Some older research I did looking at one way of building privacy-sensitive apps for ubiquitous computing environments. The core idea is to focus on locality, where all of the data is sensed and processed locally as much as possible. Privacy is the most often-cited criticism of ubiquitous computing, and may be the greatest barrier to its long-term success. However, developers currently have little support in designing software architectures and in creating interactions that are effective in helping end-users manage their privacy. To address this problem, we present Confab, a toolkit for facilitating the development of privacy-sensitive ubiquitous computing applications. The requirements for Confab were gathered through an analysis of privacy needs for both end-users and application developers. Confab provides basic support for building ubiquitous computing applications, providing a framework as well as several customizable privacy mechanisms. Confab also comes with extensions for managing location privacy. Combined, these features allow application developers and end-users to support a spectrum of trust levels and privacy needs. Authors are Jason Hong and James Landay
An Architecture for Privacy-Sensitive Ubiquitous Computing
Jason I. Hong, HCI Institute, Carnegie Mellon University
James A. Landay, Computer Science and Eng., University of Washington
Ubicomp Privacy is a Serious Concern
From a nurse required to wear an active badge:
“[It] could tell when you were in the bathroom, when you left the unit, and how long and where you ate your lunch. EXACTLY what you are afraid of.” - allnurses.com
Ubicomp Presents Range of Privacy Risks
Risks range from everyday risks to extreme risks, depending on who is watching:
– Stalkers, muggers: well-being, personal safety
– Employers: over-monitoring, discrimination, reputation
– Friends, family: over-protection, social obligations, embarrassment
– Government: civil liberties
How to maximize real benefit of ubicomp while minimizing perceived and actual privacy risks?
Approach: Confab Privacy Toolkit Informed by End-User Needs
Hard to analyze privacy
– Analysis of end-user needs for ubicomp privacy: interviews, surveys, postings on message boards
Hard to implement privacy-sensitive systems
– Confab toolkit for privacy-sensitive ubicomp apps: capture, processing and presentation of personal info, with a focus on location privacy
– Evaluation through building apps: location-enhanced messenger, location-enhanced web proxy
Outline
– Motivation
– End-user Privacy Needs
– Confab Toolkit for Privacy-Sensitive Ubicomp
– Applications Built
An HCI Perspective on Privacy
“The problem, while often couched in terms of privacy, is really one of control. If the computational system is invisible as well as extensive, it becomes hard to know:
– what is controlling what
– what is connected to what
– where information is flowing
– how it is being used”
- Weiser, Gold, Brown, The Origins of Ubiquitous Computing Research at PARC in the Late 1980s
Empower people so they can choose to share:
• the right information
• with the right people or services
• at the right time
Analysis of End-User Privacy Needs
Lots of speculation about ubicomp privacy, little data
Published Sources
– Examined papers describing usage of ubicomp systems
– Examined existing and proposed privacy protection laws
Surveys and Interviews
– Analyzed survey data of 130 people on ubicomp privacy prefs
– Interviewed 20 people on location-based services
Existing Systems
– Analyzed postings on nurse message board on locator systems
Summary of End-User Privacy Needs
Clear value proposition
Simple and appropriate control and feedback
Plausible deniability
Limited retention of data
Decentralized control
Special exceptions for emergencies
[Figure: Alice’s Location, Bob’s Location]
Outline
– Motivation
– End-user Privacy Needs
– Confab Toolkit for Privacy-Sensitive Ubicomp
– Applications Built
Confab Toolkit for Privacy-Sensitive Ubicomp
Confab for privacy-sensitive ubicomp apps
– Cover end-user privacy needs
– Provide solid technical foundation for privacy-sensitive ubicomp
A toolkit needs to support all three of these layers
– Must capture, store, process, & share in privacy-sensitive manner
[Figure: the three layers, Physical / Sensor, Infrastructure and Presentation, with two callouts]
– Presentation: “I might present choices well to users… but not have control over how the info was acquired or processed”
– Physical / Sensor: “I might acquire information privately… but not help developers process it safely or provide visibility to end-users”
Past Work Addresses at Most One Layer
Today, building privacy-sensitive apps would have to be done in an ad hoc manner
– Physical / Sensor: Cricket Location Beacons, Active Bats
– Infrastructure: ParcTab System, Context Toolkit
– Presentation: P3P, Privacy Mirrors
Confab High-Level Architecture
Capture, store, and process personal data on my computer as much as possible (laptops and PDAs)
Provide greater control and feedback over sharing
[Figure: Confab architecture. On “My Computer”, Sources feed an InfoSpace Data Store through In Operators; On Operators run over the stored data; Out Operators govern what leaves to apps and to other InfoSpaces. Built-in operators shown: Logging, Check Privacy Tag, Invisible Mode, Enforce Access, User Interfaces, Garbage Collect, Periodic Reports]
Example Built-in Confab Operator: Flow Control
Goal: Disclose different info to different requestors
Conditions
– Age of data
– Data Format
– Requestor Domain
– Data Type
– Requestor ID
– Current Time
– Requestor Location
Actions
– Lower Precision
– Allow
– Set (fake value)
– Hide (data is removed)
– Invisible (no out data)
– Timeout (fake network load)
– Interactive
– Deny (forbidden)
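The following is an added illustration of the flow-control idea above, written for this page in Python; it is not Confab's own code (Confab's operators, condition names and action names are only described on the slides). It models an Out operator as an ordered list of (condition, action) rules over a location tuple and a request, covering a subset of the slide's conditions (age of data, requestor domain, current time) and actions (Allow, Lower Precision, Set, Hide, Deny). The domains, the Soda Hall sighting and the policy are constructed sample values.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple

# A location tuple as an InfoSpace might hold it. Field names follow the
# MiniGIS record on the slides; the sample values are constructed.
@dataclass(frozen=True)
class LocationTuple:
    latitude: float
    longitude: float
    place_name: str
    city_name: str
    sensed_at: datetime

# What the Out operator knows about the party asking for the tuple.
@dataclass(frozen=True)
class Request:
    requestor_id: str
    requestor_domain: str
    current_time: datetime

# Outcome of the operator: `status` names the action that fired, `data` is
# the (possibly transformed) tuple, or None when nothing leaves.
@dataclass(frozen=True)
class Disposition:
    status: str
    data: Optional[LocationTuple]

Condition = Callable[[LocationTuple, Request], bool]
Action = Callable[[LocationTuple, Request], Disposition]

# --- conditions: each returns a predicate closed over its parameter ---
def requestor_domain_is(domain: str) -> Condition:
    return lambda t, r: r.requestor_domain == domain

def data_older_than(age: timedelta) -> Condition:
    return lambda t, r: (r.current_time - t.sensed_at) > age

def current_hour_between(start: int, end: int) -> Condition:
    return lambda t, r: start <= r.current_time.hour < end

def both(a: Condition, b: Condition) -> Condition:
    return lambda t, r: a(t, r) and b(t, r)

def always(t: LocationTuple, r: Request) -> bool:
    return True

# --- actions, a subset of those listed on the slide ---
def allow(t: LocationTuple, r: Request) -> Disposition:
    return Disposition("allow", t)

def lower_precision(t: LocationTuple, r: Request) -> Disposition:
    # City-level disclosure: coordinates rounded to 2 decimals (roughly 1 km)
    # and the building name dropped; the city name is kept.
    coarse = replace(t, latitude=round(t.latitude, 2),
                     longitude=round(t.longitude, 2), place_name="")
    return Disposition("lower_precision", coarse)

def set_fake(t: LocationTuple, r: Request) -> Disposition:
    # A fixed decoy value chosen by the user (constructed here).
    return Disposition("set", replace(t, latitude=37.87, longitude=-122.27,
                                      place_name="", city_name="Berkeley"))

def hide(t: LocationTuple, r: Request) -> Disposition:
    # Data removed: the requestor sees "unknown", the plausible-deniability default.
    return Disposition("hide", None)

def deny(t: LocationTuple, r: Request) -> Disposition:
    # An explicit refusal; unlike hide, it tells the requestor something.
    return Disposition("deny", None)

class FlowControlOperator:
    """Ordered (condition, action) rules; the first rule whose condition
    holds decides what, if anything, leaves the InfoSpace."""

    def __init__(self, rules: List[Tuple[Condition, Action]],
                 default: Action = hide) -> None:
        self.rules = rules
        self.default = default

    def apply(self, t: LocationTuple, r: Request) -> Disposition:
        for condition, action in self.rules:
            if condition(t, r):
                return action(t, r)
        return self.default(t, r)

# Constructed policy: stale data is hidden from everyone; family get full
# precision; an employer gets city-level data during working hours and
# "unknown" outside them; any other requestor is denied.
POLICY = FlowControlOperator([
    (data_older_than(timedelta(hours=1)), hide),
    (requestor_domain_is("family.example"), allow),
    (both(requestor_domain_is("employer.example"), current_hour_between(9, 17)),
     lower_precision),
    (requestor_domain_is("employer.example"), hide),
    (always, deny),
])

def demo(domain: str, hour: int, data_age_minutes: int = 5) -> Disposition:
    """Run POLICY for a requestor in `domain` at `hour` o'clock against a
    constructed Soda Hall sighting that is `data_age_minutes` old."""
    now = datetime(2004, 4, 1, hour, 0, tzinfo=timezone.utc)
    sighting = LocationTuple(37.8755, -122.2588, "Soda Hall", "Berkeley",
                             now - timedelta(minutes=data_age_minutes))
    return POLICY.apply(sighting, Request("alice@example", domain, now))

if __name__ == "__main__":
    for domain, hour in [("family.example", 10), ("employer.example", 10),
                         ("employer.example", 20), ("unknown.example", 10)]:
        print(domain, hour, demo(domain, hour))
```

Rule order is the policy: the stale-data rule sits first so that no requestor, however trusted, receives an old sighting, and the catch-all `(always, deny)` at the end makes the default explicit rather than relying on the operator's fallback.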
Outline
– Motivation
– End-user Privacy Needs
– Confab Toolkit for Privacy-Sensitive Ubicomp
  – Physical layer for acquiring location
  – Infrastructure layer
  – Presentation layer
– Applications Built
Physical / Sensor Layer: Intel’s Place Lab Location Source
Determine location via local database of WiFi Access Points
– Unique WiFi MAC Address -> Latitude, Longitude
– Periodically update your local copy
[Figure: a device hears access points A, B and C and looks them up in its local copy]
– Works indoors and in urban canyons
– Works with encrypted nodes
– No special equipment
– Privacy-sensitive
– Rides the WiFi wave
PlaceLab Data at SF Bay Area
[Figure: map of PlaceLab nodes in the SF Bay Area, ~60000 nodes (~4 Megs)]
PlaceLab Data at UC Berkeley
[Figure: map of PlaceLab nodes on the University of California Berkeley campus, ~1000 nodes]
Outline
– Motivation
– End-user Privacy Needs
– Confab Toolkit for Privacy-Sensitive Ubicomp
  – Physical layer for acquiring location
  – Infrastructure layer
  – Presentation layer
– Applications Built
Infrastructure Layer: Confab’s Built-in MiniGIS Operator
People and apps need semantically useful names
– “Meet me at 37.875, -122.257”
MiniGIS operator transforms location info locally
– Using network-based services would be privacy hole
Whittled down to 30 megs from public sources
– Places hardest to get, 3 ugrads + me scouring Berkeley
Example record:
Country Name = United States
Region Name = California
City Name = Berkeley
ZIP Code = 94709
Place Name = Soda Hall
Latitude/Longitude = 37.875, -122.257
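As an added example covering both the Place Lab source and the MiniGIS operator (this is illustrative code written for this page, not Place Lab's or Confab's own), the block below does the whole pipeline on the local machine: a scan of WiFi MAC addresses is resolved against a local access-point table, the centroid of the known points is taken as the position, a local place table turns that position into the hierarchy of names in the record above, and a precision cut keeps only fields at a chosen level. The MAC addresses, the bounding boxes, the second place and the city bounding box are constructed sample data; the field names are the slide's.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed local Place Lab-style table: WiFi access point MAC address
# -> (latitude, longitude). A real copy is periodically refreshed from the
# shared dataset; nothing in this file contacts a network service.
AP_DB: Dict[str, Tuple[float, float]] = {
    "00:00:00:00:00:01": (37.875, -122.257),
    "00:00:00:00:00:02": (37.876, -122.258),
    "00:00:00:00:00:03": (37.874, -122.256),
    "00:00:00:00:00:04": (37.870, -122.300),  # a different part of town
}

def estimate_position(seen_macs: Iterable[str]) -> Optional[Tuple[float, float]]:
    """Centroid of the access points in a scan that the local table knows;
    None when none are known, so the location simply stays unknown."""
    known = [AP_DB[mac] for mac in seen_macs if mac in AP_DB]
    if not known:
        return None
    return (sum(p[0] for p in known) / len(known),
            sum(p[1] for p in known) / len(known))

BBox = Tuple[float, float, float, float]  # (south, west, north, east)

def in_bbox(lat: float, lon: float, box: BBox) -> bool:
    south, west, north, east = box
    return south <= lat <= north and west <= lon <= east

# Constructed MiniGIS tables: one city, whose names are fixed, and places
# looked up by bounding box. Real data is much larger (30 megs on the slide).
CITY_BBOX: BBox = (37.85, -122.32, 37.90, -122.23)
CITY_RECORD = {"Country Name": "United States", "Region Name": "California",
               "City Name": "Berkeley"}
PLACES: List[Tuple[str, str, BBox]] = [  # (place name, ZIP code, bbox)
    ("Soda Hall", "94709", (37.8745, -122.2595, 37.8765, -122.2565)),
    ("Downtown Berkeley BART", "94704", (37.868, -122.269, 37.871, -122.266)),
]

# Coarse-to-fine order of the record fields, used to cut precision.
LEVELS = ["Country Name", "Region Name", "City Name", "ZIP Code",
          "Place Name", "Latitude/Longitude"]

def reverse_geocode(lat: float, lon: float) -> Dict[str, str]:
    """Map coordinates to the hierarchy of names on the slide, using only
    the local tables."""
    record = {"Latitude/Longitude": f"{lat:.3f}, {lon:.3f}"}
    if in_bbox(lat, lon, CITY_BBOX):
        record.update(CITY_RECORD)
    for name, zip_code, box in PLACES:
        if in_bbox(lat, lon, box):
            record["ZIP Code"] = zip_code
            record["Place Name"] = name
            break
    return record

def at_precision(record: Dict[str, str], level: str) -> Dict[str, str]:
    """Keep only the fields at `level` or coarser; e.g. 'City Name' drops
    the ZIP code, place name and coordinates."""
    keep = LEVELS[:LEVELS.index(level) + 1]
    return {k: v for k, v in record.items() if k in keep}

def locate(seen_macs: Iterable[str],
           level: str = "Latitude/Longitude") -> Optional[Dict[str, str]]:
    """Scan -> position -> named record, entirely on the local machine."""
    pos = estimate_position(seen_macs)
    if pos is None:
        return None
    return at_precision(reverse_geocode(*pos), level)

if __name__ == "__main__":
    scan = ["00:00:00:00:00:01", "00:00:00:00:00:02",
            "00:00:00:00:00:03", "ff:ff:ff:ff:ff:ff"]
    print(locate(scan))
    print(locate(scan, "City Name"))
```

Unknown access points are ignored rather than looked up remotely, which is the locality property the slides argue for: the only thing that ever leaves the machine is whatever `at_precision` leaves in the record.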
Confab Architecture
How to make users aware of and be able to control the flow of personal info?
[Figure: Confab architecture with a PlaceLab Source feeding the InfoSpace Data Store on My Computer; Out Operators (Flow Control, MiniGIS) govern disclosure to the Tourguide and LocationMessenger apps and to another InfoSpace]
Outline
– Motivation
– End-user Privacy Needs
– Pitfalls in User Interfaces for Privacy
– Confab Toolkit for Privacy-Sensitive Ubicomp
  – Physical layer for acquiring location
  – Infrastructure layer
  – Presentation layer
– Applications Built
Presentation Layer: Notifications
Notification UI when others request your location (pull)
– Default is always “unknown” (plausible deniability)
Presentation Layer: PlaceBar
PlaceBar UI used when you send to others (push)
– If you give me “city” location, I can offer “events, museum lines”
Confab Architecture
How to control personal info once it leaves your computer?
[Figure: Confab architecture with the PlaceLab Source and InfoSpace Data Store on My Computer, and the Tourguide and LocationMessenger apps holding data that has already left the computer]
Privacy Tags
Digital Rights Management for Privacy
– Like adding note to email, “Please don’t forward”
– Notify address - notify-[email protected]
– Time to live - 5 days
– Max number of sightings - last 5 sightings of my location
Provide libraries for making it easy for app developers
Requires non-technical solutions for deployment
– Market support thru TrustE, Consumer Reports
– Legal support thru data retention laws
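The block below is an added example of what a recipient's store would have to do to honour such a tag; it is written for this page and is not Confab's library code. A tag carrying the slide's three fields travels with each sighting, and the store enforces the "last 5 sightings" limit on insert and the 5-day time to live on every garbage-collection pass, in the spirit of the Garbage Collect and Periodic Reports operators on the architecture slide. The notify address is a placeholder (the slide's own address is redacted), and the owner, times and sightings are constructed; actually sending the periodic report is not shown.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

@dataclass(frozen=True)
class PrivacyTag:
    notify_address: str      # where usage reports about this data go
    time_to_live: timedelta  # delete the sighting once it is this old
    max_sightings: int       # keep at most this many of the owner's sightings

@dataclass(frozen=True)
class Sighting:
    owner: str
    location: str
    sensed_at: datetime
    tag: PrivacyTag

class TaggedStore:
    """Recipient-side InfoSpace store that honours incoming privacy tags.
    The tag travels with the data; the store enforces it on insert and on
    each garbage-collection pass."""

    def __init__(self) -> None:
        self._by_owner: Dict[str, List[Sighting]] = {}

    def add(self, s: Sighting) -> None:
        rows = self._by_owner.setdefault(s.owner, [])
        rows.append(s)
        rows.sort(key=lambda x: x.sensed_at)
        # Max-sightings rule: keep only the newest N. N comes from the newest
        # tag, so the owner can tighten the limit with a later sighting.
        limit = max(s.tag.max_sightings, 0)
        if len(rows) > limit:
            del rows[:len(rows) - limit]

    def garbage_collect(self, now: datetime) -> List[Sighting]:
        """Drop every sighting whose time to live has elapsed; return them."""
        expired: List[Sighting] = []
        for owner, rows in self._by_owner.items():
            keep: List[Sighting] = []
            for x in rows:
                (keep if now - x.sensed_at <= x.tag.time_to_live else expired).append(x)
            self._by_owner[owner] = keep
        return expired

    def sightings(self, owner: str, now: datetime) -> List[Sighting]:
        """What the store still holds about `owner`, after enforcing TTLs."""
        self.garbage_collect(now)
        return list(self._by_owner.get(owner, []))

    def usage_report(self, now: datetime) -> Dict[str, int]:
        """Per notify address, how many sightings are still held: the content
        of a periodic report back to the data's owner."""
        self.garbage_collect(now)
        report: Dict[str, int] = {}
        for rows in self._by_owner.values():
            for x in rows:
                report[x.tag.notify_address] = report.get(x.tag.notify_address, 0) + 1
        return report

# Constructed sample data. The tag uses the slide's values (5 days, last 5
# sightings); the address is a placeholder, not a real mailbox.
T0 = datetime(2004, 4, 1, 9, 0, tzinfo=timezone.utc)
HOUR = timedelta(hours=1)
DAY = timedelta(days=1)
TAG = PrivacyTag("notify-alice@example.invalid", 5 * DAY, 5)

def demo_store(n_sightings: int = 7) -> TaggedStore:
    """Alice's messenger sends one tagged sighting per hour starting at T0."""
    store = TaggedStore()
    for i in range(n_sightings):
        store.add(Sighting("alice", f"sighting {i}", T0 + i * HOUR, TAG))
    return store

if __name__ == "__main__":
    store = demo_store()
    print(len(store.sightings("alice", T0 + 7 * HOUR)), "held after 7 sightings")
    print(len(store.garbage_collect(T0 + 6 * DAY)), "expired after 6 days")
```

The limits are enforced by the holder of the data, which is exactly why the slide pairs the mechanism with market and legal support: the tag can express the owner's wishes, but only a cooperating store makes them stick.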
Outline
– Motivation
– Analysis of End-user Privacy Needs
– Confab Toolkit for Privacy-Sensitive Ubicomp
– Applications Built
Putting it Together #1: Location-Enhanced Messenger
Putting it Together #2: Location-Enhanced Web Proxy
Auto-fills location information on existing web sites (e.g. Starbucks, MapQuest)
PageModificationURL = http://www.starbucks.com/
txtCity = CityName
txtState = RegionCode
txtZip = ZIPCode
Location-aware web sites
– Different content based on your current location
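The block below is an added example of how a proxy could apply a page-modification rule like the one above; it is illustrative code for this page, not the proxy's own. It parses the rule into a target URL and a form-field-to-attribute mapping, then fills in only the attributes no finer than the level the user chose in the PlaceBar, so a "city" disclosure yields the city and state but never the ZIP code. The attribute ordering, the `RegionCode` value "CA" and the local record are constructed assumptions; the rule text and field names are the slide's.

```python
from typing import Dict, Optional
from urllib.parse import urlencode, urlsplit, urlunsplit

# The page-modification rule from the slide, as text.
RULE_TEXT = """
PageModificationURL = http://www.starbucks.com/
txtCity = CityName
txtState = RegionCode
txtZip = ZIPCode
"""

# How fine each location attribute is (constructed ordering). The PlaceBar
# level chosen by the user caps what the proxy may fill in.
LEVEL_OF = {"CountryName": 0, "RegionName": 1, "RegionCode": 1,
            "CityName": 2, "ZIPCode": 3, "PlaceName": 4}

def parse_rule(text: str) -> Dict[str, object]:
    """Parse 'key = value' lines into the target URL and the
    form-field -> location-attribute mapping."""
    url: Optional[str] = None
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "PageModificationURL":
            url = value
        else:
            fields[key] = value
    if url is None:
        raise ValueError("rule has no PageModificationURL")
    return {"url": url, "fields": fields}

def fill_form(rule: Dict[str, object], page_url: str,
              location: Dict[str, str], shared_level: str) -> Optional[Dict[str, str]]:
    """Form values the proxy may auto-fill for `page_url`: only attributes no
    finer than `shared_level`, and only those present in the local record.
    None when the rule does not apply to this page at all."""
    if not page_url.startswith(rule["url"]):
        return None
    cap = LEVEL_OF[shared_level]
    return {field: location[attr] for field, attr in rule["fields"].items()
            if LEVEL_OF[attr] <= cap and attr in location}

def rewrite_url(rule: Dict[str, object], page_url: str,
                location: Dict[str, str], shared_level: str) -> str:
    """Attach the permitted values as query parameters (a GET-style form);
    pages the rule does not cover are passed through untouched."""
    values = fill_form(rule, page_url, location, shared_level)
    if not values:
        return page_url
    parts = urlsplit(page_url)
    query = "&".join(q for q in [parts.query, urlencode(values)] if q)
    return urlunsplit(parts._replace(query=query))

# Constructed local record, as MiniGIS would produce it for Soda Hall.
LOCAL_RECORD = {"CountryName": "United States", "RegionName": "California",
                "RegionCode": "CA", "CityName": "Berkeley", "ZIPCode": "94709",
                "PlaceName": "Soda Hall"}
RULE = parse_rule(RULE_TEXT)

if __name__ == "__main__":
    for level in ["RegionName", "CityName", "ZIPCode"]:
        print(level, "->", rewrite_url(RULE, "http://www.starbucks.com/", LOCAL_RECORD, level))
```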
Application Details
Location-enhanced Instant Messenger
– Uses Hamsam library for cross-platform IM
– ~2500 LOCs across 23 classes, about 5 weeks (mostly GUI)
– Acquiring location, InfoSpace store (and prefs), location queries, automatic updates, access notifications, MiniGIS + dataset
Location-enhanced web proxy
– Added ~800 LOCs to existing 800 LOCs, about 1 week
– Location queries, automatic updates, MiniGIS + dataset, PlaceBar
Other apps
– Emergency Response app, distributed querying app
Confab reduces what would be a lot of duplicated work
Other Parts of this Work
Common risks to design for in privacy-sensitive systems?
– Hong, Ng, Lederer, Landay [DIS 2004], Privacy Risk Models for Designing Privacy-Sensitive Ubiquitous Computing Systems
Common mistakes to avoid in the user interface?
– Lederer, Hong, Dey, Landay [PUC 2004], Personal Privacy through Understanding and Action: Five Pitfalls for Designers
Design rationale at presentation layer
User evaluations of the apps
Conclusions
Confab toolkit for facilitating construction of privacy-sensitive ubicomp applications
– Privacy at physical, infrastructure, and presentation layers
– Push architecture towards local capture, processing, storage
– Couple w/ better UIs for greater choice, control, and feedback
“Use technology correctly to enhance life. It is important that people have a choice in how much information can be disclosed. Then the technology is useful.”
Acknowledgements
Thanks to: DARPA Expeditions, NSF ITR, Intel Fellowship, Siebel Systems Fellowship, PARC, Intel Research
John Canny, Anind Dey, Scott Lederer, Jennifer Ng, Bill Schilit, Doug Tygar, many, many others…
http://placelab.org
Jason I. [email protected]
http://guir.berkeley.edu/confab
Hypothesis: The Privacy Hump
[Figure: fears plotted against time, rising to a hump and then falling]
Pessimistic
– Many legitimate concerns
– Many alarmist rants
– “Right” way to deploy?
– Value proposition?
– Rules on fair use?
Optimistic
– Things have settled down
– Few fears materialized
– Market, Social, Legal, Tech
– We get tangible value
Missing Pieces of the Privacy Puzzle
How do privacy perceptions change over time?
– Ecommerce studies suggest experience important, privacy hump
How do privacy perceptions vary across cultures?
– Western cultures tend to be more individualistic
Metrics for privacy?
– Specific data types (location) or problems (price discrimination)
Economic incentives for companies to do “the right thing”?
Other kinds of protection at the physical layer?
How perfect do we want our ubicomp systems to be?
– Accurate and reliable -> harder to lie