In 2014, I began the Privacy Illustrated project in which I asked people to draw pictures of what privacy meant to them. I visited schools and community events and entreated people to draw something, even if they had no artistic skills. I paid crowd workers for drawings of privacy and collected drawings from students in my classes and people attending my talks. I now have a large collection of colorful drawings that includes many elements that do not come as much of a surprise: locks, doors, windows, eyes, blinds, shields, houses, and cameras.[4] And I have more than two dozen drawings featuring what is perhaps the most quintessential example of a private space: the bathroom.
I first noticed the bathroom drawings among the contributions from children: Simply drawn toilets, some with stick figures perched upon them, some with doors and siblings depicted waiting on the other side, others with heads sticking out from shower curtains or hovering above bath water. Accidental intrusions on bathroom privacy are depicted with cartoon bubble screams.
Bathroom privacy resonates with people of all ages. Adults drew feet peeking out from below public bathroom stalls and smiling stick figures enjoying a shower with a locked door (see Figure 1). While children drew the bathroom as a refuge from siblings, adults drew themselves sitting on a toilet and enjoying a break from spouses, children, and pets.[a]
The association between bathrooms and privacy in these drawings reminded me of a thought experiment carried out at CHI 2014 in which a team of hackathon participants[b] posted rather convincing signs around the Toronto Convention Center announcing that the Quantified Toilets company had installed smart toilets that were analyzing biological waste and tracking individual data (Figure 2). An accompanying website displayed a real-time stream of anonymized data, purportedly from the convention center's toilets, including sex, size, and information on odor, blood alcohol, drugs, pregnancy, and infections.
Although the website was a hoax, the thought experiment was an eye-opening experience for many CHI attendees. While it is not difficult to imagine beneficial uses of smart toilets in hospitals and homes, the idea of putting them in public places was a bridge too far for many.
A few months later, as I was writing an exam for my Usable Privacy and Security course at Carnegie Mellon University, I struggled to develop a good question that would force students to go beyond traditional policies and checkboxes when answering questions about usable privacy notices and consent experiences. Recalling Quantified Toilets, I asked my students to propose a usable approach to notice and consent for smart toilets in public bathrooms. The students' responses were thoughtful and creative. Since then, I have used this design problem as a group exercise in my university classes as well as in conference tutorials.
At conferences, I distribute markers and chart paper to attendees at each banquet table. After talking about privacy design, I tell them about some existing smart toilets, smart urinals, and bodily waste surveillance systems. Then I introduce them to the fictitious Quantified Toilets company and explain that in order to sell their toilets for use in public restrooms they need to determine how to provide notice and choice. I ask attendees at each table to develop a design proposal, thinking about how notice is displayed, and considering how the bathroom might be redesigned.
Although most participants have never heard of smart toilets (I expect that will soon change), this is a design problem they can immediately relate to, and each participant tends to come at it from a slightly different angle. After some uncomfortable laughter, the room starts to fill with eager discussion. Some start thinking about legal requirements, others think about ergonomics. Some are concerned that people will not want to touch a physical button and instead design buttons activated by voice or with foot pedals. Others note that people touch toilet flush handles anyway and propose to integrate choice mechanisms into those handles. Some are concerned that when people hang a purse or coat on a bathroom stall hook it might conceal a privacy notice. Others wonder about concerns of transgender people and how visually impaired people might be notified. Still others ponder whether children can legally provide consent and what should be done if someone uses a toilet without making a choice.
After some discussion about where to place notices and buttons, participants often consider the timing of the choice. Do people have to choose before they use the toilet? Can they choose before they flush? Can they revoke consent after they flush? Some wonder why people might be willing to consent and whether people might be interested in seeing their own data. Maybe people would like to take a copy of their data on a receipt or view it on their smartphone. If people decline to consent will they trust their data is not actually being collected? Maybe it would be better to just have two toilets: one with sensors and one without. What if there is a long line and people are coerced into using the toilet with sensors because they do not want to wait for the other one?
Some start to question why organizations would install these smart toilets in public restrooms. Will they be effective for monitoring the spread of disease? Indeed, wastewater testing has been used by universities, meat-packing plants, and municipalities to help pinpoint COVID-19 outbreaks.[1] In Pune, India, sensors in public toilets will provide early detection of outbreaks of cholera and other diseases as well as information about vitamin deficiencies.[2] Might this be used by employers to find out which of their employees are pregnant or on medication? Would law enforcement use data from stadiums and shopping malls to catch illegal-drug users? What other privacy issues might arise?
Some applications of smart toilets require tying toilet sensor data back to individuals. Fingerprint readers could do that, but a 2020 paper by Stanford University researchers suggests that unique anus patterns may be a more foolproof biometric, although one that may not be acceptable to users.[5]
Putting Notices to the Test
The smart toilet notice design problem also lends itself to a discussion of evaluation methods for privacy notices and consent mechanisms. Unfortunately, such evaluation is not yet the norm. Without evaluation, we are left with privacy notices that people do not understand (and most do not even try to read), and consent mechanisms that are difficult to find and often confuse people.[3] Researchers who study consumer notices emphasize the importance of evaluating disclosures through user studies.[6]
Before evaluating a smart toilet privacy notice and choice mechanism we must identify some goals and metrics. As with most notices, the purpose is to inform consumers, so we can measure the extent to which users understand the key points of the notice, as well as what their choices are. After exercising a choice, we can test whether users understood what they selected and whether their selection matched their actual preferences. These evaluations could be done in a lab or online study by presenting the notice and choice options to users. This will provide insights that will help improve wording and result in better comprehension, but user behavior in such a study may not match user reaction to a privacy notice when nature is calling.
To evaluate the notice and choice mechanisms in context, we may want to set up an experiment in an actual bathroom outfitted with prototypes of the proposed notice and choice mechanisms. The toilets in the bathroom need not have working sensors—indeed, there is less risk for participants if data is not actually collected. Participants could be given an exit survey after they leave the bathroom. They may be told up-front that the smart toilet sensors are hypothetical and asked to behave as they would if they were real, or researchers may use a deceptive approach, as was done in the CHI 2014 thought experiment, and debrief study participants after they finish an exit survey. The logistics of conducting a user study in a bathroom are certainly more complicated than conducting such a study online or in a lab, but an in situ study is likely to reveal real-world factors that otherwise would not be observed. (See Figure 3.)
Pictures Worth 1,000 Words
Besides the examples I described in this column, I have many images of difficult-to-use bathroom fixtures and interesting public restroom features that I include in my usable privacy and security lectures to illustrate the need for usable privacy mechanisms. Example photos include: hotel showers I struggled to turn on and high-tech toilets with icon-laden buttons, illustrating the need for privacy controls that are intuitive or accompanied by clear instructions; sinks full of water with no apparent way to release the stopper, illustrating the need to ensure important privacy features are not hidden; compact but awkward fixtures, reminding us that inconvenient interfaces annoy users and that we should not sacrifice usability to save space; and public restrooms with glass walls that can be turned opaque at the touch of a button, which raise questions about whether people trust technology to protect their privacy.
While it may not be a topic people typically talk about (unless they are parents of young children), bathrooms are surprisingly useful for conveying concepts related to both privacy and usability.
2. Givetash, L. and Gupta, P. India's city of Pune focuses on sanitation system of the future. NBC News (Jan. 10, 2019); https://nbcnews.to/2RSqJmV
3. Habib, H. It's a scavenger hunt: Usability of Websites' opt-out and data deletion choices. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (CHI '20). ACM, New York, NY, USA, 2020, 1–12; DOI: https://doi.org/10.1145/3313831.3376511
4. Oates, M. Turtles, locks, and bathrooms: Understanding mental models of privacy through illustration. In Proceedings on Privacy Enhancing Technologies 4 (2018), 5–32; https://bit.ly/3y969zd
5. Park, S. et al. A mountable toilet system for personalized health monitoring via the analysis of excreta. Nat. Biomed. Eng. 4 (2020), 624–635; https://doi.org/10.1038/s41551-020-0534-9
6. U.S. Federal Trade Commission. Putting Disclosures to the Test. Staff Summary. (Nov. 2016); https://bit.ly/3hnJ7P6
a. More drawings from the Privacy Illustrated collection are available at https://bit.ly/3olLZxp
The Digital Library is published by the Association for Computing Machinery. Copyright © 2021 ACM, Inc.