An Architecture for
Privacy-Sensitive
Ubiquitous Computing
Jason I. Hong
HCI Institute
Carnegie Mellon University
James A. Landay
Computer Science and Eng.
University of Washington
Ubicomp Privacy is a Serious Concern
From a nurse required to wear active badge
“[It] could tell when you were in the
bathroom, when you left the unit, and
how long and where you ate your lunch.
EXACTLY what you are afraid of.”
- allnurses.com
Ubicomp Presents Range of Privacy Risks
Everyday Risks
Friends, Family
Extreme Risks
Employers
Government
_________________________________
_________________________________
__________________________
Over-protection
Social obligations
Embarrassment
Over-monitoring
Discrimination
Reputation
Civil liberties
Stalkers, Muggers
_________________________________
Well-being
Personal safety
How to maximize real benefit of ubicomp while
minimizing perceived and actual privacy risks?
Approach
Confab Privacy Toolkit Informed by End-User Needs
Hard to analyze privacy
– Analysis of end-user needs for ubicomp privacy
Interviews, surveys, postings on message boards
Hard to implement privacy-sensitive systems
– Confab toolkit for privacy-sensitive ubicomp apps
Capture, processing and presentation of personal info
Focus on location privacy
– Evaluation thru building apps
Location-enhanced messenger
Location-enhanced web proxy
Outline
 Motivation
 End-user Privacy Needs
 Confab Toolkit for Privacy-Sensitive Ubicomp
 Applications Built
An HCI Perspective on Privacy
“The problem, while often couched in terms of privacy,
is really one of control. If the computational system is
invisible as well as extensive, it becomes hard to know:
– what is controlling what
people
–Empower
what is connected
to what so they
to share:
–choose
where information
is flowing
– how
it is being
used
• the
right
information
can
• with the right people or services
• at the right time
The Origins of Ubiquitous Computing Research at PARC in the Late
1980s
Weiser, Gold, Brown
Analysis of End-User Privacy Needs
Lots of speculation about ubicomp privacy, little data
Published Sources
– Examined papers describing usage of ubicomp systems
– Examined existing and proposed privacy protection laws
Surveys and Interviews
– Analyzed survey data of 130 people on ubicomp privacy prefs
– Interviewed 20 people on location-based services
Existing Systems
– Analyzed postings on nurse message board on locator systems
Summary of End-User Privacy Needs
Clear value proposition
Simple and appropriate
control and feedback
Plausible deniability
Alice’s
Location
Limited retention of data
Decentralized control
Special exceptions for
emergencies
Bob’s
Location
Outline
 Motivation
 End-user Privacy Needs
 Confab Toolkit for Privacy-Sensitive Ubicomp
 Applications Built
Confab Toolkit for
Privacy-Sensitive Ubicomp
Confab for privacy-sensitive ubicomp apps
– Cover end-user privacy needs
– Provide solid technical foundation for privacy-sensitive ubicomp
Presentation
Infrastructure
Physical / Sensor
…but
notpresent
help choices
I might
developers
process it
well to users…
…but
have control
safely not
or provide
Iover
might
acquire
how
info was
visibility
tothe
end-users
information
privately…
acquired or processed
A toolkit needs to support all three of these layers
– Must capture, store, process, & share in privacy-sensitive manner
Past Work Addresses at Most One Layer
Presentation
P3P, Privacy Mirrors
Infrastructure
ParcTab System, Context Toolkit
Physical / Sensor Cricket Location Beacons, Active Bats
Today, building privacy-sensitive apps would have
be done in an ad hoc manner
to
Confab High-Level Architecture
Capture, store, and process personal data on my
computer as much as possible (laptops and PDAs)
Provide greater control and feedback over sharing
Name Loc
Source
Sources
In Operators InfoSpace
Logging
Check Privacy Tag
Data
Store
On Operators
My Computer
Out Operators
App
Invisible Mode
Enforce
Access
Garbage
Collect
User Interfaces
Periodic
Reports
Example Built-in Confab Operator
Flow Control
Goal: Disclose different info to different requestors
Conditions
–
–
–
–
Age of data
Requestor Domain
Requestor ID
Requestor Location
– Data Format
– Data Type
– Current Time
Actions
–
–
–
–
Lower Precision
Set
(fake value)
Invisible (no out data)
Interactive
– Allow
– Hide
(data is removed)
– Timeout (fake network load)
– Deny
(forbidden)
Outline
 Motivation
 End-user Privacy Needs
 Confab Toolkit for Privacy-Sensitive Ubicomp
 Physical layer for acquiring location
 Infrastructure layer
 Presentation layer
 Applications Built
Physical / Sensor Layer
Intel’s Place Lab Location Source
Determine location via local database of WiFi Access Points
– Unique WiFi MAC Address -> Latitude, Longitude
– Periodically update your local copy
A
–Works indoors and
C
in urban
canyons
–Works with encrypted nodes
B
–No
special equipment
–Privacy-sensitive
–Rides the WiFi wave
PlaceLab Data at SF Bay Area
SF Bay Area
~60000 Nodes
(~4 Megs)
PlaceLab Data at UC Berkeley
Berkeley Campus
~1000 Nodes
Outline
 Motivation
 End-user Privacy Needs
 Confab Toolkit for Privacy-Sensitive Ubicomp
 Physical layer for acquiring location
 Infrastructure layer
 Presentation layer
 Applications Built
Infrastructure Layer
Confab’s Built-in MiniGIS Operator
People and apps need semantically useful names
– “Meet me at 37.875, -122.257”
Country Name
Region Name
City Name
ZIP Code
Place Name
Latitude/Longitude
= United States
= California
= Berkeley
= 94709
= Soda Hall
= 37.875, -122.257
MiniGIS operator transforms location info locally
– Using network-based services would be privacy hole
Whittled down to 30 megs from public sources
– Places hardest to get, 3 ugrads + me scouring Berkeley
Confab Architecture
Name
PlaceLab
Source
Loc
InfoSpace
Data
Store
Out Operators
• Flow Control
• MiniGIS
My Computer
Location
Messenger
Tourguide
How to make users aware of
and be able to control the flow
of personal info?
Outline
 Motivation
 End-user Privacy Needs
 Pitfalls in User Interfaces for Privacy
 Confab Toolkit for Privacy-Sensitive Ubicomp
 Physical layer for acquiring location
 Infrastructure layer
 Presentation layer
 Applications Built
Presentation Layer
Notifications
Notification UI when others request your location (pull)
– Default is always “unknown” (plausible deniability)
Presentation Layer
PlaceBar
PlaceBar UI used when you send to others (push)
– If you give me “city” location, I can offer “events, museum lines”
Confab Architecture
My Computer
Name
PlaceLab
Source
Loc
InfoSpace
Data
Store
Location
Messenger
Tourguide
How to control personal info
once it leaves your computer?
Privacy Tags
Digital Rights Management for Privacy
–
–
–
–
Like adding note to email, “Please don’t forward”
Notify address
- notify-abc@cs.berkeley.edu
Time to live
- 5 days
Max number of sightings - last 5 sightings of my location
Provide libraries for making it easy for app developers
Requires non-technical solutions for deployment
– Market support thru TrustE, Consumer Reports
– Legal support thru data retention laws
Outline
 Motivation
 Analysis of End-user Privacy Needs
 Confab Toolkit for Privacy-Sensitive Ubicomp
 Applications Built
Putting it Together #1
Location-Enhanced Messenger
Putting it Together #1
Location-Enhanced Messenger
Putting it Together #2
Location-Enhanced Web Proxy
Auto-fills location information on existing web sites
PageModification
URL
=http://www.starbucks.com/
txtCity =CityName
txtState =RegionCode
txtZip =ZIPCode
MapQuest
Starbucks
Putting it Together #2
Location-Enhanced Web Proxy
Location-aware web sites
– Different content based on your current location
Application Details
Location-enhanced Instant Messenger
– Uses Hamsam library for cross-platform IM
– ~2500 LOCs across 23 classes, about 5 weeks (mostly GUI)
– Acquiring location, InfoSpace store (and prefs), location queries,
automatic updates, access notifications, MiniGIS + dataset
Location-enhanced web proxy
– Added ~800 LOCs to existing 800 LOCs, about 1 week
– Location queries, automatic updates, MiniGIS + dataset, PlaceBar
Other apps
– Emergency Response app, distributed querying app
Confab reduces what would be a lot of duplicated work
Other Parts of this Work
Common risks to design for in privacy-sensitive systems?
Hong, Ng, Lederer, Landay [DIS2004]
Privacy Risk Models for Designing Privacy-Sensitive
Ubiquitous Computing Systems
Common mistakes to avoid in the user interface?
Lederer, Hong, Dey, Landay [PUC 2004]
Personal Privacy through Understanding and Action:
Five Pitfalls for Designers
Design rationale at presentation layer
User evaluations of the apps
Conclusions
Confab toolkit for facilitating construction of privacysensitive ubicomp applications
– Privacy at physical, infrastructure, and presentation layers
– Push architecture towards local capture, processing, storage
– Couple w/ better UIs for greater choice, control, and feedback
“Use technology correctly to enhance life. It is important
that people have a choice in how much information can
be disclosed. Then the technology is useful.”
Acknowledgements
Thanks to:
DARPA Expeditions
NSF ITR
Intel Fellowship
Siebel Systems Fellowship
PARC
Intel Research
http://placelab.org
John Canny
Anind Dey
Scott Lederer
Jennifer Ng
Bill Schilit
Doug Tygar
Many, many others…
Jason I. Hong
jasonh@cs.berkeley.edu
http://guir.berkeley.edu/confab
Hypothesis: The Privacy Hump
fears
Pessimistic
Many legitimate concerns
Many alarmist rants
“Right” way to deploy?
Value proposition?
Rules on fair use?
time
Optimistic
Things have settled down
Few fears materialized
Market, Social, Legal, Tech
We get tangible value
Missing Pieces of the Privacy Puzzle
How do privacy perceptions change over time?
– Ecommerce studies suggest experience important, privacy hump
How do privacy perceptions vary across cultures?
– Western cultures tend to be more individualistic
Metrics for privacy?
– Specific data types (location) or problems (price discrimination)
Economic incentives for companies to do “the right thing”?
Other kinds of protection at the physical layer?
How perfect do we want our ubicomp systems to be?
– Accurate and reliable -> harder to lie