
“I don't necessarily trust my childcare”: Securing Electronic & Physical Personal Information


Laurian Vega, Tom DeHart, Steve Harrison, Dennis Kafura
Center for Human Computer Interaction, Computer Science
2202 Kraft Drive
Virginia Tech, Blacksburg, VA
{Laurian, SRH, Kafura}@vt.edu, TDehart@gmail.com

There is a need in HCI to study how issues of trust and privacy can and do affect the ad hoc negotiation of security rules and how they are managed by humans in actual practice. In this paper we present some initial studies, interviews and observations, to examine the physical and electronic security practices of childcares and medical offices. We show that the issues of human-mediated monitoring, information redundancy, and the creation of a community of trust all affect aspects of the human-side of security.

1. PROBLEM & MOTIVATION
Traditionally, electronic and physical security was thought of as rules, locks, and passwords. More recently, security research has explored how security is part of a larger socio-technical system [7] that involves people working with technology and their environments to create safe systems. When examining security as one part, or as a supporting mechanism, of a socio-technical system, issues of trust, privacy, and negotiation start to appear. It is our goal therefore to look at how these socio-technical factors affect actual practice to provide insight into designing effective security measures.

We examine information-rich environments that involve significant amounts of collaboration with sensitive information documentation, access, and retrieval. The two domains that we have explored are childcares, where both parents and childcares provide information about a child’s developmental and physical progress, and small medical practices, where patients and medical staff provide information about the patient’s health. In this poster we present the initial findings from interviews and observation studies in these domains.

2. BACKGROUND
A plethora of research is emerging to explore the human-side of security. Bellotti and Sellen [1] created a design framework for looking at the security aspects of user feedback and control when creating ubiquitous technologies. Similarly, the work of Flechais et al. [4] demonstrated the difference between social and technical security measures. By their definitions, security measures are progressive and adaptive yet are unreliable due to emotions and circumstances. Technical security, on the other hand, works well on repetitive tasks, but is less flexible in unknown cases. In our studies we explore how security is affected by technical and social measures in order to provide insight to design.

Dourish and Anderson [2] approach security from a social science perspective to emphasize that security is a practical phenomenon and discursive practice. Dourish and Anderson’s work is similar to ours in that it focuses on the idea of practice being central to understanding how work really gets done securely [6].

There is prior work to understand how child and health care can be designed from a user perspective. The qualitative design work of Kientz et al. [5] demonstrated the parent’s need to document a child’s milestones and relevant medical information. They found that design issues such as ‘providing a reliable information source’ were central. Our work builds on this work in that we stress the collaborative nature of documenting information about children. In the broad realm of research on healthcare, the work of Reddy and Dourish [9] demonstrates how practice can affect information dissemination and communication in hospitals. In their paper temporal rhythms are proposed to explain community patterns in seeking, providing, and managing information. Our work is in a similar information area and uses a similar method, but our focus extends to how security is affected.

3. METHOD
Four studies were conducted using interviews and observations to explore security issues involved in the practice of collaborative sensitive information management. Basic dimensions of these studies are in Table 1. The summer studies involved interviews with the directors along with guided tours of their workplaces. Four childcare directors were selected for the second study as the representatives of the strongest information practices (i.e. least violations, clear information practices). These follow-up interviews lasted approximately 45 minutes. Two to four observation sessions lasting 2-3 hours each were conducted following the interviews. All interviews and observations were transcribed.

| | Childcare Directors | Medical Personnel | Parents |
|---|---|---|---|
| When | 5/09 - 12/09 | 5/09 – 9/09 | 9/09 – 12/09 |
| Number + Gender | Sum= 11F, 1M; Fall= 4W | 8W, 4M | 18W, 3M |
| Method | Interviews: 30 – 60 min; Observation | Interviews: 30 min | Interviews: 30 min |
| Location | Place of work | Place of work | Place of convenience |

Table 1. Dimensions of four studies by participant type, when conducted, study, method, and location.

All participants were from the southwest area of Virginia. This area is rural, yet technologically impacted by the proximity to the University. Waitlists exist for the best childcares and medical practices. All directors were recruited through a comprehensive
list of all area businesses; the response rates were 55% for childcares, and 26% for medical practices, not including the hospitals. Parents were recruited through listservs, flyers, and company newsletters. The only incentives provided to participate were offered to parents; parents were paid ten dollars.

Grounded theory was used for analysis. Grounded theory is a method of evaluating ethnographic data through the use of codes by sorting findings into “themes”. Themes then inform the research as data findings. (See [3] for a thorough explanation.) All data from the studies were coded by at least two researchers.

4. RESULTS

Human-Mediated Information Monitoring
The central nucleus of information being stored and managed about a patient or a child is located in their file. The centers in our studies kept the files in expansive filing shelves, or in filing cabinets. The location of the director’s office was either in the same space as the files, or directly next to the files. Indeed, accessing, searching, and managing the files is a large part of the role of the director. However, the role of director also extends to mediating the access and use of the files by others in the center.

In the case of childcares, there are instances when teachers or parents want to be able to look at a file. One director said, “When a teacher comes in and wants access to a file they have to come through me first and they have to tell me their reason basically, you know, why do you need to go in there?” This director is explaining how she monitors access to the files in a method that is more than simply checking access rights to information. She is additionally checking the teacher’s goal, which extends into managing information privacy. The director’s function is to mediate the information seeker’s goal in a way that is flexible, negotiated, and determined in a case-by-case fashion to best balance the need for information for work with the need to keep information private.

Information Redundancy as a Form of Security
Beyond the physical file containing information about a child or patient, there is information kept in other locations. From a security perspective having only one instance to protect is the simplest case. When information, however, becomes dispersed to better support individual practice, security becomes more difficult to manage due to numerous access points.

In both medical and child practices there were instances where information was outside the file. These include having a physical and an electronic file, having a file for billing and a file for medical history, having files for one patient between two medical centers, having information on hand in different spaces, and having electronic copies stored in an off-site location. One director explains duplicating information in multiple office locations, “We fax patient information back and forth... That happens hundreds of times a day…. Always with the big disclaimer this is medically protected information, and this is intended for so-and-so only.” She explains that someone then files the appropriate information and the remainder is shredded. This duplication of information functions to make sure that information is ready at hand when necessary for work and ensures that if the information is lost it is reproducible. Understanding what information is going to be kept in what space or form, and who has access to those instances is something that is determined by the function of the information and also the context surrounding the information use.

Community of Trust
To balance the need for access to information with the need to keep information secure, communities of trust were created within the centers we studied. One aspect of security that we asked about was the use of passwords. Computers, when used for accessing patient information, were generally in the director’s space, or the doctor’s office. Of those medical centers that used electronic systems, only seven (29%) had individual passwords. When asked why, a director said, “They can access anything. That’s their job.” This statement emphasizes that to be able to do the work required for the job, levels of security have to become normalized to function. Another example comes from the locking of physical filing cabinets. It is the official policy that filing cabinets containing files should be locked when the director is absent: “[files are] all kept in here in a cabinet that's locked when I’m not here and the door is locked as well.” The use of a key was, however, never observed.

These examples are not work-around security practices. They are, instead, examples of how communities establish and negotiate what needs to be made secure. It is a demonstration of contextual integrity [8] playing its role in facilitating communities of people trusting one another in situ.

5. DISCUSSION AND DESIGN IMPLICATIONS
Security and work practices are not in conflict with one another. What our research has demonstrated is that practice is what is enacted after security rules are put in place. It is through creating a community that values security that the rules can be understood.

At this stage we are starting to develop the tentative design implications for creating security solutions. The first involves understanding how a person-based and space-based hub of information can still function as a secure place if and when files become electronic. Will people still work through the human-mediated monitoring of the files? It is our belief that one person will still work closely with the file system and allow people limited temporary and decaying access. Access should be negotiated, as it is now, to still support community standards. The second design implication is that of reciprocity in knowing who accesses a patient or child’s files and when; if you can see my files, I should at least be able to see your information. Additionally, as technology use grows, electronic systems should not obfuscate the community standards so that the community of trust can continue to function.

Overall, the major implication for our findings is that electronic and physical security should be flexible to represent the shifting context of access and management of information.

6. CONCLUSIONS & CONTRIBUTION
Through our preliminary studies of child and health care practices we have shown that there is a balance between needing to get work done and needing to keep information secure. Three themes were explored to demonstrate how this balance is negotiated in practice to create functioning secure work places. We believe that our approach, while preliminary, offers valuable insight to furthering research on how understanding practice affects the design of secure systems.

7. REFERENCES
[1] Bellotti, V. and A. Sellen. Design for Privacy in Ubiquitous Computing Environments. In Proceedings of the Third Conference on European Conference on Computer-Supported Cooperative Work. 1993: Kluwer Academic Publishers.
[2] Dourish, P. and K. Anderson, Collective Information Practice: Exploring Privacy and Security as Social and Cultural Phenomena. Human-Computer Interaction, 2006. 21(3): p. 319-342.
[3] Eisner, E.W., The Enlightened Eye: Qualitative Inquiry and the Enhancement of Educational Practice. 1997: Prentice Hall.
[4] Flechais, I., J. Riegelsberger and M.A. Sasse. Divide and Conquer: The Role of Trust and Assurance in the Design of Secure Socio-Technical Systems. In Proceedings of the 2005 Workshop on New Security Paradigms. 2005. Lake Arrowhead, California: ACM.
[5] Kientz, J.A., R.I. Arriaga, M. Chetty, G.R. Hayes, J. Richardson, S.N. Patel, et al. Grow and know: understanding record-keeping needs for tracking the development of young children. In Proceedings of the SIGCHI conference on Human factors in computing systems. 2007. San Jose, California, USA: ACM.
[6] Lave, J. and E. Wenger, Situated Learning: Legitimate Peripheral Participation. 1991: Cambridge University Press.
[7] Mamykina, L., E.D. Mynatt and D.R. Kaufman. Investigating health management practices of individuals with diabetes. In Proceedings of the SIGCHI conference on Human Factors in computing systems. 2006. Montréal, Québec, Canada: ACM.
[8] Nissenbaum, H., Privacy as Contextual Integrity. Washington Law Review, 2004. 79(1).
[9] Reddy, M. and P. Dourish. A Finger on the Pulse: Temporal Rhythms and Information Seeking in Medical Work. In Proceedings of the 2002 ACM Conference on Computer Supported Cooperative Work. 2002. New Orleans, Louisiana, USA: ACM.
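
Added illustration, not part of the original paper or the authors' work: a sketch of the two design implications in Section 5, access negotiated through one mediating person that is temporary and decaying, and reciprocity in seeing who accessed a file and when. The class names, the record fields and the one-hour/one-day decay schedule are assumptions made for this sketch.

```python
from dataclasses import dataclass, field

# Assumed decay schedule (hypothetical): grant age limit in seconds -> fields still visible.
DECAY = [(3600, {"contact", "medical", "billing"}), (86400, {"contact"})]

@dataclass
class Grant:
    seeker: str
    subject: str
    reason: str
    approved_at: float

@dataclass
class FileHub:
    mediator: str                                # the person who negotiates access
    files: dict = field(default_factory=dict)    # subject -> {field name: value}
    grants: list = field(default_factory=list)
    log: list = field(default_factory=list)      # (time, seeker, subject, fields, reason)

    def approve(self, approver, seeker, subject, reason, now):
        # Case-by-case negotiation: only the mediator approves,
        # and only when the seeker states a goal.
        if approver != self.mediator or not reason.strip():
            raise PermissionError("grant needs the mediator and a stated reason")
        self.grants.append(Grant(seeker, subject, reason, now))

    def visible_fields(self, seeker, subject, now):
        # The latest grant wins; its scope shrinks with age, then disappears.
        for g in reversed(self.grants):
            if (g.seeker, g.subject) == (seeker, subject):
                age = now - g.approved_at
                for limit, allowed in DECAY:
                    if age < limit:
                        return g, allowed
                return g, set()
        return None, set()

    def read(self, seeker, subject, now):
        g, allowed = self.visible_fields(seeker, subject, now)
        if not allowed:
            raise PermissionError("no live grant; ask the mediator again")
        self.log.append((now, seeker, subject, sorted(allowed), g.reason))
        return {k: v for k, v in self.files[subject].items() if k in allowed}

    def who_saw(self, subject):
        # Reciprocity: the file's subject can list who read it, when and why.
        return [(t, s, r) for t, s, subj, _, r in self.log if subj == subject]
```

Here every read is recorded together with the reason the mediator accepted, so the audit trail carries the negotiated purpose rather than only an access-rights decision.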
