Six usable privacy heuristics


Enhancing privacy policy interfaces is crucial for improving users' trust in technology and ensuring compliance with legislation. This thesis focused on developing usable interfaces that enable laypeople to protect their online privacy. Through a comprehensive analysis, including a literature review, thematic and cluster analysis, and empirical evaluation, six usable privacy heuristics (push#) were established. These heuristics effectively identify catastrophic problems in privacy policy interfaces for laypeople. Additionally, preliminary usable privacy guidelines (pug#) were created, and a new process for developing usability criteria was proposed. Future research directions are suggested, including the application of these heuristics and guidelines to domains such as human-robot interaction and human-artificial intelligence interaction.
Keywords: usable privacy, heuristic, heuristic evaluation, usability, inspection, security


SALGADO, André de Lima; HUNG, Patrick C. K.; FORTES, Renata P. M. Six usable privacy heuristics. In: SIMPÓSIO BRASILEIRO SOBRE FATORES HUMANOS EM SISTEMAS COMPUTACIONAIS (IHC), 22., 2023, Maceió/AL. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2023.