Sample Chapter: Design for Privacy
This is a sample chapter from Robert Stribley’s book Design for Privacy: Keeping Personal Information Private. 2025, Rosenfeld Media.
Chapter 1
A Deluge of Privacy Issues
It’s difficult to articulate our current circumstances without sounding like you’re lapsing into hyperbole: We are currently experiencing an explosion of emerging privacy issues, unparalleled in human history, that we can hardly expect the average person with a day job and a family and a mortgage to process, let alone keep up with. These issues are myriad, and they have a cumulative, if often unnoticed, effect upon people everywhere. Before we get to the meat of this book, I want to offer a brief overview of some of the issues we’re experiencing collectively to help highlight the scope of the problem—even if it means noting some issues that you, as a designer, may be incapable of addressing. Then we’ll consider what you as a designer can potentially address.
Issues with Data
Much of the time, when you think of online privacy issues, you’re thinking of data issues. You may find yourself asking, why are they asking for such personal information? Is my data going to be secure? Who is it being shared with? How can I prevent it from being shared if I don’t want it shared? What should I expect if my information is leaked? And so on. You may find yourself cringing a little before joining a new experience and then proceeding with the shaky hope that you can trust the platform. Because there are a lot of problems that you can encounter with data.
Note, too, that some of these issues apply to the security of data but can have alarming subsequent impacts upon privacy, too. Everything is entangled.
Data Leaks and Hacks
Globally, users’ data is increasingly exposed via a preponderance of data leaks. In April 2021, for example, Facebook, the largest, most popular social media platform on the planet, was hacked. Subsequently, data for half a billion users—533 million to be specific—was leaked online, including people’s personal information, such as their full names, phone numbers and email addresses, birthdates, and locations. That’s precisely the sort of data that bad actors utilize to commit identity theft and fraud.
Early in 2024, a notorious hacker named USDoD announced that they had stolen the Social Security numbers of every United States citizen, after they hacked the data broker company National Public Data, stealing the records of some 2.9 billion people. A data breach of that scale could also ignite a firestorm of identity theft and fraud crimes.
In July 2024, too, AT&T announced that call records for almost all their customers had been stolen, potentially affecting over 100 million customers, but also anyone whom those customers called or texted. That leak included people’s phone numbers and location data, but not the contents of any calls or messages. AT&T paid the hacker to delete the files. However, no one can be certain that data was completely deleted, and much could be inferred about individuals based upon their call records. As The New York Times pointed out:
Careful analysis might reveal someone’s political affiliations or sexual orientation based on the businesses and organizations they interact with. It could also show if someone has contacted abortion services or gender-affirming health care. That information could then be used for harassment, or possibly legal action depending on where the person lives.
Again, these are security issues that designers can’t necessarily solve for, but you can see how they could also have a profound effect upon people’s privacy once specific elements of data are loosed into the wild.
Those are just three examples among thousands of data breaches that occur annually in the United States alone. Leaks like these are so common now that we almost shrug them off: Their scale may be too great to wrestle with.
What is Q Day?
Imagine if all your passwords suddenly became useless for protecting your personal information. In 2019, tech journalist Christopher Mims reported that security experts feared that, within a decade, bad actors using quantum computers would break through the existing encryption technology that protects our data. Those experts hope to pinpoint new ways to protect our personal information—and quickly. Cybersecurity researchers now fear generative AI will be directed to mimic biometrics, too, spoofing your fingerprints or your face, for example, and undermining what has been considered a powerful source of security for personal data.
In early 2025, Amit Katwala reported for Wired on this coming “Q-Day” in his ominously titled piece, “The Quantum Apocalypse Is Coming. Be Very Afraid.” “[On] Q-Day,” he wrote, “everything could become vulnerable, for everyone: emails, text messages, anonymous posts, location histories, bitcoin wallets, police reports, hospital records, power stations, the entire global financial system.”
If it came, Q-Day would be a massive security event, but one that would have profound implications for privacy in its aftermath. Contemplating it reinforces the point that companies should have good reasons to request certain personal information from users and that individuals should take care as to what they post online and pay close attention to their privacy settings for any experiences they’re using. Note that designers can help in those two areas, too: Handling how data is requested and providing users with controls for how their data is used.
Data Sharing and Transparency
Perhaps the most common way that people’s privacy is abused happens right under their noses every day: People are often not aware of the degree to which they’re being tracked across the internet and to which their data and browsing behavior is shared with scores of other companies.
In the introduction, you learned how your vacuum cleaner may be watching you, and your car might be sending the data about your sex life to the automobile maker. But the demand for your data is far more pervasive, extending far beyond those two more outrageous examples.
The demand for personalized content fueled by a wealth of personal data seems higher than ever. People say they want personalized ads, so you’d think they’d enjoy sharing their data. If you let a company follow you around the internet, theoretically, you’ll be served up better content and more targeted advertising. But things start to look very different when you ask people if they are OK with how personalization works, exactly.
In 2019, the network security company RSA found that only 17 percent of respondents believed it was ethical for companies to track their online activity to provide them with personalized advertising. As far back as 2014, a Pew Research survey found that 91 percent of adults believed that “consumers have lost control over how personal information is collected and used by companies.” Additionally, 80 percent of respondents who used social networking sites said they were “concerned about third parties like advertisers or businesses accessing the data they share on these sites.”
In 2023, Publishers Clearing House Consumer Insights shared the results of their survey of 45,000 respondents. It showed that 86 percent of Americans were more concerned about their privacy and data security than about the state of the U.S. economy. Still, two-thirds of Americans don’t grasp either how their data is being used or how many entities have access to that information.
Case Study
Data and Roe v. Wade
In early 2022, critics began voicing concerns that, if Roe v. Wade were overturned, personal data could be reviewed to pinpoint pregnant individuals who might be considering an abortion. This wasn’t an entirely new concern. For example, in 2019, attorneys found that Missouri regulators had combed through publicly released but anonymized information about patients’ menstrual periods from the last remaining Planned Parenthood clinic in the state, hoping to uncover individuals who had undergone failed abortions.
When Roe v. Wade was overturned, these concerns escalated. Within days, Planned Parenthood announced they would remove Facebook’s Meta Pixel from their site. This marketing tool allowed Facebook to track any visitors who visited the nonprofit’s website. The online tech news organization The Markup had been covering the use of the Pixel and other ad trackers since at least 2021. Days before Roe v. Wade was overturned, they released a study of 100 hospitals showing that 33 of them had inadvertently been sharing their patients’ medical information with Facebook. That meant that every time visitors to these sites scheduled an appointment, they unwittingly sent Facebook their data as well. Remarkably, The Markup also found the Pixel planted inside several password-protected patient sites. Vice also reported on Placer.ai, a company whose data-enabled heat maps had allowed searchers to discover the approximate locations of people who had visited Planned Parenthood clinics.
Immediately after SCOTUS overturned Roe v. Wade, privacy experts advised women and trans men to delete period tracking apps like Flo and Clue for fear they might eventually surrender sensitive data to law enforcement. The companies behind those apps responded by declaring their safety, promising they would continue to follow existing privacy laws. Flo soon announced they had begun work on an “anonymous mode” within their app to address these spiking privacy concerns.
But deleting period trackers may not be enough. Experts will remind us that emails, texts, internet searches, and website visits have all been used already to convict women on abortion-related charges. Authorities could use the location data from people’s mobile devices to gather evidence against them, too.
This post-Roe fear offers just one reminder of the potential harm that can come to people when their data isn’t handled respectfully or, alarmingly, when data offered by individuals for initially innocuous reasons can later be used in ways that could prove profoundly harmful to them. It also reveals how privacy issues can emerge suddenly that affect already at-risk or disadvantaged groups. We should also remember that privacy issues can affect anyone, underscoring the need for us to consider specific best practices for both requesting and handling personal data carefully and responsibly.
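As an added example (not from the book), here is the kind of offline check The Markup’s hospital study implies: a small Python auditor that parses a page’s HTML, flags the Meta Pixel loader, and lists form fields that look like patient data, so the two can be reviewed together before a page ships. The tracker host list and the sensitive-field pattern are assumptions for the example, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tracker hosts to flag. Constructed list for this example; connect.facebook.net
# is the real host from which the Meta Pixel snippet loads fbevents.js.
TRACKER_HOSTS = {"connect.facebook.net": "Meta Pixel"}
FBQ_INIT = re.compile(r"fbq\(\s*['\"]init['\"]")
# Field names that suggest patient or health data (constructed heuristic).
SENSITIVE_FIELD = re.compile(
    r"patient|appointment|diagnosis|medication|birth|dob|ssn|insurance|pregnan",
    re.IGNORECASE)


class TrackerAuditor(HTMLParser):
    """Collect external script hosts, inline script text and form field names."""

    def __init__(self):
        super().__init__()
        self.script_hosts = []    # hosts of external <script src=...>
        self.inline_scripts = []  # text of inline <script> blocks
        self.field_names = []     # name attributes of form controls
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.script_hosts.append(urlparse(a["src"]).hostname or "")
            else:
                self._in_script = True
        elif tag in ("input", "select", "textarea") and a.get("name"):
            self.field_names.append(a["name"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_scripts.append(data)


def audit_page(html):
    """Report trackers, sensitive form fields, and whether both appear together."""
    p = TrackerAuditor()
    p.feed(html)
    trackers = sorted({TRACKER_HOSTS[h] for h in p.script_hosts if h in TRACKER_HOSTS})
    # The standard Pixel snippet injects its loader from inline JS, so an
    # fbq('init', ...) call counts even when no <script src> names the host.
    if any(FBQ_INIT.search(s) for s in p.inline_scripts) and "Meta Pixel" not in trackers:
        trackers.append("Meta Pixel")
    sensitive = [n for n in p.field_names if SENSITIVE_FIELD.search(n)]
    return {"trackers": trackers, "sensitive_fields": sensitive,
            "risk": bool(trackers and sensitive)}


# Constructed sample page: an appointment form alongside a Pixel install.
SAMPLE_HTML = """<html><head>
<script>fbq('init', 'PLACEHOLDER_PIXEL_ID'); fbq('track', 'PageView');</script>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body><form action="/schedule" method="post">
<input name="patient_name"><input name="date_of_birth">
<select name="appointment_reason"></select><input name="email">
</form></body></html>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML))
```

A page behind a login is audited the same way by feeding it the authenticated HTML, which is where The Markup found the Pixel in several patient portals.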
For example, how many third parties do you think some of the most popular websites people visit would share their data with? Dozens? Hundreds? Wired looked at the top 10,000 websites and found that thousands shared data with hundreds to well over 1,000 third parties. One popular quiz site, JetPunk, shares data with over 1,800 “partners.” Over 20 sites, including Investopedia.com, People.com, and Allrecipes.com, all owned by the publisher Dotdash Meredith, disclose that they may share data with 1,609 partners. Your eyes may glaze over when you see numbers like that as it’s difficult to process the impact. In fact, Midas Nouwens, an associate professor at Aarhus University in Denmark who worked with Wired on the study, suggests that even an indication that data is being shared with more than five to ten partners becomes somewhat useless: “That’s still too many for anybody to really form an opinion on considering how opaque and complex this whole data processing pipeline is.”
If the mass-scale yet largely opaque sharing of data with business partners proves concerning, the practice of data sharing—intentionally or inadvertently—with law enforcement and other government bodies can prove positively alarming.
These data sharing issues impact people in different ways globally, too. For example, Egyptian police have been known to use dating apps like Grindr and WhosHere to entrap LGBTQIA+ people. Human Rights Watch reported dozens of instances where law enforcement in Egypt, Jordan, Lebanon, Iraq, and Tunisia harassed members of the LGBTQIA+ community after monitoring them on social media. Human Rights Watch criticized some social media companies for not providing better moderation and protection within their experiences. And although Grindr warned people in Egypt that law enforcement may try to entrap them, Norway fined the company a then-record 65 million kroner ($7.16 million) for sending users’ personal information to hundreds of business partners without the users’ consent.
Unfortunately, these examples represent the tip of the tip of the proverbial iceberg where data sharing issues are concerned. You could devote an entire book to this topic alone. Often, companies are not transparent about the data they use or who they’re sharing it with. As a designer, you can certainly advocate for improvement in this area.
Invasive AI
The increasing use of technology such as facial recognition and other forms of biometrics taps into your personal data and enables innumerable companies, agencies, and authorities to monitor you at staggering scale and in staggering detail. Increasingly, if you live in a large city or metropolitan area, you may find yourself exposed to these technologies daily without even knowing it.
Facial Recognition
Clearview AI is a facial recognition platform that offers services to law enforcement and other government agencies. The company downloaded over three billion photos of people from social media sites, such as Facebook, Instagram, and LinkedIn, and used those images to build facial recognition models for millions of people globally without their permission. Clearview was hacked in 2020, and the stolen data revealed information about all their customers, including various law enforcement agencies, such as the police, the Department of Homeland Security, and the FBI. The company boasts they have over 50 billion images in their law enforcement database.
Notably, then, the use of facial recognition by law enforcement has led to several false arrests. In 2023, for example, police arrested an eight-months-pregnant woman, Porcha Woodruff, and accused her of carjacking. They handcuffed her and took her to a detention center, where she spent 11 hours denying the charges, only for law enforcement to find they had made a false arrest due to a false match. At that time, Woodruff was one of six people to say they’d been falsely arrested because of facial recognition failures. All those individuals were Black.
Still, the U.S. government continues to divine new use cases for the technology. In 2024, MIT Technology Review reported that the Department of Homeland Security hoped to use facial recognition to identify migrant children, starting at infancy, in order to track them as they age.
The private sector leverages this technology, too. Stores such as Ace Hardware, Albertsons, Macy’s, and Rite Aid have used facial recognition programs to identify customers. Some use apps to track customers around their stores so they can present them with ads online later. Rite Aid was eventually banned from using facial recognition after the FTC determined they had launched the technology without putting the proper safeguards in place. The company relied on poor-quality images, for example, which resulted not only in false positives but in false arrests, particularly of women and people of color.
The grocery store chain Kroger came under scrutiny in late 2024, too, for a plan to use both digital price tagging and facial recognition in their stores, which critics feared could lead to price gouging and charging customers varying prices according to their identities. Kroger and Walmart have been experimenting with digital pricing: Both companies claim they would not use it to enable surge pricing.
Misuse of Biometric Data
In early 2021, Amazon began requiring some 75,000 delivery drivers to sign consent forms that allowed the company to collect those drivers’ biometric data and to use AI cameras to monitor their location, movement, and driving patterns. If a driver so much as yawned, it triggered a camera to record their motions. Some drivers quit over this form of “AI surveillance.” “It was both a privacy violation, and a breach of trust,” one driver told Thomson Reuters at the time. “And I was not going to stand for it.” The manager for another driver told Vice, “It’s a heart-breaking conversation when someone tells you that you’re their favorite person they have ever worked for, but Amazon just micromanages them too much.”
Deepfakes and Voice Spoofing
Various forms of generative AI now enable bad actors to spoof your face, your body, and your voice in ways that can prove destructive to your privacy and security, too.
When the war in Ukraine commenced, you may have seen deepfake videos debut featuring both Vladimir Putin and Volodymyr Zelensky. You’ve also likely seen them used for Presidents Joe Biden and Donald Trump, or even Pope Francis (see Figure 1.1), sometimes simply for humorous effect, but often for disseminating propaganda and misinformation, as well.

Figure 1.1
Many early viewers of this AI-generated image of Pope Francis seemingly decked out in a fashionable puffy coat believed it was real.
These deepfakes could, conceivably, trigger disastrous reactions. Increasingly, however, they can create havoc for everyday people, too. The distribution of deepfake nudes has become an increasing problem, and the technology is so readily available that teenagers have been arrested for creating deepfakes of their schoolmates. You may have heard any number of stories now of people receiving phone calls from a distraught relative, asking for ransom money because they’ve been kidnapped, only to discover they had been scammed by crooks using voice cloning to spoof their child or relative’s voice. The FTC quickly outlawed robocalls using AI-generated voices, but stories like this may make you feel like you’re living in a cyberpunk novel.
We’ll explore some extraordinary examples of how AI is undermining online privacy in Chapter 11, “The Evolving Impact of Privacy Policy,” as well as guidelines for mitigating its impact.
Cyberstalking and Bullying
Implicit in issues such as Amazon’s use of biometrics is the fact that people are being tracked via their mobile devices in ways unprecedented in human history. If you have a mobile phone and you use any apps or websites at all, your movements in the real world are constantly being tracked. So are the fine details of your online behavior.
As the details of our personal lives have become increasingly available online, cyberstalking and cyberbullying have increased, too. It’s not unreasonable to conclude that these forms of harassment have risen along with the growth of social media. A September 2020 Pew Research Center study showed that 41 percent of Americans had experienced some form of online harassment, with about half of those saying they had been harassed due to their political beliefs. Thirteen percent of women said they had been stalked online. Pew confirmed that these forms of online harassment had grown since 2014 and that more severe forms of harassment, including physical threats, stalking, sustained harassment, and sexual harassment had intensified since 2017.
Research also seems to confirm a rise in cyberstalking and cyberbullying among university students and staff during the COVID-19 pandemic. Calls to the National Stalking Helpline related to cyberstalking increased during the pandemic, too.
When you are developing apps that encourage people to share their geographic data—even with family members—you must consider the potential for harm. For example, at Razorfish, our team had to consider what might happen if a couple using a car manufacturer’s app broke up, but both still had access to each other’s geographic location because they could see where a vehicle was at any time.
In Chapters 8, “Provide Tools for Enabling Privacy,” and 9, “Cultivating a Culture of Privacy by Design,” we’ll look at two cases where well-known, heavily used apps might inadvertently become “stalkerware” because they debuted features that allowed people’s geographic data to be made public by default.
Note: Safety & Privacy
Just as considerations for privacy and security overlap, so do considerations for safety and privacy. Issues such as harassment, abuse, dogpiling, and online stalking that affect users’ safety online feel like attacks on users’ privacy, as well, especially when they lack tools to keep their accounts private or to block specific users from viewing their content. Safety by design is an approach or process in its own right, with its own set of principles that you may want to investigate.
What Can Designers Address?
I mention all these issues to highlight the growing scale and diversity of the privacy issues we’ve been steeping in and, sadly, acclimatizing to. You can address some of these issues as a designer. Others, such as those more closely related to security breaches, you likely can’t. You can, however, work to create experiences that help ensure users’ security, and you can pledge to warn users about potential security issues involving their data.
And, as this book will show, people consistently bring up an array of specific online privacy concerns that designers can address.
For example, they express frustration and even fear about the following:
- Companies that share opaque privacy policy changes they can’t understand.
- Lack of transparency around how their personal data is collected and what happens with it afterward.
- Deceptive patterns that trick them into accidentally sharing their personal information.
- Experiences sharing their personal, sometimes intimate interests and preferences without their knowledge or consent.
- Apps and websites tracking their online activity and even their geographic location without their knowledge or consent.
- Experiences accessing, sharing, or reaching out to their contacts without their knowledge or consent.
- Experiences failing to offer them tools to control their personal data, delete or export their personal data, or cancel their accounts.
These are incredibly common privacy-related issues you can help prevent, or resolve, or, at least, mitigate in one way or another. They are real issues that affect real people.
The Takeaway
After studying these privacy-related experience issues for several years now, I’ve found that approaches for addressing these issues generally fall into a handful of categories.
Privacy issues can be addressed by considering one or more of the following key practices:
- Handle people’s data responsibly.
- Avoid deceptive experience patterns.
- Advocate for better use of language.
- Provide tools that empower users to maintain their privacy.
Those approaches reflect four pillars for privacy by design. They form the core of this book. The pillars rest upon a foundation, too: a design culture better attuned to privacy concerns. Combined, these pillars and that foundation provide support for stronger, more authentic, and human-centered privacy user experiences.