Privacy and Ubiquitous Computing Jason I. Hong

Page 1: Privacy and  Ubiquitous Computing

Privacy and Ubiquitous Computing

Jason I. Hong

Page 2: Privacy and  Ubiquitous Computing

Ubicomp Privacy is a Serious Concern

“[Active Badge] could tell when you were in the bathroom, when you left the unit, and how long and where you ate your lunch. EXACTLY what you are afraid of.”

- allnurses.com

Page 3: Privacy and  Ubiquitous Computing

Why is Ubicomp Privacy Hard?

• Characteristics
  – Real-time, distributed
  – Invisibility of sensors
  – Potential scale
  – What data? Who sees it?

• Design Issues
  – No control over system
  – No feedback, cannot act appropriately
    • You think you are in one context, actually in many
  – No value proposition

Page 4: Privacy and  Ubiquitous Computing

Why is Ubicomp Privacy Hard?

• Devices becoming more intimate
  – Call record, SMS messages
  – Calendar, Notes, Photos
  – History of locations, People nearby, Interruptibility
  – With us nearly all the time

• Portable and automatic diary
  – Accidental viewing, losing device, hacking

• Protection from interruptions
  – Calls at bad times, other people’s (annoying) calls

• Projecting a desired persona
  – Accidental disclosures of location, plausible deniability

Page 5: Privacy and  Ubiquitous Computing

Exploring Ubicomp at CMU

• People Finder

• Sensor Andrew

• inTouch
  – Better awareness and messaging for small groups

• Contextual Instant Messaging
  – Control and feedback mechanisms for ubicomp privacy

Page 6: Privacy and  Ubiquitous Computing

Contextual Instant Messaging

• Facilitate coordination and communication by letting people request contextual information via IM
  – Interruptibility (via SUBTLE toolkit)
  – Location (via Place Lab WiFi positioning)
  – Active window

• Developed a custom client and robot on top of AIM
  – Client (Trillian plugin) captures and sends context to robot
  – People can query imbuddy411 robot for info
    • “howbusyis username”
  – Robot also contains privacy rules governing disclosure

Page 7: Privacy and  Ubiquitous Computing

Control – Setting Privacy Policies

• Web-based specification of privacy preferences
  – Users can create groups and put screennames into groups
  – Users can specify what each group can see
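An added sketch (not imbuddy411's code, and not from the original slides) of how group-based disclosure rules like these can be evaluated with a default-deny policy while every request, granted or refused, is recorded for later feedback. The class, method names, group names, and sample screennames are all hypothetical, and lowercasing screennames is an assumed normalization.

```python
from collections import Counter
from dataclasses import dataclass, field

# The three context types the slides list as queryable.
CONTEXT_TYPES = {"interruptibility", "location", "active_window"}

@dataclass
class PrivacyRobot:
    """Hypothetical rule store for ONE user's context (illustration only)."""
    groups: dict = field(default_factory=dict)     # screenname -> group name
    allowed: dict = field(default_factory=dict)    # group name -> visible context types
    context: dict = field(default_factory=dict)    # context type -> current value
    audit_log: list = field(default_factory=list)  # (requester, type, disclosed?)

    def set_group_policy(self, group, visible_types):
        unknown = set(visible_types) - CONTEXT_TYPES
        if unknown:
            raise ValueError(f"unknown context types: {sorted(unknown)}")
        self.allowed[group] = set(visible_types)

    def add_to_group(self, screenname, group):
        self.groups[screenname.lower()] = group

    def query(self, requester, context_type):
        """Return the value if the requester's group may see it, else None.
        Screennames in no group fall through to default deny."""
        requester = requester.lower()
        group = self.groups.get(requester)
        permitted = context_type in self.allowed.get(group, set())
        # Log refused requests too, so the owner can see who asked for what.
        self.audit_log.append((requester, context_type, permitted))
        return self.context.get(context_type) if permitted else None

    def summary(self):
        """Request counts per (requester, context type)."""
        return Counter((who, what) for who, what, _ in self.audit_log)

    def denied_requesters(self):
        """Requesters with at least one refused query."""
        return sorted({who for who, _, ok in self.audit_log if not ok})

# Constructed sample data: one user's current context and two groups.
robot = PrivacyRobot(context={"interruptibility": "busy",
                              "location": "library",
                              "active_window": "editor"})
robot.set_group_policy("friends", {"interruptibility", "location"})
robot.set_group_policy("classmates", {"interruptibility"})
robot.add_to_group("Alice01", "friends")
robot.add_to_group("bob_cs", "classmates")
```
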

Page 8: Privacy and  Ubiquitous Computing

Control – System Tray

• Coarse grain controls plus access to privacy settings

Page 9: Privacy and  Ubiquitous Computing

Feedback – Notifications

Page 10: Privacy and  Ubiquitous Computing

Feedback – Social Translucency

Page 11: Privacy and  Ubiquitous Computing

Feedback – Offline Notification

Page 12: Privacy and  Ubiquitous Computing

Feedback – Summaries

Page 13: Privacy and  Ubiquitous Computing

Feedback – Audit Logs

Page 14: Privacy and  Ubiquitous Computing

Evaluation

• Recruited fifteen people for four weeks
  – Selected people highly active in IM (i.e., undergrads)
  – ~120 buddies, ~1580 messages / week (sent and received)
  – ~3.3 groups created per person

• Notified other parties of imbuddy411 service
  – Update AIM profile to advertise
  – Would notify other parties at start of conversation

Page 15: Privacy and  Ubiquitous Computing

Results of Evaluation

• 321 queries
  – ~1 query / person / day
  – 61 distinct screennames, 15 repeat users
  – 67 interruptibility, 175 location, 79 active window

• Added Stalkerbot near end of study
  – A stranger making 2 queries per person per day

Page 16: Privacy and  Ubiquitous Computing

Results – Controls

• Controls easy to use (4.5 / 5, σ=0.7)
  “I really liked the privacy settings the way they are. I thought they were easy to use, especially changing between privacy settings.”
  “I felt pretty comfortable with using it because you can just easily modify the privacy settings.”

• However, can be lots of effort
  “It’s time consuming, if you have a long buddylist, to set up for each person.”

• Asked for more location disclosure levels
  – Around or near a certain place

Page 17: Privacy and  Ubiquitous Computing

Results – Comfort Level

• Comfort level good (4 / 5, σ=0.9)
  – 12 participants noticed stalkerbot, 3 didn’t until debriefing
  – However, no real concerns
  – Reasoned that our stalkerbot was a buddy or old friend
  – Also confident in their privacy control settings
  “I know they won’t get any information, because I set to the default so they won’t be able to see anything.”

Page 18: Privacy and  Ubiquitous Computing

Results – Appropriateness of Disclosures

• Mostly appropriate (2.47 / 5, where 3 is appropriate)
  – Useful information for requester? Right level of info?
  – Two people increased privacy settings, one after experimentation, other after too many requests from specific person

• However, more complaints about accuracy
  – Ex. Left a laptop in a room to get food, person wasn’t there

Page 21: Privacy and  Ubiquitous Computing

Results – Usefulness of Feedback

• Bubble notification, 1.6 / 6 (σ=0.6)
• Disclosure log, 1.8 (σ=1.3)
• Mouse-over notification, 3.7 (σ=1.0)
• Offline statistic notification, 4 (σ=1.4)
• Social translucency Trillian tooltip popup, 4.8 (σ=1.1)
• Peripheral red-dot notification, 5.4 (σ=0.7)

Page 23: Privacy and  Ubiquitous Computing

Discussion

• Scaling up notifications
  – ~1 query / person / day, but just one app, not a lot of users
  – Pointing out anomalies more useful

• Disclosure log not used heavily
  – Though people liked knowing that it was there just in case

• Surprisingly few concerns about privacy
  – No user expressed strong privacy concerns
  – Feature requests were all non-privacy related
  – If low usage, due to not enough utility, not due to privacy

• Does this mean our privacy is good enough, or is this because of users’ attitudes and behaviors?

Page 24: Privacy and  Ubiquitous Computing

Better understanding of attitudes and behaviors towards privacy

• Westin identified three clusters of people wrt attitudes toward commercial entities
  – Fundamentalists (~25%)
  – Unconcerned (~10%)
  – Pragmatists (~65%)

• We need something like this for ubicomp
  – But for personal privacy rather than for commercial entities
  – With more fine-grained segmentation
    • Fundamentalists include techno-libertarians and luddites
    • Pragmatists include too busy, not enough value, profiling
  – Better segmentation would help us understand if our privacy is good enough for specific audience

Page 25: Privacy and  Ubiquitous Computing

Understanding Adoption

• Need to tie attitudes and behavior with adoption models

Teens

Page 28: Privacy and  Ubiquitous Computing

Understanding Adoption

• Crafting better value propositions
  – “Ubiquitous computing” and a focus on technology really scared the bejeezus out of people
  – “Invisible computing” and a focus on how it helps people, far more palatable

• Finding and supporting existing practices
  – Already using IM, familiar metaphor, adding a few more features, rather than asking people to take a large step
  – Better deployment models

Page 29: Privacy and  Ubiquitous Computing

End-User Privacy in HCI

• 137-page article surveying privacy in HCI and CSCW

• Forthcoming in the new Foundations and Trends journal, in a few weeks

Page 30: Privacy and  Ubiquitous Computing

Acknowledgements

• NSF Cyber Trust CNS-0627513
• NSF IIS CNS-0433540
• ARO DAAD19-02-0389
• Motorola
• Nokia Research
• Skyhook

• Gary Hsieh
• Wai-yong Low
• Karen Tang

Page 31: Privacy and  Ubiquitous Computing

Open Challenges

Page 32: Privacy and  Ubiquitous Computing

Lessons Thus Far

Page 36: Privacy and  Ubiquitous Computing

Results of First Evaluation

• Total of 242 requests for contextual information
  – 53 distinct screen names, 13 repeat users

[Chart: requests by type (Interruptibility, Location, Active Window); vertical axis from 0 to 120]

Page 37: Privacy and  Ubiquitous Computing

Results of First Evaluation

• 43 privacy groups, ~4 per participant
  – Groups organized as class, major, clubs, gender, work, location, ethnicity, family
  – 6 groups revealed no information
  – 7 groups disclosed all information

• Only two instances of changes to rules
  – In both cases, friend asked participant to increase level of disclosure

Page 38: Privacy and  Ubiquitous Computing

Results of First Evaluation

• Likert scale survey at end
  – 1 is strongly disagree, 5 is strongly agree
  – All participants agreed contextual information sensitive
    • Interruptibility 3.6, location 4.1, window 4.9
  – Participants were comfortable using our controls (4.1)
  – Easy to understand (4.4) and modify (4.2)
  – Good sense of who had seen what (3.9)

• Participants also suggested improvements
  – Notification of offline requests
  – Better summaries (“User x asked for location 5 times today”)
  – Better notifications to reduce interruptions (abnormal use)

Page 39: Privacy and  Ubiquitous Computing

What’s Hard about Ubicomp Privacy?

• Easier to store lots of data
• More kinds of data being collected
• Easier to distribute
• More sensors, real-time
• More devices
• Easier to search
• More intimate

Page 40: Privacy and  Ubiquitous Computing

Five Challenges

• Better ways of helping end-users manage their privacy
• A better understanding of people’s attitudes and behaviors towards privacy
• A privacy toolbox
• Better organizational support
• Understanding adoption