


Design, data protection and decision making


published on 15 September 2020 | reading time approx. 6 minutes

Article 25 of the General Data Protection Regulation (“GDPR”) expressly establishes the concept of Privacy by Design (“PbD”). Alongside other engineering-related concepts and the major principles of transparency, consent and rights of individuals, it also opens the door to linking regulation and design.

The PbD concept officially appeared worldwide for the first time at the 32nd International Conference of Data Protection and Privacy Commissioners, when Ann Cavoukian proposed it in order to take privacy into account throughout the engineering process. PbD extends to a trilogy of encompassing applications: IT systems, accountable business practices, and physical design and networked infrastructure. Here we focus on physical design.

Interface design has influenced our lives for decades: underground turnstiles, the carefully studied pathways of supermarkets, the way we request assistance in a hospital, the form on which we file our income tax returns and the login page of our favorite social network all shape the ways their users think and act. When we enter our trusted supermarket to buy some bread, we are also unconsciously biased by smells, colors, misaligned shopping carts, and well-placed chewing gum at checkout lines. Likewise, in the digital technology environment there are many design and interface techniques to hook us, control our attention and manipulate our behavior.

As an example, it is unquestionable that social networks encourage social engagement, but there is another side of the coin. The best-known technique of social networks is to promote the Fear of Missing Out (“FOMO”). FOMO is a social anxiety experienced by people who are absent from a social gathering. This anxiety drives users to check their mobile phones thousands of times and to keep scrolling and consuming information in order to stay socially updated and involved. The objective is to avoid the feeling of missing out on relevant episodes in the social circle of the user/consumer/product.

Behind all these techniques there is a huge engineering effort to design interfaces and to design how information is served to users. It does not matter whether psychological dependence on social networks leads to FOMO and other serious disorders; what matters is sales that serve the purposes of consumption. And sometimes this effort seeks the opposite effect: to provoke users’ rejection.

This is the case with data protection: who has not received a notice declaring "your privacy is important to us…" while immersed in the passionate reading of an interesting article? This is a clear example of a rude practice, one among others, that interferes with our day-to-day habits to create aversion to privacy regulations.

A growing body of work on this matter has arisen since the boom in worldwide internet use. In behavioral experiments, Jens Grossklags and Alessandro Acquisti concluded in 2007 that when people feel in possession of their personal information they value it more, but when they feel they have already lost it, they value it less. Another study, by Haidong Xia and José Carlos Brustoloni in 2005, revealed that optimism bias and personal overconfidence play a part in cyberattacks, where “internet users often accept unjustified risks that enable successful attacks”. Another interesting bias in human behavior is that an opt-in approach to organ donation results in significantly fewer donors relative to an opt-out approach, in which the default is to be an organ donor (Eric Johnson and Daniel Goldstein, 2004).

There are multiple experiments that yield revealing data about the extent to which people can be influenced and how our biases incline us to make decisions. We feel we have lost our personal information by giving consent to some operators, and we think that privacy regulations do not apply, so we do not care about our personal data. We can skip ahead by accepting every cookie of a cookie wall in order to continue reading, or we can blindly trust our antivirus software and be overconfident when installing it. All this information, among other things, can be used to transform our internal decision-making process.

Régis Chatellier et al., in their article “Shaping choices in the Digital World”, stated that the “architectures of choice will perhaps be one of the most important regulatory fields of the digital society for the next 10 years, extending well beyond data protection and privacy”. Today the Natural User Interface, for example, is taking over markets, and the way the relationship between users and goods or services is constructed is changing. We can order a cinema ticket just by saying the magic words to our smart device, even while driving, at home or running.

None of these technological developments is considered cutting-edge; in fact, this is technology that we use on a daily basis. It is shocking, on the other hand, that Privacy and Cookie Policies are not just difficult to read and shown at the worst moment: they are sometimes constructed following deceptive design practices. This is what some current designs and interfaces often try to do; in fact, “in the context of privacy and security some interventions exploit decision hurdles to nudge users to disclose more information or behave detrimentally to their interests” (Christoph Bösch et al., 2016). A good example of these hurdles is the “cookie wall”, recently declared not in compliance with privacy regulations, as stated in the “Cookie Guide” updated by the Spanish Supervisory Authority.

Of course, there are good examples of practices that follow user-friendly interface designs and the idea that privacy is good for business: “the business case for privacy focuses on gaining and maintaining customer trust, breeding loyalty, and generating repeat business” (Ann Cavoukian, 2010). We must change the paradigm of hindering users' decisions, since regulations are here to stay. Incorporating friendly interfaces and designs so that users make their decisions in accordance with the spirit and requirements of the regulations should not be a desire of those of us who advocate protecting the fundamental right to privacy, but an obligation of businesses.
-------------

Jorge Cabet

Abogado, Data Protection Department Spain

Senior Associate