Understanding User Privacy in Internet of Things Environments
HOSUB LEE AND ALFRED KOBSA
DONALD BREN SCHOOL OF INFORMATION AND COMPUTER SCIENCES
UNIVERSITY OF CALIFORNIA, IRVINE
2016-12-13 IEEE WORLD FORUM ON INTERNET OF THINGS 2016 1

Agenda
Introduction
Related Work
Privacy Preferences in IoT
◦ Privacy Preference Collection
◦ Privacy Preference Analysis
◦ Interpretation of Privacy in IoT
Limitations and Future Work
Conclusion

Introduction (1/4)
Internet of Things (IoT)
◦ Networked computing environment consisting of diverse physical objects
◦ Collection of personal information with minimum user intervention
Privacy in IoT
◦ IoT gives benefits, but can compromise user privacy
◦ Privacy is an important issue for more widespread use of IoT
◦ Lack of efforts to fully “understand” users’ privacy concerns in IoT
[Figures: Home Automation in IoT; Privacy Concerns in IoT]

Introduction (2/4)
Privacy Preference Collection
◦ We collected users’ privacy preferences about IoT scenarios via online survey
[Diagram labels: IoT scenarios; Privacy Preferences]

Introduction (3/4)
Privacy Preference Analysis
◦ We performed a cluster analysis on the collected privacy preferences
◦ We identified 4 distinct clusters of scenarios wrt. potential privacy risks
[Diagram labels: IoT scenarios; Privacy Preferences; K-modes clustering algorithm; Clustered Preferences (K=4)]

Introduction (4/4)
Interpretation of Privacy in IoT
◦ We found some relationships between IoT contexts and users’ privacy preferences
[Diagram labels: IoT scenarios; Privacy Preferences; K-modes clustering algorithm; Clustered Preferences (K=4); Privacy-invasive Contexts in IoT; “People have privacy concerns in case …”]

Related Work
Privacy Preference Analysis in UbiComp
◦ Privacy preference determinants in ubiquitous computing (ACM CHI ‘03)
◦ A survey of private moments in the home (ACM UbiComp ‘11)
◦ Capturing location-privacy preferences (Personal and Ubiquitous Computing ‘11)
◦ A personal location system with protected privacy in IoT (IEEE BNMT ’11)
Insights
◦ Identity of information requester is important
◦ No tracking personal behavior at home
◦ Full control of location sharing
◦ Active location sharing in emergency situations
◦ How do people make privacy decisions in “IoT” environments?
◦ More diverse contextual factors need to be considered

Privacy Preferences in IoT
1. DATA COLLECTION
2. DATA ANALYSIS
3. INTERPRETATION

Data Collection (1/5)
Previous Works [1]
◦ We defined contextual parameters that construct IoT scenarios
  ◦ where
  ◦ what
  ◦ who
  ◦ reason
  ◦ persistence
◦ We defined reaction parameters that indicate users’ privacy preferences
  ◦ _notification
  ◦ _permission
  ◦ _comfort
  ◦ _risk
  ◦ _appropriateness
[1] HCI in Business: A collaboration with academia in IoT privacy (HCIB 2015)

Data Collection (2/5)
Contextual Parameters
Sample IoT Scenario: A device of a friend (C3=3) records your voice to check your presence (C2=9). This happens once (C5=0), while you are at semi-public place (C1=2), for your safety (C4=1).

Data Collection (3/5)
Reaction Parameters
Sample Question: Would you want to allow this monitoring?
Sample Answer Options:
○ allow, always (R2=1)
○ allow, just this time (R2=2)
○ reject, just this time (R2=3)
○ reject, always (R2=4)

Data Collection (4/5)
Online Survey Study
◦ We recruited 200 participants on Amazon Mechanical Turk (MTurk)
◦ US resident, English speaker, high reputation at Amazon MTurk
◦ 100 females/99 males (1 unknown), majority (57.5%) are aged 25-40
◦ We educated them about IoT (e.g., definition, application scenario, etc.)
[Diagram labels: Online Survey System (Amazon MTurk); IoT]

Data Collection (5/5)
Online Survey Study (Cont’d)
◦ We created scenarios via random permutation of contextual parameter values
◦ We individually asked for their reactions and opinions on the given scenarios
◦ We collected privacy preferences for 2,800 IoT scenarios
[Diagram labels: Participants; Online Survey System (Amazon MTurk)]
IoT Scenario: A device of a friend records your voice to check your presence. This happens once, while you are at semi-public place, for your safety.
Question: Would you want to allow this monitoring?
Privacy Preference: I’m willing to allow it just this time.

Data Analysis (1/5)
K-means Clustering Algorithm
◦ Most popular data mining technique to partition observations into K clusters
◦ Restricted to continuous numeric values (e.g., 3.2415, 2.1254, …)
K-modes Clustering Algorithm
◦ Variant of K-means to directly cluster categorical data
◦ Replacing cluster means with modes
◦ Using the simple matching dissimilarity function instead of the Euclidean distance function
◦ Updating modes with the most frequent categorical attributes in each clustering step
Our Dataset
Contextual Parameters | Reaction Parameters
C1 C2 C3 C4 C5 | R1 R2 R3 R4 R5
 3  2  6  4  0 |  1  1  6  6  6
 …  …  …  …  … |  …  …  …  …  …
[Diagram labels: K-modes; K-means]

Data Analysis (2/5)
Selecting the Number of Clusters
◦ We heuristically searched for the optimal K
◦ We computed the sum of errors (SE) of the clustering while increasing K from 2 to 10
◦ SE is the sum of the distance between each member of the cluster and the cluster’s centroid
where x is a data point belonging to the i-th cluster and c_i is the mode of the i-th cluster
◦ We found the largest decrease in errors (SE_{K-1} - SE_K) occurs when we increase K from 3 to 4
[Figure: Sum of Errors (SE) plotted against K, for K from 2 to 10; annotation: Largest Error Decrease (K=4)]
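The K-modes steps from Data Analysis (1/5) and the SE-based search for K from Data Analysis (2/5), as an added example that is not the authors' code. Assumptions: the records are constructed (not the survey data), modes start at the first K distinct records, and ties for a mode go to the smallest code.

```python
# Added example: K-modes on integer-coded categorical records (C1..C5, R1..R5).

def mismatch(a, b):
    """Simple matching dissimilarity: number of attributes whose values differ."""
    return sum(x != y for x, y in zip(a, b))

def column_mode(col):
    """Most frequent value in a column; ties go to the smallest code (assumption)."""
    return max(sorted(set(col)), key=col.count)

def k_modes(rows, k, max_iter=50):
    """Return (modes, labels, SE). Assumption: modes start at the first k distinct rows."""
    modes = list(dict.fromkeys(rows))[:k]
    labels = None
    for _ in range(max_iter):
        new = [min(range(len(modes)), key=lambda j: mismatch(r, modes[j])) for r in rows]
        if new == labels:          # assignments stable: converged
            break
        labels = new
        for j in range(len(modes)):
            members = [r for r, lab in zip(rows, labels) if lab == j]
            if members:            # rebuild the mode attribute by attribute
                modes[j] = tuple(column_mode(c) for c in zip(*members))
    # SE: summed distance between every record and the mode of its cluster
    se = sum(mismatch(r, modes[lab]) for r, lab in zip(rows, labels))
    return modes, labels, se

def scan(rows, k_values=range(2, 6)):
    """SE for each candidate K (the slide scans K from 2 to 10)."""
    return {k: k_modes(rows, k)[2] for k in k_values}

def largest_decrease(se_by_k):
    """K whose step from K-1 gives the largest drop SE_{K-1} - SE_K."""
    ks = sorted(se_by_k)
    return max(ks[1:], key=lambda k: se_by_k[k - 1] - se_by_k[k])

# Constructed sample records, three loose groups interleaved.
ROWS = [
    (2, 9, 4, 4, 0, 1, 1, 6, 6, 6), (0, 5, 1, 6, 1, 4, 4, 1, 1, 1), (3, 7, 5, 2, 1, 2, 3, 3, 3, 3),
    (2, 9, 3, 4, 0, 1, 1, 6, 6, 6), (0, 5, 7, 6, 1, 4, 4, 1, 1, 1), (3, 7, 5, 2, 0, 2, 3, 3, 3, 3),
    (2, 9, 4, 1, 0, 1, 1, 6, 6, 6), (0, 3, 1, 6, 1, 4, 4, 1, 1, 1), (1, 7, 5, 2, 1, 2, 3, 3, 3, 3),
]

if __name__ == "__main__":
    se = scan(ROWS)
    print(se, "largest decrease at K =", largest_decrease(se))
```

On this constructed data the drop in SE flattens after the third cluster; the same scan over a real survey table only needs `ROWS` replaced by its records.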

Data Analysis (3/5)
Clustering Results
◦ 4 clusters differ from each other primarily in contextual parameters:
  ◦ what (C2) and who (C3)
◦ Each mode has unique and identical values for reaction parameters:
  ◦ _comfort (R3), _risk (R4), _appropriateness (R5)
[Table: Modes of Clusters]

Data Analysis (4/5)
Labeling of Clusters
◦ We labeled each cluster using reaction parameters R3, R4, R5
  ◦ E.g., cluster 1 as “Acceptable” because its mode has the second highest value for R3, R4, R5
◦ We assigned colors to clusters
  ◦ green (CL1), yellow (CL2), red (CL3), black (CL4)
◦ Cluster distribution
  ◦ “Acceptable” (12.6%) vs. “Very Unacceptable” (40.8%)
_appropriateness (R5) scale:
1 Very inappropriate
2 Inappropriate
3 Somewhat inappropriate
4 Neutral
5 Somewhat appropriate
6 Appropriate
7 Very appropriate
[Table: Modes of Clusters]

Data Analysis (5/5)
Verification of Clustering Results
◦ Welch’s t-tests on reaction parameters in {CL1, CL2}, {CL2, CL3}, {CL3, CL4}
◦ Reaction parameter values between each pair of clusters are statistically distinct (p < 0.016)
◦ Clusters are distinct from each other in terms of user reactions to the scenarios
◦ Information visualization
  ◦ We projected all data entries onto a 2-d space using R5 values as their coordinates
2016-12-13 HOSUB LEE – ADVANCEMENT TO CANDIDACY 18
[Figure axes: "_APPROPRIATENESS" on both axes, ticks 0 to 8 (1: very inappropriate, 2: inappropriate, 3: somewhat inappropriate, 4: neutral, 5: somewhat appropriate, 6: appropriate, 7: very appropriate)]
Scenarios that respondents deemed very inappropriate (R5=1) mostly became clustered into CL4 (black)
Scenarios that respondents deemed appropriate (R5=6, 7) mostly became clustered into CL1 (green)
Visualization of Clustering Results

Interpretation – where
Findings
◦ Monitoring at personal places is very unacceptable
◦ Monitoring at public spaces is unacceptable
◦ Monitoring at semi-public spaces is somewhat unacceptable
[Figure: relative frequency (0% to 100%) of each cluster per value of the "WHERE" parameter (0: your place, 1: someone else's place, 2: semi-public space, 3: public space); legend: [CL4] Very unacceptable, [CL3] Unacceptable, [CL2] Somewhat unacceptable, [CL1] Acceptable]
p < .0001, d = 0.4791
p < .0001, d = 0.4921
p < .0001, d = 0.6109
p: chi-square test of association
d: effect size (large if d > 0.6)

Interpretation – what (1/2)
Findings
◦ Gaze monitoring is very unacceptable
◦ Photo-taking or video monitoring is unacceptable
[Figure: relative frequency (0% to 100%) of each cluster per value of the "WHAT" parameter; legend: [CL4] Very unacceptable, [CL3] Unacceptable, [CL2] Somewhat unacceptable, [CL1] Acceptable]
p = 0.0001, d = 0.3041
p < .0001, d = 0.319

Interpretation – what (2/2)
Findings
◦ Voice monitoring for gender and location awareness is tolerable
◦ Personally identifiable information (e.g., phone ID) is okay to share
[Figure: relative frequency (0% to 100%) of each cluster per value of the "WHAT" parameter; legend: [CL4] Very unacceptable, [CL3] Unacceptable, [CL2] Somewhat unacceptable, [CL1] Acceptable]
p = 0.0006, d = 0.2713
p < .0001, d = 0.6237

Interpretation – who (1/2)
Findings
◦ Monitoring by unknown entity is very unacceptable
◦ Monitoring by government or nearby business is unacceptable
[Figure: relative frequency (0% to 100%) of each cluster per value of the "WHO" parameter (1. unknown, 2. colleague, 3. friend, 4. own device, 5. business, 6. employer/school, 7. government); legend: [CL4] Very unacceptable, [CL3] Unacceptable, [CL2] Somewhat unacceptable, [CL1] Acceptable]
p < .0001, d = 0.7268
p < .0001, d = 0.2603
p < .0001, d = 0.5845

Interpretation – who (2/2)
Findings
◦ Monitoring by friends is fine
◦ Monitoring by own devices is acceptable
[Figure: relative frequency (0% to 100%) of each cluster per value of the "WHO" parameter (1. unknown, 2. colleague, 3. friend, 4. own device, 5. business, 6. employer/school, 7. government); legend: [CL4] Very unacceptable, [CL3] Unacceptable, [CL2] Somewhat unacceptable, [CL1] Acceptable]
p < .0001, d = 0.6305
p < .0001, d = 0.9989

Interpretation – reason (1/2)
Findings
◦ Purposeless IoT services are unacceptable
◦ Some purposeless scenarios are still considered acceptable
[Figure: relative frequency (0% to 100%) of each cluster per value of the "REASON" parameter (1. safety, 2. commercial, 3. social, 4. convenience, 5. health, 6. not specified); legend: [CL4] Very unacceptable, [CL3] Unacceptable, [CL2] Somewhat unacceptable, [CL1] Acceptable]
p < .0001, d = 0.3221

Interpretation – reason (2/2)
Findings
◦ Convenience is the most significant reason to allow monitoring
◦ Safety is also a reasonable justification to allow monitoring
[Figure: relative frequency (0% to 100%) of each cluster per value of the "REASON" parameter (1. safety, 2. commercial, 3. social, 4. convenience, 5. health, 6. not specified); legend: [CL4] Very unacceptable, [CL3] Unacceptable, [CL2] Somewhat unacceptable, [CL1] Acceptable]

Interpretation – persistence
Findings
◦ No clear tendency was observed
◦ Participants have privacy concerns about continuous monitoring in general
[Figure: relative frequency (0% to 100%) of each cluster per value of the "PERSISTENCE" parameter (0. once, 1. continuously); legend: [CL4] Very unacceptable, [CL3] Unacceptable, [CL2] Somewhat unacceptable, [CL1] Acceptable]

Limitations and Future Work (1/2)
Out-of-Context Attitudinal Study
◦ Some contextual parameters were coarsely defined
  ◦ E.g., “someone else’s place” might be interpreted differently by participants
◦ Participants responded at a location that has no association with the scenarios
  ◦ Decreased sense of realism to the scenarios
IoT Scenario: A device of a friend (C3=3) records your voice to check your presence (C2=9). This happens once (C5=0), while you are at someone else’s place (C1=1), for your safety (C4=1).
[Diagram labels: IoT Scenario; Survey at Home; “Where is this?”; IoT at School?]

Limitations and Future Work (2/2)
Location-based Survey
◦ Simulation of user experience in virtual IoT environments
◦ Creating realistic IoT scenarios mapped to real locations through crowdsourcing
◦ Building a wearable system that presents the IoT scenarios related to users’ current locations
◦ Asking users to answer questions on the scenarios while walking around a specific area
[Diagram labels: Wearable Computer; Location Awareness; Survey]

Conclusion
In This Paper
◦ We aimed to “understand” user privacy in IoT environments
◦ We collected people’s privacy preferences toward IoT via online survey
◦ We analyzed the collected survey responses via data mining technique
  ◦ IoT scenarios can be grouped into 4 clusters wrt. their potential privacy risks
  ◦ Clustering results are statistically and visually sound
◦ We uncovered contextual factors that impact people’s privacy perceptions
  ◦ who and what are the most important factors
◦ We plan to conduct location-based survey study (field experiments)
  ◦ More suitable for collecting sincere responses from users than a traditional survey

Thank You!
ANY QUESTIONS?