A Case for Privacy Coordination


Something fairly insignificant happened on the train the other day, when it occurred to me there is something wrong with the way we think about (and design for) privacy. It wasn’t long after the introduction of the “OV-chipkaart”: an electronic payment system for public transport in the Netherlands. I was minding my own business, when the train attendant asked a fellow traveler whether she had been on the Schiphol airport two days earlier. She replied that she was; the train attendant said that something had gone wrong with check-in there; my fellow traveler shrugged and this was the end of the conversation. Nothing more happened, but I was stunned. I do not consider public transport travel history as superprivate information but this short exchange showed three privacy flaws in the card and the way it is used.  First, travel information (up to 12 trips) is stored on your travel card for no obvious reason, second, train attendees see this information whenever they scan your card and third, the train attendee in question did not feel inhibited at all to share information this publicly; or at least with travelers nearby. And it is not an exceptional incident. Privacy flaws like these three are becoming more and more common while it is possible to prevent them. In this post I would like to explain how.

I had never considered privacy as something important you could (or should) design for, but I changed my mind because of two PhD theses from co-workers.  At 22 September 2008, Natalia Romero Herrera presented her thesis titled: “Coördination of Interpersonal Privacy in Mediated Communication” at the Eindhoven University of Technology. Less than a year later, May 19th, 2009, her co-worker Evelien van de Garde-Perik followed with her thesis: “Ambient Intelligence & Personalization: peoples perspectives on information privacy”. Both these theses are worth reading, but they are for a specialist audience. Still, I believe there is one bit of knowledge from this work that every designer needs to know about. This is wat it is: every designer should be able to make the distinction between privacy coordination and information privacy. I believe the difference between these two is easy to grasp, but it matters a lot which one you choose to frame the privacy problem: depending on your choice you will ask different design questions.

Let me take a closer look to the distinction between privacy coordination and coordination privacy. Most people think of privacy as an information privacy problem. Van de Garde defines it as ‘the ability of the individual to control the terms under which his or her personal information is acquired and used by others’. If you want to control your information privacy, you need to decide who can have and use information about you.  Van de Garde dates the privacy debates back to the 19th century, when recording equipment such as print and photography emerged. These new technologies made it possible to present information about someone to a new audience after the event was over. To my taste it is this possibility of second hand (mis)use which gives information privacy its ungraspable and ghostly feel. Debates on information privacy are often about situations that do not really happen, or at least not often enough to assess the risks reliably.

This is also why it is difficult to design for information privacy but Van de Garde’s research shows it is important. She shows people do have privacy concerns and show a limited understanding of information about privacy consequences. Also it is difficult to give users control in a manageable way. People would like to know: what information about them is collected or stored (1), who can be the possible recipients of their information (2) and the purpose of use of their information (3). If you want to give users control over all these properties, for several bits of information and multiple possible audiences you end with a combinatorial nightmare. So, Van de Garde evaluated several interaction models which could simplify this task. Users reacted diversely but there are clusters of with similar privacy preferences visible in the data. Van de Garde did not give a full classification of users based on their privacy preferences. Such a classification would be interesting though. Designers privacy sensitive interfaces could create personas out of them. Designing for information privacy is a necessary but difficult task because, also in Evelien van de Garde’s work privacy concerns turn out to be so context specific. It is this finding where design for privacy coordination enters the picture.

Surely the privacy discussion had evolved since the 19th century, but in 1975 a social psychologist called Irwin Altman gave it a radically different twist. According to Altman privacy is “an interpersonal boundary process by which a person or a group regulates interaction with others”. Altman argues that, to understand privacy, we must see it as an ongoing coordination process between people rather than an information problem. In an everyday privacy coordination problem in the office you need to cooperate to set privacy boundaries. You may open your office door when you’re open to talk to colleagues and close it when you are not. You colleagues may barge in, despite the closed door. You may ask them to leave if they do so; and so on. Or, to give a different example: you didn’t really want to tell about an embarrassing situation on that party, but you didn’t want to spoil truth or dare, so you told it anyway. Rather than talking about what might happen to your data in the future, privacy coordination is about telling people to keep distance or come closer here and now, which we do every day – in a myriad of way’s.  When we look at privacy this way – as an everyday coordination problem, information privacy is a special case where we try to capture and arrange many of these problems in a couple of fixed rules. Information privacy stands to privacy coordination as law stands to the resolution of everyday conflicts; it is its sediment.

Thus, Altman’s views bring privacy closer to home, but are they applicable to design? This is the question which Natalia Romero Herrera  explored in her thesis. Apart from Altman, she build on Herbert Clark’s common ground theory and she did extensive fieldwork, both to create a model to describe and understand how people can communicate privacy borders in mediated communication: the privacy grounding model. Most electronic tools are ‘always on’ technologies, and do not offer privacy grounding possibilities, such as the ‘doorpolicy’ which I just discussed. You can close your e-mail client, but there are few tools which allow you to postpone unimportant emails or mails from certain people. Imagine an email clients which allows potential senders to know the settings of your privacy filter and to breach it when it is important enough. In everyday conversation we solve this type of coordination problems almost effortless, and non-verbally.  The design difficulty for electronic privacy coordination support is to keep it as lightweight. It needs to be in the background, it needs to be easy to control and it needs to allow for ambiguity. Using the privacy grounding model, Romero did built tools which support lightweight communication of privacy needs. She thought of a single click and a drag and drop privacy coordination solution for instant messaging applications and she designed a tangible “availability cylinder” to express your general availability level in an easy way. So, Romero did find ways to design for privacy coordination.

So let me go back to the train and the “OV-chipkaart”. There is information privacy design in the card system. Someone has decided that  all cards would store 12 trips and these would be available to all cardreaders . The difficulty of this design decision is that it has to cover all possible usecases of the card and their social contexts. However, what van de Garde and Romero show, is that after the decision about information storage has been made, there is ample room for privacy friendly user experience design. Evelien van de Garde’s, work shows that it would have been possible to give users control over the situations and people with which they were willing to share this information. Natalia Romero’s work suggests to design the interfaces so people can coordinate whether they want to share their information when they need to. Say the travel history would have been on a second screen of the train attendants interface. Let’s also assume the railways would have created a protocol urging train attendants to treat this information with care. This way exchange in my train that day could have been much more pleasant. Attendant: “I see there is something wrong with a previous check-in, would you mind if I see what went wrong”. Traveler: “sure, I would like to know”. Attendant: “There is a failed check-in at Schiphol, probably you flipped your card to fast past the reader”. Traveler: “Al right good to know”.  There is the same information on the card in the example. The difference is that users can coordinate their privacy needs directly when they need to because this process is supported in the interface. Thinking of privacy design as a privacy coordination problem puts privacy concerns in the actual context of use, in the here and now and in the hands of the users. If applied with care this makes the life of the designer easier and the life of the users a lot more private.

Reading more

I haven’t written extensively about privacy before, although my post about Diaspora, the open source alternative for Facebook, touches on the issue and provides some links. Also I briefly discussed Herbert Clark’s theories about language as coordinated action in my post: Does Twitter have a Tempo?

The full text of both Coordination of Interpersonal Privacy in Mediated Communication and Ambient Intelligence and personalization: peoples perspectives on information privacy can be found online.

[1] Cited from Nathalia Romero’s thesis pp28


3 Responses to “A Case for Privacy Coordination”

  1. 1 SxD: Common Ground & Privacy Grounding « tomislav29
  2. 2 Recipient Responsibility in Netiquette « @koenvanturnhout MacroBlog
  3. 3 Avenues for Awareness | @koenvanturnhout MacroBlog

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: