690 likes | 995 Views
Visualizing privacy. Aleecia M. McDonald. Overview. The Gramm-Leach-Bliley (GLB) Act Selected portions from An Evaluation of the Effect of US Financial Privacy Legislation Through the Analysis of Privacy Policies Privacy text is hard Privacy Mad Libs example Privacy bingo cards
E N D
Visualizing privacy Aleecia M. McDonald
Overview • The Gramm-Leach-Bliley (GLB) Act • Selected portions from An Evaluation of the Effect of US Financial Privacy Legislation Through the Analysis of Privacy Policies • Privacy text is hard • Privacy Mad Libs example • Privacy bingo cards • Making GLB more useable • Evolution of a Prototype Financial Privacy Notice • What happens in practice? • Privacy practices of Internet users: Self-reports versus observed behavior • Privacy images are hard • Privacy Pictionary / Time’s Up
What is the Gramm-Leach-Bliley (GLB) Act? • Senator Gramm (R, Texas)
What is the Gramm-Leach-Bliley (GLB) Act? • Senator Gramm (R, Texas) • Representative Leach (R, Iowa)
What is the Gramm-Leach-Bliley (GLB) Act? • Senator Gramm (R, Texas) • Representative Leach (R, Iowa) • Representative Bliley (R, Virginia)
What is the Gramm-Leach-Bliley (GLB) Act? • Enacted November 12, 1999 • Effective November 13, 2000 • Not primarily privacy legislation • A.K.A. Financial Services Modernization Act of 1999 • Modernization = ?
What is the Gramm-Leach-Bliley (GLB) Act? • Enacted November 12, 1999 • Effective November 13, 2000 • Not primarily privacy legislation • A.K.A. Financial Services Modernization Act of 1999 • Modernization = Mergers • Financial services includes: banks, stock brokerage companies, and insurance companies
Why does the GLB address privacy? • New privacy concerns arise from future mergers • What happens when your mortgage company talks to your health insurance company? • Existing privacy issues • November 1997, Charter Pacific Bank sold millions of credit card numbers to an adult website company. • 1998, NationsBank shared information with affiliated stock brokerage. Sold high-risk investments to senior citizens. • 1999 - 2000, Memberworks telemarketers. 19/25 top banks. • International issues • 1995, the EU passed the Data Protection Directive. • Initial Safe Harbor proposal did not include the financial industry.
Privacy provisions in GLB • Must store personal information securely • ensure security and confidentiality • protect against anticipated threats • protect against unauthorized access that could substantially harm or inconvenience customers • Must give notice of policies about sharing personal financial information • Must give option to opt-out of some sharing • No sale of specific data for marketing • Pretexting banned
Privacy provisions in GLB • Must store personal information securely • ensure security and confidentiality • protect against anticipated threats • protect against unauthorized access that could substantially harm or inconvenience customers • Must give notice of policies about sharing personal financial information • Must give option to opt-out of some sharing • No sale of specific data for marketing • Pretexting banned
Privacy protection exceptions • Disclosure to affiliates • No notice required • No ability to opt out • Free information flow within entire “corporate family” - can be 1000+ companies, not all financial • Joint marketing disclosure • No notice required • No ability to opt out • Can flow all through the second “corporate family”
What is in a GLB Privacy Notice? • Clear, conspicuous, and accurate statement of the company's privacy practices • What information the company collects about its consumers and customers • With whom it shares the information • How it protects or safeguards the information • Applies to "nonpublic personal information"
Who Gets Notice? • Have you seen a GLB notice? • Have you read a GLB notice?
Who Gets Notice? • Have you seen a GLB notice? • Have you read a GLB notice? • Goes to all new customers • Goes out annually to all customers
Who Gets Notice? • Have you seen a GLB notice? • Have you read a GLB notice? • Goes to all new customers • Goes out annually to all customers • Do notices get noticed? • How does this compare to privacy indicators in web browsers?
Are notices readable? • 85% of adults have a high school degree • 25% have one or more college degrees • Reading level usually three grade levels lower • 8th grade recommended for general population • July, 2001: Privacy Rights Clearinghouse study, average is 15.6 • GLB legislated policies must be “reasonably understandable” yet policies are at college reading level
GLB enacted July 2001 Are notices readable? Source: An Evaluation of the Effect of US Financial Privacy Legislation Through the Analysis of Privacy Policies Steve Sheng and Lorrie Faith Cranor
What makes notices harder to read? • Complexity • Long line length with lots of clauses • Big words • Jargon • “But I don’t want to default” • Legal writing • When is the last time you read a contract for fun? • Being informal can create legal liability • Corporate incentive for “weasel words” • Passive voice endemic
Privacy Mad Libs • A "< X >" is a < Y > who has a "< X > relationship" with a financial institution. A "< X > relationship" is a continuing relationship with a < Y >.
Privacy Mad Libs • A "< X >" is a < Y > who has a "< X > relationship" with a financial institution. A "< X > relationship" is a continuing relationship with a < Y >. • A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship with a consumer.
Privacy Mad Libs • A "< X >" is a < Y > who has a "< X > relationship" with a financial institution. A "< X > relationship" is a continuing relationship with a < Y >. • A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship with a consumer.
Privacy Mad Libs • A "< X >" is a < Y > who has a "< X > relationship" with a financial institution. A "< X > relationship" is a continuing relationship with a < Y >. • A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship with a consumer. • Source: The Federal Trade Commission’s explanation of the Gramm-Leach-Bliley Act
Maybe it’s just the FTC… • Perhaps it’s hard to write about writing policies but the policies themselves are clear and useable. • Perhaps the FTC hired exceptionally bad staff.
Maybe it’s just the FTC… • "An affiliate is a company we own or control, a company that owns or controls us, or a company that is owned or controlled by the same company that owns or controls us. Ownership does not mean complete ownership, but means owning enough to have control." (Seattle Savings Bank)
Maybe it’s just the FTC… • "An affiliate is a company we own or control, a company that owns or controls us, or a company that is owned or controlled by the same company that owns or controls us. Ownership does not mean complete ownership, but means owning enough to have control." (Seattle Savings Bank) • "We share your non-public personal public information only with contractual safeguards to protect the confidentiality of your information." (UniTrust)
Maybe it’s just the FTC… • "An affiliate is a company we own or control, a company that owns or controls us, or a company that is owned or controlled by the same company that owns or controls us. Ownership does not mean complete ownership, but means owning enough to have control." (Seattle Savings Bank) • "We share your non-public personal public information only with contractual safeguards to protect the confidentiality of your information." (UniTrust) • "In the opt-out election, you will have the option of including or excluding the Credit Union from your opt-out election." (UniTrust)
Making GLB more useable • Evolution of a Prototype Financial Privacy Notice: A Report on the Form Development Project (February 28, 2006, Kleimann Communications Group, Inc.) • Six federal agencies’ project to do better • Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency, and the Securities and Exchange Commission. • Explore why consumers don’t read and understand privacy notices • Develop notices that are easier for consumers to understand and use • Phase I: complete • 8 test sites • 16 month iterative cycle for prototype • Phase II: quantitative study to assess the prototype
Project Goals: Paper Prototype • Comprehension. The prototype must enable consumers to understand the basic concepts behind the privacy notices and understand what to do with the notices. It must be clear and conspicuous as a whole and readily accessible in its parts. • Comparison. The prototype must allow consumers to compare information sharing practices across financial institutions and to identify the differences in sharing practices. • Compliance. The content and design of the alternative privacy notices must include the elements required by the GLBA and the affiliate marketing provision of the Fair and Accurate Credit Transactions Act.
Good design: necessary but not sufficient • Table design worked best • Two page design with more details available for those who want them (definitions and GLB mandated notices) • “We learned that we needed to include an educational component in the notice as consumers had no prior understanding of information sharing practices.”
Four Parts of the Design • Title • Frame • Disclosure Table • Opt-out Form
The Title • Attract consumers’ attention so that they will read the notice • Avoids inflammatory language • Helps consumers understand that the information is from their own financial institution • Their personal information is currently being collected and used by the bank • Does not explicitly mention consumer rights
The Frame • Problem: customers uninformed about financial privacy • Need basic information about financial sharing practices to understand the notice • The Frame provides context and supports the core information about a financial institution’s sharing practices • Key frame: heart of ensuring comprehension • Secondary frame: nice to have (FAQs, details, mandates)
The Disclosure Table • Goals: • Understand information about financial sharing policies and their personal information • Can compare sharing practices across financial institutions • Seven basic reasons a financial institution can share information • What is being shared • What can customers opt-out of • Enables direct comparison between companies
The Opt-out Form • On a separate page to make it easy to mail in • Designed to help consumers understand how to opt-out • Structured by type of sharing consumers can opt-out of • Given the GLB: does this seem to do a good job?
Four testing methods • Focus groups • What a group of consumers thinks about privacy notices • What they see as barriers to understanding them • Do not tell the researcher what a consumer will actually do with a notice • Preference testing • In-depth one-on-one interviews • Preferences for vocabulary, headings, notice components, and ordering • Pretests • Dry run of the diagnostic usability test • Validates the methodology • Diagnostic usability testing (structured + unstructured) • how the individual participant actually works with a document • elicits reaction to the information to target and diagnose problems • iterative process; adjustment with successive test rounds
Lessons Learned: Focus Group • People did not read the old style notices • Type was too small, particularly for seniors • Small font signaled unimportant information • Important information was grey on black • Four pages was too much to read • Customers expect banks are trying to conceal information • People believed that all privacy notices were the same • Regulations mean uniformity • Can change at any time so meaningless • Did not understand there are opt-out choices • Choose a bank for free checking and not privacy policies
Lessons Learned: Pretest • Customers did not understand the purpose of notices • In essence: wrong mental model • Thought notice was requesting personal information • Lacked context to understand the text • Opt-out was confusing • Unexpected • Did not have the context to understand the choices • Too much information
Lessons Learned: Pretest“None of the designs worked” “In the end, it did not matter if we changed the test scenario, provided them with more time to ‘study’ the information, or tutored them during the session. Participants had too little of their own context about financial sharing information to understand the content of the notices. Since they had no basis for or understanding of the information in the notices, the designs simply weren’t working in their current format or with their current content.”
Lessons Learned: Usability Testing • Customers do care what happens to their information • Indicated they would read the new notices • Understood why they got the notice and “much of” the content • Recognized opt-out form as an action item • Layout improved comprehension • Word choice matters • Could compare side-by-side policies • Standardization can actually be confusing