Privacy, Security, and Ubiquitous Computing Jason I. Hong

Overview Privacy and Security Today –Supporting Trust Decisions Privacy and Security Tomorrow –Privacy and Usability in Pervasive Environments –Location-enhanced Web –Whisper

Everyday Security Problems

Everyday Security is Important People increasingly asked to make trust decisions –Install this software? –Trust expired certificate? (“what the is a certificate?”) –Enter username and password? Consequence of wrong trust decision can be dramatic –Spyware –Malware (viruses, worms) –Identity theft

Project: Supporting Trust Decisions Computers can’t make all trust decisions for you Goal here is to help people make better decisions –Context here is anti-phishing –Multidisciplinary team Approach 1: Design Patterns –Extract UI design patterns that work well Approach 2: Embedded Training –Surreptitiously train people to be better at discriminating scams from the real thing Approach 3: Public Health System –Back-end system + UIs for marking scams

Overview Privacy and Security Today –Supporting Trust Decisions Privacy and Security Tomorrow –Privacy and Usability in Pervasive Environments –Location-enhanced Web –Whisper

Ubicomp Presents New Benefits Find FriendsIncident CommandRFID Advances in wireless networking, sensors, devices –Greater awareness of and interaction with physical world Ubicomp can help in efficiency, coordination, safety

Ubicomp Also Presents New Risks Some potential new risks: –Commit fraud –Draw embarrassing or inaccurate inferences –Discriminate against users Everyday RisksExtreme Risks Stalkers, Muggers _________________________________ Well-being Personal safety Employers _________________________________ Over-monitoring Discrimination Reputation Friends, Family _________________________________ Over-protection Social obligations Embarrassment Government __________________________ Civil liberties

“[It] could tell when you were in the bathroom, when you left the unit, and how long and where you ate your lunch. EXACTLY what you are afraid of.” -allnurses.com Ubicomp Privacy is a Serious Concern

Project: Privacy and Usability in Pervasive Environments Group project split into two major parts: 1. Decentralized trust management infrastructure for enforcing policies –Project Grey, MyCampus, Pervasive Access Control 2. User interfaces for helping people elucidate their privacy preferences –When to get notifications? –When to share personal information?

You think you are in one context, actually overlapped in many others Without this understanding, cannot act appropriately Optionally, useful to specify when it’s okay to broadcast Project: Privacy and Usability in Pervasive Environments

Pessimistic, Optimistic, and Mixed-mode privacy –Pessimistic:setup prefs beforehand –Optimistic:detect problems and fix afterwards –Mixed:ask me Extend Privacy Bird Conversational Case Based Reasoning (CCBR) –Major component, help people use similar past situations Empirical user studies to compare these UIs –Correctness, desirability, predictability, time on task, …

Project: Location-Enhanced Web Three big problems with location-based services: 1. Need a high level of expertise to create location- enhanced content and services –Lots of programming and/or hardware expertise –Significantly stifles innovation 2. Difficult to deploy location-enhanced content and services –No location app works on multiple phones –Haphazard wireless connectivity 3. Location privacy

Web + Location = Location-Enhanced Web Evolve existing web infrastructure to support location-awareness –Minimal re-design and re-deployment –Leverage existing web browsers, web servers Co-opt existing location-enhanced content –Transparently make web sites that already have location- enhanced content part of the location-enhanced web –Ex. Restaurant guides, bus schedules, tour guides, etc –Anything with street address info Make it easy to create location-enhanced content –Authoring of web pages vs programming apps

Underlying Design Philosophy Capture, store, and process personal data on my computer as much as possible (laptops and PDAs) Provide greater control and feedback over sharing

How It Will Work Overview (1) Determine location locally on device –Listen to “beacons” to calculate location locally (2) Use local proxies to transparently add new features –Let users use existing web browsers (3) Local services –Geocoders, maps, etc (4) Occasionally-connected computing –Cache content like a madman, periodically update (5) Better user interfaces –Provide better UIs for sharing info (6) Provide authoring tools for new content and services

How It Will Work Usage Scenario (1/5) ABC –Works indoors and in urban canyons –Works with encrypted nodes –No special equipment –Privacy-sensitive –Rides the WiFi wave Alice does a one-click install for her laptop Place Lab WiFi positioning system calculates location –Unique WiFi MAC Address  Latitude, Longitude

How It Will Work Usage Scenario (2/5) Regular web browser starts auto-filling in web forms for location-unaware sites –Local geocoder service looks up address info –Uses publicly available data about countries, states, ZIP, etc

How It Will Work Usage Scenario (3/5) Alice can also go to a location-aware site that uses our extensions –Web-based tour guide of CMU Alice gets a Place Bar UI to control what level of location info she is willing to disclose –Selectively trade privacy for services

How It Will Work Usage Scenario (4/5) Local proxy transparently processes new location- enhanced features –Triggers to auto-load new content Ex. show this page when user enters this building –Context-sensitive links Ex. “Map” link shows indoor map when indoors, etc –Active map

How It Will Work Usage Scenario (5/5) Alice can also download content for use when not connected to network –Too expensive, roaming, poor coverage, etc Every morning, her laptop downloads location+ information about Pittsburgh –Community events like talks, concerts, book signings –Restaurant guides (download and geocode entire site) –Locally filter and examine Can also block-fetch info –Ex. Travel to Seattle, download all info for that week –Service knows you are in Seattle, that’s it –If linked with calendar, can do this when you’re in Pittsburgh

Authoring Tools

Advantages of this Approach This approach leverages: –Familiar user model (links, pages, web sites, submit button) –Lots of existing content –Lots of authoring and debugging tools –Lots of content creators Icing on the cake –Simple user model: everything private unless you choose –Software only extensions, no new hardware –Minimal changes to existing web browsers, proxies, servers –Don’t have to wait for widespread cheap wireless networking –Can do this today!

Can Address Key Research Problems Need a high level of expertise to create location- enhanced content and services –Shift problem from programming to authoring –Provide libraries and templates for advanced features Difficult to deploy location-enhanced content and services –Local proxy, local services, local storage –Occasionally connected computing Privacy –OCC (use data offline) –Better user interfaces for when and what to share

Lots of Research Issues OCC and block-fetching algorithms –How much to download? When to refresh? –Privacy metric: level of privacy vs cpu, bandwidth, disk, power –Pre-fetch: plausible deniability, potentially useful info Will work for laptops, what about phones and PDAs? –Start with local, push back into infrastructure as needed –Ex. Trusted proxies, a for-pay service that honors privacy User interfaces –Place Bar okay but hard to use in user evals –What is live vs cached?

Apps to Build Towards (1/2) Web page autofill Virtual post-it notes (geonotes) Location-enhanced tourguide Map-It –Map from current location to address on page

Apps to Build Towards (2/2) Location dashboard –Subscribe to Starbucks coffee, crime database, and geonotes server –As you move around, you can see: Nearest Starbucks Crime “thermometer” Previews of notes your friends have posted –Like an RSS feed for the real world! Whisper Community Event Service –Crawl web for community events –Use location, social networks, and keywords to filter –“Notify me when Yo-Yo Ma will play a concert in Pittsburgh”

Project Whisper Community event service –Foster sociability within community –Get people away from TV First iteration done –(Before location-enhanced web though) User evaluations –Useful but… –I want to know who else is going –Too many events shown! Make it easier for people to coordinate –Lightweight, minimal social obligations Make it easy to see what’s going on

Project Whisper Use location information, preferences, and social networking to filter –Location: “Shadyside art festival” –Preferences: “Yo-Yo Ma” –Social Networking: “I’m going to this concert, anyone else?” Hypothesis: instigators –N% of population who really like to organize outings –Subscribe to events these people are interested in Provide personalized events as lightweight RSS feed –RSS a simple way of subscribing to things

Project Whisper Wed (Today): Talk on privacy (3:30PM) Fri Churchbrew (Lorrie, 6:30PM) Weekend Shadyside art festival (all day) Garage sale Squirrel Hill Future Yo-Yo Ma (Oct 28)

Project Whisper Wed (Today): Talk on privacy (3:30PM) Fri Churchbrew (Lorrie, 6:30PM) Weekend Shadyside art festival (all day) Garage sale Squirrel Hill Future Yo-Yo Ma (Oct 28) I get this because of simple keyword matching on “privacy”

Project Whisper Wed (Today): Talk on privacy (3:30PM) Fri Churchbrew (Lorrie, 6:30PM) Weekend Shadyside art festival (all day) Garage sale Squirrel Hill Future Yo-Yo Ma (Oct 28) I get this because I subscribe to Lorrie’s personal RSS feed

Project Whisper Wed (Today): Talk on privacy (3:30PM) Fri Churchbrew (Lorrie, 6:30PM) Weekend Shadyside art festival (all day) Garage sale Squirrel Hill Future Yo-Yo Ma (Oct 28) I get these two because I live in Shadyside Rather than current location, leverage where we spend a lot of our time (ie, home, work, etc)

Project Whisper Wed (Today): Talk on privacy (3:30PM) Fri Churchbrew (Lorrie, 6:30PM) Weekend Shadyside art festival (all day) Garage sale Squirrel Hill Future Yo-Yo Ma (Oct 28) I get this because of keyword “Yo Yo Ma”. I can also publish this as part of my personal RSS feed, so my friends can also see this event. Whisper can then help with who’s going, carpools, etc.

Summary of Projects Privacy, security, and ubiquitous computing Supporting Trust Decisions –Design patterns, Embedded Training, Public Health Privacy and Usability in Pervasive Environments –Design, implement, and eval multiple UIs Location-enhanced web –Systems and UI issues for combining location and web Whisper Community Event Service –Make it easier for people to find interesting events and coordinate who’s going

Future of Ubiquitous Computing? Jason I. Hong NSH 2504D

Perspective on Privacy “The problem, while often couched in terms of privacy, is really one of control. If the computational system is invisible as well as extensive, it becomes hard to know: – what is controlling what – what is connected to what – where information is flowing – how it is being used The Origins of Ubiquitous Computing Research at PARC in the Late 1980s Weiser, Gold, Brown Empower people so they can choose to share: the right information with the right people or services at the right time

Computers Are Becoming Ubiquitous…

… and Integrated with Real World

Client- Centered Architectures Basic idea: –Local sensing, local storage, local processing –Provide better control and feedback over sharing Examples: –Anonymous Broadcast Satellites (GPS, Sirius or XM), Radio (AM / FM), WiFi AP –Sensing: GPS, Cricket, Place Lab –Storage: Occasionally Connected Computing Sync up lots of potentially useful info beforehand –Services Geocoding, maps, etc These services would also be OCC services

Weaknesses of Client-Centered Approach Only useful for certain kinds of apps –Default is not to share info, some apps hard to build –Personal mobile apps vs Place-oriented apps (cameras) –Best for read-only data Requires really high-end devices –Invoke Moore’s Law –Fundamental tradeoff Centralized / decentralized tradeoff –Like hotmail vs cmu IMAP vs own IMAP –Decentralized probably scales better –But users are own sysadmins, viruses, spyware –Again, fundamental tradeoff