
    "Am I Private and If So, how Many?" -- Using Risk Communication Formats for Making Differential Privacy Understandable

    Mobility data is essential for cities and communities to identify areas for necessary improvement. Data collected by mobility providers already contains all the information necessary, but the privacy of the individuals needs to be preserved. Differential privacy (DP) defines a mathematical property which guarantees that certain limits of privacy are preserved while sharing such data, but its functionality and privacy protection are difficult to explain to laypeople. In this paper, we adapt risk communication formats in conjunction with a model for the privacy risks of DP. The results are privacy notifications which explain the risk to an individual's privacy when using DP, rather than DP's functionality. We evaluate these novel privacy communication formats in a crowdsourced study. We find that they perform similarly to the best performing DP communications used currently in terms of objective understanding, but did not make our participants as confident in their understanding. We also discovered an influence, similar to the Dunning-Kruger effect, of statistical numeracy on the effectiveness of some of our privacy communication formats and the DP communication format used currently. These results generate hypotheses in multiple directions, for example, toward the use of risk visualization to improve the understandability of our formats or toward adaptive user interfaces which tailor the risk communication to the characteristics of the reader.

    "Am I Private and If So, how Many?" - Communicating Privacy Guarantees of Differential Privacy with Risk Communication Formats

    Decisions about sharing personal information are not trivial, since there are many legitimate and important purposes for such data collection, but often the collected data can reveal sensitive information about individuals. Privacy-preserving technologies, such as differential privacy (DP), can be employed to protect the privacy of individuals and, furthermore, provide mathematically sound guarantees on the maximum privacy risk. However, they can only support informed privacy decisions if individuals understand the provided privacy guarantees. This article proposes a novel approach for communicating privacy guarantees to support individuals in their privacy decisions when sharing data. For this, we adopt risk communication formats from the medical domain in conjunction with a model for privacy guarantees of DP to create quantitative privacy risk notifications. We conducted a crowd-sourced study with 343 participants to evaluate how well our notifications conveyed the privacy risk information and how confident participants were about their own understanding of the privacy risk. Our findings suggest that these new notifications can communicate the objective information similarly well to currently used qualitative notifications, but left individuals less confident in their understanding. We also discovered that several of our notifications and the currently used qualitative notification disadvantage individuals with low numeracy: these individuals appear overconfident compared to their actual understanding of the associated privacy risks and are, therefore, less likely to seek the needed additional information before an informed decision. The promising results allow for multiple directions in future research, for example, adding visual aids or tailoring privacy risk communication to characteristics of the individuals. Comment: Accepted to ACM CCS 2022. arXiv admin note: substantial text overlap with arXiv:2204.0406
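    The abstract above refers to a model of DP privacy guarantees that is turned into quantitative, frequency-style risk notifications. The Python below is an added illustration written for this page; it is not code from the paper, and the paper's own risk model is not reproduced here. It uses one textbook bound instead: for an epsilon-DP mechanism, an adversary's posterior odds that a target's record is present can grow by at most a factor of e^epsilon over their prior odds, so with a 50/50 prior the posterior is at most e^epsilon / (1 + e^epsilon). The Laplace mechanism on a counting query, the 50% prior and the wording of the notification are assumptions made for the example.

```python
import math
import random


def laplace_noise(scale, rng=random):
    """Draw one sample from Laplace(0, scale) by inverse-CDF sampling."""
    u = rng.random() - 0.5                      # uniform on (-0.5, 0.5)
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def release_count(true_count, epsilon, sensitivity=1.0, rng=random):
    """epsilon-DP release of a counting query via the Laplace mechanism.

    `sensitivity` is how much one person's record can change the count
    (1 for a plain head count).  Assumed mechanism, not the paper's.
    """
    return true_count + laplace_noise(sensitivity / epsilon, rng)


def privacy_loss(output, count_a, count_b, epsilon, sensitivity=1.0):
    """Log likelihood ratio of observing `output` when the mechanism ran on
    neighbouring counts a and b (|a - b| <= sensitivity).

    For Laplace(0, b) with b = sensitivity/epsilon the density is
    proportional to exp(-|x - c| / b), so the log ratio is
    (|x - b| - |x - a|) / b, and its magnitude is bounded by epsilon.
    """
    scale = sensitivity / epsilon
    return (abs(output - count_b) - abs(output - count_a)) / scale


def worst_case_posterior(epsilon, prior=0.5):
    """Upper bound on an adversary's posterior belief that the target's
    record is in the data, given a prior belief `prior`.

    posterior odds <= prior odds * e^epsilon, then convert odds back to
    a probability.  With prior = 0.5 this is e^eps / (1 + e^eps).
    """
    prior_odds = prior / (1.0 - prior)
    posterior_odds = prior_odds * math.exp(epsilon)
    return posterior_odds / (1.0 + posterior_odds)


def risk_notification(epsilon, prior=0.5, per=100):
    """Natural-frequency sentence ('x out of 100') in the style of medical
    risk communication.  Wording is an assumption for this example."""
    hits = round(worst_case_posterior(epsilon, prior) * per)
    return (f"If an attacker tries to tell whether your record is in the data, "
            f"at most about {hits} out of {per} such attempts can succeed "
            f"(without the data it would be {round(prior * per)} out of {per}).")


if __name__ == "__main__":
    rng = random.Random(7)                      # constructed, deterministic demo
    true_count = 120                            # constructed sample statistic
    for eps in (0.1, 0.5, 1.0, 2.0):
        noisy = release_count(true_count, eps, rng=rng)
        print(f"eps={eps}: released {noisy:.1f}; {risk_notification(eps)}")
```

    Two things the block makes concrete: `privacy_loss` can be sampled over many outputs to check that a mechanism really keeps every likelihood ratio within e^epsilon, and `worst_case_posterior` is what lets a notification speak of "x out of 100" rather than of an abstract epsilon.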

    New Differential Privacy Communication Pipeline and Design Framework

    Organizations have started to adopt differential privacy (DP) techniques hoping to persuade more users to share personal data with them. However, many users do not understand DP techniques and thus may not be willing to share. Previous research suggested that the design of DP mechanism communication could influence users' willingness to share data. Based on the prior work, we propose a new communication pipeline that starts by asking users about their privacy concerns and then provides a customized DP mechanism and communication. We also propose a design framework that systematically explores effective communication designs ranging from a text-based high-level description to a step-by-step interactive storyboard. Based on the framework, we created 17 designs and recruited five people to evaluate them. Our user study showed that text-based descriptions have the highest clarity in all scenarios, while the step-by-step interactive storyboards have the potential to persuade users to trust central DP. Our future work will optimize the design and conduct a large-scale efficacy study. Comment: poster

    "I need a better description'': An Investigation Into User Expectations For Differential Privacy

    Despite the recent widespread deployment of differential privacy, relatively little is known about what users think of differential privacy. In this work, we seek to explore users' privacy expectations related to differential privacy. Specifically, we investigate (1) whether users care about the protections afforded by differential privacy, and (2) whether they are therefore more willing to share their data with differentially private systems. Further, we attempt to understand (3) users' privacy expectations of the differentially private systems they may encounter in practice and (4) their willingness to share data in such systems. To answer these questions, we use a series of rigorously conducted surveys (n=2424). We find that users care about the kinds of information leaks against which differential privacy protects and are more willing to share their private information when the risks of these leaks are less likely to happen. Additionally, we find that the ways in which differential privacy is described in the wild haphazardly set users' privacy expectations, which can be misleading depending on the deployment. We synthesize our results into a framework for understanding a user's willingness to share information with differentially private systems, which takes into account the interaction between the user's prior privacy concerns and how differential privacy is described.

    Choose your words wisely! Understanding the strategic communication of differential privacy

    As a possible solution to the growing tension companies face between wanting to collect data and not wanting to upset their customers through adverse events, differential privacy (DP), an approach that allows the collection of data while ensuring privacy, is gaining in popularity. As many companies increasingly engage in deploying DP, they consequently try to communicate such efforts to their consumers. However, compared to traditional measures, DP has unique characteristics which pose special challenges in its communication. Despite this, prior research did not sufficiently address the user perspective on DP. Consequently, we adopt an elaboration likelihood lens to investigate how two prevalent descriptions of DP are perceived. By conducting a between-subjects experiment (n=264) we identify powerful mediating effects in the perception of DP, not known before. We contribute to the literature by demonstrating the full mediation of these effects, and to practice by depicting how these can be incorporated in a successful communication strategy.

    Evaluating the Usability of Differential Privacy Tools with Data Practitioners

    Differential privacy (DP) has become the gold standard in privacy-preserving data analytics, but implementing it in real-world datasets and systems remains challenging. Recently developed DP tools aim to ease data practitioners' burden in implementing DP solutions, but limited research has investigated these DP tools' usability. Through a usability study with 24 US data practitioners with varying prior DP knowledge, we comprehensively evaluate the usability of four Python-based open-source DP tools: DiffPrivLib, Tumult Analytics, PipelineDP, and OpenDP. Our results suggest that DP tools can help novices learn DP concepts; that Application Programming Interface (API) design and documentation are vital for learnability and error prevention; and that user satisfaction highly correlates with the effectiveness of the tool. We discuss the balance between ease of use and the learning curve needed to appropriately implement DP and also provide recommendations to improve DP tools' usability to broaden adoption. Comment: 29 pages, 8 figures

    How WeChat, the Most Popular Social Network in China, Cultivates Wellbeing

    Social media sites like Facebook have recently been blamed for their negative impact on wellbeing, with support from recent research. However, certain features and mechanisms of social media sites may actually increase their users' wellbeing, and the sites may serve as platforms for positive interventions to reach large populations and improve their lives. This paper examines China's leading social network, WeChat, and its potential effectiveness in cultivating wellbeing among Chinese users, through a review of the literature. The paper has six sections. Part 1 presents a brief summary of Positive Psychology and Positive Interventions. Part 2 reviews research findings regarding the impact of social media on wellbeing. Part 3 introduces WeChat's design features and how they may affect users' behaviors. Part 4 suggests six hypotheses on how WeChat may improve user wellbeing. Part 5 proposes possible ways to apply positive interventions on WeChat which would enable users to actively improve their wellbeing. Finally, Part 6 reviews how datasets from various social networks have assisted psychological and developmental research. The last section also outlines a quantitative research proposal to validate the hypothesis that WeChat makes a positive impact on users' wellbeing, and offers limitations and implications for future work.

    Training of Crisis Mappers and Map Production from Multi-sensor Data: Vernazza Case Study (Cinque Terre National Park, Italy)

    The aim of this paper is to present the development of a multidisciplinary project carried out through the cooperation between Politecnico di Torino and ITHACA (Information Technology for Humanitarian Assistance, Cooperation and Action). The goal of the project was training in geospatial data acquisition and processing for students attending Architecture and Engineering courses, in order to start up a team of "volunteer mappers". Indeed, the project aims to document the environmental and built heritage subject to disaster; the purpose is to improve the capabilities of the actors involved in the activities connected with geospatial data collection, integration and sharing. The proposed area for testing the training activities is the Cinque Terre National Park, registered in the World Heritage List since 1997. The area was affected by a flood on the 25th of October 2011. In line with other international experiences, the group is expected to be active after emergencies in order to update maps, using data acquired by typical geomatic methods and techniques such as terrestrial and aerial Lidar, close-range and aerial photogrammetry, topographic and GNSS instruments etc., or by non-conventional systems and instruments such as UAVs, mobile mapping etc. The ultimate goal is to implement a WebGIS platform to share all the data collected with local authorities and the Civil Protection.