Privacy Interests Editors: Fred Cate, [email protected] Ben Laurie, [email protected]

Deconstructing the Privacy Experience

oday’s privacy dialogue often lacks attention to information is permanently acces- sible on the Web. This mismatch what should be a primary goal: informing the of expectation and reality is at the crux of the privacy design chal- central tenets of product design. Conversations lenges that lay ahead. An example from my personal that center around opt-in versus opt-out, priva- feed illustrates the implications of Twitter’s design for privacy. Tcy policies, sensitive data, encryption, and retention periods On 22 January 2009 at 3:01 p.m., jessicatornwald posted a tweet BETSY tend to fade into a fog of legalese, Web, is a young enough service containing details about both MASIELLO often without tackling fundamen- that it’s undoubtedly still re!ning her sex life and mental health in Google tal design challenges. Privacy today the privacy experience it o"ers. less than 140 characters. jessica- is hard. We need to make it simple. On the surface, this experience tornwald had, at the time, rela- We’ve long focused on trans- is quite simple: users set their ac- tively few followers by Twitter parency and choice as the pillars on counts to be either public or pri- standards (roughly 35), but her which privacy rests because togeth- vate, and that setting covers all tweets are public and thus avail- er they enable informed consent tweets sent from those accounts. able to the entire Internet. Her to data collection. On their own, Nonetheless, in some ways the ex- username is actually her real however, transparency and choice perience is inauthentic—it doesn’t name (although obfuscated here), say nothing about creating a us- always behave as expected, a qual- and she has a photo of herself on able privacy experience. Enabling ity that has rami!cations for aver- her pro!le. Although Twitter is informed consent to data collec- age users’ privacy expectations. a pseudonymous service, jessica- tion isn’t enough; product design- This behavior manifests in tornwald is not tweeting under ers must aspire to this and more: two ways: !rst, public tweets are a pseudonym. And in one quick enable informed consent without permanent, not ephemeral as we instant, she publicly and identi!- burdening user experience. often experience them; second, ably referenced both her sex life Deconstructing the privacy you can’t delete public tweets, and therapy experience, content experiences available on today’s despite the trashcan icon that in- many of us consider private. social Web is a !rst step in engag- dicates otherwise. Two students Ironically and tellingly, jessica- ing in a rich and nuanced dialogue in MIT’s 2008 class, in their tornwald requested that I obfus- about digital privacy. It quickly capstone paper, “Ethics and Law cate her username in this column becomes apparent that the chal- on the Electronic Frontier,” ex- to protect her future job prospects. lenges ahead aren’t focused on data plored these facts; you can easily (As of June 2009, no user by the collection—indeed, the reality is test their assertions yourself.1 name of jessicatornwald actually that we will continue to put data Using Twitter, it’s possible to exists on Twitter.) Her request was online and derive in!nite utility feel like a tweet can be forever surprisingly blunt: “Just keep me from doing so. Instead, the chal- lost as quickly as the digital con- anonymous at all costs.” Clearly, lenge is how to build an authen- versation evolves. This ephemeral jessicatornwald does care about tic experience, enable meaningful nature might inspire users to share privacy, but Twitter has created a choices, and make transparency more information than they oth- medium in which she’s willing to accessible to the average user. erwise would, experiencing the share private information publicly. harsh reality that most of what we Notably, keeping her anonymous The Importance say and do isn’t important enough requires that I not even quote the of Authentic Design to get much attention. Yet, once tweet because doing so would let Twitter, a darling of the social expressed on a public Twitter feed, readers search for her identity.

68 COPUBLISHED BY THE IEEE COMPUTER AND RELIABILITY SOCIETIES ■ 1540-7993/09/$26.00 © 2009 IEEE ■ JULY/AUGUST 2009 Privacy Interests

The Paradox of Choice Society (Basic Books, 1999). The of trust in other users. The Inter- Our de!nitions of privacy are lesson seems to be, if you want to net has taken gossip and made it continuously evolving, so it always participate in the social Web, you authoritative on a scale we haven’t seems appropriate to o"er a new are best o" doing so in a com- begun to comprehend. Mark one. I’d like to suggest that the pletely transparent way. Zuckerberg, Facebook’s CEO, right to privacy in the 21st cen- The conclusion that because pri- described the challenge on Face- tury is the right to not be mischar- vacy is hard, we should live com- book’s blog: acterized, unsettled, or surprised pletely transparent lives seems, to by what personal information and say the least, unsatisfying. Worse, People want full ownership communications about you are it strips the burden of innovation and control of their informa- publicly available on the Web. from engineers. Technology’s ob- tion so they can turn o" ac- At the core of enabling priva- jective shouldn’t be to radically cess to it at any time. At the cy in this context is an authentic warp our human qualities but to same time, people also want to privacy experience, one that’s as enhance the ways in which we live be able to bring the informa- expected. Achieving this authen- our fundamentally human lives. tion others have shared with ticity is such a challenge that few I’ve drawn di"erent lessons from them … onto other services products and services, if any, come my own Facebook experience: and grant those services access to mind as having fully done so, !rst, social relationships are #uid, to those people’s information. although equally few products and and privacy must adapt with them These two positions are at services have intentionally lied. as they shift; second, when choice odds with each other. Google, FriendFeed, Facebook, becomes a burden to manage, it MySpace—we can view all these isn’t meaningful and might even This is another undeniable re- companies as having some design create new privacy risks. ality we must face—if someone aspect that’s not authentic, that else puts information about you requires too much work on the Engineering on the Web, it becomes persistent, user’s part to understand. Authen- Meaningful Choice replicable, and searchable almost tic privacy design is elusive not by To address these issues, we need immediately. Self-representation any fault of our own but because to begin a dialogue about mean- is di$cult on the Web: rumors it’s an evergreen problem requir- ingful choice. Engineers and spread fast and are perceived as ing engineering innovation. product designers could apply more trustworthy than in the tra- Take, for example, the array of normative views about which ditional childhood game of “tele- granular privacy controls available choices users should want control phone.” Engineers have looked on Facebook, a service that’s been over and which matter less—this for ways to make information be- both lauded and criticized for its might be one way to simplify come ephemeral or obscured as it privacy design. Facebook users choice. But this seems either a is copied, similar to how a state- can choose to share their personal paternalistic or naïve approach to ment mutates from start to !nish data in numerous ways, a design technology innovation. in a game of telephone, but have choice that causes some to ask if One future might include tools made little progress. Could we at it might be too much of a good that intelligently evolve the pri- the very least make digital infor- thing. The conclusions to this vacy choices available and display mation’s immutable quality more train of thought, however, should them in the least burdensome way. apparent to users, or alternatively be troubling to those of us who Another might include adaptations assure them that what remains be- care about digital privacy. of features such as Gmail Chat’s hind a walled garden today will Randall Stross of the New “o"-the-record” feature. Both remain there forever? York Times made similar observa- futures have #aws: they demand tions in a recent column (www.ny considerable trust in the technol- Enhancing Privacy times.com/2009/03/08/business/ ogy, and we face technical limita- 08digi.html). Stross drew the fol- tions in implementing them. through Intelligible lowing conclusion: “When the To build tools to e"ectively Transparency distinction blurs between one’s neg otiate a trustworthy relation- Finally, any privacy discussion few close friends and the many ship between users will demand must consider the data collection who are not, it seems pointless to attention from the smartest en- that enables much of today’s In- distinguish between private and gineers in the world. Even if a ternet economy to #ourish but is public.” Others have drawn simi- product or service gives users often as obscured as it is pervasive. lar conclusions, most notably Da- meaningful choice, each user must How do we create transparency vid Brin, author of The Transparent still convey an enormous degree that’s accessible to average users,

www.computer.org/security 69 Privacy Interests

such that their choices are ade- can imminently imagine, technical to date is that we ought to “un- quately informed? There are two security is harder to justify. And derstand the function of privacy sides to the transaction: !rst, sur- unlike prices for physical goods, in part to remove the burden of facing data collection as it happens understanding what we get in ex- defending private choices” (as Lawrence Lessig told me in a pri- How do we create transparency that’s accessible to vate email correspondence). We could aim to shift the privacy dia- average users, such that their choices are adequately logue through social advocacy or by creating laws to regulate the informed? publicly private. Or, we could put in front of our best and brightest and is used; second, making ap- change for our data is often di$- engineers a series of design prob- parent the value obtained and risk cult. Analogous abstractions exist lems to ease average users’ bur- inherent to sharing data. We’ve on the social Web. Unlike the ex- den of defending private choices. made great progress on former but perience of speaking to others in a The technology community has are only beginning to conceptual- physical room, it isn’t always im- never waited for permission or re- ize the latter. mediately apparent who is “listen- quests to build a new future. Why Google’s Ads Preferences Man- ing” to our communications on should we wait to build a better ager, launched alongside its in- the Web. We must consider how privacy experience? terest-based advertising product, to improve interfaces to the Inter- made leaps forward in transpar- net that enable these experiences Acknowledgments ency in data collection and use. to be as human-interpretable as This article re#ects the opinions of Cookies have in some ways ob- their o%ine equivalents. the author and does not represent scured data collection for average Sherry Turkle, director of the an o$cial opinion on the part of her users—although they’re stored in MIT Initiative on Technology and employer. the browser and accessible, many Self, wisely noted at a recent con- users can’t interpret the meaning ference that, “In democracy today, References of cookie identi!ers and contents. perhaps we need to start with the 1. X. Xiao and Chris Varenhorst, The Ads Preferences Manager has assumption that we all have some- “Stop the Tweet: Preventing made the di$cult easy: users can thing to hide” (as quoted in danah Harm and Embarrassment to see their cookie ID, their opt-out boyd’s Twitter feed on 11 March Twitter Users,” 10 Dec. 2008, status, and the interest catego- 2009; www.twitter.com/zephoria). http://varenhor.st/papers/tweet ries used to serve them ads on the As technologists, we need to re- show.pdf. Google Content Network. We spect this basic tenet as a truth, can imagine that future evolu- and more directly design solutions Betsy Masiello is a policy analyst at tions of this tool might make vis- that enable hidden corners of our Google. Her research interests lie at the ible real-time data collection in a lives. On the social Web, privacy intersection of information technologies browser overlay. is a global and entirely subjective and public policy, including privacy, These are remarkable steps quality—we each perceive dif- economic, and telecommunications pol- forward for transparency, but to ferent threats to it. For some, it’s icies. Masiello has an SM in technology suggest this is all the innovation government surveillance whereas & policy from the Massachusetts Insti- required would be naïve to say others fear social embarrassment. tute of Technology and an MSc in !nan- the least. During the next round Privacy is no longer a wholly legal cial economics from Oxford University, of transparency innovation, we issue but very much a social one, where she was a Rhodes Scholar. Con- should focus on how to make ap- and the design community should tact her at [email protected]. parent the value and risk of shar- tackle it as such. ing data. Companies collect data about users who interact with their Web ’ve suggested that we should sites for good reasons. Many are I understand privacy in part as a security-related, and many more right to not be mischaracterized, Interested in writing for this support business models from surprised, or unsettled by infor- department? Please contact which users derive substantial mation available about us on the editors Fred Cate (fcate@indiana. value. In neither case is the value Web. Among the best rationales edu) and/or Ben Laurie (ben@ immediately apparent to users. I’ve seen put forth for a more nu- links.org). Unlike physical dangers that we anced de!nition than we’ve had

70 IEEE SECURITY & PRIVACY /PONFNCFS
SBUF
PG

GPS
41
NBHB[JOF

*&&&
4FDVSJUZ

1SJWBDZ
JT
5)&
QSFNJFS
NBHB[JOF
GPS
TFDVSJUZ
QSPGFTTJPOBMT

5PQ
TFDVSJUZ
QSPGFTTJPOBMT
JO
UIF
¾
FME
TIBSF
JOGPSNBUJPO
PO
XIJDI
ZPV
DBO
SFMZ

4JMWFS
#VMMFU
QPEDBTUT
BOE
JOUFSWJFXT

*OUFMMFDUVBM
1SPQFSUZ
1SPUFDUJPO

1JSBDZ

%FTJHOJOH
GPS
*OGSBTUSVDUVSF
4FDVSJUZ
1SJWBDZ
*TTVFT

-FHBM
*TTVFT

$ZCFSDSJNF

%JHJUBM
3JHIUT
.BOBHFNFOU
5IF
4FDVSJUZ
1SPGFTTJPO

7JTJU
PVS
8FC
TJUF
BU
XXXDPNQVUFSPSHTFDVSJUZ

4VCTDSJCF
OPX XXXDPNQVUFSPSHTFSWJDFTOPONFNTQCOS