Trustworthy By Design

Trustworthy By Design

CSCW 2014 • The Office

Bran KnowlesLancaster University, Lancaster (acm)
Mike HardingLancaster University, Lancaster  (acm)
Lynne BlairLancaster University, Lancaster (acm)
Nigel Davies – Lancaster University, Lancaster (acm)
James Hannon InTouch Ltd (acm)
Mark Rouncefield – Lancaster University, Lancaster (acm)
John WaldenInTouch Ltd, (acm)


An ethnographic study of gully cleaners ‘Gangers’ and examination of an app that supports their actions and management. Computer-Mediated communication allows for the creation of a trusting environment that supports more flexibility and higher productivity, as opposed to the enforcement of rules, an essentially political approach. Very nicely written and easy to read.

Things to Remember

A key challenge is to collect, at the outset, accurate data in which organizations can place significant trust. This trusted data, as we will show, links with a range of other important qualities to do with successful completion and management of work, and can change for the better the way business process is organized.

We adopt a definition of trust fitting with [D. Gambetta. Can we trust trust. Trust: Making and breaking cooperative relations], i.e. trust is a subjective assessment of reliability, and we explore trust specifically as it relates to ‘trusted data’ in the context of developing quality systems.

In our fieldwork studies we paid attention to the social process of trust production, to specify the social mechanisms which generate trust and to examine and document the various ways in which trust is woven into the fabric of everyday organizational life as part of the taken for granted moral order [15]

What seems especially notable in highway maintenance work, an observably physically demanding job, is the sheer amount of paperwork involved. Documents seem to enable trust in part by creating a ‘stratified trace’ of the orderliness of activities. A document provides history, in this case of a stretch of road; but that historical record is only trustworthy as a result of lower level instantiations of trust: trust in location, trust in the represented order of events, and so on. A document further acts as a coordinating device, and trust placed in that document can be translated into an appropriate organizational formulation.

By allowing workers to add ‘frequency prediction’ information to an asset. More specifically, when a gully is collected/cleaned the user can select from a drop down menu how soon they think it will need to be cleaned again. (Prediction is a great way to develop trust!)

We contend there is an important distinction between accurate data and trusted data. While accuracy is a prerequisite of trusted data, it does not guarantee it; data can be accurate and still not be trusted.

We believe that a similar approach, i.e. trustworthy by design, is required for building trusted data-gathering systems. In ‘The Mechanics of Trust: A Framework for Research and Design,’ Rieselsberger et al [33] argue that: “If we are to realize the potential of new technologies for enabling new forms of interactions without these undesirable consequences, trust and the conditions that affect it must become a core concern of systems development. The role of systems designers and researchers is thus not one of solely increasing the functionality and usability of the systems that are used to transact or communicate, but to design them in such a way that they support trustworthy action and — based on that — well-placed trust.”


Eight key principles:
1) Security: Trusted data capture must necessarily be underpinned by a secure infrastructure, e.g. it must include measures that ensure tamper resistance.
2) Performance: Systems—both devices and web portals—must be quick and easy to use in order to encourage users to amend data as necessary.
3) Provenance: The system must enable users to trace the source of any data capture and amendment activity in a way that aids verification of the validity of that activity.
4) Translucency: Users must be able to see all relevant data that would help them undertake their work, but no more.
5) Flexibility: The system must allow users to adjust data when the device is unable to deliver accuracy, e.g. if an obstruction prevents the user from positioning the device over the asset.
6) Value to users: The system must be designed to deliver value to the user—as opposed to a model that treats users as ‘dumb sensors’—to ensure they benefit from producing accurate data.
7) Empowerment: The system must bring people ‘into the loop’ and engage their knowledge and intelligence toward a shared goal, such as increasing the quality and ease of work.
8) Competence: In empowering people and giving them responsibility, the system must build in assurances that users will succeed, e.g. facilitating the submission of all necessary data.

…little attention has been paid to the quality of data captured by mobile workers. If this data is inaccurate or untrustworthy, serious consequences can ensue. In this paper we study a system targeted at mobile workers in the highways sector that is deliberately designed to increase the accuracy and trustworthiness of the data collected.

This paper explores the elements of design that enable accurate, and above this, trusted data collection in this domain, with a view toward applying these more generally to other mobile data capture domains.

Trusted data is also critical in a wide range of domains such as health, policing, environmental monitoring, surveying and disaster management where inaccurate or untrustworthy data from the field can have serious consequences.

We use trust as an analytical lens for reflecting on lessons learned from our experience in creating a successful mobile asset collection system, and from this, develop several principles of successful system design that can be applied to a range of domains.

In recent years there has been an increased interest in smartphones for data capture, though many of these studies focus on data capture for purposes of crowdsourcing and participatory sensing [6, 20], experience capture [41], feedback [12], etc., in which accuracy and trust play a less critical role.

In the process, is it possible to identify the important role of trust in such organizational work, how people ‘perform’ trust, how it is instantiated in various paper and electronic documents and how it enters into everyday work through aspects of planning, coordination and awareness.

Our exploration of issues of trust in road maintenance began by identifying several different stakeholders or parties (or ‘users’) between whom and for whom issues of trust arise.

The (ongoing) fieldwork reported here was carried out by two ethnographers at seven different sites in the UK over the course of a year and amounted to approximately 70 interviews (of differing durations) and approximately three months worth of observation. Interviews were transcribed and fieldnotes typed up and examined for broad, recurring themes which acted not as precursors to the development of theory but as broad requirements for design.

Like ‘the boy who cried wolf’, contractors may over time be less inclined to take seriously the deadlines set by the council, potentially increasing the chance of instances of unreliability with more damaging consequences to accrued trust. In contrast, were the council to trust contractors, efficiency would result as a natural consequence of empowering people who are best able to make decisions, thereby catalyzing a virtuous circle of trust.

mobile data capture system intended to increase trust between various parties:

    • Supporting the identification and persistent storage of evidence.
    • Understanding and graphing the complexity of interdependent processes and relationships to deliver on organizational assertions.
    • Providing trust warnings in the form of data visualizations and inline user interfaces to involved stakeholders.
    • Visualizing the impact of individuals’ actions throughout the system and process.

Gangers work to a cyclical cleaning regimen, which they follow blindly. While this approach does enable thorough, systematic cleaning of the council’s gullies, it is highly inefficient, since many gullies do not actually require cleaning. Furthermore, and in terms of trust, while it is easy to fall short of expectations, it is not particularly easy to exceed expectations.

The ethnographic fieldwork we conducted for gullies was intended not only to reveal further insight into trust, but also, more fundamentally, to capture requirements for our system design.

In addition to position, users capture a range of data about the state of the gully including reports of any damage and a photograph of the current state of the gully.

This support for reinspections, which is the principle advance from second to third generation asset collection, enables users to recollect that same asset again and again, building a history of data against that asset. Users can also change any data that is incorrect by doing a recollection. They do not have to create a new inspection every time; data is pulled forward — some of which is immutable, some mutable, some blank, as appropriate

The system provides a sophisticated set of filters to enable viewers to hide irrelevant data from view. This combination of filtering and access to all the past data on local assets can transform the way highways maintenance operations are performed. In particular, it provides empowerment to the users, allowing them to be in control of their work and to choose how to carry it out, e.g. inspectors can choose to see all the gullies that they did not have time to check last time.

Some of this success can be put down to the extensive ethnographic research done up front and careful planning to attend to the needs highlighted by this research through iterative ethnographic/development cycles throughout, and the use of photographs to document, to provide a trustable record of, their work. Much of this success, however, we put down to serendipity.

We begin with a brief discussion of the affordances of our mobile data capture system and explore how these affect empowerment. Next we explore additional characteristics that contribute to system success. Finally, we conclude by discussing how all of these factors contribute toward trusted data.

Some of the affordances Inspections capitalizes on include the following:

    • Wizarding’: Collection and recollection both force the user to enter all mandatory data before they are able to move on.
    • Pinpointing location
    • Filtering data: Users can not only view relevant data, but also hide irrelevant data.
    • Gathering asset histories: The system ties data collection to a specific asset, and users can continue to add information to this same asset over time.

As [44] notes, introducing a system into an organization entails a complex emergent dynamic between the system and what that system enables users within the organization to do. “These factors,” the authors write, “go beyond basic functionality, dialogue and representations of a technology and encompass organization culture, changes in organizations, users’ identity and power differences and their emotional, symbolic and functional values related to the technology”.

We argue that Inspections makes possible several further organizational-level affordances: 1) it empowers crews to engage their creative intelligence; 2) it empowers the organization as a whole to shift to an intelligent management model; and 3) this empowerment is enabled by — and in turn perpetuates — the fostering of trust throughout the different levels of the organization.

At the organizational level, researchers differentiate between ‘empowering organizations’ and ‘empowered organizations’: the former serves to foster psychological empowerment for individuals within that organization or otherwise influenced by that organization [47]; whereas the latter (‘empowered’) are those that “influence the larger systems of which they are a part” [29], increasing their own effectiveness in achieving goals.

Inspections makes use of crews’ previously untapped knowledge by asking them to predict the frequency of cleaning required for each gully. But further, it enables them to act on this creatively and independently, giving them the power to craft their maintenance schedules in accordance with their expertise rather than feeling like robots or slaves to inflexible routines, workers can feel competent and engaged.

Inspections, on the other hand, enables the organization to increase efficiency through strategic means while enabling the workforce to operate at a safe, healthy, realistic pace — with the added benefit that this is conducive to data accuracy. Ultimately, this has revolutionized these organizations, freeing them from a blind, cyclical cleaning regimen and enabling them to proactively target the gullies that are likely to cause unsafe road conditions.

Inspections forces users to fill in all mandatory data fields, but because the device (and the UI decisions we have made) make doing so a very quick process, users are able to complete a collection or recollection quickly, knowing that they can recollect again just as quickly if they need to make corrections.

The benefit of these metadata traces is that they enable those that manage the data (whether or not they actively manage personnel) to determine the data’s validity. We are also aware of the closer association between provenance and trust (e.g. [1, 2, 24]), which indicates that ‘provenance’ is in greater alignment with our intended design ambitions.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s