panel: prototyping and building systems four rants on privacy and ubicomp
DESCRIPTION
Panel: Prototyping and Building Systems Four Rants on Privacy and Ubicomp. Jason I. Hong jasonh at cs cmu edu Intel Usable Privacy Forum. Rant Overview. We should push client-centered ubicomp more We should examine how people already manage their privacy today - PowerPoint PPT PresentationTRANSCRIPT
Panel: Prototyping and Building Systems Four Rants on Privacy and Ubicomp
Jason I. Hong
jasonh at cs cmu edu
Intel Usable Privacy Forum
Rant Overview
• We should push client-centered ubicomp more• We should examine how people already manage
their privacy today• We need to develop better privacy risk models• We need better ways of aligning all stakeholders
Rant #1
We should push client-centered ubicomp more
• Find nearby “interesting” events– Notify me whenever Yo-Yo Ma is in town
– Pull out in a bar to find next thing to go to
• How Whisper works– Crawls web for events
– Every morning, download all events in “Portland” onto PDA
– Calculate location locally (ex. Place Lab)
– Filter events locally based on interests and location
– Whisper only knows you are in “Portland”
Whisper Event Service
• Useful location-based service in privacy-sensitive way
• Basic idea:– Local sensing, local storage, local processing
– Provide better control and feedback over sharing
• Examples:– Sensing: GPS, Cricket, Place Lab
– Storage: Occasionally Connected Computing• Sync up lots of potentially useful info beforehand
– Anonymous Broadcast• Satellites (GPS, Sirius or XM), Radio (AM / FM)
• Research issues:– Range of services possible? Tradeoffs?
– What kinds of mental models? User interfaces?
– Client-centered arch is structural, combine with algorithmic?
Client- Centered Architectures
Rant #2
We should examine how people already
manage their privacy today
Projecting Personas
How Do People Manage Privacy Today?
• What we wear, how we talk, who we eat with, etc– Not just secrecy
– Not just control and feedback
– Not just informed consent
Interaction is a “performance” shaped by environment and audience, constructed to project an “impression” consonant with desired goals of the actor
How Do We Manage Impressions?
• Spatial boundaries– Ex. closing door, seeing who else is around
– Leverages our understanding of physics
• Temporal boundaries– Ex. Big Hair in the 80s
• Social and Organizational boundaries– Ex. student and advisor, student and peers
– Leverages our understanding of social roles and power
• “Place / Activity” boundaries– Ex. “at work”, “at home”, “in the car”, “on my way”
But Ubicomp Disrupts Our Understanding
• You think you are in one context, actually overlapped in many others
• Without this understanding, cannot act appropriately and project desired persona
Possible Research Directions
• Foster better mental models– Sensor notifications, ex. beeps at new people to see– Make sensing viscerally clear at the physical layer
• Match people’s existing mental models– Be mostly harmless, ex. reduce identifiability– Locality, ex. limit queries or broadcast by location– Minimize boundary crossings at deploy-time– Sense bounds and adapt (possible??)
• Leverage other existing techniques– Plausible deniability, ex. missed cell phone call
• Ex. How good / reliable do we want infrastructure to be?– Incremental steps with familiar tech, ex. web browser or IM– Make risky things look scary, “hair standing on back of neck”
But a Word of Caution…
Lederer, MS Thesis, UC Berkeley, 2004
Rant #3
We need to develop better privacy risk models
Privacy Risk Model AnalogySecurity Threat Model
“[T]he first rule of security analysis is this: understand your threat model. Experience teaches that if you don’t have a clear threat model – a clear idea of what you are trying to prevent and what technical capabilities your adversaries have – then you won’t be able to think analytically about how to proceed. The threat model is the starting point of any security analysis.”
- Ed Felten
• Example privacy risks– Overzealous parents, “friendly stalkers”
– Undesired social obligations
– Location-based spam
– Employer monitoring
– Identity theft, spyware, viruses, phishing
– Muggers, domestic abusers, not-so-friendly stalkers
– 1984 governments
• No system can account for every conceivable risk• Need methods and tools for assessing and prioritizing
risks to provide a reasonable level of privacy against foreseeable risks
Why Privacy Risk Models?
• Getting it right the first time is hard• Need better support for going quickly around this loop
Iterative Design for Assessing Risks
Design
Prototype
Evaluate
• Basic Idea:– Get feedback from real users early on
– Go thru multiple iterations quickly and easily before actually building and deploying apps
– Involve people beyond application developers• Ex. Interaction designers, sociologists, lawyers, etc
• Examples:– Topiary
Li, Hong, Landay, UIST2005
Idea #1: Rapid Prototyping Tools
• Basic Idea:– Get feedback from real users early on
– Go thru multiple iterations quickly and easily before actually building and deploying apps
– Involve people beyond application developers• Ex. Interaction designers, sociologists, lawyers, etc
• Examples:– Topiary
• Research issues:– How far can we go with prototyping tools for ubicomp?
• Ex. How much sensing can we fake? Range of apps? Space and time issues?
– How to support larger-scale prototypes?
Idea #1: Rapid Prototyping Tools
• More dissemination of risks with specific data types– Case studies
– Design patterns
• Task analysis / Checklist analogy– Social: Relationship between people?
– Tech: Where is data stored? – Interaction: Optimistic / Interactive / Pessimistic (Povey
2002)
(Hong, Ng, Lederer, Landay, DIS2004)
• Extreme programming analogy– One team builds, another attacks or subverts
Idea #2: Methods for Analyzing Risks
• Can we measure a system’s level of privacy?– Could compare designs systematically
– Crystallize idea of privacy in app developer minds
– Hopefully lead to an “arms race” (MHz, GB, and “Westins”)
• Example: location data– How precisely / how often can a service ID your location?
– Privacy vs. bandwidth (ex. requesting chunks of data)
– Privacy vs. timeliness (ex. use cached data)
– Defend vs specific scenarios (ex. price discrimination)
• Possible approaches:– TREC bakeoffs on corpus of location data
– TREC bakeoffs on architectures
Idea #3: Information Privacy Metrics
Rant #4
We need better ways of aligning all stakeholders
• Aligning stakeholder interests– Government – homeland security / accountability
– Market – making money
– App developers – scalable, robust, and “cool”
– …
• Few incentives for doing the right thing– Why make sensors obvious? Extra cost in manufacturing
– Why program it that way? Extra cost in learning and programming for app developers
– Why not collect info? Lowers opportunities for marketing
Hardest Part of Ubicomp Privacy
• Service: payment support for ubicomp– Cross-subsidization, ex. mall tour guide
– Ad-based, ex. radio
– Public service, ex. GPS
– Service per use, ex. credit card, micropayments
• Third parties for managing your privacy?– Only disclose your location info in emergencies (MedicAlert)
– Warn you about bad services
– You’ve already disclosed A and B, don’t disclose C
– Privacy Angel, Private Computation
Idea #1: Figure out sustainable biz models
(Boddupalli et al. WMCSA2003)
• Develop better toolkits, infrastructures, etc• Market them to app developers
– Easy to learn (leverage existing tech, ex. http?)
– Easy to create cool apps
– Scalable, robust
– Oh yeah, and privacy too (for free)
• Probably not best approach, but might get us 80% of the way there– Surreptitiously sneak privacy into the core ubicomp fabric
– Popularize it to become the de facto standard
Idea #2: Bottom-up with App Developers
Rant Summary
• Push client-centered ubicomp first– Local sensing, local storage, local processing
– Better user interfaces when sharing personal info
• How people already manage their privacy today– Projecting personas
– Plausible deniability
• Better privacy risk models– Rapid prototyping tools
– Analysis methods
– Metrics
• Better ways of aligning all stakeholders– Biz models
– App developers
• Payment Support in Ubiquitous Computing Environments, by Boddupalli et al. (WMCSA2003)
• Privacy Risk Models for Designing Privacy-Sensitive Ubiquitous Computing Systems, by Hong et al. Designing Interactive Systems (DIS2004).
• Topiary: A Tool for Prototyping Location-Enhanced Applications, by Li, Hong, and Landay. (UIST2004)
Some Relevant Papers
Bonus Slides
• Scope and scale– Everywhere, any time
• Easier to collect and share info– Location, activities, habits, hobbies, people with
• Breaks existing notions of space and time– Close the door
– Whisper to people
• Machine readable and searchable
How Ubicomp Changes the Landscape
• Basic Idea:
• Examples:
• Research Issues
Privacy-Sensitive Ubicomp ArchitecturesMultiple Layers of Privacy
Physical / Sensor
Infrastructure
Presentation
Cricket Location Beacons, Active Bats
P3P, Privacy Mirrors
ParcTab System, Context Toolkit
Privacy Perspective #1Control and Feedback
“The problem, while often couched in terms of privacy, is really one of control. If the computational system is invisible as well as extensive, it becomes hard to know:
– what is controlling what
– what is connected to what
– where information is flowing
– how it is being used
The Origins of Ubiquitous Computing Research at PARC in the Late 1980s
Weiser, Gold, Brown
Empower people so they can choose to share:
• the right information• with the right people or services• at the right time
• Make it easy for organizations to do the right thing– Detecting abuse (ex. honeypots, audits)
– Better database aggregation and anonymization
– Better org-wide policies and enforcement
• Make it easy for organizations to do the right thing– Detecting abuse (ex. honeypots, audits)
– Better database aggregation and anonymization
– Better org-wide policies and enforcement
Challenges
• Basic idea:– Local sensing, local storage, local processing
– Provide better control and feedback over sharing
• Examples:– Sensing: GPS, Cricket, Place Lab
Client- Centered Architectures
A B
C