A Case for Expectation Informed Design
Presented by: Marie Joan Kristine T. Gloria
Ph.D. Student in Cognitive Science at RPI & in affiliation with the Cybersecurity & Internet Policy
Initiative at MIT-CSAIL
Tetherless World Constellation at Rensselaer Polytechnic Institute
PrivOn Workshop | ISWC 2015 | October 2015
Agenda
I. Problem & Motivation
II. Expectations: understanding choice & consent
III. Eliciting Expectation Project
IV. Preliminary Analysis & Insights
V. Future Work
Pew Internet Studies. 2015. “AMERICANS’ ATTITUDES ABOUT PRIVACY, SECURITY AND SURVEILLANCE”. 19 May 2015. http://pewrsr.ch/1MhwUFI
From data breaches (e.g. Anthem, Home Depot, etc.) to unauthorized
surveillance, consumer privacy is plagued by violations. Yet, the amount of
data online continues to increase.
The thesis is motivated by this divergence between our collective
understanding of its value in society and our individual ability to protect it.
Problem & Motivation
What expectation?
Problem & Motivation
Expectations: understanding choice &
consent
Technical
Social (legal)*
Behavioral
*This talk centers around U.S. legal standards and public policies
Vroom’s (1964) expectancy theory postulates how an individual chooses between
alternative forms of behavior within a decision-making scenario. The theory has three
main components: [1]
[1] Vroom, V.H. Work and Motivation. New York: Wiley, 1964.
Expectations: cognitive psychology POV
Expectancy [effort] x Instrumentality [performance] x Valence [rewards] = Motivational Force
When multiplied together, these three components result in a “motivational force,”
which directs specific behavioral alternatives.
Expectations: cognitive psychology POV
Vroom (1964)
“Work & Motivation”
Laufer & Wolfe (1977)
“calculus - the cognitive trade off
among situational constraints”
Culnan & Armstrong (1999)
decisions are negatively affected by
anticipated costs of potential
privacy violation
Dinev & Hart (2006)
“privacy calculus - frames
information disclosure as a tradeoff
of benefits and risks”
McCarthy (2010)
Xu & Gupta (2009)
Acquisti & Grossklags (2007)
Norberg & Horne (2007)
Keith et al. (2013)
• Individuals act in ways that they expect will maximize positive outcomes
and minimize negative ones.
• Expected Utility Hypothesis (Friedman and Savage, 1952)
• Individuals are assumed to be “rational” because they make decisions based
on a cost/benefit tradeoff, engaging in “utility maximization” decision
making
• Perceived privacy risks reduce disclosure intentions while perceived benefits
of information disclosure increase intentions (Dinev & Hart, 2006)
• Privacy paradox: individuals who claim to disclose information still
demonstrate relatively higher levels of actual information disclosure (Acquisti
& Grossklags, 2006)
Information Privacy Studies: Traditional Approaches to Contemporary
Hypotheses
Expectations: U.S. Legal POV
The notion of privacy trade-offs and consumer expectation permeates both
legal scholarship as well as corporate technology management practices. [2]
[2] Bamberger, K. A., & Mulligan, D. K. (2011). Privacy on the Books and on the Ground. Stanford Law Review, 63.
Layers of legal protection
Federal (e.g. 1st Amendment, 4th Amendment, HIPAA, COPPA, ECPA, GLBA, FCRA, FERPA, CISA, DMCA, ECPA, CFAA, etc.)
State (e.g. State Constitutions, statute - CA SB 568 “Privacy Rights for California Minors in the Digital World”, CalECPA, etc.)
Expectations: U.S. Legal POV
Ex: Fourth Amendment:
surveillance issues: police and government search
“expectation of privacy” legal test
Subjective expectation of privacy – a certain individual's opinion
that a certain location or situation is private; demonstrating
actions to ensure evidence was meant to be private
Objective, legitimate, reasonable expectation of privacy – An
expectation of privacy generally recognized by society (e.g.
garbage cans)
Expectations: U.S. Legal POV
Ex: Consumer Privacy Bill of Rights [3]
[3] White House. 2015. Administration Discussion Draft: Consumer Privacy Bill of Rights Act of 2015. Last accessed 2 May 2015.
https://www.whitehouse.gov/sites/default/files/omb/legislative/letters/cpbr-act-of-2015-discussion-draft.pdf
The Principle, Respect for Context (Sec. 103), states that “consumers
have a right to expect that organizations will collect, use, and
disclose personal data in ways that are consistent with the context in
which consumers provide the data.”

It outlines for companies a required set of considerations including
“research on consumers’ attitudes and understandings”.

The principle also suggests that context should “help determine which
personal data uses are likely to raise the greatest consumer privacy
concerns.”
Expectations: Technical manifestation
Three Privacy Research Paradigms in Computer Science [4]

Privacy as Confidentiality: “Hiding”
• Autonomous (digital) sphere
• Data about persons is protected so that unauthorized others cannot access it

Privacy as Control: “Information Self-Determination”
• User control - what is shared and how it is used
• Identity Management Systems

Privacy as Practice: “Identity Construction”
• Intervene in the flows of existing data; re-negotiate boundaries
• Require: feedback, intervention
[4] Gurses, S. (2010). “Multilateral Privacy Requirements Analysis.” Dissertation. Arenberg Doctoral School of
Science, Engineering & Technology. Faculty of Engineering Department of Computer Science
Q1: If an individual has no expectation of privacy, then
what type of information disclosure behaviors manifest
online? and why?
Eliciting Expectations Project
We simply ask:
What are these expectations of privacy, if any; and
How do we measure for them?
What we learned from the pilot study & focus groups:
• Administered the pilot study using a snowball sample on Facebook and email
• Two focus groups (consisting of freshman to senior RPI undergrads) were also queried about the survey and its structure
Changes made:
• Discarded the “digital natives” sample due to lack of responses to the two case scenarios
• Health device: not interested in tracking health & lack of expendable income to purchase device
• Mobile payment systems: skewed heavily towards older students/participants; lack of access to personal income, thus no need for such apps
• Likert scale was adjusted to a 4-point scale in order to force participant answers beyond neutral
• Discarded “health device application” scenario in order to focus only on mobile payment systems
Eliciting Expectations Project v2
Survey Basics: [ IRB Approved 1422 ]
• Comprised of 3 main sections
  • Section 1: evaluates expert vs. novice participants
  • Section 2: explores across three levels of expectations
  • Section 3: demographics
• Participant will answer 51 questions (approx. 20 minutes to complete)
• Dependencies: expert vs. novice
• Two case studies:
  • location based services (e.g. Google Maps, FourSquare, etc.)
  • mobile payment systems (e.g. Square Cash, Apple Pay, etc.)
• Upon completing the survey, participants may be asked to volunteer in a semi-structured interview
• Utilizes Qualtrics survey platform
• Sampling: convenience
QR: To what extent does a user’s knowledge of and preference for how data is
used impact his or her own information disclosure behaviors?
section I
Determines “expert” vs. “novice” participants.
Borrows from Rogers (2003) the following measurement categories of Internet Expertise [5]:
Conative: What users “do” online - time and habits online
Cognitive: What users “think” online - technical and privacy knowledge
Affect: What the user “feels” online - feeling and attitudes while online

Category | Scale levels
Conative | High Activity level | Mid-Activity level | Low Activity level
Cognitive | A | C | F (alpha-grading similar to quizzes)
Affective | Positive | Neutral | Negative

[5] Rogers, B.L. Measuring Online Experience: It’s About More Than Time! Usability News, 5.2, 2003. Last accessed 1 April 2015. http://psychology.wichita.edu/surl/usabilitynews/52/experience.htm
section II
Explores the three levels of privacy expectations
Grounded in legal theory and prior survey items:
• Expectations of privacy (EP): What a person’s expectations of privacy are and what privacy rights should be expected.
• Expectations of violations (EV): What a person thinks will/can happen when privacy rights are violated.
• Expectations of agency (EA): What a person thinks he/she can do to control or protect his/her privacy rights.
Hypothesis: Expectations are non-conditional of expertise or novice level traits. [6, 7]

Informant Group | Expectation of Privacy (EP) | Expectation of Violation (EV) | Expectation of Agency (EA)
Experts | no effect | no effect | no effect
Novice | no effect | no effect | no effect
[6] Kang, R., Dabbish, L., Fruchter, N., & Kiesler, S. (2015). “My Data Just Goes Everywhere”: User Mental Models of the
Internet and Implications for Privacy & Security. 11th Annual Symposium on Usable Privacy and Security. Ottawa, Canada.
https://www.usenix.org/system/files/conference/soups2015/soups15-paper-kang.pdf
[7] Monteleone, S., van Bavel, R., Rodríguez-Priego, N., & Esposito, G. (2015). “Nudges to Privacy Behaviour:
Exploring an Alternative Approach to Privacy Notices?” JRC Science and Policy Report. EU Commission.
http://publications.jrc.ec.europa.eu/repository/bitstream/JRC96695/jrc96695.pdf
Informant Group | Expectation of Privacy (EP) | Expectation of Violation (EV) | Expectation of Agency (EA)
Legal Professionals (e.g. lawyers, policymakers, etc.) | HIGH | HIGH | Neutral
• First batch of informants: legal practitioners, policymakers, etc.
• Survey distribution:
  • Convenience: via email & surveillance-coalition mailing list
• 11 total survey responses as of Aug 2015
  • 10 chose the location-based mobile scenario
  • 1 chose the mobile payment system
• Descriptive statistical analysis for the location-based respondents
Preliminary Analysis & Insights
Expectation of Privacy (EP)
When asked to indicate a level of agreement with the following statement:
“I agree that my location data should be collected and shared by third
parties in order to...”
Respondents disagreed or strongly disagreed with four of the five conditions with
the fifth condition receiving 5 “agree” responses.
Expectation of Violations (EV)
When asked to indicate a level of agreement with the following statement:
“My personal identity is private and cannot be discovered and or used in
nefarious ways by unauthorized persons.”
Preliminary Analysis & Insights
• CAVEAT: small dataset & not representative - still gathering data
• What we’ve learned so far...
  • a) transparency and openness overlook concerns of exposure;
  • b) a continued and problematic underestimation of the consumer [8]; and,
  • c) the need for relevance, respect and integrity as elements of context.
[8] Turow, J., Hennessy, M., and Drape, N. The Tradeoff Fallacy: How Marketers Are Misrepresenting American
Consumers and Opening Them up to Exploitation. Annenberg School for Communication University of Pennsylvania.
(2015). https://www.asc.upenn.edu/sites/default/files/TradeoffFallacy_1.pdf
FUTURE WORK
• Continued data gathering for general survey
• Drill-down experiment: behavioral tracking on mobile
devices
• Open questions:
• How confident are we that the methods used to evaluate user
expectations are fit for purpose?
•How can this be helpful in shaping public policy regarding
the purpose and use of data?
Thank You &
Questions?
Email: glorim@rpi.edu
@gloriakt

More Related Content

What's hot

A foundation for breach data analysis
A foundation for breach data analysisA foundation for breach data analysis
A foundation for breach data analysis
Alexander Decker
 
Integration of Bayesian Theory and Association Rule Mining in Predicting User...
Integration of Bayesian Theory and Association Rule Mining in Predicting User...Integration of Bayesian Theory and Association Rule Mining in Predicting User...
Integration of Bayesian Theory and Association Rule Mining in Predicting User...
Editor IJCATR
 
Pew Study: The Future Of The Internet
Pew Study: The Future Of The InternetPew Study: The Future Of The Internet
Pew Study: The Future Of The Internet
David O'Reilly
 

What's hot (20)

Data ethics for developers
Data ethics for developersData ethics for developers
Data ethics for developers
 
Niso library law
Niso library lawNiso library law
Niso library law
 
SemTech West 2011 - Digital Provenance
SemTech West 2011 - Digital ProvenanceSemTech West 2011 - Digital Provenance
SemTech West 2011 - Digital Provenance
 
Managing Confidential Information – Trends and Approaches
Managing Confidential Information – Trends and ApproachesManaging Confidential Information – Trends and Approaches
Managing Confidential Information – Trends and Approaches
 
Kato Mivule: COGNITIVE 2013 - An Overview of Data Privacy in Multi-Agent Lear...
Kato Mivule: COGNITIVE 2013 - An Overview of Data Privacy in Multi-Agent Lear...Kato Mivule: COGNITIVE 2013 - An Overview of Data Privacy in Multi-Agent Lear...
Kato Mivule: COGNITIVE 2013 - An Overview of Data Privacy in Multi-Agent Lear...
 
‘Personal data literacies’: A critical literacies approach to enhancing under...
‘Personal data literacies’: A critical literacies approach to enhancing under...‘Personal data literacies’: A critical literacies approach to enhancing under...
‘Personal data literacies’: A critical literacies approach to enhancing under...
 
Ethics in Data Science and Machine Learning
Ethics in Data Science and Machine LearningEthics in Data Science and Machine Learning
Ethics in Data Science and Machine Learning
 
A foundation for breach data analysis
A foundation for breach data analysisA foundation for breach data analysis
A foundation for breach data analysis
 
Me and My Big Data Project
Me and My Big Data Project Me and My Big Data Project
Me and My Big Data Project
 
Data and Ethics: Why Data Science Needs One
Data and Ethics: Why Data Science Needs OneData and Ethics: Why Data Science Needs One
Data and Ethics: Why Data Science Needs One
 
Reproducibility from an infomatics perspective
Reproducibility from an infomatics perspectiveReproducibility from an infomatics perspective
Reproducibility from an infomatics perspective
 
Driving Digital Health in the Thai Society (September 13, 2019)
Driving Digital Health in the Thai Society (September 13, 2019)Driving Digital Health in the Thai Society (September 13, 2019)
Driving Digital Health in the Thai Society (September 13, 2019)
 
Philosophical Aspects of Big Data
Philosophical Aspects of Big DataPhilosophical Aspects of Big Data
Philosophical Aspects of Big Data
 
State of the Art Informatics for Research Reproducibility, Reliability, and...
 State of the Art  Informatics for Research Reproducibility, Reliability, and... State of the Art  Informatics for Research Reproducibility, Reliability, and...
State of the Art Informatics for Research Reproducibility, Reliability, and...
 
A Proactive Approach in Network Forensic Investigation Process
A Proactive Approach in Network Forensic Investigation ProcessA Proactive Approach in Network Forensic Investigation Process
A Proactive Approach in Network Forensic Investigation Process
 
интернет
интернетинтернет
интернет
 
Integration of Bayesian Theory and Association Rule Mining in Predicting User...
Integration of Bayesian Theory and Association Rule Mining in Predicting User...Integration of Bayesian Theory and Association Rule Mining in Predicting User...
Integration of Bayesian Theory and Association Rule Mining in Predicting User...
 
2013: The Connected Workplace
2013: The Connected Workplace2013: The Connected Workplace
2013: The Connected Workplace
 
Future%20of%20internet%202010%20 %20 Aaas%20paper
Future%20of%20internet%202010%20 %20 Aaas%20paperFuture%20of%20internet%202010%20 %20 Aaas%20paper
Future%20of%20internet%202010%20 %20 Aaas%20paper
 
Pew Study: The Future Of The Internet
Pew Study: The Future Of The InternetPew Study: The Future Of The Internet
Pew Study: The Future Of The Internet
 

Similar to A Case for Expectation Informed Design - Full

ETHICAL ISSUES WITH CUSTOMER DATA COLLECTION
ETHICAL ISSUES WITH CUSTOMER DATA COLLECTIONETHICAL ISSUES WITH CUSTOMER DATA COLLECTION
ETHICAL ISSUES WITH CUSTOMER DATA COLLECTION
Pranav Godse
 
Evidence Based Healthcare Design
Evidence Based Healthcare DesignEvidence Based Healthcare Design
Evidence Based Healthcare Design
Carmen Martin
 
Panel Cyber Security and Privacy without Carrie Waggoner
Panel Cyber Security and Privacy without Carrie WaggonerPanel Cyber Security and Privacy without Carrie Waggoner
Panel Cyber Security and Privacy without Carrie Waggoner
mihinpr
 

Similar to A Case for Expectation Informed Design - Full (20)

[AIIM18] GDPR: whose job is it now? - Paul Lanois
[AIIM18] GDPR: whose job is it now? - Paul Lanois[AIIM18] GDPR: whose job is it now? - Paul Lanois
[AIIM18] GDPR: whose job is it now? - Paul Lanois
 
ETHICAL ISSUES WITH CUSTOMER DATA COLLECTION
ETHICAL ISSUES WITH CUSTOMER DATA COLLECTIONETHICAL ISSUES WITH CUSTOMER DATA COLLECTION
ETHICAL ISSUES WITH CUSTOMER DATA COLLECTION
 
Anonos NTIA Comment Letter letter on ''Big Data'' Developments and How They I...
Anonos NTIA Comment Letter letter on ''Big Data'' Developments and How They I...Anonos NTIA Comment Letter letter on ''Big Data'' Developments and How They I...
Anonos NTIA Comment Letter letter on ''Big Data'' Developments and How They I...
 
Participant Consent and Withdrawal when using publicly archived data
Participant Consent and Withdrawal when using publicly archived dataParticipant Consent and Withdrawal when using publicly archived data
Participant Consent and Withdrawal when using publicly archived data
 
Evidence Based Healthcare Design
Evidence Based Healthcare DesignEvidence Based Healthcare Design
Evidence Based Healthcare Design
 
Chapter 3
Chapter 3Chapter 3
Chapter 3
 
Review questions
Review questionsReview questions
Review questions
 
Ethics and Big Data
Ethics and Big Data Ethics and Big Data
Ethics and Big Data
 
Panel Cyber Security and Privacy without Carrie Waggoner
Panel Cyber Security and Privacy without Carrie WaggonerPanel Cyber Security and Privacy without Carrie Waggoner
Panel Cyber Security and Privacy without Carrie Waggoner
 
A Lifecycle Approach to Information Privacy
A Lifecycle Approach to Information PrivacyA Lifecycle Approach to Information Privacy
A Lifecycle Approach to Information Privacy
 
Data set Legislation
Data set   Legislation Data set   Legislation
Data set Legislation
 
From Law to Code: Translating Legal Principles into Digital Rules
From Law to Code: Translating Legal Principles into Digital RulesFrom Law to Code: Translating Legal Principles into Digital Rules
From Law to Code: Translating Legal Principles into Digital Rules
 
IT risk discusion qustion.pdf
IT risk discusion qustion.pdfIT risk discusion qustion.pdf
IT risk discusion qustion.pdf
 
Privacy in the Digital Age, Helen Cullyer
Privacy in the Digital Age, Helen CullyerPrivacy in the Digital Age, Helen Cullyer
Privacy in the Digital Age, Helen Cullyer
 
INFORMATION WANTS SOMEONE ELSE TO PAY FOR IT : AS SCIENCE AND SCHOLARSHIP EVO...
INFORMATION WANTS SOMEONE ELSE TO PAY FOR IT : AS SCIENCE AND SCHOLARSHIP EVO...INFORMATION WANTS SOMEONE ELSE TO PAY FOR IT : AS SCIENCE AND SCHOLARSHIP EVO...
INFORMATION WANTS SOMEONE ELSE TO PAY FOR IT : AS SCIENCE AND SCHOLARSHIP EVO...
 
Data and ethics Training
Data and ethics TrainingData and ethics Training
Data and ethics Training
 
iSPIRT's Response on Digital Information Security in Healthcare Act (DISHA)
iSPIRT's Response on Digital Information Security in Healthcare Act (DISHA)iSPIRT's Response on Digital Information Security in Healthcare Act (DISHA)
iSPIRT's Response on Digital Information Security in Healthcare Act (DISHA)
 
Ethical and social issues in information systems
Ethical and social issues in information systemsEthical and social issues in information systems
Ethical and social issues in information systems
 
AI and Legal Tech in Context: Privacy and Security Commons
AI and Legal Tech in Context: Privacy and Security CommonsAI and Legal Tech in Context: Privacy and Security Commons
AI and Legal Tech in Context: Privacy and Security Commons
 
Marcus Comiter, "Data Policy for Internet of Things Healthcare Devices: Align...
Marcus Comiter, "Data Policy for Internet of Things Healthcare Devices: Align...Marcus Comiter, "Data Policy for Internet of Things Healthcare Devices: Align...
Marcus Comiter, "Data Policy for Internet of Things Healthcare Devices: Align...
 

More from gloriakt

More from gloriakt (7)

Big Data: A Survey of Technical and Sociotechnical Concepts
Big Data: A Survey of Technical and Sociotechnical ConceptsBig Data: A Survey of Technical and Sociotechnical Concepts
Big Data: A Survey of Technical and Sociotechnical Concepts
 
Building A Web Observatory Extension: Schema.org
Building A Web Observatory Extension: Schema.orgBuilding A Web Observatory Extension: Schema.org
Building A Web Observatory Extension: Schema.org
 
Studying Cybercrime: Raising Awareness of Objectivity & Bias
Studying Cybercrime: Raising Awareness of Objectivity & BiasStudying Cybercrime: Raising Awareness of Objectivity & Bias
Studying Cybercrime: Raising Awareness of Objectivity & Bias
 
Issues: What the Web Can Tell us About Human Behavior
Issues: What the Web Can Tell us About Human BehaviorIssues: What the Web Can Tell us About Human Behavior
Issues: What the Web Can Tell us About Human Behavior
 
Performativity of Data
Performativity of Data Performativity of Data
Performativity of Data
 
Multiple Truths of the Semantic Web - Web Science 2013
Multiple Truths of the Semantic Web - Web Science 2013Multiple Truths of the Semantic Web - Web Science 2013
Multiple Truths of the Semantic Web - Web Science 2013
 
WOW13_RPITWC_Web Observatories
WOW13_RPITWC_Web ObservatoriesWOW13_RPITWC_Web Observatories
WOW13_RPITWC_Web Observatories
 

Recently uploaded

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Recently uploaded (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

A Case for Expectation Informed Design - Full

  • 1. A Case for Expectation Informed Design Presented by: Marie Joan Kristine T. Gloria Ph.D. Student in Cognitive Science at RPI & in affiliation with the Cybersecurity & Internet Policy Initiative at MIT-CSAIL Tetherless World Constellation at Rensselaer Polytechnic Institute PrivOn Workshop | ISWC 2015 | October 2015
  • 2. Agenda I. Problem & Motivation II. Expectations: understanding choice & consent III. Eliciting Expectation Project IV. Preliminary Analysis & Insights V. Future Work
  • 3. Pew Internet Studies. 2015. “AMERICANS’ ATTITUDES ABOUT PRIVACY, SECURITY AND SURVEILLANCE”. 19 May 2015. http://pewrsr.ch/ 1MhwUFI
  • 4. From data breaches (e.g. Anthem, Home Depot, etc.) to unauthorized surveillance, consumer privacy is plagued by violations. Yet, the amount of data online continues to increase. ! The thesis is motivated by this divergence between our collective understanding of its value in society and our individual ability to protect it. Problem & Motivation
  • 6. Expectations: understanding choice & consent Technical Social (legal)* Behavioral *This talk centers around U.S. legal standards and public policies
  • 7. Vroom’s (1964) expectancy theory postulates how an individual chooses between alternative forms of behavior within a decision-making scenario. The theory has three main components:1 [1] Vroom, V.H. Work and Motivation. New York: Wiley, 1964. Expectations: cognitive psychology POV Expectancy [effort] x Instrumentality [performance] x Valence [rewards] = Motivational Force ! When multiplied together, these three components result in a “motivational force,” which directs specific behavioral alternatives.
  • 8. Expectations: cognitive psychology POV Vroom (1964) “Work & Motivation” Laufer & Wolfe (1977) “calculus - the cognitive trade off among situational constraints” Culnan & Armstrong (1999) decisions are negatively affected by anticipated costs of potential privacy violation Dinev & Hart (2006) “privacy calculus - frames information disclosure as a tradeoff of benefits and risks” McCarthy (2010) Xu & Gupta (2009) Acquisti & Grossklags (2007) Norgberg & Horne (2007) Keith et. al (2013)
  • 9. • Individuals act in ways that they expect will maximize positive outcomes and minimize negative ones. • Expected Utility Hypothesis (Friedman and Savage, 1952) • Individuals are assumed to be “rational” because they make decisions based on a cost/benefit tradeoff, engaging in “utility maximization” decision making • Perceived privacy risks reduce disclosure intentions while perceived benefits of information disclosure increase intentions (Dinev & Hart, 2006) • Privacy paradox: individuals who claim to disclose information still demonstrate relatively higher levels of actual information disclosure (Acquisti & Grossklags, 2006) Information Privacy Studies: Traditional Approaches to Contemporary Hypotheses
  • 10. Expectations: U.S. Legal POV The notion of privacy trade-offs and consumer expectation permeates both legal scholarship as well as corporate technology management practices.2 [2] Bamberger, K. A., & Mulligan, D. K. (2011). Privacy on the Books and on the Ground. Stanford Law Review, 63. Federal ! (e.g. 1st Amendment, 4th Amendment, HIPAA, COPPA, ECPA, GLBA, FCRA, FERPA, CISA, DMCA, ECPA, CFAA, etc.) State ! (e.g. State Constitutions, statue - CA SB 568 “Privacy Rights for California Minors in the Digital World”, CalECPA, etc.) Layers of legal protection
  • 11. Expectations: U.S. Legal POV Ex: Fourth Amendment: surveillance issues: police and government search “expectation of privacy” legal test Subjective expectation of privacy – a certain individual's opinion that a certain location or situation is private; demonstrating actions to ensure evidence was meant to be private ! Objective, legitimate, reasonable expectation of privacy – An expectation of privacy generally recognized by society (e.g. garbage cans)
  • 12. Expectations: U.S. Legal POV Ex: Consumer Privacy Bill of Rights3 [3] White House. 2015. Administration Discussion Draft: Consumer Privacy Bill of Rights Act of 2015. Last accessed 2 May 2015. https://www.whitehouse.gov/sites/default/files/omb/legislative/letters/cpbr-act-of-2015-discussion-draft.pdf The Principle, Respect for Context (Sec. 103), states that “consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.” ! It outlines for companies a required set of considerations including “research on consumers’ attitudes and understandings”. ! The principle also suggests that context should “help determine which personal data uses are likely to raise the greatest consumer privacy concerns.”
  • 13. Expectations: Technical manifestation Privacy as Confidentiality “Hiding” ! • Autonomous (digital) sphere ! • Data about persons is protected so that unauthorized others cannot access it Three Privacy Research Paradigms in Computer Science4 Privacy as Control “Information Self- Determination” ! • User control - what is shared and how it is used ! • Identity Management Systems Privacy as Practice “Identity Construction” ! • Intervene in the flows of existing data; re- negotiate boundaries ! • Require: feedback, intervention [4] Gurses, S. (2010). “Multilateral Privacy Requirements Analysis.” Dissertation. Arenberg Doctoral School of Science, Engineering & Technology. Faculty of Engineering Department of Computer Science
  • 14. Q1: If an individual has no expectation of privacy, then what type of information disclosure behaviors manifest online, and why?
  • 15. Eliciting Expectations Project
    We simply ask: What are these expectations of privacy, if any? And how do we measure for them?
    What we learned from the pilot study & focus groups:
    • administered the pilot study using a snowball sample on Facebook and email
    • two focus groups (consisting of freshman to senior RPI undergrads) were also queried about the survey and its structure
    Changes made:
    • discarded the “digital natives” sample due to lack of responses to the two case scenarios
    • health device: not interested in tracking health & lack of expendable income to purchase device
    • mobile payment systems: skewed heavily towards older students/participants; lack of access to personal income, thus no need for such apps
    • Likert scale was adjusted to a 4-point scale in order to force participant answers beyond neutral
    • discarded “health device application” scenario in order to focus only on mobile payment systems
  • 16. Eliciting Expectations Project v2
    QR: To what extent does a user’s knowledge of and preference for how data is used impact his or her own information disclosure behaviors?
    Survey Basics: [ IRB Approved 1422 ]
    • Comprised of 3 main sections
      • Section 1: evaluates expert vs. novice participants
      • Section 2: explores across three levels of expectations
      • Section 3: demographics
    • Participant will answer 51 questions (approx. 20 mins to complete)
    • Dependencies: expert vs. novice
    • Two case studies:
      • location based services (e.g. Google Maps, FourSquare etc.)
      • mobile payment systems (e.g. Square Cash, Apple Pay, etc.)
    • Upon completing the survey, participants may be asked to volunteer in a semi-structured interview
    • Utilizes Qualtrics survey platform
    • Sampling: convenience
  • 17. Section I
    Determines “expert” vs. “novice” participants. Borrows from Rogers (2003) the following measurement categories of Internet Expertise [5]:
    • Conative: What users “do” online - time and habits online. Scale: High Activity level / Mid-Activity level / Low Activity level
    • Cognitive: What users “think” online - technical and privacy knowledge. Scale: A / C / F (alpha-grading similar to quizzes)
    • Affect: What the user “feels” online - feeling and attitudes while online. Scale: Positive / Neutral / Negative
    [5] Rogers, B.L. Measuring Online Experience: It’s About More Than Time! Usability News, 5.2, 2003. Last accessed 1 April 2015. http://psychology.wichita.edu/surl/usabilitynews/52/experience.htm
  • 18. Section II
    Explores the three levels of privacy expectations. Grounded in legal theory and prior survey items:
    • Expectations of privacy (EP): What a person’s expectations of privacy are and what privacy rights should be expected.
    • Expectations of violations (EV): What a person thinks will/can happen when privacy rights are violated.
    • Expectations of agency (EA): What a person thinks he/she can do to control or protect his/her privacy rights.
  • 19. Hypothesis: Expectations are not conditional on expert or novice level traits [6, 7].
    Informant Group | Expectation of Privacy (EP) | Expectation of Violation (EV) | Expectation of Agency (EA)
    Experts | no effect | no effect | no effect
    Novice | no effect | no effect | no effect
    [6] Kang, R., Dabbish, L., Fruchter, N., & Kiesler, S. (2015). “My Data Just Goes Everywhere”: User Mental Models of the Internet and Implications for Privacy & Security. 11th Annual Symposium on Usable Privacy and Security. Ottawa, Canada. https://www.usenix.org/system/files/conference/soups2015/soups15-paper-kang.pdf
    [7] Monteleone, S., van Bavel, R., Rodríguez-Priego, N., & Esposito, G. (2015). “Nudges to Privacy Behaviour: Exploring an Alternative Approach to Privacy Notices?” JRC Science and Policy Report. EU Commission. http://publications.jrc.ec.europa.eu/repository/bitstream/JRC96695/jrc96695.pdf
  • 20. Preliminary Analysis & Insights
    Informant Group | Expectation of Privacy (EP) | Expectation of Violation (EV) | Expectation of Agency (EA)
    Legal Professionals (e.g. lawyers, policymakers, etc.) | HIGH | HIGH | Neutral
    • First batch of informants: legal practitioners, policymakers, etc.
    • Survey distribution:
      • Convenience: via email & surveillance-coalition mailing list
    • 11 total survey responses as of Aug 2015
      • 10 chose the location-based mobile scenario
      • 1 chose the mobile payment system
    • Descriptive statistical analysis for the location-based respondents
  • 21. Expectation of Privacy (EP)
    When asked to indicate a level of agreement with the following statement: “I agree that my location data should be collected and shared by third parties in order to...”
    Respondents disagreed or strongly disagreed with four of the five conditions, with the fifth condition receiving 5 “agree” responses.
  • 22. Expectation of Violations (EV) When asked to indicate a level of agreement with the following statement: “My personal identity is private and cannot be discovered and or used in nefarious ways by unauthorized persons.”
  • 23. Preliminary Analysis & Insights
    • CAVEAT: small dataset & not representative - still gathering data
    • What we’ve learned so far...
      • a) transparency and openness overlook concerns of exposure;
      • b) a continued and problematic underestimation of the consumer [8]; and,
      • c) the need for relevance, respect and integrity as elements of context.
    [8] Turow, J., Hennessy, M., and Drape, N. The Tradeoff Fallacy: How Marketers Are Misrepresenting American Consumers and Opening Them up to Exploitation. Annenberg School for Communication University of Pennsylvania. (2015). https://www.asc.upenn.edu/sites/default/files/TradeoffFallacy_1.pdf
  • 24. FUTURE WORK
    • Continued data gathering for general survey
    • Drill-down experiment: behavioral tracking on mobile devices
    • Open questions:
      • How confident are we that the methods used to evaluate user expectations are fit for purpose?
      • How can this be helpful in shaping public policy regarding the purpose and use of data?
  • 25. Thank You & Questions? Email: glorim@rpi.edu @gloriakt