Proportionality Design Method

The Data Quality principle from the Fair Information Practices states that the information obtained from users should be relevant to, and used for, the purposes for which it is collected:

“Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.”

Giovanni Iachello and Gregory D. Abowd take this as a starting point and elaborate the principle of proportionality:

“Any application, system, tool or process should balance its utility with the rights to privacy (personal, informational, etc.) of the involved individuals”

Based on this principle, they propose the Proportionality design method:

Figure: Proportionality Design Method

Throughout the whole development cycle of the application, those involved in its development need to verify the legitimacy, appropriateness and adequacy of the application:

  • Legitimacy: Verify that the application is useful to the user. What need does the application cover?
  • Appropriateness: Analyse whether the alternative implementations, using different technologies, satisfy the goal of the application without posing a risk to the privacy of the users.
  • Adequacy: Analyse whether the chosen alternative technologies are correctly implemented.
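As an illustration only (hypothetical names and example, not part of Iachello and Abowd's method), the outcome of the three checks for one design alternative could be recorded like this:

```python
from dataclasses import dataclass

@dataclass
class ProportionalityCheck:
    """Record of the three proportionality assessments for one design alternative (hypothetical structure)."""
    alternative: str
    legitimacy: str       # what user need does the application cover?
    appropriateness: str  # does this technology meet the goal without undue privacy risk?
    adequacy: str         # is the chosen technology correctly implemented?

check = ProportionalityCheck(
    alternative="coarse cell-tower location instead of continuous GPS",
    legitimacy="lets users find nearby friends",
    appropriateness="city-level granularity avoids building a precise movement profile",
    adequacy="location values are coarsened before they leave the device",
)
print(check)
```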

References:

G. Iachello and G. D. Abowd, “Privacy and proportionality: adapting legal evaluation techniques to inform design in ubiquitous computing,” in Proceedings of the SIGCHI conference on Human factors in computing systems, 2005, pp. 91–100.

Privacy Risk Models

Jason Hong, Jennifer D. Ng, Scott Lederer and James A. Landay present their framework for modelling privacy risks in ubiquitous computing environments.

The privacy risk models framework consists of two parts: privacy risk analysis, which proposes a list of questions that help define the context of use of the future application, and privacy risk management, a cost-benefit analysis used to prioritise the identified privacy risks during the development of the system.

Privacy risk analysis

The privacy risk analysis starts with the formulation of the following questions, grouped into the categories Social and Organizational Context and Technology:

Social and Organizational Context

  • Who are the users of the system? Who are the data sharers, the people sharing personal information? Who are the data observers, the people that see that personal information?
  • What kinds of personal information are shared? Under what circumstances?
  • What is the value proposition for sharing personal information?
  • What are the relationships between data sharers and data observers? What is the relevant level, nature, and symmetry of trust? What incentives do data observers have to protect data sharers’ personal information (or not, as the case may be)?
  • Is there the potential for malicious data observers (e.g., spammers and stalkers)? What kinds of personal information are they interested in?
  • Are there other stakeholders or third parties that might be directly or indirectly impacted by the system?

Technology

  • How is personal information collected? Who has control over the computers and sensors used to collect information?
  • How is personal information shared? Is it opt-in or is it opt-out (or do data sharers even have a choice at all)? Do data sharers push personal information to data observers? Or do data observers pull personal information from data sharers?
  • How much information is shared? Is it discrete and one-time? Is it continuous?
  • What is the quality of the information shared? With respect to space, is the data at the room, building, street, or neighborhood level? With respect to time, is it real-time, or is it several hours or even days old? With respect to identity, is it a specific person, a pseudonym, or anonymous?
  • How long is personal data retained? Where is it stored? Who has access to it?

Privacy Risk Management

This part consists of prioritising the privacy risks by applying the inequality known as Hand's rule:

C < L × D

where:

  • L: the likelihood that an unwanted disclosure of personal information occurs
  • D: the damage that such a disclosure would cause
  • C: the cost of adequately protecting privacy
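As a rough illustration (hypothetical risks and numbers, not from the paper), the rule says that protection is worth building whenever its cost C is lower than the expected damage L × D:

```python
# Hand's rule sketch: protect against a risk when cost < likelihood * damage.
risks = [
    # (description, likelihood of unwanted disclosure, damage if it happens, cost of protection)
    ("location history leaked to third parties", 0.30, 10_000, 1_500),
    ("display name visible to other users",      0.90,     50, 2_000),
]

for description, likelihood, damage, cost in risks:
    expected_damage = likelihood * damage
    if cost < expected_damage:
        print(f"protect: {description} (C={cost} < L*D={expected_damage:.0f})")
    else:
        print(f"accept/deprioritise: {description} (C={cost} >= L*D={expected_damage:.0f})")
```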

References:

J. I. Hong, J. D. Ng, S. Lederer, and J. A. Landay, “Privacy risk models for designing privacy-sensitive ubiquitous computing systems,” in Proceedings of the 5th conference on Designing interactive systems: processes, practices, methods, and techniques, 2004, pp. 91–100.

Three-Layer Privacy Responsibility Framework

Sarah Spiekermann and Lorrie Faith Cranor, in their work “Engineering Privacy”, state that software engineers have a major responsibility when it comes to developing privacy-friendly systems “because they are the ones devising the technical architecture and creating the code”. They present a three-layer model of user privacy concerns and a corresponding responsibility framework. Based on this model, they elaborate a set of guidelines, categorising them into “privacy-by-policy” and “privacy-by-architecture”.

Three-Layer Privacy Responsibility Framework

The authors distinguish three spheres of privacy: the User Sphere (confined to the user’s environment, i.e. laptops, mobile phones, embedded systems, etc.), the Recipient Sphere (a company-centric sphere involving the company’s back-end infrastructure) and the Joint Sphere (relating to companies that host users’ information, such as email providers or Facebook). For each of the privacy spheres, the following table describes where the data is stored, what the engineer’s responsibility is and what issues they need to address.

 

User Sphere

  • Where the data is stored: users’ desktop computers, laptops, mobile phones, RFID chips
  • Engineer’s responsibility: give users control over access to themselves (in terms of access to data and attention)
  • Engineering issues:
    • What data is transferred from the client to a data recipient?
    • Is the user explicitly involved in the transfer?
    • Is the user aware of remote and/or local applications storing data on his system?
    • Is data storage transient or persistent?

Joint Sphere

  • Where the data is stored: web service provider’s servers and databases
  • Engineer’s responsibility: give users some control over access to themselves (in terms of access to data and attention); minimize users’ future privacy risks
  • Engineering issues:
    • Is the user fully aware of how his data is used and can he control this?

Recipient Sphere

  • Where the data is stored: any data recipient’s servers and databases (network providers, service providers or other parties with whom the data recipient shares data)
  • Engineer’s responsibility: minimize users’ future privacy risks
  • Engineering issues:
    • What data is being shared by the data recipient with other parties?
    • Can the user expect or anticipate a transfer of his data by the recipient?
    • Is personal data adequately secured?
    • Is data storage transient or persistent?
    • Can the processing of personal data be foreseen by the user?
    • Are there secondary uses of data that may not be foreseen by the user?
    • Is there a way to minimize processing? (e.g. by delegating some pre-processing to the User Sphere)

Framework for Privacy-Friendly System Design

Spiekermann and Cranor propose a framework for developing privacy-friendly systems. Privacy stages are ranked from lowest to highest according to the degree of identifiability of the user (identified, pseudonymous, anonymous). Where the user is fully identified, privacy needs to be provided by policy, while where users are pseudonymous or anonymous, privacy can also be provided by architecture. The following table matches these attributes with the characteristics of the corresponding systems.

 

Stage 0: identified

  • Approach to privacy protection: privacy by policy (notice and choice)
  • Linkability of data to personal identifiers: linked
  • System characteristics:
    • unique identifiers across databases
    • contact information stored with profile information

Stage 1: pseudonymous

  • Approach to privacy protection: privacy by policy (notice and choice)
  • Linkability of data to personal identifiers: linkable with reasonable & automatable effort
  • System characteristics:
    • no unique identifiers across databases
    • common attributes across databases
    • contact information stored separately from profile or transaction information

Stage 2: pseudonymous

  • Approach to privacy protection: privacy by architecture
  • Linkability of data to personal identifiers: not linkable with reasonable effort
  • System characteristics:
    • no unique identifiers across databases
    • no common attributes across databases
    • random identifiers
    • contact information stored separately from profile or transaction information
    • collection of long-term person characteristics on a low level of granularity
    • technically enforced deletion of profile details at regular intervals

Stage 3: anonymous

  • Approach to privacy protection: privacy by architecture
  • Linkability of data to personal identifiers: unlinkable
  • System characteristics:
    • no collection of contact information
    • no collection of long-term person characteristics
    • k-anonymity with large value of k
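As a minimal sketch of how the stage 2 characteristics could be realised (hypothetical schema, not from the paper), contact information can be kept in a store separate from transaction data and joined only through a random identifier:

```python
import uuid

# Stage 2 sketch: contact information stored separately from transaction/profile data,
# linked only through a random (non-meaningful) identifier.
contacts = {}       # pseudonym -> contact details (kept in a separate, access-restricted store)
transactions = {}   # pseudonym -> list of transactions (no names, emails or other identifiers)

def register(name: str, email: str) -> str:
    pseudonym = uuid.uuid4().hex          # random identifier, no common attributes across databases
    contacts[pseudonym] = {"name": name, "email": email}
    transactions[pseudonym] = []
    return pseudonym

def record_purchase(pseudonym: str, item: str) -> None:
    transactions[pseudonym].append({"item": item})

pid = register("Alice", "alice@example.org")
record_purchase(pid, "book")
# The transaction store alone reveals behaviour but not identity.
print(transactions[pid])
```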

References:

S. Spiekermann and L. F. Cranor, “Engineering privacy,” IEEE Transactions on software engineering, vol. 35, no. 1, pp. 67–82, 2009.

 

The Seven Types of Privacy

Rachel L. Finn, David Wright, and Michael Friedewald elaborated an interesting list of categories of privacy-related issues raised by advances in different types of technology.

 

  • The Physical Person: This category refers specifically to aspects of the human body, for example nudity, biometric data, electronic implants and sensing devices, brain-signal monitoring, and any other type of information related to the physical body.
  • Behaviour and Action: Any type of information that reflects aspects of a person’s lifestyle, for example sexuality, religion, political beliefs or habits.
  • Personal Communications: From traditional wiretaps to more advanced email interception, or the capture and analysis of text from messaging apps like WhatsApp or Facebook.
  • Data and Image: Problems derived from the proliferation of surveillance cameras and from the massive amounts of images and videos on social networks, together with the possibility of applying automated face-recognition techniques.
  • Thoughts and Feelings: Technology can be used to estimate people’s mental state by means of face, voice or gesture analysis.
  • Location and Space: Related to information about someone’s location, be it obtained from GPS tracking, camera surveillance or Wi-Fi/Bluetooth spoofing.
  • Association and Group Membership: Privacy issues derived from aspects such as belonging to a specific community or following certain groups, individuals or initiatives on social networks.

 

Privacy Facets (PriF)

Keerthi Thomas, Arosha K. Bandara, Blaine A. Price and Bashar Nuseibeh propose a process (requirements distillation) and a framework (PriF) for capturing the privacy-related requirements of a mobile application.

Requirements distillation process

The requirements distillation process consists of three main phases: “Structuring of the Qualitative Data”, “Information Flow Modelling” and “Privacy Problem Analysis”.

Figure: Privacy Facets framework

 

Structuring Qualitative Data: The Privacy Facets (PriF) framework is used to structure the qualitative data, applying a set of predefined codes adapted to the identification of privacy-sensitive contexts. The result of this phase is a set of privacy threats or concerns raised by the users.

Information Flow Modelling: In the second phase, problem models of the information flows are developed, based on the information-flow problem patterns provided by the PriF framework. These problem models capture the way information is created and disseminated to other users.

Privacy Problem Analysis: To elaborate the list of privacy requirements, the privacy-sensitive contexts and their privacy threats or concerns are analysed together with the information-flow models.

Privacy Facets

Privacy Facets (PriF) is a framework that provides:

  • analytical tools such as thematic codes, heuristics, facet questions and extraction rules to structure qualitative data
  • information-flow problem patterns and a privacy arguments language to model privacy requirements.

Using these tools, the system analyst structures the qualitative data of the system in the first phase of the process with the help of heuristic-based categories, for example (a small illustrative sketch follows this list):

  • Negative Behaviour Patterns (NBP): Situations in which the user chooses not to use an application because of privacy concerns.
  • Negative Emotional Indicators (NEI): Keywords that indicate that the user might have privacy concerns when using the application.
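As an illustration only (the codes NBP and NEI come from the framework; the excerpts and keywords are hypothetical), structuring the qualitative data can be as simple as tagging interview excerpts with the predefined codes:

```python
# Sketch of phase 1, "structuring qualitative data": tag interview excerpts with PriF-style codes.
NBP = "Negative Behaviour Pattern"      # user avoids a feature because of privacy concerns
NEI = "Negative Emotional Indicator"    # wording that signals unease about privacy

excerpts = [
    "I turned off location sharing because I don't want my boss to see where I am.",
    "It feels creepy that the app knows which shops I walk past.",
]

keywords = {
    NEI: ["creepy", "uncomfortable", "worried"],
    NBP: ["turned off", "stopped using", "uninstalled"],
}

coded = []
for text in excerpts:
    tags = [code for code, words in keywords.items() if any(w in text.lower() for w in words)]
    coded.append({"excerpt": text, "codes": tags})

for entry in coded:
    print(entry["codes"], "->", entry["excerpt"])
```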
References:
K. Thomas, A. K. Bandara, B. A. Price, and B. Nuseibeh, “Distilling privacy requirements for mobile applications,” in Proceedings of the 36th International Conference on Software Engineering, 2014, pp. 871–882.

Approximate Information Flows (AIF)

Xiaodong Jiang, Jason I. Hong, and James A. Landay apply concepts from economics and information theory to model the exchange of information among the different actors (data owners, data collectors and data users) and to minimize the asymmetry of information flow among them.

 

Figure: Flow of information between Data Owner, Data Collector and Data User

After identifying the main actors they propose the principle of minimum asymmetry:

 Principle of Minimum Asymmetry

A privacy-aware system should minimize the asymmetry of information between data owners and data collectors and data users, by:

  • Decreasing the flow of information from data owners to data collectors and users
  • Increasing the flow of information from data collectors and users back to data owners
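A minimal sketch of what the principle could mean in code (hypothetical design, not from the paper): the collector stores only coarsened data, and every access by a data user is logged and made visible to the data owner:

```python
from datetime import datetime

class LocationCollector:
    """Toy data collector that reduces information asymmetry in both directions."""

    def __init__(self):
        self.store = {}        # owner -> coarse location only (less flow towards the collector)
        self.feedback = {}     # owner -> access log (more flow back to the owner)

    def collect(self, owner: str, latitude: float, longitude: float) -> None:
        # Coarsen the data before storing it: neighbourhood-level granularity instead of exact coordinates.
        self.store[owner] = (round(latitude, 2), round(longitude, 2))

    def read(self, owner: str, data_user: str):
        # Every access is logged and made visible to the data owner.
        self.feedback.setdefault(owner, []).append((data_user, datetime.utcnow().isoformat()))
        return self.store.get(owner)

collector = LocationCollector()
collector.collect("alice", 48.13743, 11.57549)
collector.read("alice", "marketing-dashboard")
print(collector.feedback["alice"])  # Alice can see who accessed her data and when
```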

To support this Principle of Minimum Asymmetry, they define a space of privacy solutions in ubiquitous computing:

Figure: Space of Privacy Solutions in Ubiquitous Computing

References:
X. Jiang, J. I. Hong, and J. A. Landay, “Approximate information flows: Socially-based modeling of privacy in ubiquitous computing,” in Proceedings of the 4th International Conference on Ubiquitous Computing (UbiComp), 2002.

 

Fair Information Practices (FIPS)

The Fair Information Practice Principles (FIPPs) proposed by the Federal Trade Commission (FTC) are the result of an inquiry into how personal information should be handled appropriately in information systems.

Principles

1. Notice/Awareness: Subjects should be given notice of the collection of personal information from them before it takes place.

2. Choice/Consent: Subjects should be given a choice as to whether and how their personal information is collected and used.

3. Access/Participation: Subjects should be allowed to access their personal information that has been collected.

4. Integrity/Security: Information collectors should ensure that the information they collect is accurate and secure.

5. Enforcement/Redress: In order to ensure that the Fair Information Practice Principles are applied, there must be enforcement measures available to the Subjects.

 

More information:

https://en.wikipedia.org/wiki/FTC_Fair_Information_Practice

 

STRuctured Analysis of Privacy (STRAP)

The STRAP framework is an iterative process that aims to identify privacy vulnerabilities throughout all stages of the software development process.

  1. Design Analysis: The process starts with a goal-oriented analysis of the whole system. The main actors, goals and major system components are identified and represented in a tree diagram following a dependency hierarchy (Figure 1). Goals are represented as circles, and the actors involved in each goal are indicated with colours. For each goal we ask the following analytical questions: “What information is captured/accessed for this goal?”, “Who are the actors involved in the capture and access?”, “What knowledge is derived from this information?” and “What is done with the information afterward?” The answers to these questions are used to identify privacy vulnerabilities. (A small sketch of such a goal node follows this list.)
  2. Design refinement: Once the vulnerabilities are identified, we iterate over them and decide which ones can be eliminated and which ones can be mitigated. For example, if one vulnerability is that personal information stored on a server could be stolen, a mitigation is to keep the information encrypted.
  3. Evaluation: Elaborate a set of alternative designs that address the goals of the system and evaluate them. Choose the design alternative with the least impact on privacy.
  4. Iteration: As the conceptualisation of the project evolves, repeat the previous steps to make sure that all vulnerabilities are identified and documented. Together with the vulnerabilities, the assumptions made in the design must be documented. Before new features are added to the system, they need to be evaluated and the goal tree updated, adding new goals and actors as needed.
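As an illustration (hypothetical structure; the four analytical questions come from the framework), each node of the goal tree can carry its actors, the answers to the analytical questions and the vulnerabilities identified for that goal:

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class Goal:
    """One node of a STRAP-style goal tree, annotated with the four analytical questions."""
    name: str
    actors: List[str]
    information_captured: str = ""                            # What information is captured/accessed for this goal?
    capture_actors: List[str] = field(default_factory=list)   # Who is involved in the capture and access?
    derived_knowledge: str = ""                                # What knowledge is derived from this information?
    later_use: str = ""                                        # What is done with the information afterward?
    subgoals: List["Goal"] = field(default_factory=list)
    vulnerabilities: List[str] = field(default_factory=list)

root = Goal(
    name="Recommend nearby events",
    actors=["end user", "service provider"],
    information_captured="current GPS position",
    capture_actors=["mobile app", "recommendation backend"],
    derived_knowledge="home and work locations over time",
    later_use="stored server-side for ranking future recommendations",
    vulnerabilities=["location history stored unencrypted on the server"],
)
print(root.vulnerabilities)
```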
Figure: Diagram of the STRAP framework process

References: 

C. Jensen, J. Tullio, C. Potts, and E. D. Mynatt, “STRAP: a structured analysis framework for privacy,” 2005.
The Personalization Privacy Paradox

Summary of “The Personalization Privacy Paradox: An Empirical Evaluation of Information Transparency and Willingness to Be Profiled Online for Personalization”

Naveen Farag Awad and M. S. Krishnan analyse in their article the relationship between information transparency and the willingness to partake in personalization. The analysis is based on utility maximization theory, using a microeconomic framework to model the user’s willingness to trade personal information in exchange for certain benefits. In this case, the benefit (B) is the advantage the user obtains by using a specific service, and the cost (C), which needs to be minimized, is a function of several factors, including consumer privacy concern, previous privacy invasions, consumer-rated importance of information transparency and consumer-rated importance of privacy policies.

The goal is the maximization of the utility function U, which is as follows:

U(X) = Benefit – Cost
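As a toy example (illustrative numbers only, not from the study), the decision to share personal information for personalization follows directly from this utility calculation:

```python
def utility(benefit: float, cost: float) -> float:
    """U(X) = Benefit - Cost: sharing personal information is worthwhile only if utility is positive."""
    return benefit - cost

# Hypothetical valuation: personalization is worth 8 units to this user,
# while privacy concern and perceived lack of transparency cost 5 (or 12) units.
print(utility(benefit=8, cost=5))   # 3  -> the user is willing to be profiled
print(utility(benefit=8, cost=12))  # -4 -> the user declines personalization
```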

The dependencies among these factors are studied through a research model, which proposes some interesting hypotheses, for example:

  • Consumer-rated importance of information transparency increases with the consumer’s general level of privacy concern.
  • Consumer-rated importance of information transparency is higher for consumers who have previously had their privacy invaded online.

According to the classification of frameworks proposed by Iachello, this study could be considered “communitarian”, since its main objective is to provide a set of guidelines that maximize user satisfaction based on the obtained results, as opposed to “principled” frameworks, whose objective is to guarantee the protection of the end user’s personal information.