
Approximate Information Flows: Socially-based Modeling of Privacy in Ubiquitous Computing

Group for User Interface Research, University of California Berkeley. Approximate Information Flows: Socially-based Modeling of Privacy in Ubiquitous Computing. Xiaodong Jiang, Jason I. Hong, James A. Landay. Designing for Privacy in Ubicomp: What design goals? How to implement?





Presentation Transcript


  1. Approximate Information Flows: Socially-based Modeling of Privacy in Ubiquitous Computing
     Xiaodong Jiang, Jason I. Hong, James A. Landay
     Group for User Interface Research, University of California Berkeley

  2. Designing for Privacy in Ubicomp
     • What design goals?
     • How to implement?
     • Related work
       • Fair Information Practices, Westin, Langheinrich
       • Transparent Society, David Brin
       • Design Framework for Ubicomp, Bellotti and Sellen
     • This work
       • How privacy is affected by more pragmatic forces
         • Market, Social, Legal, Technical (Lessig)
       • Principle of Minimum Asymmetry
       • Approximate Information Flows (AIF) as a way of tying together asymmetry, privacy, and ubicomp systems

  3. Information Asymmetry
     • Situations in which some actors hold private information relevant to everyone
     • Akerlof (Nobel Prize 2001)
       • Ex. Used cars and "Malfunctioning of Markets"

  4. Asymmetry in Ubicomp
     (Diagram: Alice (Data Owner), Map Service (Data Collector), and Loc-based Advertiser (Data User), with $ marking the exchanges between them)
     • Large potential for asymmetries in information and power

  5. Forces on Privacy
     (Diagram, after Lessig, "Architecture of Privacy": Privacy at the center, surrounded by Market, Social, Legal, and Technology)
     • Practical privacy shaped by four forces
     • Asymmetry impedes Market, Social, and Legal
     • How to build Technology to enable other forces?

  6. Operationalizing Privacy
     (Diagram relating Values (Ex. FIP, Transparency), Information Asymmetry, and Technology to the Market, Social, Legal, and Privacy forces)
     • Approximate Information Flows:
       • Describe and prescribe different levels of information asymmetry in ubicomp systems

  7. Principle of Minimum Asymmetry
     (Diagram: Owners and Collectors / Users, with information flowing Out and In)
     Minimize asymmetry of information between data owners and data collectors and data users, by:
     • Minimizing quality & quantity of info going out
     • Maximizing quality & quantity of info going back in

  8. Minimizing Asymmetry in Ubicomp
     (Diagram: the Alice (Data Owner), Map Service (Data Collector), and Loc-based Advertiser (Data User) chain of slide 4, annotated with the operations below)
     • On data going out: Anonymize, Aggregate, Reduce accuracy
     • On data coming back in: Ask for consent, Notify, Log

  9. Implications for Ubicomp
     • Makes it easier to apply other forces
       • Market, ex. making informed decisions about personal data transactions
       • Social, ex. logging and notification to inform people about violations of social norms
       • Legal, ex. logs that serve as evidence for legal recourse
     • Minimum asymmetry is a relative notion
       • Depends on the task, domain, and values

  10. Applying Minimum Asymmetry
     • What are useful abstractions for thinking about and supporting minimum asymmetry?
     • Approximate Information Flows
       • Where does the data live?
       • When does data flow to others?
       • What can people do to protect data?

  11. Where Does the Data Live?
     • Information Spaces, tied to boundaries
     • Privacy-sensitive data representation
       • Persistence, how long does data live?
       • Confidence, sensor property
         • Ex. 95% vs 25%
       • Accuracy, usage property
         • Ex. "Sweden" vs "Göteborg" vs "Draken Cinema"
     • Basic privacy-sensitive operations
       • Read / Write
       • Promote / Demote: persistence, confidence, accuracy
       • Aggregate: composition, fusion (inference)
       • Permissions and logging associated with all operations

  12. Example Usage of InfoSpaces
     (Diagram of three InfoSpaces: Alice's InfoSpace, Map Service InfoSpace, Loc-based Advertiser InfoSpace)
     • Alice's own record: Owner="Alice", Loc="Draken Cinema", Confidence="85%", TTL="forever"
     • Demoted record shared with the Map Service: Owner="xyzzy", Loc="Göteborg", Confidence="80%", TTL="1 week", Notify="alice@anon.com", Perm="map service", Log

  13. When Does Data Flow to Others?
     • Data Lifecycle
       • Collection: the point when data is gathered
         • Ex. When Alice gets her location data (GPS)
       • Access: the point when data is initially used
         • Ex. Map Service uses Alice's location data
       • Second use: use and sharing of data after initial access
         • Ex. Location-based advertiser asks Map Service for location of Alice
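As an added example (not code from the slides or from the authors' system), a small Python model of slides 11 through 13: InfoSpaces that log every read and write, records tagged with persistence, confidence, notification and permission, and a demote operation that pseudonymizes, coarsens and shortens a record before it flows out at access, so that the advertiser's second-use read gets nothing. The coarsening ladder, the principal names and the advertiser's missing permission are constructed assumptions.

```python
from dataclasses import dataclass, field, replace
from typing import Optional

# Constructed coarsening ladder for the accuracy property (slide 11's
# "Sweden" vs "Göteborg" vs "Draken Cinema"); not taken from the paper.
COARSER = {"Draken Cinema": "Göteborg", "Göteborg": "Sweden"}

@dataclass(frozen=True)
class LocTag:
    """A location datum carrying the privacy tags shown on slide 12."""
    owner: str
    loc: str
    confidence: int                 # sensor property, in percent
    ttl: str                        # persistence: how long the datum lives
    notify: Optional[str] = None    # address told about each use (flow back in)
    perm: frozenset = frozenset()   # principals allowed to read (flow out)

@dataclass
class InfoSpace:
    """One privacy zone; every operation is logged (slide 11)."""
    name: str
    data: list = field(default_factory=list)
    log: list = field(default_factory=list)
    notices: list = field(default_factory=list)   # (recipient, reader) pairs

    def write(self, tag: LocTag) -> None:
        self.data.append(tag)
        self.log.append(f"write owner={tag.owner} loc={tag.loc} ttl={tag.ttl}")

    def read(self, principal: str) -> list:
        # Permission check, then log and notify: the log is the evidence the
        # owner can later rely on (slide 9's social and legal forces).
        allowed = [t for t in self.data if principal in t.perm]
        self.log.append(f"read by {principal}: {len(allowed)}/{len(self.data)} tags")
        self.notices += [(t.notify, principal) for t in allowed if t.notify]
        return allowed

def demote(tag: LocTag, pseudonym: str, ttl: str, perm: frozenset, notify: str) -> LocTag:
    """Minimize flow out: pseudonymize, coarsen accuracy one step, shorten TTL."""
    return replace(tag, owner=pseudonym, loc=COARSER.get(tag.loc, tag.loc),
                   ttl=ttl, perm=perm, notify=notify)

def scenario() -> dict:
    """Alice -> Map Service (access) -> advertiser (second use), slides 12-13."""
    alice, mapsvc = InfoSpace("Alice"), InfoSpace("Map Service")
    alice.write(LocTag("Alice", "Draken Cinema", 85, "forever"))
    out = demote(alice.data[0], "xyzzy", "1 week", frozenset({"map service"}), "alice@anon.com")
    mapsvc.write(out)
    mapsvc.read("map service")          # initial access: permitted, logged, owner notified
    adv = mapsvc.read("advertiser")     # second use: no Perm tag for it, nothing flows
    return {"stored": out, "advertiser_sees": len(adv),
            "notices": mapsvc.notices, "log": mapsvc.log}
```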

  14. What Can People Do to Protect Data?
     • Themes for Minimizing Asymmetry
       • Prevent privacy violations from occurring (minimizing flow out)
         • Ex. Anonymize Alice's data
       • Avoid potential privacy risks (minimizing flow out & maximizing flow in)
         • Ex. Alice asks others if Map Service is reputable
       • Detect privacy violations if there are any (maximizing flow in)
         • Ex. A third party audits what Map Service is doing

  15. Approximate Information Flows: Putting It All Together
     • Information spaces define "privacy zones"
     • Incoming & outgoing flows for an InfoSpace determine its degree of asymmetry
     • (Prevention, avoidance, detection) used to alter asymmetry for that InfoSpace
     • Apply at (collection, access, second use)

  16. Minimizing Asymmetry at Different Times
     (Matrix diagram: Themes for Minimizing Asymmetry (Prevent, Avoid, Detect) against the Data Lifecycle (Collection, Access, Second Use), with Alice's InfoSpace as the running example)
     • Prevent: RBAC, Location Support, Anonymization, Pseudonymization
     • Avoid: Wearables, P3P, User Interfaces for Feedback, Notification, and Consent
     • Detect: Privacy Mirrors, Logging

  17. Current & Future Work
     • Model for privacy control: decentralized info space with unified privacy tagging
       • IEEE Pervasive Computing, July/Sept, 2002
     • Integration into a context infrastructure
     • Ways to translate end-user privacy prefs to system-level asymmetry-based policies

  18. Conclusions
     • Asymmetry as a way of tying together Market, Legal, Social, and Technical forces
     • Principle of Minimum Asymmetry
     • Approximate Information Flows as a model for implementing minimum asymmetry
       • Information Spaces
       • Data Lifecycle
       • Themes for minimizing asymmetry
     • Approximate Information Flows for analyzing and minimizing asymmetry in ubicomp systems

  19. Group for User Interface Research, University of California Berkeley
     Xiaodong Jiang, Jason I. Hong, James A. Landay
     http://guir.berkeley.edu/groups/privacy
     Thanks to: John Canny, Anind Dey, Scott Lederer, National Science Foundation ITR
