Users can increase their awareness about the privacy implications of a technical system:

  • If they understand the extent of the system’s capabilities
  • If they can conduct socially meaningful actions in the system

The authors have identified five common pitfalls to avoid while designing information systems. The pitfalls have been gleaned from the authors’ experience in designing a privacy preferences module for a ubiquitous computing environment called Faces. The five pitfalls have been grouped into two categories, as listed below:

1. Obscuring personal information flow. Internet Explorer’s privacy control settings of low, medium and high are ambiguous: users cannot understand what exactly is being conveyed.
2. Obscuring actual information flow. E.g., browsers hide the information collected in cookies; users are not aware of what is being stored in a cookie.
3. Emphasizing configuration. Software like P2P clients provides plenty of options to control privacy, but users don’t want to waste time configuring their privacy settings.
4. Lacking coarse-grained control. Users should have accessible controls for top-level privacy decisions, like a large button to turn off broadcasting of any personal information.
5. Inhibiting established social/technical practice.

Faces, the privacy preference system built by the authors, allowed users to specify who can see what information about them, and when. It also logged all the disclosures made by the system, so users could review what personal information had been revealed. In spite of correctly applying the design methodologies, Faces was not a success. When the authors analyzed the reasons for the failure, they identified these five pitfalls.

Other interesting points I identified in the paper are:

Norman said that the designer’s goal is to design a system such that the mental model of the system envisaged by the user matches the designer’s mental model of the system. Extending this paradigm to ubiquitous systems, where there is an observer, a user and a designer, the mental models of all three (observer, user and designer) should match.

Designers can’t simply expose a privacy variable to the user and leave it to the user to find the right value for it. The amount of information users are willing to share depends on the identity of the inquirer, but it is difficult for the user to assign a privacy setting to every one of their contacts.