Location Privacy
Christopher Pride

Readings
• Location Disclosure to Social Relations: Why, When, and What People Want to Share by Sunny Consolvo, et al.
• Presenting Choices in Context: Approaches to Information Sharing by Jonathan Grudin and Eric Horvitz
• Wireless Location Privacy Protection by Bill Schilit, Jason Hong, and Marco Gruteser
• Optional: Privacy Risk Models for Designing Privacy-Sensitive Ubiquitous Computing by Jason Hong, Jennifer Ng, Scott Lederer, and James Landay
Location Disclosure to Social Relations: Overview
• Three Phases
  • Phase 1: Initial Interview
    • Background
    • Social network data for Phase 2
    • Opinions on location disclosure
  • Phase 2: Experience Sampling Method
    • Location requests accompanied by surveys over the course of 10 days
  • Phase 3: Exit Interviews
    • Took a privacy classification survey
    • Allowed modifications to the opinions given in Phase 1
Location Disclosure Study: Data Collection
• Single Request vs Standing Request
• Location Precision
• Refusal Messages: System Busy, I am Busy, Request Denied, <lie>
• Current Activities
• Nightly Voicemail Diary
• Two week period, 10 daily location requests
• Only 16 participants
  • All from non-technical positions
  • Equally split between male and female
  • 2 students
  • 14 of 16 had an SO
  • 4 had children
  • 11 full time, 3 part time, 1 homemaker
  • All based in Seattle area
Location Disclosure Study: Findings (1)
• What participants would disclose
  • More likely to give detailed information, if any
  • Less specific information was given when details were likely to be less useful
• Effect of the relationship of the requester to the participant
  • Most likely to respond in the order: SO, Friends, Family, Co-Worker, Manager
  • Opinion of participant towards requester had an effect
• Effect of where the requester lived relative to the participant
• Effect of the participant’s location when they received the request
  • Between 70% and 85% response rate at most locations
  • Co-workers and managers much less likely to get a response outside of work
Location Disclosure Study: Findings (2)
• Effect of the participant’s activity or mood when they received the request
  • Current activity had a definite effect
  • Mood had some effect
• Effect of the participant’s privacy classification
  • Seemed to have very little correlation
• Why participants rejected requests
  • Certain times or activities were not to be interrupted
  • When they were doing something that they didn’t want the requester to know about
• What participants wanted to know about the locations of others
  • Correlation between disclosure and desire to know location
• Participants’ privacy and security concerns
  • Concern about social implications of knowledge of location
  • Worried about what would happen if a third party used the technology to spy on them
Location Disclosure Study: Decision Making
• Who is making the request (and how do I feel about that person right now)?
• Why does the requester need to know?
• What would be most useful to the requester?
• Am I willing to disclose that? (Because if I am not willing to disclose what is useful, I will not disclose.)
• Is this similar to the decision process you would use?
Approach to Information Sharing (1)
• Pessimistic
  • Privileges for access set at creation
  • Most people don’t like to modify afterwards
  • Knowledge of proper permissions at creation is not certain
• Optimistic
  • Allow access with monitoring
  • Use monitoring to disallow those that you don’t want to have access
  • Problem – cat is out of the bag
• Interactive
  • Requests for information arrive with 3 options:
    • Grant Unconditional Access
    • Grant One-Time Access
    • Deny Access
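The three sharing models on this slide behave differently when the same sequence of requests arrives, and the difference is easiest to see in code. The following is an added example written for these notes; it is not code from the slides or from the Grudin and Horvitz paper. The scenario (requesters "alice" and "bob", an item called "calendar", the owner's answers) is constructed, and the interactive model assumes that only an "unconditional" answer is remembered for later requests while "one-time" and "deny" answer the current request alone.

```python
from dataclasses import dataclass, field
from enum import Enum


class Answer(Enum):
    """The three replies an interactive prompt can receive, as listed on the slide."""
    UNCONDITIONAL = "grant unconditional access"
    ONE_TIME = "grant one-time access"
    DENY = "deny access"


class Pessimistic:
    """Access list fixed when the item is created; it can be edited later, but rarely is."""

    def __init__(self, allowed):
        self.allowed = set(allowed)

    def request(self, requester, item):
        return requester in self.allowed


@dataclass
class Optimistic:
    """Everyone may read; every read is logged; the owner revokes after reviewing the log."""
    revoked: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def request(self, requester, item):
        granted = requester not in self.revoked
        self.log.append((requester, item, granted))  # the monitoring the model relies on
        return granted

    def revoke(self, requester):
        self.revoked.add(requester)  # stops future reads; reads already made cannot be undone


class Interactive:
    """Each request is shown to the owner unless an earlier UNCONDITIONAL answer covers it.
    Assumption: only UNCONDITIONAL is remembered; ONE_TIME and DENY apply to this request only."""

    def __init__(self, ask):
        self.ask = ask          # callback (requester, item) -> Answer: the owner's prompt
        self.standing = set()   # requesters holding unconditional access

    def request(self, requester, item):
        if requester in self.standing:
            return True
        answer = self.ask(requester, item)
        if answer is Answer.UNCONDITIONAL:
            self.standing.add(requester)
        return answer is not Answer.DENY


def simulate():
    """Constructed scenario: alice and bob each ask for the owner's calendar in two rounds;
    between the rounds the owner reviews the optimistic log and revokes bob."""
    pessimistic = Pessimistic(allowed={"alice"})
    optimistic = Optimistic()
    prompts = []  # who the interactive model had to ask the owner about, in order

    def owner(requester, item):
        prompts.append(requester)
        return {"alice": Answer.UNCONDITIONAL, "bob": Answer.DENY}[requester]

    interactive = Interactive(owner)
    results = {"pessimistic": [], "optimistic": [], "interactive": []}
    for round_no in (1, 2):
        for requester in ("alice", "bob"):
            results["pessimistic"].append(pessimistic.request(requester, "calendar"))
            results["optimistic"].append(optimistic.request(requester, "calendar"))
            results["interactive"].append(interactive.request(requester, "calendar"))
        if round_no == 1:
            # The owner reads the log, notices bob's read and revokes him.
            # Bob's first read already happened: the cat is out of the bag.
            optimistic.revoke("bob")
    results["prompts"] = prompts
    return results


if __name__ == "__main__":
    for model, outcome in simulate().items():
        print(model, outcome)
```

The optimistic model is the only one that lets bob's first read through, which is the slide's "cat is out of the bag" problem; the interactive model reaches the same grants as the pessimistic one but at the cost of prompting the owner three times (bob is asked about twice because a deny is not remembered). For real-time data such as location the cost of that first leaked read and of repeated prompting is the question the next slide raises.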
Approach to Information Sharing (2)
• Applications:
  • Calendaring
  • Parental Controls
• How well do these approaches apply to real-time information such as location?
Problems with Readily Available Location Information
• Economic Damage
  • Spam
• Social Ramifications
  • Reputation Harm
  • Misunderstandings
• Other major problems? Stalkers?
Steps to Protect Location Privacy
• Intermittent Connectivity
• User Interfaces
• Network Privacy
• Each of these has associated problems. What are they?
Privacy Analysis: Social and Organizational Context
• Who are the users of the system?
  • Who are the data sharers, the people sharing personal information?
  • Who are the data observers, the people that see that personal information?
• What kinds of personal information are shared? Under what circumstances?
  • How does Ubicomp change what can be known?
  • What information is known explicitly and implicitly?
  • How often does the data change?
• What is the value proposition for sharing personal information?
  • What does the sharing party gain?
Privacy Analysis: Social and Organizational Context (2)
• What are the relationships between data sharers and data observers?
  • What is the relevant level, nature, and symmetry of trust?
  • What incentives do data observers have to protect data sharers’ personal information (or not, as the case may be)?
• Is there the potential for malicious data observers (e.g., spammers and stalkers)?
  • What kinds of personal information are they interested in?
• Are there other stakeholders or third parties that might be directly or indirectly impacted by the system?
• Does this change the purpose of an existing technology?
Privacy Analysis: Technology
• How is personal information collected?
  • Who has control over the computers and sensors used to collect information?
  • Network-Based, Network-Assisted, Client-Based
• How is personal information shared?
  • Is it opt-in or is it opt-out (or do data sharers even have a choice at all)?
  • Do data sharers push personal information to data observers?
  • Or do data observers pull personal information from data sharers?
• How much information is shared?
  • Is it discrete and one-time?
  • Is it continuous?
  • Ideally, the minimum amount of data needed to accomplish the task.
Privacy Analysis: Technology (2)
• What is the quality of the information shared?
  • With respect to space, is the data at the room, building, street, or neighborhood level?
  • With respect to time, is it real-time, or is it several hours or even days old?
  • With respect to identity, is it a specific person, a pseudonym, or anonymous?
• How long is personal data retained?
  • Where is it stored?
  • Who has access to it?
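The three quality axes on this slide (space, time, identity) are exactly the knobs a location service can turn to ship "the minimum amount of data to accomplish the task" from the previous slide. The code below is an added example for these notes, not code from the slides or the Hong et al. paper; the LocationReport record, the spatial hierarchy room < building < street < neighborhood, the staleness rule and the HMAC-based pseudonym are all my assumptions about how such a service could be built.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

# Spatial levels from the slide, finest first (assumed to form a strict hierarchy).
SPATIAL_LEVELS = ["room", "building", "street", "neighborhood"]


@dataclass(frozen=True)
class LocationReport:
    subject: str                 # identity as the sensor reported it
    room: Optional[str]
    building: Optional[str]
    street: Optional[str]
    neighborhood: Optional[str]
    age_seconds: int             # how old the fix is when the report is sent


def coarsen_space(report: LocationReport, level: str) -> LocationReport:
    """Drop every spatial field finer than `level`, keeping `level` and everything coarser."""
    if level not in SPATIAL_LEVELS:
        raise ValueError(f"unknown spatial level: {level}")
    finer = SPATIAL_LEVELS[: SPATIAL_LEVELS.index(level)]
    return replace(report, **{name: None for name in finer})


def pseudonymize(report: LocationReport, key: bytes) -> LocationReport:
    """Replace the subject with a keyed tag: observers can link reports from the same
    subject but cannot recover the name without the key (a plain hash would allow a
    dictionary attack over the small space of user names)."""
    tag = hmac.new(key, report.subject.encode(), hashlib.sha256).hexdigest()[:16]
    return replace(report, subject="pseudo-" + tag)


def anonymize(report: LocationReport) -> LocationReport:
    """Strip identity entirely; reports can no longer be linked to each other."""
    return replace(report, subject="anonymous")


def minimize(report: LocationReport, *, spatial: str, identity: str,
             max_age_seconds: int, key: Optional[bytes] = None) -> Optional[LocationReport]:
    """Return the report at the requested quality, or None when the fix is too old to be
    useful for a real-time task (assumed rule: stale data is withheld, not sent as-is)."""
    if report.age_seconds > max_age_seconds:
        return None
    out = coarsen_space(report, spatial)
    if identity == "specific":
        return out
    if identity == "pseudonym":
        if key is None:
            raise ValueError("pseudonymization needs a secret key")
        return pseudonymize(out, key)
    if identity == "anonymous":
        return anonymize(out)
    raise ValueError(f"unknown identity level: {identity}")


if __name__ == "__main__":
    # Constructed sample report; the values are made up.
    fix = LocationReport("carol", "4.12", "Building 4", "Main St", "Eastlake", age_seconds=30)
    print(minimize(fix, spatial="street", identity="pseudonym", max_age_seconds=60, key=b"demo-key"))
    print(minimize(fix, spatial="neighborhood", identity="anonymous", max_age_seconds=60))
```

The retention questions on the slide ("How long is personal data retained? Where is it stored?") apply to the key as much as to the reports: whoever holds the HMAC key can turn pseudonyms back into people, so its storage and access list deserve the same scrutiny as the location store itself.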
Privacy Analysis: Risk Management
• The likelihood L that an unwanted disclosure of personal information occurs
• The damage D that will happen on such a disclosure
  • Scale
• The cost C of adequate privacy protection
  • Continual cost to user and development costs
• In general, in situations where C < LD, the privacy protections should be implemented
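The rule C < LD compares the cost of a protection with the expected loss it prevents, and in practice a design team has several candidate protections to weigh, each of which lowers L, D or both. The block below is an added example for these notes, not from the slides or the cited paper; it generalizes the slide's rule slightly by applying it to the expected loss a protection removes (L·D before minus L·D after) and ranking the candidates by net benefit. The protections and numbers are constructed for illustration and carry no meaning beyond that.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    likelihood: float   # L: probability of an unwanted disclosure over the period considered
    damage: float       # D: cost of one such disclosure, in the same units as C

    @property
    def expected_loss(self) -> float:
        return self.likelihood * self.damage   # the LD term of the slide's rule


@dataclass(frozen=True)
class Protection:
    name: str
    cost: float        # C: development cost plus the continual cost to users, as one figure (assumption)
    residual: Risk     # L and D that remain once the protection is in place


def worth_implementing(baseline: Risk, p: Protection) -> bool:
    """The slide's rule, C < LD, applied to the loss the protection actually removes."""
    avoided = baseline.expected_loss - p.residual.expected_loss
    return p.cost < avoided


def rank_protections(baseline: Risk, candidates: List[Protection]) -> List[str]:
    """Names of the candidates that pass the rule, largest net benefit first."""
    scored = []
    for p in candidates:
        if worth_implementing(baseline, p):
            net = baseline.expected_loss - p.residual.expected_loss - p.cost
            scored.append((net, p.name))
    return [name for _, name in sorted(scored, reverse=True)]


def example() -> List[str]:
    """Constructed scenario: a people locator with a 20% chance per year of an unwanted
    disclosure costing 1000 units; three candidate protections with made-up effects."""
    baseline = Risk(likelihood=0.2, damage=1000.0)
    candidates = [
        # Lowers L: coarse location is less often misused, damage per incident unchanged.
        Protection("coarse location by default", cost=30.0, residual=Risk(0.05, 1000.0)),
        # Lowers D: a breach exposes only recent data, so each incident costs less.
        Protection("audit log and retention limit", cost=120.0, residual=Risk(0.2, 300.0)),
        # Lowers L a great deal, but costs more than the loss it avoids.
        Protection("anonymizing relay network", cost=250.0, residual=Risk(0.01, 1000.0)),
    ]
    return rank_protections(baseline, candidates)


if __name__ == "__main__":
    print(example())
```

The estimate of L is the weakest input here: the likelihood of misuse by an observer the sharer trusts today, or by a third party who obtains the data later, is rarely known with any precision, so the ranking is best read as a sensitivity exercise rather than a verdict.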
Privacy Analysis: Risk Management (2)
• How does the unwanted disclosure take place?
  • Is it an accident (for example, hitting the wrong button)?
  • A misunderstanding (for example, the data sharer thinks they are doing one thing, but the system does another)?
  • A malicious disclosure?
• How much choice, control, and awareness do data sharers have over their personal information?
  • What kinds of control and feedback mechanisms do data sharers have to give them choice, control, and awareness?
  • Are these mechanisms simple and understandable?
  • What is the privacy policy, and how is it communicated to data sharers?
• What are the default settings?
  • Are these defaults useful in preserving one’s privacy?
• In what cases is it easier, more important, or more cost-effective to prevent unwanted disclosures and abuses?
  • Detect disclosures and abuses?
• Are there ways for data sharers to maintain plausible deniability?
• What mechanisms for recourse or recovery are there if there is an unwanted disclosure or an abuse of personal information?
  • What are the ramifications of the disclosure?
Discussion Points
• Are there any questions that have been overlooked (Social, Technological, Risk Management)?
• How do these questions work alongside the Location Disclosure studies for a people locator?
• Location privacy is obviously important; are the current protection methodologies even going to be sufficient?
Group Work
• Split into groups and, using the results of the first paper and its decision making process, attempt to come up with a set of steps that a computer could take to automate as much of the decision making process as possible.
• Decision Making Process:
  • Who is making the request (and how do I feel about that person right now)?
  • Why does the requester need to know?
  • What would be most useful to the requester?
  • Am I willing to disclose that? (Because if I am not willing to disclose what is useful, I will not disclose.)
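One possible answer to the group exercise, written as an added example for these notes rather than anything from the slides or the Consolvo et al. paper: a small policy function that walks the four decision questions in order and either discloses at the precision the requester needs or returns one of the refusal messages the study offered. The relationship ordering follows the study's response-rate finding (SO, friends, family, co-worker, manager) and the observation that co-workers and managers rarely got a response outside work; everything else, including the precision ladder, the purpose-to-precision table, the sentiment threshold and which refusal message is chosen when, is my assumption.

```python
from dataclasses import dataclass
from enum import IntEnum


class Precision(IntEnum):
    """Spatial precision ladder (assumed), coarsest to finest; NONE means no disclosure."""
    NONE = 0
    NEIGHBORHOOD = 1
    STREET = 2
    BUILDING = 3
    ROOM = 4


# Assumed: the precision each stated purpose needs to be useful to the requester.
USEFUL_FOR = {
    "meet_now": Precision.ROOM,
    "pick_up": Precision.BUILDING,
    "nearby": Precision.NEIGHBORHOOD,
}

# Assumed ceilings, ordered like the study's response rates: SO, friend, family, co-worker, manager.
CEILING = {
    "so": Precision.ROOM,
    "friend": Precision.ROOM,
    "family": Precision.BUILDING,
    "coworker": Precision.BUILDING,
    "manager": Precision.STREET,
}

# Relationships the study found get little response outside of work.
WORK_ONLY = {"coworker", "manager"}


@dataclass(frozen=True)
class Request:
    requester: str
    relationship: str   # one of the CEILING keys; anything else is treated as a stranger
    purpose: str        # one of the USEFUL_FOR keys; unknown purposes get neighborhood level


@dataclass(frozen=True)
class Context:
    sentiment: float        # -1..1: how the participant feels about the requester right now
    at_work: bool
    interruptible: bool     # current activity may be interrupted
    private_activity: bool  # something the participant does not want the requester to know about


@dataclass(frozen=True)
class Decision:
    precision: Precision    # level disclosed; NONE when refused
    message: str            # "disclosed" or one of the study's refusal messages


def decide(req: Request, ctx: Context) -> Decision:
    # 1. Who is asking, and how do I feel about that person right now?
    ceiling = CEILING.get(req.relationship, Precision.NONE)
    if ctx.sentiment < 0:
        ceiling = Precision.NONE
    # 2. and 3. Why do they need to know, and what would be most useful to them?
    useful = USEFUL_FOR.get(req.purpose, Precision.NEIGHBORHOOD)
    # 4. Am I willing to disclose that much? Location and activity lower the ceiling.
    if req.relationship in WORK_ONLY and not ctx.at_work:
        ceiling = Precision.NONE
    if not ctx.interruptible or ctx.private_activity:
        ceiling = Precision.NONE
    if ceiling >= useful:
        # Disclose what is useful, not everything allowed (less detail when detail is less useful).
        return Decision(useful, "disclosed")
    # Not willing to disclose what would be useful, so disclose nothing; pick a refusal message.
    if ctx.private_activity:
        return Decision(Precision.NONE, "System Busy")   # keeps plausible deniability (assumption)
    if not ctx.interruptible:
        return Decision(Precision.NONE, "I am Busy")
    return Decision(Precision.NONE, "Request Denied")


if __name__ == "__main__":
    calm = Context(sentiment=0.5, at_work=True, interruptible=True, private_activity=False)
    print(decide(Request("pat", "so", "meet_now"), calm))
    print(decide(Request("boss", "manager", "meet_now"), calm))
```

The function makes every input explicit, which is also its weakness as an automation: sentiment, interruptibility and "private activity" are exactly the signals the study's participants supplied from their own heads and that a computer would have to infer, so a deployed version would need the feedback and control mechanisms from the risk-management slides to let the sharer correct it.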