Privacy and Usability

The Privacy and Usability (Privacy&Us) innovative training network addresses the problem of protecting citizens' privacy, while enabling them to make informed decisions regarding their actions with privacy implications. With the rapid accumulation and processing of personal data by numerous organisations, it is of paramount importance to protect people from adverse uses of their data, while allowing them to enjoy the benefits the use of these data can possibly provide. To achieve that it is key to tackle the problem of usability, including aspects related to models of behavior, interaction design, technology design, and risk analysis and law.

The overall objective of Privacy&Us is to instruct thirteen creative, entrepreneurial and innovative early stage researchers (ESRs) to be able to reason, design and develop innovative solutions to questions related to the protection of citizens' privacy, considering the multidisciplinary and intersectoral aspects of the issue. The ESRs were trained to face both current and future challenges in the area of privacy and usability by offering a combination of research-related and transferable competence skills. These skills enhanced their career perspectives in both the academic and non-academic sectors.

All ESRs successfully completed all planned steps of their training. The ESRs received comprehensive training and engaged in intersectoral collaboration. Through this collaborative effort, Privacy&Us made a significant contribution and impact to the ESRs future careers.

The work carried out in Privacy&Us from its beginning to its end can be summarized as following:

In terms of project management: Privacy&Us hired thirteen ESRs within the planned time frame. All the ESRs were retained until the end of their recruitment period, with the exception of one ESR, who completed his doctoral education before the end of his recruitment period. All planned deliverables were submitted. Both the management board and the supervisory board met regularly during the project duration. The final meeting took place in October 2020.

In terms of training: five Privacy&Us training events were organized, the first in cooperation with the IFIP Summer School 2016. In the second event, the ESRs presented their PhD research proposals to an evaluation committee, which were revisited in all the following training events. In the training events, the ESRs took part in 19 interdisciplinary and professional training modules. Ten additional online training modules were offered to them. A final event was organized for the ESRs to present the results of PhD research work. All ESRs completed their secondments.

In terms of scientific results: ESRs authored peer-reviewed and accepted international publications in proceedings of well-acknowledged conferences and journal articles. The total number of scientific work authored or co-authored by ESRs adds up to 51 publications, where ten result from direct collaborations between the ESRs. Furthermore, five PhD theses have been published and successfully defended.

In terms of dissemination: the project website (https://privacyus.eu) and a Twitter account (@privacyus_itn) were set up, and press releases were disseminated. The ESRs engaged in the participation in, and publication of technical reports and scientific papers at workshops, conferences, and journal articles. Concerning general audience publications, Privacy&Us appeared in newspaper articles, news websites and podcasts and ESRs published blog posts about their research. A public Git repository (https://github.com/PrivacyUs) was set up for the distribution of open source code.

We have successfully trained all the thirteen ESRs to reason, design and develop innovative solutions to questions related to the protection of citizens' privacy and to convert their knowledge and ideas into products and services for economic and social benefit.

Advances of the state of the art produced by the ESRs aim at answering the research problem on how to protect citizens' privacy. The ESRs looked at this research problem with different perspectives. Their results range from socio-psychological and legal perspectives to technical data protection aspects.

We looked into instruments for measuring human attitudes and behaviors related to privacy decision making. We also built mathematical models for the decision making process that aim to better represent the interactive and reinforcing factors involved in deciding when to share or to share not personal data.

The results of our experiments on an individual's emotional state, visual cues and graphical representations of privacy policies, show that individuals can be nudged towards deciding whether to share their personal data or not depending on how the requests are displayed. This finding is important because it shows that it is possible to steer the decision of an individual to share personal data or not. Our results reinforced the idea that privacy decision making is neither purely rational nor purely irrational.

We worked on usability aspects that improve transparency. Hence, individuals can better understand what, when, how, and why their data is collected and later follow up if their personal data is processed accordingly. Better informed individuals can also better perceive and evaluate privacy risks, and we advanced the understanding of risk perception with a series of users studies. We looked into how men engaging in a dating app for meeting other men disclose their HIV status or not and how this decision affected others' perception of them. We proposed a number of design considerations that could mitigate stigmatization of users in these platforms.

We developed usable security and privacy tools following user-centered designs and produced a legal analysis on unfair data practices and proposed legal measures for preserving privacy and the autonomy of individuals. Following field studies on how people use NFC payment terminals, we redesigned the NFC payment experience to improve its usability, security and privacy with an improved screen design and sensory feedback. We also looked into personal data leaks in mobile apps and observed the positive practical impact of the GDPR in reducing the amount personal data leaks.

The general lack of access to graphical interfaces in IoT devices mean that is extremely difficult to understand what, why, how and when personal data is collected by these devices. We proposed the use of nutrition-like privacy labels to be printed on the package of those devices to make it transparent to the users so they would be able to easily compare functionally between similar IoT devices and decide beforehand on the conditions to share their personal data.

Concerning measurable results, the ESRs published 51 peer-reviewed and numerous general audience publications. The project successfully reached out to educate schoolchildren, teenagers and their teachers about privacy, especially in the context of social networks and smartphones, on events at local schools in the UK.