Location Privacy - PowerPoint PPT Presentation

Slides: 20
Provided by: christop170
Learn more at: http://www.cs.cmu.edu

Transcript and Presenter's Notes


1
Location Privacy
  • Christopher Pride

2
Readings
  • Location Disclosure to Social Relations: Why,
    When, and What People Want to Share
    by Sunny Consolvo, et al.
  • Presenting Choices in Context: Approaches to
    Information Sharing
    by Jonathan Grudin and Eric Horvitz
  • Wireless Location Privacy Protection
    by Bill Schilit, Jason Hong, and Marco Gruteser
  • Optional: Privacy Risk Models for Designing
    Privacy-Sensitive Ubiquitous Computing
    by Jason Hong, Jennifer Ng, Scott Lederer, and
    James Landay

3
Location Disclosure to Social Relations: Overview
  • Three Phases
    • Phase 1: Initial Interview
      • Background
      • Social network data for Phase 2
      • Opinions on location disclosure
    • Phase 2: Experience Sampling Method
      • Location requests accompanied by surveys over the
        course of 10 days
    • Phase 3: Exit Interviews
      • Took a privacy classification survey
      • Allowed modifications to the opinions given in
        Phase 1

4
Location Disclosure Study: Data Collection
  • Single Request vs Standing Request
  • Location Precision
  • Refusal Messages
    • System Busy, I am Busy, Request Denied, <lie>
  • Current Activities
  • Nightly Voicemail Diary
  • Two-week Period
    • 10 Daily Location Requests
  • Only 16 participants
    • All from non-technical positions
    • Equally split between male and female
    • 2 Students
    • 14 of 16 had an SO
    • 4 had Children
    • 11 Full-time, 3 Part-time, 1 Housemaker
    • All based in Seattle Area

5
Location Disclosure Study: Findings (1)
  • What participants would disclose
    • More likely to give detailed information, if any
    • Less specific information was given when details
      were likely to be less useful
  • Effect of the relationship of the requester to
    the participant
    • Most likely to respond in the order SO, Friends,
      Family, Co-Worker, Manager
    • Opinion of participant towards requester had an
      effect
  • Effect of where the requester lived relative to
    the participant
  • Effect of the participant's location when he
    received the request
    • Between 85-70 response rate at most locations
    • Co-workers and Managers much less likely to get a
      response outside of work

6
Location Disclosure Study: Findings (2)
  • Effect of the participant's activity or mood when
    he received the request
    • Current Activity had a definite effect
    • Mood had some effect
  • Effect of the participant's privacy
    classification
    • Seemed to have very little correlation
  • Why participants rejected requests
    • Certain Times or Activities were not to be
      interrupted
    • When they were doing something that they didn't
      want the requester to know about
  • What participants wanted to know about the
    locations of others
    • Correlation between disclosure and desire to know
      location
  • Participants' privacy and security concerns
    • Concern about Social implications of knowledge of
      location
    • Worried about what would happen if a third party
      used the technology to spy on them

7
Location Disclosure Study: Decision Making
  • Who is making the request (and how do I feel
    about that person right now)?
  • Why does the requester need to know?
  • What would be most useful to the requester?
  • Am I willing to disclose that? (Because if I am
    not willing to disclose what is useful, I will
    not disclose.)
  • Is this similar to the decision process you would
    use?

8
Approach to Information Sharing (1)
  • Pessimistic
    • Privileges for Access set at Creation
    • Most people don't like to modify afterwards
    • Knowledge of Proper permissions at creation is
      not certain
  • Optimistic
    • Allow access with monitoring
    • Use monitoring to disallow those that you don't
      want to have access
    • Problem: Cat is out of the bag
  • Interactive
    • Requests for information arrive with 3 options
      • Grant Unconditional Access
      • Grant One-Time Access
      • Deny Access

9
Approach to Information Sharing (2)
  • Applications
    • Calendaring
    • Parental Controls
  • How well do these approaches apply to real-time
    information such as Location?

10
Problems with Readily Available Location Information
  • Economic Damage
    • Spam
  • Social Ramifications
    • Reputation Harm
    • Misunderstandings
  • Other major Problems? Stalkers?

11
Steps to protect Location Privacy
  • Intermittent Connectivity
  • User Interfaces
  • Network Privacy
  • These each have associated problems. What are
    they?

12
Privacy Analysis: Social and Organizational
Context
  • Who are the users of the system?
    • Who are the data sharers, the people sharing
      personal information?
    • Who are the data observers, the people that see
      that personal information?
  • What kinds of personal information are shared?
    Under what circumstances?
    • How does Ubicomp change what can be known?
    • What information is known explicitly and
      implicitly?
    • How often does the data change?
  • What is the value proposition for sharing
    personal information?
    • What does the sharing party gain?

13
Privacy Analysis: Social and Organizational
Context (2)
  • What are the relationships between data sharers
    and data observers?
    • What is the relevant level, nature, and symmetry
      of trust?
    • What incentives do data observers have to protect
      data sharers' personal information (or not, as
      the case may be)?
  • Is there the potential for malicious data
    observers (e.g., spammers and stalkers)?
    • What kinds of personal information are they
      interested in?
  • Are there other stakeholders or third parties
    that might be directly or indirectly impacted by
    the system?
  • Does this change the purpose of an existing
    technology?

14
Privacy Analysis: Technology
  • How is personal information collected?
    • Who has control over the computers and sensors
      used to collect information?
    • Network-Based, Network-Assisted, Client-Based
  • How is personal information shared?
    • Is it opt-in or is it opt-out (or do data sharers
      even have a choice at all)?
    • Do data sharers push personal information to data
      observers? Or do data observers pull personal
      information from data sharers?
  • How much information is shared?
    • Is it discrete and one-time?
    • Is it continuous?
    • Ideally, the minimum amount of data to accomplish
      the task.

15
Privacy Analysis: Technology (2)
  • What is the quality of the information shared?
    • With respect to space, is the data at the room,
      building, street, or neighborhood level?
    • With respect to time, is it real-time, or is it
      several hours or even days old?
    • With respect to identity, is it a specific
      person, a pseudonym, or anonymous?
  • How long is personal data retained?
    • Where is it stored?
    • Who has access to it?

16
Privacy Analysis: Risk Management
  • The likelihood L that an unwanted disclosure of
    personal information occurs
  • The damage D that will happen on such a
    disclosure
    • Scale
  • The cost C of adequate privacy protection
    • Continual Cost to user and Development costs
  • In general, in situations where C < L·D the privacy
    protections should be implemented

17
Privacy Analysis: Risk Management (2)
  • How does the unwanted disclosure take place?
    • Is it an accident (for example, hitting the wrong
      button)?
    • A misunderstanding (for example, the data sharer
      thinks they are doing one thing, but the system
      does another)?
    • A malicious disclosure?
  • How much choice, control, and awareness do data
    sharers have over their personal information?
    • What kinds of control and feedback mechanisms do
      data sharers have to give them choice, control,
      and awareness?
    • Are these mechanisms simple and understandable?
    • What is the privacy policy, and how is it
      communicated to data sharers?
    • What are the default settings?
    • Are these defaults useful in preserving one's
      privacy?
  • In what cases is it easier, more important, or
    more cost-effective to prevent unwanted
    disclosures and abuses? To detect disclosures and
    abuses?
  • Are there ways for data sharers to maintain
    plausible deniability?
  • What mechanisms for recourse or recovery are
    there if there is an unwanted disclosure or an
    abuse of personal information?
    • What are the ramifications of the disclosure?

18
Discussion Points
  • Are there any questions that have been overlooked
    (Social, Technological, Risk Management)?
  • How do these questions work alongside the
    Location Disclosure studies for a people locator?
  • Location Privacy is obviously important; are the
    current protection methodologies even going to be
    sufficient?

19
Group Work
  • Split into groups and, using the results of the
    first paper and its decision-making process,
    attempt to come up with a set of steps that a
    computer could take to automate as much of the
    decision-making process as possible.
  • Decision-Making Process
    • Who is making the request (and how do I feel
      about that person right now)?
    • Why does the requester need to know?
    • What would be most useful to the requester?
    • Am I willing to disclose that? (Because if I am
      not willing to disclose what is useful, I will
      not disclose.)
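One way to attempt the group-work task, as an added example that is not from the slides or from any of the papers: a small Python policy that automates the decision process using the interactive approach (slide 8), the relationship ordering and outside-of-work finding from the study (slide 5), the refusal messages from slide 4, and the room/building/street/neighborhood precision levels from slide 15. The relationship-to-precision defaults, the coordinate-rounding table, and the rule that standing requests get one level coarser are constructed assumptions, as are all sample names and coordinates.

```python
from dataclasses import dataclass, field
from enum import IntEnum

# Spatial quality levels from the privacy-analysis questions; higher value = coarser
Precision = IntEnum("Precision", "ROOM BUILDING STREET NEIGHBORHOOD", start=0)

# Constructed defaults: closer relationship = finer location, following the
# study's SO > friends/family > co-worker > manager response order
DEFAULT_PRECISION = {"SO": Precision.ROOM, "friend": Precision.BUILDING,
                     "family": Precision.BUILDING, "coworker": Precision.STREET,
                     "manager": Precision.NEIGHBORHOOD}
WORK_ONLY = {"coworker", "manager"}      # rarely got a response outside of work
# Decimal places of latitude/longitude kept per level (assumed; 2 places ~ 1 km cell)
DECIMALS = {Precision.ROOM: 5, Precision.BUILDING: 4,
            Precision.STREET: 3, Precision.NEIGHBORHOOD: 2}

@dataclass
class Request:
    requester: str
    relationship: str
    standing: bool = False     # standing (repeated) request vs single request

@dataclass
class Policy:
    unconditional: dict = field(default_factory=dict)   # requester -> Precision

    def grant_unconditional(self, requester, precision):
        """User chose 'Grant Unconditional Access': remembered for later requests."""
        self.unconditional[requester] = precision

    def decide(self, req, at_work, busy):
        """Return ('grant', Precision) or ('deny', refusal message shown to the requester)."""
        if req.requester in self.unconditional:
            return ("grant", self.unconditional[req.requester])
        if busy:                                  # activity not to be interrupted
            return ("deny", "I am busy")
        if req.relationship in WORK_ONLY and not at_work:
            return ("deny", "Request Denied")
        prec = DEFAULT_PRECISION.get(req.relationship)
        if prec is None:                          # unknown relationship: no disclosure
            return ("deny", "Request Denied")
        if req.standing:           # one-time grant, one level coarser, never remembered
            prec = Precision(min(prec + 1, Precision.NEIGHBORHOOD))
        return ("grant", prec)

def answer(policy, req, at_work, busy, lat, lon):
    """Either the refusal message or coordinates coarsened to the granted level."""
    verdict, detail = policy.decide(req, at_work, busy)
    if verdict == "deny":
        return detail
    d = DECIMALS[detail]
    return (round(lat, d), round(lon, d))
```

The coarsening step is what keeps disclosure at the "minimum amount of data to accomplish the task" (slide 14): a manager asking during work hours gets a neighborhood-sized cell, while a remembered unconditional grant is answered without consulting the context rules at all.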