Data protection risks play a major role in data protection laws and have shown to be suitable means for accountability in designing for usable privacy. Especially in the legal realm, risks are typically collected heuristically or deductively, e.g., by referring to fundamental right violations. Following a user-centered design credo, research on usable privacy has shown that a user-perspective on privacy risks can enhance system intelligibility and accountability. However, research on mapping the landscape of user-perceived privacy risks is still in its infancy. To extend the corpus of privacy risks as users perceive them in their daily use of technology, we conducted 9 workshops collecting 91 risks in the fields of web browsing, voice assistants and connected mobility. The body of risks was then categorized by 11 experts from the legal and HCI-domain. We find that, while existing taxonomies generally fit well, a societal dimension of risks is not yet represented. Discussing our empirically backed taxonomy including the full list of 91 risks, we demonstrate roads to use user-perceived risks as a mechanism to foster accountability for usable privacy in connected devices.Keywords
Accountability, Usable Privacy, User-perceived risks, Risk-Based Approach, GDPR
