An Architecture for Privacy-Sensitive Ubiquitous Computing (PowerPoint presentation)


Transcript and Presenter's Notes


1
An Architecture for Privacy-Sensitive Ubiquitous Computing
  • Jason I. Hong, HCI Institute, Carnegie Mellon University
  • James A. Landay, Computer Science and Engineering, University of Washington
2
Ubicomp Privacy is a Serious Concern
  • From a nurse required to wear an active badge:
    "It could tell when you were in the bathroom, when you left the unit, and
    how long and where you ate your lunch. EXACTLY what you are afraid of."
  • allnurses.com

3
Ubicomp Presents Range of Privacy Risks
  • How to maximize real benefit of ubicomp while
    minimizing perceived and actual privacy risks?

4
Approach: Confab Privacy Toolkit Informed by End-User Needs
  • Hard to analyze privacy
    • Analysis of end-user needs for ubicomp privacy
    • Interviews, surveys, postings on message boards
  • Hard to implement privacy-sensitive systems
    • Confab toolkit for privacy-sensitive ubicomp apps
    • Capture, processing and presentation of personal info
    • Focus on location privacy
  • Evaluation thru building apps
    • Location-enhanced messenger
    • Location-enhanced web proxy

5
Outline
  • Motivation
  • End-user Privacy Needs
  • Confab Toolkit for Privacy-Sensitive Ubicomp
  • Applications Built

6
An HCI Perspective on Privacy
  • "The problem, while often couched in terms of privacy, is really one of
    control. If the computational system is invisible as well as extensive,
    it becomes hard to know
    • what is controlling what
    • what is connected to what
    • where information is flowing
    • how it is being used"
  • Empower people so they can choose to share
    • the right information
    • with the right people or services
    • at the right time

Weiser, Gold, Brown, "The Origins of Ubiquitous Computing Research at PARC in the Late 1980s"
7
Analysis of End-User Privacy Needs
  • Lots of speculation about ubicomp privacy, little data
  • Published sources
    • Examined papers describing usage of ubicomp systems
    • Examined existing and proposed privacy protection laws
  • Surveys and interviews
    • Analyzed survey data of 130 people on ubicomp privacy preferences
    • Interviewed 20 people on location-based services
  • Existing systems
    • Analyzed postings on a nurse message board about locator systems

8
Summary of End-User Privacy Needs
  • Clear value proposition
  • Simple and appropriate control and feedback
  • Plausible deniability
  • Limited retention of data
  • Decentralized control
  • Special exceptions for emergencies

[Figure: Alice's location and Bob's location, each shared under the owner's own control]
9
Outline
  • Motivation
  • End-user Privacy Needs
  • Confab Toolkit for Privacy-Sensitive Ubicomp
  • Applications Built

10
Confab Toolkit for Privacy-Sensitive Ubicomp
  • Confab for privacy-sensitive ubicomp apps
    • Cover end-user privacy needs
    • Provide solid technical foundation for privacy-sensitive ubicomp
  • A toolkit needs to support all three of these layers
  • Must capture, store, process, share in privacy-sensitive manner

[Figure: three layers, Presentation / Infrastructure / Physical-Sensor.
Physical / Sensor: "I might acquire information privately, but not help
developers process it safely or provide visibility to end-users."
Presentation: "I might present choices well to users, but not have control
over how the info was acquired or processed."]
11
Past Work Addresses at Most One Layer
  • Today, building privacy-sensitive apps would have to be done in an ad hoc manner
  • Presentation: P3P, Privacy Mirrors
  • Infrastructure: ParcTab System, Context Toolkit
  • Physical / Sensor: Cricket Location Beacons, Active Bats
12
Confab High-Level Architecture
  • Capture, store, and process personal data on my computer as much as
    possible (laptops and PDAs)
  • Provide greater control and feedback over sharing

[Figure: "My Computer" holding an InfoSpace data store with Loc and Name
entries, feeding an App]
13
Example Built-in Confab Operator: Flow Control
  • Goal: disclose different info to different requestors
  • Conditions
    • Age of data
    • Requestor domain
    • Requestor ID
    • Requestor location
    • Data format
    • Data type
    • Current time
  • Actions
    • Allow
    • Lower precision
    • Set (fake value)
    • Hide (data is removed)
    • Invisible (no data out)
    • Timeout (fake network load)
    • Interactive
    • Deny (forbidden)
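An added example of how such an operator can be wired up (this is not Confab's code; the record layout, rule set and requestor identities are constructed for illustration). Rules are checked in order and the first match decides the outcome; with no match the answer is "unknown", the same answer an offline device would give, which is what gives the owner plausible deniability:

```python
"""Added example, not Confab's code: a flow-control operator in the style of
slide 13. Rules are checked in order; the first match decides what the
requestor gets back. The record layout, the rule set and the requestor
identities are constructed for illustration."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

# Precision levels from coarsest to finest; "Lower Precision" keeps a prefix.
LEVELS = ["country", "region", "city", "zip", "place", "latlon"]

@dataclass
class Request:
    requestor_id: str
    requestor_domain: str
    now: float                      # request time, seconds since the epoch

@dataclass
class Rule:
    cond: Callable[[Request, Dict[str, Any]], bool]
    action: str                     # allow|lower|set|hide|invisible|timeout|interactive|deny
    arg: Any = None                 # level for lower, fake record for set, fields for hide

def lower_precision(rec: Dict[str, Any], keep_to: str) -> Dict[str, Any]:
    """Return only the location fields at or above `keep_to` (e.g. city)."""
    keep = LEVELS[: LEVELS.index(keep_to) + 1]
    return {k: rec[k] for k in keep if k in rec}

def flow_control(rules: List[Rule], req: Request,
                 rec: Dict[str, Any]) -> Tuple[str, Optional[Dict[str, Any]]]:
    """Evaluate `rules` against the request and the stored record.

    Returns (outcome, data). `data` is what may be sent to the requestor;
    None means nothing is sent. With no matching rule the outcome is
    "unknown": indistinguishable from an offline device, so the owner keeps
    plausible deniability."""
    for r in rules:
        if not r.cond(req, rec):
            continue
        if r.action == "allow":
            return "allow", dict(rec)
        if r.action == "lower":
            return "lower", lower_precision(rec, r.arg)
        if r.action == "set":               # fake value that looks like a real answer
            return "set", dict(r.arg)
        if r.action == "hide":              # named fields removed, rest disclosed
            return "hide", {k: v for k, v in rec.items() if k not in r.arg}
        if r.action == "invisible":         # no data out at all
            return "invisible", None
        if r.action == "timeout":           # caller stalls as if the network were down
            return "timeout", None
        if r.action == "interactive":       # caller asks the owner before answering
            return "interactive", None
        if r.action == "deny":              # explicit refusal
            return "deny", None
        raise ValueError(f"unknown action {r.action!r}")
    return "unknown", None

# Constructed record for the owner, in the hierarchy the MiniGIS slide uses.
ALICE = {"country": "United States", "region": "California", "city": "Berkeley",
         "zip": "94709", "place": "Soda Hall", "latlon": (37.875, -122.257),
         "timestamp": 1_000_000.0}

# Constructed rule set; requestor ids and domains are hypothetical.
RULES = [
    # data older than an hour is never disclosed, whoever asks
    Rule(lambda q, r: q.now - r["timestamp"] > 3600, "invisible"),
    # one named friend sees everything
    Rule(lambda q, r: q.requestor_id == "bob@example.org", "allow"),
    # colleagues get city level only
    Rule(lambda q, r: q.requestor_domain == "cs.berkeley.edu", "lower", "city"),
    # an advertiser gets a plausible fake
    Rule(lambda q, r: q.requestor_domain.endswith(".ads.example"), "set",
         {"city": "Sacramento", "region": "California", "country": "United States"}),
    # a blocked domain is refused outright
    Rule(lambda q, r: q.requestor_domain == "blocked.example", "deny"),
]

if __name__ == "__main__":
    print(flow_control(RULES, Request("carol", "cs.berkeley.edu", 1_000_100.0), ALICE))
```

Rule order matters: the staleness rule sits first so that even the trusted friend cannot pull an hour-old position, and "deny" is kept distinct from "invisible" because a refusal tells the requestor a policy exists while "unknown" does not.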

14
Outline
  • Motivation
  • End-user Privacy Needs
  • Confab Toolkit for Privacy-Sensitive Ubicomp
  • Physical layer for acquiring location
  • Infrastructure layer
  • Presentation layer
  • Applications Built

15
Physical / Sensor Layer: Intel's Place Lab Location Source
  • Determine location via a local database of WiFi access points
    • Unique WiFi MAC address → latitude, longitude
    • Periodically update your local copy
  • Works indoors and in urban canyons
  • Works with encrypted nodes
  • No special equipment
  • Privacy-sensitive
  • Rides the WiFi wave
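An added example of the lookup the slide describes (not Place Lab's own code; the access-point table, the scan and the signal-strength weighting are constructed assumptions). The point to notice is that only the downloaded table is consulted, so the BSSIDs the client can see never leave the machine, and since the BSSID comes from the beacon frame no association or key is needed for encrypted networks:

```python
"""Added example, not Place Lab's code: position estimate from the WiFi
access points currently visible, using only a local MAC -> lat/lon table.
The table, the scan and the signal-strength weighting are constructed
assumptions for illustration."""
from typing import Dict, Optional, Tuple

# Local copy of the beacon database (constructed; a real Place Lab snapshot
# of the Bay Area has ~60,000 entries). BSSID -> (latitude, longitude).
AP_DB: Dict[str, Tuple[float, float]] = {
    "00:11:22:33:44:01": (37.8752, -122.2580),
    "00:11:22:33:44:02": (37.8748, -122.2566),
    "00:11:22:33:44:03": (37.8755, -122.2572),
    "00:11:22:33:44:04": (37.8700, -122.2700),  # not seen in the scan below
}

def weight(rssi_dbm: float) -> float:
    """Map signal strength to a weight in [0.05, 1]: -90 dBm -> floor,
    -30 dBm -> 1. Assumed heuristic; stronger beacons pull the estimate."""
    return max(0.05, min(1.0, (rssi_dbm + 90.0) / 60.0))

def estimate(scan: Dict[str, float]) -> Optional[Tuple[float, float, int]]:
    """Weighted centroid of the known access points in `scan`
    (BSSID -> RSSI in dBm). Returns (lat, lon, aps_used) or None.

    Only the local table is consulted: the BSSIDs seen by the client never
    leave the machine. Beacons from encrypted networks work too, because the
    BSSID is in the beacon frame; no association or key is needed."""
    total = lat_sum = lon_sum = 0.0
    used = 0
    for bssid, rssi in scan.items():
        pos = AP_DB.get(bssid.lower())
        if pos is None:          # unknown AP: skip it, never ask a server
            continue
        w = weight(rssi)
        lat_sum += w * pos[0]
        lon_sum += w * pos[1]
        total += w
        used += 1
    if used == 0:
        return None
    return lat_sum / total, lon_sum / total, used

# Constructed scan result: three known APs plus one the table has never seen.
SCAN = {
    "00:11:22:33:44:01": -45.0,
    "00:11:22:33:44:02": -60.0,
    "00:11:22:33:44:03": -70.0,
    "aa:bb:cc:dd:ee:ff": -50.0,
}

if __name__ == "__main__":
    print(estimate(SCAN))
```

Returning None when nothing matched is deliberate: the alternative, falling back to a network geolocation service, would reintroduce exactly the disclosure the local database avoids.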

16
PlaceLab Data at SF Bay Area
[Figure: map of the SF Bay Area, 60,000 nodes (4 MB)]
17
PlaceLab Data at UC Berkeley
[Figure: map of the University of California, Berkeley campus, 1,000 nodes]
18
Outline
  • Motivation
  • End-user Privacy Needs
  • Confab Toolkit for Privacy-Sensitive Ubicomp
  • Physical layer for acquiring location
  • Infrastructure layer
  • Presentation layer
  • Applications Built

19
Infrastructure Layer: Confab's Built-in MiniGIS Operator
  • People and apps need semantically useful names
    • "Meet me at 37.875, -122.257"
  • MiniGIS operator transforms location info locally
    • Using network-based services would be a privacy hole
  • Whittled down to 30 MB from public sources
  • Places were hardest to get: 3 undergrads and me scouring Berkeley

Example hierarchy:
  • Country Name: United States
  • Region Name: California
  • City Name: Berkeley
  • ZIP Code: 94709
  • Place Name: Soda Hall
  • Latitude/Longitude: 37.875, -122.257
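An added example of a local reverse geocoder in the shape of the hierarchy above (this is not Confab's MiniGIS; the bounding boxes, place points and radius are a tiny constructed dataset standing in for the 30 MB one). Nothing here touches the network, which is the whole reason the operator exists:

```python
"""Added example, not Confab's MiniGIS: a local reverse geocoder that turns
lat/lon into the country/region/city/ZIP/place hierarchy of slide 19 without
any network call. The tiny dataset below is constructed."""
import math
from typing import Dict, Optional, Tuple

# Bounding boxes: (min_lat, min_lon, max_lat, max_lon). Constructed values.
CITIES = {
    "Berkeley": ((37.85, -122.32, 37.91, -122.23), "California", "United States"),
}
ZIPS = {
    "94709": (37.870, -122.270, 37.890, -122.250),
    "94704": (37.855, -122.270, 37.870, -122.250),
}
# Named places as points (lat, lon); a hit needs to be within PLACE_RADIUS_M.
PLACES = {
    "Soda Hall": (37.8750, -122.2570),
    "Cory Hall": (37.8752, -122.2577),
}
PLACE_RADIUS_M = 50.0

def haversine_m(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in metres between two (lat, lon) points."""
    r = 6_371_000.0
    p1, p2 = math.radians(a[0]), math.radians(b[0])
    dphi = p2 - p1
    dlam = math.radians(b[1] - a[1])
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))

def _in_box(lat: float, lon: float, box: Tuple[float, float, float, float]) -> bool:
    min_lat, min_lon, max_lat, max_lon = box
    return min_lat <= lat <= max_lat and min_lon <= lon <= max_lon

def minigis(lat: float, lon: float) -> Dict[str, Optional[object]]:
    """Resolve a coordinate to the naming hierarchy, purely from local tables.
    Levels that cannot be resolved are left None rather than guessed."""
    out: Dict[str, Optional[object]] = {"country": None, "region": None, "city": None,
                                        "zip": None, "place": None, "latlon": (lat, lon)}
    for city, (box, region, country) in CITIES.items():
        if _in_box(lat, lon, box):
            out.update(city=city, region=region, country=country)
            break
    for code, box in ZIPS.items():
        if _in_box(lat, lon, box):
            out["zip"] = code
            break
    best = None                      # nearest named place within the radius
    for name, pt in PLACES.items():
        d = haversine_m((lat, lon), pt)
        if d <= PLACE_RADIUS_M and (best is None or d < best[1]):
            best = (name, d)
    if best:
        out["place"] = best[0]
    return out

def name_for(lat: float, lon: float) -> str:
    """Most specific name available, so "Meet me at Soda Hall" instead of numbers."""
    h = minigis(lat, lon)
    for level in ("place", "zip", "city", "region", "country"):
        if h[level]:
            return str(h[level])
    return f"{lat:.3f}, {lon:.3f}"

if __name__ == "__main__":
    print(minigis(37.875, -122.257))
    print(name_for(37.875, -122.257))
```

The same hierarchy is what a "lower precision" disclosure can truncate: handing out the city name from this result rather than the place name or the raw coordinate.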
20
Confab Architecture
[Figure: "My Computer" with an InfoSpace data store (Loc, Name) feeding a Tourguide app]
  • How to make users aware of and able to control the flow of personal info?
21
Outline
  • Motivation
  • End-user Privacy Needs
  • Pitfalls in User Interfaces for Privacy
  • Confab Toolkit for Privacy-Sensitive Ubicomp
  • Physical layer for acquiring location
  • Infrastructure layer
  • Presentation layer
  • Applications Built

22
Presentation Layer: Notifications
  • Notification UI when others request your location (pull)
  • Default is always "unknown" (plausible deniability)

23
Presentation Layer: PlaceBar
  • PlaceBar UI used when you send to others (push)
  • "If you give me your city location, I can offer events, museum lines"

24
Confab Architecture
[Figure: "My Computer" with an InfoSpace data store (Loc, Name) feeding a Tourguide app]
  • How to control personal info once it leaves your computer?
25
Privacy Tags
  • Digital Rights Management for privacy
  • Like adding a note to email: "Please don't forward"
    • Notify address: notify-abc@cs.berkeley.edu
    • Time to live: 5 days
    • Max number of sightings: last 5 sightings of my location
  • Provide libraries for making it easy for app developers
  • Requires non-technical solutions for deployment
    • Market support thru TRUSTe, Consumer Reports
    • Legal support thru data retention laws
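An added example of what a cooperating receiver would have to do with those three tag fields (this is not Confab's tag library; addresses, timestamps and locations are constructed, and notifications are collected in a list rather than e-mailed). As the slide says, nothing technical forces the receiver to run this; the tag only works where market or legal pressure makes the other side honour it:

```python
"""Added example, not Confab's privacy-tag library: a receiving side that
honours the three tag fields on slide 25 (notify address, time to live,
max sightings). Notifications are collected in a list instead of being
e-mailed; addresses, timestamps and locations are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class PrivacyTag:
    notify: Optional[str]     # who to tell when the data is stored or queried
    ttl_seconds: float        # delete the sighting after this long
    max_sightings: int        # keep at most this many sightings of the subject

@dataclass
class Sighting:
    subject: str
    location: str
    ts: float                 # when the location was observed
    tag: PrivacyTag           # the tag travels with the data

class TaggedStore:
    """Stores sightings and enforces the tags attached to them."""

    def __init__(self) -> None:
        self._by_subject: Dict[str, List[Sighting]] = {}
        # (address, event, subject, when); stand-in for sending e-mail
        self.notifications: List[Tuple[str, str, str, float]] = []

    def _notify(self, s: Sighting, event: str, when: float) -> None:
        if s.tag.notify:
            self.notifications.append((s.tag.notify, event, s.subject, when))

    def add(self, s: Sighting) -> None:
        lst = self._by_subject.setdefault(s.subject, [])
        lst.append(s)
        lst.sort(key=lambda x: x.ts)
        # max-sightings: the limit on the newest tag bounds the subject's history
        while len(lst) > s.tag.max_sightings:
            lst.pop(0)            # oldest sighting is deleted, not archived
        self._notify(s, "stored", s.ts)

    def expire(self, now: float) -> int:
        """Drop every sighting whose TTL has run out; returns the count dropped."""
        dropped = 0
        for subject, lst in self._by_subject.items():
            keep = [x for x in lst if now - x.ts <= x.tag.ttl_seconds]
            dropped += len(lst) - len(keep)
            self._by_subject[subject] = keep
        return dropped

    def query(self, subject: str, now: float) -> List[Sighting]:
        """Return current sightings of `subject`, expiring stale ones first and
        telling each sighting's notify address that it was looked at."""
        self.expire(now)
        result = list(self._by_subject.get(subject, []))
        for s in result:
            self._notify(s, "queried", now)
        return result

if __name__ == "__main__":
    tag = PrivacyTag("notify-abc@cs.berkeley.edu", 5 * 86400, 3)
    store = TaggedStore()
    for i in range(4):
        store.add(Sighting("alice", f"place-{i}", i * 3600.0, tag))
    print([s.location for s in store.query("alice", 4 * 3600.0)])
```

Expiry runs on every query rather than only on a timer so that a record past its TTL is never returned even if the cleanup job has not run yet.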

26
Outline
  • Motivation
  • Analysis of End-user Privacy Needs
  • Confab Toolkit for Privacy-Sensitive Ubicomp
  • Applications Built

27
Putting it Together 1: Location-Enhanced Messenger
28
Putting it Together 1: Location-Enhanced Messenger
29
Putting it Together 2: Location-Enhanced Web Proxy
  • Auto-fills location information on existing web sites

PageModification
  URL: http://www.starbucks.com/
  txtCity → CityName
  txtState → RegionCode
  txtZip → ZIPCode
[Figure: screenshots of the MapQuest and Starbucks store-locator forms]
30
Putting it Together 2: Location-Enhanced Web Proxy
  • Location-aware web sites
  • Different content based on your current location

31
Application Details
  • Location-enhanced instant messenger
    • Uses Hamsam library for cross-platform IM
    • 2500 lines of code across 23 classes, about 5 weeks (mostly GUI)
    • Acquiring location, InfoSpace store (and preferences), location
      queries, automatic updates, access notifications, MiniGIS dataset
  • Location-enhanced web proxy
    • Added 800 lines of code to existing 800 lines, about 1 week
    • Location queries, automatic updates, MiniGIS dataset, PlaceBar
  • Other apps
    • Emergency response app, distributed querying app
  • Confab reduces what would be a lot of duplicated work

32
Other Parts of this Work
  • Common risks to design for in privacy-sensitive systems?
    • Hong, Ng, Lederer, Landay, DIS 2004: "Privacy Risk Models for
      Designing Privacy-Sensitive Ubiquitous Computing Systems"
  • Common mistakes to avoid in the user interface?
    • Lederer, Hong, Dey, Landay, PUC 2004: "Personal Privacy through
      Understanding and Action: Five Pitfalls for Designers"
  • Design rationale at presentation layer
  • User evaluations of the apps

33
Conclusions
  • Confab toolkit for facilitating construction of
    privacy-sensitive ubicomp applications
  • Privacy at physical, infrastructure, and
    presentation layers
  • Push architecture towards local capture,
    processing, storage
  • Couple w/ better UIs for greater choice, control,
    and feedback
  • Use technology correctly to enhance life. It is
    important that people have a choice in how much
    information can be disclosed. Then the technology
    is useful.

34
Thanks to DARPA Expeditions NSF ITR
Intel Fellowship Siebel Systems Fellowship
PARC Intel Research
Acknowledgements
John CannyAnind DeyScott LedererJennifer
NgBill SchilitDoug TygarMany, many others
  • Jason I. Hong
  • jasonh_at_cs.berkeley.edu
  • http//guir.berkeley.edu/confab

http//placelab.org
35
Hypothesis: The Privacy Hump
[Figure: "fears" plotted against "time"; fears rise to a hump, then settle]
  • Pessimistic: many legitimate concerns, many alarmist rants. Right way to
    deploy? Value proposition? Rules on fair use?
  • Optimistic: things have settled down, few fears materialized; market,
    social, legal, tech; we get tangible value
36
Missing Pieces of the Privacy Puzzle
  • How do privacy perceptions change over time?
    • E-commerce studies suggest experience is important (privacy hump)
  • How do privacy perceptions vary across cultures?
    • Western cultures tend to be more individualistic
  • Metrics for privacy?
    • Specific data types (location) or problems (price discrimination)
  • Economic incentives for companies to do the right thing?
  • Other kinds of protection at the physical layer?
  • How perfect do we want our ubicomp systems to be?
    • Accurate and reliable → harder to lie