
    Privacy Architectures: Reasoning About Data Minimisation and Integrity

    Privacy by design will become a legal obligation in the European Community if the Data Protection Regulation eventually gets adopted. However, taking into account privacy requirements in the design of a system is a challenging task. We propose an approach based on the specification of privacy architectures and focus on a key aspect of privacy, data minimisation, and its tension with integrity requirements. We illustrate our formal framework through a smart metering case study. Comment: appears in STM - 10th International Workshop on Security and Trust Management 8743 (2014).

    One Size Does Not Fit All: Information Security and Information Privacy for Genomic Cloud Services

    Most extant genomic cloud services strive to maximize information security and information privacy protection, thereby neglecting the diversity of information practices in genomic research. Such a one-size-fits-all approach is not expedient and decreases the overall system usability and performance. While there is growing awareness that employed information security and information privacy measures must adapt to information security and information privacy requirements inherent to information practices, limited design knowledge exists on how to actually design genomic cloud services capable of accounting for differences in information practices in genomic research. In this research-in-progress, we propose a model for genomic cloud services that dynamically adapt to the diverse information security and information privacy requirements in genomic research. Our research contributes to the scientific knowledge base by capturing design knowledge for secure, privacy-preserving, and usable genomic cloud services, accounting for conflicts between information security and information privacy, and fostering understanding of information privacy as a context-sensitive construct.

    Privacy Invasion Experiences and Perceptions: a Comparison Between Germany and the Arab World

    Similar to research in behavioral psychology, research in privacy and usable security has focused mainly on Western, Educated, Industrialized, Rich, and Democratic (WEIRD) societies. This excludes a large portion of the population affected by privacy implications of technology. In this work, we report on a survey (N=117) in which we studied technology-related privacy concerns of users from different countries, including developing countries such as Egypt and Saudi Arabia, and developed countries such as Germany. By comparing results from those countries, and relating our findings to previous work, we brought forth multiple novel insights that are specific to privacy of users from under-investigated countries. We discuss the implications of our findings on the design of privacy protection mechanisms.

    The UX of things: exploring UX principles to inform security and privacy design in the smart home

    Smart homes are under attack. Threats can harm both the security of these homes and the privacy of their inhabitants. As a result, in addition to delivering pleasant and aesthetic experiences, smart devices need to protect households from vulnerabilities and attacks. Further, the need for user-centered security and privacy design is particularly important for such an environment, given that inhabitants are demographically diverse (e.g., age, gender, educational level) and have different skills and (dis)abilities. Prior work has explored different usable security and privacy solutions for smart homes; however, the applicability of user eXperience (UX) principles to security and privacy design is under-explored. This research project aims to address the ongoing challenge of security and privacy in the smart home through the lens of UX design. The objective of this thesis is two-fold. First, to investigate how UX factors and principles affect the security and privacy of smart home users. Secondly, to inform product design through the development of an empirically-tested framework for UX design of security and privacy in smart home products. In the first step, we explored the relationship between UX, security, and privacy in smart homes from user and designer perspectives: through (i) conducting a qualitative interview study with smart home users (n=13) and (ii) analyzing an ethnomethodologically informed study of six UK households living in smart homes (n=6); we then explored the role of UX in the design of security, privacy and data protection in smart homes through qualitative semi-structured interviews with smart home users, designers and business leaders over two rounds of interviews (n=20, n=20). In the second step, using conceptual framework analysis, we systematically analyzed our previously collected data and the literature to construct a framework of design heuristics for consent and permission in smart homes. We applied these heuristics in four participatory co-design workshops and reported on their use. We further analyzed the use of the heuristics through thematic analysis, highlighting how the heuristics were used, their purpose, and their effectiveness. By bringing UX design to the smart home security and privacy table, we believe that this research project will have a significant impact on academia, industry, and government organizations. Our thesis will improve design practices for security and privacy in domestic smart devices while addressing wider challenges, opportunities, and future work.

    Privacy is a process, not a PET: a theory for effective privacy practice

    Privacy research has not helped practitioners -- who struggle to reconcile users' demands for information privacy with information security, legislation, information management and use -- to improve privacy practice. Beginning with the principle that information security is necessary but not sufficient for privacy, we present an innovative layered framework - the Privacy Security Trust (PST) Framework - which integrates, in one model, the different activities practitioners must undertake for effective privacy practice. The PST Framework considers information security, information management and data protection legislation as privacy hygiene factors, representing the minimum processes for effective privacy practice. The framework also includes privacy influencers - developed from previous research in information security culture, information ethics and information culture - and privacy by design principles. The framework helps to deliver good privacy practice by providing: 1) a clear hierarchy of the activities needed for effective privacy practice; 2) delineation of information security and privacy; and 3) justification for placing data protection at the heart of those activities involved in maintaining information privacy. We present a proof-of-concept application of the PST Framework to an example technology -- electricity smart meters.