Privacy and Ubiquitous Computing Jason I. Hong

Ubicomp Privacy is a Serious Concern “[Active Badge] could tell when you were in the bathroom, when you left the unit, and how long and where you ate your lunch. EXACTLY what you are afraid of.” -allnurses.com

Characteristics –Real-time, distributed –Invisibility of sensors –Potential scale –What data? Who sees it? Design Issues –No control over system –No feedback, cannot act appropriately You think you are in one context, actually in many –No value proposition Why is Ubicomp Privacy Hard?

Devices becoming more intimate –Call record, SMS messages –Calendar, Notes, Photos –History of locations, People nearby, Interruptibility –With us nearly all the time Portable and automatic diary –Accidental viewing, losing device, hacking Protection from interruptions –Calls at bad times, other people’s (annoying) calls Projecting a desired persona –Accidental disclosures of location, plausible deniability

Exploring Ubicomp at CMU People Finder Sensor Andrew inTouch –Better awareness and messaging for small groups Contextual Instant Messaging –Control and feedback mechanisms for ubicomp privacy

Contextual Instant Messaging Facilitate coordination and communication by letting people request contextual information via IM –Interruptibility (via SUBTLE toolkit) –Location (via Place Lab WiFi positioning) –Active window Developed a custom client and robot on top of AIM –Client (Trillian plugin) captures and sends context to robot –People can query imbuddy411 robot for info “howbusyis username” –Robot also contains privacy rules governing disclosure

Web-based specification of privacy preferences –Users can create groups and put screennames into groups –Users can specify what each group can see Control – Setting Privacy Policies

Coarse grain controls plus access to privacy settings Control – System Tray

Feedback – Notifications

Feedback – Social Translucency

Feedback – Offline Notification

Feedback – Summaries

Feedback – Audit Logs

Evaluation Recruited fifteen people for four weeks –Selected people highly active in IM (ie undergrads ) –~120 buddies, ~1580 messages / week (sent and received) –~3.3 groups created per person Notified other parties of imbuddy411 service –Update AIM profile to advertise –Would notify other parties at start of conversation

Results of Evaluation 321 queries –~1 query / person / day –61 distinct screennames, 15 repeat users –67 interruptibility, 175 location, 79 active window Added Stalkerbot near end of study –A stranger making 2 queries per person per day

Results – Controls Controls easy to use (4.5 / 5, σ=0.7) “I really liked the privacy settings the way they are. I thought they were easy to use, especially changing between privacy settings.” “I felt pretty comfortable with using it because you can just easily modify the privacy settings.” However, can be lots of effort “It’s time consuming, if you have a long buddylist, to set up for each person.” Asked for more location disclosure levels –Around or near a certain place

Results – Comfort Level Comfort level good (4 / 5, σ=0.9) –12 participants noticed stalkerbot, 3 didn’t until debriefing –However, no real concerns –Reasoned that our stalkerbot was a buddy or old friend –Also confident in their privacy control settings “I know they won’t get any information, because I set to the default so they won’t be able to see anything.”

Results – Appropriateness of Disclosures Mostly appropriate (2.47 / 5, where 3 is appropriate) –Useful information for requester? Right level of info? –Two people increased privacy settings, one after experimentation, other after too many requests from specific person However, more complaints about accuracy –Ex. Left a laptop in a room to get food, person wasn’t there

Results – Usefulness of Feedback Bubble notification, 1.6 / 6 (σ=0.6)

Results – Usefulness of Feedback Bubble notification, 1.6 / 6 (σ=0.6) Disclosure log, 1.8 (σ=1.3)

Results – Usefulness of Feedback Bubble notification, 1.6 / 6 (σ=0.6) Disclosure log, 1.8 (σ=1.3) Mouse-over notification, 3.7 (σ=1.0) Offline statistic notification, 4 (σ=1.4) Social translucency Trillian tooltip popup, 4.8 (σ=1.1) Peripheral red-dot notification, 5.4 (σ=0.7)

Discussion

Scaling up notifications –~1 query / person / day, but just one app, not a lot of users –Pointing out anomalies more useful Disclosure log not used heavily –Though people liked knowing that it was there just in case Surprisingly few concerns about privacy –No user expressed strong privacy concerns –Feature requests were all non-privacy related –If low usage, due to not enough utility, not due to privacy Does this mean our privacy is good enough, or is this because of users’ attitudes and behaviors?

Better understanding of attitudes and behaviors towards privacy Westin identified three clusters of people wrt attitudes toward commercial entities –Fundamentalists (~25%) –Unconcerned (~10%) –Pragmatists (~65%) We need something like this for ubicomp –But for personal privacy rather than for commercial entities –With more fine-grained segmentation Fundamentalists include techno-libertarians and luddites Pragmatists include too busy, not enough value, profiling –Better segmentation would help us understand if our privacy is good enough for specific audience

Understanding Adoption Need to tie attitudes and behavior with adoption models Teens

Understanding Adoption Crafting better value propositions –“Ubiquitous computing” and a focus on technology really scared the bejeezus out of people –“Invisible computing” and a focus on how it helps people, far more palatable

Understanding Adoption Crafting better value propositions –“Ubiquitous computing” and a focus on technology really scared the bejeezus out of people –“Invisible computing” and a focus on how it helps people, far more palatable Finding and supporting existing practices –Already using IM, familiar metaphor, adding a few more features, rather than asking people to take a large step –Better deployment models

End-User Privacy in HCI 137 page article surveying privacy in HCI and CSCW Forthcoming in the new Foundations and Trends journal, in a few weeks

Acknowledgements NSF Cyber Trust CNS NSF IIS CNS ARO DAAD Motorola Nokia Research Skyhook Gary Hsiesh Wai-yong Low Karen Tang

Open Challenges

Lessons Thus Far

Total of 242 requests for contextual information –53 distinct screen names, 13 repeat users Results of First Evaluation

43 privacy groups, ~4 per participant –Groups organized as class, major, clubs, gender, work, location, ethnicity, family –6 groups revealed no information –7 groups disclosed all information Only two instances of changes to rules –In both cases, friend asked participant to increase level of disclosure Results of First Evaluation

Likert scale survey at end –1 is strongly disagree, 5 is strongly agree –All participants agreed contextual information sensitive Interruptibility 3.6, location 4.1, window 4.9 –Participants were comfortable using our controls (4.1) –Easy to understand (4.4) and modify (4.2) –Good sense of who had seen what (3.9) Participants also suggested improvements  Notification of offline requests  Better summaries (“User x asked for location 5 times today”)  Better notifications to reduce interruptions (abnormal use) Results of First Evaluation

What’s Hard about Ubicomp Privacy? Easier to store lots of data More kinds of data being collected Easier to distribute More sensors, real-time More devices Easier to search More intimate

Five Challenges Better ways of helping end-users manage their privacy A better understanding of people’s attitudes and behaviors towards privacy A privacy toolbox Better organizational support Understanding adoption