Visualizing privacy Aleecia M. McDonald. Overview The Gramm-Leach-Bliley (GLB) Act Selected...
-
Upload
barbara-locker -
Category
Documents
-
view
215 -
download
1
Transcript of Visualizing privacy Aleecia M. McDonald. Overview The Gramm-Leach-Bliley (GLB) Act Selected...
Visualizing privacy
Aleecia M. McDonald
Overview
The Gramm-Leach-Bliley (GLB) Act Selected portions from An Evaluation of the Effect of US Financial Privacy
Legislation Through the Analysis of Privacy Policies
Privacy text is hard Privacy Mad Libs example Privacy bingo cards
Making GLB more useable Evolution of a Prototype Financial Privacy Notice
What happens in practice? Privacy practices of Internet users: Self-reports versus observed behavior
Privacy images are hard Privacy Pictionary / Time’s Up
What is the Gramm-Leach-Bliley (GLB) Act?
What is the Gramm-Leach-Bliley (GLB) Act? Senator Gramm (R, Texas)
What is the Gramm-Leach-Bliley (GLB) Act? Senator Gramm (R, Texas) Representative Leach (R, Iowa)
What is the Gramm-Leach-Bliley (GLB) Act? Senator Gramm (R, Texas) Representative Leach (R, Iowa) Representative Bliley (R, Virginia)
What is the Gramm-Leach-Bliley (GLB) Act? Enacted November 12, 1999 Effective November 13, 2000 Not primarily privacy legislation
A.K.A. Financial Services Modernization Act of 1999 Modernization = ?
What is the Gramm-Leach-Bliley (GLB) Act? Enacted November 12, 1999 Effective November 13, 2000 Not primarily privacy legislation
A.K.A. Financial Services Modernization Act of 1999 Modernization = Mergers Financial services includes: banks, stock brokerage companies,
and insurance companies
Why does the GLB address privacy? New privacy concerns arise from future mergers
What happens when your mortgage company talks to your health insurance company?
Existing privacy issues November 1997, Charter Pacific Bank sold millions of credit card
numbers to an adult website company. 1998, NationsBank shared information with affiliated stock brokerage.
Sold high-risk investments to senior citizens. 1999 - 2000, Memberworks telemarketers. 19/25 top banks.
International issues 1995, the EU passed the Data Protection Directive. Initial Safe Harbor proposal did not include the financial industry.
Privacy provisions in GLB
Must store personal information securely ensure security and confidentiality protect against anticipated threats protect against unauthorized access that could substantially
harm or inconvenience customers
Must give notice of policies about sharing personal financial information
Must give option to opt-out of some sharing No sale of specific data for marketing Pretexting banned
Privacy provisions in GLB
Must store personal information securely ensure security and confidentiality protect against anticipated threats protect against unauthorized access that could substantially
harm or inconvenience customers
Must give notice of policies about sharing personal financial information
Must give option to opt-out of some sharing No sale of specific data for marketing Pretexting banned
Privacy protection exceptions
Disclosure to affiliates No notice required No ability to opt out Free information flow within entire “corporate family” -
can be 1000+ companies, not all financial
Joint marketing disclosure No notice required No ability to opt out Can flow all through the second “corporate family”
What is in a GLB Privacy Notice?
Clear, conspicuous, and accurate statement of the company's privacy practices
What information the company collects about its consumers and customers
With whom it shares the information How it protects or safeguards the information Applies to "nonpublic personal information"
Who Gets Notice?
Have you seen a GLB notice? Have you read a GLB notice?
Who Gets Notice?
Have you seen a GLB notice? Have you read a GLB notice? Goes to all new customers Goes out annually to all customers
Who Gets Notice?
Have you seen a GLB notice? Have you read a GLB notice? Goes to all new customers Goes out annually to all customers Do notices get noticed? How does this compare to privacy indicators in
web browsers?
Did GLB help? Part I: More clarity
C o m p l e t e n e s s o f P r i v a c y P o l i c i e s i n t h e R a n d o m 3 0 b a n k s
6 3 %
8 3 %
7 3 %
1 3 %
7 7 %
2 0 %
1 0 %
1 7 % 1 7 %
0 %
3 0 %
0 %
A f f i l i a t e
S h a r i n g
A f f i l i a t e
D i s c l o s u r e
A f f i l i a t e
C h o i c e
T h i r d P a r t y
S h a r i n g
T h i r d P a r t y
D i s c l o s u r e
T h i r d P a r t y
C h o i c e
Percentage Unkown
P r e - G L B ( 2 0 0 0 )
P o s t - G L B ( 2 0 0 5 )
I n f o r m a t i o n S h a r e d w i t h A f f i l i a t e d C o m p a n i e s
6 0 %
1 0 0 %
1 3 %
5 0 % 5 0 %
9 0 %
1 0 %
1 0 %
3 0 %
8 3 %
1 7 %
5 0 %
2 3 %
3 %
1 0 %
2 0 0 0 2 0 0 5 2 0 0 0 2 0 0 5 2 0 0 0 2 0 0 5
T o p 1 0 R a n d o m 3 0 C r e d i t C a r d
A l l I n f o r m a t i o n T r a n s a c t i o n a l I n f o r m a t i o n D o n o t s h a r e U n c l e a r
Did GLB help? Part II: Sharing alike
Did GLB help? Part III: Joint market increase
T h i r d p a r t y s h a r i n g + j o i n t m a r k e t i n g
7 0 %
8 0 %
5 0 %
8 0 %
5 0 %
8 0 %
2 0 %
2 0 %
3 7 %
2 0 %
2 0 %
2 0 %
1 0 %1 3 %
3 0 %
2 0 0 0 2 0 0 5 2 0 0 0 2 0 0 5 2 0 0 0 2 0 0 5
T o p 1 0 R a n d o m 3 0 C r e d i t C a r d
y e s n o u n c l e a r
Are notices readable?
85% of adults have a high school degree 25% have one or more college degrees Reading level usually three grade levels lower 8th grade recommended for general population July, 2001: Privacy Rights Clearinghouse study, average
is 15.6 GLB legislated policies must be “reasonably
understandable” yet policies are at college reading level
Are notices readable?
Readability of Privacy Notices
13.4 13.3
13.9
12.5
14.814.5
13.413 13 13.1
12.912.7
12.713
11
11.5
12
12.5
13
13.5
14
14.5
15
15.5
16
1999 2000 2001 2002 2003 2004 2005
Readability (Grade Level)
Top 10 banks
Random 30 Sample
GLB enacted July 2001
Source: An Evaluation of the Effect of US Financial Privacy Legislation Through the Analysis of Privacy PoliciesSteve Sheng and Lorrie Faith Cranor
What makes notices harder to read? Complexity
Long line length with lots of clauses Big words
Jargon “But I don’t want to default”
Legal writing When is the last time you read a contract for fun? Being informal can create legal liability
Corporate incentive for “weasel words” Passive voice endemic
Privacy Mad Libs
A "< X >" is a < Y > who has a "< X > relationship" with a financial institution. A "< X > relationship" is a continuing relationship with a < Y >.
Privacy Mad Libs
A "< X >" is a < Y > who has a "< X > relationship" with a financial institution. A "< X > relationship" is a continuing relationship with a < Y >.
A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship with a consumer.
Privacy Mad Libs
A "< X >" is a < Y > who has a "< X > relationship" with a financial institution. A "< X > relationship" is a continuing relationship with a < Y >.
A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship with a consumer.
Privacy Mad Libs
A "< X >" is a < Y > who has a "< X > relationship" with a financial institution. A "< X > relationship" is a continuing relationship with a < Y >.
A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship with a consumer. Source: The Federal Trade Commission’s
explanation of the Gramm-Leach-Bliley Act
Maybe it’s just the FTC…
Perhaps it’s hard to write about writing policies but the policies themselves are clear and useable.
Perhaps the FTC hired exceptionally bad staff.
Maybe it’s just the FTC…
"An affiliate is a company we own or control, a company that owns or controls us, or a company that is owned or controlled by the same company that owns or controls us. Ownership does not mean complete ownership, but means owning enough to have control." (Seattle Savings Bank)
Maybe it’s just the FTC…
"An affiliate is a company we own or control, a company that owns or controls us, or a company that is owned or controlled by the same company that owns or controls us. Ownership does not mean complete ownership, but means owning enough to have control." (Seattle Savings Bank)
"We share your non-public personal public information only with contractual safeguards to protect the confidentiality of your information." (UniTrust)
Maybe it’s just the FTC…
"An affiliate is a company we own or control, a company that owns or controls us, or a company that is owned or controlled by the same company that owns or controls us. Ownership does not mean complete ownership, but means owning enough to have control." (Seattle Savings Bank)
"We share your non-public personal public information only with contractual safeguards to protect the confidentiality of your information." (UniTrust)
"In the opt-out election, you will have the option of including or excluding the Credit Union from your opt-out election." (UniTrust)
Privacy Buzzword Bingo
Making GLB more useable
Evolution of a Prototype Financial Privacy Notice: A Report on the Form Development Project (February 28, 2006, Kleimann Communications Group, Inc.)
Six federal agencies’ project to do better Board of Governors of the Federal Reserve System, Federal Deposit Insurance
Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency, and the Securities and Exchange Commission.
Explore why consumers don’t read and understand privacy notices Develop notices that are easier for consumers to understand and use
Phase I: complete 8 test sites 16 month iterative cycle for prototype
Phase II: quantitative study to assess the prototype
Project Goals: Paper Prototype
Comprehension. The prototype must enable consumers to understand the basic concepts behind the privacy notices and understand what to do with the notices. It must be clear and conspicuous as a whole and readily accessible in its parts.
Comparison. The prototype must allow consumers to compare information sharing practices across financial institutions and to identify the differences in sharing practices.
Compliance. The content and design of the alternative privacy notices must include the elements required by the GLBA and the affiliate marketing provision of the Fair and Accurate Credit Transactions Act.
Good design: necessary but not sufficient Table design worked best Two page design with more details available for
those who want them (definitions and GLB mandated notices)
“We learned that we needed to include an educational component in the notice as consumers had no prior understanding of information sharing practices.”
Four Parts of the Design
Title Frame Disclosure Table Opt-out Form
The Title
Attract consumers’ attention so that they will read the notice
Avoids inflammatory language Helps consumers understand that the information is
from their own financial institution Their personal information is currently being
collected and used by the bank Does not explicitly mention consumer rights
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
The Frame
Problem: customers uninformed about financial privacy
Need basic information about financial sharing practices to understand the notice
The Frame provides context and supports the core information about a financial institution’s sharing practices Key frame: heart of ensuring comprehension Secondary frame: nice to have (FAQs, details, mandates)
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
The Disclosure Table
Goals: Understand information about financial sharing policies and their
personal information Can compare sharing practices across financial institutions
Seven basic reasons a financial institution can share information What is being shared What can customers opt-out of Enables direct comparison between companies
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
The Opt-out Form
On a separate page to make it easy to mail in Designed to help consumers understand how to
opt-out Structured by type of sharing consumers can opt-
out of Given the GLB: does this seem to do a good job?
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
Four testing methods
Focus groups What a group of consumers thinks about privacy notices What they see as barriers to understanding them Do not tell the researcher what a consumer will actually do with a notice
Preference testing In-depth one-on-one interviews Preferences for vocabulary, headings, notice components, and ordering
Pretests Dry run of the diagnostic usability test Validates the methodology
Diagnostic usability testing (structured + unstructured) how the individual participant actually works with a document elicits reaction to the information to target and diagnose problems iterative process; adjustment with successive test rounds
Lessons Learned: Focus Group
People did not read the old style notices Type was too small, particularly for seniors Small font signaled unimportant information Important information was grey on black Four pages was too much to read Customers expect banks are trying to conceal information
People believed that all privacy notices were the same Regulations mean uniformity Can change at any time so meaningless Did not understand there are opt-out choices Choose a bank for free checking and not privacy policies
Lessons Learned: Pretest
Customers did not understand the purpose of notices In essence: wrong mental model Thought notice was requesting personal information Lacked context to understand the text
Opt-out was confusing Unexpected Did not have the context to understand the choices Too much information
Lessons Learned: Pretest“None of the designs worked”
“In the end, it did not matter if we changed the test scenario, provided them with more time to ‘study’ the information, or tutored them during the session. Participants had too little of their own context about financial sharing information to understand the content of the notices. Since they had no basis for or understanding of the information in the notices, the designs simply weren’t working in their current format or with their current content.”
Lessons Learned: Usability Testing
Customers do care what happens to their information Indicated they would read the new notices Understood why they got the notice and “much of” the
content Recognized opt-out form as an action item Layout improved comprehension Word choice matters Could compare side-by-side policies Standardization can actually be confusing
Are we there yet?
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
In closing: Six meta-themes
Keep it simple Good design matters Can design to avoid bias Whole-to-part design is critical
“Without context, they understood virtually nothing”
Standardization is effective Disclosure table is critical
Overview revisited: We are here The Gramm-Leach-Bliley (GLB) Act
Selected portions from An Evaluation of the Effect of US Financial Privacy Legislation Through the Analysis of Privacy Policies
Privacy text is hard Privacy Mad Libs example Privacy bingo cards
Making GLB more useable Evolution of a Prototype Financial Privacy Notice
What happens in practice? Privacy practices of Internet users:
Self-reports versus observed behavior
Privacy images are hard Privacy Pictionary / Time’s Up
Essential tension
In survey after survey, people say they are very concerned about privacy and it is a decision making factor
Other forms of data analysis suggest this is not true (log files, for instance)
Is there a gap between what people say and what people do?
Four part study
175 participants recruited via email and web in 2005. No compensation. 45-60 minutes, topic known.
Basic demographic survey Survey of privacy values and attitudes Knowledge test Pair-wise comparisons of privacy indicators
Basic demographic survey
2/3rds in education More highly educated than Internet population (16.2 v.
14.4 years of school) Self-selected More men than women (74% v. 26%)
Women reported lower levels of computer expertise
Comfortable with e-commerce and computers Installed software (38%) or taken other steps (43%) to
protect online privacy
Survey of privacy values and attitudes Motivation: was Westin right?
Privacy fundamentalists Privacy pragmatists Privacy unconcerned
Five questions on a five-point Likert-scale: I am concerned about online identity theft I am concerned about my privacy online I am concerned about my privacy in everyday life I am likely to read the privacy policy of an ecommerce site before buying
anything Privacy policies accurately reflect what companies do
Knowledge test
Perception gap: subjects over-report their understanding of privacy issues as well as willingness to act
Tested knowledge of three areas: Cookies Web bugs P3P and third party cookies
Asked to rate level of concern Asked why the technology matters (two correct, three
incorrect reasons)
Knowledge test
Cookies Web bugs P3P
Claim knowledge
90% 35% 21%
False claim 85% 83% 75%
Overall knowledge
14% 5% 5%
Fundamentalists do not know more - they just worry more
Pair-wise comparisons of privacy indicators
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
Pair-wise comparisons of privacy indicators
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
Twelve factors for decision making
Price 20% discount = $5
SSL indicator Use of 3-party cookies
and P3P IE blocked cookie icon
An email address A phone number A postal address
TRUSTe privacy seal Credit card symbols Four different privacy
policies: User centered - good User centered - bad Company centered - good Company centered - bad
Regression model of factors
1. TRUSTe seal2. User centered - good policy3. Company centered - good policy4. Company centered - bad policy5. User centered - bad policy6. Phone number7. Address8. Price discount9. Credit card symbols10. SSL indicator11. Email address
Factors, a deeper look
There is a preference for good policies over bad Under 30% of participants looked at the privacy policies
Not much difference between Westin groups Policy itself serves as a trust mark
TRUSTe dominates in part because people do not read privacy policies Even more significant for women
Do subjects even see the P3P/third party cookie and SSL indicators? Or understand them?
No fit at all for a regression model for Fundamentalists
Any questions before we play?
David Brin’s Happy World of Equals
Competing Views of Online Privacy “Privacy is dead, deal with it”
Scott McNealy, CEO of Sun MicroSystems
“My aim all along has been to suggest that the promoters of anonymity and secrecy are basing their zeal on untested assumptions and bear a burden of proof before we consign our destiny to their transcendental vision of salvation through encryption.” David Brin, The Transparent Society
“A full-on privacy rebellion won't be pretty, it won't be non-violent and people will get hurt.” Brock N. Meeks, opinion piece for MSNBC