Visualizing privacy Aleecia M. McDonald. Overview The Gramm-Leach-Bliley (GLB) Act Selected...

Visualizing privacy

Aleecia M. McDonald

Overview

The Gramm-Leach-Bliley (GLB) Act Selected portions from An Evaluation of the Effect of US Financial Privacy

Legislation Through the Analysis of Privacy Policies

Privacy text is hard Privacy Mad Libs example Privacy bingo cards

Making GLB more useable Evolution of a Prototype Financial Privacy Notice

What happens in practice? Privacy practices of Internet users: Self-reports versus observed behavior

Privacy images are hard Privacy Pictionary / Time’s Up

What is the Gramm-Leach-Bliley (GLB) Act?

What is the Gramm-Leach-Bliley (GLB) Act? Senator Gramm (R, Texas)

What is the Gramm-Leach-Bliley (GLB) Act? Senator Gramm (R, Texas) Representative Leach (R, Iowa)

What is the Gramm-Leach-Bliley (GLB) Act? Senator Gramm (R, Texas) Representative Leach (R, Iowa) Representative Bliley (R, Virginia)

What is the Gramm-Leach-Bliley (GLB) Act? Enacted November 12, 1999 Effective November 13, 2000 Not primarily privacy legislation

A.K.A. Financial Services Modernization Act of 1999 Modernization = ?

What is the Gramm-Leach-Bliley (GLB) Act? Enacted November 12, 1999 Effective November 13, 2000 Not primarily privacy legislation

A.K.A. Financial Services Modernization Act of 1999 Modernization = Mergers Financial services includes: banks, stock brokerage companies,

and insurance companies

Why does the GLB address privacy? New privacy concerns arise from future mergers

What happens when your mortgage company talks to your health insurance company?

Existing privacy issues November 1997, Charter Pacific Bank sold millions of credit card

numbers to an adult website company. 1998, NationsBank shared information with affiliated stock brokerage.

Sold high-risk investments to senior citizens. 1999 - 2000, Memberworks telemarketers. 19/25 top banks.

International issues 1995, the EU passed the Data Protection Directive. Initial Safe Harbor proposal did not include the financial industry.

Privacy provisions in GLB

Must store personal information securely ensure security and confidentiality protect against anticipated threats protect against unauthorized access that could substantially

harm or inconvenience customers

Must give notice of policies about sharing personal financial information

Must give option to opt-out of some sharing No sale of specific data for marketing Pretexting banned

Privacy provisions in GLB

Must store personal information securely ensure security and confidentiality protect against anticipated threats protect against unauthorized access that could substantially

harm or inconvenience customers

Must give notice of policies about sharing personal financial information

Must give option to opt-out of some sharing No sale of specific data for marketing Pretexting banned

Privacy protection exceptions

Disclosure to affiliates No notice required No ability to opt out Free information flow within entire “corporate family” -

can be 1000+ companies, not all financial

Joint marketing disclosure No notice required No ability to opt out Can flow all through the second “corporate family”

What is in a GLB Privacy Notice?

Clear, conspicuous, and accurate statement of the company's privacy practices

What information the company collects about its consumers and customers

With whom it shares the information How it protects or safeguards the information Applies to "nonpublic personal information"

Who Gets Notice?

Have you seen a GLB notice? Have you read a GLB notice?

Who Gets Notice?

Have you seen a GLB notice? Have you read a GLB notice? Goes to all new customers Goes out annually to all customers

Who Gets Notice?

Have you seen a GLB notice? Have you read a GLB notice? Goes to all new customers Goes out annually to all customers Do notices get noticed? How does this compare to privacy indicators in

web browsers?

Did GLB help? Part I: More clarity

C o m p l e t e n e s s o f P r i v a c y P o l i c i e s i n t h e R a n d o m 3 0 b a n k s

6 3 %

8 3 %

7 3 %

1 3 %

7 7 %

2 0 %

1 0 %

1 7 % 1 7 %

0 %

3 0 %

0 %

A f f i l i a t e

S h a r i n g

A f f i l i a t e

D i s c l o s u r e

A f f i l i a t e

C h o i c e

T h i r d P a r t y

S h a r i n g

T h i r d P a r t y

D i s c l o s u r e

T h i r d P a r t y

C h o i c e

Percentage Unkown

P r e - G L B ( 2 0 0 0 )

P o s t - G L B ( 2 0 0 5 )

I n f o r m a t i o n S h a r e d w i t h A f f i l i a t e d C o m p a n i e s

6 0 %

1 0 0 %

1 3 %

5 0 % 5 0 %

9 0 %

1 0 %

1 0 %

3 0 %

8 3 %

1 7 %

5 0 %

2 3 %

3 %

1 0 %

2 0 0 0 2 0 0 5 2 0 0 0 2 0 0 5 2 0 0 0 2 0 0 5

T o p 1 0 R a n d o m 3 0 C r e d i t C a r d

A l l I n f o r m a t i o n T r a n s a c t i o n a l I n f o r m a t i o n D o n o t s h a r e U n c l e a r

Did GLB help? Part II: Sharing alike

Did GLB help? Part III: Joint market increase

T h i r d p a r t y s h a r i n g + j o i n t m a r k e t i n g

7 0 %

8 0 %

5 0 %

8 0 %

5 0 %

8 0 %

2 0 %

2 0 %

3 7 %

2 0 %

2 0 %

2 0 %

1 0 %1 3 %

3 0 %

2 0 0 0 2 0 0 5 2 0 0 0 2 0 0 5 2 0 0 0 2 0 0 5

T o p 1 0 R a n d o m 3 0 C r e d i t C a r d

y e s n o u n c l e a r

Are notices readable?

85% of adults have a high school degree 25% have one or more college degrees Reading level usually three grade levels lower 8th grade recommended for general population July, 2001: Privacy Rights Clearinghouse study, average

is 15.6 GLB legislated policies must be “reasonably

understandable” yet policies are at college reading level

Are notices readable?

Readability of Privacy Notices

13.4 13.3

13.9

12.5

14.814.5

13.413 13 13.1

12.912.7

12.713

11

11.5

12

12.5

13

13.5

14

14.5

15

15.5

16

1999 2000 2001 2002 2003 2004 2005

Readability (Grade Level)

Top 10 banks

Random 30 Sample

GLB enacted July 2001

Source: An Evaluation of the Effect of US Financial Privacy Legislation Through the Analysis of Privacy PoliciesSteve Sheng and Lorrie Faith Cranor

What makes notices harder to read? Complexity

Long line length with lots of clauses Big words

Jargon “But I don’t want to default”

Legal writing When is the last time you read a contract for fun? Being informal can create legal liability

Corporate incentive for “weasel words” Passive voice endemic

Privacy Mad Libs

A "< X >" is a < Y > who has a "< X > relationship" with a financial institution. A "< X > relationship" is a continuing relationship with a < Y >.

Privacy Mad Libs

A "< X >" is a < Y > who has a "< X > relationship" with a financial institution. A "< X > relationship" is a continuing relationship with a < Y >.

A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship with a consumer.

Privacy Mad Libs

A "< X >" is a < Y > who has a "< X > relationship" with a financial institution. A "< X > relationship" is a continuing relationship with a < Y >.

A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship with a consumer.

Privacy Mad Libs

A "< X >" is a < Y > who has a "< X > relationship" with a financial institution. A "< X > relationship" is a continuing relationship with a < Y >.

A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship with a consumer. Source: The Federal Trade Commission’s

explanation of the Gramm-Leach-Bliley Act

Maybe it’s just the FTC…

Perhaps it’s hard to write about writing policies but the policies themselves are clear and useable.

Perhaps the FTC hired exceptionally bad staff.

Maybe it’s just the FTC…

"An affiliate is a company we own or control, a company that owns or controls us, or a company that is owned or controlled by the same company that owns or controls us. Ownership does not mean complete ownership, but means owning enough to have control." (Seattle Savings Bank)

Maybe it’s just the FTC…

"An affiliate is a company we own or control, a company that owns or controls us, or a company that is owned or controlled by the same company that owns or controls us. Ownership does not mean complete ownership, but means owning enough to have control." (Seattle Savings Bank)

"We share your non-public personal public information only with contractual safeguards to protect the confidentiality of your information." (UniTrust)

Maybe it’s just the FTC…

"An affiliate is a company we own or control, a company that owns or controls us, or a company that is owned or controlled by the same company that owns or controls us. Ownership does not mean complete ownership, but means owning enough to have control." (Seattle Savings Bank)

"We share your non-public personal public information only with contractual safeguards to protect the confidentiality of your information." (UniTrust)

"In the opt-out election, you will have the option of including or excluding the Credit Union from your opt-out election." (UniTrust)

Privacy Buzzword Bingo

Making GLB more useable

Evolution of a Prototype Financial Privacy Notice: A Report on the Form Development Project (February 28, 2006, Kleimann Communications Group, Inc.)

Six federal agencies’ project to do better Board of Governors of the Federal Reserve System, Federal Deposit Insurance

Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency, and the Securities and Exchange Commission.

Explore why consumers don’t read and understand privacy notices Develop notices that are easier for consumers to understand and use

Phase I: complete 8 test sites 16 month iterative cycle for prototype

Phase II: quantitative study to assess the prototype

Project Goals: Paper Prototype

Comprehension. The prototype must enable consumers to understand the basic concepts behind the privacy notices and understand what to do with the notices. It must be clear and conspicuous as a whole and readily accessible in its parts.

Comparison. The prototype must allow consumers to compare information sharing practices across financial institutions and to identify the differences in sharing practices.

Compliance. The content and design of the alternative privacy notices must include the elements required by the GLBA and the affiliate marketing provision of the Fair and Accurate Credit Transactions Act.

Good design: necessary but not sufficient Table design worked best Two page design with more details available for

those who want them (definitions and GLB mandated notices)

“We learned that we needed to include an educational component in the notice as consumers had no prior understanding of information sharing practices.”

Four Parts of the Design

Title Frame Disclosure Table Opt-out Form

The Title

Attract consumers’ attention so that they will read the notice

Avoids inflammatory language Helps consumers understand that the information is

from their own financial institution Their personal information is currently being

collected and used by the bank Does not explicitly mention consumer rights

QuickTime™ and aTIFF (LZW) decompressor

are needed to see this picture.

The Frame

Problem: customers uninformed about financial privacy

Need basic information about financial sharing practices to understand the notice

The Frame provides context and supports the core information about a financial institution’s sharing practices Key frame: heart of ensuring comprehension Secondary frame: nice to have (FAQs, details, mandates)

QuickTime™ and aTIFF (LZW) decompressor

are needed to see this picture.

QuickTime™ and aTIFF (LZW) decompressor

are needed to see this picture.

The Disclosure Table

Goals: Understand information about financial sharing policies and their

personal information Can compare sharing practices across financial institutions

Seven basic reasons a financial institution can share information What is being shared What can customers opt-out of Enables direct comparison between companies

QuickTime™ and aTIFF (LZW) decompressor

are needed to see this picture.

The Opt-out Form

On a separate page to make it easy to mail in Designed to help consumers understand how to

opt-out Structured by type of sharing consumers can opt-

out of Given the GLB: does this seem to do a good job?

QuickTime™ and aTIFF (LZW) decompressor

are needed to see this picture.

QuickTime™ and aTIFF (LZW) decompressor

are needed to see this picture.

Four testing methods

Focus groups What a group of consumers thinks about privacy notices What they see as barriers to understanding them Do not tell the researcher what a consumer will actually do with a notice

Preference testing In-depth one-on-one interviews Preferences for vocabulary, headings, notice components, and ordering

Pretests Dry run of the diagnostic usability test Validates the methodology

Diagnostic usability testing (structured + unstructured) how the individual participant actually works with a document elicits reaction to the information to target and diagnose problems iterative process; adjustment with successive test rounds

Lessons Learned: Focus Group

People did not read the old style notices Type was too small, particularly for seniors Small font signaled unimportant information Important information was grey on black Four pages was too much to read Customers expect banks are trying to conceal information

People believed that all privacy notices were the same Regulations mean uniformity Can change at any time so meaningless Did not understand there are opt-out choices Choose a bank for free checking and not privacy policies

Lessons Learned: Pretest

Customers did not understand the purpose of notices In essence: wrong mental model Thought notice was requesting personal information Lacked context to understand the text

Opt-out was confusing Unexpected Did not have the context to understand the choices Too much information

Lessons Learned: Pretest“None of the designs worked”

“In the end, it did not matter if we changed the test scenario, provided them with more time to ‘study’ the information, or tutored them during the session. Participants had too little of their own context about financial sharing information to understand the content of the notices. Since they had no basis for or understanding of the information in the notices, the designs simply weren’t working in their current format or with their current content.”

Lessons Learned: Usability Testing

Customers do care what happens to their information Indicated they would read the new notices Understood why they got the notice and “much of” the

content Recognized opt-out form as an action item Layout improved comprehension Word choice matters Could compare side-by-side policies Standardization can actually be confusing

Are we there yet?

QuickTime™ and aTIFF (LZW) decompressor

are needed to see this picture.

In closing: Six meta-themes

Keep it simple Good design matters Can design to avoid bias Whole-to-part design is critical

“Without context, they understood virtually nothing”

Standardization is effective Disclosure table is critical

Overview revisited: We are here The Gramm-Leach-Bliley (GLB) Act

Selected portions from An Evaluation of the Effect of US Financial Privacy Legislation Through the Analysis of Privacy Policies

Privacy text is hard Privacy Mad Libs example Privacy bingo cards

Making GLB more useable Evolution of a Prototype Financial Privacy Notice

What happens in practice? Privacy practices of Internet users:

Self-reports versus observed behavior

Privacy images are hard Privacy Pictionary / Time’s Up

Essential tension

In survey after survey, people say they are very concerned about privacy and it is a decision making factor

Other forms of data analysis suggest this is not true (log files, for instance)

Is there a gap between what people say and what people do?

Four part study

175 participants recruited via email and web in 2005. No compensation. 45-60 minutes, topic known.

Basic demographic survey Survey of privacy values and attitudes Knowledge test Pair-wise comparisons of privacy indicators

Basic demographic survey

2/3rds in education More highly educated than Internet population (16.2 v.

14.4 years of school) Self-selected More men than women (74% v. 26%)

Women reported lower levels of computer expertise

Comfortable with e-commerce and computers Installed software (38%) or taken other steps (43%) to

protect online privacy

Survey of privacy values and attitudes Motivation: was Westin right?

Privacy fundamentalists Privacy pragmatists Privacy unconcerned

Five questions on a five-point Likert-scale: I am concerned about online identity theft I am concerned about my privacy online I am concerned about my privacy in everyday life I am likely to read the privacy policy of an ecommerce site before buying

anything Privacy policies accurately reflect what companies do

Knowledge test

Perception gap: subjects over-report their understanding of privacy issues as well as willingness to act

Tested knowledge of three areas: Cookies Web bugs P3P and third party cookies

Asked to rate level of concern Asked why the technology matters (two correct, three

incorrect reasons)

Knowledge test

Cookies Web bugs P3P

Claim knowledge

90% 35% 21%

False claim 85% 83% 75%

Overall knowledge

14% 5% 5%

Fundamentalists do not know more - they just worry more

Pair-wise comparisons of privacy indicators

QuickTime™ and aTIFF (LZW) decompressor

are needed to see this picture.

Pair-wise comparisons of privacy indicators

QuickTime™ and aTIFF (LZW) decompressor

are needed to see this picture.

Twelve factors for decision making

Price 20% discount = $5

SSL indicator Use of 3-party cookies

and P3P IE blocked cookie icon

An email address A phone number A postal address

TRUSTe privacy seal Credit card symbols Four different privacy

policies: User centered - good User centered - bad Company centered - good Company centered - bad

Regression model of factors

1. TRUSTe seal2. User centered - good policy3. Company centered - good policy4. Company centered - bad policy5. User centered - bad policy6. Phone number7. Address8. Price discount9. Credit card symbols10. SSL indicator11. Email address

Factors, a deeper look

There is a preference for good policies over bad Under 30% of participants looked at the privacy policies

Not much difference between Westin groups Policy itself serves as a trust mark

TRUSTe dominates in part because people do not read privacy policies Even more significant for women

Do subjects even see the P3P/third party cookie and SSL indicators? Or understand them?

No fit at all for a regression model for Fundamentalists

Any questions before we play?

David Brin’s Happy World of Equals

Competing Views of Online Privacy “Privacy is dead, deal with it”

Scott McNealy, CEO of Sun MicroSystems

“My aim all along has been to suggest that the promoters of anonymity and secrecy are basing their zeal on untested assumptions and bear a burden of proof before we consign our destiny to their transcendental vision of salvation through encryption.” David Brin, The Transparent Society

“A full-on privacy rebellion won't be pretty, it won't be non-violent and people will get hurt.” Brock N. Meeks, opinion piece for MSNBC