Privacy Acknowledgement: Jason Hong, CMU

Overview of Privacy Why care? Why is it hard? Thinking about and Designing for Privacy Why privacy might not matter Very broad look at privacy Social aspects, legal aspects, philosophical, user interface

Why Care About Privacy? End-User Perspective Protection from spam, identity theft, mugging Discomfort over surveillance Lack of trust in work environments Might affect performance, mental health May contribute to feeling of lack of control over life Starting over Something stupid you did as a kid Creativity and freedom to experiment Protection from total societies Room for each person to develop individually Lack of adoption of tech Everyday Risks Extreme Risks Stalkers, Muggers _________________________________ Well-being Personal safety Employers Over-monitoring Discrimination Reputation Friends, Family Over-protection Social obligations Embarrassment Government __________________________ Civil liberties

The Fundamental Tension More information can be used for good and for bad Facebook Keeping in touch with friends But embarrassing photos or breakups recorded for all time?

The Fundamental Tension More information can be used for good and for bad Facebook Keeping in touch with friends But embarrassing photos or breakups recorded for all time? People Finder Okayness checking and coordination But also stalking, monitoring at work, or embarrassment Amazon (or any ecommerce site) Can improve search results, personalized content Price discrimination, selling your info to others, not keeping your info safe from hackers

Why is Privacy Hard? Characteristics Design Issues Real-time, distributed Invisibility of sensors Potential scale What data? Who sees it? Design Issues No control over system No feedback, cannot act appropriately You think you are in one context, actually in many No value proposition

Why is Privacy Hard? Devices becoming more intimate Call record, SMS messages Calendar, Notes, Photos History of locations, People nearby, Interruptibility With us nearly all the time Portable and automatic diary Accidental viewing, losing device, hacking Protection from interruptions Calls at bad times, other people’s (annoying) calls Projecting a desired persona Accidental disclosures of location, plausible deniability

Internet ISP Employer Search engine Large e-commerce sites Cookies “accessible in theory” vs. “accessible in a click”

Chrome privacy When you type URLs or queries in the address bar, the letters you type are sent to Google so the Suggest feature can automatically recommend terms or URLs you may be looking for. If you choose to share usage statistics with Google and you accept a suggested query or URL, Google Chrome will send that information to Google as well. You can disable this feature as explained here.   "Your copy of Google Chrome includes one or more unique application numbers. These numbers and information about your installation of the browser (e.g., version number, language) will be sent to Google when you first install and use it and when Google Chrome automatically checks for updates. If you choose to send usage statistics and crash reports to Google, the browser will send us this information along with a unique application number as well."

Web applications Google search reveals significant amount of information, especially over time and across applications Amazon has a significant amount of user information

Why is Privacy Hard? Your stories / thoughts?

Why is Privacy Hard? Definition problem Hard to define until something bad happens “Well, of course I didn’t mean to share that” Risks not always obvious up front Burglars went to airports to collect license plates Credit info used by kidnappers in South America

Why is Privacy Hard? Social Perspective Expectations and levels of comfort change with time and/or experience Both individual and societal Many people objected to having phones in their homes because it “permitted intrusion… by solicitors, purveyors of inferior music, eavesdropping operators, and even wire-transmitted germs”

Why is Privacy Hard? Social Perspective The appearance of Eastman’s cameras was so sudden and so pervasive that the reaction in some quarters was fear. A figure called the “camera fiend” began to appear at beach resorts, prowling the premises until he could catch female bathers unawares. One resort felt the trend so heavily that it posted a notice: “PEOPLE ARE FORBIDDEN TO USE THEIR KODAKS ON THE BEACH.” Other locations were no safer. For a time, Kodak cameras were banned from the Washington Monument. The “Hartford Courant” sounded the alarm as well, declaring the “the sedate citizen can’t indulge in any hilariousness without the risk of being caught in the act and having his photograph passed around among his Sunday School children.” Lindsay, D., The Kodak Camera Starts a Craze. 2004. http://www.pbs.org/wgbh/amex/eastman/peoplevents/pande13.html

Why is Privacy Hard? Individual perspective Cause and effect may be far in time and space Think politicians and actions they did when young Video might appear on YouTube years later Privacy is highly malleable depending on situation Still use credit cards to buy online Benefit outweighs cost Power or social imbalances Employees may not have many choices Easy to misinterpret Went to drug rehabilitation clinic, why?

Why is Privacy Hard? Technical Perspective Easier to capture data Video cameras, camera phones, microphones, sensors Break “natural” boundaries of physics Easier to store and retrieve data LifeLog technologies Googling a potential date Market incentives too

Why is Privacy Hard? Technical Perspective Easier to capture data Video cameras, camera phones, microphones, sensors Break “natural” boundaries of physics Easier to store and retrieve data LifeLog technologies Googling a potential date Easier to share data Ubiquitous wireless networking Blogs, wikis, YouTube, Flickr, FaceBook Inferences and Machine Learning Humidity to detect presence

Why is Privacy Hard? Organizational Perspective Bad data can be hard to fix Sen. Ted Kennedy on TSA no-fly list Market incentives not aligned well More info can market better Can sell your info Many activities are hidden What are credit card companies, Amazon doing? What is NSA doing?

Why is Privacy Hard? Purely HCI Perspective Few tools Few evaluation techniques Lack of clear metrics Market incentives too

Why is Privacy Hard? Meta-Research Perspective Privacy is a large umbrella term Lots of different groups and schools of thought that don’t always interact or agree with each other Tools and methods for one school of thought doesn’t necessarily work well for others Privacy as anonymity Cypherpunks, database researchers, machine learning Privacy as a rational process for organizations Privacy as organic process / Personal privacy A lot of HCI, CSCW, CMC work falls here Market incentives too

What is Privacy? No standard definition, many different perspectives Different kinds of privacy Bodily, Territorial, Communication, Information Many different philosophical views on info privacy Different views -> different values -> different designs Note: next few slides not mutually exclusive

Principles vs Common Interest Principled view -> Privacy as a fundamental right Embodied by constitutions, longstanding legal precedent Government not given right to monitor people Common interest -> Privacy wrt common good Emphasizes positive, pragmatic effects for society Examples: National ID cards, mandatory HIV testing

Self-determination vs Personal Privacy Self-determination (aka data protection) Arose due to increasing number of databases in 1970s “Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” (Westin) Led to Fair Information Practices More of individual with respect to governments, organizations, and commercial entities Personal privacy How I express myself to others and control access to myself More of individual with respect to other individuals

Self-determination vs Personal Privacy Examples: Cell phone communication Data protection view Telecoms record about who I called How long keep the data? Personal privacy Caller ID What I choose to say on phone Instant messaging Store messages? Google Talk Privacy policy Who your buddies are Invisible mode Logs Facebook All of these examples have elements of both data protection and personal privacy Presence, who you choose to talk to, idle time, screening, invisible, ignore IM company, what info do they collect Friends, hobbies, what your friends can see, what your friends write about you, photos How long is information kept? Plug-ins for facebook, info to 3rd parties, can’t get info off facebook, advertisers

Privacy as Solitude / Isolation “The right to be let alone” People tend to devise strategies “to restrict their own accessibility to others while simultaneously seeking to maximize their ability to reach people” (Darrah et al 2001) Protection from interruptions and undesired social obligations Examples: Spam protection Do-not call list, not answering mobile phone Invisible mode, ignoring an IM IPod cocooning on public transit

Privacy as Anonymity Hidden among a crowd Examples: Web proxy to hide actual web traffic “Someone in this room who is over 30 and once broke his right arm” vs “a female” Location k-anonymity This view is highly popular among technical people Measurable Limitations? Crowd Re-identification Also limited use for HCI (since you often already know who the other party is) Cellular tower privacy

Privacy as Projecting a Desired Persona People see you the way you want them to see you Examples: Cleaning up your place before visitors Putting the right books and CDs out Having “desirable” Facebook groups, hobbies, politics, etc on your profile

Privacy as a Process Controlled, rationalistic process Bank and web site privacy policies Many rules governing how personal information gathered and used Organic and fluid process Adjusting window blinds Opening or closing my office door Choosing what I do or don’t disclose during a conversation

Privacy as Protection of Self vs Others Protecting Self Protecting Others? Mandatory privacy, wearing clothes Cell phones going off in theaters

Overview of Privacy Why care? Why is it hard? Thinking about and Designing for Privacy Why privacy might not matter

Legal Differences for Privacy America tends to have sector-by-sector privacy laws HIPAA, CALEA, COPPA, FERPA, finance, video rentals Much of the legal rulings on privacy happens in judiciary Wiretapping, advanced sensing tech Cynically, wait until a disaster happens, then try to fix Europe has comprehensive privacy laws European Union Data Protection Directive Stronger focus on prevention Working party that will issue rulings on biometrics, privacy policies, etc Keep up with technologies

Privacy Policies Evidence strongly suggests people don’t read privacy policies (unless assigned as homework ) Carlos Jensen et al, CHI 2004 Problems with privacy policies? Too hard to read Privacy policy changed, can I challenge? This policy can change at any time, come back often Cover you’re @$$ No market or perhaps legal interest Tedious to read, get in the way General consensus: designed to protect service providers rather than inform consumers

Segmenting Users Westin and others have been running surveys over the past few years looking at individuals wrt orgs Don’t care (~10%) I’ve got nothing to hide We’ve always adapted "You have zero privacy anyway. Get over it." Fundamentalist (~25%) Don’t understand the tech Don’t trust others to do the right thing Pragmatist (~65%) Cost-benefit Communitarian benefit to society as well as individual

Control – Setting Privacy Policies Web-based specification of privacy preferences Users can create groups and put screennames into groups Users can specify what each group can see

Control – System Tray Coarse grain controls plus access to privacy settings

Feedback – Notifications

Is Privacy always Good? Reputation management Can be used as a shield for abusive behavior Supermarket loyalty cards Gauge effect of marketing, effects of price and demand Market to best customers Can streamline economic transactions Easy credit EU – “Regulators prosecuted an animal rights activist who published a list of fur producers and a consumer activist who criticized a large bank on a Web page that named the bank’s directors.” http://reason.com/0406/fe.dm.database.shtml

Social Translucency Make participants and their activities apparent to others Ex. Alice is unlikely to repeatedly query for Bob’s location if she knows Bob can see each request Erickson is implicitly arguing for optimistic privacy

Plausible Deniability Another example of supporting a norm If I don’t answer my phone: Busy, shower, driving, bozo Ambiguity is good here How to build into systems? Natural part of most asynchronous communication systems Unclear in general How reliable should our systems be? Spam filters Location granularity

Subtle Control “[The Active Badge] could tell when you were in the bathroom, when you left the unit, and how long and where you ate your lunch. EXACTLY what you are afraid of.” allnurses.com

Privacy: an open and challenging issue