Reconciling Privacy and Usability by Learning Default Privacy Policies (2011)

Researcher: Norman Sadeh

Research Area: Privacy Protection | Mobility

Cross Cutting Thrusts: Usable Privacy and Security

Abstract

Scope: Our research in usable privacy over the past few years has shown that people tend to have complex privacy policies. Yet exposing a large number of privacy settings to users is not the solution. Facebook is a prime example of how exposing too many privacy settings just gets users more confused. In addition, it is well known that users often do not even bother to edit default settings. It is therefore imperative to develop techniques that are capable of generating better default policies or sets of default policies (or “personas”) along with techniques to help users select between these personas. Our work in privacy in the context of mobile social networking scenarios suggests that it is possible to leverage machine learning techniques to identify small sets of privacy personas that are understandable, yet capture important elements of people’s often complex privacy preferences [RBKS09]. We propose to extend the above techniques and evaluate them in the context of several pilots intended to determine how users respond to them in practice. This will involve refining (1) user-oriented clustering techniques aimed at automatically generating a small set of user-understandable privacy personas and (2) dialogues to help users select among these personas the ones that best match their preferences. This will also include deploying and refining new user-oriented machine learning techniques intended to leverage user feedback and provide users with suggestions on how they may want to refine their current privacy policies [KDSC08]. This work will be conducted in the context of Locaccino [SHC+09], a location-sharing application developed by our group and made available to both Android and Symbian phone users (with an iPhone OS4 client expected to be ready by the end of the summer). The results of this research are, however, expected to apply across a much broader range of security and privacy scenarios, where users are expected to manage security and privacy policies (e.g. social networking privacy policies in general, firewall policies, spam filtering policies, etc.).

Outcomes: The results of this project are expected to include user-oriented machine learning techniques and dialogues to: help generate small sets of default policies (personas) users can choose from; interact with users and help them select from a small number of personas. More generally, this research will help us gain a better understanding of what it takes to effectively deploy these types of solutions – what are the most effective ways of interacting with users (e.g. how many personas they can realistically be expected to handle, how complex these personas can be, how to effectively guide them through the selection process, how to present suggestions, etc.).