Privacy Concerns for Visual Assistance Technologies

3.1.1 Participant Recruitment.

We recruited participants by circulating an IRB-approved announcement on social media, on a listserv managed by organizations serving people who are blind or have visual impairments, and through snowball sampling. To be eligible, participants had to be 18 years or older, blind, and use cameras to collect and share visual media. We aimed to have equal distribution of participants in terms of gender and level of prior visual experience (i.e., born blind versus acquired blindness). We compensated participants with Amazon gift cards ($20/hour).

We interviewed 18 participants (11 female/7 male, ages 22-73 years with an average age of 42). All were located in the United States or Canada and identified as being totally blind. Nine of them were blind from birth, and nine had acquired blindness. Two of those with acquired blindness lost their sight as teenagers, three lost their sight in their 20’s, and one in their late 40’s. The participants’ level of education varied: eight participants had completed high school, four had a bachelors degree, four had a masters degree, and two had a higher degree (e.g., JD or PhD).

3.1.2 Semi-Structured Interview Protocol.

Two researchers conducted all interviews over the phone during Spring 2020. One researcher led the interviews while the other took structured notes. All interviews were audio recorded and lasted from 1-2 hours, covering the semi-structured interview questions (discussed in this section) and a privacy concern rating task (to be discussed in Section 4). The 21 semi-structured questions focused on participants’ use and preferences for different VATs, their understanding and reactions to how the services work, the types of visual content they consider to be private, and their definitions of “privacy” and “privacy concerns”⁴ outside the premise of VATs. This was important in establishing what privacy concerns naturally emerged and the role VATs play in the life of each participant prior to introducing them to the pre-established list of PVC. Similarly, we asked participants about what image and video content they self-identified as private before exposing them to the predefined PVC types during the Privacy Concern Rating Task. We designed the semi-structured interview to take approximately 45 minutes.

3.1.3 Data Analysis.

We analyzed the interview data through thematic analysis [22]. We began by writing analytic memos after each interview to support our reflection and to identify emergent patterns, categories, and concepts [97]. For the first three interviews, two researchers transcribed the interviews, wrote analytical memos, then together compared their memos and resolved any disagreements through iterative discussion. For the subsequent 15 interviews, the two researchers took turns transcribing and writing memos. After each memo was complete, the second researcher reviewed the first researcher’s memo.

After all interviews were complete, we used affinity diagramming [16] to collaboratively identify an initial set of themes that were present across the analytic memos. We drew on these themes when analysing the interview transcripts. Two researchers reviewed each interview transcript, selected and labeled instances where participants reflected about privacy when using VATs, and occasionally refined the theme names and re-coded segments under a different theme. We also applied codes to the segments of interview text when the participants referenced human-powered or AI-powered VATs in their statements, and if their reflections conveyed a risk or benefit to their sense of privacy. Finally, we categorized the themes (factors) according to three broader categories that first became apparent when reviewing the analytic memos:

3.2.1 Use of VATs.

All participants had experience with both human-powered VATs (Aira and/or Be My Eyes) and AI-powered VATs (Seeing AI and/or Envision AI) on iPhones. However, when asked which VAT they use the most and for what purposes, 10 participants reported their primary VAT to be Aira, four reported Be My Eyes, and four reported Seeing AI. Table 1 shows what tasks participants accomplish with each VAT, and the frequency and duration of use.

While participants reported using VATs for reading text in mail, documents, and food packaging, we also observed that some tasks were unique to specific VATs. For example, participants used Aira to interact with live human visual assistants and to complete tasks such as signing documents, selling on eBay, resolving issues on productivity applications, and reading credit cards and documents with social security numbers. Moreover, one participant explained how an Aira agent provided them with assistance to search for and complete a job application (a task that took 90 minutes on a paid account).

The participants who prefer to use Be My Eyes, a VAT that utilizes volunteers to provide visual assistance, highlighted the value they experience when being able to interact with a human assistant that could be located anywhere in the world. The participants use Be My Eyes to fix broken objects, obtain support using productivity applications, find lost items, and read text on objects with curved surfaces—a task that one participant stated was “too hard for AI”. The four participants who preferred Be My Eyes reported using it for five to ten minutes per session.

Those who preferred using Seeing AI indicated that they use it because it is the “most efficient” VAT and that they could accomplish their tasks between two to five minutes, two to five times a week. They use Seeing AI for its variety of features—from the short text reader, object identifier, and barcode reader. These features are useful for reading text in images, learning about the objects in an image, scanning barcodes, and completing tasks like restringing a guitar. Though our data may not comprehensively represent possible uses for VATs, these responses are consistent with prior work (e.g., [19, 46]).

3.2.2 Defining Privacy in the Context of VATs.

We asked participants to describe what ‘privacy’ meant to them in the context of VATs. Participants described privacy in several different ways—as an experience or as related to one’s behavior. For example, several participants focused on privacy being a safeguard. Regarding experience, P16 noted, “So much stuff going on in the world, there needs to be something so people can have a sense a peace, and not isolate or hideout just to protect themselves.” Others spoke about privacy in terms of maintaining a sense of control or ownership of information. P07 said, “Privacy means personal control over information that was not necessarily intended for a wide distributed audience.” Regarding their own behavior of personal management, P08 said, “I need to know who has access to my information and where it’s being stored. I make sure I’m dressed, pay attention to surroundings. Try to use my headphones…I can regulate upfront.”

Others discussed privacy in terms of negative impacts from the loss of privacy: loss of control or the ability to manage what information they share, loss of ownership, loss of peace of mind. In the words of P18, “I am concerned about privacy when my personal life is being intruded on…what I read, what I say online, what meal I ate, who I talk to, where I go. These are all mine.” P05 shared, “Privacy concern [means] that someone takes sensitive information and the use has consequences for me.” Others focused on malicious acts, including P17 who identified “A breach of my personal information…[use by] someone who will go to the effort to delete their tracks” and P03 who said, “Pertinent information that you don’t want anyone else to use involuntarily [without your consent] or use to harm you in some type of way”.

Finally, throughout the interviews participants directly identified their blindness as a factor that increases their need for privacy protections. For example, P04 shared, “I recognize blind people have less [privacy] because we stand out in a crowd. I don’t like it, but I just have to accept that”, and P08 explained, “After interacting with other blind people [in my daily life], I sometimes forget that when interacting with sighted people that I might need to take precautions. I can regulate up front, but it’s hard to know what is out there. My identity is on the line and I need protection too.”

3.2.3 Factors Impacting Users’ Visual Privacy Perceptions.

During the interviews the participants shared their perspectives about what causes visual privacy risks and what provides a sense of visual privacy, i.e. what benefits their sense of privacy in the context of human-powered and AI-powered VAT use (RQ2). Below we share the factors the participants attributed as privacy risks and benefits for both VAT types, which fall under three overarching categories: (1) their understanding of how VATs provide the services, (2) their perceptions of the impact of sharing PVC to their personal well-being or social relationships, and (3) their assessments of how VAT services adhere to their values or raise values-based questions.

Human-powered VAT- Benefits:

Understanding of the Service Offering: Several factors related to participants’ understanding of how VATs provide their services. First, we heard a belief or assumption that human-powered VATs enact practices to maintain professional standing within industry or with their users (professionalism). For instance, P06 stated, “I just assume they are a company that wants clients. Why would they sell your info?” P05 echoed a similar sentiment, “The company reputation would be on the line if word got out they were stealing data.” Several participants indicated that their understanding and trust in the professionalism of the service was due to the human-powered VATs’ corporate messaging. For instance, P06 shared that she had received emails from Aira, which provided her with a sense of trust in the services.

Several participants noted that they perceived human-powered VATs to be professional and trustworthy due to internal and public-facing policies designed to protect users. One policy identified as beneficial was the choice to opt out or not to share personal visual data with the human-powered VAT. For example, P11 said, “With Aira, you can opt out of having your info retained! It’s a nice notion, but I forget about it when I’m actually using the service.” Another policy that participants brought up in the context of Aira related to the companies mandates for its employed agents (sometimes referred to as remote sighted assistants [64]) to self-identify at the beginning of a call. P05 noted, “With Aira, agents identify themselves. I don’t get a full [name], but at least I have a name and a time with my call log if I have to report.” P05 went on to relate the VATs service offerings to other assistive company policies, “Aira is track-able, similar to knowing who your Uber driver is.”

Participants explicitly noted that interacting with trained agents is of great benefit to their sense of privacy because of the specialized training employees receive to handle PVC. For instance, P05 shared, “When I have to get my CC info read, I’d rather do Aira because the service has trained agents and I know where to go back to if I have a problem. I check my statements and they match. They’ve signed whatever they have to contractually, for accountability, whereas with some of the volunteers you wouldn’t have that.” Similarly, P09 expressed, “Part of the reason [I] use Aira is because I feel like it’s a company and they [Aira agents] have training. Someone could be fired, blackballed. There’s a little more implicit trust.”

Values-Based Assessment: Some participants mentioned factors related to values when describing what they consider to be important when using human-powered VAT and/or how the VATs they use uphold or represent their values. Most prominently, we heard statements like “If a human being is doing something, the assumption is they are doing their best. They are trying to do a good job, which is the vast majority of the time” (P02). Participants’ trust in human decency or belief in the inherent good or benevolence of remote sighted assistants reflects why blind people knowingly share their PVC. When discussing the benefit of Be My Eyes [34], a volunteer-based human-powered VAT, P16 expressed, “Volunteers haven’t given me a reason to not trust them.” In fact, for some participants, the opportunity to interact with volunteers from all over the world increased their trust in human decency and in some cases was “a source of joy”. Participants’ also extended a sense of trust from the remote sighted assistants to the companies. For example, P15 said, “From what I’ve heard, Aira is the best way to go. They’re really trustworthy and they won’t pick on you for a high balance.” During the interviews we also learned that some participants use volunteer-based human-powered VATs such as Be My Eyes because these services preserve their anonymity when sharing private visual data. As P07 explained, “The benefit is [that] the anonymous [Be My Eyes volunteers] people…don’t have connections to the blind community.” This participant explained that Be My Eyes alleviates the social stigma he encounters when family or friends access his images containing PVC.

Human-powered VAT- Risks:

Understanding of the Service Offering: Many participants reported a lack of understanding on VAT companies’ data retention practices, which we coded as unknown data handling. For instance, P05 explained, “Well, anytime you have to get something read, are they going to remember it, store it?” They went on to discuss her specific concern with storage of information, “I know Aira stores info, but don’t know what triggers [data] retrieval or if they do. I think I saw someone say on social media that it’s 18 months storage, but I haven’t verified that.” P08 shared specifically about data retention, “I don’t think any [of] them [VATs] try to do that?”

Personal/Social Impact: A risk that participants associated with human-powered VATs is identity theft. Participants expressed concerns that human-powered VATs created opportunities for nefarious actors to access their PVC and illegally use the information for personal gain. Put simply, P10 specifically mentioned identity theft as a privacy concern because they are “Not comfortable with another person reading my information.” Similarly, P18 talked about having trouble setting up an online account and the sensitive information they were concerned about disclosing, “I recently tried to set up an account on the Social Security administration website and I couldn’t, I couldn’t figure it out. It kept kicking me out …when trying to set up the login. I’m sorry, I just do not feel comfortable calling up Aira or Be My Eyes, and saying can you help me create my login for Social Security.”

Some participants expressed a fear of social judgement related to their use of human-powered VATs, including that disclosure of PVC could solicit a negative critique from others, causing personal embarrassment or other negative psychological impact. P17 explained, “There’s certain things I may not want a human actually reading to me, that might be embarrassing, might be too personal, might be beyond the jar of mayonnaise, you know.” Others shared the concern that when using human-powered VATs they were at higher risk for not acting in a socially acceptable manner (not socially acceptable). P06 shared this fear in terms of violating another person’s comfort, “I wouldn’t ask Aira to describe a [picture of a private body part]. It’s inappropriate because you’re disturbing someone.”

Values-based Assessment: Some participants indicated that they were at greater risk when using VATs that involve volunteers as remote sighted assistants because they lack accountability. For example, in the context of Be My Eyes, P09 explained, “If someone isn’t being paid, who knows what mysterious ways they are looking to gain from the system. When someone is being paid there’s a lot less to think about things in that way because to them it’s a job and they have some amount of job security provided they don’t screw up too badly. They are too busy making sure they keep their job.” P05 shared a similar statement on the nature of volunteer-based human-powered VATs: “I haven’t used the volunteer one because you never know what you’re going to get in terms of quality of the volunteer.”

AI-powered VAT- Benefits:

Understanding of the Service Offering: Some participants specified that using AI-powered VATs ensures that there are no human eyes on data, such as a person looking at the image or having access to the image. To this point, P10 said, “I still feel like I have more privacy with Seeing AI, [because there is] not another human on the other end… I don’t have to worry about someone writing down my information and taking it.” She later said, “I have more trust with AI” and though “It [VAT] stores or can store information, it just moves on”. Similarly, P04 indicated she trusts that AI-powered VATs do not focus on or identify an individual, thus ensuring anonymity: “I don’t mind if my data is used in the aggregate.” P13 said, “I’m more likely to use Seeing AI. It’s not necessarily more efficient, but I can plug headphones in and read it and I don’t have to worry about anyone remembering my information or jotting down numbers.” In such statements, we heard participants indicate a benefit of using AI-powered VATs is that their personal visual data is not collected and/or retained by a person (e.g., P13’s case) or by the service itself. P12 explained: “I don’t think of privacy because it’s happening while I’m doing it. It’s not being saved that I can tell.”

Personal/Social Impact: Several study participants indicated that a benefit of AI-powered VATs was that they eliminate the risk or sustained fear of social judgement (which occurs when using human-powered VATs). For instance, P08 stated AI-powered VATs are “Easier and faster and I don’t have someone making a judgement.” P08 went on to explain her belief that people make judgements of others, even during assistance, therefore she values AI-powered services. Accordingly, the primary benefit we heard from participants about AI-powered VATs related to privacy is that these services eliminate the possibility of embarrassment or other psychological impact.

Values-based Assessments: Similar to human-powered VATs, participants indicated that AI-powered VATs offer a sense of anonymity and in turn a sense of assurance that their PVC will not be linked back to them. Yet, we often heard participants state that AI-powered VATs offer more anonymity than human-powered VATs. P11 stated he values anonymity provided by AI-powered VATs, “for speed efficiency and a little more anonymity.”

AI-powered VAT- Risks:

Understanding of the Service Offering: Often, participants discussed their lack of understanding of how AI-powered VATs handle personal visual data once collected or the service’s promised privacy protections (unknown data handling). P02 rhetorically asked, “What happens to the picture after it runs through the database?” Similarly, P04 faced her own lack of understanding, “I never thought to ask until now, but with the AI it makes me wonder if records are kept, who keeps the photographs. Are they kept in the cloud somewhere or are they just kept on my phone?” More optimistically, P08 stated her concern: “Privacy is similar because I don’t know either service…both have the same access of a file to keep, replicate, or share outside” and then followed up with “I don’t think any of them try to do that.” Later in the interview, P08 expressed further concerns, “I don’t like reading some of my mail because now it’s in my phone and I don’t know how it makes it to the cloud.” In response to using Seeing AI, P01 said, “I don’t understand as much as far as where the information goes, I don’t know.”

Some participants had a more nuanced understanding of the VATs’ policies and raised questions about the length of data retention. Regarding Seeing AI, P05 stated, “I just don’t know how long they store information”. It was evident that participants were concerned about how VATs handle their data, and indicated that the lack of transparency creates a lack of trust. P05 went on to discuss his concern, “I don’t know how long they store it [my data]. It’s a concern, but I hope that people are generating so much data they aren’t tracking mine.” Others raised concerns that the AI-powered VAT systems are vulnerable, or in the words of P01, “In the wrong hands someone can do anything with your information.” Some participants raised the explicit concern that their PVC could be exposed by faulty technology, without clarifying how this could arise.

3.2.4 Self-Identified Private Visual Content.

Throughout the semi-structured interview we learned about the types of information the participant’s self-identified as PVC. Here we report on these PVC types, and compare them to the PVC types Gurari et al. [45] identified (through a visual analysis of images taken and shared by blind people with the VizWiz [18]),which we used in the Visual Privacy Concern Rating Task presented in Section 4.

The PVC types that both the participants in our study and Gurari et al. [45] include are: Financial Account Information (credit card, credit report, PIN number, point of sale, financial data, “financial stuff”, debit card information, financial, purchases, and banking information); Medical Information (health data, “health stuff”, medical records, “medical stuff”, pregnancy test, and Medicaid); Identification and Location Information (personal information, ID information, address information, name, phone number, and ID cards); Paperwork, (mail, personal mail, and documents); Computer/Online Access (login information, password, browsing history, and emails); and People (pictures of faces).

Our findings also revealed types of PVC that were not presented in Gurari et al. [45]. Most prominently, eight participants spoke about Social Security Information. For instance, P18 explained that blind people commonly use social security information to apply for Supplemental Security Income (SSI) benefits. Two participants (P02, P13) indicated they consider Information from an Educational Institution (such as transcripts and disciplinary reports) as PVC because disclosure of this information to the wrong parties could cause embarrassment or would betray trust. While a majority of their responses were general enough to categorize, some participants offered very specific content. These responses seemed to be representative of Personal Interests that they considered subject to social judgment. For instance, participants indicated images that showed “guns” or “sexual identity”, would be PVC. P17’s concerns included “books I’ve read.” Finally, participants commonly made statements like that from P07, “It’s hard to know the whole list of things.”

4.1.1 Rating Task Protocol.

The rating task involved 21 PVC types. To establish these PVC types we expanded Gurari et al.’s [45] 19 PVC types by adding two more general types (Name and Location) to observe them as independent PVC types (they were compounded in the original taxonomy). We chose to provide the 21 pre-identified PVC content types to ensure that the PVC types were consistent across all participants, and in anticipation that the task of self-identifying types of PVC on the spot, without context, could be challenging for participants.⁶

For each PVC type, we prompted participants with the following question: “Imagine that [X PVC] was available for anybody to use. How would that make you feel?” When participants expressed a concern, we followed up by asking “In what situations would it be of particular concern to you?” These questions enabled us to learn about participants’ concerns agnostic of how the data became available or the type of VATs they use and share their visual information. We asked participants to rate their level of concern by specifying a score between 1 and 5 (1 = Not Concerned/5 = Extremely Concerned) if the PVC were to be publicly shared.⁷ We then asked participants to rate their level of concern according to four other conditions, shown in Table 3. These four conditions capture how people’s privacy concerns change (1) if the agent providing the description was AI-powered vs. human-powered, and (2) if they share their private data knowingly vs. unknowingly. For each condition, we also asked participants to provide a short explanation of their privacy concern rating. In total, each participant provided 105 responses (i.e., 21 types \( \times \) 5 conditions). We randomized the order of the PVC types for each participant interview, though presented the conditions to them in the same order as shown in Table 3.

4.1.2 Data Analysis.

We: (1) averaged the 18 participants’ privacy concern ratings for each of the 21 PVC types according to the five conditions (Table 3), and (2) ordered and compared the averages for each PVC type. This analysis provided a foundation to address RQ2, Which PVC types are of most concern to people who are blind, generally as well as when using human-powered vs. AI-powered VATs?

The rating task data also contained 1,890 short-answer justifications that participants provided for each of their rating scores (21 PVC types \( \times \) 5 conditions \( \times \) 18 participants). To analyze these short-answer responses, we organized the data into 21 unique spreadsheets (one for each PVC type) and assigned in vivo codes⁸ to each response. When these in vivo codes were reflective of the factors identified during the interview data analysis, re-coded the data accordingly and refined the definitions. Otherwise, we created new codes. After consolidating the coded short-answer data into a single spreadsheet and filtering them according to each code respectively, we merged or reassigned codes for a few responses when they had the same meaning but used different terminology.

This process resulted in 54 unique codes that fit under the parent codes (Understanding of the Service Offering, Value-Based Assessments, and Personal/Social Impacts), with each one attributed as a perceived privacy risk, benefit, or other. Twenty-four of the 54 codes convey risk factors that participants attributed to their privacy concern ratings. All codes and definitions can be found in the Supplementary Materials.

In all, we coded 901 of the responses as risk factors, with the most frequent code (n = 115) being Unknown Data Handling—a participant’s assessment that the person is unaware if or how VAT company accesses, collects, stores, processes, shares, or sells PVC to a third party. We thus further investigated the Unknown Data Handling code through two secondary analyses. First, the lead author counted the responses coded as Unknown Data Handling—across all conditions. They reevaluated whether each of the 115 responses fit under this code, identified which condition and PVC type the short-answer response and code was attributed to, and then used a spreadsheet to sort and create a representation of the data showing how it is distributed across the contextual conditions in which PVC can be shared–i.e., with human-powered or AI-powered VATs, knowingly or unknowingly. Second, we performed a thematic analysis [22] of the 115 Unknown Data Handling responses, and applied codes under the general categories: privacy risk, privacy benefit, and other. We report the findings of these two secondary analyses in Section 4.2.2.

Finally, we performed a three-step analysis to address an emergent hypothesis that a participant’s prior visual experience may be another factor that impacts the person’s privacy concern ratings. First, we segmented the rating data according to whether participants were born totally blind and thus had no prior visual experience (\( N=9 \)) or acquired blindness and thus had prior visual experience (\( N=9 \)) according to each of the PVC types. Next, we averaged all participants’ scores for a given PVC type and for each of the four conditions (sharing PVC with human-powered VATs knowingly and unknowingly, and with AI-powered VATs knowingly and unknowingly). Finally, we compared the average privacy concern ratings from participants with congenital blindness to those with acquired blindness according to each PVC and VAT type.

4.2.1 Rating Results According to PVC Type.

Here we present the results from the Privacy Concern Rating Task, according to seven higher-level PVC clusters. Under each cluster we summarize the privacy concern scores shown in Table 4 and the participants’ rationales for providing the scores. We then present the results from two secondary analysis of the rating task data, including an examination into (1) the top rationale that the participants’ shared as adding a sense of risk to their visual privacy, and (2) the impact of one’s prior visual experience on their concern score.

Table 4.

View Table

Table 4. Results from the Privacy Concern Rating Task

Financial: Reinforcing the interview findings, the participants rated Financial Account Information as the most concerning of the 21 predefined PVC types. We examine this finding based on the context in which the content is shared (Table 3):

Public: On average, participants rated their concern about Financial Account Information being made publicly available as 4.6 out of 5 (Table 4, ID 1). Sixteen participants rated the public availability of their Financial Account Information as extremely concerning, due to the possibility of Financial Theft, an Undefined Threat/Consequence, or Identity Theft. Participants related their concerns to a fear of their Lack of Personal Management over their information (caused by their own actions), a sense of Loss of Control or Agency (caused by others), or Social Judgement. In one instance, a participant indicated that Financial Account Information is an Intimate Personal Experience.

Human-powered VATs: Concern was dramatically lower when sharing financial PVC knowingly with human-powered VAT; i.e., a drop from 4.6 in the public context to an average of 2.8. Those who expressed concern or extreme concern specified Financial Theft, Unwanted Identity Disclosure, and Unknown Data Handling as reasons. We attribute the majority of the responses which indicated lower concern to participants’ Need for Information or their understanding of the Professionalism of the VAT, that their data would be Protected by Policy. That said, participants’ concerns were higher (3.5) when their Financial Account Information would be shared unknowingly with a human-powered VAT. The primary reasons for this increase can be attributed to the participants’ fear of Lack of Personal Management in that the sharing of this information was Outside [the realm of their]Personal Awareness or Control, and can result in Loss of Control or Agency.

AI-powered VATs: On average, participants’ concerns when knowingly sharing PVC with AI-powered VATs was slightly lower than doing so with human-powered VATs. Only two participants expressed extreme concern with AI-powered VATs, based on fear of Financial Theft or Unwanted Identity Disclosure. Other concerns included Unknown Data Handling and Multi-party Privacy Conflict. Those who expressed less concern reasoned that they had a Need for Information or that it was Common Practice to use AI-powered services for this purpose. Moreover, others understood there would be No Human Eyes on Data or Data on Device Only. Still others expressed less concern due to the Professionalism of the service and the understanding they were Protected by the Policies. In the case that data would be shared unknowingly with human-powered and AI-powered VAT, the participants scores were higher then when shared knowingly. This increase in concern can be attributed to participants’ fear of Lack of Personal Management and Unknown Data Handling in addition to many of the aforementioned concerns.

Medical Information: On average, participants were almost as concerned about Medical Information as Financial Account Information (IDs 2-4), though for different reasons. For example, the participants who expressed extreme concern that their Medical Information (ID 2) would be publicly shared offered the following reasons: it reveals a Intimate Personal Experience, Undefined Threat/Consequence, Social Judgement, Against HIPAA⁹, and Multi-party Privacy Conflict. Participants’ concerns were lower when thinking about sharing Medical Information with human-powered or AI-powered VATs than publicly: 4.2 for sharing publicly versus 2.9 and 3.4 for sharing with human-powered VATs knowingly and unknowingly respectively (ID 2). Participants’ considerations for sharing with human-powered VATs included: Professionalism of the service, being Protected by Policy, a Trust of Human Decency, or simply because they have a Needed for Information. Considerations for sharing with AI-powered VATs knowingly included: Data on Device Only, No Human Eyes on Data, or Anonymized Personal Data. Similar to Financial Account Information, the prospect of unknowingly sharing medical PVC with either human-powered VATs or AI-powered VATs was slightly higher concern than when knowingly sharing the same information.

People: When considering images showing a person’s body or face, including a Naked Body, a Face, a Framed Photo of people, or a picture of a Tattoo (IDs 5-8), images showing a Naked Body were of greatest concern—with only slight variation in concerns across the condition that it would be shared publicly (4.1) or with human-powered VATs, knowingly (4.0) or unknowingly (4.1). The concerns participants expressed regarding the disclosure of an image of a Naked body included: Damage to Reputation, Social Judgement, Disclosure of Identity, or would be Grounds for Termination of Use of the VAT. In addition, they expressed the fear of Lack of Personal Management, Multi-Party Privacy Conflicts, along with the fact they would be Unfamiliar with Person providing the description and that they Wouldn’t Share Intentionally. The score for sharing this PVC with an AI-powered VAT knowingly was lower because participants felt there were No Human Eyes on Data or because Computers Can’t Blush, meaning a participant’s actions would not cause embarrassment for the agents providing the description. In cases where participants might unknowingly share an image of a Naked Body, the average score was higher. This can be attributed to fear of Lack of Personal Management in addition to the other reasons noted for this cluster.

Location: This cluster included eight PVC types (IDs 9-16). Publicly sharing paperwork with a Name and/or an Address were of highest concern for participants (IDs 9-10). Participants also understood that sharing an address would be more concerning than one’s Physical Position because an address could be used to locate their homes indefinitely, whereas their physical position may be temporary. As with other PVC clusters, participants were more concerned across all location PVCs about sharing unknowingly with AI-powered VATs rather than knowingly. We also observed that participants’ concern about location-based information was higher when the content was more. For instance, participants showed low concern for newspapers with the name of their city (ID 16) or a local library branch (ID 15) (which were identified as Public Information), whereas Letters, Personal Names, or one’s Address (ID 9-10) were of higher concern.

Identification. In this cluster, the most concerning PVC included a Letter with an Address and/or Name as well as Miscellaneous Papers with an Address and/or Name when shared publicly. While overall the License Plate (ID 18) rating fell between mildly concerning and concerning, some participants rated this License Plate as very or extremely concerning because they understood this information to be a risk if Paired With Other Information/Metadata and that it represented an Unwanted Identity Disclosure or an Undefined Threat or Consequence. We also commonly heard that by sharing License Plate information participants could be violating others’ privacy and that they needed to protect others so that Multi-party Privacy Conflicts do not occur.

Computer/Online Access. On average, participants’ were between mildly concerned and concerned (2.8 out of 5.0) about disclosure of their Username (ID 20), particularly in the case that it was shared publicly or unknowingly with VATs. Participants were concerned sharing their username could result in Unwanted Identity Disclosure, or Unwanted Human Viewing. They also expressed fear of Lack of Personal Management, and that unintentional sharing would be Outside Personal Awareness or Control. We also heard concern about the threat that malicious actors could pose if Username information was Paired With Other Information/Metadata, e.g., passwords or location data.

Affiliation. One PVC type fits here: a piece of Clothing with a Logo (ID 21). In the few instances participants gave a high rating to this PVC, the concerns centered on Damage to Reputation, or Social Judgement. Under the condition of sharing this PVC type unknowingly with human-powered or AI-powered VATs, participants worried the sharing would be Outside Personal Awareness or Control or cause fear related to Lack of Personal Management.

4.2.2 The Most Commonly Considered Risk in Sharing PVC: Unknown Data Handling.

The participants in our study provided 1,890 short-answer responses during the privacy concern rating task. We coded 901 of these as adding a sense of risk to their visual privacy. The most common of these risks are defined in Table 5, with the top one being Unknown Data Handling with 115 or 12.8% of the 901 risk-related responses. In a second round of thematic analysis [22] of the 115 risk responses, we performed a secondary thematic analysis [22]. From this analysis, we found that participants are unaware of (1) what happens to their images and videos once they have been shared, and/or (2) what security precautions VATs take to safeguard their PVC. For example, when talking about unknowingly sharing an image containing a Face with AI-powered VATs (ID 6), P06 reflected “I don’t think they save my information…maybe I have the wrong idea of AI; but I don’t know.” Under the same condition, but with a License Plate (ID 18), P15 asked, “Well, with technology things get out there. How are my images used?”. In the context of a Pregnancy Test (ID 4), P04 reflected, “I don’t know where are they storing it [images] or transmitting it [a computer screen showing a username (ID 20)]…If I knew exactly what the limits are on how the information is used and shared, I would drop it [my score] down low, but I don’t know what their rules are, really”. Similarly, but for Financial Account Information (ID 1), P10 said “I don’t think they are being shared, but I don’t know”.

Those who mentioned not having a clear understanding of VATs’ security precautions, shared statements such as “With an AI app, I have thought about it. I don’t know if it’s saved on a computer. I wouldn’t totally think that there’s NO way it [PVC] could ever be shared or found out by anybody” (P16 reflecting on financial account information, ID 1. Reflecting on how AI is developed, P17 also raised a question about the security of his images containing Misc. Papers w. Address, Name (ID 10): “AI is still made by people, they are using the internet for weapons and I don’t know how it is protected”. Finally, statements demonstrated participants’ awareness of VAT companies’ privacy policies, though not necessarily that they had read those policies. For example, regarding Medical Information (ID 2), P10 said, “I just realized I don’t know their privacy policy because I don’t read it. They could access my health information. I should probably read the statements!”. It is not surprising that P10 (or the other participants in our study reported not read privacy policies; prior works tells us that privacy policies are notoriously difficult to read and inaccessible to most media consumers, e.g., [62].

These findings and the findings shown in Figure 1—the distribution of responses coded as Unknown Data Handling across VAT types and sharing conditions, indicate that VAT users are more concerned and have more questions about how their data is handled for AI-powered VATs than human-powered VATs, particularly under the condition that data is shared with AI unknowingly. A possible reason for blind people’s concerns for sharing data with AI-powered VATs is that they expect for a person to see their data when it is shared with a human-powered VAT but not for AI-powered VATs, i.e., No Eyes on Data, which could be contested as data scientists commonly explore data to develop AI-powered services. All the while, to our understanding, VAT companies do not publicly disclose who within VAT organizations and their affiliated third parties have direct access to PVC. A second reason for blind people’s concerns for sharing data with AI-powered VATs could be related to their knowledge and understanding of VATs data security infrastructure and protocols.

Fig. 1.

View Figure

4.2.3 Impact of Prior Visual Experience on Privacy Concern Ratings.

Throughout the analyses of the semi-structured interview data and the short-answer responses, we began to see evidence that a person’s prior visual experience influences their privacy concerns. As such, we analyzed participants’ privacy concern rating scores according to whether participants had acquired blindness at age 15 or after (n = 9) and thus had prior visual experience or were blind from birth (n = 9) and thus had no prior visual experience.

Figure 2 shows this analysis broken down by human-powered vs. AI-powered VATs, but collapsed across the conditions of knowingly and unknowingly sharing data as these scores followed similar trends to the aggregate scores. For both human-powered and AI-powered VATs, and across all but one PVC type, participants with prior visual experience were more concerned about privacy than those with no prior visual experience. The only exception is for Receipt with an Address (ID 13), where the raw average concern ratings were higher for people with no prior visual experience than those with prior visual experience: 0.3 higher on average for sharing this PVC type with AI-powered VATs and 0.03 higher for human-powered VATs. These findings indicate that prior visual experience is an important factor affecting visual privacy concerns, perhaps because visual experiences provide a stronger sense of information that can be gleaned visually from an object and provide a broader range of reference points—a question we leave to be explored in future research.

Fig. 2.

View Figure

5.1.1 Data Collection.

Our dataset includes privacy policies from 13 companies as listed in Table 6. This set of companies covers popular camera-based applications used by blind people, as represented in the academic literature on visual assistance (e.g., [40, 64, 95]) and based on our experience conducting research with blind people: Aira, Be My Eyes, BeSpecular, KNFB Reader, Lookout, LookTel MoneyReader/Recognizer, OrCam MyEye, Seeing AI, and TapTapSee. These applications support a variety of use cases, types of camera-based devices, and visual data input types (images and videos) as shown in Table 6.

We further expanded the set of privacy policies by identifying companies that have interests in both accessibility and computer vision¹⁰ even if they do not currently have a popular VAT product. We made this choice based on the understanding that AI-powered (automated) visual assistance is a growing trend within industry and accessibility is a key motivator for development¹¹ To do so, we identified two top conferences in accessibility (the CSUN Assistive Technology Conference 2019 [113] and ACM SIGACCESS Conference on Computers and Accessibility (ASSETS) 2019 [10]), and the top conference in computer vision (IEEE Conference on Computer Vision and Pattern Recognition (CVPR) 2019 [36]). For each conference, we reviewed the sponsors as listed on the public website: 107 for CVPR, 12 for CSUN, and 9 for ASSETS. The following companies sponsored both CVPR and at least one of the accessibility conferences: Apple, Adobe, Amazon, Google, Facebook, and Microsoft. While Microsoft and Google were already in our company set because of related VATs (Seeing AI and Lookout, respectively), we added the remaining four companies for a total of 13: Apple, Adobe, Amazon, and Facebook.

For each of these 13 companies, a research team member manually gathered the privacy policy from the company’s website in Fall 2019. When visual assistance was one of many products offered by a company and did not have a unique privacy policy associated with it, we looked to the parent company’s privacy policy; e.g., for Seeing AI we downloaded Microsoft’s privacy policy. Each company’s entire privacy policy was collected for later analysis.

5.1.2 Analysis.

To systematically evaluate what VAT companies communicate to users about how their personal visual data is handled, we first developed an annotation protocol. Two sighted researchers on our team, with post-graduate education and varied experiences reading privacy policies,¹² independently read three companies’ privacy policy statements (Aira, Facebook, and Google) to gain familiarity with the structure and language used within privacy policy documents, and determine whether a systematic review of the policies would yield interesting results. Through several iterations, our team collectively developed, refined, and finalized the coding scheme to annotate the policies in our dataset.

The final schema included a set of prompts Table 7, which focused on what companies communicated to users about the types of data collected, users’ choices to opt out or delete their data, and the retention of visual data including its storage, use for AI development, and use by third parties. Some of these prompts had sub-prompts, which we refer to as sub-prompt ‘A’ and sub-prompt ‘B’. Two researchers (annotators) independently read and located in each of the 13 companies’ privacy policy statements any text that addressed each prompt. Each annotator assigned one of three scores to each prompt: a score of 1 to indicate that the privacy policy “contains information that addresses the question”, a score of 0 to indicate that the policy “explicitly states that the recording of data or privacy protection does NOT occur”, and -1 to indicate that the policy “does not provide information that helps answer the question”. As a result, for each policy, both annotators produced 13 scores to cover all the prompts and sub-prompts. In total, each annotator assigned 169 scores across the 13 policies (i.e., 13 \( \times \) 13 = 169).

Four of the co-authors met to analyze the results, and found that neither annotator had assigned a score of 0 to any prompts across all privacy policies; that is, none of the companies explicitly stated that they did not engage in data handling practices. Consequently, we retrospectively shifted all scores to reflect a binary rating system: 1 to indicate the policy provided information that the data handling occurs, and \( - \)1 to indicate when the annotator could not find any information to address the prompt in the policy.

We calculated Cohen’s kappa to measure inter-rater reliability between the two independent annotators. Across all prompts, we achieved an average inter-rater reliability of 0.84, which signifies a moderate to high degree of agreement (range: .61–1.0). To address the 26 out of 182 instances when the two researchers’ annotations differed (i.e., 14% of all prompts), they collaboratively reviewed the privacy policies, and came to an agreement about the information communicated within.

5.1.3 Policy Validation.

To ensure that the data was current at the time of submitting this journal article, in May 2021 the lead author revisited the source of each policy and collected a new copy as described above. To identify updates to the policies, we first observed if there was a change in the publication date, then compared the initial 2019 dataset to the 2021 policies on the VAT companies websites using the Track Changes->Compare Documents tool in Microsoft Word. Eight of the 13 companies had updated their policies between December 2019 and May 2021.¹³ We observed only one change that corresponded to our annotation protocol: Amazon’s privacy policy now directly specifies that video and image data are collected, e.g., “When you use our voice, image and camera services, we use your voice input, images, videos, and other personal information to respond to your requests, provide the requested service to you, and improve our services.” We account for this change in the presentation of the findings in Table 8 and the corresponding text.

Table 8.

View Table

Table 8. Results of the Privacy Policy Analysis, Showing Whether Companies Provide notice About Collecting Users’ Data (Prompts 1-3), the Length of Data Retention (Prompt 4), the Use of Data to Train AI (Prompt 5), and the Dissemination of Data to Third Parties (Prompt 6), as well as the choice these Companies Provide Users for Deleting Their Data (Prompt 7) and opting-out of having their Data Collected (Prompt 8)

5.2.1 Notice.

Data Collected. All of the companies in our dataset provide notice that general personal data is collected. However, only nine of the 13 policies specified that the personal data collected includes video (Prompt 2) or image (Prompt 3) data. This includes four of the seven companies that have privacy policies specific to a visual assistance applications: Aira, Be My Eyes, BeSpecular, and TapTapSee. The companies with umbrella policies that report on personal visual data collection include Adobe, Amazon, Facebook, Google, and Microsoft, though it is unclear which of their product lines or services collect users’ visual data. If a company indicates in its policy that images are collected, the company also is likely to collect video (with the exception of BeSpecular, who reports on the collection of image data but not video data). Finally, those who do not indicate that they collect images include LookTel, OrCam, Sensotech, and Apple.

Length of Data Retention:. Eight of the 13 companies communicate information about the data retention period for general personal data, including companies with umbrella policies (Adobe, Facebook) and policies specific to a visual assistance technology (Aira, BeSpecular, OrCam, Sensotech, TapTapSee, and Google). However, neither annotator found a single instance mentioning the retention period for visual data specifically.

Use of Data to Train Services:. Prompt 5 centers on whether companies give notice about the use of the data they collect to train AI algorithms. Eight of the 13 companies indicate that they use general personal data to train AI (Aira, BeSpecular, OrCam, Sensotech, TapTapSee, Google, Microsoft), yet only two of these companies specify they use personal visual data. One of the two companies, TapTapSee, has a policy specific to their visual assistance application. The other company (Adobe) has an umbrella privacy policy that does not specify if the data collected is used in this way. The five companies in our dataset that did not provide information about the use of data (general or visual) to train AI include: Be My Eyes, LookTel, Microsoft, Amazon, and Apple.

Sharing of Data with Third Parties. Prompt 6 deals with whether companies disseminate personal visual data to third parties, such as other companies, organizations, independent contractors, or individuals outside of the primary organization. The analysis revealed that two company’s privacy policies clearly indicate that personal visual data are shared with third parties (Be My Eyes and TapTapSee). The two annotators could not find information about whether personal visual data are shared from the other 11 companies’ privacy policies.

5.2.2 Choice.

Deletion of Data. Prompt 7 pertains to whether companies’ privacy policies include information about the choices users have for deleting their personal visual data. Twelve of the 13 companies do not provide such information—Adobe is the only one that does. Ten of the 13 companies communicate that users can delete general personal data.

Opting-out of Data Collection. The final prompt centers on whether the privacy policies include information about users’ choice to opt out of having their data collected. None of the companies provide this information for personal visual data, and only six of the policies communicate that users can opt out of general personal data collection.

5.2.3 Summary.

This study involved an analysis of 13 VAT companies’ privacy policies, motivated by the aim of understanding what companies communicate to users about the collection and processing of their personal visual data. The findings reveal that VAT companies rarely provide clear “Notice and Choice” to users about what happens to their images and videos. Next, we discuss the implications of these findings paired with the those from Sections 3 and 4.

6.4.1 Designing VATs with Non-Visual Consent in Mind.

Despite mounting criticism of the effectiveness of “Notice and Choice” for users (referred to in data regulation as “data subjects”), e.g., [84, 104], this paradigm is still the primary mechanism used to guide entities collecting users’ data to inform users about the collection and processing of personal data [67]. Consent is an enactment of one’s choice, and is one of the main legal basis for the treatment of personal data as outlined in the General Data Protection Regulation (GDPR)—a European Union-based law that demands that companies across all sectors of business adhere to practices that give individuals control over their personal data [67].¹⁴ For consent to be valid in the context of personal data collection: (1) it must be freely given, e.g., “the individual must have a free choice and must be able to refuse or withdraw consent without being at a disadvantage”, (2) users must be informed, e.g., users must receive information about the entity processing the data, the purposes for which the data is processed, the type of data that will be processed, the choice to withdraw consent, the use of the data for automated decision making, and the possible risks if data is transferred to third parties [80].

To the first point—consent must be given freely, results from our study indicate that VAT users may not be positioned to provide informed consent. Blind people use VATs, in the first place, to learn about the content contained within their images and videos, and it is unclear whether they are appropriately supported to know what information they disclose prior to consenting to the terms of service. Moreover, if users are uncertain or do not want to provide consent to the collection or processing of their personal visual data (generally) or for specific PVC types, their access to VATs or specific features may be withheld.

To the second point—users must be informed, results of our Study 1 indicate that VAT users do not consider themselves to be informed about VAT companies’ handling of their data, even when they had read the privacy policies; readability of privacy policies is a well known issue, e.g., [62] that extends beyond the population we study here. Furthermore, our investigation in Study 2 showed that many VAT companies do not explicitly indicate that the personal data they collect comes in the form of images and videos, which reveal extensive amounts of personal data that people consider to be private, e.g., [53, 96]. The VAT companies that do provide notice about the collection of personal visual data indicate that they may not remove PVC from images and videos before they are stored and shared (as evidenced in Section 6.3).

Based on these considerations, we recommend that VAT companies proactively develop approaches to:

• Communicate to users the types of personal visual data VAT users (and others, e.g., [66]) consider to be private and under what conditions, whilst explaining the related risk factors.

• Explain to VAT users the validity of the perceived privacy risks based on the current robustness of their data security infrastructures.

• Communicate with VAT users about how they can successfully manage their environments and PVC before sharing visual media so unwanted disclosure is avoided.

• Provide users with contact information for customer support agents who can address privacy-related concerns.

• Provide VAT users with non-visually accessible tools that enable them to assess whether their images have PVC or not prior to obtaining visual assistance.

• Communicate to users, in real-time, when they have shared images and videos that contain personal data and provide in situ opportunities to provide consent before data is recorded or processed.

• Provide mechanisms to validate whether the consent users provide is informed, prior to the collection of data—from either the users’ device or during a live session with a sighted visual assistant.

These measures may establish new social norms around non-visual, visual privacy that promote transparency and can be directly refined and conveyed by any VAT user. Future efforts may focus on user-centered research to observe VAT users’ reactions to privacy and consent notifications, e.g., whether they would view such an intervention as adding helpful or hindering friction when trying to gain visual assistance, and when and how they would want this notice to be provided by human-powered and AI-powered VATs for different PVC content types. Additional efforts may focus on better understanding the ways in which VAT users want their PVC redacted or obfuscated–prior to gaining visual assistance, storage, or sharing (including use of data by third parties)—and how VATs can be personalized to match users’ preferences.

6.4.2 Promoting Alignment Between VAT Users and VAT Companies through the ’Privacy by Design’ Paradigm.

As noted above, many VAT users commonly do not know what is specified in VAT companies privacy policies nor what is actually done with their personal visual data. Findings from Study 2 show that VAT companies rarely provide comprehensive notice or choice nor ensure that users comprehend their policies. This represents a misalignment between the information that users need for a sense of visual privacy and what information VATs provide. While the aforementioned recommendations (and other methods [59, 68, 98, 103, 112]), may be followed to improve alignment, we advocate that VAT companies shift away from simply following the ‘notice and choice paradigm’ to following the more contemporary ‘Privacy by Design’ paradigm. Privacy by Design is a “a proactive approach, to make occurrences of privacy harms impractical in the first place. It demands that privacy be ‘built in’ during the design process”, Pg. 1 [107].

Our human-centered research takes a Privacy by Design approach by identifying what VAT users consider to benefit their sense of privacy and what they consider to add risks to their privacy (Section 3). Based on these findings, the following recommendations to may be used to design novel VATs that mitigate these privacy risks from the outset:

• Design VATs that eliminate users’ experience of [Social Judgement, Loss of Control or Agency, Lack of Personal Management] when sharing private visual content with VATs.

• Design VATs so that users’ sense of [Autonomy] is increased.

• Design VATs so that they inform users about the risks and benefits related to the collection and processing of personal visual data.

• Design VATs so they that account for users’ changing privacy expectations.

These criteria may also be applied to refining the design of current VATs, and helping VAT users choose which VAT best matches their priorities—whether based on their goals for social and community well-being, their understanding of the service offering, or their underlying values.

6.4.3 Accounting for the Contextual Nature of Privacy in VAT Development.

Another promising approach to developing VATs through the Privacy by Design paradigm is to account for the contextual nature of privacy during the delivery of visual assistance—visual privacy perceptions are greatly influenced by the contexts in which they share their personal data [53, 72, 76]—that result in personalized privacy-preserving services.

Study 1 demonstrates our effort to account for the contextual nature of privacy, during which we investigated (1) the type of VATs (human-powered or AI-powered, and (2) the intention of sharing (unknowingly or unknowingly). We provide new evidence related to the influence these factors on participants’ privacy concerns when sharing 21 types of PVC with VATs, e.g., Table 4, as well as the influence of a person’s prior visual experience on their sense of visual privacy—a factor that emerged during our investigation (Figure 2).

Our approach may be used by VAT companies to develop techniques that preserve users’ visual privacy in a responsive and contextually aware manner, i.e., the ability to determine if an image with a specific PVC type should be collected and how it should be processed, as informed by the type of agent providing the visual assistance (human vs. AI), the intention of the disclosure, and/or the VAT user’s prior visual experience. In the short-term, VAT companies may establish guidelines to inform VAT employees and volunteers how to respond to the presence of PVC to mitigate liability for the end user and the employees. In the long-term, we envision the development of privacy-preserving VATs that offer users the ability to specify which contextual understanding will benefit their sense of privacy the most and personally train VAT systems to handle their PVC accordingly.

6.5.1 Study Design.

Study 1. During the Privacy Concern Rating Task, participants wanted more context for some of the PVC types to provide a confident answer. For instance, under the Information Designation subcategory, we identified 111 instances where participants stated their answer would change based on the specifics of the content, e.g., for images that show a tattoo where it would depend on what the tattoo was of and where on the body it was located. In addition, there were 35 instances where participants indicated their scores would change based on the condition that a PVC was Paired with Other Information, such as in the case that a username was shared alongside the password, or that a picture of a face was paired with location metadata. When such considerations arose, we asked participants to provide a score that reflected their highest level of concern to account for the most sensitive outlier. We recommend validation of the findings we present in Section 4 with a larger sample size prior to being used in practice.

Study 2. There also were limitations to our analysis of the privacy policies for VAT companies. First, we used the “Notice and Choice” paradigm as a conceptual framework for our analysis as many of the companies in our sample are US-based, though should also adhere to GDPR. Second, during our analysis we observed that VAT companies do not communicate in their privacy policies about the collection and processing practices they do NOT engage in, leaving us with a binary approach to annotation. Future research may focus on conducting an in-depth content analysis of VAT companies’ privacy policies to identify the rhetorical choices visual assistance technology companies make when authoring their privacy policies.¹⁵ Future work may also consider an analysis according to the principle of “Privacy by Design” that guide GDPR, e.g., Article 25 data protection by design and by default [80]. Future work may extend our investigation of VAT companies’ privacy policies by exploring how VAT users want VAT companies to author privacy policies—or to design alternative communication methods to provide assurance that their personal visual data is not being collected or processed (and if it is, how and why). Relatedly, it could be interesting to explore whether VAT users are concerned that some VAT companies have not updated their privacy policies since implementation of GDPR in 2018 (Section 5.1.3).

6.5.2 Investigating the Impact of the Identified and Additional Contextual Factors.

Additional user studies will help reveal additional contextual factors that influence blind people’s privacy concerns in the context of VAT use, e.g., camera form factor, image metadata, data regulations, whose personal data is captured in the image, the privacy protective practices VAT users enact at the micro or macro level to preserve their PVC, and remote visual assistants and technology developers adherence to personal data privacy and security measures), and investigate how these contextual factors affect users’ privacy concerns for each PVC type and VAT type and condition. Moreover, additional research can be conducted to study the impact of ones’ prior visual experience on ones’ privacy concerns when using VATs, including whether the age at which a person lost their sight impacts their privacy concerns.

We believe it is important to assess these factors as independent variables as well as compounding. Potential future work includes a Contextual Integrity Analysis [76] to holistically evaluate how current VAT practices adhere to what VAT users deem appropriate, e.g., as having “contextual integrity”, and how different privacy protective features introduce new norms, and/or change information flows to reduce the types of threats blind people deem to be negatively impacting their ability to get equitable access to information. We hypothesize that a structured Contextual Integrity Analysis will serve as a useful tool to evaluate how our findings from VAT users compare with the concerns of personal visual data sharing that occurs for different applications by the general public. Moreover, running fractal factorial vignette studies, e.g., [11] may be useful for determining the weight of various contextual factors VAT users’ privacy preferences.

6.5.3 Applying Findings to Other Camera-Based Technologies and their Users.

Finally, many other types of companies employ camera-based technologies (e.g., life-logging devices, robots, drones, and self-driving vehicles) to collect and process users’ personal visual data. Given the growing collection of images and videos, the absolute number of privacy disclosures is expected to increase. Our research methods may be valuable for formative research into the visual data handling practices of companies that provide other camera-based services.

8.1.1 Demographics.

8.1.2 Semi-Structured Questions.

8.1.3 Ranking Questions.

Ranking Scores

PVD Content Types Applied

• Picture where a face is visible/ Reflection of a face in a mirror or glass

• Picture of a naked body

• Framed photo of people

• Picture of a tattoo

• Pregnancy test result

• Pill bottle with a name, medical information, or address on it

• Letter with an address or name on it

• Business card with contact information on it

• Newspaper with the name of a city shown

• Receipt from a store showing a local address

• Miscellaneous papers with a name or local address visible

• Computer screen showing a username

• License plate number

• A local street sign

• A library book with a local branch’s name on it

• Clothing with a logo of a company, organization, or group you affiliate with

• Location

• Name

• Address

• Medical information

• Financial account information

• Other/Emergent