3. How does this affect your customers? (both short- and long term)

4. What are you doing to minimize risk? What can your customers do?

5. How do people get more information or updates?

(follow up) 6. What are you doing to prevent this from happening again?

Page 27: Privacy By Designer (PHP.ghent)

Design for explicit

OPT-IN & COOKIELAW

By signing this contract, you agree we have the right to collect and pass on all your information. In case you do not want your bank to pass on your credit information to third partners and other divisions, please write ‘I do not agree’ on the contract and hand it over to the person behind the till.

EXPLICIT EXPLICIT NOT EXPLICIT (hidden opt-out)

NO YES

IF YOU AGREE, PLEASE CHECK THIS BOX:

Page 28: Privacy By Designer (PHP.ghent)

Design for informed

NO SURPRISES

Page 29: Privacy By Designer (PHP.ghent)

Design for choice

CONSENT

In your designs and flows, take into account both having and not having the data.

Design personalized experiences for when you have data.

Design good alternatives for not having the data.

Today will be sunny

Weather for Olen, Belgium where we know you live.

Check out the weather!

Antwerpen

Page 30: Privacy By Designer (PHP.ghent)

Privacy as a Trading Function?

Customer Data: Designing for Transparency and Trust, by Timothy Morey, Theodore Forbath and Allison Schoop, May 2015 (Harvard Business Review)

Page 31: Privacy By Designer (PHP.ghent)

Design for trust

CLEAR & CONSISTENT, SO PEOPLE CAN TRUST YOU TO POINT OUT PRIVACY RELATED FEATURES & SETTINGS.

Page 32: Privacy By Designer (PHP.ghent)

The EU proposed icons: privacy-by-design taken too literally (how’s that for creepiness factor?)

Page 33: Privacy By Designer (PHP.ghent)

Design for because

EXPLAIN YOUR MAGIC

When users know of the existence of a certain algorithm, their satisfaction with the product increases over time, probably as they start to understand its workings better. Yet when they discovered an algorithm they were previously unaware of, users felt betrayed.

Page 34: Privacy By Designer (PHP.ghent)

WORST CASE SCENARIO

“In the extreme case, it may be that whenever a software developer in Menlo Park adjusts a parameter, someone somewhere wrongly starts to believe themselves to be unloved.”

– Eslami et al.

Page 35: Privacy By Designer (PHP.ghent)

Because allows people to correct you when you are wrong. Something we best figure out before algorithms get to act on our behalf.

Page 36: Privacy By Designer (PHP.ghent)

Design for transparency

Show people their data selves

If we are going to allow algorithms and expert rules to steer our behaviour, we must know they understand that correctly. Allow for:
- Correction
- Reset

Page 37: Privacy By Designer (PHP.ghent)

Reflect all data collected in functionality

Page 38: Privacy By Designer (PHP.ghent)

Design for forming secure habits

BURNER ACCOUNTS

Kinja introduced these for anonymous commenting. They made private keys understandable through metaphor.

“…if you lose the burner key initially issued we will not be able to retrieve this information for you or reset the account. Save your key.”

Page 39: Privacy By Designer (PHP.ghent)

REWARD SECURE BEHAVIOUR

Users that enable two-step security on their accounts will now receive a 10% discount off their monthly Mailchimp bill.

Page 40: Privacy By Designer (PHP.ghent)

Design to encourage privacy

ACCESS DURATION

People forget to ‘revoke’ things. Supply limited time access options:

WeChat: location discoverable for 10 minutes (default)

LinkedIn: access duration settings (weeks -> months -> years)

Page 41: Privacy By Designer (PHP.ghent)

Design for an exit

MAKE IT EASY TO LEAVE BUT CONVINCE THEM TO STAY

Think about WHY people are leaving, and offer alternatives.

• “snooze” services
• less-email-option
• reset profile/account
• ..

(and remember data portability!)

Page 42: Privacy By Designer (PHP.ghent)

Do you want to know if your friends are (action/mood/..) ?

Do you want your friends to know if you are (action/mood/..) ?

Don’t allow OK

Design with peer-to-peer privacy in mind. Ask the right question: not do you want to see, but are you willing for others to see..

Page 43: Privacy By Designer (PHP.ghent)

When in doubt…

STEP 1: ASK YOUR USER – PRIVACY DOES NOT BENEFIT FROM A “DO FIRST ASK FORGIVENESS LATER” STRATEGY

Build it so a user always has the option to tell you to go bugger off.

Page 44: Privacy By Designer (PHP.ghent)

When in doubt…

STEP 2: USE COMMON SENSE AND AS LITTLE DATA AS POSSIBLE

PERSONAL DATA

Less is more: in quantity and detail, but also in time

Page 45: Privacy By Designer (PHP.ghent)

When in doubt…

STEP 3: ASK THE EXPERTS

Belgian Privacy Commission www.privacycommission.be

Article 29 Working Party Opinions & recommendations

Page 46: Privacy By Designer (PHP.ghent)

We influence what is acceptable. So let’s make good, proportional stuff.