SIGCHI Social Impact Award Talk - Making Privacy and Security More Usable.

CHI Extended Abstracts (2018)

Abstract
As an industry researcher in 1997, I dove head first into the world of privacy when I joined an international working group that was developing a web privacy standard called the Platform for Privacy Preferences Project (P3P). Released in 2002, the P3P standard allowed websites to communicate about privacy in a computer-readable format that could be consumed by web browsers and other user agents to inform users and take actions on their behalf. I worked with (and eventually led) a team of technologists, lawyers, and policy makers, and became familiar with not only technologies for protecting and invading privacy, but also international privacy laws and self-regulatory privacy programs. As the working group debated details such as the precise definitions of data sharing and identifiable information, I came to the realization that we hadn't thought much about how to make P3P tools usable. Indeed, usability issues had been largely ignored in the development of most security and privacy tools at that time. At the end of 2003, I moved on to academia and focused my research on usable privacy and security. Along with my students and colleagues, I conducted empirical studies to evaluate privacy and security tools, and recommended ways to make these tools more usable. We asked study participants to make privacy sensitive purchases (condoms and sex toys), and conducted some of the first Mechanical Turk studies related to privacy. Our research papers provided empirical evidence about how long it would take people if they actually did read privacy policies (too long!), that ad-industry-driven privacy efforts were largely ineffective, that privacy "nutrition labels" could help people compare company privacy practices, and that many people care enough about privacy to actually pay for it. We presented our research at events at the US Federal Trade Commission (FTC) and on Capitol Hill. In 2016 I spent a year in Washington, DC as Chief Technologist at the FTC. 
Besides advising the chairwoman and staff, I organized an FTC workshop to discuss methods for evaluating the effectiveness of privacy policies and other disclosures. After having my mobile phone account hijacked, I investigated this form of identity theft, and ended up discussing it on a Today Show segment taped in my kitchen. I also wrote blog posts that raised awareness about privacy concerns associated with open police data, and explained why frequent password changes may not be beneficial. In this talk I will discuss my usable privacy and security research and how it has informed policy work. I will highlight empirical studies that provide insights into users' expectations about privacy and security, as well as their use of privacy and security tools. Finally, I will talk about my experiences at the FTC and ways that members of the CHI community can impact public policy.