Appropriate Privacy Feedback
Notification on Access of Personal Data
Users are frequently unaware or unsure about what personal data systems collect and otherwise process. When systems fade into the background users are less likely to take notice and adjust what information is collected. Data controllers who provide services (or products) to such users realize that consent is not valid without users first being sufficiently informed. They aim to do so in a manner which is appropriate for the service.
The controller may have relied on op-out mechanics, but now realizes that within the European General Data Protection Regulation (recital 32) 'silence, pre-ticked boxes or inactivity' no longer constitute consent. Unnecessarily disruptive notice is also not permitted.
Many systems are designed to be seamless or ubiquitous. However, this can make personal data risks less apparent to the user.
As a result users may overlook services without fulling understanding the privacy risks involved. Potentially, these users may realize consequences long after, or worse, not realize them at all.
- Controllers want systems to do their tasks in the background without bothering the user, but need the user's informed consent
- Controllers often do not want to process data which users feel uncomfortable about, but uninformed users may provide it
- Users want to get the benefits of a service without having to interact with it, and may not do so at all if they do not have to
- There are users who would avoid these services if they were aware of the privacy risks
Visible feedback loops, which capture the user's attention, are needed to help ensure that users understand what data is being collected, who can see that data, and how might it be used.
Notification should occur before access where possible, and during or shortly after access if earlier notification is not appropriate. In most cases this means preventing a user's use of a service before allowing the core functionality of the service to run at all. Where some features with variable privacy implications are not essential to the service, they may be provided as optional, defaulting to being disabled.
Users should be informed appropriately, providing both concise and understandable explanations of the personal data acquired, and warnings of the risks involved. The service should make a best effort to ensure that the user understands the implications of consent before commencing or resuming functionality. An effort should also be made to make these notifications non-invasive. Using Ambient or Asynchronous Notice is one way to achieve this.
Where users choose to be notified less immediately or less often, and after being warned of the risks involved, then the service may store logs of its privacy affecting activities. The user should then be able to retrieve these logs, in a human readable form, at will. As only the user should be able to access these, unless said user provides informed consent otherwise, it should also be secured. Use state of the art means of encryption to do this. If this functionality cannot be done in this manner, due to technical constraints for example, then do not provide logging functionality.
The user will be informed before using a service, which will cause the user to be more careful according to their personal privacy preference. Those who find the service too invasive will not use it, or provide feedback towards its improvement. The service will not be liable for user activities where it has informed them of the risks those activities involve.
Preventing functionality until consent is acquired lessens the feasibility of various services. However, doing otherwise presents risks of high financial and good-will damages.
When you share some content on Facebook, it sometimes asks you to review your fundamental privacy settings. In the short tour given, you can see what data is accessed by other users or by third party applications.
This pattern is a component of the compound pattern, Awareness Feed. As such, this pattern may be used by it.
Privacy Awareness Panel provides the same information (what, who, and how) as this pattern, while using different mechanisms. Together these patterns cover future, present, and past disclosure. While this could be a similar relationship, complementary aspects are also present. Similar to Privacy Awareness Panel, the complementary relationship with Who's Listening allows for monitoring of access in a more holistic manner.
Trust Evaluation of Services Sides provides visual highlights which alert the user to the estimated trustworthiness of a service. This functionality goes well with the aim to provide the user with useful feedback on risks to their privacy. Together, these patterns can illuminate the trustworthiness of entities which access the user's data, especially third parties.
Increasing Awareness of Information Aggregation aims to solve a different problem, though it may help future disclosure decisions through knowledge of its potential sensitivity when aggregated.
Appropriate Privacy Feedback may be used by Privacy Mirrors as a means to provide feedback on personal data usage. Privacy Dashboard also may use it, as it empowers users to act on detail they have been drawn attention to. Notification may also be facilitated through using Ambient or Asynchronous Notice to reduce intrusiveness.
E. S. Chung, J. I. Hong, J. Lin, M. K. Prabaker, J. a. Landay, and A. L. Liu, “Development and Evaluation of Emerging Design Patterns for Ubiquitous Computing,” DIS ’04 Proceedings of the 5th conference on Designing interactive systems: processes, practices, methods, and techniques, pp. 233–242, 2004.
H. Baraki et al., Towards Interdisciplinary Design Patterns for Ubiquitous Computing Applications. Kassel, Germany, 2014.
G. Iachello and J. Hong, “End-User Privacy in Human-Computer Interaction,” Foundations and Trends® in Human-Computer Interaction, vol. 1, no. 1, pp. 1–137, 2007.