Editor's Note:

This is the first in a series of Privacy Tech posts focused on privacy engineering and UX design from Humu Chief Privacy Officer Lea Kissner. 

Who/what/where is a simple mnemonic for user interface design. I’ve had fantastic results teaching it to product managers and user experience designers. The user interfaces they designed had far fewer privacy issues, and the privacy features in those interfaces were more smoothly designed into the product experience. Simple mnemonics (plus reinforcement when someone makes a mistake) can have a huge impact on privacy issues that have to be handled by humans but function best when they fit into the flow of daily work.

The rule: Every time that a user takes an action, there are three things that they need to know: who, what and where.

Let’s take these in turn.

Who: The user needs to know who they are — that is, the identity that they’re using.

First, they need to know which account they’re using. While this might seem simple, people use multiple accounts in many cases. They might have a personal email account, a work email account and one for running a volunteer organization. They might have a social media account they use with family and another one they very much want to keep separate, perhaps because they are transgender and have not yet come out, they do not share the rest of the family’s religious identity, or they are ashamed of their secret love for jazz drumming. Many people share mobile devices or laptop/desktop computers and so someone might have changed the active account since the current user was last using the device.

Do not cross the streams. Help people understand which account they are currently using (for example, by prominently placing their name on the page) and how to switch to another account, either by supporting multiple concurrent accounts or by inviting the user to log out.

What: The user needs to know what action they are taking.

“What” is the most intuitively obvious requirement: The user needs to understand what action they are taking with regard to what object(s). Are they deleting a photo? Are they submitting a college application? Is all the data controlled by that action visible, and is it clear what data is affected by that action?

Where: The user needs to know where the relevant data is visible, especially to which people on what surfaces.

Understanding of “where” is most relevant when the user is taking some kind of sharing action. If the user is sharing a photo, which other people will be able to see the photo? Let’s say that they are posting a social media post about a restaurant for anyone on the internet to be able to see (and potentially copy). Will it be posted only on that social media site, or will the site operator post it also on secondary sites, like a restaurant review site? This will give the post a new audience; some of that new audience may come back to make the original writer uncomfortable. Will people on that restaurant review site be able to easily interact with the person who wrote about the restaurant? That lowers the amount of energy needed for that new audience to come back and interact.

That may make the writer happy or unhappy, but they need to understand the surfaces on which their data will end up in order to make that judgment.