Title: Introduction to Ubicomp Privacy or Is Privacy the Achilles
1. Introduction to Ubicomp Privacy, or Is Privacy the Achilles Heel of Ubicomp?
2. Why Care About Privacy? End-User Perspective
- Protection from spam, identity theft, mugging
- Discomfort over surveillance
  - Lack of trust in work environments
  - Might affect performance, mental health
- May contribute to a feeling of lack of control over life
- Starting over
  - Something stupid you did as a kid
- Creativity and freedom to experiment
  - Protection from total societies
  - Room for each person to develop individually
- Lack of adoption of ubicomp tech
3. The Fundamental Tension
- Ubicomp envisions
  - lots of sensors for gathering data
  - rich world models describing people, places, things
  - pervasive networks for sharing
- This data can be used for good and for bad
  - Find Friends, Smart Homes, Smart Stores
4. Why Care? Designer and App Developer Perspective
- Privacy is the most obvious problem with ubicomp raised by outsiders
5. Why Care? Designer and App Developer Perspective
- "Do I wear badges? No way. I am completely against wearing badges. I don't want management to know where I am. No. I think the people who made them should be taken out and shot... it is stupid to think that they should research badges because it is technologically interesting. They (badges) will be used to track me around. They will be used to track me around in my private life. They make me furious."
- Ubicomp might lead directly to "a future of safe, efficient, soulless, and merciless universal surveillance" (Rheingold)
6. What is Privacy?
- No standard definition, many different perspectives
- Different kinds of privacy
  - Bodily, territorial, communication, information
7. What is Information Privacy?
- Many different philosophical views on information privacy
- Different views -> different values -> different designs
- Note that these views are not necessarily mutually exclusive
8. Principles vs Common Interest
- Principled view -> privacy as a fundamental right
  - Embodied by constitutions, longstanding legal precedent
  - Government is not given the right to monitor people
- Common interest view -> privacy with respect to the common good
  - Emphasizes positive, pragmatic effects for society
  - Examples: national ID cards, mandatory HIV testing
9. Self-determination vs Personal Privacy
- Self-determination (aka data protection)
  - Arose due to the increasing number of databases in the 1970s
  - "Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others" (Westin)
  - Led to Fair Information Practices (more shortly)
  - More about the individual with respect to government and organizations
- Personal privacy
  - How I express myself to others and control access to myself
  - More about the individual with respect to other individuals
10. Self-determination vs Personal Privacy
- Examples
  - Facebook
  - Cell phone communication
  - Instant messaging
11. Privacy as Solitude
- The right to be let alone
- "People tend to devise strategies to restrict their own accessibility to others while simultaneously seeking to maximize their ability to reach people" (Darrah et al. 2001)
- Example
  - Spam protection, undesired social obligations
- Ubicomp
  - Able to turn the system off, invisible mode
12. Privacy as Anonymity
- Hidden among a crowd
- Example
  - Web proxy to hide actual web traffic
- Ubicomp
  - Location anonymity
  - "a person" vs "an Asian person" vs "Jason Hong"
13. Other Views on Privacy
- Transparent Society
  - Multi-way flow of info (vs one-way flow to governments or corporations)
- Don't care
  - "I've got nothing to hide"
  - "We've always adapted"
  - "You have zero privacy anyway. Get over it."
- Fundamentalist
  - Don't understand the tech
  - Don't trust others to do the right thing
- Pragmatist
  - Cost-benefit
- Communitarian: benefit to society as well as to the individual
14. Other Views on Privacy
- You know it when you lose it
15. Why is Privacy Hard?
- Hard to define until something bad happens
  - "Well, of course I didn't mean to share that"
- Risks not always obvious
  - Burglars went to airports to collect license plates
  - Credit info used by kidnappers in South America
- Comfort changes with time and/or experience
- Cause and effect may be far apart in time and space
- Malleable depending on the situation
  - Still use credit cards to buy online
  - Benefit outweighs cost
16. Why is Privacy Hard?
- Data getting easier to store
  - Think embarrassing facts from a long time ago (ex. big hair)
  - Think function creep (ex. SSNs)
- Hard to predict the effect of disclosure
  - Hard to tell what credit card companies, Amazon are doing
  - Market incentives not aligned
- Easy to misinterpret
  - Went to drug rehabilitation clinic, why?
- Bad data can be hard to fix
  - Sen. Ted Kennedy on TSA watch list
17. Fair Information Practices (FIPs)
- Based on the self-determination / data protection view
- Set of principles stating how organizations should handle personal information
- Note that there are many variants of FIPs
18. Fair Information Practices (FIPs)
- Openness and transparency
- Individual participation
- Collection limitation
- Data quality
- Use limitation
- Reasonable security
- Accountability
19. Adapting FIPs for Ubicomp
- Presents a method for analyzing ubicomp systems
- Assumes designers are trying to do the right thing
  - Versus evil people actively trying to intrude
- Notice
  - Physical beacons beaming out P3P policies
  - Personal system that logs policies
  - Issues
    - Overwhelmed by notifications?
    - Understandability of notifications?
20. Adapting FIPs for Ubicomp
- Choice and consent
  - Need a way to confirm that a person has consented
  - Can digitally sign a contract notification
  - Issues
    - How can people specify their policies?
    - Can policies match what people really want?
    - How to make people aware of auto-accepts?
    - What if people don't have a real choice?
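The notice and consent mechanisms on slides 19 and 20 (beacons announcing policies, a personal system that logs them, a digitally signed consent record, and the problem of people not noticing auto-accepts) as one small Python model. This is an added example, not code from the slides or from any of the systems they cite: the beacon policy fields, the user preference rules and the `PolicyNotice`/`PersonalPolicyLog` names are assumptions made for illustration, and an HMAC stands in for the real public-key signature a deployed system would use.

```python
# Added example (not from the slides): a device-side "policy log" that
# receives beacon policy notices, decides from the person's own preferences
# whether to accept, reject, or ask, and records a signed consent so a
# service can later show the person actually agreed. The policy fields are
# a simplified stand-in for the P3P policies the slide mentions.
import hashlib
import hmac
import json
from dataclasses import dataclass, field, asdict


@dataclass(frozen=True)
class PolicyNotice:
    beacon_id: str        # which physical beacon announced the policy
    purpose: str          # why data is collected, e.g. "navigation"
    data_types: tuple     # what is collected, e.g. ("location",)
    retention_days: int   # how long the collector keeps it


@dataclass
class UserPreferences:
    # Purposes the person accepts without being asked each time
    auto_accept_purposes: frozenset = frozenset()
    # Data types the person never wants collected, regardless of purpose
    never_share: frozenset = frozenset()
    max_retention_days: int = 30


def canonical(notice: PolicyNotice) -> bytes:
    # Stable serialisation so signer and verifier hash identical bytes
    return json.dumps(asdict(notice), sort_keys=True, separators=(",", ":")).encode()


def sign_consent(key: bytes, notice: PolicyNotice) -> str:
    # HMAC-SHA256 over the exact notice that was accepted; a real system
    # would use a public-key signature the service can verify on its own
    return hmac.new(key, b"consent:" + canonical(notice), hashlib.sha256).hexdigest()


def verify_consent(key: bytes, notice: PolicyNotice, sig: str) -> bool:
    return hmac.compare_digest(sign_consent(key, notice), sig)


@dataclass
class PersonalPolicyLog:
    """Log of every notice seen, plus the decision taken on it."""
    signing_key: bytes
    prefs: UserPreferences
    entries: list = field(default_factory=list)

    def receive(self, notice: PolicyNotice) -> dict:
        decision, reason = self._decide(notice)
        entry = {
            "notice": asdict(notice),
            "decision": decision,        # "accept", "reject", or "ask"
            "auto": decision != "ask",   # flagged so auto-decisions can be reviewed
            "reason": reason,
        }
        if decision == "accept":
            entry["consent_sig"] = sign_consent(self.signing_key, notice)
        self.entries.append(entry)
        return entry

    def _decide(self, n: PolicyNotice):
        # Hard refusals first, then anything that needs the person's attention
        if set(n.data_types) & self.prefs.never_share:
            return "reject", "collects a data type marked never-share"
        if n.retention_days > self.prefs.max_retention_days:
            return "ask", "retention longer than preference"
        if n.purpose in self.prefs.auto_accept_purposes:
            return "accept", "purpose is on the auto-accept list"
        return "ask", "no matching preference"

    def auto_accepts(self) -> list:
        """What the person agreed to without being asked (the awareness issue)."""
        return [e for e in self.entries if e["auto"] and e["decision"] == "accept"]


def demo() -> dict:
    # Constructed sample: one device key, three beacons with different policies
    key = b"constructed-device-key"
    prefs = UserPreferences(auto_accept_purposes=frozenset({"navigation"}),
                            never_share=frozenset({"audio"}), max_retention_days=30)
    log = PersonalPolicyLog(key, prefs)
    nav = PolicyNotice("beacon-lobby", "navigation", ("location",), 1)
    ad = PolicyNotice("beacon-store", "marketing", ("location", "identity"), 365)
    mic = PolicyNotice("beacon-meeting", "transcription", ("audio",), 7)
    entries = [log.receive(n) for n in (nav, ad, mic)]
    # A notice altered after consent (extra data type) must not verify
    tampered = PolicyNotice("beacon-lobby", "navigation", ("location", "identity"), 1)
    return {
        "decisions": [e["decision"] for e in entries],
        "consent_valid": verify_consent(key, nav, entries[0]["consent_sig"]),
        "tampered_valid": verify_consent(key, tampered, entries[0]["consent_sig"]),
        "auto_accepts": len(log.auto_accepts()),
    }


if __name__ == "__main__":
    print(demo())
```

The `auto` flag on each log entry is the point of the model: the slide's question "how to make people aware of auto-accepts?" becomes a query over the log rather than something the person has to remember, and the signature binds consent to the exact policy text so a later change to the policy does not inherit the earlier agreement.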
21. Adapting FIPs for Ubicomp
- Anonymity and pseudonymity
  - Try to eliminate any trace of identity
  - Or have a disposable identifier not linked to actual identity
  - Issues
    - What kinds of services can be offered anonymously?
    - Business models for anonymous services?
22. Adapting FIPs for Ubicomp
- Proximity
  - Limit the behavior of smart objects based on proximity
  - Ex. record voice only if the owner is nearby
  - Simple mental model, though it could be hard to implement
  - Weakness: could be easy to subvert
- Locality
  - Information tied to the places where it was collected
  - Require physical proximity to query
  - Weakness: limits some utility (ex. Find Friend)
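The three mechanisms on slides 21 and 22 (a disposable pseudonym, a proximity-gated smart object, and a locality-bound store that only answers queries from someone physically present) as one Python model. This is an added example, not code from the slides: the flat metre-based coordinate system, the distance thresholds, the `VoiceRecorder` and `PlaceBoundStore` names, and the choice of HMAC for deriving pseudonyms are all assumptions made for illustration.

```python
# Added example (not from the slides): pseudonymity, proximity and locality
# as three small, testable checks. Geometry is a constructed flat coordinate
# system in metres; thresholds are illustrative.
import hashlib
import hmac
import math
from dataclasses import dataclass
from typing import Optional


# --- Pseudonymity: a disposable identifier not linked to actual identity ---
def pseudonym(user_secret: bytes, service_id: str, epoch: int) -> str:
    """Derive a per-service, per-epoch identifier from a secret that only the
    user's device holds. Without the secret, identifiers used with different
    services or in different epochs cannot be linked to each other or to the
    person, yet the same device gets a stable ID within one service and epoch."""
    msg = f"{service_id}|{epoch}".encode()
    return hmac.new(user_secret, msg, hashlib.sha256).hexdigest()[:16]


# --- Shared geometry for the proximity and locality checks ---
@dataclass(frozen=True)
class Point:
    x: float
    y: float


def distance(a: Point, b: Point) -> float:
    return math.hypot(a.x - b.x, a.y - b.y)


# --- Proximity: limit a smart object's behaviour to when its owner is near ---
@dataclass
class VoiceRecorder:
    owner_location: Optional[Point]   # last known owner position, None if unknown
    device_location: Point
    max_owner_distance: float = 5.0   # metres, assumed threshold

    def may_record(self) -> bool:
        # An unknown owner position fails closed: the device does not record
        if self.owner_location is None:
            return False
        return distance(self.owner_location, self.device_location) <= self.max_owner_distance


# --- Locality: information tied to the place where it was collected ---
@dataclass
class PlaceBoundStore:
    place_center: Point
    radius: float
    records: list

    def query(self, requester_location: Point) -> Optional[list]:
        """Return records only to a requester physically at the place.
        None signals a refused query, as distinct from an empty result."""
        if distance(requester_location, self.place_center) > self.radius:
            return None
        return list(self.records)


def demo() -> dict:
    # Constructed sample values
    secret = b"constructed-user-secret"
    stable = pseudonym(secret, "find-friends", 1) == pseudonym(secret, "find-friends", 1)
    cross_service = pseudonym(secret, "find-friends", 1) != pseudonym(secret, "smart-store", 1)
    cross_epoch = pseudonym(secret, "find-friends", 1) != pseudonym(secret, "find-friends", 2)

    desk = Point(0, 0)
    near = VoiceRecorder(Point(2, 1), desk).may_record()     # owner ~2.2 m away
    far = VoiceRecorder(Point(40, 0), desk).may_record()     # owner 40 m away
    unknown = VoiceRecorder(None, desk).may_record()         # owner position unknown

    store = PlaceBoundStore(Point(100, 100), 20.0, ["meeting notes", "whiteboard photo"])
    inside = store.query(Point(105, 110))   # ~11.2 m from the centre
    outside = store.query(Point(0, 0))      # far outside the place

    return {
        "pseudonym_stable": stable, "pseudonym_cross_service": cross_service,
        "pseudonym_cross_epoch": cross_epoch,
        "record_near": near, "record_far": far, "record_unknown": unknown,
        "query_inside": inside, "query_outside": outside,
    }


if __name__ == "__main__":
    print(demo())
```

The two weaknesses the slide names show up directly in the code: `may_record` trusts whatever `owner_location` it is given, so a spoofed position subverts the proximity rule, and `PlaceBoundStore.query` refuses a remote requester, which is exactly the utility a find-friend service would need.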
23. Adapting FIPs for Ubicomp
- Access and recourse
  - How to know what the system knows about you?
  - What mechanisms for recourse?
  - Suggests minimizing the information collected to avoid this issue (possible in practice?)
24. Design for Privacy in Ubiquitous Computing Environments
- Presents a method for analyzing ubicomp systems
- Looks primarily at control and feedback
- Looks at networked media spaces, audio-video connections between two locations
- More of a personal privacy approach
- One point they briefly mention is value proposition
  - "At EuroPARC people generally do not worry much about privacy. They feel that the benefits of RAVE outweigh their concerns. This is because the design has evolved together with a culture of trust and acceptable practices relating to its use. Individual freedom was fostered to use, customise, or ignore the technology."
25. Framework
- Capture
  - What kind of information? Video? Identity? Activity (documents, keypresses, etc.)?
- Construction
  - How is information processed? Stored?
- Accessibility
  - Who can see the information?
- Purpose
  - How is information used? How might it be used?
26. (No transcript)
27. (Some) Criteria for Evaluating Systems
- Appropriate timing
- Perceptibility
- Unobtrusiveness
- Low effort
- Meaningful
- Low cost
28. Discussion Points: Is Privacy Always Good?
29. Discussion Points: Is Privacy Always Good?
- Can be used as a shield for abusive behavior
- Supermarket loyalty cards
  - Gauge the effect of marketing, the effects of price on demand
  - Market to best customers
- Can streamline economic transactions
  - Easy credit
  - Reputation management
- EU regulators prosecuted an animal rights activist who published a list of fur producers, and a consumer activist who criticized a large bank on a Web page that named the bank's directors.
30. Discussion Points: Ways of Simplifying Privacy for People?
- Lots of effort across various systems
  - Mobile phone, TiVo, smart car, smart home, workplace
  - Analogy: privacy across various web sites
- Ways of making it easier for people?
  - What kinds of tools?
  - Third-party organizations? (MedicAlert)
31. Breakout Groups
- Group A: Is privacy always good?
  - In what cases not?
  - Too much privacy? (i.e. do we get used to it, like security cams?)
- Group B: How to simplify privacy for people in ubicomp?
  - Core technologies?
  - Third parties?
  - User interfaces?
32. (No transcript)
33. Discussion Points
- What is the role of tech? How much should it do?
  - With respect to market, law, and social norms?
- What values should we embody in tech?
  - And how to design for those values?
- Is privacy always good to have?
- How to assess risks better beforehand?
- Better h/w and s/w architectures?
  - Physical layer of privacy?
- Better UIs? Understandable mental models?
- Metrics for privacy?
- Third parties / companies that manage your privacy?
34. Fundamental Tech Challenges
- Make it easy for organizations to do the right thing
  - Detecting abuse (ex. honeypots, audits)
  - Better database aggregation and anonymization
  - Better org-wide policies and enforcement
- Make it easy for individuals to share the right info with the right people at the right times
  - Better ubicomp architectures that put end-users in control
  - Can't just flip a switch
- Make it easier for app developers to do the right thing
  - Better UIs (awareness, disclosures, decision-making)
  - Better design and evaluation methods
35. How Ubicomp Changes the Landscape
- Scope and scale
  - Everyone, everywhere, any time
- More personal
  - Location, activities, habits, hobbies, people you are with
- Breaks existing notions of how the world works
  - Close the door
  - Whisper to people
- Connected
  - Easy to share with others
  - Machine readable and searchable