Seven Hard Privacy UX Problems

Big Tech has become pretty good at back-end data protection flows, but many problems still remain in the front-end, user-facing aspects of privacy.

Here are some hard problems that I spend my days thinking about:

  1. What exactly is good consent, and how do we make sure users are giving it?
  2. How can we give average, non-technical users the agency to manage the trade-off between privacy and functionality, given how insanely complex the data systems and products are?
  3. How do we measure whether we are meeting people's privacy needs and expectations? Can we make these measurements in a way that is actionable in informing how we change our products?
  4. How can we empower particularly vulnerable people to protect themselves? (e.g. victims of domestic abuse, dissidents in repressive regimes, LGBTQ people in non-accepting cultures, people seeking abortion information in certain US states)
  5. How do we avoid adding usability burdens that reduce the product's value for the majority of the time, when people are not particularly concerned about privacy, while still making sure they are empowered to take privacy-protective measures on sensitive user journeys?
  6. What are the privacy threat models, and what are the different ways of adding UI features to counter them? Some threat models can be countered by controlling data collection, such as threats from state actors subpoenaing user data: data that was never collected cannot be produced. Others can be countered by controlling data use, such as threats from people shoulder surfing or compelling physical access to devices or accounts: the data exists, but the UI gates who can see it and when.
  7. How do we avoid the unintended consequence of well-meaning trust measures actually making people more vulnerable? For example, giving users transparency into what we know about them empowers them to take action, but it also adds a new privacy attack vector: a convenient UI for a bad actor who already has access to the user's account. Or a control that lets the user specify topics or URLs they consider sensitive and do not want tracked is itself a very sensitive list that could be harmful if revealed. Or if we try to protect particularly vulnerable people by noticing that they are vulnerable, that detection of their status might itself be privacy-invasive.
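To make the distinction in items 6 and 7 concrete, here is an added example that is not part of the original post: a small Python model of the two countermeasure classes (a collection control that drops events before storage, and a use control that gates the "what we know about you" view behind a fresh re-authentication), plus one way to store the user's own "sensitive sites" list so that the list itself is less damaging if exposed. The class and method names (`PrivacyStore`, `record`, `transparency_view`), the keyed-hash approach for the sensitive list, and the sample URLs are all assumptions made for this illustration, not a description of any real product.

```python
"""Toy model of privacy controls (added example, not the author's code).

Two kinds of control from item 6:
  - collection control: never store data about sensitive sites, so a
    subpoena or breach has nothing to produce for them;
  - use control: the transparency page exists, but requires a recent
    re-authentication so someone who merely holds an unlocked device or a
    logged-in session cannot use it as a convenient dossier (item 7).
The user's sensitive-site list (item 7) is stored only as keyed hashes,
so the list alone does not reveal which sites the user flagged.
All names, keys and URLs here are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Threat models named in the post, mapped to the class of control that
# counters each one (assumed mapping for this example).
COLLECTION_CONTROLS = {"subpoena"}
USE_CONTROLS = {"shoulder_surfing", "physical_access"}


@dataclass
class Event:
    user: str
    url: str
    ts: float


@dataclass
class PrivacyStore:
    # Per-user secret for keyed hashing of the sensitive-site list. In a
    # real system this key would live in a separate secret store; here it is
    # generated in-process purely so the example runs offline.
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    sensitive_hashes: set = field(default_factory=set)
    events: list = field(default_factory=list)
    last_reauth: float = 0.0  # timestamp of the user's last re-authentication

    def _tag(self, url: str) -> str:
        """Keyed hash of the URL's host, so the stored list is not plaintext."""
        host = url.split("//", 1)[-1].split("/", 1)[0].lower()
        return hmac.new(self.key, host.encode(), hashlib.sha256).hexdigest()

    def mark_sensitive(self, url: str) -> None:
        """User-facing control: 'do not track this site'."""
        self.sensitive_hashes.add(self._tag(url))

    def record(self, event: Event) -> bool:
        """Collection control: drop the event before it is ever stored.
        Returns True if stored, False if suppressed."""
        if self._tag(event.url) in self.sensitive_hashes:
            return False
        self.events.append(event)
        return True

    def transparency_view(self, now: float, reauth_max_age: float = 300.0) -> list:
        """Use control: the 'what we know about you' page is only shown
        after a re-authentication within the last reauth_max_age seconds."""
        if now - self.last_reauth > reauth_max_age:
            raise PermissionError("re-authentication required")
        return [e.url for e in self.events]


if __name__ == "__main__":
    store = PrivacyStore()
    store.mark_sensitive("https://clinic.example/info")
    print(store.record(Event("alice", "https://clinic.example/appointments", 1.0)))  # False
    print(store.record(Event("alice", "https://news.example/article", 2.0)))        # True
    store.last_reauth = 995.0
    print(store.transparency_view(now=1000.0))  # ['https://news.example/article']
```

The keyed hash only limits the damage if the key is kept apart from the list; if an attacker obtains both, a small list of candidate hosts can be checked one by one, so this is a mitigation for the "list revealed on its own" case, not a substitute for access control. The re-authentication gate on the transparency view is the use-side control the post describes: it keeps the feature available to the legitimate user while making it less convenient for someone who has only borrowed an already-open session.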