Privacy in the Age of Ubiquitous Computing Jason I. Hong Scott Lederer Jennifer Ng Anind K. Dey James A. Landay G r o u p f o r User Interface Research.

Slides:



Advertisements
Similar presentations
An Architecture for Privacy-Sensitive Ubiquitous Computing Jason I. Hong Group for User Interface Research Computer Science Division University of California.
Advertisements

An Architecture for Privacy-Sensitive Ubiquitous Computing 1 Cindy Nguyen An Architecture for Privacy-Sensitive Ubiquitous Computing By: Cindy Nguyen University.
A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.
Security and Privacy Issues in Wireless Communication By: Michael Glus, MSEE EEL
Social Media: FACEBOOK Kristin Martin Professional Development.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
WEB BROWSER PRIVACY & SECURITY Nan Li Informed Consent in the Mozilla Browser: Implementing Value-Sensitive Design 10/13/ Usability Privacy.
YOUR INFORMATION YOUR DECISIONS YOUR LIFE. The INDIVIDUAL is the BEST POINT of ORIGINATION and INTEGRATION for DATA RELATING TO THEMSELVES.
Privacy Risk Models for Designing Privacy-Sensitive Ubiquitous Computing Systems Jason Hong Carnegie Mellon Jennifer Ng Carnegie Mellon Scott Lederer University.
1 System Needs for Fast Location Aware Application Development Spatial Group Meeting 4/1/2004 shashi-group/
Development and Evaluation of Emerging Design Patterns for Ubiquitous Computing Eric Chung Carnegie Mellon Jason Hong Carnegie Mellon Madhu Prabaker University.
Web Security A how to guide on Keeping your Website Safe. By: Robert Black.
An Application-led Approach for Security-related Research in Ubicomp Philip Robinson TecO, Karlsruhe University 11 May 2005.
Privacy and Ubiquitous Computing Jason I. Hong. Ubicomp Privacy is a Serious Concern “[Active Badge] could tell when you were in the bathroom, when you.
Douglas K. van Duyne James A. Landay Jason I. Hong Using Design Patterns to Create Customer-Centered Web Sites.
Privacy and Security in the Location-enhanced World Wide Web UC Berkeley Intel / UW UW Intel UC Berkeley Jason Hong Gaetano Boriello James Landay David.
Creating Architectural Descriptions. Outline Standardizing architectural descriptions: The IEEE has published, “Recommended Practice for Architectural.
User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.
© 2004, The Trustees of Indiana University 1 OneStart Workflow Basics Brian McGough, Manager, Systems Integration, UITS Ryan Kirkendall, Lead Developer.
Privacy and Networks CPS 96 Eduardo Cuervo Amre Shakimov.
SIMS 213: User Interface Design & Development Marti Hearst Thurs, Jan 22, 2004.
Context Awareness System and Service SCENE JS Lee 1 UbiPhone:Human-Centered Ubiquitous Phone System.
An Architecture for Privacy-Sensitive Ubiquitous Computing Jason I. Hong HCI Institute Carnegie Mellon University James A. Landay Computer Science and.
Security and Privacy in Ubiquitous Computing. Agenda Project issues? Project issues? Ubicomp quick overview Ubicomp quick overview Privacy and security.
Location Privacy Christopher Pride. Readings Location Disclosure to Social Relations: Why, When, and What People Want to Share Location Disclosure to.
In today’s world technological advances are taking place at a rapid pace. One of the goals of everyone is working towards is to satisfy customer needs.
WebQuilt and Mobile Devices: A Web Usability Testing and Analysis Tool for the Mobile Internet Tara Matthews Seattle University April 5, 2001 Faculty Mentor:
Audumbar Chormale Advisor: Dr. Anupam Joshi M.S. Thesis Defense
How Do I Find a Job to Apply to?
UML Unified Markup Language Ziya Karakaya Atılım University, Computer Engineering
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
The Security Analysis Process University of Sunderland CSEM02 Harry R. Erwin, PhD.
Staying Safe Online Keep your Information Secure.
Topiary: A Tool for Prototyping Location-Enhanced Applications Yang Li, Jason I. Hong, James A. Landay, Presented by Daniel Schulman.
MS Tech-Ed 2006 Iron Architect Competition Greg Cogdell Milliken & Co.
NETWORKING ESSENTIALS. 2 PRIOR TO NETWORKING… REMINDER: KNOW YOURSELF Skills Skills Interests Interests Personality Personality Values Values.
Ethics, Technology, and Qualitative Research: Thinking through the Implications of New Technology Sandra Spickard Prettyman Kristi Jackson.
Intro to Context-Aware Computing Jason I. Hong. Context-Aware Computing Shift from explicit to implicit interaction Use this implicit input to adapt systems.
File Upload Competitive Analysis. Catalyst - Browse in-line Of interest:
Ryan Lackey Dynamic Locations: Secure Mobile Services Discovery and Dynamic Group Membership Ryan Lackey
Understanding Networking Joe Cicero Northeast Wisconsin Technical College.
SharePoint document libraries I: Introduction to sharing files Sharjah Higher Colleges of Technology presents:
Lecture 17 Page 1 CS 236 Online Network Privacy Mostly issues of preserving privacy of data flowing through network Start with encryption –With good encryption,
D1 - 25/10/2015 The present document contains information that remains the property of France Telecom. The recipient’s acceptance of this document implies.
Tools for Web Design and for Ubiquitous Computing Jason I. Hong Computer Science Division University of California, Berkeley.
An Architecture for Privacy-Sensitive Ubiquitous Computing By Jason I-An Hong In MobiSYS ’04: Proceedings of the 2nd international conference on mobile.
Your Roadmap for Success Alice: “Would you tell me, please, which way I ought to go from here?" Cat: "That's depends a good deal on where you want to get.
User Interface Design & Usability for the Web Card Sorting You should now have a basic idea as to content requirements, functional requirements and user.
Mobile and Location-Based Services Jason I. Hong Product Design and Usability April
Intro to Ubicomp Privacy Jason I. Hong. Ubicomp envisions –lots of sensors for gathering data –rich world models describing people, places, things –pervasive.
Design Process … and some design inspiration. Course ReCap To make you notice interfaces, good and bad – You’ll never look at doors the same way again.
Lecture 20 Page 1 Advanced Network Security Basic Approaches to DDoS Defense Advanced Network Security Peter Reiher August, 2014.
Approximate Information Flows: Socially-based Modeling of Privacy in Ubiquitous Computing Xiaodong Jiang Jason I. Hong James A. Landay G r o u p f o r.
Energy forms and transformations. What is energy? We use the word all the time – but very few people have a strong understanding what it is It.
Structure and Function: IA for Web Applications. Innovate - For What’s Next™ ©1999 Scient, Proprietary and Confidential Page 2 Structure - IA with content.
An Architecture for Privacy-Sensitive Ubiquitous Computing Jason I. Hong G r o u p f o r User Interface Research University of California Berkeley.
Chapter 6 Discovering the Scope of the Incident Spring Incident Response & Computer Forensics.
Dude, Where's My Car? And Other Questions in Context-Awareness Jason I. Hong James A. Landay Group for User Interface Research University of California.
E MAIL Expectations and Assignment. W HY E MAIL ? ( IT ’ S SOOOO OLD !) is a 21 st century business communication tool that is vitally important.
A Study of Context-Awareness: The Context Fusion Network, The Context Fabric Presented by Sangkeun Lee IDS Lab., Seoul National University Solar:
Privacy in the Age of Ubiquitous Computing Jason I. Hong Scott Lederer Jennifer Ng Anind K. Dey James A. Landay G r o u p f o r User Interface Research.
 Attacks and threats  Security challenge & Solution  Communication Infrastructure  The CA hierarchy  Vehicular Public Key  Certificates.
Prof. James A. Landay University of Washington Spring 2008 Web Interface Design, Prototyping, and Implementation Ubicomp Design Pre-Patterns May 29, 2008.
Visibook is instant, simple, and dynamic appointment booking We're headquartered in San Francisco, California "Visibook is awesome. My entire studio was.
UNIT 4 – THE COST OF FREE LESSON 4.
CS 321: Human-Computer Interaction Design
Model-View-Controller Patterns and Frameworks
UNIT 4 – THE COST OF FREE LESSON 6.
Online Safety: Rights and Responsibilities
COMPLETE BUSINESS TEXTING SOLUTION
Presentation transcript:

Privacy in the Age of Ubiquitous Computing Jason I. Hong Scott Lederer Jennifer Ng Anind K. Dey James A. Landay G r o u p f o r User Interface Research University of California Berkeley

Mar The Origins of Ubiquitous Computing What’s wrong with Personal Computers? –Too complex and hard to use –Too demanding of attention –Too isolating from other people –Too dominating of our desktops and our lives Ubiquitous Computing Project at Xerox PARC –Advances in wireless networking, sensors, devices –Observations of how people use tools in practice –Make computers a natural part of everyday interactions

Mar The Origins of Ubiquitous Computing

Mar Emerging Examples of Ubicomp Never Get Lost Find Friends Emergency Response

Mar “But What About My Privacy?” Never Get Lost –You walk past a restaurant and your cellphone rings with the specials of the day Find Friends –“Family is already very close to you, so if they’re checking up on you…sort of already smothering and this is one step further.” –“[It] could tell when you were in the bathroom, when you left the unit, and how long and where you ate your lunch. EXACTLY what you are afraid of.” Emergency Response –“I don’t see how a government or an organization will not come up with an excuse to use [location info] for another purpose.” Flood of Location-Based Spam Never Hide From Friends and Co-Workers Constant Surveillance

Mar Our Research in Ubicomp Privacy Fundamental Tension –Ubiquitous Computing can be used for great benefit –Ubiquitous Computing can be used for great harm –Privacy may be greatest barrier to long-term success Our approach –What are the privacy concerns in ubicomp? –How can we design better user interfaces? –Are there better ways of building privacy-sensitive apps? Privacy is an area easy to make mistakes in –Will discuss lessons learned throughout

Mar What is Privacy? Lots of perspectives on privacy –US Constitution, UN Decl. Human Rights, Hippocratic Oath –Influenced by Legal, Market, Social, and Technical forces Privacy is not just Orwell –From “Big Brother” to “Little Sisters” –Media sensationalization of worst-case scenarios Privacy is not just computer security –Adversaries? Friends, family, co-workers, acquaintances –Anonymity? Friends already know your identity –Secrecy? We share personal info with friends all the time –Damage? Risk may be undesired social obligations We are approaching privacy from an HCI perspective

Mar An HCI Perspective on Privacy “The problem, while often couched in terms of privacy, is really one of control. If the computational system is invisible as well as extensive, it becomes hard to know: – what is controlling what – what is connected to what – where information is flowing – how it is being used – what is broken (vs what is working correctly)” The Origins of Ubiquitous Computing Research at PARC in the Late 1980s Weiser, Gold, Brown Make it easy to share: the right information with the right people (or service) at the right time

Mar What are End-User Privacy Needs? Lots of speculation about privacy, little data out there Analyzed survey of 130 people on ubicomp privacy prefs Analyzed nurse message board on locator systems – Examined papers describing usage of ubicomp systems Examined existing and proposed privacy protection laws –EU Directive, Location Privacy Act 2001, Wireless Privacy Act 2004 Interviewed 20 people on various location-based services –Did not mention the word “privacy” unless they did first

Mar End-User Privacy Needs Value proposition Simple and appropriate control and feedback Plausible deniability Limited retention of data Decentralized architectures Special exceptions for emergencies Alice’s Location Bob’s Location

Mar How to Design for Privacy? What are good privacy-sensitive user interfaces? –Knowing what is needed does not say how to do it well

Mar Five Pitfalls for Designers Understanding Obscuring potential information flow Obscuring actual information flow Action Configuration over action Lacking coarse-grained control Inhibiting established practices

Mar #1 – Obscuring Potential Flow Users can make informed use of a system only when they understand the scope of its privacy implications

Mar #2 – Obscuring Actual Flow Users should understand what information is being disclosed to whom Who is querying my location? How often? Requestor informed of disclosure Requestee sees each request

Mar #3 – Configuration Over Action Designs should not require excessive configuration to manage privacy –“Right” configuration hard to predict in advance –Make privacy a natural part of the interaction flow

Mar #4 – Lacking Coarse-Grain Control Designs should not forego an obvious, top-level mechanism for halting and resuming disclosure “[T]raveling employees may want their bosses to be able to locate them during the day but not after 5 p.m. Others may want to receive coupons from coffee shops before 9 a.m. on weekdays but not on weekends when they sleep in. Some may want their friends alerted only when they are within one mile, but not 10 miles.” Protecting the Cellphone User's Right to Hide NYTimes Feb Did I set it right? How do I know?

Mar #5 – Inhibiting Established Practices Designs should not inhibit users from transferring established social practices to emerging technologies Rather than getting an immediate ring, an answering machine comes on the line and says, "Lee has been motionless in a dim place with high ambient sound for the last 45 minutes. Continue with call or leave a message." 1. University and Ramona 2. Palo Alto 3. Custom… 9.Ignore for now

Mar How to Build Applications Better? Develop a toolkit to make it easier to build privacy- sensitive ubicomp apps –Prevent – Strong guarantees on your personal data –Avoid – Better user interfaces for managing privacy –Detect – Finding over-monitoring or accidental disclosures –Need all three for effective systems Key architectural points of Context Fabric –Locality –InfoSpace Diary –Access Descriptions –Privacy Tags Show time-based issues Applications tend to have one of three dominant interaction patterns Can do main work of privacy management before, during, or after Which to use depends on the app and community of users Add how the work on previous slides influenced this work Simpler UIs / Architecture Add more technical depth here Hitting this problem at the UI Level and the Systems Level Really need both, can’t do one without other Also, tried to get lots of low-fi user feedback throughout the process Add lo-fi prototype screenshots or mention it Describe distinction between push / pull Push is easier since you control when it’s sent out Need preview of why prevent / avoid / detect is right Vs just Prevent Quote: trust person or not Focus on alternatives and why those didn’t work

Mar Locality Keep personal data “close” to end-users –Move from centralized systems to decentralized ones –Capture, store, and process personal data on my computer PlaceLab ABC Add more placelab guts here Add slide on MiniGis here as well What are the alternatives here? Centralization was an issue early on Also talked to a lawyer about this (Deidre) Closer data is to you, more legal protection – Works indoors and in urban canyons – No special equipment – Privacy-sensitive – Rides the WiFi wave

Mar PlaceLab ~52000 Nodes (3Megs)

Mar PlaceLab ~500 Nodes

Mar Locality MiniGis Server for processing location locally Country Name= United States Region Name= California City Name= Berkeley ZIP Code= Place Name= Soda Hall Lat Lon= ,

Mar Locality MiniGis Server data sources USGS State Gazetteer –Names in USA –2m records ~650 megs –States, Cities, Places “Places” hardest to get –Airports & schools useful, “hammocks”, “lava”, “quicksand” less so –2 undergrads scouring Berkeley –Research opportunity here in open, distributed naming of places GEOnet Names Server –Names outside USA –5.5m records ~700megs –Regions, Cities, Places

Mar InfoSpace Diary InfoSpace stores your personal information –Static info, like name and phone# –Dynamic info, like current location and activity Runs on your personal device or on a trusted service –Local sources (ex. PlaceLab) can update dynamic info –Can choose to expose different parts to different people & services –Can also see who can see what about you Describe guts of InfoSpace more Describe Tuples more Operators too?

Mar Confab Architecture InfoSpace Diary InfoSpace Diary LocNamePlaceLabTourguideFind FriendMiniGis How to control when and how much personal info is disclosed? Request

Mar Access Notifications One possibility: “[T]raveling employees may want their bosses to be able to locate them during the day but not after 5 p.m. Others may want to receive coupons from coffee shops before 9 a.m. on weekdays but not on weekends when they sleep in. Some may want their friends alerted only when they are within one mile, but not 10 miles.” Problems: –People are not good at defining rules beforehand –Tradeoff between fine-grained control and understandability

Mar Observations on Setting Preferences Who is requesting information is most important factor –“Either I trust someone with my information or I don't – it doesn't depend on where I am.” Time is an essential aspect for maintaining control –Access described in terms of “always”, “never”, or “work hours” –“Work people can know my information during work hours. Home/SO people can know my information always.” Can set prefs before, during, or after a request –Before case can lead to configuration pitfall –During case easier to understand, but can overwhelm –After case easy to setup, but can lead to accidental disclosures

Mar Access Notifications Describe more rationale here Evaluation of this? Add slide on LOC Explain design rationale Time came from interviews / surveys What are the alternatives? My original version had lots of fine-grained mechanisms IP Address Location Time Problem was that from interviews, people didn’t seem to do things that way “I trust person” or “I trust service” between “these times” So I fell into the pitfall too! Second iteration, organized things by People and Services Two different kinds of Access Descriptions Persons and Services Push and Pull as well Push not too hard (greater control, end-user initiated) Pull harder, since not initiated by end-user

Mar Access Notifications Initial Evaluations –Tested with 4 people for understandability and reactions –Location-enhanced messenger, tourguide, emergency response

Mar Access Notifications Initial Evaluations –Tested with 4 people for understandability and reactions –Location-enhanced messenger, tourguide, emergency response Results –Distinction between Push vs Pull, Continuous vs Discrete “Giving a GPS location once or twice does not provide enough information for an invasion of privacy… [but] if GPS location is shared every 2 seconds, there is a potential for an invasion of privacy.” “No need for continuous update of location. Only in a race or a marathon (where staying on track is essential) would continuous update be helpful.”

Mar Access Notifications PlaceBar Continuous Discrete Push??? PullAccess Notifications

Mar Confab Architecture InfoSpace Diary InfoSpace Diary LocNamePlaceLab Tourguide Find Friend MiniGis How to control what happens to your info once it leaves your InfoSpace? Access Pull Push

Mar Privacy Tags Digital Rights Management for Privacy –Like adding note to , “Please don’t forward” –Notify address- –Time to live- 5 days –Max number of sightings- last 5 sightings of my location Libraries for making it easy for app developers

Mar Analysis Prevent –Capture and process personal information locally –PlaceLab, MiniGis –Minimizes risk of mission creep (ex. SSNs) Avoid –Interfaces for helping people make good decisions –Access Notifications / PlaceBar Detect –Finding cases of over-monitoring –Access Notifications –Privacy Tags (processed on requestor’s side)

Mar Implementation Confab, PlaceLab, MiniGis –Java 1.5, Tomcat Web Server, MySql, Jaxen XPath Data –WiFi from wigle.net and undergrads –MiniGis from USGS, GeoNET, and undergrads –~35 megs of data (30 megs of place data) #Classes Lines of code Confab PlaceLab MiniGis Shared Libs

Mar Putting it Together Lemming Location-enhanced Messenger Describe Rationale as to why location + messenger? Show more guts Describe LOC

Mar Putting it Together BEARS Emergency Response Server Field studies and interviews with firefighters [CHI2004] Finding victims in a building –“You bet we’d definitely want that.” –“It would help to know what floor they are on.” But emergencies are rare –How to balance privacy constraints with utility when needed?

Mar Putting it Together BEARS Emergency Response Server Trusted third party (MedicAlert++) Data Sharer Location Building BEARS Service Link 1 2 Trusted BEARS Third- Party Trusted BEARS Third- Party Location 3 4 Medic Alert++ Medic Alert++ Loc “ABC” On Emergency

Mar Requirements Check Value proposition Simple and appropriate control and feedback –Access Notifications (pull) and PlaceBar (push) Plausible deniability –No action, “Ignore for now”, and “Never Allow” appear same Limited retention of data –Privacy Tags Decentralized architectures –Capture and process information locally Special exceptions for emergencies

Mar Contributions Investigated ubicomp privacy from many perspectives –What are end-user needs? How to design? How to build? Context Fabric architecture for privacy-aware apps –Prevent / Avoid / Detect –Suggests a way of architecting privacy-sensitive ubicomp Services on devices, local processing, presentation to end-users –Evaluation with two applications –Starting deployment of Lemming instant messenger “Use technology correctly to enhance life. It is important that people have a choice in how much information can be disclosed. Then the technology is useful.”

Jason I. Hong G r o u p f o r User Interface Research University of California Berkeley Thanks to: DARPA Expeditions NSF ITR PARC Intel Fellowship Siebel Systems Fellowship