DOI: 10.1145/1124772.1124787

Evaluating interfaces for privacy policy rule authoring

Published: 22 April 2006

Abstract

Privacy policy rules are often written in organizations by a team of people in different roles. Currently, people in these roles have no technological tools to guide the creation of clear and implementable high-quality privacy policy rules. High-quality privacy rules can be the basis for verifiable automated privacy access decisions. An empirical study was conducted with 36 users who were novices in privacy policy authoring to evaluate the quality of rules created and user satisfaction with two experimental privacy authoring tools and a control condition. Results show that users presented with scenarios were able to author significantly higher quality rules using either the natural language with a privacy rule guide tool or a structured list tool as compared to an unguided natural language control condition. The significant differences in quality were found in both user self-ratings of rule quality and objective quality scores. Users ranked the two experimental tools significantly higher than the control condition. Implications of the research and future research directions are discussed.


Published In

CHI '06: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
April 2006
1353 pages
ISBN:1595933727
DOI:10.1145/1124772
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. design process
  2. natural language interfaces
  3. privacy
  4. privacy policies
  5. social and legal issues

Qualifiers

  • Article

Conference

CHI06
CHI06: CHI 2006 Conference on Human Factors in Computing Systems
April 22 - 27, 2006
Québec, Montréal, Canada

Acceptance Rates

Overall Acceptance Rate 6,199 of 26,314 submissions, 24%
