Security and Privacy Software Creators' Perspectives on Unintended Consequences

Security & Privacy (S&P) software is created to have positive impacts on people: to protect them from surveillance and attacks, enhance their privacy, and keep them safe. Despite these positive intentions, S&P software can have unintended consequences, such as enabling and protecting criminals, mis-leading people into using the software with a false sense of security, and being inaccessible to users without strong tech-nical backgrounds or with specific accessibility needs. In this study, through 14 semi-structured expert interviews with S&P software creators, we explore whether and how S&P soft-ware creators foresee and mitigate unintended consequences. We find that unintended consequences are often overlooked and ignored. When addressed, they are done in unstructured ways—often ad hoc and just based on user feedback—thereby shifting the burden to users. To reduce this burden on users and more effectively create positive change, we recommend S&P software creators to proactively consider and mitigate un-intended consequences through increasing awareness and edu-cation, promoting accountability at the organizational level to mitigate issues, and using systematic toolkits for anticipating impacts.

Harshini Sri Ramulu, Helen Schmitt, Dominik Wermke, Yasemin Acar