Panel: Prototyping and Building Systems
Four Rants on Privacy and Ubicomp
Jason I. Hong, jasonh at cs cmu edu
Intel Usable Privacy Forum


Rant Overview
– We should push client-centered ubicomp more
– We should examine how people already manage their privacy today
– We need to develop better privacy risk models
– We need better ways of aligning all stakeholders

Rant #1 We should push client-centered ubicomp more

Useful location-based service in privacy-sensitive way
Find nearby “interesting” events
– Notify me whenever Yo-Yo Ma is in town
– Pull out in a bar to find next thing to go to
How Whisper works
– Crawls web for events
– Every morning, download all events in “Portland” onto PDA
– Calculate location locally (ex. Place Lab)
– Filter events locally based on interests and location
– Whisper only knows you are in “Portland”
[Diagram components: Whisper Event Service, Web Crawler, Whisper Service, PDA]

Client-Centered Architectures
Basic idea:
– Local sensing, local storage, local processing
– Provide better control and feedback over sharing
Examples:
– Sensing: GPS, Cricket, Place Lab
– Storage: Occasionally Connected Computing (sync up lots of potentially useful info beforehand)
– Anonymous Broadcast: Satellites (GPS, Sirius or XM), Radio (AM / FM)
Research issues:
– Range of services possible? Tradeoffs?
– What kinds of mental models? User interfaces?
– Client-centered arch is structural, combine with algorithmic?
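The Whisper flow from the previous slide, as an added example that is not code from the talk or from the Whisper project: a toy event service that only ever receives a region name, and a PDA that syncs the region's events once and then filters them locally against a GPS fix it never transmits. The event catalogue, coordinates, interest list and all class and function names are constructed for this illustration.

```python
import math

# Constructed catalogue as a web crawler might produce it: region -> events.
EVENT_CATALOGUE = {
    "Portland": [
        {"title": "Yo-Yo Ma recital", "tags": {"cello"}, "lat": 45.515, "lon": -122.679},
        {"title": "Indie rock night", "tags": {"rock"}, "lat": 45.523, "lon": -122.676},
        {"title": "Cello masterclass", "tags": {"cello"}, "lat": 45.600, "lon": -122.900},
    ],
}


class WhisperEventService:
    """Server side. The only request it ever receives names a coarse region."""

    def __init__(self):
        self.log = []  # everything the service could learn about the user

    def events_for_region(self, region):
        self.log.append({"region": region})  # no GPS fix, no interest list
        return list(EVENT_CATALOGUE.get(region, []))


def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance in km; only ever evaluated on the client.
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


class WhisperPDA:
    """Client side: one coarse download per day, then local sensing and filtering."""

    def __init__(self, service, region, interests, radius_km):
        self.service, self.region = service, region
        self.interests, self.radius_km = set(interests), radius_km
        self.cache = []

    def morning_sync(self):
        # Occasionally connected computing: pull the whole region's events once.
        self.cache = self.service.events_for_region(self.region)

    def nearby_interesting(self, gps_lat, gps_lon):
        # The GPS fix (e.g. from Place Lab) is computed and consumed locally;
        # neither it nor the interest list is ever sent to the service.
        return [e["title"] for e in self.cache
                if e["tags"] & self.interests
                and haversine_km(gps_lat, gps_lon, e["lat"], e["lon"]) <= self.radius_km]


def demo():
    service = WhisperEventService()
    pda = WhisperPDA(service, "Portland", {"cello"}, radius_km=5)
    pda.morning_sync()
    hits = pda.nearby_interesting(45.52, -122.68)  # constructed fix: downtown Portland
    return hits, service.log
```

After `demo()` the service log holds only `{"region": "Portland"}`, while the PDA has narrowed the day's events to the one cello event within 5 km.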

Rant #2 We should examine how people already manage their privacy today

Projecting Personas

How Do People Manage Privacy Today?
What we wear, how we talk, who we eat with, etc.
– Not just secrecy
– Not just control and feedback
– Not just informed consent
Interaction is a “performance” shaped by environment and audience, constructed to project an “impression” consonant with the desired goals of the actor

How Do We Manage Impressions?
Spatial boundaries
– Ex. closing door, seeing who else is around
– Leverages our understanding of physics
Temporal boundaries
– Ex. Big Hair in the 80s
Social and Organizational boundaries
– Ex. student and advisor, student and peers
– Leverages our understanding of social roles and power
“Place / Activity” boundaries
– Ex. “at work”, “at home”, “in the car”, “on my way”

But Ubicomp Disrupts Our Understanding
You think you are in one context, but you are actually overlapped in many others
Without this understanding, you cannot act appropriately and project your desired persona

Possible Research Directions
Foster better mental models
– Sensor notifications, ex. beeps at new people to see
– Make sensing viscerally clear at the physical layer
Match people’s existing mental models
– Be mostly harmless, ex. reduce identifiability
– Locality, ex. limit queries or broadcast by location
– Minimize boundary crossings at deploy-time
– Sense bounds and adapt (possible??)
Leverage other existing techniques
– Plausible deniability, ex. missed cell phone call (Ex. How good / reliable do we want infrastructure to be?)
– Incremental steps with familiar tech, ex. web browser or IM
– Make risky things look scary, “hair standing on back of neck”

But a Word of Caution… Lederer, MS Thesis, UC Berkeley, 2004

Rant #3 We need to develop better privacy risk models

Privacy Risk Model Analogy: Security Threat Model
“[T]he first rule of security analysis is this: understand your threat model. Experience teaches that if you don’t have a clear threat model – a clear idea of what you are trying to prevent and what technical capabilities your adversaries have – then you won’t be able to think analytically about how to proceed. The threat model is the starting point of any security analysis.” – Ed Felten

Why Privacy Risk Models?
Example privacy risks
– Overzealous parents, “friendly stalkers”
– Undesired social obligations
– Location-based spam
– Employer monitoring
– Identity theft, spyware, viruses, phishing
– Muggers, domestic abusers, not-so-friendly stalkers
– 1984 governments
No system can account for every conceivable risk
Need methods and tools for assessing and prioritizing risks to provide a reasonable level of privacy against foreseeable risks

Iterative Design for Assessing Risks
Getting it right the first time is hard
Need better support for going quickly around this loop
[Diagram: Design → Prototype → Evaluate loop]

Idea #1: Rapid Prototyping Tools
Basic Idea:
– Get feedback from real users early on
– Go thru multiple iterations quickly and easily before actually building and deploying apps
– Involve people beyond application developers (ex. interaction designers, sociologists, lawyers, etc.)
Examples:
– Topiary (Li, Hong, Landay, UIST2005)
Research issues:
– How far can we go with prototyping tools for ubicomp? Ex. How much sensing can we fake? Range of apps? Space and time issues?
– How to support larger-scale prototypes?

Idea #2: Methods for Analyzing Risks
More dissemination of risks with specific data types
– Case studies
– Design patterns
Task analysis / Checklist analogy (Hong, Ng, Lederer, Landay, DIS2004)
– Social: Relationship between people?
– Tech: Where is data stored?
– Interaction: Optimistic / Interactive / Pessimistic (Povey 2002)
Extreme programming analogy
– One team builds, another attacks or subverts

Idea #3: Information Privacy Metrics
Can we measure a system’s level of privacy?
– Could compare designs systematically
– Crystallize idea of privacy in app developer minds
– Hopefully lead to an “arms race” (MHz, GB, and “Westins”)
Example: location data
– How precisely / how often can a service ID your location?
– Privacy vs. bandwidth (ex. requesting chunks of data)
– Privacy vs. timeliness (ex. use cached data)
– Defend vs specific scenarios (ex. price discrimination)
Possible approaches:
– TREC bakeoffs on corpus of location data
– TREC bakeoffs on architectures
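An added example for the location-data metrics on this slide (not code from the talk): it replays a constructed day of movement against a chunked, cached event download and reports how often the service sees the user, how precisely it can place them (bounded by the grid cell the client requested), the bandwidth spent, and how stale the cached data gets. The flat km grid, event positions, trajectory and all names are constructed for this illustration.

```python
import math

# Constructed event locations (km on a flat grid around a city centre).
EVENTS = [(x, y) for x in range(0, 40, 3) for y in range(0, 40, 5)]
# Constructed day of movement for one user: (hour, x_km, y_km).
TRAJECTORY = [(8, 2, 2), (9, 4, 2), (12, 11, 6), (13, 12, 6), (18, 25, 30), (21, 3, 2)]


def cell_of(x, y, size_km):
    """Grid cell the client asks for; the service never sees anything finer."""
    return (math.floor(x / size_km), math.floor(y / size_km))


def simulate(size_km, ttl_hours):
    """Replay the day and measure what the service learns vs. what the client pays."""
    cache = {}            # cell -> hour it was last downloaded
    requests = []         # (hour, cell) pairs visible to the service
    events_downloaded = 0
    max_staleness = 0
    for hour, x, y in TRAJECTORY:
        cell = cell_of(x, y, size_km)
        fetched = cache.get(cell)
        if fetched is None or hour - fetched > ttl_hours:
            cache[cell] = fetched = hour
            requests.append((hour, cell))
            events_downloaded += sum(1 for ex, ey in EVENTS if cell_of(ex, ey, size_km) == cell)
        max_staleness = max(max_staleness, hour - fetched)
    return {
        "precision_km": size_km * math.sqrt(2),  # worst-case error in the service's estimate
        "requests": len(requests),               # how often the service sees the user
        "events_downloaded": events_downloaded,  # bandwidth cost
        "max_staleness_h": max_staleness,        # timeliness cost of serving from cache
    }


def tradeoff_table(sizes_km, ttl_hours):
    """One row per cell size, so candidate designs can be compared side by side."""
    return [dict(cell_km=s, **simulate(s, ttl_hours)) for s in sizes_km]


if __name__ == "__main__":
    for row in tradeoff_table([1, 10, 40], ttl_hours=6):
        print(row)
```

With 1 km cells the service pins the user down six times a day for no data at all; with a 40 km “whole city” chunk it sees one request and learns only the city, at the cost of a 112-event download and data up to 13 hours old.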

Rant #4 We need better ways of aligning all stakeholders

Hardest Part of Ubicomp Privacy
Aligning stakeholder interests
– Government – homeland security / accountability
– Market – making money
– App developers – scalable, robust, and “cool”
– …
Few incentives for doing the right thing
– Why make sensors obvious? Extra cost in manufacturing
– Why program it that way? Extra cost in learning and programming for app developers
– Why not collect info? Lowers opportunities for marketing

Idea #1: Figure out sustainable biz models
Service: payment support for ubicomp (Boddupalli et al. WMCSA2003)
– Cross-subsidization, ex. mall tour guide
– Ad-based, ex. radio
– Public service, ex. GPS
– Service per use, ex. credit card, micropayments
Third parties for managing your privacy?
– Only disclose your location info in emergencies (MedicAlert)
– Warn you about bad services
– You’ve already disclosed A and B, don’t disclose C
– Privacy Angel, Private Computation

Idea #2: Bottom-up with App Developers
Develop better toolkits, infrastructures, etc.
Market them to app developers
– Easy to learn (leverage existing tech, ex. http?)
– Easy to create cool apps
– Scalable, robust
– Oh yeah, and privacy too (for free)
Probably not best approach, but might get us 80% of the way there
– Surreptitiously sneak privacy into the core ubicomp fabric
– Popularize it to become the de facto standard

Rant Summary
Push client-centered ubicomp first
– Local sensing, local storage, local processing
– Better user interfaces when sharing personal info
How people already manage their privacy today
– Projecting personas
– Plausible deniability
Better privacy risk models
– Rapid prototyping tools
– Analysis methods
– Metrics
Better ways of aligning all stakeholders
– Biz models
– App developers

Some Relevant Papers
– Payment Support in Ubiquitous Computing Environments, by Boddupalli et al. (WMCSA2003)
– Privacy Risk Models for Designing Privacy-Sensitive Ubiquitous Computing Systems, by Hong et al. (Designing Interactive Systems, DIS2004)
– Topiary: A Tool for Prototyping Location-Enhanced Applications, by Li, Hong, and Landay (UIST2004)

Bonus Slides

How Ubicomp Changes the Landscape
Scope and scale
– Everywhere, any time
Easier to collect and share info
– Location, activities, habits, hobbies, people with
Breaks existing notions of space and time
– Close the door
– Whisper to people
Machine readable and searchable

Privacy-Sensitive Ubicomp Architectures
Basic Idea: Multiple Layers of Privacy
Examples:
– Physical / Sensor: Cricket Location Beacons, Active Bats
– Infrastructure: ParcTab System, Context Toolkit
– Presentation: P3P, Privacy Mirrors
Research Issues

Privacy Perspective #1: Control and Feedback
“The problem, while often couched in terms of privacy, is really one of control. If the computational system is invisible as well as extensive, it becomes hard to know:
– what is controlling what
– what is connected to what
– where information is flowing
– how it is being used”
The Origins of Ubiquitous Computing Research at PARC in the Late 1980s, Weiser, Gold, Brown
Empower people so they can choose to share: the right information with the right people or services at the right time

Challenges
Make it easy for organizations to do the right thing
– Detecting abuse (ex. honeypots, audits)
– Better database aggregation and anonymization
– Better org-wide policies and enforcement