Implement User-Customisable Multi-View Privacy Notifications
Problem Summary
Single-view privacy notification interfaces provide little information to help users understand their privacy risks.
Rationale
A multi-view privacy notification interface can help users better understand the privacy information, according to their interests and expertise.
Solution
A user-customisable multi-view privacy notification mechanism that provides customised notification interfaces through which users obtain the information they need about their privacy risks.
Fung, Rashidi and Motti [1] introduced a novel multi-view model for permission notifications that enhances user understanding and decision-making regarding app permissions.
The multi-view model incorporates Control Theory to ensure consistency across views tailored to different user knowledge levels. A chain of control units was developed, each responsible for producing one of the multi-view interfaces. The model tailors the presentation of privacy risks to the user's knowledge level, offering customised interfaces with varying granularity, intricacy and co-equality. These interfaces range from detailed app activity logs for expert users to simplified risk assessments for novices. Additionally, the model incorporates a user preference system, allowing individuals to select, or be automatically assigned, the view that best matches their understanding and comfort level. Beyond information presentation, the solution recommends actions to the user, providing a nuanced approach to app permission management. Actions vary from simple permission denial to app uninstallation, depending on the assessed risk level of the app. This comprehensive approach informs users about potential privacy risks and gives them actionable insights to safeguard their privacy effectively.
When combined with privacy choices [2], which actions (block, deny or uninstall, for instance) to recommend to users in each view is an important aspect to consider on a case-by-case basis.
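To make the chain-of-control-units idea concrete, the following added example (not code from the paper or from this guideline catalogue) derives novice, intermediate and expert views from one shared risk assessment, checks that every view carries the same core message (risk level and recommended action), and resolves which view a user gets from their preference or assessed knowledge level. The risk-to-action tiering, the `Assessment` structure and the sample app data are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed tiering of the page's actions by risk level (not the paper's table).
RISK_ORDER = ["low", "medium", "high"]
RISK_ACTIONS = {"low": "block", "medium": "deny", "high": "uninstall"}

@dataclass
class Assessment:
    app: str
    permissions: Dict[str, str]  # permission -> assessed risk level
    activity_log: List[str]      # raw app activity, surfaced only to experts

    def risk(self) -> str:
        # Overall risk is the highest risk among the requested permissions.
        return max(self.permissions.values(), key=RISK_ORDER.index, default="low")
    def action(self) -> str:
        return RISK_ACTIONS[self.risk()]

def render_novice(a: Assessment) -> dict:
    # Coarsest view: one risk label and one recommended action.
    summary = f"{a.app}: {a.risk()} risk. Recommended: {a.action()}."
    return {"risk": a.risk(), "action": a.action(), "body": summary}

def render_intermediate(a: Assessment) -> dict:
    # Adds the per-permission breakdown behind the overall rating.
    breakdown = [f"{p}: {r}" for p, r in sorted(a.permissions.items())]
    return {**render_novice(a), "permissions": breakdown}

def render_expert(a: Assessment) -> dict:
    # Finest view: the breakdown plus the raw activity log.
    return {**render_intermediate(a), "activity_log": list(a.activity_log)}

# One control unit per knowledge level; all derive from the same assessment,
# so the core message (risk level + action) cannot drift between views.
RENDERERS = {"novice": render_novice, "intermediate": render_intermediate, "expert": render_expert}

def build_views(a: Assessment) -> Dict[str, dict]:
    return {level: render(a) for level, render in RENDERERS.items()}

def views_consistent(views: Dict[str, dict]) -> bool:
    # Consistency check: every view must agree on risk level and action.
    return len({(v["risk"], v["action"]) for v in views.values()}) == 1

def assign_view(knowledge_level: str, preference: Optional[str] = None) -> str:
    # An explicit user preference wins; otherwise use the assessed level.
    return preference if preference in RENDERERS else knowledge_level

SAMPLE = Assessment("WeatherNow", {"contacts": "high", "location": "medium"},
                    ["09:01 read contacts", "09:02 upload 12 KB"])  # constructed
```

Running `views_consistent` over the output of `build_views` is the kind of regression check a team would add so that a later change to one renderer cannot silently show a novice a different risk verdict than an expert sees.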
Platforms: personal computers, mobile devices
Related guidelines: Enhance Privacy Awareness by Communicating Privacy Risks
Example
Privacy notification view details are reduced from left to bottom right, accounting for different user visualisation choices [1].
Use cases
- Implementing a privacy risk notification interface for the apps installed on a device.
- Implementing a privacy risk notification interface for different expertise levels.
- Implementing a user-customisable multi-view privacy notification.
Pros
- Consistency among the designed views is critical, so incorporating Control Theory to regulate the consistency of views across different user knowledge levels aims to ensure that, despite the diversity in information presentation, the core message remains the same, aiding accurate interpretation and informed decision-making. Users can choose the view that they understand best and are most comfortable with [1].
- The solution provides actionable insights by recommending specific actions (like block, deny, uninstall) based on the assessed risk level of an app. This approach not only informs users about potential risks but also guides them on how to mitigate these risks, enhancing user security and privacy protection [1].
Cons
- The effectiveness of the multi-view model heavily relies on users actively engaging with and understanding the different views and recommended actions. There's a possibility that users might not invest the time to explore and switch between views, reducing the system's overall impact on privacy and security decision-making. Despite the intention to cater to different user expertise levels, there's a risk of information overload, particularly for users who might find multiple views and detailed action recommendations overwhelming. This could lead to decision fatigue, where users may default to simpler but less secure choices [1].
- The application of Control Theory to ensure view consistency adds a layer of complexity to the system's design and implementation. This could potentially increase development time and resources required, making it challenging to adapt and scale [1].
Privacy Notices
The main purpose of a privacy notice is to inform users about personal data handling. Considering the design space for privacy notices [3], this guideline can be applied to the following dimensions:
- Periodic
According to [2], "periodic reminders of data practices can further help users maintain awareness of privacy-sensitive information flows". This recommendation can be used in such scenarios, allowing users to reassess their privacy risks. How often such periodic notices are shown depends on the use case.
- Just in time
The proposed guideline can be used to present a privacy notice to users when a data practice is active (data being collected, used or shared, for instance).
According to [2], just-in-time notices precede data collection, often near input fields or with summary dialogues, reducing user interruptions.
Another situation is when an app requests access to sensitive information; such a request should be accompanied by a just-in-time privacy notice [2].
- On demand
The proposed guideline can be used to present a privacy notice to users when they actively seek privacy information, for example, in privacy dashboards or privacy settings interfaces.
- Context-dependent
This guideline can be used to present a privacy notice to users triggered by a change in context, like a location or data sharing change.
- At Setup
The proposed guideline can be used to present a privacy notice to users when they are about to engage in a data-sharing situation, like permission granting, so they can choose the level of information they want to see to make informed decisions.
- Decoupled
This guideline can be applied to privacy notices decoupled from privacy choices.
- Blocking
This guideline can be paired with blocking controls (privacy choices), requiring users to make decisions or give consent based on the information in the notice.
- Non-blocking
This guideline can be coupled with non-blocking controls, providing control options (privacy choices) without forcing user interaction.
- Visual
This is the modality of the designed privacy notification view, combining visual resources such as colours, text and icons.
- Secondary
The same designed interfaces can be used in a companion app or website to provide the privacy notice.
- Primary
This is the case for the designed interface, as it is a smartphone app. However, it can also be used on other platforms, such as desktops.
Transparency
Transparency [4] is the main privacy attribute. The guideline primarily focuses on ensuring that users can obtain clear and accessible information regarding how their personal data is handled. By offering multiple views with varying levels of detail, the guideline aims to provide a proactive distribution of information, enabling users to make informed decisions. Other related privacy attributes:
- Control: communicating the privacy risk level supports control by allowing users to make self-determined decisions about the sharing of their personal data.
References
[1] Carol Fung, Bahman Rashidi, and Vivian Genaro Motti (2019). Multi-View Permission Risk Notification for Smartphone System. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications 10(1): 42–57. https://isyou.info/jowua/papers/jowua-v10n1-3.pdf
[2] Yuanyuan Feng, Yaxing Yao, and Norman Sadeh (2021). A Design Space for Privacy Choices: Towards Meaningful Privacy Control in the Internet of Things. In CHI Conference on Human Factors in Computing Systems (CHI ’21), May 8–13, 2021, Yokohama, Japan. ACM, New York, NY, USA, 16 pages. https://doi.org/10.1145/3411764.3445148
[3] Florian Schaub, Rebecca Balebako, Adam L. Durity, and Lorrie Faith Cranor (2015). A Design Space for Effective Privacy Notices. In: Symposium on Usable Privacy and Security (SOUPS 2015), pp. 1–17. https://www.usenix.org/system/files/conference/soups2015/soups15-paper-schaub.pdf
[4] Susanne Barth, Dan Ionita, and Pieter Hartel (2022). Understanding Online Privacy — A Systematic Review of Privacy Visualizations and Privacy by Design Guidelines. ACM Comput. Surv. 55, 3, Article 63 (February 2022), 37 pages. https://doi.org/10.1145/3502288