Privacy policies are commonly used by service providers to notify users what information is collected, how it will be used and with whom it will be shared. These policies are however known to be notoriously long and hard to understand, and several studies have shown that very few users actually read them. Alternative solutions that accurately communicates the most important parts of the policy in a way that is more enjoyable to read, is therefore needed to aid the users in making informed decisions on whether or not to share information with a provider.
By following a design science strategy we first explore current solutions, and based on an initial evaluation we find the Nutrition Label to be the current approach best suited to base further work on. Through an assess and refine cycle we first evaluate the Nutrition Label based on usability literature, and propose a set of design criteria which is used as a basis for developing an alternative solution, entitled the Privacy Table. By following an iterative design process, we evaluate the Privacy Table in terms of accuracy, time-to-response and likeability through a pre-test, a laboratory experiment with 15 participants, and finally through an Internet experiment with 24 participants, where each iteration results in a re-designed version of the Privacy Table.
While we don't find clear evidence for any difference between the formats, we find indications for that they perform similarly in terms of accuracy and enjoyability. We discover several issues regarding the Nutrition Label where some are related to the terminology used, which could indicate that it would need modifications in order to be usable among non-native English speakers. We also suggest that future research on the Nutrition Label should focus on its usability rather than further expansion, and that it should be considered to base it on a more simplified underlying technology than the P3P language. Finally we find that a merged version of the Privacy Table and the Nutrition Label could be advantageous to use in relation with current and future privacy enhancing technologies, as a top layer to communicate the most important privacy practices.
Place, publisher, year, edition, pages
Institutt for datateknikk og informasjonsvitenskap , 2011. , 239 p.
ntnudaim:6266, MTDT datateknikk, Program- og informasjonssystemer
IdentifiersURN: urn:nbn:no:ntnu:diva-13647Local ID: ntnudaim:6266OAI: oai:DiVA.org:ntnu-13647DiVA: diva2:441346
Røstad, Lillian, Universitetslektor IITøndel, Inger Anne