Introduction to Ubicomp Privacy or Is Privacy the Achilles’ Heel of Ubicomp?


Why Care About Privacy? End-User Perspective
Protection from spam, identity theft, mugging
Discomfort over surveillance
  – Lack of trust in work environments
  – Might affect performance, mental health
  – May contribute to feeling of lack of control over life
Starting over
  – Something stupid you did as a kid
Creativity and freedom to experiment
  – Protection from total societies
  – Room for each person to develop individually
Lack of adoption of ubicomp tech
Everyday Risks / Extreme Risks
Stalkers, Muggers: Well-being, Personal safety
Employers: Over-monitoring, Discrimination, Reputation
Friends, Family: Over-protection, Social obligations, Embarrassment
Government: Civil liberties

The Fundamental Tension
Ubicomp envisions
  – lots of sensors for gathering data
  – rich world models describing people, places, things
  – pervasive networks for sharing
This data can be used for good and for bad
Find Friends, Smart Homes, Smart Stores

Why Care? Designer and App Developer Perspective
Most obvious problem with ubicomp by outsiders

Why Care? Designer and App Developer Perspective
“Do I wear badges? No way. I am completely against wearing badges. I don't want management to know where I am. No. I think the people who made them should be taken out and shot... it is stupid to think that they should research badges because it is technologically interesting. They (badges) will be used to track me around. They will be used to track me around in my private life. They make me furious.”
Ubicomp “might lead directly to a future of safe, efficient, soulless, and merciless universal surveillance” – Rheingold

What is Privacy?
No standard definition, many different perspectives
Different kinds of privacy
  – Bodily, Territorial, Communication, Information

What is Information Privacy?
Many different philosophical views on info privacy
  – Different views -> different values -> different designs
  – Note that these are not necessarily mutually exclusive

Principles vs Common Interest
Principled view -> Privacy as a fundamental right
  – Embodied by constitutions, longstanding legal precedent
  – Government not given right to monitor people
Common interest -> Privacy wrt common good
  – Emphasizes positive, pragmatic effects for society
Examples:
  – National ID cards, mandatory HIV testing

Self-determination vs Personal Privacy
Self-determination (aka data protection)
  – Arose due to increasing number of databases in 1970s
  – “Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” (Westin)
  – Led to Fair Information Practices (more shortly)
  – More of individual with respect to government and orgs
Personal privacy
  – How I express myself to others and control access to myself
  – More of individual with respect to other individuals

Self-determination vs Personal Privacy
Examples:
  – Facebook
  – Cell phone communication
  – Instant messaging

Privacy as Solitude
“The right to be let alone”
People tend to devise strategies “to restrict their own accessibility to others while simultaneously seeking to maximize their ability to reach people”
  – (Darrah et al 2001)
Example:
  – Spam protection, undesired social obligations
Ubicomp:
  – Able to turn system off, invisible mode

Privacy as Anonymity
Hidden among a crowd
Example:
  – Web proxy to hide actual web traffic
Ubicomp:
  – Location anonymity
  – “a person” vs “Asian person” vs “Jason Hong”

Other Views on Privacy
Transparent Society
  – Multi-way flow of info (vs one-way to govts or corporations)
Don’t care
  – I’ve got nothing to hide
  – We’ve always adapted
  – "You have zero privacy anyway. Get over it."
Fundamentalist
  – Don’t understand the tech
  – Don’t trust others to do the right thing
Pragmatist
  – Cost-benefit
  – Communitarian benefit to society as well as individual

You know it when you lose it

Why is Privacy Hard?
Hard to define until something bad happens
  – “Well, of course I didn’t mean to share that”
Risks not always obvious
  – Burglars went to airports to collect license plates
  – Credit info used by kidnappers in South America
Change in comfort with time and/or experience
Cause and effect may be far in time and space
Malleable depending on situation
  – Still use credit cards to buy online
  – Benefit outweighs cost

Why is Privacy Hard?
Data getting easier to store
  – Think embarrassing facts from a long time ago (ex. big hair)
  – Think function creep (ex. SSNs)
Hard to predict effect of disclosure
  – Hard to tell what credit card companies, Amazon are doing
Market incentives not aligned
Easy to misinterpret
  – Went to drug rehabilitation clinic, why?
Bad data can be hard to fix
  – Sen. Ted Kennedy on TSA watch list

Fair Information Practices (FIPs)
Based on Self-determination / Data Protection view
Set of principles stating how organizations should handle personal information
Note: many variants of FIPs

Fair Information Practices (FIPs)
Openness and transparency
Individual participation
Collection limitation
Data quality
Use limitation
Reasonable security
Accountability

Adapting FIPs for Ubicomp
Presents a method for analyzing ubicomp systems
Assume designers trying to do “the right thing”™
  – Versus evil people actively trying to intrude
Notice
  – Physical beacons beaming out P3P policies
  – Personal system that logs policies
Issues
  – Overwhelmed by notifications?
  – Understandability of notifications?

Adapting FIPs for Ubicomp
Choice and consent
  – Need a way to confirm that a person has consented
  – Can digitally sign a “contract” notification
Issues
  – How can people specify their policies?
  – Can policies match what people really want?
  – How to make people aware of auto-accepts?
  – What if people don’t have a real choice?

Adapting FIPs for Ubicomp
Anonymity and Pseudonymity
  – Try to eliminate any trace of identity
  – Or have a disposable identifier not linked to actual identity
Issues
  – What kinds of services can be offered anonymously?
  – Business models for anonymous services?
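An added example, not taken from the slides: one way to build the disposable identifier described above, assuming a hypothetical scheme in which the device derives a per-service, per-hour pseudonym with HMAC-SHA-256 from a secret it never shares. The function names, the one-hour window and the sample badge ID are assumptions made for illustration.

```python
import hashlib
import hmac

EPOCH_SECONDS = 3600  # assumed rotation interval: a new pseudonym every hour


def disposable_id(device_secret: bytes, service: str, now: int,
                  epoch_seconds: int = EPOCH_SECONDS) -> str:
    """Pseudonym for one service during one time window (hypothetical scheme)."""
    name = service.encode("utf-8")
    epoch = now // epoch_seconds
    # Length-prefix the service name so distinct (service, epoch) pairs
    # can never serialize to the same message.
    msg = len(name).to_bytes(2, "big") + name + epoch.to_bytes(8, "big")
    # Without device_secret the output cannot be tied back to the device
    # or to the pseudonyms it shows to other services.
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()[:16]


def linked_groups(sightings):
    """Group (place, identifier) sightings that share an identifier.

    Returns only groups with more than one place: what an observer who
    pools logs from several places can link to a single device.
    """
    by_id = {}
    for place, ident in sightings:
        by_id.setdefault(ident, []).append(place)
    return [places for places in by_id.values() if len(places) > 1]


def compare(device_secret: bytes, now: int):
    """Constructed scenario: one device seen by three services in the same hour."""
    places = ["cafe", "clinic", "office"]
    static = [(p, "badge-0042") for p in places]  # constructed fixed badge ID
    rotating = [(p, disposable_id(device_secret, p, now)) for p in places]
    return linked_groups(static), linked_groups(rotating)


if __name__ == "__main__":
    secret = bytes(range(32))  # constructed key; a real one is random and stays on the device
    fixed, fresh = compare(secret, 1_700_000_000)
    print("fixed badge ID links:", fixed)
    print("disposable IDs link: ", fresh)
```

Within one window a single service still sees a stable identifier, and sightings with different identifiers can still be linked through other signals such as the time and place they were recorded.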

Adapting FIPs for Ubicomp
Proximity
  – Limit behavior of smart objects based on proximity
      Ex. “Record voice only if owner nearby”
  – Simple mental model, could be hard to implement though
  – Weakness: could be easy to subvert
Locality
  – Information tied to places it was collected
  – Require physical proximity to query
  – Weakness: limits some utility (ex. Find friend)

Adapting FIPs for Ubicomp
Access and Recourse
  – How to know what the system knows about you?
  – What mechanisms for recourse?
Suggests minimizing information collected to avoid this issue (possible in practice?)

Design for Privacy in Ubiquitous Computing Environments
Presents a method for analyzing ubicomp systems
  – Looks primarily at control and feedback
  – Looks at networked media spaces, audio-video connections between two locations
  – More of a personal privacy approach
One point they briefly mention is value proposition
  – At EuroPARC people generally do not worry much about privacy. They feel that the benefits of RAVE outweigh their concerns. This is because the design has evolved together with a culture of trust and acceptable practices relating to its use. Individual freedom was fostered to use, customise, or ignore the technology.

Framework
Capture
  – What kind of information?
  – Video? Identity? Activity (documents, keypresses, etc)
Construction
  – How is information processed? Stored?
Accessibility
  – Who can see the information?
Purpose
  – How is information used? Might be used?

(Some) Criteria for Evaluating Systems
Appropriate timing
Perceptibility
Unobtrusiveness
Low effort
Meaningful
Low Cost

Discussion Points Is Privacy Always Good?

Discussion Points: Is Privacy Always Good?
Can be used as a shield for abusive behavior
Supermarket loyalty cards
  – Gauge effect of marketing, effects of price and demand
  – Market to best customers
Can streamline economic transactions
  – Easy credit
Reputation management
EU – “Regulators prosecuted an animal rights activist who published a list of fur producers and a consumer activist who criticized a large bank on a Web page that named the bank’s directors.”

Discussion Points: Ways of Simplifying Privacy for People?
Lots of effort across various systems
  – Mobile Phone, TiVo, Smart Car, Smart Home, Workplace
  – Analogy: privacy across various web sites
Ways of making it easier for people?
  – What kinds of tools?
  – Third party organizations? (MedicAlert)

Breakout Groups
Group A: Is privacy always good?
  – In what cases not?
  – Too much privacy? (ie get used to it, like security cams?)
Group B: How to simplify privacy for people in ubicomp?
  – Core technologies?
  – Third parties?
  – User interfaces?

Discussion Points
What is the role of tech? How much should it do?
  – With respect to Market, Law, and Social Norms?
What values should we embody in tech?
  – And how to design for those values?
  – Is privacy always good to have?
How to assess risks better beforehand?
Better h/w and s/w architectures?
  – Physical layer of privacy?
Better UIs? Understandable mental models?
Metrics for privacy?
Third parties / companies that manage your privacy?

Fundamental Tech Challenges
Make it easy for organizations to do the right thing
  – Detecting abuse (ex. honeypots, audits)
  – Better database aggregation and anonymization
  – Better org-wide policies and enforcement
Make it easy for individuals to share right info with right people at right times
  – Better ubicomp architectures that put end-users in control
      Can’t just flip a switch
Make it easier for app developers to do right thing
  – Better UIs (awareness, disclosures, decision-making)
  – Better design and evaluation methods

How Ubicomp Changes the Landscape
Scope and scale
  – Everyone, everywhere, any time
More personal
  – Location, activities, habits, hobbies, people with
Breaks existing notions of how world works
  – Close the door
  – Whisper to people
Connected
  – Easy to share with others
Machine readable and searchable