
Privacy Interests
Editors: Fred Cate, [email protected]; Ben Laurie, [email protected]

Deconstructing the Privacy Experience

Betsy Masiello, Google

COPUBLISHED BY THE IEEE COMPUTER AND RELIABILITY SOCIETIES ■ 1540-7993/09/$26.00 © 2009 IEEE ■ JULY/AUGUST 2009 ■ www.computer.org/security

Today’s privacy dialogue often lacks attention to what should be a primary goal: informing the central tenets of product design. Conversations that center around opt-in versus opt-out, privacy policies, sensitive data, encryption, and retention periods tend to fade into a fog of legalese, often without tackling fundamental design challenges. Privacy today is hard. We need to make it simple.

We’ve long focused on transparency and choice as the pillars on which privacy rests because together they enable informed consent to data collection. On their own, however, transparency and choice say nothing about creating a usable privacy experience. Enabling informed consent to data collection isn’t enough; product designers must aspire to this and more: enable informed consent without burdening user experience.

Deconstructing the privacy experiences available on today’s social Web is a first step in engaging in a rich and nuanced dialogue about digital privacy. It quickly becomes apparent that the challenges ahead aren’t focused on data collection—indeed, the reality is that we will continue to put data online and derive infinite utility from doing so. Instead, the challenge is how to build an authentic experience, enable meaningful choices, and make transparency accessible to the average user.

The Importance of Authentic Design

Twitter, a darling of the social Web, is a young enough service that it’s undoubtedly still refining the privacy experience it offers. On the surface, this experience is quite simple: users set their accounts to be either public or private, and that setting covers all tweets sent from those accounts. Nonetheless, in some ways the experience is inauthentic—it doesn’t always behave as expected, a quality that has ramifications for average users’ privacy expectations.

This behavior manifests in two ways: first, public tweets are permanent, not ephemeral as we often experience them; second, you can’t delete public tweets, despite the trashcan icon that indicates otherwise. Two students in MIT’s 2008 class, in their capstone paper, “Ethics and Law on the Electronic Frontier,” explored these facts; you can easily test their assertions yourself [1].

Using Twitter, it’s possible to feel like a tweet can be forever lost as quickly as the digital conversation evolves. This ephemeral nature might inspire users to share more information than they otherwise would, experiencing the harsh reality that most of what we say and do isn’t important enough to get much attention. Yet, once expressed on a public Twitter feed, information is permanently accessible on the Web. This mismatch of expectation and reality is at the crux of the privacy design challenges that lay ahead.

An example from my personal feed illustrates the implications of Twitter’s design for privacy. On 22 January 2009 at 3:01 p.m., jessicatornwald posted a tweet containing details about both her sex life and mental health in less than 140 characters. jessicatornwald had, at the time, relatively few followers by Twitter standards (roughly 35), but her tweets are public and thus available to the entire Internet. Her username is actually her real name (although obfuscated here), and she has a photo of herself on her profile. Although Twitter is a pseudonymous service, jessicatornwald is not tweeting under a pseudonym. And in one quick instant, she publicly and identifiably referenced both her sex life and therapy experience, content many of us consider private.

Ironically and tellingly, jessicatornwald requested that I obfuscate her username in this column to protect her future job prospects. (As of June 2009, no user by the name of jessicatornwald actually exists on Twitter.) Her request was surprisingly blunt: “Just keep me anonymous at all costs.” Clearly, jessicatornwald does care about privacy, but Twitter has created a medium in which she’s willing to share private information publicly. Notably, keeping her anonymous requires that I not even quote the tweet because doing so would let readers search for her identity.

The Paradox of Choice

Our definitions of privacy are continuously evolving, so it always seems appropriate to offer a new one. I’d like to suggest that the right to privacy in the 21st century is the right to not be mischaracterized, unsettled, or surprised by what personal information and communications about you are publicly available on the Web.

At the core of enabling privacy in this context is an authentic privacy experience, one that’s as expected. Achieving this authenticity is such a challenge that few products and services, if any, come to mind as having fully done so, although equally few products and services have intentionally lied. Google, FriendFeed, Facebook, MySpace—we can view all these companies as having some design aspect that’s not authentic, that requires too much work on the user’s part to understand. Authentic privacy design is elusive not by any fault of our own but because it’s an evergreen problem requiring engineering innovation.

Take, for example, the array of granular privacy controls available on Facebook, a service that’s been both lauded and criticized for its privacy design. Facebook users can choose to share their personal data in numerous ways, a design choice that causes some to ask if it might be too much of a good thing. The conclusions to this train of thought, however, should be troubling to those of us who care about digital privacy.

Randall Stross of the New York Times made similar observations in a recent column (www.nytimes.com/2009/03/08/business/08digi.html). Stross drew the following conclusion: “When the distinction blurs between one’s few close friends and the many who are not, it seems pointless to distinguish between private and public.” Others have drawn similar conclusions, most notably David Brin, author of The Transparent Society (Basic Books, 1999). The lesson seems to be, if you want to participate in the social Web, you are best off doing so in a completely transparent way.

The conclusion that because privacy is hard, we should live completely transparent lives seems, to say the least, unsatisfying. Worse, it strips the burden of innovation from engineers. Technology’s objective shouldn’t be to radically warp our human qualities but to enhance the ways in which we live our fundamentally human lives.

I’ve drawn different lessons from my own Facebook experience: first, social relationships are fluid, and privacy must adapt with them as they shift; second, when choice becomes a burden to manage, it isn’t meaningful and might even create new privacy risks.

Engineering Meaningful Choice

To address these issues, we need to begin a dialogue about meaningful choice. Engineers and product designers could apply normative views about which choices users should want control over and which matter less—this might be one way to simplify choice. But this seems either a paternalistic or naïve approach to technology innovation.

One future might include tools that intelligently evolve the privacy choices available and display them in the least burdensome way. Another might include adaptations of features such as Gmail Chat’s “off-the-record” feature. Both futures have flaws: they demand considerable trust in the technology, and we face technical limitations in implementing them.

To build tools to effectively negotiate a trustworthy relationship between users will demand attention from the smartest engineers in the world. Even if a product or service gives users meaningful choice, each user must still convey an enormous degree of trust in other users. The Internet has taken gossip and made it authoritative on a scale we haven’t begun to comprehend. Mark Zuckerberg, Facebook’s CEO, described the challenge on Facebook’s blog:

“People want full ownership and control of their information so they can turn off access to it at any time. At the same time, people also want to be able to bring the information others have shared with them … onto other services and grant those services access to those people’s information. These two positions are at odds with each other.”

This is another undeniable reality we must face—if someone else puts information about you on the Web, it becomes persistent, replicable, and searchable almost immediately. Self-representation is difficult on the Web: rumors spread fast and are perceived as more trustworthy than in the traditional childhood game of “telephone.” Engineers have looked for ways to make information become ephemeral or obscured as it is copied, similar to how a statement mutates from start to finish in a game of telephone, but have made little progress. Could we at the very least make digital information’s immutable quality more apparent to users, or alternatively assure them that what remains behind a walled garden today will remain there forever?

Enhancing Privacy through Intelligible Transparency

Finally, any privacy discussion must consider the data collection that enables much of today’s Internet economy to flourish but is often as obscured as it is pervasive. How do we create transparency that’s accessible to average users, such that their choices are adequately informed? There are two

… can imminently imagine, technical security is harder to justify.

… to date is that we ought to “un-