Privacy Acknowledgement: Jason Hong, CMU
Overview of Privacy • Why care? • Why is it hard? • Thinking about and Designing for Privacy • Why privacy might not matter • Very broad look at privacy • Social aspects, legal aspects, philosophical, user interface
Who Threatens Privacy? Everyday Risks through Extreme Risks, by source • Friends, Family: over-protection, social obligations, embarrassment • Employers: over-monitoring, discrimination, reputation • Government: civil liberties • Stalkers, Muggers: well-being, personal safety
Why Care About Privacy? End-User Perspective • Protection from spam, identity theft, mugging • Discomfort over surveillance • Lack of trust in work environments • Might affect performance, mental health • May contribute to a feeling of lack of control over life • Starting over • Something stupid you did as a kid • Creativity and freedom to experiment • Protection from total societies • Room for each person to develop individually • Lack of adoption of tech
The Fundamental Tension • More information can be used for good and for bad • Facebook • Keeping in touch with friends • But embarrassing photos or breakups recorded for all time? • People Finder • Okayness checking and coordination • But also stalking, monitoring at work, or embarrassment • Amazon (or any ecommerce site) • Can improve search results, personalized content • Price discrimination, selling your info to others, not keeping your info safe from hackers
Why is Privacy Hard? • Characteristics • Real-time, distributed • Invisibility of sensors • Potential scale • What data? Who sees it? • Design Issues • No control over system • No feedback, cannot act appropriately • You think you are in one context, actually in many • No value proposition
Why is Privacy Hard? • Devices becoming more intimate • Call record, SMS messages • Calendar, Notes, Photos • History of locations, People nearby, Interruptibility • With us nearly all the time • Portable and automatic diary • Accidental viewing, losing device, hacking • Protection from interruptions • Calls at bad times, other people’s (annoying) calls • Projecting a desired persona • Accidental disclosures of location, plausible deniability
Internet • ISP • Employer • Search engine • Large e-commerce sites • Cookies • “accessible in theory” vs. “accessible in a click”
Chrome privacy When you type URLs or queries in the address bar, the letters you type are sent to Google so the Suggest feature can automatically recommend terms or URLs you may be looking for. If you choose to share usage statistics with Google and you accept a suggested query or URL, Google Chrome will send that information to Google as well. You can disable this feature as explained here. "Your copy of Google Chrome includes one or more unique application numbers. These numbers and information about your installation of the browser (e.g., version number, language) will be sent to Google when you first install and use it and when Google Chrome automatically checks for updates. If you choose to send usage statistics and crash reports to Google, the browser will send us this information along with a unique application number as well."
Web applications • Google search reveals significant amount of information, especially over time and across applications • Amazon has a significant amount of user information
Why is Privacy Hard? • Your stories / thoughts?
Why is Privacy Hard? Definition problem • Hard to define until something bad happens • “Well, of course I didn’t mean to share that” • Risks not always obvious up front • Burglars went to airports to collect license plates • Credit info used by kidnappers in South America
Why is Privacy Hard? Social Perspective • Expectations and levels of comfort change with time and/or experience • Both individual and societal • Many people objected to having phones in their homes because it “permitted intrusion… by solicitors, purveyors of inferior music, eavesdropping operators, and even wire-transmitted germs”
Why is Privacy Hard? Social Perspective The appearance of Eastman’s cameras was so sudden and so pervasive that the reaction in some quarters was fear. A figure called the “camera fiend” began to appear at beach resorts, prowling the premises until he could catch female bathers unawares. One resort felt the trend so heavily that it posted a notice: “PEOPLE ARE FORBIDDEN TO USE THEIR KODAKS ON THE BEACH.” Other locations were no safer. For a time, Kodak cameras were banned from the Washington Monument. The “Hartford Courant” sounded the alarm as well, declaring that “the sedate citizen can’t indulge in any hilariousness without the risk of being caught in the act and having his photograph passed around among his Sunday School children.”
Why is Privacy Hard? Individual Perspective • Cause and effect may be far apart in time and space • Think of politicians and things they did when young • Video might appear on YouTube years later • Privacy is highly malleable depending on situation • People still use credit cards to buy online • Benefit outweighs cost • Power or social imbalances • Employees may not have many choices • Easy to misinterpret • Went to a drug rehabilitation clinic: why?
Why is Privacy Hard? Technical Perspective • Easier to capture data • Video cameras, camera phones, microphones, sensors • Break the “natural” boundaries of physics (walls, distance, darkness) • Easier to store and retrieve data • LifeLog technologies • Googling a potential date • Easier to share data • Ubiquitous wireless networking • Blogs, wikis, YouTube, Flickr, Facebook • Inferences and Machine Learning • Humidity to detect presence
Why is Privacy Hard? Organizational Perspective • Bad data can be hard to fix • Sen. Ted Kennedy on TSA no-fly list • Market incentives not aligned well • More info can market better • Can sell your info • Many activities are hidden • What are credit card companies, Amazon doing? • What is NSA doing?
Why is Privacy Hard? Purely HCI Perspective • Few tools • Few evaluation techniques • Lack of clear metrics
Why is Privacy Hard? Meta-Research Perspective • Privacy is a large umbrella term • Lots of different groups and schools of thought that don’t always interact or agree with each other • Tools and methods for one school of thought don’t necessarily work well for others • Privacy as anonymity • Cypherpunks, database researchers, machine learning • Privacy as a rational process for organizations • Privacy as organic process / Personal privacy • A lot of HCI, CSCW, CMC work falls here
What is Privacy? • No standard definition, many different perspectives • Different kinds of privacy • Bodily, Territorial, Communication, Information • Many different philosophical views on info privacy • Different views -> different values -> different designs • Note: next few slides not mutually exclusive
Principles vs Common Interest • Principled view -> Privacy as a fundamental right • Embodied by constitutions, longstanding legal precedent • Government not given right to monitor people • Common interest -> Privacy wrt common good • Emphasizes positive, pragmatic effects for society • Examples: • National ID cards, mandatory HIV testing
Self-determination vs Personal Privacy • Self-determination (aka data protection) • Arose due to the increasing number of databases in the 1970s • “Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” (Westin) • Led to the Fair Information Practices • Mostly about the individual with respect to governments, organizations, and commercial entities • Personal privacy • How I express myself to others and control access to myself • Mostly about the individual with respect to other individuals
Self-determination vs Personal Privacy • Examples: • Cell phone communication • Data protection view • Telecoms record whom I called • How long do they keep the data? • Personal privacy • Caller ID • What I choose to say on the phone • Instant messaging • Data protection view • Store messages? Google Talk • Privacy policy • Personal privacy • Who your buddies are • Invisible mode • Logs • Facebook
Privacy as Solitude / Isolation • “The right to be let alone” • People tend to devise strategies “to restrict their own accessibility to others while simultaneously seeking to maximize their ability to reach people” (Darrah et al 2001) • Protection from interruptions and undesired social obligations • Examples: • Spam protection • Do-not-call list, not answering mobile phone • Invisible mode, ignoring an IM • iPod cocooning on public transit
Privacy as Anonymity • Hidden among a crowd • Examples: • Web proxy to hide actual web traffic • “Someone in this room who is over 30 and once broke his right arm” vs “a female” • Location k-anonymity: report a location coarse enough that at least k people share it • This view is highly popular among technical people • Measurable • Limitations? • Needs a crowd: if few people are nearby, the location has to be coarsened until it is nearly useless
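The location k-anonymity idea from the slide above, worked as an added example (this is not code from the original slides or from the CMU course): each user's position is coarsened to a grid cell, using one global cell size chosen so that every reported cell contains at least k users. The positions, the ladder of cell sizes and the user names are constructed for the example; the last case shows the "crowd" limitation, where five users cannot be made 6-anonymous at any cell size.

```python
from collections import Counter

# Constructed sample: user -> (x, y) position in metres on a local grid.
SAMPLE_POSITIONS = {
    "alice": (120, 340),
    "bob":   (135, 355),
    "carol": (250, 460),
    "dave":  (230, 420),
    "erin":  (105, 320),
}

# Assumed ladder of cell sizes in metres, finest first.
CELL_SIZES = (10, 50, 100, 500, 1000, 5000)


def snap(pos, cell):
    """Coarsen a position to the lower-left corner of its cell-sized grid square."""
    x, y = pos
    return (x // cell * cell, y // cell * cell)


def is_k_anonymous(reported, k):
    """True if every reported value is shared by at least k users."""
    return all(n >= k for n in Counter(reported.values()).values())


def choose_cell_size(positions, k, sizes=CELL_SIZES):
    """Finest cell size at which the snapped positions are k-anonymous,
    or None if even the coarsest cell never gathers k users (the crowd limitation)."""
    for cell in sizes:
        reported = {user: snap(pos, cell) for user, pos in positions.items()}
        if is_k_anonymous(reported, k):
            return cell
    return None


def k_anonymize(positions, k, sizes=CELL_SIZES):
    """Return (cell_size, {user: reported_cell}) using ONE global granularity.
    A single granularity for everyone matters: if each user independently picked
    the finest cell that looked safe to them, the mix of cell sizes in the output
    could itself single a user out."""
    cell = choose_cell_size(positions, k, sizes)
    if cell is None:
        return None, {}
    return cell, {user: snap(pos, cell) for user, pos in positions.items()}


if __name__ == "__main__":
    for k in (2, 3, 6):
        cell, reported = k_anonymize(SAMPLE_POSITIONS, k)
        print(f"k={k}: cell size={cell} reported={reported}")
```

With the constructed positions, k=2 is satisfied at 100 m cells (alice, bob and erin share one cell, carol and dave another), k=3 only at 500 m cells (everyone collapses into one cell), and k=6 cannot be satisfied at all, which is the "crowd" limitation the slide asks about.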
Privacy as Projecting a Desired Persona • People see you the way you want them to see you • Examples: • Cleaning up your place before visitors • Putting the right books and CDs out • Having “desirable” Facebook groups,hobbies, politics, etc on your profile
Privacy as a Process • Controlled, rationalistic process • Bank and web site privacy policies • Many rules governing how personal information gathered and used • Organic and fluid process • Adjusting window blinds • Opening or closing my office door • Choosing what I do or don’t disclose during a conversation
Privacy as Protection of Self vs Others • Protecting Self • Protecting Others? • Mandatory privacy, wearing clothes • Cell phones going off in theaters
Legal Differences for Privacy • America tends to have sector-by-sector privacy laws • HIPAA, CALEA, COPPA, FERPA, finance, video rentals • Many of the legal rulings on privacy happen in the judiciary • Wiretapping, advanced sensing tech • Cynically: wait until a disaster happens, then try to fix it • Europe has comprehensive privacy laws • European Union Data Protection Directive • Stronger focus on prevention • Working party that issues rulings on biometrics, privacy policies, etc • Keeps up with technologies
Privacy Policies • Evidence strongly suggests people don’t read privacy policies (unless assigned as homework) • Carlos Jensen et al, CHI 2004 • Problems with privacy policies? • Too hard to read • Privacy policy changed, can I challenge it? • “This policy can change at any time, come back often” • Cover your @$$ • No market or perhaps legal interest in doing better
Segmenting Users • Westin and others have been running surveys over the past few years looking at individuals wrt orgs • Don’t care (~10%) • I’ve got nothing to hide • We’ve always adapted • "You have zero privacy anyway. Get over it." • Fundamentalist (~25%) • Don’t understand the tech • Don’t trust others to do the right thing • Pragmatist (~65%) • Cost-benefit • Communitarian benefit to society as well as individual
Control – Setting Privacy Policies • Web-based specification of privacy preferences • Users can create groups and put screennames into groups • Users can specify what each group can see
Control – System Tray • Coarse grain controls plus access to privacy settings
Is Privacy always Good? • Reputation management • Can be used as a shield for abusive behavior • Supermarket loyalty cards • Gauge effect of marketing, effects of price and demand • Market to best customers • Can streamline economic transactions • Easy credit • EU – “Regulators prosecuted an animal rights activist who published a list of fur producers and a consumer activist who criticized a large bank on a Web page that named the bank’s directors.”
Social Translucency • Make participants and their activities apparent to others • Ex. Alice is unlikely to repeatedly query for Bob’s location if she knows Bob can see each request • Erickson is implicitly arguing for optimistic privacy: allow the access, but make it visible, and rely on social norms rather than up-front restriction
Plausible Deniability • Another example of supporting a norm • If I don’t answer my phone: • Busy, shower, driving, bozo • Ambiguity is good here • How to build it into systems? • Natural part of most asynchronous communication systems • Unclear in general • How reliable should our systems be? • Spam filters • Location granularity
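The three design ideas on the preceding slides, group-based privacy settings (Control – Setting Privacy Policies), social translucency (the target sees every request made about them) and plausible deniability through location granularity, fit together in one small location-sharing service. The code below is an added example, not code from the slides or from the CMU People Finder system; the granularity ladder, the account fields and the names are constructed assumptions. The one deliberate design choice worth noticing is that a blocked request and an "invisible" user produce exactly the same answer, so a requester cannot tell which one they hit.

```python
from dataclasses import dataclass, field

# Assumed disclosure ladder, coarsest first: what a group may be told.
LEVELS = ("none", "city", "neighborhood", "building", "exact")


@dataclass
class Account:
    name: str
    # One description of the current location per granularity level.
    location: dict
    # Group name -> set of screennames (the user puts buddies into groups).
    groups: dict = field(default_factory=dict)
    # Group name -> most detailed level that group may see.
    policy: dict = field(default_factory=dict)
    # Coarse-grained switch (the "system tray" control): tell everyone nothing.
    invisible: bool = False
    # Every request about this user, visible to the user (social translucency).
    request_log: list = field(default_factory=list)


def allowed_level(account, requester):
    """Finest level granted by any group the requester belongs to, 'none' if no group."""
    best = "none"
    for group, members in account.groups.items():
        if requester in members:
            level = account.policy.get(group, "none")
            if LEVELS.index(level) > LEVELS.index(best):
                best = level
    return best


def query_location(target, requester):
    """Answer a location request at the granularity the target's policy allows.
    'Invisible' and 'not allowed' both return None, so the requester cannot
    distinguish them (plausible deniability). The request is logged either way,
    so the target can see who keeps asking (social translucency)."""
    level = "none" if target.invisible else allowed_level(target, requester)
    target.request_log.append((requester, level))
    if level == "none":
        return None
    return {"level": level, "value": target.location[level]}


def build_sample():
    """Constructed sample account: two groups, one buddy in both, per-group policy."""
    return Account(
        name="alice",
        location={"city": "Pittsburgh", "neighborhood": "Oakland",
                  "building": "Wean Hall", "exact": "Wean Hall 4623"},
        groups={"friends": {"bob", "erin"}, "coworkers": {"carol", "erin"}},
        policy={"friends": "neighborhood", "coworkers": "building"},
    )


if __name__ == "__main__":
    alice = build_sample()
    print(query_location(alice, "bob"))    # friend: neighborhood-level answer
    print(query_location(alice, "carol"))  # coworker: building-level answer
    print(query_location(alice, "erin"))   # in both groups: the finer of the two
    print(query_location(alice, "dave"))   # in no group: None
    alice.invisible = True
    print(query_location(alice, "bob"))    # None, indistinguishable from dave's case
    print(alice.request_log)               # alice sees every request, granted or not
```

A requester who is in several groups gets the finest level any of them allows; if a deployment wants the most restrictive group to win instead, that is a one-line change in allowed_level, and it is exactly the kind of policy question the slides say users find hard to reason about.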
Subtle Control • “[The Active Badge] could tell when you were in the bathroom, when you left the unit, and how long and where you ate your lunch. EXACTLY what you are afraid of.” • allnurses.com