Privacy, Security, and Ubiquitous Computing Jason I. Hong


Overview

• Privacy and Security Today
  – Supporting Trust Decisions

• Privacy and Security Tomorrow
  – Privacy and Usability in Pervasive Environments
  – Location-enhanced Web
  – Whisper


Everyday Security Problems


Everyday Security is Important

• People increasingly asked to make trust decisions
  – Install this software?
  – Trust expired certificate? (“what the !@^% is a certificate?”)
  – Enter username and password?

• Consequence of wrong trust decision can be dramatic
  – Spyware
  – Malware (viruses, worms)
  – Identity theft


Project: Supporting Trust Decisions

• Computers can’t make all trust decisions for you
• Goal here is to help people make better decisions
  – Context here is anti-phishing
  – Multidisciplinary team

• Approach 1: Design Patterns
  – Extract UI design patterns that work well

• Approach 2: Embedded Training
  – Surreptitiously train people to be better at discriminating scams from the real thing

• Approach 3: Public Health System
  – Back-end system + UIs for marking scams


Overview

• Privacy and Security Today
  – Supporting Trust Decisions

• Privacy and Security Tomorrow
  – Privacy and Usability in Pervasive Environments
  – Location-enhanced Web
  – Whisper


Ubicomp Presents New Benefits

[Figure labels: Find Friends, Incident Command, RFID]

• Advances in wireless networking, sensors, devices
  – Greater awareness of and interaction with physical world

• Ubicomp can help in efficiency, coordination, safety


Ubicomp Also Presents New Risks

• Some potential new risks:
  – Commit fraud
  – Draw embarrassing or inaccurate inferences
  – Discriminate against users

[Figure: concerns by party, on a spectrum from Everyday Risks to Extreme Risks]

• Stalkers, Muggers: Well-being, Personal safety
• Employers: Over-monitoring, Discrimination, Reputation
• Friends, Family: Over-protection, Social obligations, Embarrassment
• Government: Civil liberties


Ubicomp Privacy is a Serious Concern

“[It] could tell when you were in the bathroom, when you left the unit, and how long and where you ate your lunch. EXACTLY what you are afraid of.” - allnurses.com


Project: Privacy and Usability in Pervasive Environments

Group project split into two major parts:

1. Decentralized trust management infrastructure for enforcing policies
  – Project Grey, MyCampus, Pervasive Access Control

2. User interfaces for helping people elucidate their privacy preferences
  – When to get notifications?
  – When to share personal information?


Project: Privacy and Usability in Pervasive Environments

• You think you are in one context, actually overlapped in many others

• Without this understanding, cannot act appropriately

• Optionally, useful to specify when it’s okay to broadcast


Project: Privacy and Usability in Pervasive Environments

• Pessimistic, Optimistic, and Mixed-mode privacy
  – Pessimistic: set up prefs beforehand
  – Optimistic: detect problems and fix afterwards
  – Mixed: ask me

• Extend Privacy Bird

• Conversational Case Based Reasoning (CCBR)
  – Major component, help people use similar past situations

• Empirical user studies to compare these UIs
  – Correctness, desirability, predictability, time on task, …


Project: Location-Enhanced Web

Three big problems with location-based services:

1. Need a high level of expertise to create location-enhanced content and services
  – Lots of programming and/or hardware expertise
  – Significantly stifles innovation

2. Difficult to deploy location-enhanced content and services
  – No location app works on multiple phones
  – Haphazard wireless connectivity

3. Location privacy


Web + Location = Location-Enhanced Web

• Evolve existing web infrastructure to support location-awareness
  – Minimal re-design and re-deployment
  – Leverage existing web browsers, web servers

• Co-opt existing location-enhanced content
  – Transparently make web sites that already have location-enhanced content part of the location-enhanced web
  – Ex. Restaurant guides, bus schedules, tour guides, etc
  – Anything with street address info

• Make it easy to create location-enhanced content
  – Authoring of web pages vs programming apps


Underlying Design Philosophy

• Capture, store, and process personal data on my computer as much as possible (laptops and PDAs)

• Provide greater control and feedback over sharing


How It Will Work: Overview

• (1) Determine location locally on device
  – Listen to “beacons” to calculate location locally

• (2) Use local proxies to transparently add new features
  – Let users use existing web browsers

• (3) Local services
  – Geocoders, maps, etc

• (4) Occasionally-connected computing
  – Cache content like a madman, periodically update

• (5) Better user interfaces
  – Provide better UIs for sharing info

• (6) Provide authoring tools for new content and services


How It Will Work: Usage Scenario (1/5)

• Alice does a one-click install for her laptop
• Place Lab WiFi positioning system calculates location
  – Unique WiFi MAC Address → Latitude, Longitude

[Figure labels: A, B, C]

– Works indoors and in urban canyons
– Works with encrypted nodes
– No special equipment
– Privacy-sensitive
– Rides the WiFi wave


How It Will Work: Usage Scenario (2/5)

• Regular web browser starts auto-filling in web forms for location-unaware sites
  – Local geocoder service looks up address info
  – Uses publicly available data about countries, states, ZIP, etc


How It Will Work: Usage Scenario (3/5)

• Alice can also go to a location-aware site that uses our extensions
  – Web-based tour guide of CMU

• Alice gets a Place Bar UI to control what level of location info she is willing to disclose
  – Selectively trade privacy for services
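
An added sketch of the flow in scenarios 1 to 3 (local positioning from beacons, local geocoding, and a user-chosen disclosure level), not code from Place Lab or the project. The beacon table, region box, level names and function names are all constructed for illustration.

```python
# Added illustration only: the beacon table, region box, level names and all
# function names are constructed here; none come from Place Lab or Place Bar.

# Local beacon cache on the device: WiFi MAC -> (latitude, longitude).
BEACONS = {
    "00:11:22:33:44:01": (40.4435, -79.9455),
    "00:11:22:33:44:02": (40.4441, -79.9447),
    "00:11:22:33:44:03": (40.4429, -79.9439),
}
# Local geocoder data: (south, west, north, east) box -> coarse address fields.
REGIONS = [((40.440, -79.950, 40.447, -79.935),
            {"zip": "15213", "city": "Pittsburgh", "state": "PA"})]
# Fields released at each disclosure level, coarsest first.
LEVELS = {"nothing": (), "state": ("state",), "city": ("city", "state"),
          "zip": ("zip", "city", "state"), "exact": ("lat", "lon")}


def estimate_position(scan):
    """Signal-weighted centroid of known beacons; scan is {mac: rssi_dbm}.

    Computed entirely on the device. Unknown MACs are ignored; returns None
    when no known beacon was heard.
    """
    total = lat = lon = 0.0
    for mac, rssi in scan.items():
        pos = BEACONS.get(mac.lower())
        if pos is None:
            continue
        weight = 10 ** (rssi / 20.0)  # stronger signal, larger weight
        lat, lon, total = lat + pos[0] * weight, lon + pos[1] * weight, total + weight
    return (lat / total, lon / total) if total else None


def geocode(position):
    """Look up coarse address fields locally; None if outside cached data."""
    for (south, west, north, east), fields in REGIONS:
        if south <= position[0] <= north and west <= position[1] <= east:
            return fields
    return None


def disclose(position, level):
    """Return only the fields the user chose to share; unknown level shares nothing."""
    wanted = LEVELS.get(level, ())
    if position is None or not wanted:
        return {}
    if level == "exact":
        return {"lat": round(position[0], 5), "lon": round(position[1], 5)}
    region = geocode(position)
    return {k: region[k] for k in wanted} if region else {}
```

Only the output of disclose() would leave the device; the scan, the beacon table and the computed coordinates stay local unless the user picks the finest level.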


How It Will Work: Usage Scenario (4/5)

• Local proxy transparently processes new location-enhanced features
  – Triggers to auto-load new content
    • Ex. show this page when user enters this building
  – Context-sensitive links
    • Ex. “Map” link shows indoor map when indoors, etc
  – Active map


How It Will Work: Usage Scenario (5/5)

• Alice can also download content for use when not connected to network
  – Too expensive, roaming, poor coverage, etc

• Every morning, her laptop downloads location+ information about Pittsburgh
  – Community events like talks, concerts, book signings
  – Restaurant guides (download and geocode entire site)
  – Locally filter and examine

• Can also block-fetch info
  – Ex. Travel to Seattle, download all info for that week
  – Service knows you are in Seattle, that’s it
  – If linked with calendar, can do this when you’re in Pittsburgh


Authoring Tools


Advantages of this Approach

• This approach leverages:
  – Familiar user model (links, pages, web sites, submit button)
  – Lots of existing content
  – Lots of authoring and debugging tools
  – Lots of content creators

• Icing on the cake
  – Simple user model: everything private unless you choose
  – Software only extensions, no new hardware
  – Minimal changes to existing web browsers, proxies, servers
  – Don’t have to wait for widespread cheap wireless networking
  – Can do this today!


Can Address Key Research Problems

• Need a high level of expertise to create location-enhanced content and services
  – Shift problem from programming to authoring
  – Provide libraries and templates for advanced features

• Difficult to deploy location-enhanced content and services
  – Local proxy, local services, local storage
  – Occasionally connected computing

• Privacy
  – OCC (use data offline)
  – Better user interfaces for when and what to share


Lots of Research Issues

• OCC and block-fetching algorithms
  – How much to download? When to refresh?
  – Privacy metric: level of privacy vs cpu, bandwidth, disk, power
  – Pre-fetch: plausible deniability, potentially useful info

• Will work for laptops, what about phones and PDAs?
  – Start with local, push back into infrastructure as needed
  – Ex. Trusted proxies, a for-pay service that honors privacy

• User interfaces
  – Place Bar okay but hard to use in user evals
  – What is live vs cached?


Apps to Build Towards (1/2)

• Web page autofill
• Virtual post-it notes (geonotes)
• Location-enhanced tour guide
• Map-It
  – Map from current location to address on page


Apps to Build Towards (2/2)

• Location dashboard
  – Subscribe to Starbucks coffee, crime database, and geonotes server
  – As you move around, you can see:
    • Nearest Starbucks
    • Crime “thermometer”
    • Previews of notes your friends have posted
  – Like an RSS feed for the real world!

• Whisper Community Event Service
  – Crawl web for community events
  – Use location, social networks, and keywords to filter
  – “Notify me when Yo-Yo Ma will play a concert in Pittsburgh”


Project Whisper

• Community event service
  – Foster sociability within community
  – Get people away from TV

• First iteration done
  – (Before location-enhanced web though)

• User evaluations
  – Useful but…
  – I want to know who else is going
  – Too many events shown!

• Make it easier for people to coordinate
  – Lightweight, minimal social obligations

• Make it easy to see what’s going on


Project Whisper

• Use location information, preferences, and social networking to filter
  – Location: “Shadyside art festival”
  – Preferences: “Yo-Yo Ma”
  – Social Networking: “I’m going to this concert, anyone else?”

• Hypothesis: instigators
  – N% of population who really like to organize outings
  – Subscribe to events these people are interested in

• Provide personalized events as lightweight RSS feed
  – RSS a simple way of subscribing to things


Project Whisper

Wed (Today):
• Talk on privacy (3:30PM)

Fri
• Churchbrew (Lorrie, 6:30PM)

Weekend
• Shadyside art festival (all day)
• Garage sale Squirrel Hill

Future
• Yo-Yo Ma (Oct 28)


I get this because of simple keyword matching on “privacy”


I get this because I subscribe to Lorrie’s personal RSS feed


I get these two because I live in Shadyside

Rather than current location, leverage where we spend a lot of our time (i.e., home, work, etc.)


I get this because of keyword “Yo Yo Ma”.

I can also publish this as part of my personal RSS feed, so my friends can also see this event.

Whisper can then help with who’s going, carpools, etc.


Summary of Projects

Privacy, security, and ubiquitous computing

• Supporting Trust Decisions
  – Design patterns, Embedded Training, Public Health

• Privacy and Usability in Pervasive Environments
  – Design, implement, and eval multiple UIs

• Location-enhanced web
  – Systems and UI issues for combining location and web

• Whisper Community Event Service
  – Make it easier for people to find interesting events and coordinate who’s going


Future of Ubiquitous Computing?

Jason I. Hong

NSH 2504D


Perspective on Privacy

“The problem, while often couched in terms of privacy, is really one of control. If the computational system is invisible as well as extensive, it becomes hard to know:

  – what is controlling what
  – what is connected to what
  – where information is flowing
  – how it is being used”

The Origins of Ubiquitous Computing Research at PARC in the Late 1980s (Weiser, Gold, Brown)

Empower people so they can choose to share:

• the right information
• with the right people or services
• at the right time


… and Integrated with Real World


Client-Centered Architectures

• Basic idea:
  – Local sensing, local storage, local processing
  – Provide better control and feedback over sharing

• Examples:
  – Anonymous Broadcast
    • Satellites (GPS, Sirius or XM), Radio (AM / FM), WiFi AP
  – Sensing: GPS, Cricket, Place Lab
  – Storage: Occasionally Connected Computing
    • Sync up lots of potentially useful info beforehand
  – Services
    • Geocoding, maps, etc
    • These services would also be OCC services


Weaknesses of Client-Centered Approach

• Only useful for certain kinds of apps
  – Default is not to share info, some apps hard to build
  – Personal mobile apps vs Place-oriented apps (cameras)
  – Best for read-only data

• Requires really high-end devices
  – Invoke Moore’s Law
  – Fundamental tradeoff

• Centralized / decentralized tradeoff
  – Like hotmail vs cmu IMAP vs own IMAP
  – Decentralized probably scales better
  – But users are own sysadmins, viruses, spyware
  – Again, fundamental tradeoff