Privacy and Ubiquitous Computing Jason I. Hong

Ubicomp Privacy is a Serious Concern
“[Active Badge] could tell when you were
in the bathroom, when you left the unit,
and how long and where you ate your
lunch. EXACTLY what you are afraid of.”
- allnurses.com
Why is Ubicomp Privacy Hard?
• Characteristics
  – Real-time, distributed
  – Invisibility of sensors
  – Potential scale
  – What data? Who sees it?
• Design Issues
  – No control over system
  – No feedback, cannot act appropriately
    • You think you are in one context, actually in many
  – No value proposition
Why is Ubicomp Privacy Hard?
• Devices becoming more intimate
  – Call record, SMS messages
  – Calendar, Notes, Photos
  – History of locations, People nearby, Interruptibility
  – With us nearly all the time
• Portable and automatic diary
  – Accidental viewing, losing device, hacking
• Protection from interruptions
  – Calls at bad times, other people’s (annoying) calls
• Projecting a desired persona
  – Accidental disclosures of location, plausible deniability
Exploring Ubicomp at CMU
• People Finder
• Sensor Andrew
• inTouch
  – Better awareness and messaging for small groups
• Contextual Instant Messaging
  – Control and feedback mechanisms for ubicomp privacy
Contextual Instant Messaging
• Facilitate coordination and communication by letting people request contextual information via IM
  – Interruptibility (via SUBTLE toolkit)
  – Location (via Place Lab WiFi positioning)
  – Active window
• Developed a custom client and robot on top of AIM
  – Client (Trillian plugin) captures and sends context to robot
  – People can query imbuddy411 robot for info
    • “howbusyis username”
  – Robot also contains privacy rules governing disclosure
Control – Setting Privacy Policies
• Web-based specification of privacy preferences
  – Users can create groups and put screennames into groups
  – Users can specify what each group can see
Control – System Tray
• Coarse grain controls plus access to privacy settings
Feedback – Notifications
Feedback – Social Translucency
Feedback – Offline Notification
Feedback – Summaries
Feedback – Audit Logs
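Added example (not from the original slides or the imbuddy411 code): a sketch of the control and feedback pieces above, with group-based disclosure rules, an audit log of every query, per-requester summaries, and an anomaly filter for notifications. The class and function names, the union rule for requesters in several groups, and the sample data are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

CONTEXT_TYPES = ("interruptibility", "location", "active_window")

@dataclass
class DisclosurePolicy:
    """One user's privacy rules plus the audit log of queries against them."""
    groups: dict = field(default_factory=dict)     # group name -> set of screennames
    visible: dict = field(default_factory=dict)    # group name -> context types shown
    audit_log: list = field(default_factory=list)  # (requester, type, disclosed)

    def allowed_types(self, requester):
        # Assumption: a requester in several groups sees the union of them.
        allowed = set()
        for name, members in self.groups.items():
            if requester in members:
                allowed |= set(self.visible.get(name, ()))
        return allowed  # empty for screennames in no group: default deny

    def query(self, requester, ctx_type, context):
        if ctx_type not in CONTEXT_TYPES:
            raise ValueError(f"unknown context type: {ctx_type}")
        disclosed = ctx_type in self.allowed_types(requester)
        self.audit_log.append((requester, ctx_type, disclosed))  # log denials too
        return context[ctx_type] if disclosed else None

    def summaries(self):
        # Counts in the style of "User x asked for location 5 times".
        counts = Counter((r, t) for r, t, _ in self.audit_log)
        return [f"{r} asked for {t} {n} times" for (r, t), n in sorted(counts.items())]

    def anomalies(self, max_queries):
        # Flag only unusual requesters: in no group, or over the threshold.
        per_user = Counter(r for r, _, _ in self.audit_log)
        known = set().union(*self.groups.values())
        return sorted(r for r, n in per_user.items() if r not in known or n > max_queries)

def demo():
    # Constructed sample data; screennames and context values are made up.
    policy = DisclosurePolicy(
        groups={"family": {"alice"}, "class": {"alice", "bob"}},
        visible={"family": {"location"}, "class": {"interruptibility"}})
    context = {"interruptibility": "busy", "location": "library", "active_window": "editor"}
    results = [policy.query("alice", "location", context),
               policy.query("bob", "location", context),
               policy.query("stranger", "location", context),
               policy.query("stranger", "active_window", context)]
    return policy, results

if __name__ == "__main__":
    policy, results = demo()
    print(results, policy.summaries(), policy.anomalies(max_queries=5))
```

Denied queries are logged as well as granted ones, so the summary and anomaly views cover requesters who received nothing.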
Evaluation
• Recruited fifteen people for four weeks
  – Selected people highly active in IM (i.e., undergrads)
  – ~120 buddies, ~1580 messages / week (sent and received)
  – ~3.3 groups created per person
• Notified other parties of imbuddy411 service
  – Update AIM profile to advertise
  – Would notify other parties at start of conversation
Results of Evaluation
• 321 queries
  – ~1 query / person / day
  – 61 distinct screennames, 15 repeat users
  – 67 interruptibility, 175 location, 79 active window
• Added Stalkerbot near end of study
  – A stranger making 2 queries per person per day
Results – Controls
• Controls easy to use (4.5 / 5, σ=0.7)
  “I really liked the privacy settings the way they are. I thought they were easy to use, especially changing between privacy settings.”
  “I felt pretty comfortable with using it because you can just easily modify the privacy settings.”
• However, can be lots of effort
  “It’s time consuming, if you have a long buddylist, to set up for each person.”
• Asked for more location disclosure levels
  – Around or near a certain place
Results – Comfort Level
• Comfort level good (4 / 5, σ=0.9)
  – 12 participants noticed stalkerbot, 3 didn’t until debriefing
  – However, no real concerns
  – Reasoned that our stalkerbot was a buddy or old friend
  – Also confident in their privacy control settings
  “I know they won’t get any information, because I set to the default so they won’t be able to see anything.”
Results – Appropriateness of Disclosures
• Mostly appropriate (2.47 / 5, where 3 is appropriate)
  – Useful information for requester? Right level of info?
  – Two people increased privacy settings, one after experimentation, other after too many requests from specific person
• However, more complaints about accuracy
  – Ex. Left a laptop in a room to get food, person wasn’t there
Results – Usefulness of Feedback
• Bubble notification, 1.6 / 6 (σ=0.6)
• Disclosure log, 1.8 (σ=1.3)
• Mouse-over notification, 3.7 (σ=1.0)
• Offline statistic notification, 4 (σ=1.4)
• Social translucency Trillian tooltip popup, 4.8 (σ=1.1)
• Peripheral red-dot notification, 5.4 (σ=0.7)
Discussion
• Scaling up notifications
  – ~1 query / person / day, but just one app, not a lot of users
  – Pointing out anomalies more useful
• Disclosure log not used heavily
  – Though people liked knowing that it was there just in case
• Surprisingly few concerns about privacy
  – No user expressed strong privacy concerns
  – Feature requests were all non-privacy related
  – If low usage, due to not enough utility, not due to privacy
• Does this mean our privacy is good enough, or is this because of users’ attitudes and behaviors?
Better understanding of attitudes and
behaviors towards privacy
• Westin identified three clusters of people wrt attitudes toward commercial entities
  – Fundamentalists (~25%)
  – Unconcerned (~10%)
  – Pragmatists (~65%)
• We need something like this for ubicomp
  – But for personal privacy rather than for commercial entities
  – With more fine-grained segmentation
    • Fundamentalists include techno-libertarians and luddites
    • Pragmatists include too busy, not enough value, profiling
  – Better segmentation would help us understand if our privacy is good enough for specific audience
Understanding Adoption
• Need to tie attitudes and behavior with adoption models
Teens
Understanding Adoption
• Crafting better value propositions
  – “Ubiquitous computing” and a focus on technology really scared the bejeezus out of people
  – “Invisible computing” and a focus on how it helps people, far more palatable
• Finding and supporting existing practices
  – Already using IM, familiar metaphor, adding a few more features, rather than asking people to take a large step
  – Better deployment models
End-User Privacy in HCI
• 137 page article surveying privacy in HCI and CSCW
• Forthcoming in the new Foundations and Trends journal, in a few weeks
Acknowledgements
• Gary Hsieh
• Wai-yong Low
• Karen Tang

• NSF Cyber Trust CNS-0627513
• NSF IIS CNS-0433540
• ARO DAAD19-02-0389
• Motorola
• Nokia Research
• Skyhook
Open Challenges
Lessons Thus Far
Results of First Evaluation
• Total of 242 requests for contextual information
  – 53 distinct screen names, 13 repeat users
[Figure: bar chart of requests by type (Interruptibility, Location, Active Window)]
Results of First Evaluation
• 43 privacy groups, ~4 per participant
  – Groups organized as class, major, clubs, gender, work, location, ethnicity, family
  – 6 groups revealed no information
  – 7 groups disclosed all information
• Only two instances of changes to rules
  – In both cases, friend asked participant to increase level of disclosure
Results of First Evaluation
• Likert scale survey at end
  – 1 is strongly disagree, 5 is strongly agree
  – All participants agreed contextual information sensitive
    • Interruptibility 3.6, location 4.1, window 4.9
  – Participants were comfortable using our controls (4.1)
  – Easy to understand (4.4) and modify (4.2)
  – Good sense of who had seen what (3.9)
• Participants also suggested improvements
  – Notification of offline requests
  – Better summaries (“User x asked for location 5 times today”)
  – Better notifications to reduce interruptions (abnormal use)
What’s Hard about Ubicomp Privacy?
• Easier to store lots of data
• More kinds of data being collected
• Easier to distribute
• More sensors, real-time
• More devices
• Easier to search
• More intimate
Five Challenges
• Better ways of helping end-users manage their privacy
• A better understanding of people’s attitudes and behaviors towards privacy
• A privacy toolbox
• Better organizational support
• Understanding adoption