
1 Privacy in the Age of Ubiquitous Computing
Jason I. Hong, Scott Lederer, Jennifer Ng, Anind K. Dey, James A. Landay
Group for User Interface Research, University of California Berkeley

2 The Origins of Ubiquitous Computing (Feb 10 2004)
What’s wrong with Personal Computers?
  – Too complex and hard to use
  – Too demanding of attention
  – Too isolating from other people
  – Too dominating of our desktops and our lives
Advances in Wireless Networking, Sensors, Devices
Ubiquitous Computing Project at Xerox PARC
  – Move computers into the everyday world
  – Make computers a natural part of everyday interactions

3 The Origins of Ubiquitous Computing

4 Emerging Examples of Ubicomp
Never Get Lost
Find Friends
Emergency Response

5 “But What About My Privacy?”
Never Get Lost
  – You walk past a restaurant and your cellphone rings with the specials of the day
Find Friends
  – “Family is already very close to you, so if they’re checking up on you…sort of already smothering and this is one step further.”
  – “[It] could tell when you were in the bathroom, when you left the unit, and how long and where you ate your lunch. EXACTLY what you are afraid of”
Emergency Response
  – “I don’t see how a government or an organization will not come up with an excuse to use [location info] for another purpose”
Flood of Location-Based Spam
Never Hide From Friends and Co-Workers
Constant Surveillance

6 Our Research in Ubicomp Privacy
Fundamental Tension
  – Ubiquitous Computing can be used for great benefit
  – Ubiquitous Computing can be used for great harm
  – Privacy may be greatest barrier to long-term success
What are the privacy concerns in ubicomp?
  – Surveys, interviews, analysis of emerging systems
How can we design better user interfaces?
  – Five Pitfalls in Designing Privacy-Sensitive User Interfaces
Are there better ways of building privacy-sensitive apps?
  – Software support to make it easier to build high-quality apps

7 What is Privacy?
Lots of perspectives on privacy
  – US Constitution, UN Decl. Human Rights, Hippocratic Oath
  – Influenced by Legal, Market, Social, and Technical forces
Privacy is not just Orwell
  – “Big Brother” vs. “Little Sisters”
  – Media sensationalization of worst-case scenarios
Privacy is not just computer security
  – Adversaries? Friends, family, co-workers
  – Anonymity? Friends already know your identity
  – Secrecy? We share personal info with friends all the time
  – Damage? Risk may be undesired social obligations
We are approaching privacy from an HCI perspective

8 An HCI Perspective on Privacy
“The problem, while often couched in terms of privacy, is really one of control. If the computational system is invisible as well as extensive, it becomes hard to know:
  – what is controlling what
  – what is connected to what
  – where information is flowing
  – how it is being used
  – what is broken (vs what is working correctly)”
The Origins of Ubiquitous Computing Research at PARC in the Late 1980s
Weiser, Gold, Brown
Make it easy to share: the right information with the right people (or service) at the right time

9 What are End-User Privacy Needs?
Lots of speculation about privacy, little data out there
Surveyed 130 people on ubicomp privacy preferences
Analyzed nurse message board on locator systems
  – http://allnurses.com
Examined papers describing usage of ubicomp systems
Examined existing and proposed privacy protection laws
  – EU Directive, Location Privacy Act 2001, Wireless Privacy Act 2004
Interviewed 20 people on various location-based services
  – Did not mention the word “privacy” unless they did first

10 End-User Privacy Needs
Value proposition
Simple and appropriate control and feedback
Plausible deniability
Limited retention of data
Decentralized architectures
Special exceptions for emergencies
[Figure labels: Alice’s Location, Bob’s Location]

11 How to Design for Privacy?
What are good privacy-sensitive user interfaces?
  – Knowing what is needed does not say how to do it well

12 Five Pitfalls for Designers
Understanding
  – Obscuring potential information flow
  – Obscuring actual information flow
Action
  – Configuration over action
  – Lacking coarse-grained control
  – Inhibiting established practices

13 #1 – Obscuring Potential Flow
Users can make informed use of a system only when they understand the scope of its privacy implications

14 #2 – Obscuring Actual Flow
Users should understand what information is being disclosed to whom
Who is querying my location? How often?
Requestor informed of disclosure
Requestee sees each request

15 #3 – Configuration Over Action
Designs should not require excessive configuration to manage privacy
  – “Right” configuration hard to predict in advance
  – Make privacy a natural part of the interaction flow

16 #4 – Lacking Coarse-Grain Control
Designs should not forego an obvious, top-level mechanism for halting and resuming disclosure
“[T]raveling employees may want their bosses to be able to locate them during the day but not after 5 p.m. Others may want to receive coupons from coffee shops before 9 a.m. on weekdays but not on weekends when they sleep in. Some may want their friends alerted only when they are within one mile, but not 10 miles.”
Protecting the Cellphone User's Right to Hide, NYTimes, Feb 5 2004
Did I set it right? How do I know?

17 #5 – Inhibiting Established Practices
Designs should not inhibit users from transferring established social practices to emerging technologies
Rather than getting an immediate ring, an answering machine comes on the line and says, "Lee has been motionless in a dim place with high ambient sound for the last 45 minutes. Continue with call or leave a message."
[Screen labels: 1. University and Ramona, 2. Palo Alto, 3. Custom, 9. Ignore for now]

18 How to Build Applications Better?
Currently difficult to build privacy-sensitive applications
Develop a toolkit to make it easier for others to do so
  – Prevent – Strong guarantees on your personal data
  – Avoid – Better user interfaces for managing privacy
  – Detect – Finding privacy violations
Locality
InfoSpace Diary
Access Descriptions

19 Locality
Keep personal data “close” to end-users
  – Move from centralized systems to decentralized ones
  – Capture, store, and process personal data on my computer
[Figure labels: PlaceLab, ABC]

20 InfoSpace Diary
InfoSpace stores your personal information
  – Static info, like name and phone
  – Dynamic info, like current location and activity
  – Can expose different parts to different people and services
  – Can see who can see what about you
Runs on your personal device or on a trusted service
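An added sketch (not from the slides, and not the authors' toolkit API) of the owner-side store this slide describes, also covering the request log from pitfall #2 and the top-level halt switch from pitfall #4. All class, method and field names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# One answer for "denied", "paused" and "no data", so a requester
# cannot tell them apart (plausible deniability).
UNKNOWN = "unknown"

@dataclass
class InfoSpace:
    """Hypothetical owner-side store; names are illustrative only."""
    data: dict = field(default_factory=dict)   # attribute -> {granularity: value}
    rules: dict = field(default_factory=dict)  # (requester, attribute) -> granularity
    paused: bool = False                       # coarse-grained halt/resume switch
    log: list = field(default_factory=list)    # actual information flow

    def put(self, attribute, **by_granularity):
        self.data[attribute] = by_granularity

    def allow(self, requester, attribute, granularity):
        self.rules[(requester, attribute)] = granularity

    def query(self, requester, attribute):
        granularity = self.rules.get((requester, attribute))
        values = self.data.get(attribute, {})
        if self.paused or granularity not in values:
            answer = UNKNOWN
        else:
            answer = values[granularity]
        # Log every request, disclosed or not: who asked, for what, what they got.
        self.log.append((datetime.now(timezone.utc), requester, attribute, answer))
        return answer

    def who_can_see(self, attribute):
        """Potential flow: requesters allowed this attribute, and how precisely."""
        return {r: g for (r, a), g in self.rules.items() if a == attribute}

    def requests_from(self, requester):
        return [entry for entry in self.log if entry[1] == requester]

def demo():
    space = InfoSpace()
    space.put("location", city="Palo Alto", street="University and Ramona")  # constructed
    space.allow("alice", "location", "street")
    space.allow("boss", "location", "city")
    before = [space.query(r, "location") for r in ("alice", "boss", "stranger")]
    space.paused = True  # one switch halts all disclosure; rules stay untouched
    during = [space.query(r, "location") for r in ("alice", "boss", "stranger")]
    return space, before, during

if __name__ == "__main__":
    print(demo()[1:])
```
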

21 InfoSpace Diary
[Diagram labels: InfoSpace (Diary), Loc, Name, PlaceLab, Tourguide, Access Description, Find Friend]

22 Access Descriptions

23 Putting it Together
Lemming Location-enhanced Messenger

24 Putting it Together
BEARS Emergency Response Server
Field studies and interviews with firefighters [CHI2004]
Finding victims in a building
  – “You bet we’d definitely want that”
  – “It would help to know what floor they are on”
But emergencies are rare
  – How to balance privacy constraints with utility when needed?

25 Putting it Together
BEARS Emergency Response Server
Trusted third party (MedicAlert++)
[Diagram labels: Data Sharer, Location, Building, BEARS Service, Link, Trusted BEARS Third-Party, MedicAlert++, Loc “ABC”; steps numbered 1 to 4]

26 Conclusions
Privacy is perhaps most important issue for ubicomp
Our research group has been investigating privacy
  – What are end-user needs?
  – How to design for privacy?
  – How to build privacy-sensitive applications better?
“Use technology correctly to enhance life. It is important that people have a choice in how much information can be disclosed. Then the technology is useful.”

