Transcript Introduction to Ubicomp Privacy or Is Privacy the Achilles’ Heel of Ubicomp? Why Care About Privacy? End-User Perspective • • Protection from spam, identity theft, mugging Discomfort over surveillance –

Introduction to
Ubicomp Privacy
or
Is Privacy the
Achilles’ Heel of Ubicomp?
Why Care About Privacy?
End-User Perspective
•
•
Protection from spam, identity theft, mugging
Discomfort over surveillance
– Lack of trust in work environments
– Might affect performance, mental health
– May contribute to feeling of lack of control over life
• Starting
Everyday
Risks over
– Something stupid you did as a kid
Friends, Family
• Creativity
_________________________________
Government
and Employers
freedom to experiment
_________________________________
__________________________
Extreme Risks
Stalkers, Muggers
_________________________________
Over-protection
Over-monitoring
Well-being
– Protection from
total societiesCivil liberties
Social –obligations
Discrimination
Room for each
person to develop individually Personal safety
Embarrassment
Reputation
• Lack of adoption of ubicomp tech
The Fundamental Tension
•
Ubicomp envisions
– lots of sensors for gathering data
– rich world models describing people, places, things
– pervasive networks for sharing
•
This data can be used for good and for bad
Find Friends
Smart Homes
Smart Stores
Why Care?
Designer and App Developer Perspective
•
Most obvious problem with ubicomp by outsiders
Why Care?
Designer and App Developer Perspective
•
“Do I wear badges? No way. I am completely against
wearing badges. I don't want management to know
where I am. No. I think the people who made them
should be taken out and shot... it is stupid to think
that they should research badges because it is
technologically interesting. They (badges) will be used
to track me around. They will be used to track me
around in my private life. They make me furious.”
•
Ubicomp “might lead directly to a future of safe,
efficient, soulless, and merciless universal
surveillance” – Rheingold
What is Privacy?
•
No standard definition, many different perspectives
•
Different kinds of privacy
– Bodily, Territorial, Communication, Information
What is Information Privacy?
•
Many different philosophical views on info privacy
– Different views -> different values -> different designs
– Note that these are not necessarily mutually exclusive
Principles vs Common Interest
•
Principled view -> Privacy as a fundamental right
– Embodied by constitutions, longstanding legal precedent
– Government not given right to monitor people
•
Common interest -> Privacy wrt common good
– Emphasizes positive, pragmatic effects for society
•
Examples:
– National ID cards, mandatory HIV testing
Self-determination vs Personal Privacy
•
Self-determination (aka data protection)
– Arose due to increasing number of databases in 1970s
– “Privacy is the claim of individuals, groups or institutions to
determine for themselves when, how, and to what extent
information about them is communicated to others” (Westin)
– Led to Fair Information Practices (more shortly)
– More of individual with respect to government and orgs
•
Personal privacy
– How I express myself to others and control access to myself
– More of individual with respect to other individuals
Self-determination vs Personal Privacy
•
Examples:
– Facebook
– Cell phone communication
– Instant messaging
Privacy as Solitude
•
•
“The right to be let alone”
People tend to devise strategies “to restrict their own
accessibility to others while simultaneously seeking to
maximize their ability to reach people”
– (Darrah et al 2001)
•
Example:
– Spam protection, undesired social obligations
•
Ubicomp:
– Able to turn system off, invisible mode
Privacy as Anonymity
•
•
Hidden among a crowd
Example:
– Web proxy to hide actual web traffic
•
Ubicomp:
– Location anonymity
– “a person” vs “Asian person”
vs “Jason Hong”
Other Views on Privacy
•
Transparent Society
– Multi-way flow of info (vs one-way to govts or corporations)
•
Don’t care
– I’ve got nothing to hide
– We’ve always adapted
– "You have zero privacy anyway. Get over it."
•
Fundamentalist
– Don’t understand the tech
– Don’t trust others to do the right thing
•
Pragmatist
– Cost-benefit
– Communitarian benefit to society as well as individual
Other Views on Privacy
You know it when you lose it
Why is Privacy Hard?
•
Hard to define until something bad happens
– “Well, of course I didn’t mean to share that”
•
Risks not always obvious
– Burglars went to airports to collect license plates
– Credit info used by kidnappers in South America
•
•
•
Change in comfort with time and/or experience
Cause and effect may be far in time and space
Malleable depending on situation
– Still use credit cards to buy online
– Benefit outweighs cost
Why is Privacy Hard?
•
Data getting easier to store
– Think embarrassing facts from a long time ago (ex. big hair)
– Think function creep (ex. SSNs)
•
Hard to predict effect of disclosure
– Hard to tell what credit card companies, Amazon are doing
•
•
Market incentives not aligned
Easy to misinterpret
– Went to drug rehabilitation clinic, why?
•
Bad data can be hard to fix
– Sen. Ted Kennedy on TSA watch list
Fair Information Practices (FIPs)
•
•
•
Based on Self-determination / Data Protection view
Set of principles stating how organizations
should handle personal information
Note: many variants of FIPs
Fair Information Practices (FIPs)
•
•
•
•
•
•
•
Openness and transparency
Individual participation
Collection limitation
Data quality
Use limitation
Reasonable security
Accountability
Adapting FIPs for Ubicomp
•
•
Presents a method for analyzing ubicomp systems
Assume designers trying to do “the right thing” ™
– Versus evil people actively trying to intrude
•
Notice
– Physical beacons beaming out P3P policies
– Personal system that logs policies
•
Issues
– Overwhelmed by notifications?
– Understandability of notifications?
Adapting FIPs for Ubicomp
•
Choice and consent
– Need a way to confirm that a person has consented
– Can digitally sign a “contract” notification
•
Issues
–
–
–
–
How can people specify their policies?
Can policies match what people really want?
How to make people aware of auto-accepts?
What if people don’t have a real choice
Adapting FIPs for Ubicomp
•
Anonymity and Pseudonymity
– Try to eliminate any trace of identity
– Or have a disposable identifier not linked to actual identity
•
Issues
– What kinds of services can be offered anonymously?
– Business models for anonymous services?
Adapting FIPs for Ubicomp
•
Proximity
– Limit behavior of smart objects based on proximity
• Ex. “Record voice only if owner nearby”
– Simple mental model, could be hard to implement though
– Weakness: could be easy to subvert
•
Locality
– Information tied to places it was collected
– Require physical proximity to query
– Weakness: limits some utility (ex. Find friend)
Adapting FIPs for Ubicomp
•
Access and Recourse
– How to know what the system knows about you?
– What mechanisms for recourse?
•
Suggests minimizing information collected
to avoid this issue (possible in practice?)
Design for Privacy in
Ubiquitous Computing Environments
•
Presents a method for analyzing ubicomp systems
– Looks primarily at control and feedback
– Looks at networked media spaces,
audio-video connections between two locations
– More of a personal privacy approach
•
One point they briefly mention is value proposition
– At EuroPARC people generally do not worry much about privacy.
They feel that the benefits of RAVE outweigh their concerns. This
is because the design has evolved together with a culture of trust
and acceptable practices relating to its use. Individual freedom
was fostered to use, customise, or ignore the technology.
Framework
•
Capture
– What kind of information?
– Video? Identity? Activity (documents, keypresses, etc)
•
Construction
– How is information processed? Stored?
•
Accessibility
– Who can see the information?
•
Purpose
– How is information used? Might be used?
(Some) Criteria for Evaluating Systems
•
•
•
•
•
•
Appropriate timing
Perceptibility
Unobtrusiveness
Low effort
Meaningful
Low Cost
Discussion Points
Is Privacy Always Good?
Discussion Points
Is Privacy Always Good?
•
•
Can be used as a shield for abusive behavior
Supermarket loyalty cards
– Gauge effect of marketing, effects of price and demand
– Market to best customers
•
Can streamline economic transactions
– Easy credit
•
•
Reputation management
EU – “Regulators prosecuted an animal rights activist
who published a list of fur producers and a consumer
activist who criticized a large bank on a Web page
that named the bank’s directors.”
Discussion Points
Ways of Simplifying Privacy for People?
•
Lots of effort across various systems
– Mobile Phone, TiVo, Smart Car, Smart Home, Workplace
– Analogy: privacy across various web sites
•
Ways of making it easier for people?
– What kinds of tools?
– Third party organizations? (MedicAlert)
Breakout Groups
•
Group A: Is privacy always good?
– In what cases not?
– Too much privacy? (ie get used to it, like security cams?)
•
Group B: How to simplify privacy for people in
ubicomp?
– Core technologies?
– Third parties?
– User interfaces?
Discussion Points
•
What is the role of tech? How much should it do?
– With respect to Market, Law, and Social Norms?
•
What values should we embody in tech?
– And how to design for those values?
– Is privacy always good to have?
•
•
How to assess risks better beforehand?
Better h/w and s/w architectures?
– Physical layer of privacy?
•
•
•
Better UIs? Understandable mental models?
Metrics for privacy?
Third parties / companies that manage your privacy?
Fundamental Tech Challenges
•
Make it easy for organizations to do the right thing
– Detecting abuse (ex. honeypots, audits)
– Better database aggregation and anonymization
– Better org-wide policies and enforcement
•
Make it easy for individuals to share right info with
right people at right times
– Better ubicomp architectures that put end-users in control
• Can’t just flip a switch
• Make it easier for app developers to do right thing
– Better UIs (awareness, disclosures, decision-making)
– Better design and evaluation methods
How Ubicomp Changes the Landscape
•
Scope and scale
– Everyone, everywhere, any time
•
More personal
– Location, activities, habits, hobbies, people with
•
Breaks existing notions of how world works
– Close the door
– Whisper to people
•
Connected
– Easy to share with others
•
Machine readable and searchable