Privacy and Ubiquitous Computing
Jason I. Hong
Ubicomp Privacy is a Serious Concern
“[Active Badge] could tell when you were in the bathroom, when you left the unit, and how long and where you ate your lunch. EXACTLY what you are afraid of.”
- allnurses.com
• Characteristics
– Real-time, distributed
– Invisibility of sensors
– Potential scale
– What data? Who sees it?
• Design Issues
– No control over system
– No feedback, cannot act appropriately
• You think you are in one context, actually in many
– No value proposition
Why is Ubicomp Privacy Hard?
• Devices becoming more intimate
– Call record, SMS messages
– Calendar, Notes, Photos
– History of locations, People nearby, Interruptibility
– With us nearly all the time
• Portable and automatic diary
– Accidental viewing, losing device, hacking
• Protection from interruptions
– Calls at bad times, other people’s (annoying) calls
• Projecting a desired persona
– Accidental disclosures of location, plausible deniability
Exploring Ubicomp at CMU
• People Finder
• Sensor Andrew
• inTouch
– Better awareness and messaging for small groups
• Contextual Instant Messaging
– Control and feedback mechanisms for ubicomp privacy
Contextual Instant Messaging
• Facilitate coordination and communication by letting people request contextual information via IM
– Interruptibility (via SUBTLE toolkit)
– Location (via Place Lab WiFi positioning)
– Active window
• Developed a custom client and robot on top of AIM
– Client (Trillian plugin) captures and sends context to robot
– People can query imbuddy411 robot for info
• “howbusyis username”
– Robot also contains privacy rules governing disclosure
• Web-based specification of privacy preferences
– Users can create groups and put screennames into groups
– Users can specify what each group can see
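The group-based disclosure rules described above, together with an audit log and per-requester summary, as an added Python example (not the imbuddy411 implementation). Class, method, group and screen names are hypothetical, and granting a requester the union of what their groups may see is an assumption the slides do not state.

```python
from collections import Counter
from dataclasses import dataclass, field

CONTEXT_TYPES = ("interruptibility", "location", "active_window")

@dataclass
class DisclosurePolicy:
    """One user's rules: screennames go into groups, groups map to context types."""
    groups: dict = field(default_factory=dict)     # group name -> set of screennames
    allowed: dict = field(default_factory=dict)    # group name -> set of context types
    audit_log: list = field(default_factory=list)  # (requester, context, disclosed)

    def add_group(self, name, members, can_see=()):
        unknown = set(can_see) - set(CONTEXT_TYPES)
        if unknown:
            raise ValueError(f"unknown context type(s): {sorted(unknown)}")
        self.groups[name] = {m.lower() for m in members}
        self.allowed[name] = set(can_see)

    def query(self, requester, context):
        """Decide one request. Default deny: a stranger matches no group."""
        who = requester.lower()
        disclosed = context in CONTEXT_TYPES and any(
            context in self.allowed[g]
            for g, members in self.groups.items() if who in members)
        # Denials are logged too, so repeated probing by a stranger stays visible.
        self.audit_log.append((who, context, disclosed))
        return disclosed

    def summary(self, threshold=2):
        """Per-requester totals; flags unknown or unusually frequent requesters."""
        known = set().union(*self.groups.values())
        counts = Counter(who for who, _, _ in self.audit_log)
        return {who: {"requests": n,
                      "anomalous": who not in known or n > threshold}
                for who, n in counts.items()}

def demo():
    # Constructed sample data: screennames and group names are made up.
    policy = DisclosurePolicy()
    policy.add_group("family", ["alice01"], CONTEXT_TYPES)
    policy.add_group("class", ["bob_cs", "alice01"], ["interruptibility"])
    results = [policy.query("Alice01", "location"),
               policy.query("bob_cs", "location"),
               policy.query("stranger99", "location"),
               policy.query("stranger99", "interruptibility")]
    return results, policy.summary()
```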
Control – Setting Privacy Policies
• Coarse grain controls plus access to privacy settings
Control – System Tray
Feedback – Notifications
Feedback – Social Translucency
Feedback – Offline Notification
Feedback – Summaries
Feedback – Audit Logs
Evaluation
• Recruited fifteen people for four weeks
– Selected people highly active in IM (i.e., undergrads)
– ~120 buddies, ~1580 messages / week (sent and received)
– ~3.3 groups created per person
• Notified other parties of imbuddy411 service
– Update AIM profile to advertise
– Would notify other parties at start of conversation
Results of Evaluation
• 321 queries
– ~1 query / person / day
– 61 distinct screennames, 15 repeat users
– 67 interruptibility, 175 location, 79 active window
• Added Stalkerbot near end of study
– A stranger making 2 queries per person per day
Results – Controls
• Controls easy to use (4.5 / 5, σ=0.7)
“I really liked the privacy settings the way they are. I thought they were easy to use, especially changing between privacy settings.”
“I felt pretty comfortable with using it because you can just easily modify the privacy settings.”
• However, can be lots of effort
“It’s time consuming, if you have a long buddylist, to set up for each person.”
• Asked for more location disclosure levels
– Around or near a certain place
Results – Comfort Level
• Comfort level good (4 / 5, σ=0.9)
– 12 participants noticed stalkerbot, 3 didn’t until debriefing
– However, no real concerns
– Reasoned that our stalkerbot was a buddy or old friend
– Also confident in their privacy control settings
“I know they won’t get any information, because I set to the default so they won’t be able to see anything.”
Results – Appropriateness of Disclosures
• Mostly appropriate (2.47 / 5, where 3 is appropriate)
– Useful information for requester? Right level of info?
– Two people increased privacy settings, one after experimentation, other after too many requests from specific person
• However, more complaints about accuracy
– Ex. Left a laptop in a room to get food, person wasn’t there
Results – Usefulness of Feedback
• Bubble notification, 1.6 / 6 (σ=0.6)
• Disclosure log, 1.8 (σ=1.3)
• Mouse-over notification, 3.7 (σ=1.0)
• Offline statistic notification, 4 (σ=1.4)
• Social translucency Trillian tooltip popup, 4.8 (σ=1.1)
• Peripheral red-dot notification, 5.4 (σ=0.7)
Discussion
• Scaling up notifications
– ~1 query / person / day, but just one app, not a lot of users
– Pointing out anomalies more useful
• Disclosure log not used heavily
– Though people liked knowing that it was there just in case
• Surprisingly few concerns about privacy
– No user expressed strong privacy concerns
– Feature requests were all non-privacy related
– If low usage, due to not enough utility, not due to privacy
• Does this mean our privacy is good enough, or is this because of users’ attitudes and behaviors?
Better understanding of attitudes and behaviors towards privacy
• Westin identified three clusters of people wrt attitudes toward commercial entities
– Fundamentalists (~25%)
– Unconcerned (~10%)
– Pragmatists (~65%)
• We need something like this for ubicomp
– But for personal privacy rather than for commercial entities
– With more fine-grained segmentation
• Fundamentalists include techno-libertarians and luddites
• Pragmatists include too busy, not enough value, profiling
– Better segmentation would help us understand if our privacy is good enough for specific audience
Understanding Adoption
• Need to tie attitudes and behavior with adoption models
Teens
Understanding Adoption
• Crafting better value propositions
– “Ubiquitous computing” and a focus on technology really scared the bejeezus out of people
– “Invisible computing” and a focus on how it helps people, far more palatable
• Finding and supporting existing practices
– Already using IM, familiar metaphor, adding a few more features, rather than asking people to take a large step
– Better deployment models
End-User Privacy in HCI
• 137-page article surveying privacy in HCI and CSCW
• Forthcoming in the new Foundations and Trends journal, in a few weeks
Acknowledgements
• NSF Cyber Trust CNS-0627513
• NSF IIS CNS-0433540
• ARO DAAD19-02-0389
• Motorola
• Nokia Research
• Skyhook
• Gary Hsieh
• Wai-yong Low
• Karen Tang
Open Challenges
Lessons Thus Far
• Total of 242 requests for contextual information
– 53 distinct screen names, 13 repeat users
[Bar chart; categories: Interruptibility, Location, Active Window]
Results of First Evaluation
• 43 privacy groups, ~4 per participant
– Groups organized as class, major, clubs, gender, work, location, ethnicity, family
– 6 groups revealed no information
– 7 groups disclosed all information
• Only two instances of changes to rules
– In both cases, friend asked participant to increase level of disclosure
Results of First Evaluation
• Likert scale survey at end
– 1 is strongly disagree, 5 is strongly agree
– All participants agreed contextual information sensitive
• Interruptibility 3.6, location 4.1, window 4.9
– Participants were comfortable using our controls (4.1)
– Easy to understand (4.4) and modify (4.2)
– Good sense of who had seen what (3.9)
• Participants also suggested improvements
– Notification of offline requests
– Better summaries (“User x asked for location 5 times today”)
– Better notifications to reduce interruptions (abnormal use)
Results of First Evaluation
What’s Hard about Ubicomp Privacy?
• Easier to store lots of data
• More kinds of data being collected
• Easier to distribute
• More sensors, real-time
• More devices
• Easier to search
• More intimate
Five Challenges
• Better ways of helping end-users manage their privacy
• A better understanding of people’s attitudes and behaviors towards privacy
• A privacy toolbox
• Better organizational support
• Understanding adoption