Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style COPS Community Studies Presented by Sherley Codio Community-Oriented Privacy and Security

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science The design of individual questionnaire The design of topics and questions for group discussion The analysis of the data 2 Proposed Deliverables

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science The design of individual questionnaire The design of topics and questions for group discussion Comments 3 Deliverables

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Motivation and Goals  What is a Community  Privacy definition  Study Process  Outcome of the study  Comments on interviews and FG  Definition of Important Terms  Future work and Conclusion 4 Outline

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science Challenge for group of people sharing sensitive information to control the disclosure Understanding how people in a community think and act about sensitive information to inform design for COPS Sensitive information means any information that has limitation on its disclosure. 5 Motivation and Goals

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science “Community” is defined by three attributes:  collaborative  cooperative  collective 6 Community

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science Advantages of community-based control over individual control  Expertise and knowledge on the use of privacy enforcement mechanisms can be shared across the community to ensure better awareness of privacy requirements.  A sense of responsibility to the community may encourage each member to pay more attention to privacy tasks. 7 Why Community?

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science 8 Privacy A “boundary regulation” process in which privacy decisions are highly context dependent and cannot be reduced to a fixed set of “rules” or “policies” that are automatically enforced.

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Understand the group structure  Learn about the group boundary regulation process  See evidence of privacy behaviors  Use of technology to support the process  Learn about metaphors used to manage sensitive information 9 Outcome Expected From Focus Group

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science Plan to conduct focus groups an interviews with members of different communities: industry based community, school community  2 Individual interviews and 1 focus group per community  4 to 5 focus groups (5 to 8 participants)  Preparation and revision of the questionnaire  Preparation of consent form  Submission to the IRB  Conducting the interviews and Focus group 10 Study Process

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science 11 Study process Why interviews and Focus Groups? Answers from the interviews can help probe questions for Focus Group

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Good morning. We appreciate your agreeing to meet with us. We are trying to understand how people in a group think and act about sensitive information for which they share responsibility. By sensitive we mean information that, for whatever reason, has limitations on its dissemination or disclosure. We want to understand what actions are taken to achieve these limitations. We also want to learn about the group structure, the role of the group members and how they interact with each other. Your answers will help inform the design and study of systems dealing with sensitive information. Interview Procedure The interview will last about 45 minutes to an hour. We will ask you a series of questions related to the group structure and another series of questions related to the group interaction and the actions taken to control the disclosure of information. For all of these questions there are no right or wrong answers, therefore we encourage you express your opinions freely and openly. Now, we would ask you to read the consent form and sign it before we start the interview. All information and audio will be stored in a password-protected computer. Files will only be named with your participant number that is written at the top right of this form. Do you have any questions before we begin? 12 Questionnaire

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Can you tell us about the group?  Can you tell us about how the group works and makes decisions?  We would like to know how you view information privacy in the context of the group.  Can you tell us about how the group keeps information private?  Can you tell us how the group shares private information with someone outside the group? 13 Questions Sample

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Dealing with human subjects is difficult  Setting up time that works for everyone  Finding people willing to participate in the Study 14 Difficulties Encountered

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  2 Individual Interviews  Members of an industry based Community  Shows clearly that individuals manage privacy differently  being in a community facilitates the share of Knowledge on privacy issues 15 Individual Interviews

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Group Structure:  Hierarchical structure  Become a member of a group based on job description  Collaboration done via video conference or over internal system  Small group  Decision Process:  manager plans and prioritize tasks  privacy policies are already set in place  Disclosure:  In case of privacy violation, report would be made to the manager to decide how big of a threat it is  Security practices:  Monthly rotation of password changes  lock down computer when not at your desk 16 Individual Interviews

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Group Structure  Bigger group in different locations worldwide  No formal protocol for communication due to proximity  Dependent on other group to carry out their task (overlapping groups)  Decision Process:  Indirect higher level of management  Disclosure:  Don’t want certain information to go out because the code is not clean enough (dignitary harm)  Share privacy with someone outside the group: interns have access of repository as part of their job  Privacy Practices  Code is on isolated server on internal network, need to be on company VPN to check in  For sensitive information regarding the company employees depends on manager for advice.  No worry about being so secure because it is not used for sensitive information 17 Individual Interviews

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Group Structure:  Group established by job title and description  Added to a group if profile fits well the group  Type of sensitive information:  Hiring  Compensation  Employee records  Performance review  Ways of communicating: Depends on the sensitivity of the information  Verbally   Videoconference  Internal social network  Other internal system **Level of person determines what kind of information they have access to. 18 Focus Group

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Security concerns:  Information sent via  Accidental typos in the To fields  Legal reasons  Privacy Practices:  Use of prefix in the subject line: confidential, private, urgent  Encryption used to send sensitive information  Use of VPN for remote access of the internal network  HR goes over the handbook with new employees  Lock compute, password to protect workstation, badge 19 Focus Group If it is an important I will stare at it for like 10 minutes before I send it.

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Disclosure:  sent to the right recipient with unintended content  Talking about someone’s performance and including that person in the To field  chains  Use video conferencing instead of phone for a better privacy context of the other person 20 Focus Group “There have been times I know there are a certain type of conversation that will only have over the phone because of the nature of the subject.”

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  Privacy Behaviors: Activities in response to internal or external stimuli -> Categories: - Avoidance: Not performing an originally intended action because of privacy concerns - Modification: Performing an action not in the intended manner - Alleviatory behavior: Taking action to prevent the spread of information, reducing consequences 21 Important Definitions

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science  No conclusion can be drawn yet  Tag of privacy behaviors and boundary regulation  Need of more focus groups and Interviews 22 Future Work and Conclusion

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, Privacy&Security - Virginia Tech – Computer Science 23 Questions