A value-centered approach to data privacy decisions

Abstract

There are a host of data privacy decisions we must make every day – and it is exceedingly difficult, if not impossible, for us to make meaningful decisions about all of them. In this thesis, I define, conceptualize, interrogate, and design for value-centered privacy decision making – that is, decisions that are focused on who we are and what we value – as a means of respecting and promoting user autonomy. To achieve this, this work utilizes philosophical theory to understand value-centered privacy decisions and translates this theory into a system that promotes such decisions. In summary, this work has two major contributions. Firstly, I conceptualize and define value-centered privacy decision-making using a value-centered theory of autonomy. I explore how we can create the space for value-centered privacy decisions by applying the Four-Dimensional Theory of Self Governance (4DT). I first conceptualize privacy decisions in terms of these four dimensions – self-definition, self-realization, self-unification, and self-constitution – and explore existing data privacy challenges through this lens. In particular, I conceptualize notice fatigue in terms self-realization, self-unification, and self-constitution; a lack of relevant privacy controls in terms of self-realization and self-unification; and nudges in terms of self-realization and self-unification. I then present and discuss results from a mixed-methods investigation into how values are involved in privacy decisions – in particular, app choice. We found that they were related in a highly individualized, context specific manner, observing different values that were more relevant based on the app in question. This suggests that the value-privacy relationship is largely informed by individual preferences and understandings of values. However, the values of Use, Control, and Community were quite prevalent, with Use and Control in particular spanning contexts and individual participants. They were also frequently perceived as in conflict with each other. This suggests that these three values are the most relevant to consider when designing for value-centered privacy decisions. The participants’ experiences can also be explained using 4DT, providing empirical support for our conceptualization of value centered privacy. However, the study results also provide insights into how existing systems – such as surveillance capitalism and the attention economy – frustrate value centered privacy decisions. Secondly, I use the 4DT-based understanding of value-centered privacy decisions to establish the usability and effectiveness of the value-centered approach, designing a privacy assistant to help users make app choices that are in more accordance with their personal values. To inform the design of a smartphone assistant that creates this space for users, I examine an existing technology – personalized privacy assistants (PPAs) – using the 4DT lens. Using insights from this examination, I propose a value-centered, smartphone privacy assistant (VcPA) to help users make more value-centered decisions at one privacy decision point: smartphone app choices. This VcPA consists of three features: selective notices, exploratory notices, and a “suggest alternative apps” feature. I then present the results from testing a prototype VcPA system with users, serving as a proof-of concept that a value-centered privacy assistant, designed using privacy preferences and values, could help users when making privacy decisions such as choosing apps. In particular, we found that the VcPA prototype helped users download value-consistent apps, with the “suggest alternatives” feature especially well-received. We also identified places where the VcPA could be improved – for example, profiles could be improved by being made more customizable; VcPA notices could be made easier to understand; and the “suggest alternatives” feature could be more streamlined. This thesis lays the groundwork for future researchers to design systems that promote value-centered privacy decisions. To guide this future work, I lastly present prospective research avenues to advance the value-centered approach to data privacy decision-making. In particular, I discuss limitations of the studies in this work, including engagement with a wider range of demographic groups; touch upon how the identified VcPA improvements, such as improved VcPA profiles, might be accomplished; briefly explore the possibility of applying the value-centered understanding to other privacy contexts; and consider how both system-wide regulation and individual autonomy enhancing interventions, such as the VcPA, can empower us to shape a technological future based on our values.