http://www.nada.kth.se/utbildning/grukth/exjobb/rapportlistor/2006/rapporter06/almer_david_06124.pdf
MobiLife – the Privacy Display Widget
D A V I D A L M E R
Master of Science Thesis
Stockholm, Sweden
2006
Master’s Thesis in Media Technology (20 credits)
at the School of Media Technology
Royal Institute of Technology year 2006
Supervisor at CSC was Ester Appelgren
Examiner was Nils Enlund
TRITA-CSC-E 2006:124
ISRN-KTH/CSC/E--06/124--SE
ISSN-1653-5715
Royal Institute of Technology
School of Computer Science and Communication
KTH CSC
SE-100 44 Stockholm, Sweden
URL: www.csc.kth.se
MobiLife - Visualising privacy
Summary (translated from the Swedish)
Intelligent and Internet-connected consumer products are two current trends in the electronics industry. A vision for the future is that technology should ease people's everyday lives by allowing increased mobility and flexibility, which hopefully leads to more leisure time and a more efficient use of increasingly precious time. This is an area that the EU-funded research project MobiLife has investigated with a strong user focus. The most important question within MobiLife has been how families can use mobile communication as a support in everyday life.
Increased mobility, Internet connectivity and more intelligent technology do not only bring opportunities. Ever since the launch of the Internet, so-called "privacy" has received growing attention among users. This thesis has investigated privacy within MobiLife and how the previously identified user requirements could be used to develop a user-friendly application for managing and displaying privacy within MobiLife.
Through a user-friendly graphical interface, this component, named the privacy display widget, has also tried to convey an important message: that the user is always in control of her own personal information.
This report describes the design and development of this application and also presents recommendations for privacy visualisation based on experience gained during the work. The results show, among other things, that in order to design a user-friendly component that manages privacy, the developers must understand how privacy decisions are made. During the pre-study and the analysis, information was found indicating that such decisions are dynamic and depend on several circumstances. Context, how the information will be used and who gets access to the information are among the most important. Another area investigated is whether conceptual models can increase the usability of the privacy functionality supported by the MobiLife system.
MobiLife – The Privacy Display Widget
Abstract
In recent decades, an increasing number of devices in our vicinity have become intelligent and connected to the Internet. In the future, mobile communication with these smart devices is imagined to facilitate common duties in our everyday life such as grocery shopping, washing and cooking. The EU-funded research project MobiLife has, with a strong user-centric view, focused on future mobile technologies and possibilities for families.
The mobile technology evolution does not only uncover possibilities. Already with the introduction of the Internet, an increasing number of people expressed a general privacy concern. This thesis project has explored privacy within the scope of the MobiLife project and how the previously found user concerns could be translated into a user-friendly privacy management component.
This component, referred to as the privacy display widget, also had an important role in visualizing a user's current privacy situation and letting the user be in control by providing a graphical privacy management interface.
This report describes the design and development of the privacy display widget and presents recommendations for privacy visualization based on experiences acquired during this process. The results suggest that in order to build a user-friendly privacy management component, designers need to understand how privacy decisions are made. During this thesis project it was found that privacy decisions are dynamic and dependent on a variety of key factors such as context, intended use and perceived information receiver. The approach of using conceptual models as a starting point for the design has also been explored.
Preface
The assigner of this thesis project in media technology (KTH) has been Ericsson research in
Kista, Sweden. All work has been conducted within the scope of the EU-funded research project
MobiLife.
First of all I would like to thank my supervisor at Ericsson, Johan Hjelm, for giving constructive feedback, suggestions and support during the whole project lifecycle. Other persons working at Ericsson who have also contributed to this thesis report and have been helpful include Theo Kanter, Stewart Kowalski, Helena Lind and Göran Schultz. Especially Didier Chincholle and Cristian Norlin, working with interaction design at Ericsson, deserve to be thanked and mentioned since they have continuously provided very valuable feedback and suggestions on the design of the privacy display widget.
I would also like to thank all MobiLife project members, especially Peter Ebben and Ronald van Eijk working at Telin, Harri Lehmuskallio and Esko Kurvinen from the Helsinki Institute for Information Technology, Marcin Salacinski with crew and the rest of work package 3.
A special thanks to my supervisor at KTH, Ester Appelgren, for quick responses, for providing great constructive feedback and suggestions, and for always being helpful.
David Almer, Stockholm 19 June 2006
Table of Contents
1 Introduction ..... 1
1.1 Background ..... 1
1.2 Problem definition ..... 1
1.3 Purpose and Aim ..... 2
1.4 Limitations and scope ..... 2
1.5 Contributions ..... 3
2 MobiLife ..... 5
2.1 Project presentation ..... 5
2.2 Concept ..... 5
2.2.1 The MobiLife vision ..... 5
2.2.2 The need for a Privacy Display Widget ..... 6
2.2.3 Privacy and trust ..... 6
3 Theory ..... 13
3.1 Privacy ..... 13
3.1.1 History and legislation ..... 13
3.2 Requirements ..... 14
3.2.1 Privacy requirements and guidelines from MobiLife user evaluations ..... 14
3.3 Identified Privacy Issues ..... 14
3.3.1 Perception of privacy ..... 15
3.3.2 Usability ..... 16
3.3.3 Dynamic environments and contexts ..... 17
3.3.4 Information overflow ..... 17
3.3.5 Socio-technical gap ..... 18
3.4 Related research ..... 18
3.4.1 AT&T Privacy Bird ..... 18
4 Method ..... 21
4.1 Description of methods ..... 21
4.1.1 User Centric Design ..... 21
4.1.2 Iterative design methodology ..... 22
4.1.3 Heuristic evaluations ..... 22
4.1.4 Expert evaluations ..... 23
4.2 Project process ..... 24
4.2.1 Analysis ..... 24
4.2.2 Design phase ..... 24
4.2.3 Implementation phase ..... 25
4.2.4 Deployment phase ..... 25
5 Results ..... 27
5.1 Approaches to Privacy Management ..... 27
5.1.1 Accuracy of the Disclosed Information ..... 27
5.1.2 Helping the User Understand Privacy ..... 27
5.1.3 Non-intrusive ..... 28
5.1.4 Flexibility of use ..... 28
5.1.5 Informing the User of Privacy Implications ..... 28
5.1.6 Intuitive Configuration ..... 28
5.1.7 Policy Management and Control ..... 29
5.2 Design ..... 29
5.2.1 Brainstorming ..... 29
5.2.2 Conceptual models ..... 33
5.3 Design concepts ..... 35
5.3.1 Policy cards concept ..... 35
5.3.2 Matrix concept ..... 35
5.3.3 Set theory concept ..... 36
5.4 Prototype implementation ..... 37
5.4.1 Prototype constraints ..... 37
5.4.2 Interaction with the TrustEngine ..... 39
5.4.3 Graphical User Interface ..... 39
6 Evaluation ..... 41
6.1 Expert evaluation of the design concepts ..... 41
6.1.1 General findings ..... 41
6.1.2 Policy cards ..... 41
6.1.3 Matrix ..... 42
6.1.4 Set theory ..... 42
6.1.5 The improved design concept ..... 42
6.2 Heuristic evaluation ..... 43
6.2.1 Findings ..... 43
6.3 Expert evaluation of improved design concepts ..... 44
6.3.1 The improved matrix ..... 44
6.3.2 General findings ..... 45
7 Analysis ..... 47
7.1 Conclusions ..... 47
7.1.1 Privacy visualization to increase usability ..... 47
7.1.2 Using conceptual models as an approach to privacy visualization ..... 47
7.1.3 Privacy information affecting privacy decisions ..... 48
7.2 Discussion ..... 48
7.3 Method discussion ..... 50
7.3.1 Limited time ..... 50
7.3.2 Literature studies ..... 50
7.3.3 Heuristic evaluation ..... 50
7.3.4 Expert evaluations ..... 50
7.4 Recommendations ..... 51
7.5 Future work ..... 52
8 References ..... 53
8.1 Personal Communication ..... 55
8.2 Websites ..... 56
List of Acronyms and Abbreviations ..... 59
Appendix A – Design Concepts ..... 61
Policy cards ..... 61
Matrix ..... 62
Set theory ..... 63
Appendix B - Heuristics ..... 65
Appendix C - Heuristic Evaluation ..... 67
Appendix D - Results from Expert Evaluations in Finland ..... 71
Findings from the Policy card prototype ..... 71
Findings from the Matrix prototype ..... 74
Findings from the Set theory prototype ..... 76
1 Introduction
In this chapter the background to this thesis is introduced. It also presents the research questions that have been considered during the project. The chapter ends by specifying the overall purpose and scope.
1.1 Background
How people communicate evolves as new technologies emerge. Some famous examples include the art of printing, the telephone and the Internet. But new innovations do not only create possibilities; there is also a risk dimension.
One of the risks is privacy intrusion. Although the most famous definition of privacy dates back to 1890, people's privacy concerns did not receive much attention until the introduction of the Internet and the possibility to be online (Cranor, 1998). A possible explanation is that the Internet automatically collects and stores a vast amount of personal information, which is then communicated worldwide.
Mobile communication is also an interesting area of research since it allows users to be on the move while being online. The EU-funded research project MobiLife is focusing on exploring new possibilities for families to benefit from future mobile technology as a means to facilitate their everyday tasks (see MobiLife).
The project has a strong user-centric view, which implies that the users should have a central role in every research activity. Numerous user evaluations have therefore been conducted. In line with the discussion above about online risks, a general user concern about privacy was quickly exposed during the initial activities of the MobiLife project. Although middleware handling privacy and the secure handling of personal information had been developed, the users did not find it usable enough (MobiLife, 2005).
To address this, a central component handling privacy in a user-friendly way was suggested. It was also proposed that this component, later referred to as the privacy display widget (PDW) [1], had to visually present and manage privacy policies, since they define the users' wishes and expectations of privacy in the MobiLife system.
This thesis presents the development of the privacy display widget, uncovers issues, and presents results and the author's recommendations based on experiences and knowledge acquired during the design process of the PDW.
1.2 Problem definition
Since privacy is broadly defined, the need to specify what the thesis project would focus on was quickly recognized. The conditions were clear and described in several previous MobiLife deliverables (MobiLife, 2005b; MobiLife, 2005f), but several ways of approaching privacy visualization were available at the time. In order to focus the thesis project on the most relevant aspects and issues, as well as to secure valid results, the following research questions have been considered during the design of the privacy display widget.
[1] In computers, a widget is an element of a graphical user interface (GUI) that displays information or provides a specific way for a user to interact with the operating system and application (WhatIs, 2001, para. 2).
• How can privacy management and related mechanisms be visualized in order to increase the usability of the MobiLife (ML) privacy functionality?
• Which conceptual models can be used to approach privacy visualization within the scope of the MobiLife project?
• Which privacy information is necessary to present to the user?
1.3 Purpose and Aim
The purpose of this thesis project is to explore a relatively new research area, privacy visualization, within the MobiLife project. Although there have been several attempts to address related issues (Patil & Lai, 2005; Dourish & Redmiles, 2002; Ackerman & Cranor, 1999; Hong et al., 2004), few concrete findings have been presented in terms of privacy visualization.
The conditions considered in this thesis project make the problem of approaching privacy visualization even more complex, since it considers sharing of personal information between users linked to different social networks (such as groups) in a ubiquitous mobile environment. The outcome of the research will be, as proposed, a widget that addresses the privacy requirements uncovered during previous user evaluations within the MobiLife project.
The role of this widget is to provide a graphical user interface in which the users of the MobiLife system can manage their privacy settings. The outcome of a user's privacy settings and preferences is a privacy policy which will be enforced every time someone makes a request for data owned by this specific user, thus preserving and increasing the trust in the MobiLife system.
To achieve this, the privacy display widget will use different privacy management mechanisms together with visual components, combined in a graphical user interface. This approach will hopefully increase the users' understanding of the underlying privacy and trust components. The widget also has an important role in mediating the overall aim of the MobiLife trust model, which states that the user should be in control over all of her personal information. It is important that the user always feels in control while communicating with other users using the MobiLife system and its supported applications.
As mentioned above, the development and design should be based on user feedback and requirements related to privacy and trust, exposed during previous user evaluations and field trials conducted in the project. This approach is also in line with the overall MobiLife methodology (see Figure 6). Results from previous related research and studies will also be considered.
1.4 Limitations and scope
The widget and the design concepts presented in this report should not be seen as a product developed for a commercial purpose. The aim has been to approach privacy visualization and related issues within the scope of the MobiLife project. Since MobiLife is focusing on families, usability has been one of the most important issues. Even though the design concepts can be used directly, they have to be developed further in order to be used in a commercial setting. Security and performance have not been considered to any extent during the development; the prototype should therefore not be read as a hardened implementation of policy enforcement.
Although this report is written within the scope of the MobiLife project, the results from the research can be of interest to people working in the telecom industry in general, since privacy becomes a more relevant concern as the amount of personal information communicated within these types of networks increases. Safeguarding privacy is a key issue in building users' trust relations to a system (Sadeh, Gandon & Kwon, 2005), which should also support increased usage.
1.5 Contributions
The design and development of the PDW described in this report has been performed in cooperation with another student, Lisa Boström (2006) from Luleå University of Technology. Two separate thesis reports have been created. Although these cover the same thesis project, they were written independently and therefore present the design process, results etc. from different viewpoints.
2 MobiLife
The following chapter presents MobiLife and how this thesis is linked to that project. The
chapter also describes the privacy and trust functionality within MobiLife, which defines
the underlying functionalities supported by the privacy display widget.
2.1 Project presentation
All European research activities are structured around consecutive four-year Framework Programmes. The MobiLife project is part of the Sixth Framework Programme (FP6) of the European Community for research, spanning from 2002 to 2006. "FP6 is the European Community Framework Programme for Research, Technological Development and Demonstration. It is a collection of the actions at EU level to fund and promote research" (EC, 2002). ML is conducted in the FP6 priority Information Society Technologies (IST) and has involved 22 partners from 9 different European countries.
As stated on the MobiLife website, people are used to being able to contact anyone, anywhere, at any time. However, the challenge of enabling mass-market-scale ubiquitous services and applications remains. The aim of the MobiLife project, integrated in IST-FP6 [2], is to bring advances in mobile applications and services within the reach of users in their everyday life by innovating and deploying new applications and services based on the evolving capabilities of 3G systems and beyond. The project addresses, with a strong user-centric view, problems related to different end-user devices, available communication networks, interaction modes, applications and services (MobiLife, 2006, para. 1).
2.2 Concept
2.2.1 The MobiLife vision
The increasing use of mobile communications has had enormous economic and social consequences both in and outside of Europe (EU, 2004). As mobile devices become more common, the need for usable applications and services increases. According to a Swedish investigation, people demand practical mobile services rather than the entertainment services offered today (PTS, 2005).
The ML project reflects this, since the vision is that mobile and wireless applications and services become everyday things (MobiLife, 2006). To achieve this, it is important to focus the research activities not only on practical services but also on users who are not using mobile applications and services today. The strategic goal of MobiLife is to bring advances in mobile applications and services within the reach of users in their everyday life by innovating and deploying new applications and services based on the evolving capabilities of 3G systems and beyond (MobiLife, 2004: 7).
[2] Information Society Technology in FP6 of the European Community.
The challenge lies in how to help people, especially families, in making their everyday life easier (Klemettinen, 2004: 2). Also, since families are not considered to be early adopters [3], the need for a user-centric design process becomes central.
2.2.2 The need for a Privacy Display Widget
As will be described, privacy in ML is managed by user-controlled policies (see section The Trust Engine). According to MobiLife (2006b) there was a need to further investigate the visualization of these policies, how they are set, and how they interact. A problem was that it was very hard for the users to understand what a policy implied in terms of keeping information private, especially in the ML system, since it supports sharing of multiple data items with multiple information receivers using various applications in a distributed environment. Since information often has to be retrieved from different data sources where access is protected by a policy, different policies often interact with each other. This adds even more complexity and further reduces the chance of understanding the privacy implications (MobiLife, 2005e).
Previous attempts to visualize privacy had been focusing on possible risks to privacy (MobiLife, 2005). But since the emphasis should be on the users' experience and expectations, there was also a strong need to investigate how users perceived their privacy and which visualization approaches could be used to increase their understanding of, and trust in, the MobiLife system. As stated by Sadeh, Gandon and Kwon (2005), privacy issues are confirmed as being essential to user acceptance. The need for a Privacy Display Widget was also clear since there was a general MobiLife user concern about privacy and how personal information was treated. Several research studies have found similar concerns (Palen & Dourish, 2003; Adams & Sasse, 2001; Hong et al., 2004; Ackerman, 2000).
2.2.3 Privacy and trust
Privacy and trust is one of the focus areas of the MobiLife project. Privacy is strictly defined by legal requirements, but it also has a user dimension: lacking privacy, the user will not trust the system (MobiLife, 2005d).
The MobiLife Trust Model
The trust model inside MobiLife is user centred, meaning that trust originates from the user and that the user should always be in control.
Access to personal data by other components, such as other users and applications, has to be secure in order to maintain the trust of the users. This secure handling of the trust aspects is the responsibility of an entity in the architecture named the Privacy and Trust Function (PTF). A component called the Trust Engine (TE) is an implementation of the PTF functionality. A short description of the TE can be found in the following section.
All information in the system is retrieved through context providers (CP). Usually these are servers, but they could also be any component that has the ability to supply context data, such as sensors. The definition of a context can vary, but for the MobiLife project the following technical description has been defined:
"Any information that can be used to characterize the situation of an entity. An entity is a person, place, or object that is considered relevant to the interaction between a user and an application, including the user and application themselves" (MobiLife, 2005c).
[3] Respectable people, opinion leaders, try out new ideas, but in a careful way (AdoptionCurve, 2006, para. 3).
This means that the possible amount of information being handled and communicated within the system is enormous, since there are many possible context providers within a mobile environment. Every context provider has its own instance of a Trust Engine which controls each request for data, thus maintaining the trust within the system.
Each request for data from a CP is either accepted or denied. Since, in theory, the user accepts or denies each request, this reveals a new problem: people are not always online in a mobile network, which implies that there must be mechanisms for handling situations when the owner of the requested data is offline.
Sharing of data with groups can be performed in two ways. The user has the opportunity to share sensitive data with (named) groups or with anybody. When information is shared with anybody, a guest policy is used, e.g. when the user wants to share less sensitive information with all MobiLife users.
The Trust Engine (TE)
MobiLife aims to develop applications and services which assist people in their everyday life by
offering new ways of interaction and communication. When people communicate with each other,
personal information is exchanged. Depending on the trust relation, different amounts of sensitive
information are shared. The context and current role are also important factors (e.g. you may not
want to talk to your doctor in public). When developing mobile services and applications, the user
should have control over her privacy and personal information in the same way as in real life. In
MobiLife the Trust Engine handles the user’s wishes to share or to protect sensitive information
through the use of personal privacy policies.
According to the MobiLife trust model the user should always be in control of her policies, and
hence in control of the access to her personal information. This is important, since the goal is to
build trust within the system. Personal privacy policies can be described as a set of rules defined
by the user concerning what to share, with whom and under what conditions. An example of a
policy language is shown below:
<data> of <user / group> can <always / never / after approval> be shared with <user / group / application / anybody>
The Trust Engine works as a negotiator between the requesting user and the user owning the data.
The idea is that data access should be controlled and defined by the users owning the data
through privacy policies. These are then distributed to, and enforced by, Trust Engines sitting at
each context provider (see Figure 1).
Privacy policies can be altered in real time, meaning that the TEs always reflect the most recent
intentions of the users.
Figure 1: Overview of the MobiLife privacy & trust system (diagram labels: MobiLife Network, MobiLife User with a User Trust Engine, and six Context Providers, each with its own Trust Engine)
The approach of using distributed policy enforcement means that data is accessible even if the
owning user is offline. This is an important issue within any mobile environment, since users
cannot be assumed to always be online due to e.g. connectivity problems, intentional offline
status or devices running out of battery.
Group communication is also an important issue within mobile environments. In a sense a group
can be treated as one user with a special trust relation. For every group special group policies
exist; when a user wants to join or exchange data with a particular group, the Trust Engine
checks all involved policies and permissions (e.g. group membership policy, user policies and
certificates).
Integration between the Privacy Display Widget and the MobiLife system
The idea with the PDW is that the functional features⁴ are based on the underlying system
components/middleware. In this system the Trust Engine, which sits on every context provider,
grants or denies each request for data (see Figure 2). Since all privacy decisions should originate
from the user owning the information, the privacy display widget has an important role in
communicating the user’s intentions of data sharing throughout the whole distributed MobiLife
system.
⁴ Functional features in this case means functionalities supported by the underlying middleware
and MobiLife system components.
Figure 2: Request for personal data owned by another MobiLife user (diagram labels: MobiLife Network, MobiLife User, Context Provider, Trust Engine, Policy Database; labelled steps include 2. Data Request and 5. Requested Data)
The user interacts through the graphical interface of the widget, managing the policy and viewing
the current privacy situation, e.g. what data is being shared with whom in the current situation.
What actually happens underneath when a setting is altered in the privacy policy using the PDW is
that the TE sitting close to the user distributes this policy to all of the affected Trust Engines
associated with different CPs in the ML system (see Figure 3). In this way the policy that the user
has provided by interacting with the PDW gets enforced throughout the system. The TE
distributing the policy can be described as a policy decision point and the Trust Engines enforcing
it as the policy enforcement points.
Figure 3: A MobiLife user updates her policy
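A toy model of the policy language quoted above and of the distribution of a user's policies from her own TE (the decision point) to the Trust Engines at the context providers (the enforcement points), added here as an example; it is not MobiLife code. The class names, the "most specific target wins" precedence, deny by default, and the group membership table are assumptions.

```python
import re
from typing import NamedTuple
# The policy language quoted in the thesis, turned into a regular expression.
POLICY_RE = re.compile(
    r"^(?P<data>\w+) of (?P<owner>\w+) can (?P<mode>always|never|after approval)"
    r" be shared with (?P<target>\w+)$")

class Policy(NamedTuple):
    data: str
    owner: str
    mode: str     # "always", "never" or "after approval"
    target: str   # a user, a group, an application or "anybody"

def parse_policy(line: str) -> Policy:
    """Parse one policy sentence; anything outside the grammar is rejected."""
    m = POLICY_RE.match(line.strip().lower())
    if not m:
        raise ValueError(f"not a valid policy line: {line!r}")
    return Policy(m["data"], m["owner"], m["mode"], m["target"])

class TrustEngine:
    """Enforcement point at one context provider (assumed structure)."""
    def __init__(self, groups: dict[str, set[str]]):
        self.groups = groups                        # constructed group membership
        self.policies: dict[str, list[Policy]] = {} # owner -> current policy set

    def decide(self, requester: str, owner: str, data: str) -> str:
        """'grant', 'deny' or 'pending'. Most specific target wins (user > group >
        anybody); no match is deny. Only 'after approval' needs the owner online."""
        best = None
        for p in self.policies.get(owner, []):
            if p.data != data:
                continue
            if p.target == requester:
                rank = 3
            elif requester in self.groups.get(p.target, ()):
                rank = 2
            elif p.target == "anybody":
                rank = 1                            # the guest policy
            else:
                continue
            if best is None or rank > best[0]:
                best = (rank, p.mode)
        if best is None or best[1] == "never":
            return "deny"
        return "grant" if best[1] == "always" else "pending"

class UserTrustEngine:
    """Decision point beside the user: the widget writes here, the set is pushed to every CP engine."""
    def __init__(self, user: str, cp_engines: list[TrustEngine]):
        self.user, self.cp_engines = user, cp_engines

    def update_from_widget(self, lines: list[str]) -> None:
        policies = [parse_policy(line) for line in lines]
        for te in self.cp_engines:                  # a newer push replaces the old set
            te.policies[self.user] = policies
```

Because "always" and "never" decisions never consult the owner, the context-provider engines keep answering while she is offline; only "after approval" requests wait for her.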
To conclude, the PDW acts as a seamless link to the underlying privacy and trust components by
providing the user with a user-friendly graphical interface inside the client device, thus increasing
the understanding of the underlying system functionalities without the user needing to know how
they actually work.
Integration between the Privacy Display Widget and MobiLife applications
The user’s interaction with the widget will not only affect the Trust Engine; it will also affect other
running applications, since they are dependent on content retrieved from different context
providers. The user should be informed that the actions taken directly affect other applications
and users in the way that was intended. This means that there should be some sort of visual
feedback, providing information about the current privacy policies and how specific entities
(users, applications) are affected by them. During initial integration workshops it was decided
that the widget should be a standalone application. The approach of having the widget running
separately rather than being part of an application means that all privacy settings can be retrieved
and altered from the same place; it should also make the actions consistent and allow the user to
get a quick overview of the privacy situation. This idea can be compared to solutions used by
some of the most common software firewalls for Windows such as ZA and Norton.
Privacy Display Widget interaction with the Trust Engine, queries and responses
Conceptually, when a data request is forwarded to the appropriate TE, the response is sent to the
requesting entity via the context provider storing the data (see Figure 2). The response is based on
the involved privacy policy. All communication between MobiLife system components such as
the Trust Engines and Context Providers is based on a machine-readable XML format. This type
of language is not appropriate to display to a user if the aim is to increase usability and
understanding. In this sense the PDW can be described as working as a translator, parsing the
machine-readable data requests and responses and presenting them to the user in a visual and
hopefully understandable way.
3 Theory
The theory chapter gives a brief overview of privacy. It also presents the most relevant
requirements and identified issues related to the design of the privacy display widget.
These were based on previous MobiLife user evaluations and an analysis of related
research results, mainly found during the literature study.
3.1 Privacy
According to privacy expert Helena Lind working with privacy issues at Ericsson, privacy is
about individual humans’ rights and the violation of these rights. People who do not think that
privacy is an important concern should think about the fact that people (including themselves)
make privacy decisions on a daily basis without even reflecting on it.
A great illustrative example was given by Lind (2006). “A common privacy decision is, when
people choose to close the door when they go to the bathroom”.
3.1.1 History and legislation
In 1890 the two American lawyers Samuel Warren and Louis Brandeis wrote an article published
under the title “The Right to Privacy” in the Harvard Law Review (Warren & Brandeis, 1999). This
article proposed that it should be a fundamental human right for the individual to have full
protection in person and in property. But they also state that it has been found necessary from
time to time to define anew the exact nature and extent of such protection. The most famous
sentence from the article, which often gets quoted in privacy research, is Warren and Brandeis’s
definition of privacy as “the right to be left alone”.
Another person who often gets quoted in privacy discussions is public law professor Alan Westin.
His definition of informational privacy is: “Privacy is the claim of individuals, groups, or
institutions to determine for themselves when, how, and to what extent information about
themselves is communicated to others.” Westin, 1967 (in Lind, 2006).
According to Lind, informational privacy was also identified by Rosenberg as one of three
aspects of privacy: Rosenberg, 1992 (in Lind, 2006).
• Personal privacy: protection against what violates our moral senses
• Territorial privacy: unsolicited messaging
• Informational privacy: data protection
Examples of information related to these three are offensive pictures or texts, spam mail and
social security numbers. It should be stressed that some privacy intrusions can be categorized into
all or a combination of these three aspects.
In 1980 the Organization for Economic Cooperation and Development (OECD) issued a set of
guidelines concerning the privacy of personal data. Although the guidelines cover broad aspects
of privacy and flows of personal data, they have set the standard for later governmental privacy
rules (CDT, 2006). They have also been the starting point for most current international
agreements and national laws. The guidelines include eight principles which, in different
variations, are often referred to as the fair information practices.
Based on the OECD guidelines several directives have been derived. The two most important
inside the European Union (EU) with respect to this thesis are:
1. Directive 95/46/EC – Directive on data protection concerning the protection of
individuals with regard to the processing of personal data and on the free movement of
such data.
2. Directive 2002/58/EC – Directive on privacy and electronic communications concerning
the processing of personal data and the protection of privacy in the electronic
communications sector. Directed towards telecommunication.
An important fact is that the EU directives require explicit consent, which means that a user must
unambiguously approve having their information collected. Although the requirements from
legislation are important, they did not have a great direct impact on the visual design; they had an
indirect impact, since privacy is partly based on legislation.
3.2 Requirements
3.2.1 Privacy requirements and guidelines from MobiLife user evaluations
As outlined previously, several user studies conducted within the MobiLife project exposed a
general user concern about privacy. The most concrete findings and most relevant user
requirements that were considered during the further development of the privacy display widget
are the following:
• The user should be in control
• The user should have easy access to information shared about her
• Data logging and storage should be kept to a minimum, or at least be transparent to the user,
and access to this data must be limited
• Privacy management systems must be as flexible as possible
• The context and time of day affect the user’s willingness to share her private information
3.3 Identified Privacy Issues
Not surprisingly, many issues linked to privacy were found during the literature studies.
In this section some of the most relevant for a mobile setting are presented. These
include: perception of privacy, usability, dynamic environments and contexts,
information overflow and the socio-technical gap.
3.3.1 Perception of privacy
Although interaction researchers within Human Computer Interaction (HCI) have identified the
problem of privacy which relates to technology and situation of use, few attempts have been
focusing on explaining this interdependent relationship in a systematic and analytical way (Palen
& Dourish, 2003). This means that to be able to approach the research questions, a clear
definition of privacy which can be applied in a mobile environment is needed. There is also a
need to identify the most relevant factors that influence privacy decisions and expectations.
Discussions about privacy are often focused on personal information and how to protect this type
of data without specifying what people actually regard as private. Adams and Sasse (2001)
suggest that designers of privacy-sensitive systems need to understand what users regard as
private, how this data could be used and by whom, and how this affects their privacy. To address
this problem and to help these designers, they present a model of user perceptions of privacy in
multimedia environments (see Figure 4). The model helps to determine which information users
regard as private, from whom, and in which context (Adams & Sasse, 2001).
Figure 4: Adams and Sasse’s privacy model (Adams & Sasse, 2001)
The identified key factors for forming a user’s perception of her privacy are the information
receiver, information sensitivity and information usage. Although it is mentioned that user and
context are relevant issues they are not specific to privacy.
Information sensitivity (IS) is the primary factor and is related to a user’s perception of the
information being communicated and interpreted. As seen in the model, this is based on a
judgment and related to the other key factors and the context.
Information Receiver (IR) is related to the user’s perception of the person (or persons) who
receives the data. It is important to note that these can be represented by an avatar⁵.
Information Usage (IU) is related to a user’s perception of how the information will be used now
or in the future.
⁵ A digital representation of an individual or group
Adams and Sasse’s privacy model has been useful in this thesis since it identifies key factors and
issues that influence privacy in a very similar setting. It also illustrates the different relationships
between these and has worked as an important source in building an information base that was
considered during the further development of the design concepts. The idea of privacy being a
complex issue is supported by a study of context-aware applications at Carnegie Mellon
University. This study has shown that users often have complex and nuanced privacy preferences.
In addition, users often do not even know their privacy preferences until actually confronted with
a situation (Sadeh, Gandon & Kwon, 2005).
In Adams and Sasse’s privacy model (2001) a number of privacy risks are identified which users
trade off against the potential benefits to be gained from using multimedia applications. This is
also discussed in a study of information revelation in online social networks (Acquisti, Gross &
Heinz, 2005), which introduces the term signaling: the perceived benefit of selectively revealing
data to strangers may appear larger than the perceived costs of possible privacy invasions.
3.3.2 Usability
Although there is a vast amount of research which focuses on identifying privacy and security
weaknesses and how to address them, the need to make these types of technologies usable is
equally important (Brodie et al., 2005). This is also true for the PDW considered in this report,
since one of its main purposes was to increase the usability of the underlying middleware
component (TE), which manages data access and handles policies. Usability plays an important
role in building an increased trust relation between a system and its users.
This is essential for all activities in the MobiLife project (including this thesis) since the
methodology is user-centric. The need for usability had also been identified during previous
MobiLife user evaluations (MobiLife, 2005b; MobiLife, 2005d; MobiLife, 2005f). Although this
means that a fundamental requirement was that the design should be user friendly, it does not
convey that it is easy to create usable systems that protect online privacy (Ackerman & Cranor,
1999).
To help designers address the usability problem, Lederer et al. (2004) present five pitfalls that
should be avoided when designing interactive systems which affect privacy. It is stated that
systems which ignore these design guidelines face a significant risk of disrupting or inhibiting
users’ abilities to manage their personal privacy. The keywords used are understanding and
action. This means that the design should make people understand the privacy implications in
order to be able to conduct socially meaningful actions.
The five pitfalls are divided using these two terms: those that primarily shape the users’
understanding of a system’s privacy implications, and those that affect the ability to conduct
socially meaningful action through the system.
Understanding
1. Obscuring potential information flow: Designs should not obscure the nature and extent
of a system’s potential for disclosure. Users can make informed use of a system only
when they understand the scope of its privacy