Privacy in the Age of Ubiquitous Computing
Jason I. Hong
Scott Lederer
Jennifer Ng
Anind K. Dey
James A. Landay
Group for User Interface Research, University of California, Berkeley
Mar 05 2004 2
The Origins of Ubiquitous Computing
What’s wrong with Personal Computers?
– Too complex and hard to use
– Too demanding of attention
– Too isolating from other people
– Too dominating of our desktops and our lives
Ubiquitous Computing Project at Xerox PARC
– Advances in wireless networking, sensors, devices
– Observations of how people use tools in practice
– Make computers a natural part of everyday interactions
Emerging Examples of Ubicomp
Never Get Lost
Find Friends
Emergency Response
“But What About My Privacy?”
Never Get Lost
– You walk past a restaurant and your cellphone rings with the specials of the day
Find Friends
– “Family is already very close to you, so if they’re checking up on
you…sort of already smothering and this is one step further.”
– “[It] could tell when you were in the bathroom, when you left the
unit, and how long and where you ate your lunch. EXACTLY
what you are afraid of.”
Emergency Response
– “I don’t see how a government or an organization will not come
up with an excuse to use [location info] for another purpose.”
Flood of Location-Based Spam
Never Hide From Friends and Co-Workers
Constant Surveillance
Our Research in Ubicomp Privacy
Fundamental Tension
– Ubiquitous Computing can be used for great benefit
– Ubiquitous Computing can be used for great harm
– Privacy may be greatest barrier to long-term success
Our approach
– What are the privacy concerns in ubicomp?
– How can we design better user interfaces?
– Are there better ways of building privacy-sensitive apps?
Privacy is an area easy to make mistakes in
– Will discuss lessons learned throughout
What is Privacy?
Lots of perspectives on privacy
– US Constitution, UN Decl. Human Rights, Hippocratic Oath
– Influenced by Legal, Market, Social, and Technical forces
Privacy is not just Orwell
– From “Big Brother” to “Little Sisters”
– Media sensationalization of worst-case scenarios
Privacy is not just computer security
– Adversaries? Friends, family, co-workers, acquaintances
– Anonymity? Friends already know your identity
– Secrecy? We share personal info with friends all the time
– Damage? Risk may be undesired social obligations
We are approaching privacy from an HCI perspective
An HCI Perspective on Privacy
“The problem, while often couched in terms of privacy,
is really one of control. If the computational system is
invisible as well as extensive, it becomes hard to know:
– what is controlling what
– what is connected to what
– where information is flowing
– how it is being used
– what is broken (vs what is working correctly)”
The Origins of Ubiquitous Computing Research at PARC in the Late 1980s, Weiser, Gold, Brown
Make it easy to share:
• the right information
• with the right people (or service)
• at the right time
What are End-User Privacy Needs?
Lots of speculation about privacy, little data out there
Analyzed survey of 130 people on ubicomp privacy prefs
Analyzed nurse message board on locator systems
– http://allnurses.com
Examined papers describing usage of ubicomp systems
Examined existing and proposed privacy protection laws
– EU Directive, Location Privacy Act 2001, Wireless Privacy Act 2004
Interviewed 20 people on various location-based services
– Did not mention the word “privacy” unless they did first
End-User Privacy Needs
Value proposition
Simple and appropriate control and feedback
Plausible deniability
Limited retention of data
Decentralized architectures
Special exceptions for emergencies
[Diagram: Alice’s Location, Bob’s Location]
How to Design for Privacy?
What are good privacy-sensitive user interfaces?
– Knowing what is needed does not say how to do it well
Five Pitfalls for Designers
Understanding
Obscuring potential information flow
Obscuring actual information flow
Action
Configuration over action
Lacking coarse-grained control
Inhibiting established practices
#1 – Obscuring Potential Flow
Users can make informed use of a system only when
they understand the scope of its privacy implications
#2 – Obscuring Actual Flow
Users should understand what information is being
disclosed to whom
Who is querying my location?
How often?
Requestor informed of disclosure
Requestee sees each request
#3 – Configuration Over Action
Designs should not require excessive configuration to
manage privacy
– “Right” configuration hard to predict in advance
– Make privacy a natural part of the interaction flow
#4 – Lacking Coarse-Grain Control
Designs should not forego an obvious, top-level
mechanism for halting and resuming disclosure
“[T]raveling employees may want their bosses to be able
to locate them during the day but not after 5 p.m. Others
may want to receive coupons from coffee shops before 9
a.m. on weekdays but not on weekends when they sleep
in. Some may want their friends alerted only when they
are within one mile, but not 10 miles.”
Protecting the Cellphone User's Right to Hide
NYTimes Feb 5 2004
Did I set it right?
How do I know?
#5 – Inhibiting Established Practices
Designs should not inhibit users from transferring
established social practices to emerging technologies
Rather than getting an
immediate ring, an
answering machine comes
on the line and says, "Lee
has been motionless in a
dim place with high ambient
sound for the last 45
minutes. Continue with call
or leave a message."
1. University and Ramona
2. Palo Alto
3. Custom…
9. Ignore for now
How to Build Applications Better?
Develop a toolkit to make it easier to build privacy-sensitive ubicomp apps
– Prevent – Strong guarantees on your personal data
– Avoid – Better user interfaces for managing privacy
– Detect – Finding over-monitoring or accidental disclosures
– Need all three for effective systems
Key architectural points of Context Fabric
– Locality
– InfoSpace Diary
– Access Descriptions
– Privacy Tags
Locality
Keep personal data “close” to end-users
– Move from centralized systems to decentralized ones
– Capture, store, and process personal data on my computer
PlaceLab
– Works indoors and in urban canyons
– No special equipment
– Privacy-sensitive
PlaceLab: ~52000 nodes
PlaceLab: ~500 nodes
Locality
MiniGis Server for processing location locally
Country Name = United States
Region Name = California
City Name = Berkeley
ZIPCode = 94709
Place Name = Soda Hall
Lat Lon = 37.8756, -122.25711
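A worked illustration of the locality idea, added here and not code from MiniGis or Confab: the gazetteer is a constructed three-row table (the Soda Hall row is the record shown on the slide; the other two places are made up), the lookup runs entirely on the user's own device, and the disclosure function shows how a coarser level such as "city" omits every finer field. The 250 m matching radius is an assumption.

```python
import math

# Constructed gazetteer standing in for MiniGis data. The Soda Hall row is the
# record shown on the slide; the other two rows are made-up sample places.
GAZETTEER = [
    {"country": "United States", "region": "California", "city": "Berkeley",
     "zip": "94709", "place": "Soda Hall", "lat": 37.8756, "lon": -122.25711},
    {"country": "United States", "region": "California", "city": "Berkeley",
     "zip": "94704", "place": "Sample Cafe", "lat": 37.8700, "lon": -122.2600},
    {"country": "United States", "region": "California", "city": "San Jose",
     "zip": "95110", "place": "Sample Airport", "lat": 37.3639, "lon": -121.9289},
]

# Disclosure granularities, coarsest first. Each level includes all coarser ones.
LEVELS = ["country", "region", "city", "zip", "place", "latlon"]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (spherical earth, radius 6371 km)."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def resolve_locally(lat, lon, max_radius_m=250.0):
    """Reverse-geocode on the user's own device: the nearest gazetteer entry
    within max_radius_m (an assumed cutoff), or None. The raw coordinates
    never leave the device for this step."""
    best, best_d = None, None
    for entry in GAZETTEER:
        d = haversine_m(lat, lon, entry["lat"], entry["lon"])
        if d <= max_radius_m and (best_d is None or d < best_d):
            best, best_d = entry, d
    return best


def disclose(lat, lon, level):
    """Build the record a requestor receives at `level`. Coarser levels omit
    every finer field: a "city" disclosure carries no ZIP, place name or
    coordinates. Returns None when the position matches no known place."""
    if level not in LEVELS:
        raise ValueError("unknown level: %s" % level)
    entry = resolve_locally(lat, lon)
    if entry is None:
        return None
    record = {}
    for lvl in LEVELS[: LEVELS.index(level) + 1]:
        if lvl == "latlon":
            record["lat"], record["lon"] = lat, lon   # the user's actual fix
        else:
            record[lvl] = entry[lvl]
    return record
```

The point of keeping the gazetteer and the lookup on the device is that a "city"-level answer can be produced without any remote service ever seeing the coordinates that would have made a "place"-level answer possible.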
Mar 05 2004 23
Locality
MiniGis Server data sources
USGS State Gazetteer
– Names in USA
– 2m records ~650 megs
– States, Cities, Places
“Places” hardest to get
– Airports & schools useful, “hammocks”, “lava”, “quicksand” less so
– 2 undergrads scouring Berkeley
– Research opportunity here in open, distributed naming of places
GEOnet Names Server
– Names outside USA
– 5.5m records ~700 megs
– Regions, Cities, Places
Mar 05 2004 24
InfoSpace Diary
InfoSpace stores your personal information
– Static info, like name and phone number
– Dynamic info, like current location and activity
Runs on your personal device or on a trusted service
– Local sources (ex. PlaceLab) can update dynamic info
– Can choose to expose different parts to different people & services
– Can also see who can see what about you
Mar 05 2004 25
Confab Architecture
[Diagram: InfoSpace Diary, InfoSpace Diary, LocName, PlaceLab, Tourguide, Find Friend, MiniGis, Request]
How to control when and how much personal info is disclosed?
Mar 05 2004 26
Access Notifications
One possibility:
“[T]raveling employees may want their bosses to be able to locate
them during the day but not after 5 p.m. Others may want to receive
coupons from coffee shops before 9 a.m. on weekdays but not on
weekends when they sleep in. Some may want their friends alerted
only when they are within one mile, but not 10 miles.”
Problems:
– People are not good at defining rules beforehand
– Tradeoff between fine-grained control and understandability
Mar 05 2004 27
Observations on Setting Preferences
Who is requesting information is most important factor
– “Either I trust someone with my information or I don't –
it doesn't depend on where I am.”
Time is an essential aspect for maintaining control
– Access described in terms of “always”, “never”, or “work hours”
– “Work people can know my information during work hours.
Home/SO people can know my information always.”
Can set prefs before, during, or after a request
– Before case can lead to configuration pitfall
– During case easier to understand, but can overwhelm
– After case easy to setup, but can lead to accidental disclosures
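An added example, not Confab code, of how the preference observations above can be turned into a request handler: preferences are keyed by who is asking, time rules use the slide's vocabulary of "always", "never" and "work hours", and the user can still act during a request with allow, "Ignore for now" or "Never Allow". The 09:00 to 17:00 weekday bounds for "work hours", the requestor addresses and the InfoSpace contents are assumptions made here. The handler also builds in the plausible-deniability requirement from the Requirements Check slide: no action, "Ignore for now" and "Never Allow" produce exactly the same response on the requestor's side.

```python
from datetime import datetime, time

# Constructed example, not Confab code. The preference vocabulary ("always",
# "never", "work hours") comes from the slide; the 09:00-17:00 weekday bounds
# for "work hours" are an assumption made here.
WORK_HOURS = (time(9, 0), time(17, 0))

# Disclosure granularities, coarsest first (constructed; the Locality slide's
# records go from country down to place).
LEVELS = ["country", "region", "city", "place"]

# What the user's InfoSpace currently holds (constructed sample data).
INFOSPACE = {"country": "United States", "region": "California",
             "city": "Berkeley", "place": "Soda Hall"}

# The single response a requestor sees whenever nothing is disclosed. It is
# deliberately identical for "no action", "Ignore for now" and "Never Allow",
# which is what gives the user plausible deniability.
UNAVAILABLE = {"status": "unavailable"}


def in_work_hours(when):
    """True on weekdays between the WORK_HOURS bounds."""
    return when.weekday() < 5 and WORK_HOURS[0] <= when.time() < WORK_HOURS[1]


def allowed_by_pref(pref, when):
    """Evaluate a stored preference for the moment of the request."""
    if pref is None:
        return False
    rule = pref["when"]
    if rule == "always":
        return True
    if rule == "never":
        return False
    if rule == "work hours":
        return in_work_hours(when)
    raise ValueError("unknown time rule: %r" % rule)


def payload_at(level):
    """Everything at `level` and coarser, nothing finer."""
    return {k: INFOSPACE[k] for k in LEVELS[: LEVELS.index(level) + 1]}


def handle_request(prefs, requestor, when, user_action=None, default_level="city"):
    """Answer one pull request for the user's location.

    prefs       : {requestor: {"granularity": level, "when": rule}}, set beforehand
    user_action : what the user did when the access notification appeared:
                  "allow", "ignore", "never", or None (no action)
    Returns (decision for the user's own log, payload sent to the requestor).
    """
    pref = prefs.get(requestor)
    if user_action == "allow" or allowed_by_pref(pref, when):
        level = pref["granularity"] if pref else default_level
        return "disclosed", payload_at(level)
    if user_action == "never":
        # Remember the refusal so later requests are denied without asking.
        prefs[requestor] = {"granularity": default_level, "when": "never"}
        return "never", dict(UNAVAILABLE)
    if user_action == "ignore":
        return "ignored", dict(UNAVAILABLE)
    return "no action", dict(UNAVAILABLE)


def demo():
    """Run the slide's scenarios against a constructed preference table."""
    prefs = {
        "boss@example.org": {"granularity": "city", "when": "work hours"},
        "partner@example.org": {"granularity": "place", "when": "always"},
    }
    friday_10am = datetime(2004, 3, 5, 10, 0)
    friday_6pm = datetime(2004, 3, 5, 18, 0)
    return {
        "boss_daytime": handle_request(prefs, "boss@example.org", friday_10am),
        "boss_evening": handle_request(prefs, "boss@example.org", friday_6pm),
        "partner_evening": handle_request(prefs, "partner@example.org", friday_6pm),
        "stranger_no_action": handle_request(prefs, "ads@example.net", friday_10am),
        "stranger_ignored": handle_request(prefs, "ads@example.net", friday_10am, "ignore"),
        "stranger_never": handle_request(prefs, "ads@example.net", friday_10am, "never"),
        "stranger_after_never": handle_request(prefs, "ads@example.net", friday_10am),
    }
```

The decision string is for the user's own log (the Detect side of the architecture); only the payload crosses to the requestor, and the three non-disclosure paths are indistinguishable there by construction.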
Mar 05 2004 28
Access Notifications
Explain d
Time cam
What are
My origin
IP
Lo
Ti
Pr
“I
So
Se
Two diffe
Persons
Push and
Push not
Pull hard
Access Notifications
Initial Evaluations
– Tested with 4 people for understandability and reactions
– Location-enhanced messenger, tourguide, emergency response
Results
– Distinction between Push vs Pull, Continuous vs Discrete
“Giving a GPS location once or twice does not provide
enough information for an invasion of privacy… [but] if
GPS location is shared every 2 seconds, there is a
potential for an invasion of privacy.”
“No need for continuous update of location. Only in a
race or a marathon (where staying on track is essential)
would continuous update be helpful.”
Access Notifications
PlaceBar
– Push, continuous: PlaceBar
– Push, discrete: ???
– Pull: Access Notifications
Confab Architecture
[Diagram: InfoSpace Diary, InfoSpace Diary, LocName, PlaceLab, Tourguide, Find Friend, MiniGis, Access, Access, Pull, Push]
How to control what happens to your info once it leaves your InfoSpace?
Privacy Tags
Digital Rights Management for Privacy
– Like adding note to email, “Please don’t forward”
– Notify address - notify-abc@cs.berkeley.edu
– Time to live - 5 days
– Max number of sightings - last 5 sightings of my location
Libraries for making it easy for app developers
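An added example, not Confab's own library, of what the three Privacy Tags on this slide look like when a requestor-side library enforces them: each disclosure carries a notify address, a time to live and a maximum number of sightings, and the store drops data past its TTL, trims each subject to the newest N sightings, and records a notice for the tagged address on every deletion. The notify address is the one on the slide; the subject name, timestamps and location string are constructed. As the slide says, this is like a "please don't forward" note on an email: the tags bind a requestor whose library honours them.

```python
from datetime import datetime, timedelta

# Constructed example of Privacy Tags, not Confab's own library. A disclosure
# carries the three tags from the slide: a notify address, a time to live and
# a maximum number of sightings to keep. The tags are honoured by the library
# on the requestor's side, like a "please don't forward" note on an email.


def tagged_disclosure(subject, location, seen_at, notify, ttl_days, max_sightings):
    """Wrap one location sighting of `subject` with its privacy tags."""
    return {
        "subject": subject,
        "location": location,
        "seen_at": seen_at,
        "tags": {"notify": notify,
                 "ttl": timedelta(days=ttl_days),
                 "max_sightings": max_sightings},
    }


class RequestorStore:
    """Requestor-side store that keeps tagged sightings and enforces the tags."""

    def __init__(self):
        self.sightings = []
        self.notices = []  # (notify address, event, when): what the subject is told

    def add(self, disclosure):
        self.sightings.append(disclosure)
        self.notices.append((disclosure["tags"]["notify"], "received", disclosure["seen_at"]))
        self.enforce(disclosure["seen_at"])

    def enforce(self, now):
        """Drop sightings past their TTL, then keep only the newest
        max_sightings per subject (the strictest tag wins when they differ).
        Every deletion is reported to the notify address the subject attached."""
        kept = []
        for s in self.sightings:
            if now - s["seen_at"] > s["tags"]["ttl"]:
                self.notices.append((s["tags"]["notify"], "expired", now))
            else:
                kept.append(s)
        kept.sort(key=lambda s: s["seen_at"])
        per_subject = {}
        for s in kept:
            per_subject.setdefault(s["subject"], []).append(s)
        self.sightings = []
        for items in per_subject.values():
            limit = min(s["tags"]["max_sightings"] for s in items)
            keep = items[-limit:] if limit > 0 else []
            for s in items[: len(items) - len(keep)]:
                self.notices.append((s["tags"]["notify"], "trimmed", now))
            self.sightings.extend(keep)

    def count(self, subject):
        return sum(1 for s in self.sightings if s["subject"] == subject)


def demo():
    """Alice is seen 7 times an hour apart, tagged TTL 5 days and max 5 sightings."""
    store = RequestorStore()
    t0 = datetime(2004, 3, 5, 9, 0)   # constructed timestamps
    for i in range(7):
        store.add(tagged_disclosure("alice", "Soda Hall", t0 + timedelta(hours=i),
                                    "notify-abc@cs.berkeley.edu",
                                    ttl_days=5, max_sightings=5))
    after_seven = store.count("alice")
    store.enforce(t0 + timedelta(days=6))   # six days on, everything has expired
    after_six_days = store.count("alice")
    trimmed = sum(1 for n in store.notices if n[1] == "trimmed")
    expired = sum(1 for n in store.notices if n[1] == "expired")
    return {"after_seven": after_seven, "after_six_days": after_six_days,
            "trimmed": trimmed, "expired": expired}
```

The notices list is what feeds the Detect side of the architecture: the subject learns both when a sighting was received and when the requestor's copy was destroyed, so a requestor that keeps more than the tags permit is visible as a gap in the expected notices.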
Analysis
Prevent
– Capture and process personal information locally
– PlaceLab, MiniGis
– Minimizes risk of mission creep (ex. SSNs)
Avoid
– Interfaces for helping people make good decisions
– Access Notifications / PlaceBar
Detect
– Finding cases of over-monitoring
– Access Notifications
– Privacy Tags (processed on requestor’s side)
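The Detect row above relies on Access Notifications leaving a record of who asked for what and when. As an added example (not Confab output), the block below parses a constructed access log and flags over-monitoring in the sense the interviewees described on the evaluation slide: a requestor polling every couple of seconds is continuous tracking, while a few discrete pulls in a day is not. The log format, requestor addresses and the thresholds (median gap under 60 s, or more than 12 requests in any one hour) are assumptions made here.

```python
from datetime import datetime
from statistics import median

# Constructed access-notification log, not Confab output. One line per request
# the InfoSpace answered: timestamp, requestor, subject, push or pull.
LOG = """\
2004-03-05T10:00:00 requestor=boss@example.org subject=alice kind=pull
2004-03-05T13:00:00 requestor=boss@example.org subject=alice kind=pull
2004-03-05T16:30:00 requestor=boss@example.org subject=alice kind=pull
2004-03-05T10:00:00 requestor=tracker@example.net subject=alice kind=pull
2004-03-05T10:00:02 requestor=tracker@example.net subject=alice kind=pull
2004-03-05T10:00:04 requestor=tracker@example.net subject=alice kind=pull
2004-03-05T10:00:06 requestor=tracker@example.net subject=alice kind=pull
2004-03-05T10:00:08 requestor=tracker@example.net subject=alice kind=pull
"""


def parse(log):
    """Turn log lines into dicts with a parsed `ts`; blank lines are skipped."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events


def find_over_monitoring(events, max_per_hour=12, min_interval_s=60.0):
    """Group pull requests by (requestor, subject). Flag a pair whose median
    gap between requests is below min_interval_s (continuous polling) or whose
    busiest one-hour window exceeds max_per_hour. Returns {pair: reason}."""
    by_key = {}
    for e in events:
        if e.get("kind") != "pull":
            continue
        by_key.setdefault((e["requestor"], e["subject"]), []).append(e["ts"])
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        if len(times) < 2:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med < min_interval_s:
            flagged[key] = "continuous polling (median gap %.0fs)" % med
            continue
        # Busiest sliding one-hour window over the sorted timestamps.
        busiest, j = 0, 0
        for i in range(len(times)):
            while (times[i] - times[j]).total_seconds() > 3600:
                j += 1
            busiest = max(busiest, i - j + 1)
        if busiest > max_per_hour:
            flagged[key] = "%d requests in one hour" % busiest
    return flagged
```

Run over the constructed log, the boss's three pulls spread across a working day pass, and the second requestor's two-second cadence is reported as continuous polling; the same pass over real notifications is what would surface the "every 2 seconds" case the interviewees objected to.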
Implementation
Confab, PlaceLab, MiniGis
– Java 1.5, Tomcat Web Server, MySql, Jaxen XPath
Data
– WiFi from wigle.net and undergrads
– MiniGis from USGS, GeoNET, and undergrads
– ~35 megs of data (30 megs of place data)
Component      #Classes   Lines of code
Confab         320        17000
PlaceLab       10         800
MiniGis        15         3000
Shared Libs    230        12000
Putting it Together
Lemming Location-enhanced Messenger
Putting it Together
BEARS Emergency Response Server
Field studies and interviews with firefighters [CHI2004]
Finding victims in a building
– “You bet we’d definitely want that.”
– “It would help to know what floor they are on.”
But emergencies are rare
– How to balance privacy constraints with utility when needed?
Putting it Together
BEARS Emergency Response Server
Trusted third party (MedicAlert++)
[Diagram: MedicAlert++, Loc, “ABC”, On Emergency]
Requirements Check
Value proposition
Simple and appropriate control and feedback
– Access Notifications (pull) and PlaceBar (push)
Plausible deniability
– No action, “Ignore for now”, and “Never Allow” appear same
Limited retention of data
– Privacy Tags
Decentralized architectures
– Capture and process information locally
Special exceptions for emergencies
Contributions
Investigated ubicomp privacy from many perspectives
– What are end-user needs? How to design? How to build?
Context Fabric architecture for privacy-aware apps
– Prevent / Avoid / Detect
– Suggests a way of architecting privacy-sensitive ubicomp
Services on devices, local processing, presentation to end-users
– Evaluation with two applications
– Starting deployment of Lemming instant messenger
“Use technology correctly to enhance life. It is important that
people have a choice in how much information can be
disclosed. Then the technology is useful.”
Jason I. Hong
jasonh@cs.berkeley.edu
http://guir.berkeley.edu/confab
Group for User Interface Research, University of California, Berkeley
Thanks to:
DARPA Expeditions NSF ITR
PARC Intel Fellowship
Siebel Systems Fellowship
http://placelab.org

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

Privacy in the Age of Ubiquitous Computing, Stanford PCD seminar March 2004

  • 1. Privacy in the Age of Ubiquitous Computing
    Jason I. Hong, Scott Lederer, Jennifer Ng, Anind K. Dey, James A. Landay
    Group for User Interface Research, University of California, Berkeley
  • 2. The Origins of Ubiquitous Computing (Mar 05 2004)
    What’s wrong with Personal Computers?
    – Too complex and hard to use
    – Too demanding of attention
    – Too isolating from other people
    – Too dominating of our desktops and our lives
    Ubiquitous Computing Project at Xerox PARC
    – Advances in wireless networking, sensors, devices
    – Observations of how people use tools in practice
    – Make computers a natural part of everyday interactions
  • 3. The Origins of Ubiquitous Computing
  • 4. Emerging Examples of Ubicomp
    Never Get Lost
    Find Friends
    Emergency Response
  • 5. “But What About My Privacy?”
    Never Get Lost
    – You walk past a restaurant and your cellphone rings with the specials of the day
    Find Friends
    – “Family is already very close to you, so if they’re checking up on you…sort of already smothering and this is one step further.”
    – “[It] could tell when you were in the bathroom, when you left the unit, and how long and where you ate your lunch. EXACTLY what you are afraid of.”
    Emergency Response
    – “I don’t see how a government or an organization will not come up with an excuse to use [location info] for another purpose.”
    Flood of Location-Based Spam
    Never Hide From Friends and Co-Workers
    Constant Surveillance
  • 6. Our Research in Ubicomp Privacy
    Fundamental Tension
    – Ubiquitous Computing can be used for great benefit
    – Ubiquitous Computing can be used for great harm
    – Privacy may be greatest barrier to long-term success
    Our approach
    – What are the privacy concerns in ubicomp?
    – How can we design better user interfaces?
    – Are there better ways of building privacy-sensitive apps?
    Privacy is an area easy to make mistakes in
    – Will discuss lessons learned throughout
  • 7. What is Privacy?
    Lots of perspectives on privacy
    – US Constitution, UN Decl. Human Rights, Hippocratic Oath
    – Influenced by Legal, Market, Social, and Technical forces
    Privacy is not just Orwell
    – From “Big Brother” to “Little Sisters”
    – Media sensationalization of worst-case scenarios
    Privacy is not just computer security
    – Adversaries? Friends, family, co-workers, acquaintances
    – Anonymity? Friends already know your identity
    – Secrecy? We share personal info with friends all the time
    – Damage? Risk may be undesired social obligations
    We are approaching privacy from an HCI perspective
  • 8. An HCI Perspective on Privacy
    “The problem, while often couched in terms of privacy, is really one of control. If the computational system is invisible as well as extensive, it becomes hard to know:
    – what is controlling what
    – what is connected to what
    – where information is flowing
    – how it is being used
    – what is broken (vs what is working correctly)”
    The Origins of Ubiquitous Computing Research at PARC in the Late 1980s, Weiser, Gold, Brown
    Make it easy to share:
    • the right information
    • with the right people (or service)
    • at the right time
  • 9. What are End-User Privacy Needs?
    Lots of speculation about privacy, little data out there
    Analyzed survey of 130 people on ubicomp privacy prefs
    Analyzed nurse message board on locator systems
    – http://allnurses.com
    Examined papers describing usage of ubicomp systems
    Examined existing and proposed privacy protection laws
    – EU Directive, Location Privacy Act 2001, Wireless Privacy Act 2004
    Interviewed 20 people on various location-based services
    – Did not mention the word “privacy” unless they did first
  • 10. End-User Privacy Needs
    Value proposition
    Simple and appropriate control and feedback
    Plausible deniability
    Limited retention of data
    Decentralized architectures
    Special exceptions for emergencies
    (figure labels: Alice’s Location, Bob’s Location)
  • 11. How to Design for Privacy?
    What are good privacy-sensitive user interfaces?
    – Knowing what is needed does not say how to do it well
  • 12. Five Pitfalls for Designers
    Understanding
    – Obscuring potential information flow
    – Obscuring actual information flow
    Action
    – Configuration over action
    – Lacking coarse-grained control
    – Inhibiting established practices
  • 13. #1 – Obscuring Potential Flow
    Users can make informed use of a system only when they understand the scope of its privacy implications
  • 14. #2 – Obscuring Actual Flow
    Users should understand what information is being disclosed to whom
    (figure labels: Who is querying my location? How often? Requestor informed of disclosure; Requestee sees each request)
  • 15. #3 – Configuration Over Action
    Designs should not require excessive configuration to manage privacy
    – “Right” configuration hard to predict in advance
    – Make privacy a natural part of the interaction flow
  • 16. #4 – Lacking Coarse-Grain Control
    Designs should not forego an obvious, top-level mechanism for halting and resuming disclosure
    “[T]raveling employees may want their bosses to be able to locate them during the day but not after 5 p.m. Others may want to receive coupons from coffee shops before 9 a.m. on weekdays but not on weekends when they sleep in. Some may want their friends alerted only when they are within one mile, but not 10 miles.”
    Protecting the Cellphone User's Right to Hide, NYTimes, Feb 5 2004
    Did I set it right? How do I know?
  • 17. #5 – Inhibiting Established Practices
    Designs should not inhibit users from transferring established social practices to emerging technologies
    Rather than getting an immediate ring, an answering machine comes on the line and says, "Lee has been motionless in a dim place with high ambient sound for the last 45 minutes. Continue with call or leave a message."
    (screenshot menu: 1. University and Ramona, 2. Palo Alto, 3. Custom…, 9. Ignore for now)
  • 18. How to Build Applications Better?
    Develop a toolkit to make it easier to build privacy-sensitive ubicomp apps
    – Prevent – Strong guarantees on your personal data
    – Avoid – Better user interfaces for managing privacy
    – Detect – Finding over-monitoring or accidental disclosures
    – Need all three for effective systems
    Key architectural points of Context Fabric
    – Locality
    – InfoSpace Diary
    – Access Descriptions
    – Privacy Tags
  • 19. Locality
    Keep personal data “close” to end-users
    – Move from centralized systems to decentralized ones
    – Capture, store, and process personal data on my computer
    PlaceLab (figure labels: A, B, C)
    – Works indoors and in urban canyons
    – No special equipment
    – Privacy-sensitive
  • 20. PlaceLab – ~52000 Nodes
  • 21. PlaceLab – ~500 Nodes
  • 22. Locality
    MiniGis Server for processing location locally
    Country Name = United States
    Region Name = California
    City Name = Berkeley
    ZIPCode = 94709
    Place Name = Soda Hall
    Lat Lon = 37.8756, -122.25711
  • 23. Locality
    MiniGis Server data sources
    USGS State Gazetteer
    – Names in USA
    – 2m records ~650 megs
    – States, Cities, Places
    “Places” hardest to get
    – Airports & schools useful, “hammocks”, “lava”, “quicksand” less so
    – 2 undergrads scouring Berkeley
    – Research opportunity here in open, distributed naming of places
    GEOnet Names Server
    – Names outside USA
    – 5.5m records ~700 megs
    – Regions, Cities, Places
  • 24. InfoSpace Diary
    InfoSpace stores your personal information
    – Static info, like name and phone#
    – Dynamic info, like current location and activity
    Runs on your personal device or on a trusted service
    – Local sources (ex. PlaceLab) can update dynamic info
    – Can choose to expose different parts to different people & services
    – Can also see who can see what about you
  • 25. Confab Architecture
    (architecture diagram: InfoSpace Diary, InfoSpace Diary, LocName, PlaceLab, MiniGis, Tourguide, Find Friend; Request)
    How to control when and how much personal info is disclosed?
  • 26. Access Notifications
    One possibility: “[T]raveling employees may want their bosses to be able to locate them during the day but not after 5 p.m. Others may want to receive coupons from coffee shops before 9 a.m. on weekdays but not on weekends when they sleep in. Some may want their friends alerted only when they are within one mile, but not 10 miles.”
    Problems:
    – People are not good at defining rules beforehand
    – Tradeoff between fine-grained control and understandability
  • 27. Observations on Setting Preferences
    Who is requesting information is most important factor
    – “Either I trust someone with my information or I don't – it doesn't depend on where I am.”
    Time is an essential aspect for maintaining control
    – Access described in terms of “always”, “never”, or “work hours”
    – “Work people can know my information during work hours. Home/SO people can know my information always.”
    Can set prefs before, during, or after a request
    – Before case can lead to configuration pitfall
    – During case easier to understand, but can overwhelm
    – After case easy to setup, but can lead to accidental disclosures
  • 28. Access Notifications
    (screenshot of the access notification UI; only fragments of its text survived extraction, including “Push” and “Pull”)
  • 29. Access Notifications
    Initial Evaluations
    – Tested with 4 people for understandability and reactions
    – Location-enhanced messenger, tourguide, emergency response
  • 30. Access Notifications
    Initial Evaluations
    – Tested with 4 people for understandability and reactions
    – Location-enhanced messenger, tourguide, emergency response
    Results
    – Distinction between Push vs Pull, Continuous vs Discrete
    “Giving a GPS location once or twice does not provide enough information for an invasion of privacy… [but] if GPS location is shared every 2 seconds, there is a potential for an invasion of privacy.”
    “No need for continuous update of location. Only in a race or a marathon (where staying on track is essential) would continuous update be helpful.”
  • 31. Access Notifications
    (matrix of Push and Pull against Continuous and Discrete; cells as extracted: PlaceBar, ???, Access Notifications)
  • 32. Confab Architecture
    (architecture diagram: InfoSpace Diary, InfoSpace Diary, LocName, PlaceLab, MiniGis, Tourguide, Find Friend; Access Pull, Access Push)
    How to control what happens to your info once it leaves your InfoSpace?
  • 33. Privacy Tags
    Digital Rights Management for Privacy
    – Like adding note to email, “Please don’t forward”
    – Notify address - notify-abc@cs.berkeley.edu
    – Time to live - 5 days
    – Max number of sightings - last 5 sightings of my location
    Libraries for making it easy for app developers
  • 34. Analysis
    Prevent
    – Capture and process personal information locally
    – PlaceLab, MiniGis
    – Minimizes risk of mission creep (ex. SSNs)
    Avoid
    – Interfaces for helping people make good decisions
    – Access Notifications / PlaceBar
    Detect
    – Finding cases of over-monitoring
    – Access Notifications
    – Privacy Tags (processed on requestor’s side)
  • 35. Implementation
    Confab, PlaceLab, MiniGis
    – Java 1.5, Tomcat Web Server, MySQL, Jaxen XPath
    Data
    – WiFi from wigle.net and undergrads
    – MiniGis from USGS, GeoNET, and undergrads
    – ~35 megs of data (30 megs of place data)
    Component    #Classes   Lines of code
    Confab       320        17000
    PlaceLab     10         800
    MiniGis      15         3000
    Shared Libs  230        12000
  • 36. Putting it Together
    Lemming Location-enhanced Messenger
  • 37. Putting it Together
    BEARS Emergency Response Server
    Field studies and interviews with firefighters [CHI2004]
    Finding victims in a building
    – “You bet we’d definitely want that.”
    – “It would help to know what floor they are on.”
    But emergencies are rare
    – How to balance privacy constraints with utility when needed?
  • 38. Putting it Together
    BEARS Emergency Response Server
    Trusted third party (MedicAlert++)
    (diagram labels: Medic Alert++, Medic Alert++, Loc, “ABC”, “ABC”, On Emergency)
  • 39. Requirements Check
    Value proposition
    Simple and appropriate control and feedback
    – Access Notifications (pull) and PlaceBar (push)
    Plausible deniability
    – No action, “Ignore for now”, and “Never Allow” appear same
    Limited retention of data
    – Privacy Tags
    Decentralized architectures
    – Capture and process information locally
    Special exceptions for emergencies
  • 40. Contributions
    Investigated ubicomp privacy from many perspectives
    – What are end-user needs? How to design? How to build?
    Context Fabric architecture for privacy-aware apps
    – Prevent / Avoid / Detect
    – Suggests a way of architecting privacy-sensitive ubicomp: services on devices, local processing, presentation to end-users
    – Evaluation with two applications
    – Starting deployment of Lemming instant messenger
    “Use technology correctly to enhance life. It is important that people have a choice in how much information can be disclosed. Then the technology is useful.”
  • 41. Jason I. Hong
    jasonh@cs.berkeley.edu
    http://guir.berkeley.edu/confab
    Group for User Interface Research, University of California, Berkeley
    Thanks to: DARPA Expeditions, NSF ITR, PARC, Intel Fellowship, Siebel Systems Fellowship
    http://placelab.org
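The preference model of slide 27 ("always", "never", "work hours", temporary access), the privacy tags of slide 33 and the plausible-deniability and over-monitoring checks of slides 34 and 39 can be exercised together. The Python below is an added example, not Confab's own code; the 9-to-5 work-hours window, the requestor names and the tag values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# Constructed model (not Confab's code) of the controls on slides 27, 33 and 39:
# time-scoped preferences, plausible deniability, privacy tags, access log.
WORK_HOURS = (9, 17)  # assumed "work hours": 09:00-17:00, Monday to Friday

@dataclass
class Preference:
    """How the InfoSpace owner lets one requestor see their location."""
    mode: str                         # "always" | "never" | "work_hours" | "until"
    until: Optional[datetime] = None  # for "until", e.g. temporary "next 14 days"

    def allows(self, now: datetime) -> bool:
        if self.mode == "always":
            return True
        if self.mode == "never":
            return False
        if self.mode == "work_hours":
            return now.weekday() < 5 and WORK_HOURS[0] <= now.hour < WORK_HOURS[1]
        if self.mode == "until":
            return self.until is not None and now <= self.until
        raise ValueError(f"unknown preference mode {self.mode!r}")

@dataclass(frozen=True)
class PrivacyTag:
    """Travels with a disclosure: whom to notify, retention time, history cap."""
    notify: str
    ttl: timedelta
    max_sightings: int  # must be >= 1

@dataclass(frozen=True)
class Disclosure:
    owner: str
    location: str
    issued: datetime
    tag: PrivacyTag

class InfoSpace:
    """Owner-side store: answers location requests and logs every one."""
    def __init__(self, owner: str, location: str, tag: PrivacyTag) -> None:
        self.owner, self.location, self.tag = owner, location, tag
        self.prefs: dict[str, Preference] = {}
        self.log: list[tuple[datetime, str, bool]] = []  # access notifications

    def set_preference(self, requestor: str, pref: Preference) -> None:
        self.prefs[requestor] = pref

    def request(self, requestor: str, now: datetime) -> Optional[Disclosure]:
        pref = self.prefs.get(requestor)
        granted = pref is not None and pref.allows(now)
        self.log.append((now, requestor, granted))
        if not granted:
            # Plausible deniability: no preference yet ("no action"), a deferred
            # decision and "Never Allow" all produce this same empty reply.
            return None
        return Disclosure(self.owner, self.location, now, self.tag)

    def who_can_see(self, now: datetime) -> list[str]:
        """Feedback for the owner: who could see my location right now?"""
        return sorted(r for r, p in self.prefs.items() if p.allows(now))

    def over_monitoring(self, window: timedelta, limit: int, now: datetime) -> list[str]:
        """Requestors that asked more than `limit` times inside `window`."""
        counts: dict[str, int] = {}
        for when, requestor, _granted in self.log:
            if now - window <= when <= now:
                counts[requestor] = counts.get(requestor, 0) + 1
        return sorted(r for r, c in counts.items() if c > limit)

class RequestorStore:
    """Requestor-side library that honours privacy tags on what it received."""
    def __init__(self) -> None:
        self.sightings: dict[str, list[Disclosure]] = {}
        self.notifications: list[str] = []

    def record(self, d: Disclosure) -> None:
        kept = self.sightings.setdefault(d.owner, [])
        kept.append(d)
        del kept[:-d.tag.max_sightings]  # retain only the last max_sightings

    def visible(self, now: datetime) -> list[Disclosure]:
        """Drop sightings past their TTL and notify the tag's address on use."""
        live: list[Disclosure] = []
        for kept in self.sightings.values():
            kept[:] = [d for d in kept if now - d.issued <= d.tag.ttl]
            for d in kept:
                self.notifications.append(f"{d.tag.notify}: used at {now.isoformat()}")
            live.extend(kept)
        return live
```

Note that denied requests are logged too, so the over-monitoring check sees a requestor who keeps polling even when every reply was empty.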

Notes de l'éditeur

  1. Not impressive by modern standards, but have to keep in mind that this was in the late 1980s!
  2. Emergency Response: E911, also see SIREN paper
    Safety – firefighters, personal location, Alzheimer’s patients, children, public health (ex. SARS)
    Efficiency – traffic routing, traffic fleet allocation, supply chain management
    Fairness – better allocation of resources, better environmental monitoring, better information gathering and transparency
    Convenience – Micro-coordination, useful reminders
  3. Cute: “I would use [friend finder] for spy work and find out if my brother was up to no good. Then I would track him down.”
    Family [interview]: “For a parent, this would be a great spying tool. I just don’t like it at all.”
    Workplace Abuse / Lack of Respect
    [survey] “I don‘t want to be under direct surveillance of my husband or boss no matter what i am doing”
    [survey] “this scheme could be used by a boss to constantly track an employee's location without the employee knowing“
    [nurses] “These things give me the creeps. George Orwell never thought of this but he should have.”
    [nurses] “So---are these devices going to be used to track how much time nurses spend in the bathroom during their shift???”
    [nurses] “The stupid monitoring could tell when you were in the bathroom, when you left the unit, and how long and where you ate your lunch. EXACTLY what you are afraid of. Nurses are not prisoners of the state who need to be monitored every second of every day.”
    Tradeoffs: CYA (liability, garbage collectors, nurses), Efficiency
  4. On one hand, ubicomp can be used for great benefit, in terms of safety, efficiency, quality of life On the other hand, ubicomp can also be used for constant surveillance, loss of control over personal life First two, privacy concerns and better design, informed the third, the toolkit
  5. We all have intuitive notions of what privacy is. My focus is on information privacy.
    Privacy is a very difficult topic b/c it is such a pervasive part of our lives.
    Privacy is a very difficult topic b/c it cuts across so many different areas, does not fit nicely in these boundaries we call academic departments.
    Point is that, while security is useful and an integral part of privacy, we need new ways of thinking here.
    UN Universal Declaration of Human Rights, http://www.unhchr.ch/udhr/lang/eng.htm: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
    Setup rules? Geopriv mailing list, Bell Labs, Faces UI
  6. Lots of speculation, lots of worst-case scenarios, but what are real needs?
    Survey done by Scott Lederer, I did further analysis on freeform comments.
    Active Badge, PARCTab
    “I would use it for spy work and find out if my brother was up to no good. Then I would track him down.”
    “Family is already very close to you, so if they’re checking up on you…sort of already smothering, and this is one step further”
    Find Friend, Active Map, Find Place, Mobile Commerce, Emergency
    Theoretical work on Designing for Privacy: Adams, Bellotti & Sellen, Jiang et al, Palen & Dourish
  7. Concerns were wide-ranging. Very few voiced concerns about government; more about over-monitoring by boss, friends, family (if young), spouses, and intrusion by advertisers.
    Interesting thing here is that people didn’t seem to have concerns about the telecom or service providing location, more about who was using the information. In other words, people cared about the endpoint, not the intermediaries.
    Want control and feedback to prevent over-monitoring.
  8. Faces work based on Erving Goffman’s notion of how we present ourselves in everyday life This interface didn’t work. Why? And did we make mistakes that others have made as well?
  9. Common traps to fall into
  10. One concerned nurse wrote, erroneously, “They've placed it in the nurses' lounge and kitchen. Somebody can click it on and listen to the conversation. You don't need a Big Brother overlooking your shoulder”
  11. This one is especially important for computer scientists and software developers Pre-configuration is a “design pattern” that in many cases is an “anti-design pattern” b/c it doesn’t work that well
  12. Some systems make it hard to do white lies, hard for plausible deniability Err on the side of safety (less info usually better), ie be conservative wrt privacy and automatically disclosing information
  13. Observation: Majority of past work has focused on preventing privacy problems Ex. anonymity, encryption, access control, rule-based systems
  14. Wifi wave = sales + #wardrivers
  15. Image from MapPoint, perhaps the coolest piece of Microsoft software ever written (though they did buy it from someone else, so…)
  16. Telling your friends your GPS location is not useful
  17. Whittled down data to about 30 megs, 25 megs of which are “places” local to the bay area Undergrads working with me are like the Verizon wireless guy, “Can you hear me now?” Research opportunity would be great in bootstrapping location-based services, in terms of making this kind of info widely available for anyone to build services on top of
  18. Protecting the Cellphone User's Right to Hide, NYTimes, Feb 5 2004
    One possibility is lots of fine-grained rules. Problems are:
    – Time: hard to define rules beforehand
    – Fine-grained controls aren’t always good (can be confusing)
  19. Quotes on Who is Requesting Info (see Lederer 2003 in CHI Shorts)
    [survey] Who receives my info is the more important one. My significant others can know where I am at any time, but for my boss, a random person on the street, and a vendor, tis none of their business
    [survey] Context isn't that important, because I trust the person to know how to exercise discretion.
    [survey] Either I trust someone with my information or I don't--it doesn't depend on where I am.
    [survey] I didn't want people in either a position of power over me (the boss) or with the ability to annoy me (marketers) to access my info.
    [survey] 1 is more important that 2. Family comes first, followed by business, then potential business. Lastly strangers are greeted if the situation permits.
    [survey] some people have priority, either because of a trust relationship (family & friends) or an economic one (boss).
    [survey] For me, "who" is all that matters. If I don't trust the person with personal information, I wouldn't want to give them any information at any time. If I do trust the person, I'm willing to give out information freely.
    [survey] If my spouse were looking, I have nothing to hide from them, my privacy is not an issue. However, a friend or boss does not need to know "everything" about me, and I would likely use a "vague" face. [ed. ie less information - jih]
    [survey] I wouldn't want to give them any information at any time. If I do trust the person, I'm willing to give out information freely.
    [survey] The relationships that I establish with individuals (or companies, in the examples above) tend to transcend the activities in which I am engaged; once I choose to trust someone with my information, it's less important to me to be able to change it moment to moment than to maintain and protect that information consistently.
    [survey] Who the person is defines my relationship with them. The level of trust is determined by the relationship, the possible motives they have for finding me etc...
    [interview] Close friends. I don’t want professor or TAs to know. No coworkers/bosses. They will know if you’re goofing off.
    Quotes on using Time
    [survey] during the work day, or after-hours during crunch time, I'd want my boss/coworkers to find my - after hours I'd rather be more anonymous
    [survey] most employer-employee relationships end at 5PM, hence the blank face [ed – ie anonymous - jih] to the boss after hours
    [survey] It depends: for my significant other, I would always allow any information to be accessible. For my boss, I would allow him/her to know where I am, but only during work related situations (work hours).
    [survey] I would, of course, only be OK with this if his queries were during business hours and relevant to a work related issue)
    [survey] for example I would not have a problem with a boss seeing my "truefaceface" face during working hours but during my lunch and on the weekends, a boss has no right to this information.
    [interview] Temporary access to people: “If friends are in town…if there is a researcher I want to know…if there is a conference in town…” only people see from time to time
    [interview] If had the device, would be useful to locate family. It would be easier to locate them in a larger area.” Same group of people. Relatives of friends. Wouldn’t want to share with coworkers/bosses. “If it’s during a work day and we are trying to get something done, then it’s useful.” When I leave for the day, that the device is off. Groups. Turn on and off based on time and date. “I like to know exactly [where they are located].” An exact location.
    Quotes on set and forget
    [survey] Work people can know my information during work hours. Home/SO people can know my information always, though not to the point of keeping tabs.
    [survey] My significant other should see my truefacefaceface always. The evil national chains should see my blank face always. The people between these two extremes will see different faces depending on the situation.
    [survey] I would never want a retailer to contact me unasked, but always want my spouse to find me. Business contacts might be an exception - during the work day, or after-hours during crunch time, I'd want my boss/coworkers to find my - after hours I'd rather be more anonymous
    [survey] I would always allow any information to be accessible for my boss, I would allow him/her to know where I am, but only during work related situations (work hours). for other, unknown random people/business, in general, I would not let them know anything
    [survey] Home/SO people can know my information always, though not to the point of keeping tabs. Random people might have access to enough information to help start up a conversation, but nothing beyond that. Random businesses should never get any personal-identifying information (vague might be ok if the business can't figure out who I am - though I'd be skeptical).
  20. Set-and-forget, In-situ: Configuration of time based on interviews and surveys.
    Common theme was that people said they wanted only at workplace.
    Another one was just temporary access, b/c acquaintances or tax attorney (temporary). Next “14” days useful for temporary access.
    Can set prefs in situ and then can forget about it, don’t have to constantly check.
  21. giving a GPS location once or twice does not provide enough information for an invasion of privacy – why would someone stay in the same place for a long time. if GPS location is shared every 2 seconds, there is a potential for an invasion of privacy
  22. Describe push / pull here What am I disclosing? What am I getting in return? Discrete push, on each transaction
  23. Why location-instant messenger? Already a set of trusted friends / co-workers Most common question on SMS is “where are you?” [survey] For example, my friends should always be able to see my truefacefacename and primary email address because they already know that, but depending on what I am doing, I may or may not want them to know what I'm doing or where I am. If I am not available, I would want to be able to leave an away message as in IM.
  24. An example setup of the BEARS emergency response service. A data sharer obtains their location (1) and shares it with a trusted third-party (2). The end-user gets a link (3) that can be sent to others, in this case to a building (4). If there is an emergency, responders can traverse all known links, getting up-to-date information about who is in the building (with the trusted third-party notifying data sharers what has happened).
  25. An example setup of the BEARS emergency response service. A data sharer obtains their location (1) and shares it with a trusted third-party (2). The end-user gets a link (3) that can be sent to others, in this case to a building (4). If there is an emergency, responders can traverse all known links, getting up-to-date information about who is in the building (with the trusted third-party notifying data sharers what has happened).
  26. Quote is from an interviewee