An Architecture for Privacy-Sensitive Ubiquitous Computing Jason I. Hong Computer Science Division University of California, Berkeley
Ubicomp Presents New Benefits • Advances in wireless networking, sensors, devices • Greater awareness of and interaction with physical world • Ubicomp can help in coordination, efficiency, safety (slide images: Find Friends, E911, Incident Command)
Example: Location-enhanced Instant Messenger • Instant messaging used by 250m people, 20% growth / yr • Clients are moving to mobile devices (phones, PDAs) • Will be capable of determining your location • Potential risks? • Stalking • Constant surveillance by boss • Location-based spam
Ubicomp Presents New Privacy Risks • These ubicomp systems could also be used to: • Commit fraud • Draw embarrassing or inaccurate inferences • Discriminate against users
Slide table (a spectrum from everyday risks to extreme risks, by who is watching): Friends, Family: over-protection, social obligations, embarrassment. Employers: over-monitoring, discrimination, reputation. Government: civil liberties. Stalkers, Muggers: well-being, personal safety.
Ubicomp Privacy is a Serious Concern • “[It] could tell when you were in the bathroom, when you left the unit, and how long and where you ate your lunch. EXACTLY what you are afraid of.” (posting on allnurses.com)
What’s Hard about Ubicomp Privacy? • Scope and scale of ubicomp • Past: costly to collect, store, and use info • Future: everywhere, always on, far easier to collect data • New Domains: family, marketplace, workplace, healthcare… • Many issues must be addressed simultaneously • Social and Organizational, Interaction Design, Technical
Problem: Hard to Create Privacy-sensitive Ubicomp Apps • Hard to analyze privacy • What concerns do people have? • How to design effective user interfaces for privacy? • Hard to implement privacy-sensitive systems • What are the basic abstractions? • What are the privacy mechanisms?
Solution: Confab Privacy Toolkit Informed by End-User Needs • Hard to analyze privacy • Analysis of end-user needs for ubicomp privacy • Interviews, surveys, postings on message boards • Analysis of interaction design for ubicomp privacy • Pitfalls in designing user interfaces for privacy • Hard to implement privacy-sensitive systems • Confab toolkit for privacy-sensitive ubicomp apps • Capture, processing, and presentation of personal info • Evaluation thru building three apps and user studies • Location-enhanced messenger, location-enhanced web proxy, emergency response app
Speaker notes: Educate. By building real apps and seeing how users react to them we can see how well they work; a key part of HCI research. My methodology, why I did it this way.
Outline • Motivation • End-user Privacy Needs • Pitfalls in User Interfaces for Privacy • Confab Toolkit for Privacy-Sensitive Ubicomp • Applications Built
An HCI Perspective on Privacy • “The problem, while often couched in terms of privacy, is really one of control. If the computational system is invisible as well as extensive, it becomes hard to know: what is controlling what, what is connected to what, where information is flowing, how it is being used” (Weiser, Gold, and Brown, The Origins of Ubiquitous Computing Research at PARC in the Late 1980s) • Empower people so they can choose to share: the right information, with the right people or services, at the right time
Analysis of End-User Privacy Needs • Lots of speculation about ubicomp privacy, little data • Published Sources • Examined papers describing usage of ubicomp systems • Examined existing and proposed privacy protection laws • EU Directive, Location Privacy Act 2001, Wireless Privacy Act 2003 • Theoretical analysis, asymmetric information flows [Ubicomp 2002] • Surveys and Interviews • Analyzed survey data of 130 people on ubicomp privacy prefs • Interviewed 20 people on location-based services • Existing Systems • Analyzed postings on nurse message board on locator systems
Speaker notes: Teaching slide. Lots of different data collection methods; each gives different results. I did three different things. More details (who, what I was looking for). What was the survey (example)? Who were the people? What was the interview? 100 postings, all from nurses commenting, most negative, some positive. Published sources: what was I looking for? Existing laws: what concerns and proposed solutions (ex. limited data retention), and see if those same issues came out in the interviews.
Summary of End-User Privacy Needs • Clear value proposition • Simple and appropriate control and feedback • Plausible deniability • Limited retention of data • Decentralized control • Special exceptions for emergencies (slide figure: Alice’s Location, Bob’s Location)
Outline • Motivation • End-user Privacy Needs • Pitfalls in User Interfaces for Privacy • Confab Toolkit for Privacy-Sensitive Ubicomp • Applications Built
Pitfalls in Designing for Privacy • What kinds of user interfaces work? What kinds do not? • Analyzed ~40 apps for common user interface mistakes • Pitfalls in Designing for Privacy [PUC 2004]
Speaker notes: I helped in failure analysis and derivation of pitfalls for design of privacy. % of people’s prefs, location or situation? Thin backstory (what was the context?). What is this for? They made up their categories. Failure of this interface led us to analyze a large number of apps that failed / succeeded and how they avoided those pitfalls. Count the number of apps analyzed. Common mistakes still being made.
Privacy Pitfalls: Obscuring Actual Flow • Users should understand what is being disclosed to whom • Many ubicomp systems are “invisible” by default • Systems should provide appropriate visibility (slide examples: “Who is querying my location? How often?”, “Bob will see this request”, “Alice has requested your location”)
Privacy Pitfalls: Configuration over Action • Designs should not require excessive configuration • Configuration is a typical “solution”, but it is hard to predict the right settings in advance • Manage privacy in the actual context of use
Privacy Pitfalls: Lacking Coarse-Grain Control • Fine-grained controls should be secondary, not primary • “[T]raveling employees may want their bosses to be able to locate them during the day but not after 5 p.m. Others may want to receive coupons from coffee shops before 9 a.m. on weekdays but not on weekends when they sleep in. Some may want their friends alerted only when they are within one mile, but not 10 miles.” • Protecting the Cellphone User's Right to Hide, New York Times, Feb 5 2004
Speaker notes: Say Bell Labs example. Do left/right example. Screenshot of rules? Can then do fine-grained. Did I set it right? How do I know? This is a lot of work… Simple, does exactly what I think it does.
Privacy Pitfalls: Inhibiting Established Practices • Designs should not inhibit established social practices • “Smart” Answering Machine: “Lee has been motionless in a dim place with high ambient sound for the last 45 minutes. Continue with call or leave a message.” (slide screenshot: a location request showing “University and Shattuck, Berkeley, CA” with the option “3. Ignore for now”)
Speaker notes: Social practice is to screen calls. Ambiguity is good. Try to use IM client pic? Show notification. Just like an answering machine: “Ignore” means the requestor doesn’t know if you are there or not.
Outline • Motivation • End-user Privacy Needs • Pitfalls in User Interfaces for Privacy • Confab Toolkit for Privacy-Sensitive Ubicomp • Applications Built
Speaker notes: Part of a toolkit is to avoid making mistakes. Repeat why end-user needs. Repeat why pitfalls.
Confab Toolkit for Privacy-Sensitive Ubicomp • Confab for privacy-sensitive ubicomp apps • Cover end-user privacy needs • Avoid pitfalls in user interface design wrt privacy • Provide solid technical foundation for privacy-sensitive ubicomp • A toolkit needs to support all three layers: Presentation, Infrastructure, Physical / Sensor • Must capture, store, process, & share in privacy-sensitive manner • I might acquire information privately… but not help developers process it safely or provide visibility to end-users • I might present choices well to users… but not have control over how the info was acquired or processed
Past Work Addresses at Most One Layer • Today, building privacy-sensitive apps would have to be done in an ad hoc manner • Presentation: P3P, Privacy Mirrors • Infrastructure: ParcTab System, Context Toolkit • Physical / Sensor: Cricket Location Beacons, Active Bats
Architectural Requirements • Low barrier to entry • Make it simple for programmers, admin, end-users • Easy to add or modify app-specific privacy controls • Easy for end-users to control and understand • Easy for end-users to share info at a comfortable level
Confab High-Level Architecture • Capture, store, and process personal data on my computer as much as possible (laptops and PDAs) • Provide greater control and feedback over sharing (slide diagram labels: Sources; In Operators, On Operators, Out Operators; Invisible Mode, Enforce Access, User Interface, Logging, Check Privacy Tag, Garbage Collect, Periodic Reports; Personal Data Store on My Computer holding Name and Loc; App)
Example Built-in Confab Operator: Flow Control • Goal: Disclose different info to different requestors • Conditions: Age of data, Requestor Domain, Requestor ID, Requestor Location, Data Format, Data Type, Current Time • Actions: Allow, Lower Precision, Set (fake value), Hide (data is removed), Invisible (no out data), Timeout (fake network load), Interactive, Deny (forbidden)
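The flow-control operator is essentially a rule table: conditions on the request and on the datum select one of the actions listed. The following is an added example in Python (Confab itself was written in Java; this is not its code) that evaluates such a table over a constructed location datum. The rule and request shapes, the identities, the two-decimal "lower precision" grid and the default action (hide) are assumptions for illustration; it goes slightly beyond the slide by letting a rule combine several conditions, and by distinguishing hide, invisible, timeout and deny as different outcomes a requestor would observe.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import math


@dataclass
class Request:
    """Who is asking for a datum and when (fields assumed for this example)."""
    requestor_id: str
    requestor_domain: str
    now: datetime


@dataclass
class Datum:
    """One tuple held in the InfoSpace."""
    data_type: str
    value: object
    timestamp: datetime


@dataclass
class Rule:
    condition: object   # callable(Request, Datum) -> bool
    action: str         # allow | lower_precision | set | hide | invisible | timeout | deny
    arg: object = None  # decimals for lower_precision, fake value for set


# Condition builders mirroring the slide's list (age of data, requestor
# domain, requestor ID, data type, current time).
def from_id(rid):          return lambda r, d: r.requestor_id == rid
def from_domain(dom):      return lambda r, d: r.requestor_domain == dom
def between_hours(a, b):   return lambda r, d: a <= r.now.hour < b
def fresher_than(age):     return lambda r, d: r.now - d.timestamp <= age
def of_type(t):            return lambda r, d: d.data_type == t
def all_of(*cs):           return lambda r, d: all(c(r, d) for c in cs)


def lower_precision(latlon, decimals):
    """Truncate lat/lon onto a coarser grid (2 decimals is roughly 1 km)."""
    scale = 10 ** decimals
    return tuple(math.floor(v * scale) / scale for v in latlon)


def flow_control(rules, req, datum):
    """First matching rule wins. Returns (action, value); value is None when
    nothing leaves the InfoSpace. 'hide' drops the datum from an otherwise
    normal reply; 'invisible' and 'timeout' make the user look offline or
    slow (plausible deniability); 'deny' is an explicit refusal."""
    for rule in rules:
        if not rule.condition(req, datum):
            continue
        if rule.action == "allow":
            return "allow", datum.value
        if rule.action == "lower_precision":
            return "lower_precision", lower_precision(datum.value, rule.arg)
        if rule.action == "set":
            return "set", rule.arg                  # deliberately fake value
        if rule.action in ("hide", "invisible", "timeout", "deny"):
            return rule.action, None
        raise ValueError(f"unknown action {rule.action!r}")
    return "hide", None   # assumed default: disclose nothing


# Example policy with hypothetical identities: a friend gets fresh, exact
# data; work sees city-level location during work hours and looks offline
# after hours (a refusal would reveal the user is being selective); an
# advertising domain is refused outright.
RULES = [
    Rule(all_of(of_type("location"), from_id("alice@example.com"),
                fresher_than(timedelta(hours=1))), "allow"),
    Rule(all_of(of_type("location"), from_domain("work.example.com"),
                between_hours(9, 17)), "lower_precision", 2),
    Rule(from_domain("work.example.com"), "invisible"),
    Rule(from_domain("ads.example.net"), "deny"),
]


def decide(requestor_id, domain, now, data_age=timedelta(minutes=10)):
    """Run the example policy over a constructed location datum (Soda Hall)."""
    datum = Datum("location", (37.875, -122.257), now - data_age)
    return flow_control(RULES, Request(requestor_id, domain, now), datum)


def demo():
    """Constructed scenarios; returns {scenario: (action, value)}."""
    t = datetime(2004, 2, 5, 14, 0)
    return {
        "friend_fresh": decide("alice@example.com", "example.com", t),
        "friend_stale": decide("alice@example.com", "example.com", t, timedelta(hours=3)),
        "work_hours":   decide("boss@work.example.com", "work.example.com", t),
        "after_hours":  decide("boss@work.example.com", "work.example.com", t.replace(hour=20)),
        "advertiser":   decide("promo@ads.example.net", "ads.example.net", t),
        "stranger":     decide("who@other.example", "other.example", t),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} -> {outcome}")
```

Note that the stale-data case falls through to the default even for the trusted friend: age of data is a condition like any other, so a friend never receives a location that is hours old as if it were current.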
Outline • Motivation • End-user Privacy Needs • Pitfalls in User Interfaces for Privacy • Confab Toolkit for Privacy-Sensitive Ubicomp • Physical layer for acquiring location • Infrastructure layer • Presentation layer • Applications Built
Physical / Sensor Layer: Intel’s Place Lab Location Source • Determine location via local database of WiFi Access Points • Unique WiFi MAC Address -> Latitude, Longitude • Periodically update your local copy • Works indoors and in urban canyons • Works with encrypted nodes • No special equipment • Privacy-sensitive • Rides the WiFi wave (slide figure: access points A, B, C)
PlaceLab Data at SF Bay Area: ~60000 nodes (~4 megs)
PlaceLab Data at UC Berkeley: Berkeley campus, ~1000 nodes
Outline • Motivation • End-user Privacy Needs • Pitfalls in User Interfaces for Privacy • Confab Toolkit for Privacy-Sensitive Ubicomp • Physical layer for acquiring location • Infrastructure layer • Presentation layer • Applications Built
Infrastructure Layer: Confab’s Built-in MiniGIS Operator • People and apps need semantically useful names • “Meet me at 37.875, -122.257” • MiniGIS operator transforms location info locally • Using network-based services would be a privacy hole • Whittled down to 30 megs from public sources • Places hardest to get, 3 ugrads + me scouring Berkeley • Example output: Country Name = United States; Region Name = California; City Name = Berkeley; ZIP Code = 94709; Place Name = Soda Hall; Latitude/Longitude = 37.875, -122.257
Speaker notes: Highlight what is being revealed. Example of something that can be done at the infrastructure layer: MiniGIS case vs. network-service case. Preferred MapPoint.
Infrastructure Layer: Confab’s InfoSpace Data Store • InfoSpace is like a diary that stores your personal info • Static info (ex. name and phone #) • Dynamic info (ex. current location and activity) • Runs on your personal device or on a trusted service • Can choose to expose different parts to people & services
Confab Architecture (slide diagram: PlaceLab Source on My Computer feeds the InfoSpace Data Store holding Name and Loc; Out Operators Flow Control and MiniGIS mediate requests from Tourguide and Location Messenger) • How to make users aware of and able to control the flow of personal info?
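The Place Lab and MiniGIS slides describe two lookups that stay on the device: a WiFi scan resolved against a local MAC-to-coordinate table, and a coordinate named from a local gazetteer. As an added example (not Place Lab or Confab code, and in Python rather than Confab's Java), the following runs both steps end to end with no network call at any point. The access-point coordinates, the bounding boxes, the RSSI weighting and the "smallest containing box wins" rule are constructed for illustration.

```python
# Constructed Place Lab style database: access-point MAC -> (lat, lon).
# In Place Lab this is a periodically refreshed local copy; the coordinates
# here are made up around the Soda Hall figure used on the slides.
AP_DB = {
    "00:11:22:33:44:01": (37.8755, -122.2585),
    "00:11:22:33:44:02": (37.8750, -122.2575),
    "00:11:22:33:44:03": (37.8745, -122.2570),
    "00:11:22:33:44:99": (37.8700, -122.2700),
}

# Constructed MiniGIS style table: (level, name, box) with box as
# (min_lat, min_lon, max_lat, max_lon). Real data would be far larger.
GIS_DB = [
    ("country", "United States",         (24.0, -125.0, 50.0, -66.0)),
    ("region",  "California",            (32.5, -124.5, 42.0, -114.0)),
    ("city",    "Berkeley",              (37.84, -122.32, 37.91, -122.23)),
    ("zip",     "94709",                 (37.87, -122.27, 37.89, -122.25)),
    ("place",   "Soda Hall",             (37.8745, -122.2590, 37.8760, -122.2565)),
    ("place",   "University & Shattuck", (37.8715, -122.2690, 37.8725, -122.2680)),
]


def estimate_position(scan, ap_db=AP_DB):
    """scan: list of (mac, rssi_dbm) from a WiFi scan. Returns the
    signal-weighted centroid of the known APs, or None if none are known.
    Unknown MACs are ignored; nothing is ever sent over the network."""
    total = 0.0
    lat = lon = 0.0
    for mac, rssi in scan:
        pos = ap_db.get(mac.lower())
        if pos is None:
            continue
        w = max(rssi + 100.0, 1.0)   # stronger signal, more weight (crude but local)
        lat += w * pos[0]
        lon += w * pos[1]
        total += w
    if total == 0:
        return None
    return (lat / total, lon / total)


def _inside(lat, lon, box):
    min_lat, min_lon, max_lat, max_lon = box
    return min_lat <= lat <= max_lat and min_lon <= lon <= max_lon


def _area(box):
    return (box[2] - box[0]) * (box[3] - box[1])


def minigis(lat, lon, gis_db=GIS_DB):
    """Local reverse geocoding: for each level keep the smallest box that
    contains the point. Levels with no match are left out."""
    best = {}
    for level, name, box in gis_db:
        if _inside(lat, lon, box) and (level not in best or _area(box) < _area(best[level][1])):
            best[level] = (name, box)
    return {level: name for level, (name, _) in best.items()}


def locate(scan):
    """Full local pipeline: scan -> lat/lon -> names. Returns None when the
    position cannot be determined rather than falling back to a remote service."""
    pos = estimate_position(scan)
    if pos is None:
        return None
    names = minigis(*pos)
    names["latlon"] = pos
    return names


if __name__ == "__main__":
    # constructed scan: three known APs plus one the local database has never seen
    scan = [("00:11:22:33:44:01", -50), ("00:11:22:33:44:02", -60),
            ("00:11:22:33:44:03", -70), ("de:ad:be:ef:00:01", -40)]
    print(locate(scan))
```

The unknown access point is the interesting case: a network-backed locator would query a server about it (revealing where the user is), whereas here it simply contributes nothing.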
Outline • Motivation • End-user Privacy Needs • Pitfalls in User Interfaces for Privacy • Confab Toolkit for Privacy-Sensitive Ubicomp • Physical layer for acquiring location • Infrastructure layer • Presentation layer • Applications Built
Presentation Layer: Observations on Disclosure Prefs • Want visibility and control without overwhelming users • IP address, domain name, current location? • Services • Judged mainly by perceived value and risk • People • Judged mainly by who is making the request • “Either I trust someone with my information or I don't.” • Common secondary criterion is time • “Work people can know my information during work hours. Home/SO people can know my information always.” • Prefs should be set during or after a request
Speaker notes: What are the design alternatives? Who is requesting is key; not the info, not the app used to do it, not how it is transferred. Explain design rationale. Time came from interviews / surveys. What are the alternatives? My original version had lots of fine-grained mechanisms: IP address (not even CS people described it that way), location, time. Problem was that from interviews, people didn’t seem to do things that way: “I trust person” or “I trust service” between “these times”. Second iteration organized things by People and Services.
Presentation Layer: Notification for IM Request from Person • Four iterations with seven people • Location-enhanced messenger, location-enhanced tourguide • Avoiding the Pitfalls • Actual flow of information • Minimal configuration • Coarse-grain control • Plausible deniability
Speaker notes: Still get a lightweight notification though you don’t have to go through the sequence. For this specific case; also handles other options. Toolkit supports other configuration options as well. Location of that person.
Presentation Layer: PlaceBar for Tourguide Service • People thought of tourguide as discrete push of info • Ex. Information only sent when link is clicked on • PlaceBar for sharing location on per-transaction basis
Confab Architecture (slide diagram: PlaceLab Source on My Computer feeds the InfoSpace Data Store holding Name and Loc; Location Messenger pulls, Tourguide is pushed to) • How to control what happens to your info once it leaves your InfoSpace?
Privacy Tags • Digital Rights Management for Privacy • Like adding a note to email, “Please don’t forward” • Notify address - notify-abc@cs.berkeley.edu • Time to live - 5 days • Max number of sightings - last 5 sightings of my location • Provide libraries for making it easy for app developers • Requires non-technical solutions for deployment • Market support thru TRUSTe, Consumer Reports • Legal support thru data retention laws
Implementation • I wrote ~95% of this over ~2.5 years • Uses Java 1.5, Tomcat Web Server, MySQL, Jaxen XPath • Distributed querying system (3 grads) [Ubicomp 2003] • Ex. Update “location.occupant.age” as people move in and out • Two course projects outside Berkeley
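A privacy tag is only as good as the recipient's willingness to honour it, which is why the slide points at market and legal support for deployment. The following added Python example (not Confab's code, which was Java) shows what a cooperating recipient would do with the three fields on the Privacy Tags slide: record a notification when a datum is stored and when it is read, expire it after the time to live, and keep only the last N sightings per owner and data type. The store and sighting shapes, and the choice to record notifications in a list rather than send mail, are assumptions made so the behaviour can be checked offline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PrivacyTag:
    """Travels with a disclosed datum; the three fields from the slide."""
    notify: str            # who to tell when the datum is stored or used
    ttl: timedelta         # delete the datum this long after receipt
    max_sightings: int     # keep at most this many past values per owner/type


@dataclass
class Sighting:
    owner: str
    data_type: str
    value: object
    received: datetime
    tag: PrivacyTag


class TaggedStore:
    """A recipient's store that honours privacy tags. Notifications are
    appended to a list instead of being emailed so they can be inspected."""

    def __init__(self):
        self.rows = []
        self.notifications = []   # (address, message)

    def accept(self, s: Sighting):
        self.rows.append(s)
        self.notifications.append((s.tag.notify, f"stored {s.data_type} of {s.owner}"))
        self.garbage_collect(s.received)

    def garbage_collect(self, now: datetime):
        """Drop expired sightings, then cap history per (owner, data_type).
        Each row is judged by its own tag, so a tighter tag on a newer
        sighting cannot be loosened by an older one."""
        live = [r for r in self.rows if r.received + r.tag.ttl > now]
        kept, seen = [], {}
        for r in sorted(live, key=lambda r: r.received, reverse=True):
            k = (r.owner, r.data_type)
            if seen.get(k, 0) < r.tag.max_sightings:
                kept.append(r)
                seen[k] = seen.get(k, 0) + 1
        self.rows = kept

    def query(self, owner, data_type, now):
        """Return remaining values newest first and notify the owner of the access."""
        self.garbage_collect(now)
        hits = [r for r in self.rows if r.owner == owner and r.data_type == data_type]
        for r in hits:
            self.notifications.append((r.tag.notify, f"{data_type} of {owner} read"))
        return [r.value for r in sorted(hits, key=lambda r: r.received, reverse=True)]


def demo():
    """Seven constructed location sightings one minute apart under the slide's
    tag (5-day TTL, last 5 sightings); returns what a query sees an hour
    later, what it sees after six days, and the notification log."""
    tag = PrivacyTag("notify-abc@cs.berkeley.edu", timedelta(days=5), 5)
    store = TaggedStore()
    t0 = datetime(2004, 2, 5, 9, 0)
    for i in range(7):
        store.accept(Sighting("jason", "location", f"loc{i}", t0 + timedelta(minutes=i), tag))
    soon = store.query("jason", "location", t0 + timedelta(hours=1))
    later = store.query("jason", "location", t0 + timedelta(days=6))
    return soon, later, store.notifications


if __name__ == "__main__":
    soon, later, notes = demo()
    print("within an hour:", soon)
    print("after six days:", later)
    print("notifications sent:", len(notes))
```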
Outline • Motivation • Analysis of End-user Privacy Needs • Analysis of Interaction Design for Privacy • Confab Toolkit for Privacy-Sensitive Ubicomp • Applications Built
Putting it Together #2: Location-Enhanced Web Proxy • Auto-fills location information on existing web sites • Example PageModification rule: URL = http://www.starbucks.com/; txtCity = CityName; txtState = RegionCode; txtZip = ZIPCode (slide screenshots: MapQuest, Starbucks)
Putting it Together #2: Location-Enhanced Web Proxy • Location-aware web sites • Different content based on your current location
Putting it Together #3: Emergency Response Service • Field studies and interviews with firefighters [CHI 2004] • Finding victims in a building • “You bet we’d definitely want that.” • “It would help to know what floor they are on.” • But emergencies are rare • How to balance privacy constraints with utility when needed?
Putting it Together #3: Emergency Response Service • Trusted third party (MedicAlert++ or home server) (slide diagram labels: Location, Link “ABC”, Trusted Third-Party MedicAlert++, Building BEARS Service, On Emergency Data Sharer; numbered steps 1 Location, 2 Link, 3 Link, 4)
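The PageModification rule on the web-proxy slide is a mapping from form field names on one site to MiniGIS attributes. This added Python example (not the proxy's own code, which was Java) applies such a rule to a constructed HTML form: only fields named in a rule, and only on the site the rule names, receive location data, so an unlisted site sees the page byte-for-byte unchanged and an unlisted field on a listed site is left alone. The rule, form and location values are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The slide's PageModification rule as data: which form fields on which site
# receive which MiniGIS attribute. A site with no rule gets nothing.
RULES = [
    {"url": "http://www.starbucks.com/",
     "fields": {"txtCity": "CityName", "txtState": "RegionCode", "txtZip": "ZIPCode"}},
]

# Constructed output of the MiniGIS operator for the user's current location.
LOCATION = {"CityName": "Berkeley", "RegionCode": "CA", "ZIPCode": "94709"}

# Constructed store-locator form; txtPhone is deliberately not in the rule.
SAMPLE = ('<form action="/store-locator"><input type="text" name="txtCity">'
          '<input type="text" name="txtState"><input type="text" name="txtZip">'
          '<input type="text" name="txtPhone"><input type="submit" value="Find"></form>')


def rule_for(url, rules=RULES):
    """Match on scheme + host + path prefix; query strings are not considered."""
    got = urlsplit(url)
    for rule in rules:
        want = urlsplit(rule["url"])
        if (got.scheme, got.netloc) == (want.scheme, want.netloc) and got.path.startswith(want.path):
            return rule
    return None


class FormFiller(HTMLParser):
    """Re-emits the page, setting value= on <input> elements named in the rule
    and copying every other tag through verbatim."""

    def __init__(self, fields, location):
        super().__init__(convert_charrefs=False)
        self.fields, self.location = fields, location
        self.out, self.filled = [], []

    def _emit_tag(self, tag, attrs, self_closing):
        attrs = dict(attrs)
        name = attrs.get("name")
        if tag == "input" and name in self.fields and self.fields[name] in self.location:
            attrs["value"] = self.location[self.fields[name]]
            self.filled.append(name)
            inner = " ".join(f'{k}="{v}"' if v is not None else k for k, v in attrs.items())
            self.out.append(f"<{tag} {inner}{' /' if self_closing else ''}>")
        else:
            self.out.append(self.get_starttag_text())

    def handle_starttag(self, tag, attrs):     self._emit_tag(tag, attrs, False)
    def handle_startendtag(self, tag, attrs):  self._emit_tag(tag, attrs, True)
    def handle_endtag(self, tag):              self.out.append(f"</{tag}>")
    def handle_data(self, data):               self.out.append(data)
    def handle_entityref(self, name):          self.out.append(f"&{name};")
    def handle_charref(self, name):            self.out.append(f"&#{name};")
    def handle_comment(self, data):            self.out.append(f"<!--{data}-->")


def fill_page(url, html, location=LOCATION, rules=RULES):
    """Returns (modified_html, names_of_filled_fields)."""
    rule = rule_for(url, rules)
    if rule is None:
        return html, []
    p = FormFiller(rule["fields"], location)
    p.feed(html)
    p.close()
    return "".join(p.out), p.filled


if __name__ == "__main__":
    print(fill_page("http://www.starbucks.com/store-locator", SAMPLE))
    print(fill_page("http://www.example.com/", SAMPLE))
```

Keeping the rule as data rather than code is what lets a user (or a PlaceBar-style per-transaction prompt) see exactly which attributes a given site will receive before the proxy releases them.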
Application Details • Location-enhanced Instant Messenger • Uses Hamsam library for cross-platform IM • ~2500 LOCs across 23 classes, about 5 weeks (mostly GUI) • Acquiring location, InfoSpace store (and prefs), location queries, automatic updates, access notifications, MiniGIS + dataset • Location-enhanced web proxy • Added ~800 LOCs to existing 800 LOCs, about 1 week • Location queries, automatic updates, MiniGIS + dataset, PlaceBar • Emergency Response • ~200 LOC in 2 days (no GUI, just raw client) • Location queries, update both servers, access notifications • Confab reduces what would be a lot of duplicated work
User Evaluations • Ongoing task-based eval with 9 people • Proficient with web and IM, but not computer experts • Location-enhanced messenger, location-enhanced tourguide • Can they accomplish basic tasks correctly? • Do they understand the choices? • Can they use the interfaces to make the decisions they want? • Is their conceptual model correct? • Does the system work roughly the way they think it does? • Do they still have privacy concerns? • Would they want to use it?
User Evaluations (The Good) • All assumed location information started with them, no third parties involved (even with IM) • Correct for Confab, not always for other systems • Options understandable and could make desired choice • Pretty much everyone chose “Just for now” • Only real issue was what others saw on “Ignore for now” • These apps fit well in users’ existing comfort zone • Request for disclosure options of “work” and “home” • Enthusiastic about new possibilities • Checking length of movie lines, restaurant lines, bus lines • Making sure children are safe