Interactions - November/December 2017

purchasing is part of a similar genre of practices where we consider the terms and conditions of a policy as best we can, well before we actually need the policy—in fact, it’s required that we have a policy before we need it. We may consider the terms and prices of the policy, if these change, before we renew, and then start shopping around again.

In other words, for many kinds of transactions, we have established practices to review attributes from the transactions as well as the terms and conditions. These reviews fit into a larger mechanism that informs our quality of life, from how we manage debt with financial planning to how we manage risk with insurance provisions.

A key point, however, is that even though not all citizens practice such fiscal hygiene, the data is there to enable those processes. Such is not the case for personal-data transactions on the Internet. Surely in HCI we can draw on these analogous practices to better design our engagement with the terms and conditions of data consent, and with auditing consent transactions?

NEGOTIATION/AUTOMATION

Of course, one of the reasons for reviewing our financial transactions is to see if the terms of service are fair.

After all, when we agree to terms and conditions, we engage in a contract with the supplier. In the data-driven world, however, these contracts are one way and binary: We as the consumers of the services can say only yay or nay. Sometimes, saying nay can feel impossible: If one’s whole community is making use of a service, it’s hard to be the lone holdout.

Once again, if we turn to real-world examples, negotiation is a key part of just about any other agreement of exchange between parties. We negotiate everything from our contract with employers or staff to our fee for network access. Many of us can’t walk out of a shop without either talking a price down or haggling for extras at no cost.

Negotiation is ubiquitous—except on the Internet. Why?

We have been exploring how we
might be able to automate consent
in terms of negotiable data-sharing
preferences using autonomous
agents [ 10], and thus begin to create
richer, non-binary terms for data
exchange and service provision. In
this approach, a person can say under
claims can be explored and tested.

There is a certificate that can be verified regarding the claims made by the S and the padlock. These are signifiers of apparency, seams that can be exposed and tested in terms of semantic and pragmatic transparency. We can decide how far we wish to probe those signfiers, but with them, the resources are there to make a more informed judgment about the channel. The padlock is an elegant, apparent expression that makes the semantic and pragmatic transparency of a binary state richly available.

Apparency for the properties that would inform a consent decision are more nuanced, more variable, and potentially more dynamic. A challenge we set ourselves as a research team is how to raise apparency about one’s current appearance on the Web, in particular to online trackers that have an interest in creating a picture of who you are for various purposes, from targeted ads to offer discrimination, which includes everything from job offers to insurance pricing. These impressions are based on one’s clicks from one Web resource to another. Our challenge has been to find metaphors to express what this tracking means in an apparent, semantically and pragmatically transparent way. The approach we’ve been testing is called the Web Mirror.

AN APPARENCY EXAMPLE:
THE WEB MIRROR

There have been third-party efforts, such as Mozilla Lightbeam and Disconnect.me, to make our traces through the Web and what sites track us more apparent by using network or spring graphs of trackers. In pilot tests with participants, these often engender a “Wow, what a big graph that is!” response, but few people use them, and, interestingly, the follow-up question of how to make it stop rarely comes up.

In an effort to help schools in par-
ticular teach students about protect-
ing themselves online, we have been
piloting a project with teachers called
the Web Mirror (http://mirror.websci.
net/). Here, we show students not an
abstract graph but rather a “Web reflec-
tion of you.” That is, we show them what
the various trackers they’ve touched
see of their Web history. We use topic
extraction to infer what the interests of
someone visiting those websites could
be, and prompt them to ask, “What
could my browsing history say about
me?” Our goal right now is to see if this
mirroring back to students of what
their browsing may portray about them
helps them first to perceive that their
browsing history is their personal data
(apparency); that others are processing
that data as the students move through
the Web (semantic transparency); and
how that data can be used to create a va-
riety of pictures about them (pragmatic
transparency). From this awareness, we
are keen to empower them to control
that reflection—in other words, to ac-
tion consent. This is done by connecting
the students back to how those reflec-
tions can be changed using the current
means for proactive personal-data
management (or consent management),
which means cumbersome tools like ad
blockers and VPNs.

TIMING

As stated earlier, we know from HCI research on interruption that when we’re asked to consider anything that takes us away from our primary task, it’s simply not going to get our full attention, especially when it’s something as abstract as data permissions or terms and conditions. Just get out of our way! Beyond making a reflection of ourselves from our Web travels apparent, a key insight from the Web Mirror work is that there is high apparency value in making the revelation of what personal data is desired by a site/app/service, and whether or not they should have it, its own task in its own time.

When we look, there are multiple examples of such asynchronous transactions all around us in the physical world. Consider making purchases. Each time we withdraw cash from a bank machine or use a debit or credit card, we get a receipt of the transaction—and that’s about it. We are not asked to review our purchasing history at the time of the transaction. Instead, we receive a monthly statement both as a record of our spending and debts, and as a log we are encouraged to review in case of errors. That monthly statement itself is a review process, but it is a data trail of what has happened with our various assets, from cash on hand to credit lines. The statement, however, along with our receipts, fits into a larger practice of personal money management, including tasks like setting a budget, saving for a purchase, investing, and so on. Insurance