Post by Kriti Singh | MS Student, Cornell Tech
Presentation by Sunny Consolvo | User Experience Researcher, Google
On April 18, 2019, the Digital Life Seminar welcomed Sunny Consolvo for a talk on people's responses to online privacy, security, and abuse across nations and contexts. Consolvo is a user experience researcher at Google, where she leads the Security and Privacy research team, focusing on usable privacy. In her DLI talk, she discussed some of her group's recent research projects, which will be presented at the ACM CHI conference in May 2019.
Study: Digital security and privacy for financially vulnerable people
41% of adults are living in financial hardship; that is to say, they can't afford $400 in case of an emergency. 120 million people are living at risk of poverty in the EU. This has a huge effect on technology, as these users (1) are limited to using old technology and (2) have limited internet access. The technology currently used by the 'common people' focuses on a "techno-optimistic" or "aspirational" vision of users. This thought process inherently has inclusivity issues, as this vision may be misaligned with financial challenges.
Consolvo and her team conducted interviews with 15 residents and 3 staff members in a transitional homeless shelter in the US Bay Area. For context, these interviewees were homeless and living, on a temporary basis, in an expensive area. Some were living in a family-style setup. The participants were expected to use tech as a core component of everyday life.
She shared some of the key findings of the interviews. They uncovered four 'tough times' challenges that these participants experienced:
The limited financial resources made their lives difficult.
Limited access to reliable devices and internet: participants relied on shared or public devices. As a result, they couldn't use security features like 2-factor authentication.
Untrusted relationships: participants couldn't avoid abusive partners, family members and often faced threats from them. Families had easier access to the devices due to physical closeness to participants' devices.
Ongoing stressors: Coping with security and privacy issues involves careful planning. Stresses like finding a job, recovering from addiction, low tech skills, and fear of making mistakes made it harder for participants to employ security and privacy practices.
Study: How Women in South Asia use mobile devices
50% of the world population is female, but women are underrepresented online. Consolvo and her team interviewed 199 women participants from India, Pakistan and Bangladesh. All participants owned mobile phones and were between 18 and 65 years old. Women in these countries were 70% less likely to own a phone and connect to the internet.
She shared some of the key findings from the study.
Shared usage: Participants' devices were treated as the 'family phone'. E.g. mom's phone became available for the child's use.
Mediated usage: participants relied on others for technical help in using the device.
Monitored usage: 50% of participants found it ok for others to check their phones as they were not super tech savvy. In cases where they may be facing harassment, this monitoring also helped check harassment.
On the idea of privacy, it emerged as a common notion among the participants that privacy was for other families where social boundaries were acceptable. Participants found it impolite to say 'no' to sharing the (or their) device. But, interestingly, all participants had practices that could be classified as 'privacy preserving'. Some of the privacy practices, ranging from least to most effective, were:
Using phone locks to prevent misuse by strangers, though these were undermined by "shoulder surfing" that revealed PINs.
App locks: Locking individual apps preserves privacy but makes participants look like they have something to hide.
Deleting apps or content, but some participants had low awareness of what could be deleted from where.
Private mode on the browser: it emerged that using incognito/private mode was viewed as shady.
Avoiding technology, especially around others.
In another set of interviews, with the same participants from the same countries where gender disparity is high, Consolvo observed a high incidence of online abuse and other negative outcomes. In the study's key findings, it emerged that 3/4 of the participants reported online abuse. Online abuse took many forms, such as cyberstalking or unwanted attention, impersonation or identity theft, and leaking or sharing of personal content.
The online abuse resulted in emotional harm and harm to the victim's (and the victim's family's) reputation. The victims employed coping practices like relying on friends and family, contacting the police, and asking an NGO for help. In their further use of technology, they employed strategies to avoid online stalking. For instance, they looked for trust signals like mutual friends and post history. To avoid impersonation or leaking of personal content, participants reported using non-face photos (e.g. a flower) as their profile picture.
Study: Intimate partner abuse
In the US, 1 in 4 women and 1 in 10 men have experienced intimate partner abuse. Consolvo discussed how victims experience three stages of abuse and the coping mechanisms they employ.
Phase 1, physical control: In this phase, abusers have regular physical access to people and their devices, allowing monitoring and device hijacking or destruction. Here, victims employed multiple coping strategies, mostly avoidant in nature, such as limiting device use, deleting material from the device and using alternate devices or accounts.
Phase 2, escape: In this phase, the victim tries to sever ties (both digital and physical) with the abuser. Some mechanisms include hiding their escape paths, switching to a new job, joining a support group, blocking contacts, and destroying their own devices.
Phase 3, life apart: In this phase, the victim has escaped their abuser but deals with the risk of the abuser finding their information (e.g. phone number, online identities), location etc. Here, survivors limit sharing information online and restrict their children's online activity to protect themselves.
Conclusions
While we may appreciate a heads-up from our service provider if someone attempts to access our account, so that we can change the password, use features like 'log out of all devices' or 'end all active sessions', or even amp up our 2-factor authentication, it is interesting to see how this type of 'technology-design' mindset unfolds for an entirely different stratum of users. While these are safety mechanisms for some, for others safety may require abandoning devices or accounts, resulting in lost content, contact information, and opportunities.
During the ending notes of the talk I was overwhelmed with the wide array of problems from the different strata of the population. She talked about how you can 'build' the product first, then sprinkle in the security and privacy aspects on top. The needs and use cases of the huge spectrum of users using digital tools and products should be kept in mind DURING the design and build phase of our software and services. And the onus of this responsibility is not on a particular 'team' in the company; it is upon us all as inclusive technologists and designers.