A user-tailored approach to privacy decision support Bart P. Knijnenburg @usabart Slides and more: usabart.nl/recsys
Hello, I’m Bart (with Disco) bartk@clemson.edu www.usabart.nl @usabart Clemson University (Asst. Prof.) UC Irvine (PhD) Carnegie Mellon University (M) TU Eindhoven (BS + MS)
Past, Present, Future TU Eindhoven UC Irvine Clemson Inspectability and Control Self-Actualization (NSF) Choice Overload & Diversification Preference Elicitation User-Centric Evaluation User-Tailored Privacy Privacy decision-making for Privacy decision-making Training Systems (DoD) and IoT (Samsung + NSF)
Privacy is everywhere
Motivation How can we help users to balance the benefits and risks of information disclosure in a user-friendly manner, so that they can make good privacy decisions ?
Outline Show that transparency and control do not work Show that privacy nudges are also lacking Argue that privacy decision support needs to be personalized Investigate personalization parameters Demonstrate the potential effects on user experience Implement and test a real privacy adaptation procedure
Why user-tailored privacy? Problems with transparency and control, and with privacy nudges.
Transparency and control Privacy Calculus: People weigh the risks and benefits of disclosure Prerequisites of the privacy calculus are: — being able to control the decision; — having adequate information about the decision. Transparency and control empower users to regulate their privacy at the desired level.
Why this doesn’t work Transparency paradox: Simple privacy notices aren’t useful, but detailed notices are too complex. (Nissenbaum 2011) Control paradox: Consumers claim to want full control over their data, but they eschew the hassle of actually exploiting this control! (Compañó and Lusoli 2010; Knijnenburg et al. 2013)
Alternative: privacy nudges Subtle yet persuasive cues that make people more likely to decide in one direction or the other. (Thaler and Sunstein 2008) Examples of nudges:
— Justification: a succinct reason to disclose or not disclose a certain piece of information.
— Default: make the best action the easiest to perform.
Testing justifications 5 justification types:
— None
— Useful for you
— Number of others
— Useful for others
— Explanation
Results [bar chart: perceived value of disclosure help, per justification type: none, useful for you, # of others, useful for others, explanation] Perceived value of disclosure help: 3 items, e.g. “The system helped me to make a tradeoff between privacy and usefulness.” Higher for all justification types except “number of others”.
Results [bar chart: satisfaction with the system, per justification type: none, useful for you, # of others, useful for others, explanation] Satisfaction with the system: 6 items, e.g. “Overall, I’m satisfied with the system.” Lower for any justification!
Why this doesn’t work What is the “right” direction of a nudge?
— More disclosure: better personalization, but some may feel tricked.
— More private: less threat, but harder to enjoy the benefits of disclosure.
— Going for the average (e.g. “smart default”, Smith et al. 2013): impossible, because people vary too much.
Solution: move beyond the one-size-fits-all approach!
Towards a user-tailored approach to privacy Exploring the potential for personalization.
Beyond one-size-fits-all Idea: Give people privacy recommendations! “Figure out what people want, then help them do that.” Step 1: Find determinants of privacy calculus. These can become the “personalization parameters”. Step 2: Adapt the nudge to the context. Test how this would influence the user experience.
Information (“what”) “What?” = Four dimensions of data (ID: item):
— Facebook activity: 1 Wall; 2 Status updates; 3 Shared links; 4 Notes; 5 Photos
— Location: 6 Hometown; 7 Location (city); 8 Location (state/province); 9 Residence (street address)
— Contact info: 11 Phone number; 12 Email address
— Life/interests: 13 Religious views; 14 Interests (favorite movies, etc.); 15 Facebook groups
User (“who”) “Who?” = Five disclosure profiles:
— 159 pps tend to share little information overall (LowD)
— 26 pps tend to share activities and interests (Act+IntD)
— 50 pps tend to share location and interests (Loc+IntD)
— 65 pps tend to share everything but contact info (Hi-ConD)
— 59 pps tend to share everything
User (“who”) Profiles: Privacy Maximizers; Selective Sharers; Privacy Balancers; Time Savers/Consumers; Self-Censors; Privacy Minimalists. Strategies: Limiting Access Control; Block Apps/Events; Restricting Chat; Block People; Altering News Feed; Reputation Mgmt; Friend List Mgmt; Withholding Contact Info; Withholding Basic Info; Selective Sharing; Timeline/Wall Moderation.
Recipient (“to whom”) Knijnenburg et al. manuscript (social network): Recipients can be grouped into distinct categories. E.g. Knijnenburg and Kobsa 2014 (social network): Five categories seem to be the most optimal solution in the realm of social networking.
User-tailored privacy Existing work focuses on the accuracy of the preference modeling. E.g. Ravichandran et al. 2009; Sadeh et al. 2009; Fang and LeFevre 2010; Pallapa et al. 2014. But what about the users’ experience? E.g. satisfaction, perceived threat, ease of use, …
My work Adaptive justifications: What if we gave different types of users different types of justifications?
My work Hiding choice options: What if we showed a subset of location-sharing options based on the user’s evaluation of the activity?
A real privacy adaptation procedure Implementing and testing adaptive request orders in a demographics-based recommender system.
Host: recommender system Recommendations $i$ are described by attribute values $v_{i,a}$ on 7 attributes $a$; the user model holds attribute weights $w_a$. MAUT: $U_i = \sum_a w_a \cdot v_{i,a}$. Rank by $U_i$, limit to top N.
Preference elicitation
— Attribute-based PE: users directly indicate the importance of each of the attributes with which choice options are described.
— Case-based PE: discover attribute weights by analyzing users’ evaluation of exemplary choice options.
— Needs-based PE: users express their preferences in terms of consumer needs.
— Implicit PE: infers the attribute weights as a by-product of the user’s browsing behavior.
— Hybrid PE: combines implicit PE with attribute-based PE.
— Even simpler: Top-N (items ranked by popularity) and Sort (items ranked by one of the attributes).
Preference elicitation The best preference elicitation method (PE-method) depends on users’ domain knowledge. E.g. energy-saving (Knijnenburg and Willemsen 2009, 2010; Knijnenburg et al. 2011, 2014). Our studies show:
— Energy-saving experts prefer systems that allow direct control over attribute weights (attribute-based and hybrid PE).
— Novices prefer systems that are tailored to their needs (needs-based PE) or that provide limited or no control (sort, top-N).
New: demographics-based PE
New: demographics-based PE Demographics are an important determinant of preferences in the domains of energy and health.
— Needed: an algorithm that translates answers to demographic questions into attribute weights.
— Based on these weights I can then recommend items as usual.
Demographics-based PE:
— May be most beneficial for domain novices (demographics are known and easy to report).
— May be more privacy-sensitive than other PE-methods (Ackerman et al. 1999): the “privacy-personalization paradox”.
Adaptive request order Which item to ask first? Not all items are equally useful to the recommender. Not all demographic items are equally sensitive. Not everyone is equally private regarding their demographics. Adaptive request order: dynamically weigh predicted privacy and benefit.
— Learn users’ disclosure tendency (on the fly).
— Dynamic forecasting of benefit based on changes to the user model.
Result: ask the most useful question that is not too sensitive.
Three studies Pre-study:
— Link demographic answers to attribute weights.
— Investigate sensitivity of demographic items.
Study 1:
— Test demographics-based PE against attribute-based PE.
Study 2:
— Manipulate demographic question request order to see if we can do better.
Pre-study Goal: link demographic answers to attributes, investigate sensitivity of demographic items. Method: collect data about:
— 57 demographic items (multiple choice);
— 7-8 recommender attribute weights;
— perceived privacy risk of the 57 items.
Pre-study Outcome 1: An algorithm that translates demographics into preferences:
— For each question, for each answer option: calculate the mean attribute weights.
— Calculate the deviance of this mean from the grand mean.
— If deviance > threshold: store a “preference update rule”.
Outcome 2: Question sensitivity model:
— We can model users’ privacy tendency on a single dimension.
— Advantage: we can use a Rasch model to dynamically track this tendency (cf. TOEFL, GRE).
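The pieces above (the MAUT ranking, the pre-study’s “preference update rules”, and the adaptive request order driven by a Rasch-style disclosure tendency) fit together as one small pipeline. The following is an added illustration written for this page, not the speaker’s code: the pre-study sample, item sensitivities, attribute names, threshold and the one-step gradient update of the tendency are all constructed assumptions.

```python
import math
ATTRS = ["cost", "savings", "comfort"]  # constructed recommender attributes
THRESHOLD = 0.1  # assumed |deviance| needed before a (question, answer) becomes a rule
SENSITIVITY = {"home": 1.5, "age": -1.0}  # constructed Rasch item parameters (higher = more sensitive)
ITEMS = {"led_bulbs": [0.9, 0.4, 0.3], "insulation": [0.2, 0.9, 0.8], "thermostat": [0.6, 0.6, 0.6]}
PRESTUDY = [  # constructed pre-study sample: demographic answers plus measured attribute weights
    ({"home": "own", "age": "young"}, [0.1, 0.8, 0.1]),
    ({"home": "own", "age": "old"}, [0.2, 0.4, 0.4]),
    ({"home": "rent", "age": "young"}, [0.7, 0.2, 0.1]),
    ({"home": "rent", "age": "old"}, [0.6, 0.0, 0.4]),
]

def mean(vectors):
    return [sum(v[a] for v in vectors) / len(vectors) for a in range(len(ATTRS))]

def learn_update_rules(sample=PRESTUDY, threshold=THRESHOLD):
    """Pre-study outcome 1: per (question, answer) mean weights; the deviance from the
    grand mean becomes a 'preference update rule' only if it exceeds the threshold."""
    grand = mean([w for _, w in sample])
    rules = {}
    for q in sample[0][0]:
        for opt in sorted({ans[q] for ans, _ in sample}):
            dev = [m - g for m, g in zip(mean([w for ans, w in sample if ans[q] == opt]), grand)]
            if max(map(abs, dev)) > threshold:
                rules[(q, opt)] = dev
    return grand, rules

def p_disclose(theta, sens):  # Rasch-style item response (assumed form)
    return 1.0 / (1.0 + math.exp(sens - theta))

def next_question(rules, asked, theta, sens=SENSITIVITY):
    """Adaptive request order: the most useful question that is not too sensitive."""
    def benefit(q):  # largest weight change any answer to q can cause
        return max([max(map(abs, d)) for (rq, _), d in rules.items() if rq == q] or [0.0])
    left = [q for q in sens if q not in asked]
    return max(left, key=lambda q: benefit(q) * p_disclose(theta, sens[q]), default=None)

def update_theta(theta, sens, answered, lr=1.0):
    """Track the disclosure tendency on the fly: one gradient step on the Rasch likelihood."""
    return theta + lr * (float(answered) - p_disclose(theta, sens))

def apply_answers(grand, rules, answers):
    """Translate the user's demographic answers into attribute weights via the rules."""
    w = list(grand)
    for qa in answers.items():
        for a, d in enumerate(rules.get(qa, [])): w[a] += d
    return w

def recommend(weights, items=ITEMS, top_n=2):  # MAUT: U_i = sum_a w_a * v_{i,a}; rank, keep top N
    return sorted(items, key=lambda i: -sum(w * v for w, v in zip(weights, items[i])))[:top_n]
```

With the constructed data the “home” question changes the weights most but is also the most sensitive, so a user whose tendency is still at zero is asked “age” first, while a user already known to be open is asked “home” first.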
Recommend
More recommend