"Am I Private and If So, how Many?" -- Using Risk Communication Formats for Making Differential Privacy Understandable

TL;DR

This paper introduces risk communication formats to explain differential privacy risks to laypeople, evaluating their effectiveness through a crowdsourced study and highlighting the influence of numeracy on understanding.

Contribution

It adapts risk communication formats to make differential privacy understandable and evaluates their effectiveness compared to existing methods.

Findings

Privacy notifications explained to laypeople perform similarly to current methods in understanding.

Participants' confidence in understanding was lower with the new formats.

Numeracy influences the effectiveness of privacy risk communication.

Abstract

Mobility data is essential for cities and communities to identify areas for necessary improvement. Data collected by mobility providers already contains all the information necessary, but privacy of the individuals needs to be preserved. Differential privacy (DP) defines a mathematical property which guarantees that certain limits of privacy are preserved while sharing such data, but its functionality and privacy protection are difficult to explain to laypeople. In this paper, we adapt risk communication formats in conjunction with a model for the privacy risks of DP. The result are privacy notifications which explain the risk to an individual's privacy when using DP, rather than DP's functionality. We evaluate these novel privacy communication formats in a crowdsourced study. We find that they perform similarly to the best performing DP communications used currently in terms of objective understanding, but did not make our participants as confident in their understanding. We also discovered an influence, similar to the Dunning-Kruger effect, of the statistical numeracy on the effectiveness of some of our privacy communication formats and the DP communication format used currently. These results generate hypotheses in multiple directions, for example, toward the use of risk visualization to improve the understandability of our formats or toward adaptive user interfaces which tailor the risk communication to the characteristics of the reader.