Privacy and Mobile Ubiquitous Computing A lecture of sorts by Travis Christian.


Agenda
- Defining some terms
- What's the big deal?
- From the user's perspective
- Privacy concepts
- Case studies
- Design guidelines
- Conclusions

Definitions
Privacy:
- “The ability of individuals to control the terms under which their personal information is acquired and used.” Mary J. Culnan, “Protecting Privacy Online: Is Self-Regulation Working?” Journal of Public Policy and Marketing 19:1 (2000), 20–26.
- “The right to be let alone” Samuel Warren and Louis D. Brandeis

Definitions
Ubiquitous Computing
- “third wave in computing, just now beginning […] or the age of calm technology, when technology recedes into the background of our lives.” - Mark Weiser
- “ubicomp”
- “pervasive computing”
- “everyware”
“Computing without computers, where information processing has diffused into everyday life, and virtually disappeared from view.”
- Adam Greenfield, Everyware

What's the big deal?
- UbiComp 11th International Conference
  - Locaccino, Google Latitude
- Project Oxygen (MIT)
- RFID
- Future: smart homes, wearable computers, embedded devices.... ???

What's the big deal?
With all of these potentials come privacy risks.
- Location → tracking
- Aggregation → activity inference
- Networking → data farming
- Complexity → lack of understanding
- Easy to forget → no informed consent
(Chapter 19: Privacy Issues and Human-Computer Interaction)

From the user's perspective
- How they view privacy
  - Research on privacy configuration shows that most do not customize settings
  - It's important, but not a primary task
- Different concerns
  - Unauthorized access (security breach)
  - Sharing without consent
  - Collection of personal data
  - Inability to correct errors
(Chapter 19: Privacy Issues and Human-Computer Interaction)

From the user's perspective
- 3 consistently observed levels of concern
  - Marginal (indifferent)
  - Fundamentalist (uncompromising)
  - Pragmatic (will make tradeoffs)
    - Majority across many studies
(Chapter 19: Privacy Issues and Human-Computer Interaction)

Privacy concepts
- Different forms of privacy
  - Access personal data (conscious decision)
  - “Exoinformation”: left by interactions
    - Queries, timestamps, IP addresses, etc.
    - Used to build aggregate profiles
- “Barn Door” property
  - Once left unprotected, there is no way of knowing whether data has been seen
(Chapter 20: A User-Centric Privacy Space Framework)

Privacy concepts
- Privacy boundaries
  - Disclosure boundary
  - Identity boundary
  - Temporal boundary
  - Users need to be aware and manage
(Peripheral Privacy Notifications for Wireless Networks)

Case Study: Faces
- Privacy manager for ubicomp environments
- Disclosure preferences: user decides rules
  - WHO sees WHAT info in WHICH situations
- Metaphor: “faces” represent how users portray themselves to others in a situation
  - Situation: generic setting for the purpose of establishing a “face”
  - Ex: Weekend shopping trip
(Chapter 21: Five Pitfalls in the Design for Privacy)

Case Study: Faces
- Levels of precision
  - Undisclosed, vague, approximate, precise
- Types of information
  - Identity, location, activity, nearby people
- Feedback: log of disclosures used to iteratively define preferences
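The rule model described on the two Faces slides (WHO sees WHAT at WHICH precision in WHICH situation, plus a disclosure log), sketched as an added example; this is not code from the lecture or from the Faces prototype. The names `FacesPolicy`, `set_face` and `disclose`, the default of "undisclosed" when no rule matches, and the sample context values are assumptions.

```python
from enum import IntEnum
class Precision(IntEnum):          # the four levels named on the slide
    UNDISCLOSED = 0
    VAGUE = 1
    APPROXIMATE = 2
    PRECISE = 3

INFO_TYPES = ("identity", "location", "activity", "nearby_people")

class FacesPolicy:
    """Hypothetical model: (inquirer, situation) -> face {info type: Precision}."""
    def __init__(self):
        self.faces = {}
        self.log = []   # disclosure log the user reviews to refine preferences

    def set_face(self, who, situation, **levels):
        unknown = set(levels) - set(INFO_TYPES)
        if unknown:
            raise ValueError(f"unknown info types: {sorted(unknown)}")
        self.faces[(who, situation)] = {k: Precision(v) for k, v in levels.items()}

    def disclose(self, who, situation, info_type, context):
        """Answer one inquiry; anything not covered by a rule stays undisclosed."""
        if info_type not in INFO_TYPES:
            raise ValueError(f"unknown info type: {info_type}")
        level = self.faces.get((who, situation), {}).get(info_type, Precision.UNDISCLOSED)
        value = None if level == Precision.UNDISCLOSED else context[info_type][level]
        self.log.append((who, situation, info_type, level.name, value))
        return value

# Constructed sample: the user's current state, rendered at each precision level.
CONTEXT = {
    "location": {Precision.VAGUE: "out of the house",
                 Precision.APPROXIMATE: "downtown",
                 Precision.PRECISE: "bookstore, 2nd floor"},
    "activity": {Precision.VAGUE: "busy",
                 Precision.APPROXIMATE: "shopping",
                 Precision.PRECISE: "buying a gift"},
}

def demo():
    policy = FacesPolicy()
    policy.set_face("spouse", "weekend shopping trip",
                    location=Precision.PRECISE, activity=Precision.APPROXIMATE)
    policy.set_face("employer", "weekend shopping trip", location=Precision.VAGUE)
    asks = [("spouse", "location"), ("employer", "location"),
            ("employer", "activity"), ("stranger", "location")]
    answers = [policy.disclose(w, "weekend shopping trip", t, CONTEXT) for w, t in asks]
    return answers, policy.log
```

Refused inquiries are logged as well, so the log records who asked even when nothing was disclosed.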

Case Study: Faces
- Testing: 5 participants
  - Created rules for 2 inquirers, 2 situations
  - Given realistic scenario for each situation
  - Preferences stated in scenarios did not match settings for associated situations
- Conclusion: Separating configuration from context is a mistake. Users should mold system behavior through their actions, instead of thinking abstractly about privacy.

Case Study: Reno
- SMS-based location inquiry tool
- 3-stage experimental process
  - Experience Sampling Method (ESM)
    - Who would disclose what information
  - Pilot study
    - Internal testing
  - User study
    - Tested with 2 families
(Developing Privacy Guidelines for Social Location Disclosure Applications and Services)

Case Study: Reno
- Results
  - Responses based on specific goals
  - Denial and deception
  - Automation not popular
- Derived design guidelines
- Next step: “Boise” map-based successor

Design Guidelines: Faces
- Don't obscure potential information flow
  - Users can make informed use of a system only when they understand the scope of its privacy implications.
- Don't obscure actual information flow
  - Users should understand what information is being disclosed to whom.

Design Guidelines: Faces
- Promote user action over configuration
  - Designs should enable users to practice privacy as a natural consequence of their use of the system.
- Provide coarse-grained control
  - Designs should provide an obvious way to halt and resume disclosure.
- Support established practice

Design Guidelines: Reno
- Don't start with automation
- Allow flexible disclosure
- Support plausible deniability
- Support deception
- Support simple evasion (“busy”)
- Start with person-to-person communication
- Provide status/away messages

Design Guidelines: Reno
- Avoid handling user data
- Consider user groups likely to need privacy
- Characterize users' use of privacy features
- Account for long learning curve
- Account for specific circumstances

Design Guidelines: Proportionality
- Principle of proportionality:
  - “any application, system, tool, or process should balance its utility with the rights to privacy (personal, informational, etc) of the involved individuals”
- Method built on 3 “judgments”
  - Legitimacy: are the goals useful?
  - Appropriateness: find the best alternative
  - Adequacy: justify proper use of parameters

Summary
- Importance of ubicomp
- Role of privacy
- User's perspectives
- Case studies: prior research
- Design guidelines

Conclusion
- Ubicomp is an important concept and will expand rapidly in the near future.
- Usable privacy plays a vital role in real-world ubicomp systems.
- Privacy risks are a real threat to end users
- Design for ubicomp is challenging, but there are guidelines for preserving privacy
- More research is needed

Sources
- Security and Usability. Chapter 19: Privacy Issues and Human-Computer Interaction (M. Ackerman and S. Mainwaring)
- Security and Usability. Chapter 20: A User-Centric Privacy Space Framework (B. Brunk)
- Security and Usability. Chapter 21: Five Pitfalls in the Design for Privacy (S. Lederer, J. Hong, A. Dey, and J. Landay)
- Samuel Warren and Louis D. Brandeis, The Right to Privacy, Harvard Law Review,
- B. Kowitz and L. Cranor. Peripheral Privacy Notifications for Wireless Networks. In Proceedings of the 2005 Workshop on Privacy in the Electronic Society, 7 November 2005, Alexandria, VA, pp
- G. Iachello, I. Smith, S. Consolvo, M. Chen, and G. Abowd. Developing Privacy Guidelines for Social Location Disclosure Applications and Services. In Proceedings of the Symposium On Usable Privacy and Security 2005, Pittsburgh, PA, July 6-8,
- Iachello, G. and Abowd, G. D Privacy and proportionality: adapting legal evaluation techniques to inform design in ubiquitous computing. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Portland, Oregon, USA, April , 2005). CHI '05. ACM Press, New York, NY,

Questions?