Privacy in the Age of Ubiquitous Computing, Stanford PCD seminar March 2004
1. Privacy in the Age of
Ubiquitous Computing
Jason I. Hong
Scott Lederer
Jennifer Ng
Anind K. Dey
James A. Landay
Group for
UserInterface
Research
University of
California
Berkeley
2. Mar 05 2004 2
The Origins of Ubiquitous
Computing
What’s wrong with Personal Computers?
– Too complex and hard to use
– Too demanding of attention
– Too isolating from other people
– Too dominating of our desktops and our lives
Ubiquitous Computing Project at Xerox PARC
– Advances in wireless networking, sensors, devices
– Observations of how people use tools in practice
– Make computers a natural part of everyday interactions
3. Mar 05 2004 3
The Origins of Ubiquitous
Computing
4. Mar 05 2004 4
Emerging Examples of Ubicomp
Never Get Lost
Find Friends
Emergency Response
5. Mar 05 2004 5
“But What About My Privacy?”
Never Get Lost
– You walk past a restaurant and your cellphone rings with the
specials of the day
Find Friends
– “Family is already very close to you, so if they’re checking up on
you…sort of already smothering and this is one step further.”
– “[It] could tell when you were in the bathroom, when you left the
unit, and how long and where you ate your lunch. EXACTLY
what you are afraid of.”
Emergency Response
– “I don’t see how a government or an organization will not come
up with an excuse to use [location info] for another purpose.”
Flood of Location-Based Spam
Never Hide From Friends and Co-Workers
Constant Surveillance
6. Mar 05 2004 6
Our Research in Ubicomp Privacy
Fundamental Tension
– Ubiquitous Computing can be used for great benefit
– Ubiquitous Computing can be used for great harm
– Privacy may be greatest barrier to long-term success
Our approach
– What are the privacy concerns in ubicomp?
– How can we design better user interfaces?
– Are there better ways of building privacy-sensitive apps?
Privacy is an area easy to make mistakes in
– Will discuss lessons learned throughout
7. Mar 05 2004 7
What is Privacy?
Lots of perspectives on privacy
– US Constitution, UN Decl. Human Rights, Hippocratic Oath
– Influenced by Legal, Market, Social, and Technical forces
Privacy is not just Orwell
– From “Big Brother” to “Little Sisters”
– Media sensationalization of worst-case scenarios
Privacy is not just computer security
– Adversaries? Friends, family, co-workers, acquaintances
– Anonymity? Friends already know your identity
– Secrecy? We share personal info with friends all the time
– Damage? Risk may be undesired social obligations
We are approaching privacy from an HCI perspective
8. Mar 05 2004 8
An HCI Perspective on Privacy
“The problem, while often couched in terms of privacy,
is really one of control. If the computational system is
invisible as well as extensive, it becomes hard to know:
– what is controlling what
– what is connected to what
– where information is flowing
– how it is being used
– what is broken (vs what is working correctly)”
The O rig ins o f Ubiq uito us Co m puting Re se arch at PARC in the Late
1 9 8 0 s
We ise r, Go ld, Bro wn
Make it easy to share:
• the right information
• with the right people (orservice)
• at the right time
9. Mar 05 2004 9
What are End-User Privacy Needs?
Lots of speculation about privacy, little data out there
Analyzed survey of 130 people on ubicomp privacy prefs
Analyzed nurse message board on locator systems
– http://allnurses.com
Examined papers describing usage of ubicomp systems
Examined existing and proposed privacy protection laws
– EU Directive, Location Privacy Act 2001, Wireless Privacy Act
2004
Interviewed 20 people on various location-based services
– Did not mention the word “privacy” unless they did first
10. Mar 05 2004 10
End-User Privacy Needs
Value proposition
Simple and appropriate
control and feedback
Plausible deniability
Limited retention of data
Decentralized architectures
Special exceptions for
emergencies
Alice’s
Location
Bob’s
Location
11. Mar 05 2004 11
How to Design for Privacy?
What are good privacy-sensitive user interfaces?
– Knowing what is needed does not say how to do it well
12. Mar 05 2004 12
Five Pitfalls for Designers
Understanding
Obscuring potential information flow
Obscuring actual information flow
Action
Configuration over action
Lacking coarse-grained control
Inhibiting established practices
13. Mar 05 2004 13
#1 – Obscuring Potential Flow
Users can make informed use of a system only when
they understand the scope of its privacy implications
14. Mar 05 2004 14
#2 – Obscuring Actual Flow
Users should understand what information is being
disclosed to whom
Who is querying my location?
How often?
Requestor informed of disclosure
Requestee sees each request
15. Mar 05 2004 15
#3 – Configuration Over Action
Designs should not require excessive configuration to
manage privacy
– “Right” configuration hard to predict in advance
– Make privacy a natural part of the interaction flow
16. Mar 05 2004 16
#4 – Lacking Coarse-Grain Control
Designs should not forego an obvious, top-level
mechanism for halting and resuming disclosure
“[T]raveling employees may want their bosses to be able
to locate them during the day but not after 5 p.m. Others
may want to receive coupons from coffee shops before 9
a.m. on weekdays but not on weekends when they sleep
in. Some may want their friends alerted only when they
are within one mile, but not 10 miles.”
Protecting the Cellphone User's Right to Hide
NYTimes Feb 5 2004
Did I set it right?
How do I know?
17. Mar 05 2004 17
#5 – Inhibiting Established
Practices
Designs should not inhibit users from transferring
established social practices to emerging technologies
Rather than getting an
immediate ring, an
answering machine comes
on the line and says, "Lee
has been motionless in a
dim place with high ambient
sound for the last 45
minutes. Continue with call
or leave a message."
1. University and Ramona
2. Palo Alto
3. Custom…
9. Ignore fornow
18. Mar 05 2004 18
How to Build Applications Better?
Develop a toolkit to make it easier to build privacy-
sensitive ubicomp apps
– Prevent – Strong guarantees on your personal data
– Avoid – Better user interfaces for managing privacy
– Detect – Finding over-monitoring or accidental disclosures
– Need all three for effective systems
Key architectural points of Context Fabric
– Locality
– InfoSpace Diary
– Access Descriptions
– Privacy Tags
19. Mar 05 2004 19
Locality
Keep personal data “close” to end-users
– Move from centralized systems to decentralized ones
– Capture, store, and process personal data on my computer
PlaceLab
A
B
C
–Works indoors and
in urban canyons
–No special
equipment
–Privacy-sensitive
22. Mar 05 2004 22
Locality
MiniGis Server for processing location locally
Country Name = United States
Region Name = California
City Name = Berkeley
ZIPCode = 94709
Place Name = Soda Hall
Lat Lon = 37.8756, -122.25711
23. Mar 05 2004 23
Locality
MiniGis Server data sources
USGS State Gazetteer
– Names in USA
– 2m records ~650 megs
– States, Cities, Places
“Places” hardest to get
– Airports & schools useful, “hammocks”, “lava”, “quicksand” less so
– 2 undergrads scouring Berkeley
– Research opportunity here in open, distributed naming of places
GEOnet Names Server
– Names outside USA
– 5.5m records ~700megs
– Regions, Cities, Places
24. Mar 05 2004 24
InfoSpace Diary
InfoSpace stores your personal information
– Static info, like name and phone#
– Dynamic info, like current location and activity
Runs on your personal device or on a trusted service
– Local sources (ex. PlaceLab) can update dynamic info
– Can choose to expose different parts to different people & services
– Can also see who can see what about you
25. Mar 05 2004 25
Confab Architecture
InfoSpace
Diary
InfoSpace
Diary
LocName
PlaceLab
Tourguide
Find Friend
MiniGis
How to control when and how
much personal info is disclosed?
Request
26. Mar 05 2004 26
Access Notifications
One possibility:
“[T]raveling employees may want their bosses to be able to locate
them during the day but not after 5 p.m. Others may want to receive
coupons from coffee shops before 9 a.m. on weekdays but not on
weekends when they sleep in. Some may want their friends alerted
only when they are within one mile, but not 10 miles.”
Problems:
– People are not good at defining rules beforehand
– Tradeoff between fine-grained control and understandability
27. Mar 05 2004 27
Observations on Setting
Preferences
Who is requesting information is most important factor
– “Either I trust someone with my information or I don't –
it doesn't depend on where I am.”
Time is an essential aspect for maintaining control
– Access described in terms of “always”, “never”, or “work hours”
– “Work people can know my information during work hours.
Home/SO people can know my information always.”
Can set prefs before, during, or after a request
– Before case can lead to configuration pitfall
– During case easier to understand, but can overwhelm
– After case easy to setup, but can lead to accidental disclosures
28. Mar 05 2004 28
Access Notifications
Explain d
Time cam
What are
My origin
IP
Lo
Ti
Pr
“I
So
Se
Two diffe
Persons
Push and
Push not
Pull hard
29. Mar 05 2004 29
Access Notifications
Initial Evaluations
– Tested with 4 people for understandability and reactions
– Location-enhanced messenger, tourguide, emergency response
30. Mar 05 2004 30
Access Notifications
Initial Evaluations
– Tested with 4 people for understandability and reactions
– Location-enhanced messenger, tourguide, emergency response
Results
– Distinction between Push vs Pull, Continuous vs Discrete
“Giving a GPS location once or twice does not provide
enough information for an invasion of privacy… [but] if
GPS location is shared every 2 seconds, there is a
potential for an invasion of privacy.”
“No need for continuous update of location. Only in a
race or a marathon (where staying on track is essential)
would continuous update be helpful.”
32. Mar 05 2004 32
Confab Architecture
InfoSpace
Diary
InfoSpace
Diary
LocName
PlaceLab
Tourguide
Find Friend
MiniGis
How to control what
happens to yourinfo once
it leaves yourInfoSpace?
Access
Access
Pull
Push
33. Mar 05 2004 33
Privacy Tags
Digital Rights Management for Privacy
– Like adding note to email, “Please don’t forward”
– Notify address - notify-abc@cs.berkeley.edu
– Time to live - 5 days
– Max number of sightings - last 5 sightings of my location
Libraries for making it easy for app developers
34. Mar 05 2004 34
Analysis
Prevent
– Capture and process personal information locally
– PlaceLab, MiniGis
– Minimizes risk of mission creep (ex. SSNs)
Avoid
– Interfaces for helping people make good decisions
– Access Notifications / PlaceBar
Detect
– Finding cases of over-monitoring
– Access Notifications
– Privacy Tags (processed on requestor’s side)
35. Mar 05 2004 35
Implementation
Confab, PlaceLab, MiniGis
– Java 1.5, Tomcat Web Server, MySql, Jaxen XPath
Data
– WiFi from wigle.net and undergrads
– MiniGis from USGS, GeoNET, and undergrads
– ~35 megs of data (30 megs of place data)
#Classes Lines of code
Confab 320 17000
PlaceLab 10 800
MiniGis 15 3000
Shared Libs 230 12000
36. Mar 05 2004 36
Putting it Together
Lemming Location-enhanced Messenger
37. Mar 05 2004 37
Putting it Together
BEARS Emergency Response Server
Field studies and interviews with firefighters [CHI2004]
Finding victims in a building
– “You bet we’d definitely want that.”
– “It would help to know what floor they are on.”
But emergencies are rare
– How to balance privacy constraints with utility when needed?
38. Mar 05 2004 38
Putting it Together
BEARS Emergency Response Server
Trusted third party (MedicAlert++)
Medic
Alert++
Medic
Alert++
Loc
“ABC”
“ABC”
On
Emergency
39. Mar 05 2004 39
Requirements Check
Value proposition
Simple and appropriate control and feedback
– Access Notifications (pull) and PlaceBar (push)
Plausible deniability
– No action, “Ignore for now”, and “Never Allow” appear same
Limited retention of data
– Privacy Tags
Decentralized architectures
– Capture and process information locally
Special exceptions for emergencies
40. Mar 05 2004 40
Contributions
Investigated ubicomp privacy from many perspectives
– What are end-user needs? How to design? How to build?
Context Fabric architecture for privacy-aware apps
– Prevent / Avoid / Detect
– Suggests a way of architecting privacy-sensitive ubicomp
Services on devices, local processing, presentation to end-users
– Evaluation with two applications
– Starting deployment of Lemming instant messenger
“Use technology correctly to enhance life. It is important that
people have a choice in how much information can be
disclosed. Then the technology is useful.”
Not impressive by modern standards, but have to keep in mind that this was in the late 1980s!
Emergency Response E911, also see SIREN paper Safety – firefighters, personal location, Alzheimer’s patients, children, public health (ex. SARS) Efficiency – traffic routing, traffic fleet allocation, supply chain management Fairness – better allocation of resources, better environmental monitoring, better information gathering and transparency Convenience – Micro-coordination, useful reminders
Cute “ I would use [friend finder] for spy work and find out if my brother was up to no good. Then I would track him down.” Family [interview] “For a parent, this would be a great spying tool. I just don’t like it at all.” Workplace Abuse / Lack of Respect [survey] “ I don‘t want to be under direct surveillance of my husband or boss no matter what i am doing ” [survey] “this scheme could be used by a boss to constantly track an employee's location without the employee knowing“ [nurses] “These things give me the creeps. George Orwell never thought of this but he should have.” [nurses] “So---are these devices going to be used to track how much time nurses spend in the bathroom during their shift???” [nurses] “The stupid monitoring could tell when you where in the bathroom, when you left the unit, and how long and where you ate your lunch. EXACTLY what you are afraid of. Nurses are not prisoners of the state who need to be monitored every second of every day. ” Tradeoffs CYA (liability, garbage collectors, nurses) Efficiency
On one hand, ubicomp can be used for great benefit, in terms of safety, efficiency, quality of life On the other hand, ubicomp can also be used for constant surveillance, loss of control over personal life First two, privacy concerns and better design, informed the third, the toolkit
We all have intuitive notions of what privacy is My focus is on information privacy Privacy is a very difficult topic b/c it is such a pervasive part of our lives Privacy is a very difficult topic b/c it cuts across so many different areas, does not fit nicely in these boundaries we call academic departments Point is that, while security is useful and an integral part of privacy, we need new ways of thinking here UN Universal Declaration of Human Rights http://www.unhchr.ch/udhr/lang/eng.htm “ No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks. ” Setup rules? Geopriv mailing list, Bell Labs, Faces UI
Lots of speculation, lots of worst-case scenarios, but what are real needs? Survey done by Scott Lederer, I did further analysis on freeform comments Active Badge, PARCTab “ I would use it for spy work and find out if my brother was up to no good. Then I would track him down.” “ Family is already very close to you, so if they’re checking up on you…sort of already smothering, and this is one step further” Find Friend, Active Map, Find Place, Mobile Commerce, Emergency Theoretical work on Designing for Privacy Adams, Bellotti & Sellen, Jiang et al, Palen & Dourish
Concerns were wide-ranged. Very little voiced concerns about government, more about over-monitoring by boss, friends, family (if young), spouses, and intrusion by advertisers Interesting thing here is that people didn’t seem to have concerns about the telecom or service providing location, more about who was using the information In other words, people cared about the endpoint, not the intermediaries Want control and feedback to prevent over-monitoring
Faces work based on Erving Goffman’s notion of how we present ourselves in everyday life This interface didn’t work. Why? And did we make mistakes that others have made as well?
Common traps to fall into
One concerned nurse wrote, erroneously, “They've placed it in the nurses' lounge and kitchen. Somebody can click it on and listen to the conversation. You don't need a Big Brother overlooking your shoulder”
This one is especially important for computer scientists and software developers Pre-configuration is a “design pattern” that in many cases is an “anti-design pattern” b/c it doesn’t work that well
Some systems make it hard to do white lies, hard for plausible deniability Err on the side of safety (less info usually better), ie be conservative wrt privacy and automatically disclosing information
Observation: Majority of past work has focused on preventing privacy problems Ex. anonymity, encryption, access control, rule-based systems
Wifi wave = sales + #wardrivers
Image from MapPoint, perhaps the coolest piece of Microsoft software ever written (though they did buy it from someone else, so…)
Telling your friends your GPS location is not useful
Whittled down data to about 30 megs, 25 megs of which are “places” local to the bay area Undergrads working with me are like the Verizon wireless guy, “Can you hear me now?” Research opportunity would be great in bootstrapping location-based services, in terms of making this kind of info widely available for anyone to build services on top of
Protecting the Cellphone User's Right to Hide NYTimes Feb 5 2004 One possibility is lots of fine-grained rules. Problem is: Time, hard to define rules beforehand Fine-grained controls aren’t always good (can be confusing)
Quotes on Who is Requesting Info See Lederer 2003 in CHI Shorts [survey] Who receives my info is the more important one. My significant others can know where I am at any time, but for my boss, a random person on the street, and a vendor, tis none of their business [ survey ] Context isn't that important, because I trust the person to know how to exercise discretion. [ survey ] Either I trust someone with my information or I don't--it doesn't depend on where I am. [survey] I didn't want people in either a position of power over me (the boss) or with the ability to annoy me (marketers) to access my info. [survey] 1 is more important that 2. Family comes first, followed by business, then potential business. Lastly strangers are greeted if the situation permits. [survey] some people have priority, either because of a trust relationship (family & friends) or an economic one (boss). [ survey ] For me, "who" is all that matters. If I don't trust the person with personal information, I wouldn't want to give them any information at any time. If I do trust the person, I'm willing to give out information freely. [survey] If my spouse were looking, I have nothing to hide from them, my privacy is not an issue. However, a friend or boss does not need to know "everything" about me, and I would likely use a "vague" face. [ ed. ie less information - jih ] [survey] I wouldn't want to give them any information at any time. If I do trust the person, I'm willing to give out information freely. [ survey ] The relationships that I establish with individuals (or companies, in the examples above) tend to transcend the activities in which I am engaged; once I choose to trust someone with my information, it's less important to me to be able to change it moment to moment than to maintain and protect that information consistently. [survey] Who the person is defines my relationship with them. The level of trust is determined by the relationship, the possible motives they have for finding me etc... [interview] Close friends. I don’t want professor or TAs to know. No coworkers/bosses. They will know if you’re goofing off. [interview] [interview] [interview] Quotes on using Time [survey] during the work day, or after-hours during crunch time, I'd want my boss/coworkers to find my - after hours I'd rather be more anonymous [survey] most employer-employee relationships end at 5PM, hence the blank face [ ed – ie anonymous - jih ] to the boss after hours [survey] It depends: for my signicant other, I would always allow any information to be accessible. For my boss, I would allow him/her to know where I am, but only during work related situations (work hours). [survey] I would, of course, only be OK with this if his queries were during business hours and relevant to a work related issue) [survey] for example I would not have a problem with a boss seeing my "truefaceface" face during working hours but during my lunch and on the weekends, a boss has no right to this information. [interview] Temporary access to people: “If friends are in town…if there is a researcher I want to know…if there is a conference in town…” only people see from time to time [interview] If had the device, would be useful to locate family. It would be easier to locate them in a larger area.” Same group of people. Relatives of friends. Wouldn’t want to share with coworkers/bosses. “If it’s during a work day and we are trying to get something done, then it’s useful.” When I leave for the day, that the device is off. Groups. Turn on and off based on time and date. “I like to know exactly [where they are located].” An exact location. Quotes on set and forget [survey] Work people can know my information during work hours. Home/SO people can know my information always, though not to the point of keeping tabs. [survey] My signifcant other should see my truefacefaceface always. The evil national chains should see my blank face always. The people between these two extremes will see different faces depending on the situation. [survey] I would never want a retailer to contact me unasked, but always want my spouse to find me. Business contacts might be an exception - during the work day, or after-hours during crunch time, I'd want my boss/coworkers to find my - after hours I'd rather be more anonymous [survey] I would always allow any information to be accessible for my boss, I would allow him/her to know where I am, but only during work related situations (work hours). for other, unknown random people/business, in general, I would not let them know anything [survey] Home/SO people can know my information always, though not to the point of keeping tabs. Random people might have access to enough information to help start up a conversation, but nothing beyond that. Random businesses should never get any personal-indentifying information (vague might be ok if the business can't figure out who I am - though I'd be skeptical).
Set-and-forget In-situ Configuration of time based on interviews and surveys Common theme was that people said they wanted only at workplace Another one was just temporary access, b/c acquaintances or tax attorney (temporary) Next “14” days useful for temporary access Can set prefs in situ and then can forget about it, don’t have to constantly check
giving a GPS location once or twice does not provide enough information for an invasion of privacy – why would someone stay in the same place for a long time. if GPS location is shared every 2 seconds, there is a potential for an invasion of privacy
Describe push / pull here What am I disclosing? What am I getting in return? Discrete push, on each transaction
Why location-instant messenger? Already a set of trusted friends / co-workers Most common question on SMS is “where are you?” [survey] For example, my friends should always be able to see my truefacefacename and primary email address because they already know that, but depending on what I am doing, I may or may not want them to know what I'm doing or where I am. If I am not available, I would want to be able to leave an away message as in IM.
An example setup of the BEARS emergency response service. A data sharer obtains their location (1) and shares it with a trusted third-party (2). The end-user gets a link (3) that can be sent to others, in this case to a building (4). If there is an emergency, responders can traverse all known links, getting up-to-date information about who is in the building (with the trusted third-party notifying data sharers what has happened).
An example setup of the BEARS emergency response service. A data sharer obtains their location (1) and shares it with a trusted third-party (2). The end-user gets a link (3) that can be sent to others, in this case to a building (4). If there is an emergency, responders can traverse all known links, getting up-to-date information about who is in the building (with the trusted third-party notifying data sharers what has happened).