Presented by: Jennifer Lederer Angela Baker Donna Taldo Chelsea Dullye
Privacy in the Age of Ubiquitous Computing Jason I. Hong Scott Lederer Jennifer Ng Anind K. Dey...
-
Upload
sibyl-barrett -
Category
Documents
-
view
216 -
download
1
Transcript of Privacy in the Age of Ubiquitous Computing Jason I. Hong Scott Lederer Jennifer Ng Anind K. Dey...
Privacy in the Age of Ubiquitous Computing
Jason I. Hong
Scott Lederer
Jennifer Ng
Anind K. Dey
James A. Landay
G r o u p f o rUser Interface Research
University of CaliforniaBerkeley
Mar 05 2004 2
The Origins of Ubiquitous Computing
What’s wrong with Personal Computers?– Too complex and hard to use– Too demanding of attention– Too isolating from other people– Too dominating of our desktops and our lives
Ubiquitous Computing Project at Xerox PARC– Advances in wireless networking, sensors, devices– Observations of how people use tools in practice– Make computers a natural part of everyday
interactions
Mar 05 2004 3
The Origins of Ubiquitous Computing
Mar 05 2004 4
Emerging Examples of Ubicomp
Never Get Lost
Find Friends
Emergency Response
Mar 05 2004 5
“But What About My Privacy?”
Never Get Lost– You walk past a restaurant and your cellphone rings with the
specials of the day
Find Friends– “Family is already very close to you, so if they’re checking up
on you…sort of already smothering and this is one step further.”
– “[It] could tell when you were in the bathroom, when you left the unit, and how long and where you ate your lunch. EXACTLY what you are afraid of.”
Emergency Response– “I don’t see how a government or an organization will not
come up with an excuse to use [location info] for another purpose.”
Flood of Location-Based Spam
Never Hide From Friends and Co-Workers
Constant Surveillance
Mar 05 2004 6
Our Research in Ubicomp Privacy
Fundamental Tension– Ubiquitous Computing can be used for great benefit– Ubiquitous Computing can be used for great harm– Privacy may be greatest barrier to long-term success
Our approach– What are the privacy concerns in ubicomp?– How can we design better user interfaces?– Are there better ways of building privacy-sensitive apps?
Privacy is an area easy to make mistakes in– Will discuss lessons learned throughout
Mar 05 2004 7
What is Privacy?
Lots of perspectives on privacy– US Constitution, UN Decl. Human Rights, Hippocratic Oath– Influenced by Legal, Market, Social, and Technical forces
Privacy is not just Orwell– From “Big Brother” to “Little Sisters”– Media sensationalization of worst-case scenarios
Privacy is not just computer security– Adversaries? Friends, family, co-workers, acquaintances– Anonymity? Friends already know your identity– Secrecy? We share personal info with friends all the
time– Damage? Risk may be undesired social obligations
We are approaching privacy from an HCI perspective
Mar 05 2004 8
An HCI Perspective on Privacy
“The problem, while often couched in terms of privacy, is really one of control. If the computational system is invisible as well as extensive, it becomes hard to know:
– what is controlling what– what is connected to what– where information is flowing– how it is being used– what is broken (vs what is working correctly)”
The Origins of Ubiquitous Computing Research at PARC in the Late 1980s
Weiser, Gold, Brown
Make it easy to share: • the right information• with the right people (or service) • at the right time
Mar 05 2004 9
What are End-User Privacy Needs?
Lots of speculation about privacy, little data out there
Analyzed survey of 130 people on ubicomp privacy prefs
Analyzed nurse message board on locator systems– http://allnurses.com
Examined papers describing usage of ubicomp systems
Examined existing and proposed privacy protection laws– EU Directive, Location Privacy Act 2001, Wireless Privacy Act 2004
Interviewed 20 people on various location-based services– Did not mention the word “privacy” unless they did first
Mar 05 2004 10
End-User Privacy Needs
Value proposition
Simple and appropriate control and feedback
Plausible deniability
Limited retention of data
Decentralized architectures
Special exceptions for emergencies
Alice’sLocation
Bob’sLocation
Mar 05 2004 11
How to Design for Privacy?
What are good privacy-sensitive user interfaces?– Knowing what is needed does not say how to do it well
Mar 05 2004 12
Five Pitfalls for Designers
Understanding
Obscuring potential information flow
Obscuring actual information flow
Action
Configuration over action
Lacking coarse-grained control
Inhibiting established practices
Mar 05 2004 13
#1 – Obscuring Potential Flow
Users can make informed use of a system only when they understand the scope of its privacy implications
Mar 05 2004 14
#2 – Obscuring Actual Flow
Users should understand what information is being disclosed to whom
Who is querying my location?How often?
Requestor informed of disclosureRequestee sees each request
Mar 05 2004 15
#3 – Configuration Over Action
Designs should not require excessive configuration to manage privacy– “Right” configuration hard to predict in advance– Make privacy a natural part of the interaction flow
Mar 05 2004 16
#4 – Lacking Coarse-Grain Control
Designs should not forego an obvious, top-level mechanism for halting and resuming disclosure
“[T]raveling employees may want their bosses to be able to locate them during the day but not after 5 p.m. Others may want to receive coupons from coffee shops before 9 a.m. on weekdays but not on weekends when they sleep in. Some may want their friends alerted only when they are within one mile, but not 10 miles.”
Protecting the Cellphone User's Right to Hide
NYTimes Feb 5 2004
Did I set it right?How do I know?
Mar 05 2004 17
#5 – Inhibiting Established Practices
Designs should not inhibit users from transferring established social practices to emerging technologiesRather than getting an immediate ring, an answering machine comes on the line and says, "Lee has been motionless in a dim place with high ambient sound for the last 45 minutes. Continue with call or leave a message."
1. University and Ramona2. Palo Alto3. Custom…
9. Ignore for now
Mar 05 2004 18
How to Build Applications Better?
Develop a toolkit to make it easier to build privacy-sensitive ubicomp apps– Prevent – Strong guarantees on your personal data– Avoid – Better user interfaces for managing privacy– Detect – Finding over-monitoring or accidental
disclosures– Need all three for effective systems
Key architectural points of Context Fabric– Locality– InfoSpace Diary– Access Descriptions– Privacy Tags
Mar 05 2004 19
Locality
Keep personal data “close” to end-users– Move from centralized systems to decentralized ones– Capture, store, and process personal data on my
computer
PlaceLab
AB
C
Add more placelab guts hereAdd slide on MiniGis here as well
What are the alternatives here?Centralization was an issue early on
Also talked to a lawyer about this (Deidre)Closer data is to you, more legal protection
–Works indoors and in urban canyons
–No special equipment
–Privacy-sensitive–Rides the WiFi wave
Mar 05 2004 20
PlaceLab
~52000 Nodes
(3Megs)
Mar 05 2004 21
PlaceLab
~500 Nodes
Mar 05 2004 22
Locality
MiniGis Server for processing location locally
Country Name = United StatesRegion Name = CaliforniaCity Name = BerkeleyZIP Code = 94709Place Name = Soda HallLat Lon = 37.8756, -122.25711
Mar 05 2004 23
Locality
MiniGis Server data sources
USGS State Gazetteer– Names in USA– 2m records ~650 megs– States, Cities, Places
“Places” hardest to get– Airports & schools useful, “hammocks”, “lava”,
“quicksand” less so– 2 undergrads scouring Berkeley– Research opportunity here in open, distributed naming of
places
GEOnet Names Server– Names outside USA– 5.5m records ~700megs– Regions, Cities, Places
Mar 05 2004 24
InfoSpace Diary
InfoSpace stores your personal information– Static info, like name and phone#– Dynamic info, like current location and activity
Runs on your personal device or on a trusted service– Local sources (ex. PlaceLab) can update dynamic info– Can choose to expose different parts to different people &
services– Can also see who can see what about you
Describe guts of InfoSpace moreDescribe Tuples more
Operators too?
Mar 05 2004 25
Confab Architecture
InfoSpace
Diary
InfoSpace
Diary
LocNamePlaceLab
Tourguide
Find Friend
MiniGis
How to control when and how much personal info is disclosed?
Request
Mar 05 2004 26
Access Notifications
One possibility:
“[T]raveling employees may want their bosses to be able to locate them during the day but not after 5 p.m. Others may want to receive coupons from coffee shops before 9 a.m. on weekdays but not on weekends when they sleep in. Some may want their friends alerted only when they are within one mile, but not 10 miles.”
Problems:– People are not good at defining rules beforehand– Tradeoff between fine-grained control and
understandability
Mar 05 2004 27
Observations on Setting Preferences
Who is requesting information is most important factor– “Either I trust someone with my information or I don't –
it doesn't depend on where I am.”
Time is an essential aspect for maintaining control– Access described in terms of “always”, “never”, or “work
hours”– “Work people can know my information during work hours.
Home/SO people can know my information always.”
Can set prefs before, during, or after a request– Before case can lead to configuration pitfall– During case easier to understand, but can overwhelm– After case easy to setup, but can lead to accidental
disclosures
Mar 05 2004 28
Access Notifications
Mar 05 2004 29
Access Notifications
Initial Evaluations– Tested with 4 people for understandability and
reactions– Location-enhanced messenger, tourguide, emergency
response
Mar 05 2004 30
Access Notifications
Initial Evaluations– Tested with 4 people for understandability and reactions– Location-enhanced messenger, tourguide, emergency
response
Results
– Distinction between Push vs Pull, Continuous vs Discrete
“Giving a GPS location once or twice does not provide enough information for an invasion of privacy… [but] if GPS location is shared every 2 seconds, there is a potential for an invasion of privacy.”
“No need for continuous update of location. Only in a race or a marathon (where staying on track is essential) would continuous update be helpful.”
Mar 05 2004 31
Access Notifications
PlaceBar
Continuous Discrete
Push ???
Pull Access Notifications
Mar 05 2004 32
Confab Architecture
InfoSpace
Diary
InfoSpace
Diary
LocNamePlaceLab
Tourguide
Find Friend
MiniGis
How to control what happens to your info onceit leaves your InfoSpace?
Access
AccessPull
Push
Mar 05 2004 33
Privacy Tags
Digital Rights Management for Privacy– Like adding note to email, “Please don’t forward”– Notify address - notify-
[email protected]– Time to live - 5 days– Max number of sightings - last 5 sightings of my
location
Libraries for making it easy for app developers
Mar 05 2004 34
Analysis
Prevent– Capture and process personal information locally– PlaceLab, MiniGis– Minimizes risk of mission creep (ex. SSNs)
Avoid– Interfaces for helping people make good decisions– Access Notifications / PlaceBar
Detect– Finding cases of over-monitoring– Access Notifications– Privacy Tags (processed on requestor’s side)
Mar 05 2004 35
Implementation
Confab, PlaceLab, MiniGis– Java 1.5, Tomcat Web Server, MySql, Jaxen XPath
Data– WiFi from wigle.net and undergrads– MiniGis from USGS, GeoNET, and undergrads– ~35 megs of data (30 megs of place data)
#Classes Lines of code
Confab 320 17000
PlaceLab 10 800
MiniGis 15 3000
Shared Libs
230 12000
Mar 05 2004 36
Putting it TogetherLemming Location-enhanced Messenger
Describe Rationale as to why location + messenger?
Show more gutsDescribe LOC
Mar 05 2004 37
Putting it TogetherBEARS Emergency Response Server
Field studies and interviews with firefighters [CHI2004]
Finding victims in a building– “You bet we’d definitely want that.”– “It would help to know what floor they are on.”
But emergencies are rare– How to balance privacy constraints with utility when
needed?
Mar 05 2004 38
Putting it TogetherBEARS Emergency Response Server
Trusted third party (MedicAlert++)
MedicAlert++MedicAlert++
Loc
“ABC”
“ABC”
On Emergency
Mar 05 2004 39
Requirements Check
Value proposition
Simple and appropriate control and feedback– Access Notifications (pull) and PlaceBar (push)
Plausible deniability– No action, “Ignore for now”, and “Never Allow” appear
same
Limited retention of data– Privacy Tags
Decentralized architectures– Capture and process information locally
Special exceptions for emergencies
Mar 05 2004 40
Contributions
Investigated ubicomp privacy from many perspectives– What are end-user needs? How to design? How to build?
Context Fabric architecture for privacy-aware apps– Prevent / Avoid / Detect– Suggests a way of architecting privacy-sensitive ubicomp
Services on devices, local processing, presentation to end-users
– Evaluation with two applications– Starting deployment of Lemming instant messenger
“Use technology correctly to enhance life. It is important that people have a choice in how much information can be disclosed. Then the technology is useful.”
Jason I. [email protected]
http://guir.berkeley.edu/confab
G r o u p f o rUser Interface Research
University of CaliforniaBerkeley
Thanks to: DARPA Expeditions NSF ITR PARC Intel Fellowship Siebel Systems Fellowship
http://placelab.org