Introduction to Ubicomp Privacy or Is Privacy the Achilles

1
Introduction to Ubicomp PrivacyorIs Privacy
the Achilles Heel of Ubicomp?
2
Why Care About Privacy?End-User Perspective

• Protection from spam, identity theft, mugging
• Discomfort over surveillance
• Lack of trust in work environments
• Might affect performance, mental health
• May contribute to feeling of lack of control over
  life
• Starting over
• Something stupid you did as a kid
• Creativity and freedom to experiment
• Protection from total societies
• Room for each person to develop individually
• Lack of adoption of ubicomp tech

3
The Fundamental Tension

• Ubicomp envisions
• lots of sensors for gathering data
• rich world models describing people, places,
  things
• pervasive networks for sharing
• This data can be used for good and for bad

Find Friends
Smart Homes
Smart Stores
4
Why Care?Designer and App Developer Perspective

• Most obvious problem with ubicomp by outsiders

5
Why Care?Designer and App Developer Perspective

• Do I wear badges? No way. I am completely
  against wearing badges. I don't want management
  to know where I am. No. I think the people who
  made them should be taken out and shot... it is
  stupid to think that they should research badges
  because it is technologically interesting. They
  (badges) will be used to track me around. They
  will be used to track me around in my private
  life. They make me furious.
• Ubicomp might lead directly to a future of safe,
  efficient, soulless, and merciless universal
  surveillance Rheingold

6
What is Privacy?

• No standard definition, many different
  perspectives
• Different kinds of privacy
• Bodily, Territorial, Communication, Information

7
What is Information Privacy?

• Many different philosophical views on info
  privacy
• Different views -gt different values -gt different
  designs
• Note that these are not necessarily mutually
  exclusive

8
Principles vs Common Interest

• Principled view -gt Privacy as a fundamental right
• Embodied by constitutions, longstanding legal
  precedent
• Government not given right to monitor people
• Common interest -gt Privacy wrt common good
• Emphasizes positive, pragmatic effects for
  society
• Examples
• National ID cards, mandatory HIV testing

9
Self-determination vs Personal Privacy

• Self-determination (aka data protection)
• Arose due to increasing number of databases in
  1970s
• Privacy is the claim of individuals, groups or
  institutions to determine for themselves when,
  how, and to what extent information about them is
  communicated to others (Westin)
• Led to Fair Information Practices (more shortly)
• More of individual with respect to government and
  orgs
• Personal privacy
• How I express myself to others and control access
  to myself
• More of individual with respect to other
  individuals

10
Self-determination vs Personal Privacy

• Examples
• Facebook
• Cell phone communication
• Instant messaging

11
Privacy as Solitude

• The right to be let alone
• People tend to devise strategies to restrict
  their own accessibility to others while
  simultaneously seeking to maximize their ability
  to reach people
• (Darrah et al 2001)
• Example
• Spam protection, undesired social obligations
• Ubicomp
• Able to turn system off, invisible mode

12
Privacy as Anonymity

• Hidden among a crowd
• Example
• Web proxy to hide actual web traffic
• Ubicomp
• Location anonymity
• a person vs Asian person vs Jason Hong

13
Other Views on Privacy

• Transparent Society
• Multi-way flow of info (vs one-way to govts or
  corporations)
• Dont care
• Ive got nothing to hide
• Weve always adapted
• "You have zero privacy anyway. Get over it."
• Fundamentalist
• Dont understand the tech
• Dont trust others to do the right thing
• Pragmatist
• Cost-benefit
• Communitarian benefit to society as well as
  individual

14
Other Views on Privacy
You know it when you lose it
15
Why is Privacy Hard?

• Hard to define until something bad happens
• Well, of course I didnt mean to share that
• Risks not always obvious
• Burglars went to airports to collect license
  plates
• Credit info used by kidnappers in South America
• Change in comfort with time and/or experience
• Cause and effect may be far in time and space
• Malleable depending on situation
• Still use credit cards to buy online
• Benefit outweighs cost

16
Why is Privacy Hard?

• Data getting easier to store
• Think embarrassing facts from a long time ago
  (ex. big hair)
• Think function creep (ex. SSNs)
• Hard to predict effect of disclosure
• Hard to tell what credit card companies, Amazon
  are doing
• Market incentives not aligned
• Easy to misinterpret
• Went to drug rehabilitation clinic, why?
• Bad data can be hard to fix
• Sen. Ted Kennedy on TSA watch list

17
Fair Information Practices (FIPs)

• Based on Self-determination / Data Protection
  view
• Set of principles stating how organizations
  should handle personal information
• Note many variants of FIPs

18
Fair Information Practices (FIPs)

• Openness and transparency
• Individual participation
• Collection limitation
• Data quality
• Use limitation
• Reasonable security
• Accountability

19
Adapting FIPs for Ubicomp

• Presents a method for analyzing ubicomp systems
• Assume designers trying to do the right thing
  
• Versus evil people actively trying to intrude
• Notice
• Physical beacons beaming out P3P policies
• Personal system that logs policies
• Issues
• Overwhelmed by notifications?
• Understandability of notifications?

20
Adapting FIPs for Ubicomp

• Choice and consent
• Need a way to confirm that a person has consented
• Can digitally sign a contract notification
• Issues
• How can people specify their policies?
• Can policies match what people really want?
• How to make people aware of auto-accepts?
• What if people dont have a real choice

21
Adapting FIPs for Ubicomp

• Anonymity and Pseudonymity
• Try to eliminate any trace of identity
• Or have a disposable identifier not linked to
  actual identity
• Issues
• What kinds of services can be offered
  anonymously?
• Business models for anonymous services?

22
Adapting FIPs for Ubicomp

• Proximity
• Limit behavior of smart objects based on
  proximity
• Ex. Record voice only if owner nearby
• Simple mental model, could be hard to implement
  though
• Weakness could be easy to subvert
• Locality
• Information tied to places it was collected
• Require physical proximity to query
• Weakness limits some utility (ex. Find friend)

23
Adapting FIPs for Ubicomp

• Access and Recourse
• How to know what the system knows about you?
• What mechanisms for recourse?
• Suggests minimizing information collected to
  avoid this issue (possible in practice?)

24
Design for Privacy in Ubiquitous Computing
Environments

• Presents a method for analyzing ubicomp systems
• Looks primarily at control and feedback
• Looks at networked media spaces, audio-video
  connections between two locations
• More of a personal privacy approach
• One point they briefly mention is value
  proposition
• At EuroPARC people generally do not worry much
  about privacy. They feel that the benefits of
  RAVE outweigh their concerns. This is because the
  design has evolved together with a culture of
  trust and acceptable practices relating to its
  use. Individual freedom was fostered to use,
  customise, or ignore the technology.

25
Framework

• Capture
• What kind of information?
• Video? Identity? Activity (documents, keypresses,
  etc)
• Construction
• How is information processed? Stored?
• Accessibility
• Who can see the information?
• Purpose
• How is information used? Might be used?

26
(No Transcript)
27
(Some) Criteria for Evaluating Systems

• Appropriate timing
• Perceptibility
• Unobtrusiveness
• Low effort
• Meaningful
• Low Cost

28
Discussion Points Is Privacy Always Good?
29
Discussion Points Is Privacy Always Good?

• Can be used as a shield for abusive behavior
• Supermarket loyalty cards
• Gauge effect of marketing, effects of price and
  demand
• Market to best customers
• Can streamline economic transactions
• Easy credit
• Reputation management
• EU Regulators prosecuted an animal rights
  activist who published a list of fur producers
  and a consumer activist who criticized a large
  bank on a Web page that named the banks
  directors.

30
Discussion PointsWays of Simplifying Privacy for
People?

• Lots of effort across various systems
• Mobile Phone, TiVo, Smart Car, Smart Home,
  Workplace
• Analogy privacy across various web sites
• Ways of making it easier for people?
• What kinds of tools?
• Third party organizations? (MedicAlert)

31
Breakout Groups

• Group A Is privacy always good?
• In what cases not?
• Too much privacy? (ie get used to it, like
  security cams?)
• Group B How to simplify privacy for people in
  ubicomp?
• Core technologies?
• Third parties?
• User interfaces?

32
(No Transcript)
33
Discussion Points

• What is the role of tech? How much should it do?
• With respect to Market, Law, and Social Norms?
• What values should we embody in tech?
• And how to design for those values?
• Is privacy always good to have?
• How to assess risks better beforehand?
• Better h/w and s/w architectures?
• Physical layer of privacy?
• Better UIs? Understandable mental models?
• Metrics for privacy?
• Third parties / companies that manage your
  privacy?

34
Fundamental Tech Challenges

• Make it easy for organizations to do the right
  thing
• Detecting abuse (ex. honeypots, audits)
• Better database aggregation and anonymization
• Better org-wide policies and enforcement
• Make it easy for individuals to share right info
  with right people at right times
• Better ubicomp architectures that put end-users
  in control
• Cant just flip a switch
• Make it easier for app developers to do right
  thing
• Better UIs (awareness, disclosures,
  decision-making)
• Better design and evaluation methods

35
How Ubicomp Changes the Landscape

• Scope and scale
• Everyone, everywhere, any time
• More personal
• Location, activities, habits, hobbies, people
  with
• Breaks existing notions of how world works
• Close the door
• Whisper to people
• Connected
• Easy to share with others
• Machine readable and searchable