Patterns - Privacy Patterns

Protection against Tracking This pattern avoids the tracking of visitors of websites via cookies. It does this by deleting them at regular intervals or by disabling cookies completely.
Location Granularity Support minimization of data collection and distribution. Important when a service is collecting location data from or about a user, or transmitting location data about a user to a third-party.
Minimal Information Asymmetry Prevent users from being disenfranchised by their lack of familiarity with the policies, potential risks, and their agency within processing.
Informed Secure Passwords Ensure that users maintain healthy authentication habits through awareness and understanding.
Awareness Feed Users need to be informed about how visible data about them is, and what may be derived from that data. This allows them to reconsider what they are comfortable about sharing, and take action if desired.
Encryption with user-managed keys Use encryption in such a way that the service provider cannot decrypt the user's information because the user manages the keys.
Federated Privacy Impact Assessment The impact of personal information in a federation is more than the impact in the federated
Use of dummies This pattern hides the actions taken by a user by adding fake actions that are indistinguishable from real.
Who’s Listening Inform users of content where other users or unauthenticated persons having accessed the same content are listed, and may access any further disclosures.
Identity Federation Do Not Track Pattern All information has been extracted from http://blog.beejones.net/the-identity-federation-do-not-track-pattern The Do Not Track Pattern makes sure that neither the Identity Provider nor the Identity Broker can learn the relationship between the user and the Service Providers the user us.
Privacy Policy Display The goal of this display is to provide the user information about why what information by whom is requested. It should be used whenever personal data is required from the user.
Layered Policy Design Make privacy policies easier for users to understand by layering detail behind successively more concise and summarized information.
Discouraging blanket strategies Give users the possibility to define a privacy level from a range of options each time they share content.
Reciprocity Let users benefit according to the contributions they make.
Asynchronous notice Proactively provide continual, recurring notice to consented users of repeating access to their personal data, including tracking, storage, or redistribution.
Abridged Terms and Conditions Enables the user to better understand the Terms and Conditions presented by a system through summarization. The most important elements therein are condensed into a more concise overview.
Policy Matching Display Allow users to specify what privacy preferences they have and non-intrusively bring policy mismatches to their attention.
Incentivized Participation Users are more willing to contribute valuable input when they can do so without leaking personal data, or perceive an equal or greater exchange in value either monetarily or socially.
Outsourcing [with consent] “The controller has to obtain additional specific, informed, explicit, and freely given consent before outsourcing data processing to a third party.“
Ambient Notice Provide unobtrusive, non-modal, continuous notice when personal data is being accessed to increase awareness of real-time tracking.
Dynamic Privacy Policy Display Provide standardized contextual policy information on the nature and risks of disclosure through tooltips.
Privacy Labels Standardize warning labels similar to nutrition information to quickly inform users about privacy policies and preferences.
Data Breach Notification Pattern Ensure that unauthorized access and processing of personal data is detected and reported to the supervisory authority and any sufficiently affected users without any undue delay.
Pseudonymous Messaging A messaging service is enhanced by using a trusted third party to exchange the identifiers of the communication partners by pseudonyms.
Onion Routing This pattern provides unlinkability between senders and receivers by encapsulating the data in different layers of encryption, limiting the knowledge of each node along the delivery path.
Strip Invisible Metadata Strip potentially sensitive metadata that isn't directly visible to the end user.
Psuedonymous Identity Hide the identity by using a pseudonym and ensure a pseudonymous identity that can not be linked with a real identity during online interactions.
Personal Data Store Subjects keep control on their personal data that are stored on a personal device.
Trust Evaluation of Services Sides A visual highlight provided by an authority which signals the extent to which given privacy criteria are fulfilled. It should be clearly placed and easily found, with links to additional information.
Aggregation Gateway Encrypt, aggregate and decrypt at different places.
Privacy icons A privacy policy which is hard to understand by general audience is summarized and translated into commonly agreed visual icons. A privacy icon is worth a thousand-word policy.
Privacy-Aware Network Client Enhance user awareness of privacy policies by automatically converting it into a standardized and easily readable format over a secure channel.
Sign an Agreement to Solve Lack of Trust on the Use of Private Data Context Services of a controller may require users to sign contracts that stipulate their obligations and processing purposes for which users must consent to use the service. This ensures that users can trust the controller as it is bound to the contract it signs.
Single Point of Contact The Single Point of Contact is a security authority who protects the privacy and security of sensitive data stored online by validating the authority of requests and ensuring secure communication channels.
Informed Implicit Consent Controllers must provide unavoidable notice of a users implicit consent to the processing of their data, where reasonable to do so.
Enable/Disable Functions Allow users to decide granularly what functions they consent to before the function is used.
Privacy Color Coding Provide visual cues in standardized colors about privacy policies and preferences to help convey information to users more quickly.
Appropriate Privacy Icons Use consistent icons in place of policy aspects. The icons should convey these aspects reliably, without allowing room for misinterpretation once explained to the user.
User data confinement pattern Avoid the central collection of personal data by shifting some amount of the processing of personal data to the user-trusted environments (e.g. their own devices). Allow users to control the exact data that shares with service providers
Icons for Privacy Policies Icons are capable of conveying information more quickly than a document, and are therefore a useful way to augment policies.
Obtaining Explicit Consent Controllers require consent to be given willingly and specifically when in any way processing the personal data of their users.
Privacy Mirrors Disclosure awareness is needed to adequately manage digital identity. Provide the user of a system with a high level reflection on what personal data the system knows about, what access is given to others, and what kind of personal data can be deduced.
Appropriate Privacy Feedback Supplies the user with privacy feedback, especially concerning that which is monitored and accessed, and by whom.
Impactful Information and Feedback Provide feedback about who a user will disclose their information to using certain privacy settings before that information is actually published.
Decoupling [content] and location information visibility Allow users to retroactively configure privacy for location information with respect to the content's contextual privacy requirements.
Platform for Privacy Preferences Use privacy policies which consist of standardized and extensible vocabulary and data element sets, both of which user agents should be aware of, in order to streamline their review by eliminating redundancies.
Selective access control Allow users to specify who may access the content they generate, both during and after submission.
Pay Back Give users some benefits in exchange for providing information or content.
Privacy dashboard An informational privacy dashboard can provide collected summaries of the collected or processed personal data for a particular user.
Preventing mistakes or reducing their impact Prevent accidental automatic disclosure of personal information.
Obligation Management The pattern allows obligations relating to data sharing, storing and processing to be transferred and managed when the data is shared between multiple parties.
Informed Credential Selection Ensure users are informed of the potential privacy consequences of sharing various authenticating data.
Anonymous Reputation-based Blacklisting Get rid of troublemakers without even knowing who they are.
Negotiation of Privacy Policy Over time, build user preferences from a privacy-preserving default semi-automatically, through opt-in/opt-out, semantics, and informed solicitations.
Reasonable Level of Control Let users share selectively (push) and make available (pull) specific information to predefined groups or individuals.
Masquerade Let users filter out some or all personal information they would otherwise provide to a service.
Buddy List By default, isolate users to a selection of social connections in a user-defined circle of trust. Allow them to expand this circle or create new ones based on the existing members.
Privacy Awareness Panel Establish user awareness of the risks inherent in the disclosure of their data, whether to the controller themselves or to other users.
Lawful Consent A crucial element in privacy protection is ensuring that all sensitive processing is preceded by the acquisition of freely given, informed, specific, and explicit consent.
Privacy Aware Wording Ensure that the content of privacy related information provided to the user is worded carefully, maintaining both attention and understanding.
Sticky Policies Machine-readable policies are sticked to data to define allowed usage and obligations as it travels across multiple parties, enabling users to improve control over their personal information.
Personal Data Table In order for users to see what information a controller has about them, they can be provided with a detailed tabular overview of that data upon request.
Informed Consent for Web-based Transactions This pattern describes how controllers can inform users whenever they intend to collect or otherwise use a user's personal data.
Added-noise measurement obfuscation Add some noise to service operation measurements, but make it cancel itself in the long-term
Increasing awareness of information aggregation Inform users about the potentially identifying effects of information aggregation to prevent them from unknowingly endangering their privacy.
Attribute Based Credentials Attribute Based Credentials (ABC) are a form of authentication mechanism that allows to flexibly and selectively authenticate different attributes about an entity without revealing additional information about the entity (zero-knowledge property).
Trustworthy Privacy Plug-in Aggregate usage records at the user side in a trustworthy manner.
[Support] Selective Disclosure Many services (or products) require the collection of a fixed, often large, amount of personal data before users can use them. Many users, instead, want to freely choose what information they share. This pattern recommends that services Support Selective Disclosure, tailoring functionality to work with the level of data the user feels comfortable sharing.
Private link Enable sharing and re-sharing without wide public visibility or cumbersome authenticated access control.
Anonymity Set This pattern aggregates multiple entities into a set, such that they cannot be distinguished anymore.
Active broadcast of presence Users may actively choose to automatically provide updates when they want to share presence information, to increase both the relevance of, and control over, their sharing.
Unusual Activities Prevent suspicious access to user data through alerts and authenticate through multiple factors upon potential compromise of an account.