
Hey, That’s Personal!

Hey, That’s Personal! Lorrie Faith Cranor, 28 July 2005, http://lorrie.cranor.org/. Outline: privacy risks from personalization; reducing privacy risks; personalizing privacy.


Presentation Transcript


  1. Hey, That’s Personal! Lorrie Faith Cranor, 28 July 2005 http://lorrie.cranor.org/

  2. Outline • Privacy risks from personalization • Reducing privacy risks • Personalizing privacy

  3. Privacy risks from personalization

  4. PRIVACY RISKS Unsolicited marketing Desire to avoid unwanted marketing causes some people to avoid giving out personal information

  5. PRIVACY RISKS My computer can “figure things out about me” The little people inside my computer might know it’s me… … and they might tell their friends

  6. PRIVACY RISKS Inaccurate inferences “My TiVo thinks I’m gay!”

  7. PRIVACY RISKS Surprisingly accurate inferences Everyone wants to be understood. No one wants to be known.

  8. PRIVACY RISKS You thought that on the Internet nobody knew you were a dog… …but then you started getting personalized ads for your favorite brand of dog food

  9. PRIVACY RISKS Price discrimination • Concerns about being charged higher prices • Concerns about being treated differently

  10. PRIVACY RISKS Revealing private information to other users of a computer • Revealing info to family members or co-workers (gift recipient learns about gifts in advance; co-workers learn about a medical condition) • Revealing secrets that can unlock many accounts (passwords, answers to secret questions, etc.)

  11. PRIVACY RISKS The Cranor family’s 25 most frequent grocery purchases (sorted by nutritional value)!

  12. PRIVACY RISKS Exposing secrets to criminals • Stalkers, identity thieves, etc. • People who break into an account may be able to access profile info • People may be able to probe recommender systems to learn profile information associated with other users

  13. PRIVACY RISKS Subpoenas • Records are often subpoenaed in patent disputes, child custody cases, civil litigation, criminal cases

  14. PRIVACY RISKS Government surveillance • Governments increasingly looking for personal records to mine in the name of fighting terrorism • People may be subject to investigation even if they have done nothing wrong

  15. PRIVACY RISKS Risks may be magnified in future • Wireless location tracking • Semantic web applications • Ubiquitous computing

  16. PRIVACY RISKS If you’re not careful, you may violate data protection laws • Some jurisdictions have privacy laws that restrict how data is collected and used, require that you give notice, get consent, or offer privacy-protective options, and impose penalties if personal information is accidentally exposed

  17. Reducing privacy risks

  18. REDUCING PRIVACY RISKS Axes of personalization, with one end of each axis tending to be more privacy invasive and the other end tending to be less privacy invasive: • Data collection method: explicit vs. implicit • Duration: transient (task or session) vs. persistent (profile) • User involvement: user initiated vs. system initiated • Reliance on predictions: prediction based vs. content based

  19. REDUCING PRIVACY RISKS A variety of approaches to reducing privacy risks • No single approach will always work • Two types of approaches: • Reduce data collection and storage • Put users in control

  20. REDUCING PRIVACY RISKS Collection limitation: Pseudonymous profiles • Useful for reducing risk and complying with privacy laws when ID is not needed for personalization • But, profile may become identifiable because of unique combinations of info, links with log data, unauthorized access to user’s computer, etc. • Profile info should always be stored separately from web usage logs and transaction records that might contain IP addresses or PII
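An added illustration of slide 20 (not code from the talk): profile attributes are keyed by an HMAC pseudonym and kept in a store that never holds account ids or IP addresses, while the access log lives separately; a second check flags profiles whose attribute combination is unique enough to re-identify the pseudonym. The secret key, store layout and the sample accounts are assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Assumption: a server-side secret kept away from the log and profile stores;
# the placeholder below must be replaced by a randomly generated key.
PROFILE_SECRET = b"REPLACE-WITH-RANDOM-KEY"

# Two separate stores, as slide 20 recommends: the profile store never sees an
# account id or IP address, the access log never sees profile attributes.
PROFILES = {}    # pseudonym -> interest attributes
ACCESS_LOG = []  # request records containing IP addresses and account ids

def pseudonym(account_id, secret=PROFILE_SECRET):
    """Keyed hash of the account id. A plain hash of a guessable id could be
    reversed by trying candidates; with HMAC, linking back requires the secret."""
    return hmac.new(secret, account_id.encode(), hashlib.sha256).hexdigest()[:16]

def record_request(account_id, ip, attributes):
    """Log the request with its identifiers, store profile data under the pseudonym."""
    ACCESS_LOG.append({"account": account_id, "ip": ip})
    pid = pseudonym(account_id)
    PROFILES.setdefault(pid, {}).update(attributes)
    return pid

def profile_store_has_pii():
    """Review check: no profile key or value should look like an identifier."""
    for attrs in PROFILES.values():
        for key, value in attrs.items():
            if key in {"email", "account", "ip", "name"} or "@" in str(value):
                return True
    return False

def identifying_profiles(k=2):
    """Pseudonyms whose attribute combination is shared by fewer than k profiles.
    Slide 20's caveat: such unique combinations can make a pseudonymous
    profile identifiable, so they deserve coarsening or removal."""
    counts = Counter(tuple(sorted(a.items())) for a in PROFILES.values())
    return [pid for pid, a in PROFILES.items() if counts[tuple(sorted(a.items()))] < k]
```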

  21. REDUCING PRIVACY RISKS Collection limitation: Client-side profiles • Useful for reducing risk and complying with laws • Risk of exposure to other users of computer remains; storing encrypted profiles can help • Client-side profiles may be stored in cookies replayed to server that discards them after use • Client-side scripting may allow personalization without ever sending personal info to the server • For some applications, no reason to send data to server

  22. REDUCING PRIVACY RISKS Collection limitation: Task-based personalization • Focus on data associated with current session or task - no user profile need be stored anywhere • May allow for simpler (and less expensive) system architecture too! • May eliminate problem of system making recommendations that are not relevant to current task • Less “spooky” to users - relationship between current task and resultant personalization usually obvious

  23. REDUCING PRIVACY RISKS Putting users in control • Users should be able to control • what information is stored in their profile • how it may be used and disclosed

  24. REDUCING PRIVACY RISKS Developing good user interface to do this is complicated • Setting preferences can be tedious • Creating overall rules that can be applied on the fly as new profile data is collected requires deep understanding and ability to anticipate privacy concerns

  25. REDUCING PRIVACY RISKS Possible approaches • Provide reasonable default rules with the ability to add/change rules or specify preferences for handling of specific data (up front, with each action, or after-the-fact) • Explicit privacy preference prompts during transaction process • Allow multiple personae

  26. REDUCING PRIVACY RISKS Example: Google Search History

  27. REDUCING PRIVACY RISKS Amazon.com privacy makeover

  28. REDUCING PRIVACY RISKS Streamline menu navigation for customization

  29. REDUCING PRIVACY RISKS Provide way to set up default rules • Every time a user makes a new purchase that they want to rate or exclude they have to edit profile info • There should be a way to set up default rules, e.g. exclude all purchases; exclude all purchases shipped to my work address; exclude all movie purchases; exclude all purchases I had gift wrapped

  30. REDUCING PRIVACY RISKS Remove excluded purchases from profile • Users should be able to remove items from profile • If purchase records are needed for legal reasons, users should be able to request that they not be accessible online

  31. REDUCING PRIVACY RISKS Better: options for controlling recent history

  32. REDUCING PRIVACY RISKS Use personae • Amazon already allows users to store multiple credit cards and addresses • Why not allow users to create personae linked to each with option of keeping recommendations and history separate (would allow easy way to separate work/home/gift personae)?

  33. REDUCING PRIVACY RISKS Allow users to access all privacy-related options in one place • Currently privacy-related options are found with relevant features • Users have to be aware of features to find the options • Put them all in one place • But also leave them with relevant features

  34. REDUCING PRIVACY RISKS I didn’t buy it for myself • How about an “I didn’t buy it for myself” check-off box (perhaps automatically checked if gift wrapping is requested)?
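An added example (not the talk's or Amazon's code) putting slides 29, 30 and 34 together: the default exclusion rules as predicates, per-item exclusions, the gift-wrap flag ticking the “I didn’t buy it for myself” box, and a split between items that may feed recommendations and records that are retained but hidden from the online history. The purchase fields, rule names and sample history are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Purchase:
    item: str
    category: str
    ship_to: str              # "home" or "work"
    gift_wrap: bool = False
    not_for_me: bool = False  # the "I didn't buy it for myself" box (slide 34)

    def __post_init__(self):
        # Slide 34's suggestion: tick the box automatically when gift wrap is requested.
        if self.gift_wrap:
            self.not_for_me = True

# The default rules from slide 29 as predicates; a user enables the ones they want.
DEFAULT_RULES = {
    "exclude_all": lambda p: True,
    "exclude_work_address": lambda p: p.ship_to == "work",
    "exclude_movies": lambda p: p.category == "movie",
    "exclude_gift_wrapped": lambda p: p.gift_wrap,
    "exclude_not_for_me": lambda p: p.not_for_me,
}

def split_history(purchases, enabled_rules, manual_excludes=()):
    """Apply the enabled default rules plus per-item exclusions (slide 30).
    Returns (profile, ledger): `profile` lists the items that may feed
    recommendations; `ledger` keeps every record (needed for legal or
    accounting reasons) but marks excluded ones "hidden" so the online
    history does not show them."""
    rules = [DEFAULT_RULES[name] for name in enabled_rules]
    profile, ledger = [], []
    for p in purchases:
        excluded = p.item in manual_excludes or any(rule(p) for rule in rules)
        ledger.append((p.item, "hidden" if excluded else "visible"))
        if not excluded:
            profile.append(p.item)
    return profile, ledger

# Constructed sample history (not from the talk).
SAMPLE_HISTORY = [
    Purchase("Cookbook", "book", "home"),
    Purchase("Sci-fi DVD", "movie", "home"),
    Purchase("Headphones", "electronics", "work"),
    Purchase("Scarf", "clothing", "home", gift_wrap=True),
    Purchase("Novel", "book", "home", not_for_me=True),
]
```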

  35. Personalizing privacy

  36. PERSONALIZING PRIVACY Can we apply user modeling expertise to privacy? • Personalized systems cause privacy concerns • But can we use personalization to help address these concerns?

  37. PERSONALIZING PRIVACY What is privacy? “the claim of individuals… to determine for themselves when, how, and to what extent information about them is communicated to others.”- Alan Westin, 1967

  38. PERSONALIZING PRIVACY Privacy as process “Each individual is continually engaged in a personal adjustment process in which he balances the desire for privacy with the desire for disclosure and communication….” - Alan Westin, 1967

  39. PERSONALIZING PRIVACY But individuals don’t always engage in adjustment process • Lack of knowledge about how info is used: data collectors should inform users • Lack of knowledge about how to exercise control: data collectors should provide choices and controls • Too difficult or inconvenient to exercise control: sounds like a job for a user model!

  40. PERSONALIZING PRIVACY Example: Managing privacy at web sites • Website privacy policies • Many posted • Few read • What if your browser could read them for you? • Warn you not to shop at sites with bad policies • Automatically block cookies at those sites

  41. PERSONALIZING PRIVACY Platform for Privacy Preferences (P3P) • 2002 W3C Recommendation • XML format for Web privacy policies • Protocol enables clients to locate and fetch policies from servers

  42. PERSONALIZING PRIVACY Privacy Bird • P3P user agent originally developed by AT&T • Free download and privacy search service at http://privacybird.com/ • Compares user preferences with P3P policies

  43. PERSONALIZING PRIVACY

  44. PERSONALIZING PRIVACY

  45. PERSONALIZING PRIVACY

  46. PERSONALIZING PRIVACY Link to opt-out page

  47. PERSONALIZING PRIVACY I would like to give the bird some feedback • “I read this policy and actually I think it’s ok” • “I took advantage of the opt-out on this site so there is no problem” • “This site is a banking site and I want to be extra cautious when doing online banking”

  48. PERSONALIZING PRIVACY Especially important if bird takes automatic actions • Not critical when bird is only informational • But if bird blocks cookies, the wrong decision will get annoying
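An added example (not Privacy Bird's or AT&T's code) for slides 41, 42, 47 and 48: a constructed P3P policy is parsed with the standard P3P vocabulary, compared against a small set of user preferences, and the per-site feedback from slide 47 (policy accepted, opt-out used, banking site) adjusts the verdict before any automatic action is taken. The preference encoding is my own assumption; Privacy Bird reads APPEL rule sets, and the sample policy and site are constructed.

```python
import xml.etree.ElementTree as ET
NS = "{http://www.w3.org/2002/01/P3Pv1}"
# Constructed sample policy (no real site): clickstream kept for the stated purpose; phone
# number used for telemarketing and shared with unrelated parties unless the user opts out.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="shop" discuri="http://example.com/privacy.html">
  <STATEMENT>
   <PURPOSE><current/><admin/></PURPOSE>
   <RECIPIENT><ours/><same/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
   <PURPOSE><contact/><telemarketing required="opt-out"/></PURPOSE>
   <RECIPIENT><ours/><unrelated required="opt-out"/></RECIPIENT>
   <RETENTION><business-practices/></RETENTION>
   <DATA-GROUP><DATA ref="#user.home-info.telecom.telephone"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""
# Assumed preference encoding (Privacy Bird itself reads APPEL rule sets): per P3P
# element, the vocabulary terms the user wants to be warned about.
DEFAULT_PREFS = {"PURPOSE": {"telemarketing"}, "RECIPIENT": {"unrelated", "public"},
                 "RETENTION": {"indefinitely"}}

def parse_statements(policy_xml):
    """Per STATEMENT: {PURPOSE|RECIPIENT|RETENTION: [(term, required)]}."""
    out = []
    for st in ET.fromstring(policy_xml).iter(NS + "STATEMENT"):
        out.append({part: [(c.tag.replace(NS, ""), c.get("required", "always"))
                           for c in st.findall(f"{NS}{part}/*")]
                    for part in ("PURPOSE", "RECIPIENT", "RETENTION")})
    return out

def evaluate(policy_xml, prefs=DEFAULT_PREFS, site_feedback=None):
    """Return (bird colour, reasons). site_feedback models slide 47: accepted=True,
    opted_out=True (opt-out terms no longer count), category="banking" (stricter)."""
    fb = site_feedback or {}
    if policy_xml is None:
        return "yellow", ["no P3P policy found"]
    if fb.get("accepted"):
        return "green", ["policy read and accepted by user"]
    forbid = {part: set(terms) for part, terms in prefs.items()}  # copy before widening
    if fb.get("category") == "banking":  # assumption: extra caution for banking sites
        forbid.setdefault("RECIPIENT", set()).update({"same", "other-recipient", "delivery"})
    reasons = []
    for i, st in enumerate(parse_statements(policy_xml), 1):
        for part, entries in st.items():
            reasons += [f"statement {i}: {part.lower()} {term} ({req})" for term, req in entries
                        if term in forbid.get(part, ()) and not (req == "opt-out" and fb.get("opted_out"))]
    return ("red" if reasons else "green"), reasons
```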

  49. PERSONALIZING PRIVACY Can we learn user’s privacy preferences over time? Bad bird!
