Usable privacy: from grounded models to new guidelines and heuristics

André de Lima Salgado; Renata Pontin de Mattos Fortes

doi:10.5753/webmedia_estendido.2023.233789

André de Lima Salgado USP / UFLA
Renata Pontin de Mattos Fortes USP

DOI: https://doi.org/10.5753/webmedia_estendido.2023.233789

Resumo

The development of usable interfaces for privacy policies is essential to increase users’ trust in technology and comply with legal requirements. This thesis aimed to design interfaces that allow laypeople to protect their online privacy. A comprehensive analysis was conducted, comprising a literature review, a thematic and cluster analysis, and an empirical evaluation. Six usable privacy heuristics (push) were derived, which effectively detect severe problems in privacy policy interfaces for laypeople. Moreover, initial usable privacy guidelines (pug) were formulated, and a novel process for developing usability criteria was proposed. Future research directions were suggested, such as applying these heuristics and guidelines to domains like human-robot interaction and human-artificial intelligence interaction.

Palavras-chave: usable privacy, heuristic, heuristic evaluation, usability, inspection, security

Referências

Esma Aïmeur, Oluwa Lawani, and Kimiz Dalkir. 2016. When changing the look of privacy policies affects user trust: An experimental study. Computers in Human Behavior 58 (May 2016), 368–379. https://doi.org/10.1016/j.chb.2015.11.014

E. Bertino. 2016. Data Security and Privacy: Concepts, Approaches, and Research Directions. In 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC), Vol. 1. 400–407. https://doi.org/10.1109/COMPSAC.2016.89

Virginia Braun and Victoria Clarke. 2006. Using thematic analysis in psychology. Qualitative Research in Psychology 3, 2 (Jan. 2006), 77–101. https://doi.org/10.1191/1478088706qp063oa

Kelly Caine. 2016. Local Standards for Sample Size at CHI. In Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems (CHI ’16). ACM, New York, NY, USA, 981–992. https://doi.org/10.1145/2858036.2858498

Victoria Clarke and Virginia Braun. 2014. Thematic Analysis. In Encyclopedia of Critical Psychology, Thomas Teo (Ed.). Springer New York, New York, NY, 1947–1952. https://doi.org/10.1007/978-1-4614-5583-7_311

L. F. Cranor and N. Buchler. 2014. Better Together: Usability and Security Go Hand in Hand. IEEE Security Privacy 12, 6 (Nov. 2014), 89–93. https://doi.org/10.1109/MSP.2014.109

Luca Alexander De and Emanuel von Zezschwitz. 2016. Usable privacy and security. it - Information Technology 58, 5 (2016), 215–216. https://doi.org/10.1515/itit-2016-0034

André de Lima Salgado, Renata Pontin de Mattos Fortes, Ricardo Ramos de Oliveira, and André Pimenta Freire. 2020. Usability heuristics on parental privacy controls for smart toys: From an exploratory map to a confirmatory research. Electronic Commerce Research and Applications 42 (2020), 100984. https://doi.org/10.1016/j.elerap.2020.100984

André de Lima Salgado, Flávia de Souza Santos, Renata Pontin de Mattos Fortes, and Patrick C. K. Hung. 2018. Guiding Usability Newcomers to Understand the Context of Use: Towards Models of Collaborative Heuristic Evaluation. In Behavior Engineering and Applications, Raymond Wong, Chi-Hung Chi, and Patrick C. K. Hung (Eds.). Springer International Publishing, Cham, 149–168. https://doi.org/10.1007/978-3-319-76430-6_7

André de Lima Salgado, Felipe Silva Dias, João Pedro Rodrigues Mattos, Renata Pontin de Mattos Fortes, and Patrick C. K. Hung. 2019. Smart toys and children’s privacy: usable privacy policy insights from a card sorting experiment. In Proceedings of the 37th ACM International Conference on the Design of Communication. ACM, Portland Oregon, 1–8. https://doi.org/10.1145/3328020.3353951

André de Lima Salgado, Fernanda Maciel Federici, Renata Pontin de Mattos Fortes, and Vivian Genaro Motti. 2019. Startup Workplace, Mobile Games, and Older Adults: A Practical Guide on UX, Usability, and Accessibility Evaluation. In Proceedings of the 37th ACM International Conference on the Design of Communication (Portland, Oregon) (SIGDOC ’19). Association for Computing Machinery, New York, NY, USA, Article 15, 9 pages. https://doi.org/10.1145/3328020.3353948

André de Lima Salgado, Sandra Souza Rodrigues, and Renata Pontin M. Fortes. 2016. Evolving Heuristic Evaluation for Multiple Contexts and Audiences: Perspectives from a Mapping Study. In Proceedings of the 34th ACM International Conference on the Design of Communication (SIGDOC ’16). ACM, New York, NY, USA, 19:1–19:8. https://doi.org/10.1145/2987592.2987617

Flávia de Souza Santos, André de Lima Salgado, and Renata Pontin de Mattos Fortes. 2018. Um Mapeamento Sistemático sobre Acessibilidade e Usabilidade no Desenvolvimento de Jogos Digitais para Idosos. iSys-Brazilian Journal of Information Systems 11, 2 (2018), 63–90.

Matthew Demoe, Alvaro Uribe-Quevedo, André L. Salgado, Hidenori Mimura, Kamen Kanev, and Patrick C.K. Hung. 2020. Exploring Data Glove and Robotics Hand Exergaming: Lessons Learned. In 2020 IEEE 8th International Conference on Serious Games and Applications for Health (SeGAH). 1–8. https://doi.org/10.1109/SeGAH49190.2020.9201747

Simson Garfinkel and Heather Richter Lipford. 2014. Usable Security: History, Themes, and Challenges. SYNTHESIS LECTURES ON INFORMATION SECURITY, PRIVACY, AND TRUST, Vol. 5. Morgan & Claypool Publishers.

Felipe Tassario Gomes, André de Lima Salgado, Lianna Mara Castro Duarte, Flávia de Souza Santos, and Renata Pontin Fortes. 2018. Um Simulador Visual de Leitor de Telas para Auxílio à Interpretação de Questões de Acessibilidade por Avaliadores Videntes. Revista de Sistemas e Computação-RSC 8, 1 (2018).

Hana Habib, Sarah Pearman, Jiamin Wang, Yixin Zou, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, and Florian Schaub. 2020. “It’s a scavenger hunt”: Usability of Websites’ Opt-Out and Data Deletion Choices. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems. ACM, Honolulu HI USA, 1–12. https://doi.org/10.1145/3313831.3376511

Setia Hermawati and Glyn Lawson. 2016. Establishing usability heuristics for heuristics evaluation in a specific domain: Is there a consensus? Applied Ergonomics 56 (2016), 34 – 51. https://doi.org/10.1016/j.apergo. 2015.11.016

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION. 2010. Ergonomics of human-system interaction – Part 210: Human-centred design for interactive systems. [link].

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION. 2016. ISO/IEC 25066:2016(en), Systems and software engineering—Systems and software Quality Requirements and Evaluation (SQuaRE) — Common Industry Format (CIF) for Usability — Evaluation Report. Technical Report. [link].

Pooya Jaferian, Kirstie Hawkey, Andreas Sotirakopoulos, Maria Velez-Rojas, and Konstantin Beznosov. 2014. Heuristics for Evaluating IT Security Management Tools. Human–Computer Interaction 29, 4 (July 2014), 311–350. https://doi.org/10.1080/07370024.2013.819198

Julian Jang-Jaccard and Surya Nepal. 2014. A survey of emerging threats in cybersecurity. J. Comput. System Sci. 80, 5 (Aug. 2014), 973–993. https://doi.org/10.1016/j.jcss.2014.02.005

Jonathan Lazar, Jinjuan Heidi Feng, and Harry Hochheiser. 2017. Research methods in human-computer interaction. Morgan Kaufmann, Cambridge, MA, USA.

Jan Meszaros and Alena Buchalcevova. 2017. Introducing OSSF: A framework for online service cybersecurity risk management. Computers & Security 65 (March 2017), 300–313. https://doi.org/10.1016/j.cose.2016.12.008

Maggie Oates, Yama Ahmadullah, Abigail Marsh, Chelse Swoopes, Shikun Zhang, Rebecca Balebako, and Lorrie Faith Cranor. 2018. Turtles, Locks, and Bathrooms: Understanding Mental Models of Privacy Through Illustration. Proceedings on Privacy Enhancing Technologies 2018, 4 (2018). [link].

Federica Paci, Anna Squicciarini, and Nicola Zannone. 2018. Survey on Access Control for Community-Centered Collaborative Systems. ACM Comput. Surv. 51, 1 (Jan. 2018), 6:1–6:38. https://doi.org/10.1145/3146025

Laura Rafferty, Marcelo Fantinato, and Patrick C. K. Hung. 2015. Privacy Requirements in Toy Computing. In Mobile Services for Toy Computing, Patrick C. K. Hung (Ed.). Springer International Publishing, 141–173. [link].

André de Lima Salgado, Patrick C. K. Hung, and Renata P. M. Fortes. 2023. Six usable privacy heuristics. In Anais do XXII Simpósio Brasileiro de Informática na Educação. SBC.

André de Lima Salgado, Renata Pontin de Mattos Fortes, Patrick CK Hung, and Dilvan de Abreu Moreira. 2019. A Method for Classifying Usability Findings to Enhance Validation of New Heuristics. Revista de Sistemas e Computação-RSC 9, 1 (2019).

André de Lima Salgado, Ben Singh, Patrick C. K. Hung, Annie Jiang, Yen-Hung Liu, Anna Priscilla de Albuquerque Wheler, and Hossam A. Gaber. 2020. Preliminary Tendencies of Users’ Expectations about Privacy on Connected-Autonomous Vehicles. In 2020 IEEE International Conference on Systems, Man, and Cybernetics (SMC). 296–301. https://doi.org/10.1109/SMC42975.2020.9282844

M. A. Sasse and M. Smith. 2016. The Security-Usability Tradeoff Myth [Guest editors’ introduction]. IEEE Security Privacy 14, 5 (Sept. 2016), 11–13. https://doi.org/10.1109/MSP.2016.102

F. Schaub, R. Balebako, and L. F. Cranor. 2017. Designing Effective Privacy Notices and Controls. IEEE Internet Computing 21, 3 (May 2017), 70–77. https://doi.org/10.1109/MIC.2017.75

Alec N Slepchuk and George R Milne. 2020. Informing the design of better privacy policies. Current Opinion in Psychology 31 (Feb. 2020), 89–93. https://doi.org/10.1016/j.copsyc.2019.08.007

Jeremiah D. Still. 2016. Cybersecurity Needs You! interactions 23, 3 (April 2016), 54–58. https://doi.org/10.1145/2899383

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION. 2016. REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Rossouw von Solms and Johan van Niekerk. 2013. From information security to cyber security. Computers & Security 38 (2013), 97–102. https://doi.org/10.1016/j.cose.2013.04.004 Cybercrime in the Digital Economy.

R. Wash and M. E. Zurko. 2017. Usable Security. IEEE Internet Computing 21, 3 (May 2017), 19–21. https://doi.org/10.1109/MIC.2017.69

Alma Whitten and J. D. Tygar. 1999. Why Johnny Can’T Encrypt: A Usability Evaluation of PGP 5.0. In Proceedings of the 8th Conference on USENIX Security Symposium - Volume 8 (SSYM’99). USENIX Association, Berkeley, CA, USA, 14–14. http://dl.acm.org/citation.cfm?id=1251421.1251435

Benjamin Yankson, Andre L Salgado, and Renata PM Fortes. 2021. Recommendations to Enhance Privacy and Usability of Smart Toys. In Proceedings of the 54th Hawaii International Conference on System Sciences. 1868.