Carnegie Mellon University

January 12, 2016

Better Design Improves Understanding Of Online Privacy Notices

Carnegie Mellon Researchers Outline Best Practices

By Byron Spice

Privacy policies for websites, smartphone apps and, especially, components of the emerging Internet of Things are usually ineffective or ignored by users, but Carnegie Mellon University researchers say properly designed privacy notices – pushed out to users at appropriate times – could help remedy that problem.

For instance, a notice to a smartphone user that an app is trying to access her contact list is going to be more effective than just telling the user at the time of installation that the app needs to access a contact list, said Florian Schaub, a post-doctoral researcher in CMU’s Institute for Software Research.

Schaub and his CMU colleagues distilled research on privacy notices to create a set of best practices for designing them. A Washington, D.C., think tank, the Future of Privacy Forum, has named the report one of the top five research papers on privacy in 2015 and has incorporated it into a digest for legislators and regulators, Privacy Papers for Policymakers. The digest will be formally released at an event Wednesday evening in the nation’s capital.

“There’s been lots of research on improving privacy notices, but little guidance on how to design effective notices,” Schaub said. “In this work, we’ve compiled the best practices and have provided a taxonomy and common vocabulary so we can start incorporating these design principles into privacy notices and privacy policies.”

Privacy policies disclose how a website or app will gather, use and manage a consumer’s or client’s data. Despite growing concerns about how online information about individuals is used by various entities, few people actually read these policies, Schaub noted. In the case of the Internet of Things (IoT) – interconnected devices such as smart thermostats, appliances and environmental sensors – most users now have few, if any, means to know if such a device has detected them or to find their privacy policies.

Schaub and his colleagues said one solution to the IoT dilemma is to use secondary channels, such as a smartphone, to let users know an IoT device is collecting information and how that information will be stored or used. In other cases, when computer displays aren’t available, the use of audio signals or recordings may provide an alert.

The use of “just in time” notices, delivered to the user as an app or a website accesses information or after such information has been accessed, helps users better understand what information is being gathered and when.

“A privacy policy is not an effective privacy notice; it is a starting point,” Schaub said.

Federal laws or regulations requiring the use of such notices might be helpful in getting broader adoption of the design principles, Schaub said, but many companies already are motivated to provide better notification. Companies that seek consumer data have come to understand that consumers are more likely to share information if they are confident they understand how the information will be used and that the use will benefit them in some way. The researchers’ work helps those companies to better integrate usable and informative privacy notices into their products and services.

In addition to Schaub, the research team included Lorrie Faith Cranor, professor of computer science and engineering and public policy and now the chief technologist of the Federal Trade Commission (FTC), as well as two former CMU students, Rebecca Balebako, now of the RAND Corp., and Adam Durity, now with Google.

Also this week, eight CMU faculty members, students and alumni will be among the speakers at PrivacyCon, a conference on consumer privacy and data security sponsored by the FTC on Thursday in the Constitution Center in Washington, D.C.