Expandable Grids

Expandable Grids are a conceptual design for displaying privacy and security policies to policy authors and end-users in a graphical format. Currently, the dominant model for policy-authoring interfaces may be called the list-of-rules model. List-of-rules interfaces are centered around a list of the rules in a policy; rules may be selected from the list for viewing and editing. The list-of-rules model has at least two major drawbacks. First, group membership information is not displayed in context with the rules, so a rule that names a group gives no visible hint of which users it actually affects. Second, rules may interact with each other, and even conflict with each other, yet list-of-rules interfaces give no indication of these interactions; it is left to the policy author to work out which rules will interact and how. In contrast, Expandable Grids show precisely what a policy allows or does not allow in a matrix with hierarchical axes that can be expanded or contracted to show more or less policy detail. Expandable Grids do not require policy authors to determine subtle interactions amongst rules; they show the holistic effect of all policy rules, thus relieving policy authors of the burden of figuring out how rules interact with each other.

Expandable Grids for setting file permissions

We have produced policy-authoring user interfaces based on the Expandable Grids idea for several policy-authoring domains. Figure 1 shows our interface design for viewing and editing file permissions policies on a Windows NTFS file system. The tree along the vertical axis at the left of the interface shows the resources—i.e., files and folders—in the system. The rotated tree along the horizontal axis at the top of the interface shows the principals—i.e., users and groups of users—in the system. At the intersection of these two trees is a grid that shows the access each principal has to each resource. Grid cells correspond to one principal and one resource. Each grid cell is further subdivided into a "subgrid", a large square divided into four smaller squares. The subgrids allow the interface to show a third policy dimension—type of access. The upper left square in each group of four squares indicates read access, the upper right square indicates write access, the lower left square indicates execute access, and the lower right square indicates delete access. Green squares indicate access that is allowed, red squares indicate access that is denied, and yellow squares indicate that items lower in one or both trees have a mixture of allowed and denied access.


Figure 1. The XP File Permissions Expandable Grid Interface

In the figure, the highlighted grid cell corresponds to the group "TAs 2007" and the file "Bach.ppt". The green squares of the subgrid indicate that read and write access are allowed to all members of the TAs 2007 group, the red square indicates that delete access is denied to all members of the group, and the yellow square indicates that execute access is allowed to some (the Administrator), but not all of the members of the group.

When a rule is set at the group level, its effects are immediately propagated to the members of the group, so that the access indicated in the grid is always the access that will be given.

The Expandable-Grid-based interface is a significant improvement over the native list-of-rules interface for setting file permissions in Windows XP. Figure 2 shows the native XP file permissions interface. The left-hand part of the figure shows the rules applying to the group ProjectF; the right-hand part shows the rules applying to the user wesley. From the right-hand part alone, it appears that wesley is allowed read access but not write access. In fact, he IS allowed write access, because he is a member of the ProjectF group and the group's rule grants it. Because the native interface shows only the rules that name one principal at a time, rather than the effective access that results from all rules together, it does not make wesley's actual access clear; user studies we have conducted have confirmed that many policy authors misinterpret this policy.
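The following is an added example, not code from the project described on this page, of the computation an Expandable Grid cell depends on: resolving each user's effective access from rules on a resource and the folders above it, for the user and every group the user belongs to (the propagation described above), then rolling those per-user results up into the green/red/yellow subgrid squares, and contrasting that with what a list-of-rules view shows. The group names, users, files and rules are constructed sample data; only the names come from the page. The access-check semantics are a simplified, assumed model of NTFS (any matching deny wins over allow, and no matching rule means deny), not a faithful reimplementation of the Windows algorithm.

```python
"""Effective-access roll-up behind an Expandable Grid cell (added example).

Simplified NTFS-like model, an assumption of this example rather than the page's
implementation: a rule is (principal, resource, action, effect). A user's effective
access to a resource is decided by the rules on that resource and on every folder
above it, for the user and for every group the user belongs to. Any matching DENY
wins over ALLOW; with no matching rule the default is DENY.
"""

ACTIONS = ("read", "write", "execute", "delete")   # subgrid order: UL, UR, LL, LR
ALLOW, DENY = "allow", "deny"

# Constructed sample data (hypothetical; only the names come from the page).
GROUPS = {
    "ProjectF": {"wesley", "alice"},
    "TAs 2007": {"Administrator", "bob", "carol"},
}
# Resource tree as child -> parent; rules on a folder apply to everything in it.
PARENT = {
    "Course": None,
    "Course/Bach.ppt": "Course",
    "Course/Notes": "Course",
    "Course/Notes/week1.txt": "Course/Notes",
}
RULES = [
    ("wesley", "Course", "read", ALLOW),
    ("ProjectF", "Course", "write", ALLOW),            # wesley gets write via ProjectF
    ("TAs 2007", "Course/Bach.ppt", "read", ALLOW),
    ("TAs 2007", "Course/Bach.ppt", "write", ALLOW),
    ("TAs 2007", "Course/Bach.ppt", "delete", DENY),
    ("Administrator", "Course/Bach.ppt", "execute", ALLOW),
]


def principals_of(user):
    """The user itself plus every group it belongs to."""
    return {user} | {g for g, users in GROUPS.items() if user in users}


def ancestors(resource):
    """The resource itself and every folder above it, nearest first."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]


def effective(user, resource, action):
    """Does this one user actually get this one action on this one resource?"""
    scope = principals_of(user)
    chain = set(ancestors(resource))
    effects = {eff for p, r, a, eff in RULES
               if p in scope and r in chain and a == action}
    if DENY in effects:          # an explicit deny anywhere in scope wins
        return False
    return ALLOW in effects      # otherwise allowed only if some rule allows


def members(principal):
    """Leaf users covered by a principal: a group's members, or the user itself."""
    return set(GROUPS.get(principal, {principal}))


def descendants(resource):
    """The resource plus everything below it in the tree."""
    return {r for r in PARENT if resource in set(ancestors(r))}


def cell(principal, resource, action):
    """Colour of one subgrid square: 'allow' (green), 'deny' (red) or 'mixed' (yellow).

    Yellow means the users under this principal, or the items under this resource,
    do not all get the same answer, which is exactly what collapsed tree nodes hide.
    """
    outcomes = {effective(u, r, action)
                for u in members(principal) for r in descendants(resource)}
    if outcomes == {True}:
        return ALLOW
    if outcomes == {False}:
        return DENY
    return "mixed"


def subgrid(principal, resource):
    """All four squares of one grid cell, keyed by action."""
    return {a: cell(principal, resource, a) for a in ACTIONS}


def rules_naming(principal):
    """What a list-of-rules view shows: only rules that name this principal directly."""
    return [(r, a, eff) for p, r, a, eff in RULES if p == principal]


if __name__ == "__main__":
    print("TAs 2007 x Bach.ppt:", subgrid("TAs 2007", "Course/Bach.ppt"))
    print("rules naming wesley:", rules_naming("wesley"))
    print("wesley's effective access to Bach.ppt:", subgrid("wesley", "Course/Bach.ppt"))
```

With this sample data, `rules_naming("wesley")` returns only the read rule, which is the list-of-rules view of the policy, while `effective("wesley", "Course/Bach.ppt", "write")` is true because of the ProjectF rule on the parent folder; the TAs 2007 row for Bach.ppt comes out green for read and write, red for delete and yellow for execute, since only the Administrator has an execute rule.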


Figure 2. The Current XP File Permissions Interface

Expandable Grids for displaying P3P policies

We have applied the Expandable Grid concept to showing Platform for Privacy Preferences (P3P) policies as well. P3P is a formal language for a website to express its privacy practices. We designed the interface shown in Figure 3 for displaying P3P policies to website users, so that they may understand the policies of websites with which they interact.


Figure 3. A P3P Expandable Grid Reader

User studies

We are currently conducting user studies to determine how well people comprehend Expandable Grids interfaces and whether they can perform policy authoring tasks more quickly and accurately with Expandable-Grids-based interfaces than with list-of-rules interfaces.