Limitations of notice

Last week I found myself engaged in a discussion with a lawyer-friend about the great advances that mobile applications have made with respect to privacy. Rather than clicking through a lengthy privacy policy, he told me, you’re now presented with a screen that asks you directly if this application can access your location. You then know this application could get your location, and have given opt-in consent up front in the case that it tracks and stores your whereabouts. Or, alternatively, you can deny that application the ability to access your location (though I’m not certain if applications retain any functionality in this case). I think this analysis misses some of the usability issues here. While I do think these forms of notice are movements forward, I have some thoughts on why they still aren’t enough.

The problem with these forms of notice is the misalignment of incentives. An application has every incentive to get that opt-in consent up front, even if it will only access your location once or not at all. It is a greedy form of opt-in, one that mitigates future risk by covering all possible scenarios. If you were an application developer, why wouldn’t you ask for this agreement upon installation? I admit to not knowing the full technical details, it is possible that a platform only enables this consent process if it knows the application will actually access location, but even then, as a developer why wouldn’t you just build into your application the ability to access location, even if you didn’t necessarily need it?

For the user, the effect is that the notice becomes meaningless. You have no idea which applications are accessing your location when, whether they are storing historical records of it, or what they are doing with your location. This request appears upon startup of a new application, and I at least click through, eager to use the application I just installed. Is this starting to sound familiar? Click through? …you might be thinking that these notices are the new EULA. I might also note that this is, I think, an almost identical structure as what happens with applications on social networking platforms like Facebook. The user consents to the application’s ability to access certain information up-front, or, now, with Facebook generally the user agrees to let any and all applications (none of which may be installed on this account) access certain types of information. It’s a reduction to the lowest common denominator problem: all these forms of opt-in notice create incentives to be as greedy as acceptable, leaving the user with the least necessary amount of notice and choice.

What I’d rather see is a log of the mobile applications that accessed my location, when, and for what purpose. And an icon that appeared along the top of the screen every time an application accessed my location. With both features, I’d notice when an application was doing something suspicious AND be able to dig into the details to see whether I liked what it was doing. In the case of Facebook, I’d like to see a list of applications that have accessed my “Publicly Available Information” that I agreed to make available simply by having an account. Those forms of notice might actually be meaningful for me and assist me in making choices about which platforms and applications to use, whereas the opt-in consent form of notice requires me to make a choice up front without requiring that more information about that choice be made available to me over time. I have a forthcoming paper that explores some challenges that opt-in consent presents, and I think the mobile and social networking application examples are useful in thinking through the consequences of this opt-in privacy architecture. More commentary on this in a month or so.

There has been research done on the effectiveness of privacy policies, much of which seems to me to be targeted at simplifying the method of communication. The hypothesis being, I presume, that lengthy written policies are too difficult for users to work through, but standard policies would be simpler. Here’s where the mobile application example is interesting. The request for location access is not lengthy or hard to understand, I’d say it’s crystal clear. But it is still a click-through policy. Users are presented with one click-through request after another, every time they install an application that wants location information. It’s a pretty standard template, and yet for me, is relatively meaningless. I can’t understand the consequences of having clicked through, because I have no awareness of when any given application is actually accessing my location, or the reasons offered for doing so.

Now, there are some real usability challenges associated with shifting the model to something closer to what I’ve just described. I don’t think there is a solution available and that companies just aren’t implementing it, I think the movement signaled by the simpler privacy notice is a good one and that we have years of innovation in this space ahead of us.  I did find it interesting, though, that my lawyer-friend didn’t seem to agree with this analysis even after some discussion, but instead actually argued the opposite: that this greedy consent was a good thing because it was opt-in and covered all the possible risks. Seen from a contract perspective, this makes a lot of sense. But from a usability perspective, I’m not at all sure I agree.

This entry was posted in Uncategorized. Bookmark the permalink.

One Response to Limitations of notice

  1. Andrew says:

    Interesting post. A few years ago, in a project to implement privacy protection in autonomous personal agents, we developed the idea of Just-In-Time Click-Through Agreements (JITCTA). The idea was that dialogue boxes would appear when the user was disclosing particularly sensitive data, and consent would be gained in the current context. This was combined with a logging system so every use of personal information by agents was logged and revocable, as you suggest.

    A preliminary usability test of JITCTAs showed they were somewhat successful, although some people assumed they were advertisements and dismissed them immediately. The idea has been elaborated in more recent projects with some success.

    Some pointers to things to read:

Comments are closed.