Week 13_Concept refinement & evaluation

Deepika Dixit
Index Project Challenge
Apr 13, 2020

April 05 — April 12, 2020

Traditional privacy policy models vs User-centered approach

This week, we started by refining the higher-level concept of a user-centric privacy policy. We looked at current privacy policy models and realized that the passive efforts made by service companies do not give the user any agency. While evaluating the policy guidelines of different companies, we found that:

  1. These policies are in place with the sole purpose of providing protection from lawsuits and penalties.
  2. Policies are unilateral: no user interests are taken into consideration, and they provide no agency to the user.
  3. Policies are difficult to navigate and understand.
  4. This makes it difficult to track and verify their fulfillment.

Current policy models are highly unilateral

User-centered privacy policy

We started developing a user-centric approach to the concept of the privacy policy: a negotiation-based approach in which users belonging to the ‘privacy paradox’ exercise control over the types of data they share with service companies.

Proposed user-centered policy model

The concept

  1. Types of data

Through secondary and primary research, we categorized data into 8 larger blocks, namely:

a. Demographics (who I am)

b. Location (where I am)

c. Communication (my social connections)

d. Interests (what I like)

e. Health (my well-being)

f. Cookies and browser data (my online behaviors)

g. Accounts and devices (that I use)

2. Data collection categories

Tier 1: Data points integral to the service to provide basic functions

Tier 2: Data points used to provide additional (non-essential) services

Tier 3: Data points used to advertise, analyze, sell or store user data

3. The MLP framework

We did a small exercise using a multi-level perspective (MLP) framework to place interventions along an axis of time against 3 different levels of impact: niche, regime, and landscape. We realized that a pathway of smaller milestones, or niche-level interventions, leads to a landscape-level mindset shift. For example, a combination of small-scale efforts such as Privacy Bird, data visualizations to increase awareness, plug-ins to manage privacy settings, and agency towards selective sharing of data can form a pathway along which niche-level interventions become the new norm. However, without higher-level regulation, these small-scale interventions seldom come to fruition.

We thus realized the need for a system-level framework to support our intervention.

3. Systemic level framework

System overview

We propose a system framework consisting of 3 parties:

a. Data makers: the users of services, data generators

b. Data takers: service providers, data collectors

c. Policy regulators: at a higher level of influence (government-specific/universal)

Let us first look at the relationship between data takers and policy regulators. The data takers propose a set of data points belonging to the 3 different tiers. The regulatory body vets these data points and places them in the appropriate categories, thereby authorizing a set of data points for a particular service company, which in turn informs the policy framework.

The ‘vetting’ of Uber data points into appropriate categories

4. Turning to the relationship between the data makers and data takers, this ‘vetting’ informs the product-level framework. The relationship is established through a simple 3-step process that generates the user’s privacy policy.

Product-level framework

The product-level framework exists as a service at the OS level. The user flow includes:

a. A series of basic and specific questions to inform their policy.

b. A policy review

c. A central platform or hub to access information/ features pertaining to user’s data and policy.

Product level user-flow

Onboarding

Requires the user to select a privacy preference: low, moderate, or high. This sets a basic privacy preference. A set of follow-up questions then targets the user’s motivation for using the service in question, which refines the basic privacy preset.

Privacy Overview

Provides an overview of data points and access information for each.

Central platform or privacy hub

Provides controls pertaining to MyData and MyPolicy. Some of the features are listed below.

MyPolicy:

a. Policy overview: Lets users examine their policy, with an option to customize it.

b. Privacy conflict: Highlights service companies in conflict with the user’s privacy policy and suggests alternative policy-compliant services.

c. Service requests: Existing services can request a tier upgrade; new services can request use.

d. Policy sharing: Import/export policy settings from/for family and friends.

MyData:

a. Data footprint: Provides over-time information about user data and access.

b. Data rectification: Portal to rectify user data online.

c. Data erasure: Portal to erase user data from the service database.

Prototype wireframe

Onboarding

Policy review

Policy review and match

Dashboard features-MyPolicy

MyPolicy- Overview, updates, requests, share policy

Dashboard features- MyData

MyData- Aggregate information

Concept evaluation

We evaluated the concept with a diverse target audience from design, engineering, and finance backgrounds. Some of the insights are listed below:

a. Onboarding: Info pertaining to privacy preference is inadequate

  • What is low, moderate, high? Can this be explained to the user with an example?
  • When should a user prefer low over high? What are the implications? The user needs to know this before making a selection.

b. Service provider compliance: Why will service companies comply with this model?

  • What are some incentives for the companies to ensure buy-in?
  • App store promotes user-policy compliant apps

c. Entry point: How will the service function at different entry-points?

  • As a part of device onboarding?
  • As a part of app onboarding?

d. Ecosystem extension for users’ other devices and browsers

  • How can this feature extend beyond one device to give holistic coverage to the user?
  • Would this then be linked to email id or a specific OS?
  • What would be the difference in our design with respect to different browsers and devices?

e. Service Requests: From services within the existing categories of use

“It might be good to know about other services, but only if they fall within the same category of apps that I use”

  • Can there be an outgoing petition request, or coordinated effort, against unjust policy clauses?

f. Incremental Awareness

For users who might use the feature but might have low awareness

How might we leverage this for increasing awareness in a manner that users understand?

  • “Can you dumb down the difference in privacy features of services in a way that I understand?”
  • How might visual metaphors help in this?
