purchasing is part of a similar genre of
practices where we consider the terms
and conditions of a policy as best we
can, well before we actually need the
policy—in fact, it’s required that we
have a policy before we need it. We may
consider the terms and prices of the
policy, if these change, before we renew,
and then start shopping around again.
In other words, for many kinds
of transactions, we have established
practices to review attributes from
the transactions as well as the terms
and conditions. These reviews fit into
a larger mechanism that informs our
quality of life, from how we manage
debt with financial planning to how we
manage risk with insurance provisions.
A key point, however, is that even
though not all citizens practice such
fiscal hygiene, the data is there to enable
those processes. Such is not the case
for personal-data transactions on the
Internet. Surely in HCI we can draw
on these analogous practices to better
design our engagement with the terms
and conditions of data consent, and with
auditing consent transactions?
NEGOTIATION/AUTOMATION
Of course, one of the reasons for
reviewing our financial transactions
is to see if the terms of service are fair.
After all, when we agree to terms and
conditions, we engage in a contract
with the supplier. In the data-driven
world, however, these contracts are one
way and binary: We as the consumers
of the services can say only yay or
nay. Sometimes, saying nay can feel
impossible: If one’s whole community
is making use of a service, it’s hard to be
the lone holdout.
Once again, if we turn to real-world
examples, negotiation is a key part
of just about any other agreement of
exchange between parties. We negotiate
everything from our contract with
employers or staff to our fee for network
access. Many of us can’t walk out of
a shop without either talking a price
down or haggling for extras at no cost.
Negotiation is ubiquitous—except on
the Internet. Why?
We have been exploring how we
might be able to automate consent
in terms of negotiable data-sharing
preferences using autonomous
agents [ 10], and thus begin to create
richer, non-binary terms for data
exchange and service provision. In
this approach, a person can say under
claims can be explored and tested.
There is a certificate that can be verified
regarding the claims made by the S
and the padlock. These are signifiers of
apparency, seams that can be exposed
and tested in terms of semantic and
pragmatic transparency. We can decide
how far we wish to probe those signfiers,
but with them, the resources are there to
make a more informed judgment about
the channel. The padlock is an elegant,
apparent expression that makes the
semantic and pragmatic transparency of
a binary state richly available.
Apparency for the properties that
would inform a consent decision are
more nuanced, more variable, and
potentially more dynamic. A challenge
we set ourselves as a research team is
how to raise apparency about one’s
current appearance on the Web, in
particular to online trackers that have
an interest in creating a picture of who
you are for various purposes, from
targeted ads to offer discrimination,
which includes everything from job
offers to insurance pricing. These
impressions are based on one’s clicks
from one Web resource to another. Our
challenge has been to find metaphors
to express what this tracking means
in an apparent, semantically and
pragmatically transparent way. The
approach we’ve been testing is called the
Web Mirror.
AN APPARENCY EXAMPLE:
THE WEB MIRROR
There have been third-party efforts,
such as Mozilla Lightbeam and
Disconnect.me, to make our traces
through the Web and what sites track
us more apparent by using network or
spring graphs of trackers. In pilot tests
with participants, these often engender
a “Wow, what a big graph that is!”
response, but few people use them, and,
interestingly, the follow-up question of
how to make it stop rarely comes up.
In an effort to help schools in par-
ticular teach students about protect-
ing themselves online, we have been
piloting a project with teachers called
the Web Mirror (http://mirror.websci.
net/). Here, we show students not an
abstract graph but rather a “Web reflec-
tion of you.” That is, we show them what
the various trackers they’ve touched
see of their Web history. We use topic
extraction to infer what the interests of
someone visiting those websites could
be, and prompt them to ask, “What
could my browsing history say about
me?” Our goal right now is to see if this
mirroring back to students of what
their browsing may portray about them
helps them first to perceive that their
browsing history is their personal data
(apparency); that others are processing
that data as the students move through
the Web (semantic transparency); and
how that data can be used to create a va-
riety of pictures about them (pragmatic
transparency). From this awareness, we
are keen to empower them to control
that reflection—in other words, to ac-
tion consent. This is done by connecting
the students back to how those reflec-
tions can be changed using the current
means for proactive personal-data
management (or consent management),
which means cumbersome tools like ad
blockers and VPNs.
TIMING
As stated earlier, we know from HCI
research on interruption that when
we’re asked to consider anything that
takes us away from our primary task,
it’s simply not going to get our full
attention, especially when it’s something
as abstract as data permissions or terms
and conditions. Just get out of our way!
Beyond making a reflection of ourselves
from our Web travels apparent, a key
insight from the Web Mirror work is
that there is high apparency value in
making the revelation of what personal
data is desired by a site/app/service, and
whether or not they should have it, its
own task in its own time.
When we look, there are multiple
examples of such asynchronous
transactions all around us in the
physical world. Consider making
purchases. Each time we withdraw
cash from a bank machine or use a debit
or credit card, we get a receipt of the
transaction—and that’s about it. We
are not asked to review our purchasing
history at the time of the transaction.
Instead, we receive a monthly statement
both as a record of our spending and
debts, and as a log we are encouraged to
review in case of errors. That monthly
statement itself is a review process, but
it is a data trail of what has happened
with our various assets, from cash on
hand to credit lines. The statement,
however, along with our receipts, fits
into a larger practice of personal money
management, including tasks like
setting a budget, saving for a purchase,
investing, and so on. Insurance
COVER STORY