may not capture opportunistic concessions or agreements that may arise in
potentially unknown situations.
Game-theoretic approaches. Another approach has been to define negotiation protocols, which standardize the communication between participants negotiating a solution to a MPC by defining how the participants can interact with each other. These protocols are then enacted by users manually [15] or automatically by software agents [17, 31] to negotiate an agreed sharing decision for a particular item. Participants can follow different strategies when enacting the negotiation protocols, and these strategies are analyzed using well-known game-theoretic solution concepts such as the Nash equilibrium. This makes it possible, for instance, to determine analytically the best strategies that participants can play, as well as to find strategies that are stable (strategies in which no participant has anything to gain by changing only her own strategy unilaterally). While these proposals provide elegant frameworks from a formal point of view and build upon well-studied analytic tools, they may not work well when used in practice [13]. This is because users’ behavior does not seem perfectly rational in practice (as assumed in these approaches), and even if some are starting to consider other factors like reciprocity [17] and social pressure [25], they are still far from considering the many very social idiosyncrasies that play a role in MP [18, 40].
Fine-grained approaches. The last research stream focuses on preventing MPCs by allowing each user in a photo to independently decide whether some personally identifying objects within the photo are shown or blurred [14, 36]. In particular, one of the first works in this approach allowed users to individually decide whether their face is shown or blurred [14]. The process works as follows: the users in a photo are identified using face recognition algorithms such as Facebook’s DeepFace algorithm [34]; the users recognized are notified and they can suggest the list of friends who can have access to the photo; and when a user wants to access a photo, she will only see the faces of the users that have granted access to her and the other faces in the photo will appear blurred. However, blurring faces (or other objects in a photo) may impact the utility of the photo being shared, negatively impacting the benefits people get by sharing in social media [29], and there is also the risk that a person can be reidentified even if her face (or other objects in a photo) has been blurred [23]. Hence, when a collaboratively agreed solution to a MPC is possible, that solution might be more desirable than enforcing access separately, as the photo will not lose any utility (no object blurred), but the audience of the photo will be negotiated to remove access to any undesired people.
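
The per-face decision described above can be sketched as follows. This is an added example, not code from the article or from the cited systems: the `Photo` structure, the function names and the sample users are hypothetical, face recognition is taken as already done, and two choices are assumptions of the sketch (a subject always sees her own face, and a subject who has not answered yet is blurred for everyone else).

```python
from dataclasses import dataclass, field

@dataclass
class Photo:
    subjects: list                               # user ids of the recognized faces
    grants: dict = field(default_factory=dict)   # subject -> set of viewers she allows

def render_plan(photo, viewer):
    """Decide, face by face, what one viewer is allowed to see."""
    plan = {}
    for subject in photo.subjects:
        allowed = photo.grants.get(subject)      # None: subject has not answered yet
        if viewer == subject:
            plan[subject] = "shown"              # assumption: own face is never blurred
        elif allowed is not None and viewer in allowed:
            plan[subject] = "shown"
        else:
            plan[subject] = "blurred"            # assumption: fail closed by default
    return plan

def blurred_fraction(photo, viewer):
    """Share of faces hidden from this viewer, a rough proxy for lost utility."""
    plan = render_plan(photo, viewer)
    if not plan:
        return 0.0
    return sum(state == "blurred" for state in plan.values()) / len(plan)

def full_view_audience(photo, candidates):
    """Viewers for whom no face is blurred, so the photo keeps all its utility."""
    return {v for v in candidates if blurred_fraction(photo, v) == 0}

# Constructed sample: carol is recognized but has not submitted a list yet.
PHOTO = Photo(
    subjects=["alice", "bob", "carol"],
    grants={
        "alice": {"bob", "carol", "dave", "erin"},
        "bob": {"alice", "carol", "dave"},
    },
)
EVERYONE = {"alice", "bob", "carol", "dave", "erin"}

if __name__ == "__main__":
    for viewer in sorted(EVERYONE):
        print(viewer, render_plan(PHOTO, viewer), blurred_fraction(PHOTO, viewer))
    print("sees everything:", full_view_audience(PHOTO, EVERYONE))
```

The set returned by `full_view_audience` is the audience for which separate enforcement costs nothing; every other viewer receives a degraded photo, which is the utility loss the paragraph above refers to.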
Requirements For MP Tools
Building upon the previous analysis of existing approaches and their limitations, we now outline a set of requirements to develop MP tools that empower users to collectively manage their privacy together with others and overcome these limitations. These tools would help end users identify potential MPCs and, when MPCs are identified, provide support for their resolution (for example, in the form of recommendations), allowing an appropriate “boundary regulation process by actively negotiating one’s boundaries with others” [40]. Next, we describe each of the requirements in detail.
Design informed by real-world empirical data. None of the existing approaches are grounded in a deep understanding of MPCs and their optimal solution in practice. This is in part due to not having enough empirical evidence about MPCs yet. Such an empirical base is utterly essential to inform the design of MP tools that overcome the limitations identified in the existing literature. As mentioned, researchers have shed light on how users are forced online to resort to coping strategies to work around the lack of appropriate support for MP [2, 3, 18, 40], and there is evidence of how collectively held privacy boundaries are managed offline [22]. While this previous research already provides a very good foundation to build upon, further research is needed to better understand when and how often MPCs actually happen online and, more importantly, when they become a problem or lead to potential privacy violations and hence need a solution. Particular instances of MPCs users faced could be studied to understand whether they happened despite coping strategies being used, how users came up or would come up with the optimal solution for the MPCs studied, and the factors that played a role in the process. Some very recent research goes in this direction [33], having contributed the first empirical and public dataset of MPCs. Having this empirical base about MPCs would ultimately underpin a thorough understanding of MPCs and the nuanced factors that affect them from the ground up, which could then be used as the basis to design MP tools that offer support to different types of users, social groups, and relationships and can recommend optimal solutions to MPCs. Recent efforts on privacy engineering should be leveraged to ease the challenging task of going from empirical evidence to privacy design [11].
User-centric MP controls. The main challenge here is how to develop usable MP tools in line with the empirical base mentioned earlier, so users could effectively manage MP with minimal effort. However, MP tools should aim for usability without becoming a fully automated solution, as this may not achieve satisfactory results when it comes to privacy in social media. Instead, users may have to provide some input into MP tools, which will then provide a recommendation, as very recent research has shown that the optimal solution for an MP conflict could be predicted given some input from the users, like the reason for their preferred privacy policy [8]. However, if users have to intervene to express their individual privacy preferences and/or to accept/decline the solution recommended for each and every co-owned item and potential conflict, would this not easily become a burden on the users? How do we find adequate trade-offs between intervention and automation? There are previous studies on individual privacy in social media that could help: tools like AudienceView [20] could be used to show and/or modify the suggested solution or express individual preferences; approaches similar to Fang et al. [7] could be used to learn the way users respond to MP over time; and approaches like Watson et al. [38] could be used to create suitable defaults for MP settings.
Scaled-up and comparable evaluations. The existing approaches for MP presented here were either not evaluated empirically with users [5, 17, 25, 30, 31, 39], or the user studies conducted were low-scale