1. Privacy Acknowledgement: Jason Hong, CMU

2. Overview of Privacy Why care? Why is it hard? Thinking about and Designing for Privacy –Specific HCI issues and designs Why privacy might not matter Very broad look at privacy –Social aspects, legal aspects, philosophical, user interface

3. Protection from spam, identity theft, mugging Discomfort over surveillance –Lack of trust in work environments –Might affect performance, mental health –May contribute to feeling of lack of control over life Starting over –Something stupid you did as a kid Creativity and freedom to experiment –Protection from total societies –Room for each person to develop individually Lack of adoption of tech Why Care About Privacy? End-User Perspective Everyday RisksExtreme Risks Stalkers, Muggers _________________________________ Well-being Personal safety Employers _________________________________ Over-monitoring Discrimination Reputation Friends, Family _________________________________ Over-protection Social obligations Embarrassment Government __________________________ Civil liberties

4. The Fundamental Tension More information can be used for good and for bad Facebook –Keeping in touch with friends –But embarrassing photos or breakups recorded for all time? Google search reveals significant amount of information, especially over time and scross applications

5. The Fundamental Tension More information can be used for good and for bad Facebook –Keeping in touch with friends –But embarrassing photos or breakups recorded for all time? People Finder –Okayness checking and coordination –But also stalking, monitoring at work, or embarrassment Amazon (or any ecommerce site) –Can improve search results, personalized content –Price discrimination, selling your info to others, not keeping your info safe from hackers

6. Characteristics –Real-time, distributed –Invisibility of sensors –Potential scale –What data? Who sees it? Design Issues –No control over system –No feedback, cannot act appropriately You think you are in one context, actually in many –No value proposition Why is Privacy Hard?

7. Devices becoming more intimate –Call record, SMS messages –Calendar, Notes, Photos –History of locations, People nearby, Interruptibility –With us nearly all the time Portable and automatic diary –Accidental viewing, losing device, hacking Protection from interruptions –Calls at bad times, other people’s (annoying) calls Projecting a desired persona –Accidental disclosures of location, plausible deniability

8. Why is Privacy Hard? Your stories / thoughts?

9. Hard to define until something bad happens –“Well, of course I didn’t mean to share that” Risks not always obvious up front –Burglars went to airports to collect license plates –Credit info used by kidnappers in South America Why is Privacy Hard? Definition problem

10. Expectations and levels of comfort change with time and/or experience –Both individual and societal –Many people objected to having phones in their homes because it “permitted intrusion… by solicitors, purveyors of inferior music, eavesdropping operators, and even wire-transmitted germs” Why is Privacy Hard? Social Perspective

11. The appearance of Eastman’s cameras was so sudden and so pervasive that the reaction in some quarters was fear. A figure called the “camera fiend” began to appear at beach resorts, prowling the premises until he could catch female bathers unawares. One resort felt the trend so heavily that it posted a notice: “PEOPLE ARE FORBIDDEN TO USE THEIR KODAKS ON THE BEACH.” Other locations were no safer. For a time, Kodak cameras were banned from the Washington Monument. The “Hartford Courant” sounded the alarm as well, declaring the “the sedate citizen can’t indulge in any hilariousness without the risk of being caught in the act and having his photograph passed around among his Sunday School children.”

12. Cause and effect may be far in time and space –Think politicians and actions they did when young –Video might appear on YouTube years later Privacy is highly malleable depending on situation –Still use credit cards to buy online –Benefit outweighs cost Power or social imbalances –Employees may not have many choices Easy to misinterpret –Went to drug rehabilitation clinic, why? Why is Privacy Hard? Individual perspective

13. Easier to capture data –Video cameras, camera phones, microphones, sensors –Break “natural” boundaries of physics Easier to store and retrieve data –LifeLog technologies –Googling a potential date Why is Privacy Hard? Technical Perspective

14. Data getting easier to store and retrieve –LifeLog technologies –Googling a potential date Why is Privacy Hard? Technical Perspective

15. Easier to capture data –Video cameras, camera phones, microphones, sensors –Break “natural” boundaries of physics Easier to store and retrieve data –LifeLog technologies –Googling a potential date Easier to share data –Ubiquitous wireless networking –Blogs, wikis, YouTube, Flickr, FaceBook Inferences and Machine Learning –Humidity to detect presence Why is Privacy Hard? Technical Perspective

16. Bad data can be hard to fix –Sen. Ted Kennedy on TSA no-fly list Market incentives not aligned well –More info can market better –Can sell your info Many activities are hidden –What are credit card companies, Amazon doing? –What is NSA doing? Why is Privacy Hard? Organizational Perspective

17. Few tools Few evaluation techniques Lack of clear metrics Why is Privacy Hard? Purely HCI Perspective

18. Privacy is a large umbrella term –Lots of different groups and schools of thought that don’t always interact or agree with each other –Tools and methods for one school of thought doesn’t necessarily work well for others Privacy as anonymity –Cypherpunks, database researchers, machine learning Privacy as a rational process for organizations Privacy as organic process / Personal privacy –A lot of HCI, CSCW, CMC work falls here Ubicomp 2003 –Workshop on Privacy (mostly men) –Workshop on Intimate Computing (mostly women) Why is Privacy Hard? Meta-Research Perspective

19. What is Privacy? No standard definition, many different perspectives Different kinds of privacy –Bodily, Territorial, Communication, Information Many different philosophical views on info privacy –Different views -> different values -> different designs –Note: next few slides not mutually exclusive

20. Principles vs Common Interest Principled view -> Privacy as a fundamental right –Embodied by constitutions, longstanding legal precedent –Government not given right to monitor people Common interest -> Privacy wrt common good –Emphasizes positive, pragmatic effects for society Examples: –National ID cards, mandatory HIV testing

21. Self-determination vs Personal Privacy Self-determination (aka data protection) –Arose due to increasing number of databases in 1970s –“Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” (Westin) –Led to Fair Information Practices (more shortly) –More of individual with respect to governments, organizations, and commercial entities Personal privacy –How I express myself to others and control access to myself –More of individual with respect to other individuals

22. Self-determination vs Personal Privacy Examples: –Cell phone communication Data protection view –Telecoms record about who I called –How long keep the data? Personal privacy –Caller ID –What I choose to say on phone –Instant messaging Data protection view –Store messages? Google Talk –Privacy policy Personal privacy –Who your buddies are –Invisible mode –Logs –Facebook

23. Privacy as Solitude / Isolation “The right to be let alone” People tend to devise strategies “to restrict their own accessibility to others while simultaneously seeking to maximize their ability to reach people” (Darrah et al 2001) –Protection from interruptions and undesired social obligations Examples: –Spam protection –Do-not call list, not answering mobile phone –Invisible mode, ignoring an IM –IPod cocooning on public transit

24. Privacy as Anonymity Hidden among a crowd Examples: –Web proxy to hide actual web traffic –“Someone in this room who is over 30 and once broke his right arm” vs “a female” –Location k-anonymity This view is highly popular among technical people –Measurable –Limitations? Crowd Not “Turag”

25. Privacy as Projecting a Desired Persona People see you the way you want them to see you Examples: –Cleaning up your place before visitors –Putting the right books and CDs out –Having “desirable” Facebook groups, hobbies, politics, etc on your profile

26. Privacy as a Process Controlled, rationalistic process –Bank and web site privacy policies –Many rules governing how personal information gathered and used Organic and fluid process –Adjusting window blinds –Opening or closing my office door –Choosing what I do or don’t disclose during a conversation

27. Privacy as Protection of Self vs Others Protecting Self Protecting Others? –Mandatory privacy, wearing clothes –Cell phones going off in theaters

28. Overview of Privacy Why care? Why is it hard? Thinking about and Designing for Privacy –Specific HCI issues and designs Why privacy might not matter

29. Legal Differences for Privacy America tends to have sector-by-sector privacy laws –HIPAA, CALEA, COPPA, FERPA, finance, video rentals –Much of the legal rulings on privacy happens in judiciary Wiretapping, advanced sensing tech –Cynically, wait until a disaster happens, then try to fix Europe has comprehensive privacy laws –European Union Data Protection Directive –Stronger focus on prevention –Working party that will issue rulings on biometrics, privacy policies, etc

30. Fair Information Practices (FIPs) Many laws based on Fair Information Practices –Set of principles stating how organizations should handle personal information Based on Self-determination / Data Protection view –“Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” (Westin) Note: many variants of FIPs –Will discuss Organization for Economic Cooperation and Development, one of the strictest sets

31. Fair Information Practices (FIPs) Collection limitation Data quality Purpose specification Use limitation Reasonable security Openness and transparency Individual participation Accountability

32. Implications for Design Data protection perspective on privacy –Organizations collecting lots of data –Hospitals, financial institutions, etc However, few tools for helping organizations “do the right thing” in HCI or elsewhere

33. SPARCLE Can author privacy policies in natural language

34. SPARCLE Parses those policies

35. SPARCLE Attaches those policies to data collected Enforced by some policy engine

36. Privacy Policies Evidence strongly suggests people don’t read privacy policies (unless assigned as homework ) –Carlos Jensen et al, CHI 2004 Problems with privacy policies? –Too hard to read –Privacy policy changed, can I challenge? –This policy can change at any time, come back often –Cover you’re @$$ –No market or perhaps legal interest

37. Multi-Level Privacy Policies http://www.pg.com/privacy/english/privacy_notice.html

38. Multi-Level Privacy Policies Idea from EU Working group on privacy –Short- Few sentences, for mobile phone –Condensed- Half page summary –Full- Details

39. Platform for Privacy Preferences Protocol (P3P) A machine-readable way for web sites to state their privacy policies One of the original scenarios: –Users could define what info willing to share with web sites Name, address, email, etc –Could download P3P from web site What they collect, why they collect, who they share, etc –Web browser could then share or not share info Thoughts? –Incentives for people to participate, adoption –Like buying insurance, don’t want to do it until have to –Vendors have to make P3P, users have to create policies

41. Segmenting Users Westin and others have been running surveys over the past few years looking at individuals wrt orgs Don’t care (~10%) –I’ve got nothing to hide –We’ve always adapted –"You have zero privacy anyway. Get over it." Fundamentalist (~25%) –Don’t understand the tech –Don’t trust others to do the right thing Pragmatist (~65%) –Cost-benefit –Communitarian benefit to society as well as individual

42. Segmenting Users Best to focus your designs on don’t care and pragmatist segments Huge caveat: this only applies to individuals and organizations, not individuals to individuals –There still is not a good survey instrument for this –Literature suggests that Westin survey does not have strong correlation with what people share with others –May also mean that privacy studies have unknown bias in them

43. Contextual Instant Messaging Facilitate coordination and communication by letting people request contextual information via IM –Interruptibility (via SUBTLE toolkit) –Location (via Place Lab WiFi positioning) –Active window Developed a custom client and robot on top of AIM –Client (Trillian plugin) captures and sends context to robot –People can query imbuddy411 robot for info “howbusyis username” –Robot also contains privacy rules governing disclosure

44. Web-based specification of privacy preferences –Users can create groups and put screennames into groups –Users can specify what each group can see Control – Setting Privacy Policies

45. Coarse grain controls plus access to privacy settings Control – System Tray

46. Feedback – Notifications

47. Feedback – Social Translucency

48. Feedback – Offline Notification

49. Feedback – Summaries

50. Feedback – Audit Logs

51. Evaluation Recruited fifteen people for four weeks –Selected people highly active in IM (ie undergrads ) –~120 buddies, ~1580 messages / week (sent and received) –~3.3 groups created per person Notified other parties of imbuddy411 service –Update AIM profile to advertise –Would notify other parties at start of conversation

52. Results of Evaluation 321 queries –~1 query / person / day –61 distinct screennames, 15 repeat users –67 interruptibility, 175 location, 79 active window Added Stalkerbot near end of study –A stranger making 2 queries per person per day

53. Results – Controls Controls easy to use (4.5 / 5, σ=0.7) “I really liked the privacy settings the way they are. I thought they were easy to use, especially changing between privacy settings.” “I felt pretty comfortable with using it because you can just easily modify the privacy settings.” However, can be lots of effort “It’s time consuming, if you have a long buddylist, to set up for each person.” Asked for more location disclosure levels –Around or near a certain place

54. Results – Comfort Level Comfort level good (4 / 5, σ=0.9) –12 participants noticed stalkerbot, 3 didn’t until debriefing –However, no real concerns –Reasoned that our stalkerbot was a buddy or old friend –Also confident in their privacy control settings “I know they won’t get any information, because I set to the default so they won’t be able to see anything.”

55. Results – Appropriateness of Disclosures Mostly appropriate (2.47 / 5, where 3 is appropriate) –Useful information for requester? Right level of info? –Two people increased privacy settings, one after experimentation, other after too many requests from specific person However, more complaints about accuracy –Ex. Left a laptop in a room to get food, person wasn’t there

56. Results – Usefulness of Feedback Bubble notification, 1.6 / 6 (σ=0.6)

57. Results – Usefulness of Feedback Bubble notification, 1.6 / 6 (σ=0.6) Disclosure log, 1.8 (σ=1.3)

58. Results – Usefulness of Feedback Bubble notification, 1.6 / 6 (σ=0.6) Disclosure log, 1.8 (σ=1.3) Mouse-over notification, 3.7 (σ=1.0) Offline statistic notification, 4 (σ=1.4) Social translucency Trillian tooltip popup, 4.8 (σ=1.1) Peripheral red-dot notification, 5.4 (σ=0.7)

59. Discussion Disclosure log not used heavily –Though people liked knowing that it was there just in case Surprisingly few concerns about privacy –No user expressed strong privacy concerns –Feature requests were all non-privacy related –If low usage, due to not enough utility, not due to privacy Does this mean our privacy is good enough, or is this because of users’ attitudes and behaviors?

60. Understanding Adoption Need to tie attitudes and behavior with adoption models Teens

61. Optimistic vs Pessimistic Privacy How to tell computer when and when not to disclose information to others? Most privacy controls pessimistic, prevent bad –Setting up rules An alternative design is optimistic –Assume bad things rare –Detect and fix after the fact Pros and cons? –Have to predict in advance disclosures –Can’t fix everything after the fact

62. Several UIs Combine Aspects of Both AT&T Find Friends –Add friends (pessimistic) –They have unlimited queries but you also see each query (optimistic) Interactive mode possible too Ask Bozo (Pessimistic) Always Allow (Optimistic) Allow today (Limited Optimistic) Just this once

63. Conjecture: Concerns Relax Over Time

64. Privacy Placebos? Privacy policies IMBuddy audit logs CareNet display

65. Reputation management Can be used as a shield for abusive behavior Supermarket loyalty cards –Gauge effect of marketing, effects of price and demand –Market to best customers Can streamline economic transactions –Easy credit EU – “Regulators prosecuted an animal rights activist who published a list of fur producers and a consumer activist who criticized a large bank on a Web page that named the bank’s directors.” Is Privacy always Good?

66. Lessig’s Framework Most of the HCI privacy work falls under understanding Norms and building Architecture Tom Erickson argues that we should help facilitate norms through “translucent” systems

67. Social Translucency Make participants and their activities apparent to others Ex. Alice is unlikely to repeatedly query for Bob’s location if she knows Bob can see each request –Erickson is implicitly arguing for optimistic privacy

68. Plausible Deniability Another example of supporting a norm If I don’t answer my phone: –Busy, shower, driving, bozo –Ambiguity is good here How to build into systems? –Natural part of most asynchronous communication systems –Unclear in general –How reliable should our systems be? Spam filters Location granularity

70. Panopticon Subtle way of controlling prisoners –Idea first observed by Jeremy Bentham –Popularized by Michel Foucault Modern day versions?

71. Subtle Control “[The Active Badge] could tell when you were in the bathroom, when you left the unit, and how long and where you ate your lunch. EXACTLY what you are afraid of.” -allnurses.com

72. One Taxonomy Before DuringAfter Rules Testing rules Anonymizing your data Detection Audits Go / no go decision Better interactive feedback