Introduction to Ubicomp Privacy or Is Privacy the Achilles’ Heel of Ubicomp?

Posted: 21-Dec-2015

Page 1

Introduction to Ubicomp Privacy
or
Is Privacy the Achilles’ Heel of Ubicomp?

Page 2

Why Care About Privacy? End-User Perspective

• Protection from spam, identity theft, mugging
• Discomfort over surveillance
  – Lack of trust in work environments
  – Might affect performance, mental health
  – May contribute to feeling of lack of control over life
• Starting over
  – Something stupid you did as a kid
• Creativity and freedom to experiment
  – Protection from total societies
  – Room for each person to develop individually
• Lack of adoption of ubicomp tech

Everyday Risks ... Extreme Risks (by source, ordered from everyday to extreme)
• Stalkers, Muggers: Well-being; Personal safety
• Employers: Over-monitoring; Discrimination; Reputation
• Friends, Family: Over-protection; Social obligations; Embarrassment
• Government: Civil liberties

Page 3

The Fundamental Tension

• Ubicomp envisions
  – lots of sensors for gathering data
  – rich world models describing people, places, things
  – pervasive networks for sharing
• This data can be used for good and for bad

Find Friends
Smart Homes
Smart Stores

Page 4

Why Care? Designer and App Developer Perspective

• Most obvious problem with ubicomp by outsiders

Page 5

Why Care? Designer and App Developer Perspective

• “Do I wear badges? No way. I am completely against wearing badges. I don't want management to know where I am. No. I think the people who made them should be taken out and shot... it is stupid to think that they should research badges because it is technologically interesting. They (badges) will be used to track me around. They will be used to track me around in my private life. They make me furious.”
• Ubicomp “might lead directly to a future of safe, efficient, soulless, and merciless universal surveillance” – Rheingold

Page 6

What is Privacy?

• No standard definition, many different perspectives
• Different kinds of privacy
  – Bodily, Territorial, Communication, Information

Page 7

What is Information Privacy?

• Many different philosophical views on info privacy
  – Different views -> different values -> different designs
  – Note that these are not necessarily mutually exclusive

Page 8

Principles vs Common Interest

• Principled view -> Privacy as a fundamental right
  – Embodied by constitutions, longstanding legal precedent
  – Government not given right to monitor people
• Common interest -> Privacy wrt common good
  – Emphasizes positive, pragmatic effects for society
• Examples:
  – National ID cards, mandatory HIV testing

Page 9

Self-determination vs Personal Privacy

• Self-determination (aka data protection)
  – Arose due to increasing number of databases in 1970s
  – “Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” (Westin)
  – Led to Fair Information Practices (more shortly)
  – More of individual with respect to government and orgs
• Personal privacy
  – How I express myself to others and control access to myself
  – More of individual with respect to other individuals

Page 10

Self-determination vs Personal Privacy

• Examples:
  – Facebook
  – Cell phone communication
  – Instant messaging

Page 11

Privacy as Solitude

• “The right to be let alone”
• People tend to devise strategies “to restrict their own accessibility to others while simultaneously seeking to maximize their ability to reach people” – (Darrah et al 2001)
• Example:
  – Spam protection, undesired social obligations
• Ubicomp:
  – Able to turn system off, invisible mode

Page 12

Privacy as Anonymity

• Hidden among a crowd
• Example:
  – Web proxy to hide actual web traffic
• Ubicomp:
  – Location anonymity
  – “a person” vs “Asian person” vs “Jason Hong”

Page 13

Other Views on Privacy

• Transparent Society
  – Multi-way flow of info (vs one-way to govts or corporations)
• Don’t care
  – I’ve got nothing to hide
  – We’ve always adapted
  – "You have zero privacy anyway. Get over it."
• Fundamentalist
  – Don’t understand the tech
  – Don’t trust others to do the right thing
• Pragmatist
  – Cost-benefit
  – Communitarian benefit to society as well as individual

Page 14

Other Views on Privacy

You know it when you lose it

Page 15

Why is Privacy Hard?

• Hard to define until something bad happens
  – “Well, of course I didn’t mean to share that”
• Risks not always obvious
  – Burglars went to airports to collect license plates
  – Credit info used by kidnappers in South America
• Change in comfort with time and/or experience
• Cause and effect may be far in time and space
• Malleable depending on situation
  – Still use credit cards to buy online
  – Benefit outweighs cost

Page 16

Why is Privacy Hard?

• Data getting easier to store
  – Think embarrassing facts from a long time ago (ex. big hair)
  – Think function creep (ex. SSNs)
• Hard to predict effect of disclosure
  – Hard to tell what credit card companies, Amazon are doing
• Market incentives not aligned
• Easy to misinterpret
  – Went to drug rehabilitation clinic, why?
• Bad data can be hard to fix
  – Sen. Ted Kennedy on TSA watch list

Page 17

Fair Information Practices (FIPs)

• Based on Self-determination / Data Protection view
• Set of principles stating how organizations should handle personal information
• Note: many variants of FIPs

Page 18

Fair Information Practices (FIPs)

• Openness and transparency
• Individual participation
• Collection limitation
• Data quality
• Use limitation
• Reasonable security
• Accountability

Page 19

Adapting FIPs for Ubicomp

• Presents a method for analyzing ubicomp systems
• Assume designers trying to do “the right thing” ™
  – Versus evil people actively trying to intrude
• Notice
  – Physical beacons beaming out P3P policies
  – Personal system that logs policies
• Issues
  – Overwhelmed by notifications?
  – Understandability of notifications?

Page 20

Adapting FIPs for Ubicomp

• Choice and consent
  – Need a way to confirm that a person has consented
  – Can digitally sign a “contract” notification
• Issues
  – How can people specify their policies?
  – Can policies match what people really want?
  – How to make people aware of auto-accepts?
  – What if people don’t have a real choice
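The notice and consent mechanism of the two slides above (beacons announcing a policy, a personal system that logs policies and confirms consent), as an added Python example that is not part of the original slides. It assumes a made-up policy vocabulary rather than P3P, constructed sample preferences and beacon notices, and leaves the signing of the accepted "contract" out; the point it shows is the auto-accept issue: the agent records every silent acceptance so the person can review it later.

```python
"""Constructed sketch of a personal privacy agent for ubicomp notice and consent.

Assumptions (not from the slides): the policy fields below are a made-up
vocabulary rather than P3P, and signing the accepted contract is left out.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Ordered retention periods; an unknown value is treated as the worst case.
RETENTION_ORDER = {"none": 0, "session": 1, "one_year": 2, "indefinite": 3}


@dataclass(frozen=True)
class Notice:
    """A policy notice as a beacon might broadcast it (constructed fields)."""
    beacon_id: str
    collects: FrozenSet[str]          # data types, e.g. {"location"}
    purpose: str                      # e.g. "navigation"
    retention: str                    # key of RETENTION_ORDER
    shared_with_third_parties: bool


@dataclass(frozen=True)
class Preferences:
    """What the user is willing to have collected without being asked."""
    auto_accept_data: FrozenSet[str]
    auto_accept_purposes: FrozenSet[str]
    max_retention: str
    allow_third_party_sharing: bool
    never_share: FrozenSet[str]       # hard deny, regardless of purpose


@dataclass(frozen=True)
class Decision:
    beacon_id: str
    outcome: str                      # "auto_accept", "ask" or "deny"
    reasons: tuple


@dataclass
class PrivacyAgent:
    """Runs on the user's device: logs every notice and the decision taken,
    so auto-accepts remain reviewable instead of silently disappearing."""
    prefs: Preferences
    log: List[Decision] = field(default_factory=list)

    def evaluate(self, n: Notice) -> Decision:
        forbidden = n.collects & self.prefs.never_share
        if forbidden:
            return self._record(n, "deny", (f"collects forbidden data {sorted(forbidden)}",))
        reasons = []
        extra = n.collects - self.prefs.auto_accept_data
        if extra:
            reasons.append(f"collects {sorted(extra)} beyond auto-accept list")
        if n.purpose not in self.prefs.auto_accept_purposes:
            reasons.append(f"purpose {n.purpose!r} not pre-approved")
        worst = RETENTION_ORDER["indefinite"]
        if RETENTION_ORDER.get(n.retention, worst) > RETENTION_ORDER[self.prefs.max_retention]:
            reasons.append(f"retention {n.retention!r} exceeds {self.prefs.max_retention!r}")
        if n.shared_with_third_parties and not self.prefs.allow_third_party_sharing:
            reasons.append("shares with third parties")
        # Anything the standing preferences do not cover goes back to the person.
        return self._record(n, "ask" if reasons else "auto_accept", tuple(reasons))

    def _record(self, n: Notice, outcome: str, reasons: tuple) -> Decision:
        d = Decision(n.beacon_id, outcome, reasons)
        self.log.append(d)
        return d

    def auto_accepted(self) -> List[str]:
        """Beacons accepted without asking; surface this list to the user."""
        return [d.beacon_id for d in self.log if d.outcome == "auto_accept"]


# Constructed sample: one user's standing preferences.
SAMPLE_PREFS = Preferences(
    auto_accept_data=frozenset({"location"}),
    auto_accept_purposes=frozenset({"navigation"}),
    max_retention="session",
    allow_third_party_sharing=False,
    never_share=frozenset({"biometrics"}),
)

# Constructed sample: three beacons met while walking through a building.
SAMPLE_NOTICES = [
    Notice("lobby-nav", frozenset({"location"}), "navigation", "session", False),
    Notice("store-ads", frozenset({"location", "purchases"}), "marketing", "indefinite", True),
    Notice("gate-cam", frozenset({"biometrics", "identity"}), "security", "unknown", False),
]


def run_sample() -> dict:
    agent = PrivacyAgent(SAMPLE_PREFS)
    outcomes = {n.beacon_id: agent.evaluate(n).outcome for n in SAMPLE_NOTICES}
    return {"outcomes": outcomes, "auto_accepted": agent.auto_accepted()}


if __name__ == "__main__":
    print(run_sample())
```

The hard-deny list is checked before anything else so that a forbidden data type can never be auto-accepted through a pre-approved purpose, and an unknown retention value is treated as indefinite rather than ignored.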

Page 21

Adapting FIPs for Ubicomp

• Anonymity and Pseudonymity
  – Try to eliminate any trace of identity
  – Or have a disposable identifier not linked to actual identity
• Issues
  – What kinds of services can be offered anonymously?
  – Business models for anonymous services?
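The disposable identifier from the slide above, together with the location anonymity grain from page 12 (“a person” vs “Asian person” vs “Jason Hong”), as an added Python example that is not part of the original slides. It assumes three disclosure levels named anonymous, category and identified, and that the table mapping pseudonyms back to the person lives only on the user's own device; the contrast it draws is between a pseudonym derived from the identity (linkable across every session) and a random disposable one.

```python
"""Constructed sketch of disposable pseudonyms and graded identity disclosure.

Assumptions (not from the slides): disclosure levels are named "anonymous",
"category" and "identified"; the pseudonym-to-person table is kept on the
user's device, never by the service that receives location reports.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

LEVELS = ("anonymous", "category", "identified")


@dataclass(frozen=True)
class Person:
    name: str
    category: str      # a coarse attribute, e.g. "visitor" or "employee"


def weak_pseudonym(name: str) -> str:
    """Pseudonym derived from the identity: the same person always gets the
    same token, so all of their reports stay linkable across sessions."""
    return hashlib.sha256(name.encode()).hexdigest()[:16]


class PseudonymWallet:
    """Disposable identifiers kept on the user's device (assumption)."""

    def __init__(self) -> None:
        self._active: Dict[str, Person] = {}

    def issue(self, person: Person) -> str:
        # Random, not derived from the identity: two tokens for the same
        # person share nothing a service could use to link them.
        token = secrets.token_urlsafe(16)
        self._active[token] = person
        return token

    def retire(self, token: str) -> None:
        """Dispose of a token; later reports under it no longer resolve."""
        self._active.pop(token, None)

    def owner(self, token: str) -> Optional[Person]:
        return self._active.get(token)


def disclose(person: Person, level: str) -> str:
    """Identity at the chosen grain: "a person", a category, or the name."""
    if level not in LEVELS:
        raise ValueError(f"unknown disclosure level {level!r}")
    if level == "anonymous":
        return "a person"
    if level == "category":
        return f"a {person.category}"
    return person.name


def location_report(wallet: PseudonymWallet, person: Person, place: str, level: str) -> dict:
    """What leaves the device: a fresh pseudonym plus the chosen identity grain."""
    return {"who": disclose(person, level), "token": wallet.issue(person), "place": place}


def sample() -> dict:
    """Constructed run: one person, three places, three disclosure levels."""
    jason = Person("Jason Hong", "visitor")
    wallet = PseudonymWallet()
    reports = [
        location_report(wallet, jason, "lobby", "anonymous"),
        location_report(wallet, jason, "cafe", "category"),
        location_report(wallet, jason, "office", "identified"),
    ]
    return {"reports": reports, "wallet": wallet, "person": jason}


if __name__ == "__main__":
    for r in sample()["reports"]:
        print(r)
```

Only the wallet can turn a token back into a person, which is what makes the identifier disposable: retiring the token on the device severs the link without the service having to cooperate.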

Page 22

Adapting FIPs for Ubicomp

• Proximity
  – Limit behavior of smart objects based on proximity
    • Ex. “Record voice only if owner nearby”
  – Simple mental model, could be hard to implement though
  – Weakness: could be easy to subvert
• Locality
  – Information tied to places it was collected
  – Require physical proximity to query
  – Weakness: limits some utility (ex. Find friend)
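The proximity and locality rules from the slide above, as an added Python example that is not part of the original slides. It assumes positions are planar metres plus a place label, that the owner's position is reported by the owner's own device, and that 3 m counts as "nearby"; the recorder fails closed when no owner position is available, and the local store refuses a query from another place, which is exactly the find-friend utility the slide says locality gives up. The proximity gate is only as good as the position input it trusts, which is the subversion weakness the slide notes.

```python
"""Constructed sketch of the proximity and locality rules for smart objects.

Assumptions (not from the slides): positions are planar metres plus a place
label, the owner's position comes from the owner's own device, 3 m is
"nearby" and 10 m is the locality query radius.
"""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Position:
    x: float
    y: float
    place: str            # e.g. "room-101"


def distance_m(a: Position, b: Position) -> float:
    return math.hypot(a.x - b.x, a.y - b.y)


@dataclass
class SmartRecorder:
    """A smart object that records voice only while its owner is nearby."""
    device_pos: Position
    nearby_radius_m: float = 3.0

    def may_record(self, owner_pos: Optional[Position]) -> bool:
        # No owner fix at all means "not nearby": fail closed.
        if owner_pos is None:
            return False
        # The check is only as trustworthy as the reported position.
        return distance_m(self.device_pos, owner_pos) <= self.nearby_radius_m

    def record(self, owner_pos: Optional[Position], clip: bytes) -> Optional[bytes]:
        """Return the clip when recording is allowed, else drop it."""
        return clip if self.may_record(owner_pos) else None


@dataclass
class LocalStore:
    """Information stays tied to the place it was collected and can only be
    queried by someone physically there (the locality rule)."""
    query_radius_m: float = 10.0
    _items: Dict[str, List[Tuple[Position, str]]] = field(default_factory=dict)

    def put(self, collected_at: Position, item: str) -> None:
        self._items.setdefault(collected_at.place, []).append((collected_at, item))

    def query(self, querier: Position) -> List[str]:
        # Same place label and within the radius, otherwise nothing is returned.
        return [
            item
            for at, item in self._items.get(querier.place, [])
            if distance_m(at, querier) <= self.query_radius_m
        ]


def sample() -> dict:
    """Constructed run: one recorder, one local store, queries from near and far."""
    room = "room-101"
    recorder = SmartRecorder(Position(0.0, 0.0, room))
    clip = b"constructed-audio"
    near = recorder.record(Position(1.0, 1.0, room), clip)      # owner about 1.4 m away
    far = recorder.record(Position(10.0, 0.0, room), clip)      # owner 10 m away
    missing = recorder.record(None, clip)                       # no owner fix

    store = LocalStore()
    store.put(Position(2.0, 2.0, room), "meeting notes")
    here = store.query(Position(3.0, 3.0, room))
    elsewhere = store.query(Position(3.0, 3.0, "lobby"))         # find-friend from afar
    return {"near": near, "far": far, "missing": missing, "here": here, "elsewhere": elsewhere}


if __name__ == "__main__":
    print(sample())
```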

Page 23

Adapting FIPs for Ubicomp

• Access and Recourse
  – How to know what the system knows about you?
  – What mechanisms for recourse?
• Suggests minimizing information collected to avoid this issue (possible in practice?)

Page 24

Design for Privacy in Ubiquitous Computing Environments

• Presents a method for analyzing ubicomp systems
  – Looks primarily at control and feedback
  – Looks at networked media spaces, audio-video connections between two locations
  – More of a personal privacy approach
• One point they briefly mention is value proposition
  – At EuroPARC people generally do not worry much about privacy. They feel that the benefits of RAVE outweigh their concerns. This is because the design has evolved together with a culture of trust and acceptable practices relating to its use. Individual freedom was fostered to use, customise, or ignore the technology.

Page 25

Framework

• Capture
  – What kind of information?
  – Video? Identity? Activity (documents, keypresses, etc)
• Construction
  – How is information processed? Stored?
• Accessibility
  – Who can see the information?
• Purpose
  – How is information used? Might be used?

Page 26

Page 27

(Some) Criteria for Evaluating Systems

• Appropriate timing
• Perceptibility
• Unobtrusiveness
• Low effort
• Meaningful
• Low Cost

Page 28

Discussion Points: Is Privacy Always Good?

Page 29

Discussion Points: Is Privacy Always Good?

• Can be used as a shield for abusive behavior
• Supermarket loyalty cards
  – Gauge effect of marketing, effects of price and demand
  – Market to best customers
• Can streamline economic transactions
  – Easy credit
• Reputation management
• EU – “Regulators prosecuted an animal rights activist who published a list of fur producers and a consumer activist who criticized a large bank on a Web page that named the bank’s directors.”

Page 30

Discussion Points: Ways of Simplifying Privacy for People?

• Lots of effort across various systems
  – Mobile Phone, TiVo, Smart Car, Smart Home, Workplace
  – Analogy: privacy across various web sites
• Ways of making it easier for people?
  – What kinds of tools?
  – Third party organizations? (MedicAlert)

Page 31

Breakout Groups

• Group A: Is privacy always good?
  – In what cases not?
  – Too much privacy? (ie get used to it, like security cams?)
• Group B: How to simplify privacy for people in ubicomp?
  – Core technologies?
  – Third parties?
  – User interfaces?

Page 32

Page 33

Discussion Points

• What is the role of tech? How much should it do?
  – With respect to Market, Law, and Social Norms?
• What values should we embody in tech?
  – And how to design for those values?
  – Is privacy always good to have?
• How to assess risks better beforehand?
• Better h/w and s/w architectures?
  – Physical layer of privacy?
• Better UIs? Understandable mental models?
• Metrics for privacy?
• Third parties / companies that manage your privacy?

Page 34

Fundamental Tech Challenges

• Make it easy for organizations to do the right thing
  – Detecting abuse (ex. honeypots, audits)
  – Better database aggregation and anonymization
  – Better org-wide policies and enforcement
• Make it easy for individuals to share right info with right people at right times
  – Better ubicomp architectures that put end-users in control
• Can’t just flip a switch
• Make it easier for app developers to do right thing
  – Better UIs (awareness, disclosures, decision-making)
  – Better design and evaluation methods

Page 35

How Ubicomp Changes the Landscape

• Scope and scale
  – Everyone, everywhere, any time
• More personal
  – Location, activities, habits, hobbies, people with
• Breaks existing notions of how world works
  – Close the door
  – Whisper to people
• Connected
  – Easy to share with others
• Machine readable and searchable