
As an application of the above design ideas, a possible feedback tool for location awareness is considered. Immediate feedback on location exposure consequences is assumed, where the system is able to use captured location information (where the user is at the present time) to project a report on privacy implications based on registering this location in the user’s geo-profile.

Such a feedback tool can be integrated within GeoSNs either by the service provider or as a third-party application. In the first case, the feedback tool would be a built-in feature provided by the GeoSN, where users are notified about their location privacy while using the application as part of the service provided. In the second case, the tool would be implemented independently from the GeoSNs as an application that runs on top of them. Such an application would need to use the GeoSNs' APIs, with users’ permission to access their accounts, in order to retrieve and construct the geo-profiles required for providing the location privacy notifications.

5.3 Feedback Design for Location Awareness 99

form of realisation of a feedback tool, and will be used as a basis to measure some aspects of location awareness in the experiment described below. A more dedicated study of design issues is needed, but is beyond the scope of this work. What follows is the description of a privacy tool which revolves around three main factors: what to present to the user, how, and when. This tool design follows the design properties discussed above in Section 5.3 in addition to these finer design principles:

• Learnability of the tool, so that it can be used easily by the user without any overloading [135, 98, 95]

• Familiarity with the design elements used in the tool (e.g. icons and colour-schemes) [135, 112]

• Minimising distraction from the users’ main task [95, 94]

• Using simplified and succinct language for information presentation [94, 17, 113]

Figure 5.1: A potential design of the privacy-enhancing feedback and control tool showing (a) the icon design for the privacy indicator and (b) the content of the privacy notification tool.

5.3.2.1 What to Present: Information Content

The information presented to the users represents the essence of this tool, and actually shows the user the privacy risks triggered by performing a location-oriented task, mainly in terms of what personal information can be dynamically derived by doing so. A security warning should show the sensitivity of the information entered by a user but not present general warning statements [113]. Basically, the tool dynamically retrieves the information associated with the current check-in from the recently updated user profile. The retrieved privacy-related personal information is presented in three main elements of the tool: Feedback, Privacy Implications, and Visibility, which correspond to three main privacy aspects that a user should be aware of [95]. These elements are interconnected to provide complete information about the current privacy situation in order to allow users to make informed decisions about their location sharing actions, as recommended by [113]. The tool’s elements are defined as follows:

1) Feedback element: This provides a summary of the user profile that shows frequency-based information related to the current check-in, which represents the data collection aspect. The reason for showing the feedback to the users is to enable them to recap their history related to the current check-in and to allow them to understand what triggers the privacy implications presented in the tool. Essentially, it presents three main pieces of user information as follows:

• Check-in frequency to a place

• Check-in association with temporal information

• Check-in association with friends

2) Privacy Implications element: This presents a view of the geo-profile that lists the personal information that could be constructed based on this check-in, as a way of presenting the associated privacy threats, which represents the data utilisation privacy aspect. The related risks are derived based on the user’s check-in history along with the current check-in task in hand.

3) Visibility element: This shows the visibility permissions granted in terms of who can view this check-in, which represents the data accessibility privacy aspect. Although the user check-in is essentially recorded and viewed by the application and its third parties, the user is not necessarily conscious of them. Therefore, to avoid confusing the users with this default, the visibility is presented from the user’s perspective, which involves friends (social connections), other users of the service, and other social networking applications if the user chooses to share on them.
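The three elements can be assembled from a check-in history as in the following sketch, which is an added example and not code from the thesis. The history records, the night/day boundary, the inference thresholds and the "Frequent companion" label are assumptions made for illustration; implications are rendered in the tool's Static Type ("Dynamic Content") form.

```python
from collections import Counter
from datetime import datetime

# Constructed check-in history: (place, ISO timestamp, friends tagged).
HISTORY = [
    ("12 Elm Street", "2024-03-01T22:40", []),
    ("12 Elm Street", "2024-03-02T23:05", []),
    ("12 Elm Street", "2024-03-04T21:50", ["Sam"]),
    ("City Gym", "2024-03-03T07:10", ["Sam"]),
]

def slot(ts):
    """Coarse time-of-day bucket (boundaries are an assumption)."""
    hour = datetime.fromisoformat(ts).hour
    return "night" if hour >= 21 or hour < 6 else "day"

def build_notification(history, place, ts, friends, audience):
    """Build Feedback, Privacy Implications and Visibility for a pending check-in."""
    # Profile as it would look once the current check-in is registered.
    visits = [c for c in history if c[0] == place] + [(place, ts, friends)]
    top_slot = Counter(slot(c[1]) for c in visits).most_common(1)[0][0]
    companions = Counter(f for c in visits for f in c[2]).most_common(1)

    # Feedback: frequency, temporal and friend associations in one sentence.
    feedback = f"You have checked in at {place} {len(visits)} times, mostly at {top_slot}"
    if companions:
        feedback += f", {companions[0][1]} times with {companions[0][0]}"

    # Privacy implications: hypothetical inference rules standing in for
    # the geo-profile derivation, which this sketch does not reproduce.
    implications = []
    if len(visits) >= 3 and top_slot == "night":
        implications.append(("Private place", "Home"))
    if companions and companions[0][1] >= 2:
        implications.append(("Frequent companion", companions[0][0]))

    return {
        "feedback": feedback + ".",
        "implications": [f'{static} ("{dynamic}")' for static, dynamic in implications],
        "visibility": sorted(audience),  # who can view, from the user's perspective
    }

if __name__ == "__main__":
    report = build_notification(HISTORY, "12 Elm Street", "2024-03-05T22:15",
                                ["Sam"], {"friends", "other users"})
    for element, content in report.items():
        print(element, "->", content)
```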

5.3.2.2 How to Present: Information Presentation

How the information is presented to the user is responsible for attracting their attention, properly conveying the required information, and enabling them to utilise the tool optimally. Based on examining the findings of relevant work (e.g., [110, 34, 112, 124, 111, 17]) as well as considering the features of GeoSNs, our proposed privacy notification consists of two main parts as follows:

1) The Privacy Indicator:

The privacy indicator is embedded in the GeoSN and offers a simple and direct indication of the user’s current privacy level in the form of a location pin with a “lock” icon, as shown in Figure 5.1(a), which is chosen based on its familiarity and link to privacy and security issues. The level of privacy is indicated by a three-colour scheme using traffic light colours. This scheme is chosen for its familiarity and association with safety and danger in order to simplify perception of the privacy information. It reflects the level of threat estimated by the system, which is based on the threat levelling model presented in Section 5.3.1.

2) The Privacy Notifications:

This part presents the privacy information related to a location-oriented action in detail, including the three main elements discussed previously as well as the privacy control options illustrated in Figure 5.1(b). The notification is shown when the indicator is clicked, allowing the user to explore its content to understand the basis of the threat indicated. In the privacy notifications window, the visibility element is represented by an eye icon. Parties who can view this check-in are also represented using icons. Then, the feedback is presented in the form of a natural language sentence including the three pieces of information in order to simplify the contents. Lastly, the Privacy Implications are shown as a list of labelled tuples. Previous studies have demonstrated that presenting privacy information in the form of labelled short text in an organised manner improves comprehension of the presented information, as well as making it easier and faster to find [17, 113]. Each of the labelled tuples presents a single or complex privacy implication including two types of information extracted based on the user’s location profile, along with the information provided in the current check-in, as follows:

• Static Types: This shows the type of personal information that can be inferred, such as “Private place”. It provides general warnings that can be shown to other users with similar profiles.

• Dynamic Contents: This shows exactly what information is inferred, such as “Home”, which is specific to a particular user.

The labelled tuple is formatted as Static Types (“Dynamic Contents”). In this way, the user can easily perceive the general privacy consequences of this check-in as well as the specific inference in this user’s case. As for the privacy controls offered for the users,