Visualizing privacy

1
Visualizing privacy

• Aleecia M. McDonald

2
Overview

• The Gramm-Leach-Bliley (GLB) Act
• Selected portions from An Evaluation of the
  Effect of US Financial Privacy Legislation
  Through the Analysis of Privacy Policies
• Privacy text is hard
• Privacy Mad Libs example
• Privacy bingo cards
• Making GLB more useable
• Evolution of a Prototype Financial Privacy Notice
  
• What happens in practice?
• Privacy practices of Internet users Self-reports
  versus observed behavior
• Privacy images are hard
• Privacy Pictionary / Times Up

3
What is the Gramm-Leach-Bliley (GLB) Act?
4
What is the Gramm-Leach-Bliley (GLB) Act?

• Senator Gramm (R, Texas)

5
What is the Gramm-Leach-Bliley (GLB) Act?

• Senator Gramm (R, Texas)
• Representative Leach (R, Iowa)

6
What is the Gramm-Leach-Bliley (GLB) Act?

• Senator Gramm (R, Texas)
• Representative Leach (R, Iowa)
• Representative Bliley (R, Virginia)

7
What is the Gramm-Leach-Bliley (GLB) Act?

• Enacted November 12, 1999
• Effective November 13, 2000
• Not primarily privacy legislation
• A.K.A. Financial Services Modernization Act of
  1999
• Modernization ?

8
What is the Gramm-Leach-Bliley (GLB) Act?

• Enacted November 12, 1999
• Effective November 13, 2000
• Not primarily privacy legislation
• A.K.A. Financial Services Modernization Act of
  1999
• Modernization Mergers
• Financial services includes banks, stock
  brokerage companies, and insurance companies

9
Why does the GLB address privacy?

• New privacy concerns arise from future mergers
• What happens when your mortgage company talks to
  your health insurance company?
• Existing privacy issues
• November 1997, Charter Pacific Bank sold millions
  of credit card numbers to an adult website
  company.
• 1998, NationsBank shared information with
  affiliated stock brokerage. Sold high-risk
  investments to senior citizens.
• 1999 - 2000, Memberworks telemarketers. 19/25 top
  banks.
• International issues
• 1995, the EU passed the Data Protection
  Directive.
• Initial Safe Harbor proposal did not include the
  financial industry.

10
Privacy provisions in GLB

• Must store personal information securely
• ensure security and confidentiality
• protect against anticipated threats
• protect against unauthorized access that could
  substantially harm or inconvenience customers
• Must give notice of policies about sharing
  personal financial information
• Must give option to opt-out of some sharing
• No sale of specific data for marketing
• Pretexting banned

11
Privacy provisions in GLB

• Must store personal information securely
• ensure security and confidentiality
• protect against anticipated threats
• protect against unauthorized access that could
  substantially harm or inconvenience customers
• Must give notice of policies about sharing
  personal financial information
• Must give option to opt-out of some sharing
• No sale of specific data for marketing
• Pretexting banned

12
Privacy protection exceptions

• Disclosure to affiliates
• No notice required
• No ability to opt out
• Free information flow within entire corporate
  family - can be 1000 companies, not all
  financial
• Joint marketing disclosure
• No notice required
• No ability to opt out
• Can flow all through the second corporate family

13
What is in a GLB Privacy Notice?

• Clear, conspicuous, and accurate statement of the
  company's privacy practices
• What information the company collects about its
  consumers and customers
• With whom it shares the information
• How it protects or safeguards the information
• Applies to "nonpublic personal information"

14
Who Gets Notice?

• Have you seen a GLB notice?
• Have you read a GLB notice?

15
Who Gets Notice?

• Have you seen a GLB notice?
• Have you read a GLB notice?
• Goes to all new customers
• Goes out annually to all customers

16
Who Gets Notice?

• Have you seen a GLB notice?
• Have you read a GLB notice?
• Goes to all new customers
• Goes out annually to all customers
• Do notices get noticed?
• How does this compare to privacy indicators in
  web browsers?

17
Did GLB help? Part I More clarity
18
Did GLB help? Part II Sharing alike
19
Did GLB help? Part III Joint market increase
20
Are notices readable?

• 85 of adults have a high school degree
• 25 have one or more college degrees
• Reading level usually three grade levels lower
• 8th grade recommended for general population
• July, 2001 Privacy Rights Clearinghouse study,
  average is 15.6
• GLB legislated policies must be reasonably
  understandable yet policies are at college
  reading level

21
Are notices readable?
Source An Evaluation of the Effect of US
Financial Privacy Legislation Through the
Analysis of Privacy Policies Steve Sheng and
Lorrie Faith Cranor
22
What makes notices harder to read?

• Complexity
• Long line length with lots of clauses
• Big words
• Jargon
• But I dont want to default
• Legal writing
• When is the last time you read a contract for
  fun?
• Being informal can create legal liability
• Corporate incentive for weasel words
• Passive voice endemic

23
Privacy Mad Libs

• A "lt X gt" is a lt Y gt who has a "lt X
  gt relationship" with a financial institution. A
  "lt X gt relationship" is a continuing
  relationship with a lt Y gt.

24
Privacy Mad Libs

• A "lt X gt" is a lt Y gt who has a "lt X
  gt relationship" with a financial institution. A
  "lt X gt relationship" is a continuing
  relationship with a lt Y gt.
• A "customer" is a consumer who has a "customer
  relationship" with a financial institution. A
  "customer relationship" is a continuing
  relationship with a consumer.

25
Privacy Mad Libs

• A "lt X gt" is a lt Y gt who has a "lt X
  gt relationship" with a financial institution. A
  "lt X gt relationship" is a continuing
  relationship with a lt Y gt.
• A "customer" is a consumer who has a "customer
  relationship" with a financial institution. A
  "customer relationship" is a continuing
  relationship with a consumer.

26
Privacy Mad Libs

• A "lt X gt" is a lt Y gt who has a "lt X
  gt relationship" with a financial institution. A
  "lt X gt relationship" is a continuing
  relationship with a lt Y gt.
• A "customer" is a consumer who has a "customer
  relationship" with a financial institution. A
  "customer relationship" is a continuing
  relationship with a consumer.
• Source The Federal Trade Commissions
  explanation of the Gramm-Leach-Bliley Act

27
Maybe its just the FTC

• Perhaps its hard to write about writing policies
  but the policies themselves are clear and
  useable.
• Perhaps the FTC hired exceptionally bad staff.

28
Maybe its just the FTC

• "An affiliate is a company we own or control, a
  company that owns or controls us, or a company
  that is owned or controlled by the same company
  that owns or controls us. Ownership does not mean
  complete ownership, but means owning enough to
  have control." (Seattle Savings Bank)

29
Maybe its just the FTC

• "An affiliate is a company we own or control, a
  company that owns or controls us, or a company
  that is owned or controlled by the same company
  that owns or controls us. Ownership does not mean
  complete ownership, but means owning enough to
  have control." (Seattle Savings Bank)
• "We share your non-public personal public
  information only with contractual safeguards to
  protect the confidentiality of your information."
  (UniTrust)

30
Maybe its just the FTC

• "An affiliate is a company we own or control, a
  company that owns or controls us, or a company
  that is owned or controlled by the same company
  that owns or controls us. Ownership does not mean
  complete ownership, but means owning enough to
  have control." (Seattle Savings Bank)
• "We share your non-public personal public
  information only with contractual safeguards to
  protect the confidentiality of your information."
  (UniTrust)
• "In the opt-out election, you will have the
  option of including or excluding the Credit Union
  from your opt-out election." (UniTrust)

31
Privacy Buzzword Bingo
32
Making GLB more useable

• Evolution of a Prototype Financial Privacy
  Notice A Report on the Form Development Project
  (February 28, 2006, Kleimann Communications
  Group, Inc.)
• Six federal agencies project to do better
• Board of Governors of the Federal Reserve System,
  Federal Deposit Insurance Corporation, Federal
  Trade Commission, National Credit Union
  Administration, Office of the Comptroller of the
  Currency, and the Securities and Exchange
  Commission.
• Explore why consumers dont read and understand
  privacy notices
• Develop notices that are easier for consumers to
  understand and use
• Phase I complete
• 8 test sites
• 16 month iterative cycle for prototype
• Phase II quantitative study to assess the
  prototype

33
Project Goals Paper Prototype

• Comprehension. The prototype must enable
  consumers to understand the basic concepts behind
  the privacy notices and understand what to do
  with the notices. It must be clear and
  conspicuous as a whole and readily accessible in
  its parts.
• Comparison. The prototype must allow consumers to
  compare information sharing practices across
  financial institutions and to identify the
  differences in sharing practices.
• Compliance. The content and design of the
  alternative privacy notices must include the
  elements required by the GLBA and the affiliate
  marketing provision of the Fair and Accurate
  Credit Transactions Act.

34
Good design necessary but not sufficient

• Table design worked best
• Two page design with more details available for
  those who want them (definitions and GLB mandated
  notices)
• We learned that we needed to include an
  educational component in the notice as consumers
  had no prior understanding of information sharing
  practices.

35
Four Parts of the Design

• Title
• Frame
• Disclosure Table
• Opt-out Form

36
The Title

• Attract consumers attention so that they will
  read the notice
• Avoids inflammatory language
• Helps consumers understand that the information
  is from their own financial institution
• Their personal information is currently being
  collected and used by the bank
• Does not explicitly mention consumer rights

37
(No Transcript)
38
The Frame

• Problem customers uninformed about financial
  privacy
• Need basic information about financial sharing
  practices to understand the notice
• The Frame provides context and supports the core
  information about a financial institutions
  sharing practices
• Key frame heart of ensuring comprehension
• Secondary frame nice to have (FAQs, details,
  mandates)

39
(No Transcript)
40
(No Transcript)
41
The Disclosure Table

• Goals
• Understand information about financial sharing
  policies and their personal information
• Can compare sharing practices across financial
  institutions
• Seven basic reasons a financial institution can
  share information
• What is being shared
• What can customers opt-out of
• Enables direct comparison between companies

42
(No Transcript)
43
The Opt-out Form

• On a separate page to make it easy to mail in
• Designed to help consumers understand how to
  opt-out
• Structured by type of sharing consumers can
  opt-out of
• Given the GLB does this seem to do a good job?

44
(No Transcript)
45
(No Transcript)
46
Four testing methods

• Focus groups
• What a group of consumers thinks about privacy
  notices
• What they see as barriers to understanding them
• Do not tell the researcher what a consumer will
  actually do with a notice
• Preference testing
• In-depth one-on-one interviews
• Preferences for vocabulary, headings, notice
  components, and ordering
• Pretests
• Dry run of the diagnostic usability test
• Validates the methodology
• Diagnostic usability testing (structured
  unstructured)
• how the individual participant actually works
  with a document
• elicits reaction to the information to target and
  diagnose problems
• iterative process adjustment with successive
  test rounds

47
Lessons Learned Focus Group

• People did not read the old style notices
• Type was too small, particularly for seniors
• Small font signaled unimportant information
• Important information was grey on black
• Four pages was too much to read
• Customers expect banks are trying to conceal
  information
• People believed that all privacy notices were the
  same
• Regulations mean uniformity
• Can change at any time so meaningless
• Did not understand there are opt-out choices
• Choose a bank for free checking and not privacy
  policies

48
Lessons Learned Pretest

• Customers did not understand the purpose of
  notices
• In essence wrong mental model
• Thought notice was requesting personal
  information
• Lacked context to understand the text
• Opt-out was confusing
• Unexpected
• Did not have the context to understand the
  choices
• Too much information

49
Lessons Learned PretestNone of the designs
worked

• In the end, it did not matter if we changed the
  test scenario, provided them with more time to
  study the information, or tutored them during
  the session. Participants had too little of their
  own context about financial sharing information
  to understand the content of the notices. Since
  they had no basis for or understanding of the
  information in the notices, the designs simply
  werent working in their current format or with
  their current content.

50
Lessons Learned Usability Testing

• Customers do care what happens to their
  information
• Indicated they would read the new notices
• Understood why they got the notice and much of
  the content
• Recognized opt-out form as an action item
• Layout improved comprehension
• Word choice matters
• Could compare side-by-side policies
• Standardization can actually be confusing

51
Are we there yet?
52
In closing Six meta-themes

• Keep it simple
• Good design matters
• Can design to avoid bias
• Whole-to-part design is critical
• Without context, they understood virtually
  nothing
• Standardization is effective
• Disclosure table is critical

53
Overview revisited We are here

• The Gramm-Leach-Bliley (GLB) Act
• Selected portions from An Evaluation of the
  Effect of US Financial Privacy Legislation
  Through the Analysis of Privacy Policies
• Privacy text is hard
• Privacy Mad Libs example
• Privacy bingo cards
• Making GLB more useable
• Evolution of a Prototype Financial Privacy Notice
  
• What happens in practice?
• Privacy practices of Internet users
  Self-reports versus observed behavior
• Privacy images are hard
• Privacy Pictionary / Times Up

54
Essential tension

• In survey after survey, people say they are very
  concerned about privacy and it is a decision
  making factor
• Other forms of data analysis suggest this is not
  true (log files, for instance)
• Is there a gap between what people say and what
  people do?

55
Four part study

• 175 participants recruited via email and web in
  2005. No compensation. 45-60 minutes, topic
  known.
• Basic demographic survey
• Survey of privacy values and attitudes
• Knowledge test
• Pair-wise comparisons of privacy indicators

56
Basic demographic survey

• 2/3rds in education
• More highly educated than Internet population
  (16.2 v. 14.4 years of school)
• Self-selected
• More men than women (74 v. 26)
• Women reported lower levels of computer expertise
• Comfortable with e-commerce and computers
• Installed software (38) or taken other steps
  (43) to protect online privacy

57
Survey of privacy values and attitudes

• Motivation was Westin right?
• Privacy fundamentalists
• Privacy pragmatists
• Privacy unconcerned
• Five questions on a five-point Likert-scale
• I am concerned about online identity theft
• I am concerned about my privacy online
• I am concerned about my privacy in everyday life
• I am likely to read the privacy policy of an
  ecommerce site before buying anything
• Privacy policies accurately reflect what
  companies do

58
Knowledge test

• Perception gap subjects over-report their
  understanding of privacy issues as well as
  willingness to act
• Tested knowledge of three areas
• Cookies
• Web bugs
• P3P and third party cookies
• Asked to rate level of concern
• Asked why the technology matters (two correct,
  three incorrect reasons)

59
Knowledge test
Fundamentalists do not know more - they just
worry more
60
Pair-wise comparisons of privacy indicators
61
Pair-wise comparisons of privacy indicators
62
Twelve factors for decision making

• Price
• 20 discount 5
• SSL indicator
• Use of 3-party cookies and P3P
• IE blocked cookie icon
• An email address
• A phone number
• A postal address

• TRUSTe privacy seal
• Credit card symbols
• Four different privacy policies
• User centered - good
• User centered - bad
• Company centered - good
• Company centered - bad

63
Regression model of factors

• TRUSTe seal
• User centered - good policy
• Company centered - good policy
• Company centered - bad policy
• User centered - bad policy
• Phone number
• Address
• Price discount
• Credit card symbols
• SSL indicator
• Email address

64
Factors, a deeper look

• There is a preference for good policies over bad
• Under 30 of participants looked at the privacy
  policies
• Not much difference between Westin groups
• Policy itself serves as a trust mark
• TRUSTe dominates in part because people do not
  read privacy policies
• Even more significant for women
• Do subjects even see the P3P/third party cookie
  and SSL indicators? Or understand them?
• No fit at all for a regression model for
  Fundamentalists

65
Any questions before we play?
66
(No Transcript)
67
David Brins Happy World of Equals
68
Competing Views of Online Privacy

• Privacy is dead, deal with it
• Scott McNealy, CEO of Sun MicroSystems
• My aim all along has been to suggest that the
  promoters of anonymity and secrecy are basing
  their zeal on untested assumptions and bear a
  burden of proof before we consign our destiny to
  their transcendental vision of salvation through
  encryption.
• David Brin, The Transparent Society
• A full-on privacy rebellion won't be pretty, it
  won't be non-violent and people will get hurt.
• Brock N. Meeks, opinion piece for MSNBC