Published by Kristin Jefferson. Modified over 9 years ago.
Presence, Privacy and Service Personalization
CFP PrivSec WG Launch – August 19, 2005
Edward Mitukiewicz, France Telecom (RD/ILAB/BOS)
France Telecom R&D Division
D1 - 25/10/2015

The present document contains information that remains the property of France Telecom. The recipient’s acceptance of this document implies his or her acknowledgement of the confidential nature of its contents and his or her obligation not to reproduce, transmit to a third party, disclose or use for commercial purposes any of its contents whatsoever without France Telecom’s prior written agreement.
Distribution of this document is subject to France Telecom’s authorization

Outline
- Assorted musings to facilitate future CFP PrivSec WG discussions
  - Focused on the complexities of managing privacy-aware presence
  - Limited to a few illustrative examples based on some lessons from a particular prototyping project and ideas from recently published research papers
- …NOT an attempt to
  - Develop a general problem statement and/or comprehensive issue list (albeit doing this and/or describing the current landscape seems to be a good idea!)
  - Consider broader topics of trust/identity management – e.g., in the context of collecting, mining, distributing and protecting sensitive personal data
Privacy Management: Current Practices
- Multiple, uncoordinated control points – difficult to manage
  - Call handling preferences – call waiting: divert or accept
  - Messaging specific options – IM
  - Device controls – on/off, sounds/alerts
  - Control settings – preferences, cookies, tokens
- Integrated policy-based solutions – too complex for the user
  - Who do you want to communicate with and under what circumstances
  - How do you want to communicate when and where
  - What information should be shared with whom under what circumstances
  - Which policy should be activated when …
Personalization: Opportunities & Risks
- Users like service personalization, but want control over
  - What, how and when relevant data is collected, processed and published
  - How such data is used – e.g., ONLY to provide a better service
- Service providers recognize the “added value” potential of personalization – enabled by the availability of data on user interactions with services
  - Conversion of such data into usable information is difficult – e.g., integration of bits and pieces of data from multiple sources
  - Using that info to provide a better user experience usually requires
    - Compliance with the applicable regulations
    - User consent – often limited to a specific and context dependent purpose
Presence and Privacy: See What?
- Value of presence grows with the richness and reliability of the available data (“see/be seen before you communicate”) – e.g., location, availability and communication preferences
- Information disclosure restrictions and preferences (e.g., “only to authorized parties and only the minimum required”) – considering
  - Granularity of the available data – access to all vs. certain subsets
  - Exact vs. “blurred” responses
  - Requestor specific vs. “one-size-fits-all” responses
- Personalization requirements add more complexities …
User Location: Intel Study (CHI2005)
- Users tend to share their location info selectively
  - Users’ decisions depended on who was requesting the location info, why the requester wanted it, and what level of detail would be most useful
  - Study participants were typically willing to disclose either the most useful detail or nothing about their location
- Privacy control becomes a critical issue in the development of location-aware communications
  - Users want to stay in control of their location information – the challenge is to enable them to do this effectively
  - Privacy management has to help users to disclose location in order to facilitate interpersonal interactions – without raising any fears of being monitored
Source: Intel Research – Consolvo et al. http://guir.berkeley.edu/pubs/chi2005/p486-consolvo.pdf
Privacy Preferences: More Studies
- People’s willingness to share information seems to depend primarily on who they are sharing it with
  - Same privacy preferences are more likely to be applied to the same inquirer in different situations than to different inquirers in the same situation – this could help to reduce the underlying complexities and simplify the UI
- Clustering might help to specify and refine over time what users wish to share with whom in what situation
  - Information items AND people’s views of others they wish to share certain types of information with tend to cluster into a manageable set of categories
Sources: UCal Berkeley and UofMich/Microsoft Research
http://guir.berkeley.edu/pubs/chi2003/lederer-chi03.pdf
http://research.microsoft.com/~horvitz/privacy_CHI2005.pdf
Presence and Privacy: Illustrative Example
- Combining address book info with inferences – based on user’s location, calendar and “context aware” privacy policies – could allow for some see before you communicate and be seen enhancements
- Although such presence-aware privacy controls might help users to decide if, when and how others can see their location and/or communicate, user interface complexity becomes a problem…
[Figure labels: “Your friends are there”, “You are here”. Source: “Friend Tracker”]
Privacy Management: Design Pitfalls
- Obscuring potential or actual information flow
  - Users should understand the extent of a system’s potential for disclosure – e.g., privacy implication of Low vs. High settings? – AND what information is actually being disclosed to whom – e.g., browser cookies?
- Emphasizing configuration over action
  - Designs should not require excessive configuration to manage privacy!
- Lacking coarse-grained control
  - Designs should not forgo a top-level mechanism for halting/resuming disclosure – e.g., simple mechanism for excluding the current purchase from a shopping profile
- Inhibiting existing practice
  - Designs should not inhibit users from transferring established social practice to emerging technologies – e.g., support for a social nuance: there could be value in keeping the caller ignorant of the reason for not answering the phone
Source: UCB – Scott Lederer et al. http://www.cs.cmu.edu/~jasonh/publications/puc2004-five-pitfalls.pdf
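
As an added illustration (not part of the original presentation), the Python below applies the disclosure options from the “Presence and Privacy: See What?” slide, with exact, blurred or no response chosen per requester category, together with the top-level halt/resume switch and the record of actual disclosures that the pitfalls above call for. The class names, categories, requester names and coordinates are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Detail(Enum):
    NOTHING = 0   # attribute withheld
    BLURRED = 1   # coarse value only
    EXACT = 2     # full precision

@dataclass
class Presence:
    lat: float
    lon: float
    availability: str

def blur(lat, lon, places=1):
    # One decimal place of latitude is roughly 11 km: area-level, not street-level.
    return (round(lat, places), round(lon, places))

@dataclass
class DisclosurePolicy:
    category_of: dict            # requester -> category (constructed names)
    rules: dict                  # category -> {attribute: Detail}
    paused: bool = False         # top-level halt/resume of all disclosure
    log: list = field(default_factory=list)  # what was actually sent to whom

    def respond(self, requester, presence):
        out = {}
        # Unknown requesters and unlisted attributes default to NOTHING.
        allowed = {} if self.paused else self.rules.get(self.category_of.get(requester), {})
        loc = allowed.get("location", Detail.NOTHING)
        if loc is Detail.EXACT:
            out["location"] = (presence.lat, presence.lon)
        elif loc is Detail.BLURRED:
            out["location"] = blur(presence.lat, presence.lon)
        if allowed.get("availability", Detail.NOTHING) is not Detail.NOTHING:
            out["availability"] = presence.availability
        # A paused reply looks the same as a denied one, so the requester
        # cannot tell why nothing came back.
        self.log.append((requester, sorted(out)))
        return out

def sample_policy():
    # Constructed sample data, not from the slides.
    return DisclosurePolicy(
        category_of={"alice": "family", "bob": "colleague"},
        rules={"family": {"location": Detail.EXACT, "availability": Detail.EXACT},
               "colleague": {"location": Detail.BLURRED, "availability": Detail.EXACT}})

if __name__ == "__main__":
    me, policy = Presence(48.8566, 2.3522, "busy"), sample_policy()
    for who in ("alice", "bob", "mallory"):
        print(who, policy.respond(who, me))
```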
thanks!