UsersFirst: A User-Centric Privacy Threat Modeling Framework for Notice and Choice

Authors: 

Tian Wang, Xinran Alexandra Li, Miguel Rivera-Lanas, Yash Maurya, Hana Habib, Lorrie Faith Cranor, and Norman Sadeh, Carnegie Mellon University

Abstract: 

In today’s data-driven economy, the rapid adoption of AI amplifies our dependence on personal data across complex dataflows. In response, emerging data privacy regulations demand usable privacy notice and choice mechanisms, in addition to more stringent data collection and usage practices. Organizations seek guidance to systematically identify and mitigate privacy risks, as penalties for non-compliance have intensified. Privacy threat modeling frameworks like LINDDUN, NIST Privacy Framework, and MITRE’s PANOPTIC framework offer structured methodologies for analyzing and addressing privacy risks, but these frameworks only provide limited guidance on effective privacy notices and choices. This poster introduces UsersFirst, a user-centric framework designed to supplement existing frameworks by helping organizations enhance their privacy notices and choices. UsersFirst emphasizes the need for notices and choices to be noticeable, usable, unambiguous, and free from deceptive designs, reflecting emerging trends in privacy regulations. This framework provides a systematic methodology for identifying and mitigating potential threats, enabling organizations to determine their acceptable risk thresholds and objectives.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.