Post on 22-Dec-2015


An Architecture for Privacy-Sensitive Ubiquitous Computing

Jason I. Hong, HCI Institute, Carnegie Mellon University

James A. Landay, Computer Science and Eng., University of Washington

Ubicomp Privacy is a Serious Concern

From a nurse required to wear an active badge:

“[It] could tell when you were in the bathroom, when you left the unit, and how long and where you ate your lunch. EXACTLY what you are afraid of.”- allnurses.com

Ubicomp Presents a Range of Privacy Risks

Risks by source, ranging from everyday risks to extreme risks:

Stalkers, Muggers: Well-being, Personal safety

Employers: Over-monitoring, Discrimination, Reputation

Friends, Family: Over-protection, Social obligations, Embarrassment

Government: Civil liberties

How to maximize real benefit of ubicomp while minimizing perceived and actual privacy risks?

Approach: Confab Privacy Toolkit Informed by End-User Needs

Hard to analyze privacy
– Analysis of end-user needs for ubicomp privacy
– Interviews, surveys, postings on message boards

Hard to implement privacy-sensitive systems
– Confab toolkit for privacy-sensitive ubicomp apps
– Capture, processing and presentation of personal info
– Focus on location privacy
– Evaluation thru building apps: location-enhanced messenger, location-enhanced web proxy

Outline

Motivation
End-user Privacy Needs
Confab Toolkit for Privacy-Sensitive Ubicomp
Applications Built

An HCI Perspective on Privacy

“The problem, while often couched in terms of privacy, is really one of control. If the computational system is invisible as well as extensive, it becomes hard to know:
– what is controlling what
– what is connected to what
– where information is flowing
– how it is being used”

– Weiser, Gold, Brown, The Origins of Ubiquitous Computing Research at PARC in the Late 1980s

Empower people so they can choose to share:

• the right information
• with the right people or services
• at the right time

Analysis of End-User Privacy Needs

Lots of speculation about ubicomp privacy, little data

Published Sources
– Examined papers describing usage of ubicomp systems
– Examined existing and proposed privacy protection laws

Surveys and Interviews
– Analyzed survey data of 130 people on ubicomp privacy prefs
– Interviewed 20 people on location-based services

Existing Systems
– Analyzed postings on nurse message board on locator systems

Summary of End-User Privacy Needs

Clear value proposition

Simple and appropriate control and feedback

Plausible deniability

Limited retention of data

Decentralized control

Special exceptions for emergencies

[Figure: Alice’s Location and Bob’s Location]

Outline

Motivation End-user Privacy Needs Confab Toolkit for Privacy-Sensitive Ubicomp Applications Built

Confab Toolkit for Privacy-Sensitive Ubicomp

Confab for privacy-sensitive ubicomp apps
– Cover end-user privacy needs
– Provide solid technical foundation for privacy-sensitive ubicomp

A toolkit needs to support all three of these layers
– Must capture, store, process, & share in privacy-sensitive manner

[Figure: the three layers, Physical / Sensor, Infrastructure, and Presentation, each annotated with what it alone cannot guarantee]

Presentation: I might present choices well to users… but not have control over how the info was acquired or processed

Physical / Sensor: I might acquire information privately… but not help developers process it safely or provide visibility to end-users

Past Work Addresses at Most One Layer

Today, building privacy-sensitive apps would have to be done in an ad hoc manner

[Figure: prior work by layer]
Physical / Sensor: Cricket Location Beacons, Active Bats
Infrastructure: ParcTab System, Context Toolkit
Presentation: P3P, Privacy Mirrors

Confab High-Level Architecture

Capture, store, and process personal data on my computer as much as possible (laptops and PDAs)

Provide greater control and feedback over sharing

[Figure: on My Computer, Sources feed an InfoSpace backed by a Data Store (holding items such as Loc and Name) through In Operators; On Operators run over the stored data, and Out Operators govern what reaches an App. Operators shown: Logging, Check Privacy Tag, Invisible Mode, Enforce Access, User Interfaces, Garbage Collect, Periodic Reports]

Example Built-in Confab Operator: Flow Control

Goal: Disclose different info to different requestors

Conditions
– Age of data
– Data Format
– Requestor Domain
– Data Type
– Requestor ID
– Current Time
– Requestor Location

Actions
– Lower Precision
– Allow
– Set (fake value)
– Hide (data is removed)
– Invisible (no out data)
– Timeout (fake network load)
– Interactive
– Deny (forbidden)
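The flow-control idea above, worked through as an added example (this is not Confab's own operator). It assumes a simplified rule format: rules are checked in order, the first rule whose conditions all hold decides the action, and when no rule matches the data is hidden, so the requestor sees "unknown" and cannot tell a refusal from a missing fix. The conditions and actions follow the operator's lists; the requestor-location condition is left out, and "interactive" and "timeout" are represented only as distinct responses, not as a real prompt or delay. All requestor names, coordinates and rules are constructed.

```python
"""Rule-based flow control for location disclosures (added example, not Confab code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ACTIONS = {"allow", "lower_precision", "set", "hide", "invisible",
           "timeout", "interactive", "deny"}


@dataclass(frozen=True)
class Location:
    lat: float
    lon: float
    captured_at: datetime


@dataclass(frozen=True)
class Request:
    requestor_id: str
    requestor_domain: str
    data_type: str
    now: datetime


@dataclass(frozen=True)
class Rule:
    action: str
    requestor_ids: Optional[frozenset] = None      # None means "any"
    requestor_domains: Optional[frozenset] = None
    data_types: Optional[frozenset] = None
    max_age: Optional[timedelta] = None            # only data this fresh qualifies
    hours: Optional[range] = None                  # local hours when the rule applies
    fake_value: Optional[Location] = None          # value disclosed by "set"

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")

    def matches(self, req: Request, loc: Location) -> bool:
        return all([
            self.requestor_ids is None or req.requestor_id in self.requestor_ids,
            self.requestor_domains is None or req.requestor_domain in self.requestor_domains,
            self.data_types is None or req.data_type in self.data_types,
            self.max_age is None or req.now - loc.captured_at <= self.max_age,
            self.hours is None or req.now.hour in self.hours,
        ])


def apply_action(rule: Rule, loc: Location):
    """Build the response a requestor receives; None means no response at all."""
    if rule.action == "allow":
        return {"status": "ok", "location": loc}
    if rule.action == "lower_precision":
        # Two decimal places is roughly a kilometre: neighbourhood rather than building.
        coarse = Location(round(loc.lat, 2), round(loc.lon, 2), loc.captured_at)
        return {"status": "ok", "location": coarse}
    if rule.action == "set":
        return {"status": "ok", "location": rule.fake_value}
    if rule.action == "hide":
        return {"status": "unknown", "location": None}   # indistinguishable from "no fix"
    if rule.action == "invisible":
        return None                                      # requestor gets silence
    if rule.action == "deny":
        return {"status": "denied", "location": None}    # explicit refusal
    if rule.action == "interactive":
        return {"status": "ask_user", "location": None}  # would prompt the data owner
    return {"status": "timeout", "location": None}       # would stall as if the network were slow


def decide(rules, req: Request, loc: Location):
    """First matching rule wins; the default is to hide (plausible deniability)."""
    for rule in rules:
        if rule.matches(req, loc):
            return apply_action(rule, loc)
    return apply_action(Rule("hide"), loc)


# Constructed policy for one user's location, evaluated at a fixed time.
NOW = datetime(2004, 6, 1, 14, 0)
FRESH = Location(37.8751, -122.2571, NOW - timedelta(minutes=2))
STALE = Location(37.8751, -122.2571, NOW - timedelta(hours=3))
RULES = [
    Rule("invisible", requestor_ids=frozenset({"unwanted@contact.example"})),
    Rule("deny", requestor_domains=frozenset({"spam.example"})),
    Rule("set", requestor_ids=frozenset({"boss@work.example"}),
         fake_value=Location(37.8719, -122.2585, NOW)),
    Rule("allow", requestor_ids=frozenset({"alice@family.example"}),
         data_types=frozenset({"location"}), max_age=timedelta(minutes=10)),
    Rule("lower_precision", requestor_domains=frozenset({"family.example"}),
         max_age=timedelta(minutes=10), hours=range(9, 18)),
]


def ask(requestor_id: str, loc: Location = FRESH, now: datetime = NOW):
    """Evaluate RULES for a location request from requestor_id."""
    domain = requestor_id.split("@", 1)[1]
    return decide(RULES, Request(requestor_id, domain, "location", now), loc)
```

Note that the stale datum falls through to "unknown" for everyone: the freshness condition is on the rules that disclose, so data older than the policy allows is never revealed by accident, and a requestor outside working hours gets the same "unknown" as one for whom no rule exists.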

Outline

Motivation
End-user Privacy Needs
Confab Toolkit for Privacy-Sensitive Ubicomp
– Physical layer for acquiring location
– Infrastructure layer
– Presentation layer
Applications Built

Physical / Sensor Layer: Intel’s Place Lab Location Source

Determine location via local database of WiFi Access Points
– Unique WiFi MAC Address -> Latitude, Longitude
– Periodically update your local copy

[Figure: a device hearing WiFi access points A, B, C]

– Works indoors and in urban canyons
– Works with encrypted nodes
– No special equipment
– Privacy-sensitive
– Rides the WiFi wave
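The local-lookup approach described above, as an added example that is not Place Lab or Confab code. The beacon database is constructed (MACs and coordinates are invented); a real copy, such as the ~60000 nodes for the SF Bay Area, would be synced to the device periodically. Because the lookup is local, the list of access points the device hears never leaves it, and since only the MAC is used, whether an access point is encrypted makes no difference. The example goes one step beyond the slide by discarding beacons whose recorded position is far from the rest of the scan, which is what a moved access point with a stale database entry looks like.

```python
"""Local WiFi-beacon positioning in the style of Place Lab (added example)."""
import math
from statistics import median

# Constructed local database: access-point MAC -> (latitude, longitude).
BEACON_DB = {
    "00:11:22:33:44:01": (37.8751, -122.2574),
    "00:11:22:33:44:02": (37.8749, -122.2570),
    "00:11:22:33:44:03": (37.8753, -122.2572),
    "00:11:22:33:44:99": (37.7749, -122.4194),  # recorded far away, e.g. an access point that moved
}


def normalize_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")


def approx_distance_km(a, b) -> float:
    """Equirectangular approximation; adequate at the few-kilometre scale used here."""
    mid_lat = math.radians((a[0] + b[0]) / 2)
    dlat = (a[0] - b[0]) * 111.0
    dlon = (a[1] - b[1]) * 111.0 * math.cos(mid_lat)
    return math.hypot(dlat, dlon)


def estimate_location(seen_macs, db=BEACON_DB, min_beacons=2, max_spread_km=1.0):
    """Estimate position from the MACs in a scan.

    Returns (lat, lon, beacons_used) or None when too few known beacons remain.
    Beacons far from the median position of the scan are dropped, so a stale
    entry for an access point that has since moved cannot drag the fix off
    by kilometres.
    """
    known = [db[m] for m in map(normalize_mac, seen_macs) if m in db]
    if len(known) < min_beacons:
        return None  # "unknown" is better than a guess an app would trust
    centre = (median([p[0] for p in known]), median([p[1] for p in known]))
    kept = [p for p in known if approx_distance_km(p, centre) <= max_spread_km]
    if len(kept) < min_beacons:
        return None
    lat = sum(p[0] for p in kept) / len(kept)
    lon = sum(p[1] for p in kept) / len(kept)
    return (round(lat, 5), round(lon, 5), len(kept))
```

The scan result is the only input, and the database is read, never queried remotely; the unknown MAC in the scan and the outlier beacon both drop out without affecting the fix.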

[Figure: Place Lab data for the SF Bay Area, ~60000 nodes (~4 Megs)]

[Figure: Place Lab data for the University of California, Berkeley campus, ~1000 nodes]

Outline

Motivation
End-user Privacy Needs
Confab Toolkit for Privacy-Sensitive Ubicomp
– Physical layer for acquiring location
– Infrastructure layer
– Presentation layer
Applications Built

Infrastructure Layer: Confab’s Built-in MiniGIS Operator

People and apps need semantically useful names
– “Meet me at 37.875, -122.257”

MiniGIS operator transforms location info locally
– Using network-based services would be privacy hole

Whittled down to 30 megs from public sources
– Places hardest to get, 3 ugrads + me scouring Berkeley

Country Name = United States
Region Name = California
City Name = Berkeley
ZIP Code = 94709
Place Name = Soda Hall
Latitude/Longitude = 37.875, -122.257
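A local reverse-geocoding lookup in the style of the MiniGIS operator, as an added example that is not Confab's MiniGIS. The dataset is constructed and tiny (the slide's Soda Hall record is used; the other entries and their coordinates are invented), and every entry is a centre point with a radius, where the real dataset would hold proper boundaries. Lookups are purely local, so the coordinate being resolved is never sent to a network service. The `reduce_precision` helper shows how the same hierarchy supports sharing only "city", as the PlaceBar later in the deck does.

```python
"""Local reverse geocoding with a precision hierarchy (added example, not Confab code)."""
import math

# Precision hierarchy, coarsest first.
LEVELS = ["country", "region", "city", "zip", "place"]

# Constructed dataset: centre point, radius in metres, and the attributes to report.
PLACES = [
    {"level": "place", "center": (37.875, -122.257), "radius_m": 150,      # from the slide
     "attrs": {"country": "United States", "region": "California",
               "city": "Berkeley", "zip": "94709", "place": "Soda Hall"}},
    {"level": "place", "center": (37.8721, -122.2578), "radius_m": 150,    # constructed
     "attrs": {"country": "United States", "region": "California",
               "city": "Berkeley", "zip": "94720", "place": "Sather Tower"}},
    {"level": "city", "center": (37.8716, -122.2727), "radius_m": 5000,    # constructed
     "attrs": {"country": "United States", "region": "California",
               "city": "Berkeley"}},
]


def distance_m(a, b) -> float:
    """Great-circle distance in metres (haversine)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000.0 * math.asin(math.sqrt(h))


def resolve(lat, lon, places=PLACES):
    """Most specific record containing (lat, lon), with coordinates attached, or None."""
    hits = [p for p in places if distance_m((lat, lon), p["center"]) <= p["radius_m"]]
    if not hits:
        return None
    best = max(hits, key=lambda p: LEVELS.index(p["level"]))
    return {"lat": lat, "lon": lon, **best["attrs"]}


def reduce_precision(record, level):
    """Keep attributes at `level` and coarser; the coordinates are dropped.

    This is what a PlaceBar-style control would hand to an app when the user
    chooses to share only, say, their city.
    """
    keep = LEVELS[: LEVELS.index(level) + 1]
    return {k: record[k] for k in keep if k in record}
```

A point inside the Soda Hall radius resolves to the full record; a point elsewhere in Berkeley gets only the city-level attributes; a point outside every entry resolves to None rather than to the nearest guess.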

Confab Architecture

[Figure: on My Computer, a PlaceLabSource feeds an InfoSpace backed by a Data Store (Loc, Name); Out Operators (Flow Control, MiniGIS) sit between the InfoSpace and the apps Tourguide and LocationMessenger]

How to make users aware of and be able to control the flow of personal info?

Outline

Motivation
End-user Privacy Needs
Pitfalls in User Interfaces for Privacy
Confab Toolkit for Privacy-Sensitive Ubicomp
– Physical layer for acquiring location
– Infrastructure layer
– Presentation layer
Applications Built

Presentation Layer: Notifications

Notification UI when others request your location (pull)
– Default is always “unknown” (plausible deniability)

Presentation Layer: PlaceBar

PlaceBar UI used when you send to others (push)
– If you give me “city” location, I can offer “events, museum lines”

Confab Architecture

[Figure: on My Computer, a PlaceLabSource feeds an InfoSpace backed by a Data Store (Loc, Name); data flows out to the apps Tourguide and LocationMessenger]

How to control personal info once it leaves your computer?

Privacy Tags

Digital Rights Management for Privacy
– Like adding note to email, “Please don’t forward”
– Notify address - notify-[email protected]
– Time to live - 5 days
– Max number of sightings - last 5 sightings of my location

Provide libraries for making it easy for app developers

Requires non-technical solutions for deployment
– Market support thru TrustE, Consumer Reports
– Legal support thru data retention laws
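The tag fields listed above, carried on each disclosed sighting and honoured on the receiving side, as an added example that is not Confab's privacy-tag library. It assumes a tag with a notify address, a time to live, a maximum number of sightings to retain and a "please don't forward" flag, plus a receiver-side store that applies the tag to the data it holds; the notify address and the sightings are constructed. A tag is a request that the receiver's software honours, so this is the "make it easy for honest app developers" part; it cannot stop a receiver that ignores it, which is why the deck pairs it with market and legal support.

```python
"""Privacy tags on disclosed location data, enforced at the receiver (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PrivacyTag:
    notify: str                 # address told about uses of the data
    time_to_live: timedelta     # discard the data after this long
    max_sightings: int          # keep at most this many sightings per subject
    no_forward: bool = True     # "please don't forward"


@dataclass(frozen=True)
class Sighting:
    subject: str
    lat: float
    lon: float
    seen_at: datetime
    tag: PrivacyTag


class ReceiverStore:
    """Holds sightings received from others and applies their tags."""

    def __init__(self):
        self._sightings = []
        self.outbox = []     # (address, message) pairs that would be sent to tag.notify

    def ingest(self, s: Sighting):
        self._sightings.append(s)
        self.outbox.append((s.tag.notify, f"received sighting of {s.subject} at {s.seen_at.isoformat()}"))
        self.garbage_collect(s.seen_at)

    def garbage_collect(self, now: datetime):
        """Drop expired sightings, then keep only the newest N per subject."""
        live = sorted((s for s in self._sightings if now - s.seen_at < s.tag.time_to_live),
                      key=lambda s: s.seen_at, reverse=True)
        kept, count = [], {}
        for s in live:                       # newest first
            n = count.get(s.subject, 0)
            if n < s.tag.max_sightings:
                kept.append(s)
                count[s.subject] = n + 1
        self._sightings = kept[::-1]         # back to oldest first

    def sightings_of(self, subject: str):
        return [s for s in self._sightings if s.subject == subject]

    def forward(self, s: Sighting, to: str):
        """Refuse when the tag forbids forwarding; otherwise forward and notify."""
        if s.tag.no_forward:
            raise PermissionError(f"tag on {s.subject}'s data forbids forwarding")
        self.outbox.append((s.tag.notify, f"forwarded sighting of {s.subject} to {to}"))
        return s


def forwarding_refused(store: ReceiverStore, s: Sighting, to: str) -> bool:
    try:
        store.forward(s, to)
    except PermissionError:
        return True
    return False


# Constructed sample: seven hourly sightings under a 5-day, 5-sighting tag.
TAG = PrivacyTag("notify-alice@example.invalid", timedelta(days=5), 5)   # placeholder address
T0 = datetime(2004, 6, 1, 9, 0)


def demo_store() -> ReceiverStore:
    store = ReceiverStore()
    for i in range(7):
        store.ingest(Sighting("alice", 37.875 + i * 1e-4, -122.257,
                              T0 + timedelta(hours=i), TAG))
    return store
```

After seven sightings only the last five remain, every receipt has produced a notification for the tag's address, and a garbage-collection pass six days later removes everything because the five-day TTL has passed.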

Outline

Motivation
Analysis of End-user Privacy Needs
Confab Toolkit for Privacy-Sensitive Ubicomp
Applications Built

Putting it Together #1: Location-Enhanced Messenger

Putting it Together #2: Location-Enhanced Web Proxy

Auto-fills location information on existing web sites

[Figure: Starbucks and MapQuest pages with location fields auto-filled]

PageModification
URL = http://www.starbucks.com/
txtCity = CityName
txtState = RegionCode
txtZip = ZIPCode

Location-aware web sites
– Different content based on your current location
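The PageModification entry above, parsed and applied as an added example that is not the Confab web proxy. It assumes a rule written as key = value lines where URL names the site and every other key maps a form field to a MiniGIS attribute (CityName, RegionCode, ZIPCode), plus a dict of the attributes the user chose to share through a PlaceBar-like control. Fields whose attribute was not shared are left for the user to fill, the rule is matched on the page's hostname rather than on a substring of its URL, and values are escaped before being written into the page.

```python
"""Location auto-fill rule for a web proxy (added example, not the Confab proxy)."""
import html
from urllib.parse import urlsplit

# The rule from the slide, in the assumed key = value form.
RULE_TEXT = """
PageModification
URL = http://www.starbucks.com/
txtCity = CityName
txtState = RegionCode
txtZip = ZIPCode
"""


def parse_rule(text: str) -> dict:
    rule = {"url": None, "fields": {}}
    for line in text.strip().splitlines():
        if "=" not in line:
            continue                     # section name line
        key, value = (part.strip() for part in line.split("=", 1))
        if key.upper() == "URL":
            rule["url"] = value
        else:
            rule["fields"][key] = value  # form field -> location attribute
    if not rule["url"]:
        raise ValueError("rule has no URL")
    return rule


def applies_to(rule: dict, page_url: str) -> bool:
    """Match on the hostname, so a page that merely mentions the site in its
    query string does not get the user's location filled in."""
    return urlsplit(page_url).hostname == urlsplit(rule["url"]).hostname


def fill_fields(rule: dict, shared: dict) -> dict:
    """Values to put in the form, limited to attributes the user shared."""
    return {field: shared[attr] for field, attr in rule["fields"].items() if attr in shared}


def value_attributes(values: dict) -> dict:
    """Escape values before the proxy writes them into value="..." attributes,
    so an unusual place name cannot break out of the attribute."""
    return {field: 'value="%s"' % html.escape(v, quote=True) for field, v in values.items()}


RULE = parse_rule(RULE_TEXT)
```

With a city-level share the proxy fills txtCity and txtState and leaves txtZip alone; with a ZIP-level share all three are filled.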

Putting it Together #2: Location-Enhanced Web Proxy

Application Details

Location-enhanced Instant Messenger
– Uses Hamsam library for cross-platform IM
– ~2500 LOCs across 23 classes, about 5 weeks (mostly GUI)
– Acquiring location, InfoSpace store (and prefs), location queries, automatic updates, access notifications, MiniGIS + dataset

Location-enhanced web proxy
– Added ~800 LOCs to existing 800 LOCs, about 1 week
– Location queries, automatic updates, MiniGIS + dataset, PlaceBar

Other apps
– Emergency Response app, distributed querying app

Confab reduces what would be a lot of duplicated work

Other Parts of this Work

Common risks to design for in privacy-sensitive systems?
Hong, Ng, Lederer, Landay [DIS 2004], Privacy Risk Models for Designing Privacy-Sensitive Ubiquitous Computing Systems

Common mistakes to avoid in the user interface?
Lederer, Hong, Dey, Landay [PUC 2004], Personal Privacy through Understanding and Action: Five Pitfalls for Designers

Design rationale at presentation layer

User evaluations of the apps

Conclusions

Confab toolkit for facilitating construction of privacy-sensitive ubicomp applications
– Privacy at physical, infrastructure, and presentation layers
– Push architecture towards local capture, processing, storage
– Couple w/ better UIs for greater choice, control, and feedback

“Use technology correctly to enhance life. It is important that people have a choice in how much information can be disclosed. Then the technology is useful.”

Thanks to: DARPA Expeditions, NSF ITR, Intel Fellowship, Siebel Systems Fellowship, PARC, Intel Research

John Canny, Anind Dey, Scott Lederer, Jennifer Ng, Bill Schilit, Doug Tygar, and many, many others…

http://placelab.org

Jason I. [email protected]

http://guir.berkeley.edu/confab

Acknowledgements

Hypothesis: The Privacy Hump

[Figure: fears plotted against time, rising through a pessimistic phase and falling into an optimistic one]

Pessimistic phase
– Many legitimate concerns
– Many alarmist rants
– “Right” way to deploy?
– Value proposition?
– Rules on fair use?

Optimistic phase
– Things have settled down
– Few fears materialized
– Market, Social, Legal, Tech
– We get tangible value

Missing Pieces of the Privacy Puzzle

How do privacy perceptions change over time?
– Ecommerce studies suggest experience important, privacy hump

How do privacy perceptions vary across cultures?
– Western cultures tend to be more individualistic

Metrics for privacy?
– Specific data types (location) or problems (price discrimination)

Economic incentives for companies to do “the right thing”?

Other kinds of protection at the physical layer?

How perfect do we want our ubicomp systems to be?
– Accurate and reliable -> harder to lie