Franco Papeschi

One of the major output of the Visible privacy project (of which Denopticon is part of…) is the creation of a set of design principles aimed at creating services that empower people to share data and information with peers and companies.
We wanted to give an overview of some of these principles at the end of our workshop; time constraints have prevented us from describing any of these in more detail, Here some more info….

Privacy is not simply a person’s right to live free from the observation, intrusion and attention of others, but – most importantly – is the power to share personal information as and when s/he wants and with whom s/he wants (friends, enemies, service providers, other companies,…)

In other words, privacy isn’t just about keeping anonymity or personal information safe, it’s about the expectation of being in control of information, data, content, relationships etc, in the present and in the future.

We have identified 5 directions that designers could follow in order to fulfill this expectation; each direction is associated with one or more principles, as you can see in the diagram above:
Give people ownership of their profiles, content and network of people.
Facilitate understanding: writing a privacy policy and ask people to accept it is not enough; most people don’t read it, or – if they do – don’t really understand it.
Reduce disturbance: controlling and choosing the level of openness shouldn’t interrupt the flow of what the people want to achieve. Tools to control privacy should be minimal, simple, contextual.
Fit to context: follow people’s mental models of a system to establish its initial degree of openness; disclose information and controls progressively – from general and simple to the detailed and specific.
Build trust: establish a dialogue with people, rather than targeting them. Invite them to be open and share data and information only if they perceive a benefit in it (therefore, design ways to clearly identify what these benefits are).

Things I liked:

• Energy
• Unpredictability
• Some inventive tactics used during the game
• Some puzzled faces at the beginning transformed into smiles
• Even people who arrived late managed to enjoy the game
• A set of issues that didn’t match exactly with what we thought we’d uncover
• Some of the ideas are brilliantly unexpected.
• Active and interesting discussions from participants
• Good reactions: participants talked about the workshop and the game for a while.

Things I didn’t like:

• Not enough time for a complete and full debrief  (oh well, there is never enough time…)
• The game can be so engrossing that people keep being in ‘game mode’ even after the debrief.

The last bit of the workshop was a bit of brainstorming around how the issues (mentioned in a previous post) could be solved.

This is a quick summary of what came out:

1. Support closed groups, contexts and social norms

Create closed groups and separations to facilitate ‘circles of trust’ in which information can be exchanged.  Exclude those who don`t contribute and block out other unwanted people (walls).

Create social compartments (specific social groups) and share specific types of information with these groups (eg. Private, Professional, NOT valuable information)

2. Build in and facilitate control of data

Ability to ‘Delete ALL!’ to quickly erase all instances of your data (specific piece or a set)

Set a ‘best-before’ date on your data or a constantly changing value for data (eg. credit card number that changes every 5 seconds) to reduce the risk of exposure of valuable information.

DRM or watermarks for personal data

Information made available at different levels of granularity (eg. W2 6BD; Paddington; London; UK) according to context (social, proximity etc)

Data can be faked and rules around data are flexible

3. Provide transparency on what data will be used for, and visibility to track data

Data requestors must specify up front what the data will be used for (the right to ask ‘what are you going to do with this?’)

Reputation is assigned based on crowd-sourced rating and visible to all

Data can be visualised and tracked to show what others do with my data, mapped to show who can see what, and what personal information is currently ‘open’ and visible

4.   Provide independent and monitored 3^rd party control for data

All data is centrally collected by a trusted party and re-distributed openly and freely

3^rd party Mediator for individuals used to govern and negotiate the exchange of my data (eg. Medical data)

Peer-controlled authority to overview / control the service providers, with clear rules & regulation on who owns ‘information’ once shared.

5. Define and establish a value for data

Establish a win-win situation around the exchange of data

Data + context = information = money

Capability to monetise your information if interested parties exist

As mentioned before, the game is nothing more than a tool to explore some issues related to privacy and sharing personal information. During our pilots we discovered that 30 minutes is about the right duration, as the first complex interactions based on memory of previous exchanges appear more prominently after the 20^th minute.

We decided to split the group of participants in 3 sub-groups, and discuss privacy in each one of these. We had 2 basic questions in mind:

• What privacy concerns did the game raise?
• How do these relate to real-life concerns?

Each group had a slightly different take on issues – as is normal. However, this is our attempt at unifying and categorising all the issues and concerns raised during the workshop:

Data violations

Theft of data (overhearing, snooping, …) outrages people and reduces any future element of trust.

What is true? How can I validate it?

Very difficult to verify if information is correct, if a person doesn’t already have access to trusted channels.

What happens if information is not simply false, but simply inaccurate? During the game (and during the first days of Internet), people can falsify information, or make up some data.

Peer pressure

There is a component of individual attitudes to share information.

People with more ‘private’ attitudes, felt the pressure to share information, in order not to be excluded from the game. This led to sub-optimal exchanges, even in moments of embarrassment.

Appropriateness for purpose

“Does a shop need to know when I had my first kiss?”

Age of the first kiss was one of the information to be traded during the game. While asking such a question was perceived as normal and expected during the game, participants were quick to point out that this would be very odd and inappropriate in other situations.

People were feeling uncomfortable if they weren’t able to associate the questions asked by others with the purpose of the game. In general, this can be extended to clarify that the information requested and gathered by a system should be based on the main purpose of the service, and on the idea that people have of its mechanisms.

Each context has unwritten ‘etiquette’

Face to face trading of personal information with new acquaintances generated a bit of anxiety. In these cases, people couldn’t rely on well-defined real-life ‘rules’, or any other form of long-term commitment with their counterparts.

Someone was “not comfortable to ask a woman some specific personal information”.

Overlapping contexts generate fear of loss of control

Some participants considered the questions asked during the game were‘safe enough’: no politics, no job-related questions,… At the same time, other participants noticed the overlapping between private and professional spheres. This is something – they mentioned – that often happens in real life.

The game created a different world, governed by its own rules. This fostered ‘game intimacy’, which is something different from ‘true intimacy’.

Understanding the flow of information and its consequences

Most of the people were not aware that their information would be passed on to others, the first time they gave it to someone. What are the consequences of making something public? They realised it only if and when they had a tangible example of information about themselves that they saw in the hands of some other participants. At that moment, it’s way too late to try and make the information more private.

In the long term, relationships are established and reputation is formed. It happened during the game, after the first 20 minutes. In real life it’sa slower process, but it is the foundation to base any ‘trade’ on.

Affiliation among people based on ‘loose’ commonalities

Building a team was one of the main strategies seen during the game, to share folders full of information about the other participants, and even share money sometimes. This sometimes generated a proper ‘network of trust’. These were far from ‘solid’ groups: participants based their affiliation on gut feelings (“if I like you, I agree to swap info; otherwise not”) or secondary elements (e.g.: “I used the interestingness of responses” [SIC]).

Structural barriers to open sharing

Technological barriers slowed down data sharing, replication, mining. This was true forthe game (e.g. folders are physical, and they are owned by one person). This is less and less true in a digital environment.

The game also presented very rigid time barriers. In a digital context, excess of information is one of the new barriers.

Unbalanced power (AKA: feeling powerless)

There have been cases in the social network space, where rules have changed without any visible notice; this generates frustrations. While confined spaces generate ‘loose’ commonalities and ‘game intimacies’, they also generate tensions with the space keepers, which are perceived as authorities: “ I felt uncomfortable in leaving the information to the facilitators at the end of the game: what are you going to do with it?”.

On the other side, authorities can be useful: “I felt alone: there was no arbiter supervising the game”. All was left to individuals’ ethics, fairness and moral code.

Granularity of information

The possibility to be more or less specific in the way people answered their questions made the game more interesting: some of the participants mentioned it as one of the things that the game allowed and that – on the contrary – is not often allowed in digital interactions.

Real value of data

It is very difficult to identify the value of data and information, as it changes depending on whom is going to get the data (it’s different from person to person, from a person to an organisation,…).

Also, the value of data changes according to the level of intimacy: in the game, the fact that the information wasn’t extremely intimate (e.g. age of first kiss), reduced its value.

Tell me and I will forget /  make me experience it and I will understand

Exposures to the mechanics of how data can be exchanged (e.g. read the rules) was not enough. People understood the ‘real value’ of their information only during the game, by playing and finding themselves in the middle of the action. During one of the pilots we ran, people discovered it only by overhearing others’ conversations, when their own name was mentioned, and information abut them traded by someone else.

Restrictions augment value A.K.A. commoditisation of information

During the course of the game, some participants perceived that data was losing value, as it was becoming so widespread that nobody else was interested anymore: “oh, I already know you – useless”.

My data is more valuable than yours’

“Sharing my profile’s information was more sensitive than sharing information I had gathered about other people; information about me had more value than information about someone slse.

“Trading info about others was much faster”. At a certain point information about others became almost like a commodity.

Symmetry of exchange / what’s in it for me?

The perception that the exchange would benefit both parties was essential to open sharing of information: “Others wanted more from me than they were prepared to give”. In general, participants felt more comfortable when they had a clear understanding of why certain information was being asked for, and when there was a reciprocal commitment (e.g.: “I don’t want to be taken advantage of – even if I am profiting in some way”). Being explicit in the questions (and the motivations behind them) was appreciated: “more comfortable with direct questions, if it’s clear what the trade is”; “theft outraged me”.

Every time we run the Denopticon game, the results are different. That’s why it was exciting and surprising – to a certain extent – for me to walk around the room and hear, observe, highlight some of the interesting techniques and emerging behaviours. Lots of them!  Here are just a few that I still have in my notepad (most of them were written on post-its and were used for the discussion):

One person wrote on a flipchart “let’s be nice, please write your name and number here, and share the information all together”.  A few others followed.  Some just recorded the information on the flipchart and didn`t share their information.

Soon people create small groups and one-to-one dialogues to exchange information.  Some exchanged full profiles between each other, whilst some exchanged only bits of information, trading one bit of information for another.
(Group building strategies – small groups formed early on to trade full profiles between each other, gathering as much information as possible at the start and then trading it on)

People seemed to forget – or not consider – missions as their main way to get most of the points

One participant arrived a bit later, and I forgot to give her money for the first 2 minutes. As soon as she realised it, she commented: “I was using my smile” [to receive information back..]

One person started the game sitting down by herself and waiting for other people to go there. She found – it seems – a very strategic position as all people pass in her proximity

Some people adopted an easy-to-spot form of delayed payments: they request that others leave a ‘coin’ on the side of the flipchart, and write the name of the ‘payer’ on the flipchart (an arrow points at the place where the coin has to be deposited)

One person decided to eat one of the coins ‘because it was a gift’ from another participant

More than one participant was asking if they could guess on the answers from people they know (e.g. their tastes)

One person revealed her latest purchase online to a participant. At the same time she felt compelled to add: “that was for someone else”

People who have the mission of ‘revealing others’ secret missions ask an external person (e.g. one of the facilitators) to write these on the public space, in order to avoid their mission being exposed.

People were trading others’ information, rather than their own

Trickery and promises to help others fulfill their secret mission were used to expose secret missions

People looked over people`s shoulders or eavesdropped to obtain information

One person tried to auction off his data but no-one took the bait.

Denopticon is a 30-minute game where you – as participants – need to discover information about others, who will want to discover information about yourself. Based on an open source game – Guillerme Tows’ Privacy is Dead – the game begins with each player filling a form (the Identity Card), with 9 items of personal information. Each person is in control of their own information at the beginning. Don’t be afraid… what happens in denopticon, stays in denopticon…

The objective of each person is to gain as many points as possible: the basic and simple way to get points is to get a piece of information from another person: one correct info = 1 point. And then, money: 1 coin = 1 point. But it’s long and difficult to get lots of points. So here is where the Secret Missions play a role: each participant has a secret mission, which will help them get many more points (from 3 to 100!!).

Each person is ‘anonymised’: s/he receives a number they will use as a unique identifier for the rest of the game. Name and surname – although publicly available in the conference website – were one of the items of information to discover and trade.

How to get information from others? In many ways: by asking the person, by asking someone else, overhearing a conversation,… In exchange for this information anything can be traded: information, coins, promises for future information,… except something unrelated to the game (e.g. a contract for a future project).

Why a game?

In the past few months I have taken part in many workshops and lectures on privacy. Lots of interesting debates and a variety of positions. After a while, however, I have noticed that none of these debates was actually able to change the point of view of any of the participants in one way or another. As it happens, we all were filtering our ideas according to what we believed already. Very little action, zero ‘transformation’. Also, privacy is one topic where people’s opinions and attitudes are often different from their actions – for many many reasons. Hence the idea of something practical and action-based. By having to share and ‘trade’ personal information (e.g. home postcode, age of first kiss…) we hoped to generate a debate based on what happened during the game. Btw, this is exactly what happened, with all its pros and cons.

Prior to the workshop at Lift, we had tested the game a couple of times, to be sure the dynamics were fluid, and would help generate a discussion afterwards. In our pilots of this game, we saw lots of different tactics used to play the game: people forming groups and lone-stars; people swapping folders and people writing info on post-its; people sharing missions and people hiding names; people using money at the very beginning and people using it at the end. Some of them were effective and some of them not; part of the game is to find the one people? feel more comfortable with…

Privacy is an issue where opinions, attitudes and behaviours differ quite radically. But while people tend to be vocal about their right to privacy, they’re often lax about enforcing it in their daily lives.

Key to establishing an open attitude between a service and its customer base is the development of a trusting relationship.

Privacy is rarely the primary goal for a customer signing up to a service. Lorrie Cranor (Carnegie Mellon CUPS) defines privacy as a secondary task (link: http://cups.cs.cmu.edu/courses/ups-sp08/slides/080218-cranor-design-for-privacy.ppt – page 6: ‘users still want to focus on their primary tasks’). Even if it is secondary, it’s something that could act as a barrier to a continuous engagement with the service, if poorly managed.

If we narrow down the focus and we consider privacy as a way of controlling the flow of communication and information that is shared with other actors in the system, I think we can describe some of the main issues in a clearer way.

The ‘direction’ and the reciprocity of the communication flow is certainly one factor: incoming contacts and information can be perceived as invasive and inappropriate, according to the type of relationship with a person/institution, the context, some expectation of a benefit.
On the other side, outgoing communication presents 2 challenges: is what I shared owned by me? Can I follow the propagation of this information through the meanders of the digitally connected data repositories?

The other factor to consider is the perception of intentions of the other actors involved in sharing. This is usually captured through ‘trust’, ‘reputation’ and other forms of social capital.

With the multiplication of actors and agents that are able to see and capture digital information (as we have seen above), it’s difficult if not impossible to foresee the consequence of sharing data, and map out the intention of people that may search, find or stumble upon certain information.

Privacy is the window through which identity is accessed, shared and manipulated. Identity is defined by the content and data that is shared around. Character is action, and action – in a digital networked environment – is provided by data and information shared with others.
Data can be very ‘static’, like the more permanent identity properties (identifiers,..) or dynamic (updatable identity properties that allow interpretation over time, e.g. status update).

The thing is, some of this information is captured by the system without me being aware, or in control of this. All the traces I leave behind constitute a digital trail I rarely have visibility on. This is one of the most challenging aspects of privacy (probably together with knowing how this information is used by others).

One of the ways to get my head around privacy, is to start thinking about who the people and systems (agents, in general) are – that need to be considered. How many of these are single individuals, rather than communities or collective entities? What is the recognisable identity of these ‘collectives’? Are they ‘faceless entities?  When – as a person – I interact with some digital platform that captures and shares my information, what is their degree of visibility to me?

The level of visibility is becoming a very important factor: sites like Twitter or Facebook are opening a person’s contribution to the world (e.g. twitter comments searchable on Google). But not only: services that aggregate different social networks and propagate user generated content are proliferating (think Vodafone 360, just to name one …). Who is the audience of what I publish, if I have created a chain of services that transmit my content to other platforms? How does it become visible to me?
At a broader scale, hidden services and components are the new cookies.