Title: Usable Privacy and Security. Author: Jason Hong. Last modified by: xin liu. Created Date: 6/7/2004 12:23:39 AM. Document presentation format: On-screen Show. Slides: 73.

Transcript and Presenter's Notes

1
Privacy
Acknowledgement Jason Hong, CMU
2
Overview of Privacy
  • Why care?
  • Why is it hard?
  • Thinking about and Designing for Privacy
  • Specific HCI issues and designs
  • Why privacy might not matter
  • Very broad look at privacy
  • Social aspects, legal aspects, philosophical,
    user interface

3
Why Care About Privacy? End-User Perspective
  • Protection from spam, identity theft, mugging
  • Discomfort over surveillance
  • Lack of trust in work environments
  • Might affect performance, mental health
  • May contribute to feeling of lack of control over
    life
  • Starting over
  • Something stupid you did as a kid
  • Creativity and freedom to experiment
  • Protection from total societies
  • Room for each person to develop individually
  • Lack of adoption of tech

4
The Fundamental Tension
  • More information can be used for good and for bad
  • Facebook
  • Keeping in touch with friends
  • But embarrassing photos or breakups recorded for
    all time?
  • Google search reveals a significant amount of
    information, especially over time and across
    applications

5
The Fundamental Tension
  • More information can be used for good and for bad
  • Facebook
  • Keeping in touch with friends
  • But embarrassing photos or breakups recorded for
    all time?
  • People Finder
  • Okayness checking and coordination
  • But also stalking, monitoring at work, or
    embarrassment
  • Amazon (or any ecommerce site)
  • Can improve search results, personalized content
  • Price discrimination, selling your info to
    others, not keeping your info safe from hackers

6
Why is Privacy Hard?
  • Characteristics
  • Real-time, distributed
  • Invisibility of sensors
  • Potential scale
  • What data? Who sees it?
  • Design Issues
  • No control over system
  • No feedback, cannot act appropriately
  • You think you are in one context, actually in
    many
  • No value proposition

7
Why is Privacy Hard?
  • Devices becoming more intimate
  • Call record, SMS messages
  • Calendar, Notes, Photos
  • History of locations, People nearby,
    Interruptibility
  • With us nearly all the time
  • Portable and automatic diary
  • Accidental viewing, losing device, hacking
  • Protection from interruptions
  • Calls at bad times, other people's (annoying)
    calls
  • Projecting a desired persona
  • Accidental disclosures of location, plausible
    deniability

8
Why is Privacy Hard?
  • Your stories / thoughts?

9
Why is Privacy Hard? Definition problem
  • Hard to define until something bad happens
  • "Well, of course I didn't mean to share that"
  • Risks not always obvious up front
  • Burglars went to airports to collect license
    plates
  • Credit info used by kidnappers in South America

10
Why is Privacy Hard? Social Perspective
  • Expectations and levels of comfort change with
    time and/or experience
  • Both individual and societal
  • Many people objected to having phones in their
    homes because it permitted intrusion by
    solicitors, purveyors of inferior music,
    eavesdropping operators, and even
    wire-transmitted germs

11
Why is Privacy Hard? Social Perspective
  • "The appearance of Eastman's cameras was so sudden
    and so pervasive that the reaction in some
    quarters was fear. A figure called the 'camera
    fiend' began to appear at beach resorts, prowling
    the premises until he could catch female bathers
    unawares."
  • "One resort felt the trend so heavily that it
    posted a notice: PEOPLE ARE FORBIDDEN TO USE
    THEIR KODAKS ON THE BEACH. Other locations were
    no safer. For a time, Kodak cameras were banned
    from the Washington Monument. The Hartford
    Courant sounded the alarm as well, declaring that
    the sedate citizen can't indulge in any
    hilariousness without the risk of being caught in
    the act and having his photograph passed around
    among his Sunday School children."

12
Why is Privacy Hard? Individual perspective
  • Cause and effect may be far in time and space
  • Think politicians and actions they did when young
  • Video might appear on YouTube years later
  • Privacy is highly malleable depending on
    situation
  • Still use credit cards to buy online
  • Benefit outweighs cost
  • Power or social imbalances
  • Employees may not have many choices
  • Easy to misinterpret
  • Went to drug rehabilitation clinic, why?

15
Why is Privacy Hard? Technical Perspective
  • Easier to capture data
  • Video cameras, camera phones, microphones,
    sensors
  • Break natural boundaries of physics
  • Easier to store and retrieve data
  • LifeLog technologies
  • Googling a potential date
  • Easier to share data
  • Ubiquitous wireless networking
  • Blogs, wikis, YouTube, Flickr, FaceBook
  • Inferences and Machine Learning
  • Humidity to detect presence

16
Why is Privacy Hard? Organizational Perspective
  • Bad data can be hard to fix
  • Sen. Ted Kennedy on TSA no-fly list
  • Market incentives not aligned well
  • More info can market better
  • Can sell your info
  • Many activities are hidden
  • What are credit card companies, Amazon doing?
  • What is NSA doing?

17
Why is Privacy Hard? Purely HCI Perspective
  • Few tools
  • Few evaluation techniques
  • Lack of clear metrics

18
Why is Privacy Hard? Meta-Research Perspective
  • Privacy is a large umbrella term
  • Lots of different groups and schools of thought
    that don't always interact or agree with each
    other
  • Tools and methods for one school of thought
    don't necessarily work well for others
  • Privacy as anonymity
  • Cypherpunks, database researchers, machine
    learning
  • Privacy as a rational process for organizations
  • Privacy as organic process / Personal privacy
  • A lot of HCI, CSCW, CMC work falls here
  • Ubicomp 2003
  • Workshop on Privacy (mostly men)
  • Workshop on Intimate Computing (mostly women)

19
What is Privacy?
  • No standard definition, many different
    perspectives
  • Different kinds of privacy
  • Bodily, Territorial, Communication, Information
  • Many different philosophical views on info
    privacy
  • Different views -> different values -> different
    designs
  • Note next few slides not mutually exclusive

20
Principles vs Common Interest
  • Principled view -> Privacy as a fundamental right
  • Embodied by constitutions, longstanding legal
    precedent
  • Government not given the right to monitor people
  • Common interest -> Privacy with respect to the common good
  • Emphasizes positive, pragmatic effects for
    society
  • Examples
  • National ID cards, mandatory HIV testing

21
Self-determination vs Personal Privacy
  • Self-determination (aka data protection)
  • Arose due to increasing number of databases in
    1970s
  • Privacy is the claim of individuals, groups or
    institutions to determine for themselves when,
    how, and to what extent information about them is
    communicated to others (Westin)
  • Led to Fair Information Practices (more shortly)
  • More of individual with respect to governments,
    organizations, and commercial entities
  • Personal privacy
  • How I express myself to others and control access
    to myself
  • More of individual with respect to other
    individuals

22
Self-determination vs Personal Privacy
  • Examples
  • Cell phone communication
  • Data protection view
  • Telecoms record about who I called
  • How long keep the data?
  • Personal privacy
  • Caller ID
  • What I choose to say on phone
  • Instant messaging
  • Data protection view
  • Store messages? Google Talk
  • Privacy policy
  • Personal privacy
  • Who your buddies are
  • Invisible mode
  • Logs
  • Facebook

23
Privacy as Solitude / Isolation
  • The right to be let alone
  • People tend to devise strategies to restrict
    their own accessibility to others while
    simultaneously seeking to maximize their ability
    to reach people (Darrah et al 2001)
  • Protection from interruptions and undesired
    social obligations
  • Examples
  • Spam protection
  • Do-not call list, not answering mobile phone
  • Invisible mode, ignoring an IM
  • iPod cocooning on public transit

24
Privacy as Anonymity
  • Hidden among a crowd
  • Examples
  • Web proxy to hide actual web traffic
  • Someone in this room who is over 30 and once
    broke his right arm vs a female
  • Location k-anonymity
  • This view is highly popular among technical
    people
  • Measurable
  • Limitations?
  • Crowd
  • Not Turag
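The "location k-anonymity" bullet above is the one item on this slide that is measurable, so here is an added example of it (not code from the slides): spatial cloaking by quadtree, which answers a location query with the smallest cell around the requester that still holds at least k other users. The user names and positions are constructed; the limitation the slide hints at (no crowd, no anonymity) shows up as a cell that grows to the whole map, or as no answer at all.

```python
# Added example (not from the slides): location k-anonymity by spatial
# cloaking. Instead of a point, a location query is answered with the
# smallest quadtree cell around the user that still holds at least k users.
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    x0: float
    y0: float
    x1: float
    y1: float

    def contains(self, x, y):
        return self.x0 <= x < self.x1 and self.y0 <= y < self.y1


def anonymity_set(region, users):
    """Names of the users the region hides the requester among (the measurable part)."""
    return {name for name, (x, y) in users.items() if region.contains(x, y)}


def cloak(user, users, k, world=Region(0, 0, 1024, 1024), min_cell=1.0):
    """Smallest quadtree cell containing `user` with >= k users, or None when
    even the whole world has fewer than k users: no crowd, no anonymity."""
    ux, uy = users[user]
    if len(anonymity_set(world, users)) < k:
        return None
    region = world
    while region.x1 - region.x0 > min_cell:
        mx, my = (region.x0 + region.x1) / 2, (region.y0 + region.y1) / 2
        # the quadrant of `region` that holds the requesting user
        child = Region(region.x0 if ux < mx else mx, region.y0 if uy < my else my,
                       mx if ux < mx else region.x1, my if uy < my else region.y1)
        if len(anonymity_set(child, users)) < k:
            break  # shrinking further would leave fewer than k users in the cell
        region = child
    return region


# Constructed sample positions on a 1024 x 1024 grid (hypothetical users).
USERS = {"alice": (100, 100), "bob": (120, 90), "carol": (300, 400), "dave": (900, 900)}

if __name__ == "__main__":
    for k in (2, 3, 5):
        r = cloak("alice", USERS, k)
        print(k, r, r and sorted(anonymity_set(r, USERS)))
    # dave is alone in his quadrant, so the only cell hiding him is the whole world
    print(cloak("dave", USERS, 2))
```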

25
Privacy as Projecting a Desired Persona
  • People see you the way you want them to see you
  • Examples
  • Cleaning up your place before visitors
  • Putting the right books and CDs out
  • Having desirable Facebook groups, hobbies,
    politics, etc on your profile

26
Privacy as a Process
  • Controlled, rationalistic process
  • Bank and web site privacy policies
  • Many rules governing how personal information
    gathered and used
  • Organic and fluid process
  • Adjusting window blinds
  • Opening or closing my office door
  • Choosing what I do or don't disclose during a
    conversation

27
Privacy as Protection of Self vs Others
  • Protecting Self
  • Protecting Others?
  • Mandatory privacy, wearing clothes
  • Cell phones going off in theaters

28
Overview of Privacy
  • Why care?
  • Why is it hard?
  • Thinking about and Designing for Privacy
  • Specific HCI issues and designs
  • Why privacy might not matter

29
Legal Differences for Privacy
  • America tends to have sector-by-sector privacy
    laws
  • HIPAA, CALEA, COPPA, FERPA, finance, video
    rentals
  • Much of the legal rulings on privacy happens in
    judiciary
  • Wiretapping, advanced sensing tech
  • Cynically, wait until a disaster happens, then
    try to fix
  • Europe has comprehensive privacy laws
  • European Union Data Protection Directive
  • Stronger focus on prevention
  • Working party that will issue rulings on
    biometrics, privacy policies, etc

30
Fair Information Practices (FIPs)
  • Many laws based on Fair Information Practices
  • Set of principles stating how organizations
    should handle personal information
  • Based on Self-determination / Data Protection
    view
  • Privacy is the claim of individuals, groups or
    institutions to determine for themselves when,
    how, and to what extent information about them is
    communicated to others (Westin)
  • Note many variants of FIPs
  • Will discuss Organization for Economic
    Cooperation and Development, one of the
    strictest sets

31
Fair Information Practices (FIPs)
  • Collection limitation
  • Data quality
  • Purpose specification
  • Use limitation
  • Reasonable security
  • Openness and transparency
  • Individual participation
  • Accountability

32
Implications for Design
  • Data protection perspective on privacy
  • Organizations collecting lots of data
  • Hospitals, financial institutions, etc
  • However, few tools for helping organizations do
    the right thing in HCI or elsewhere

33
SPARCLE
  • Can author privacy policies in natural language

34
SPARCLE
  • Parses those policies

35
SPARCLE
  • Attaches those policies to data collected
  • Enforced by some policy engine

36
Privacy Policies
  • Evidence strongly suggests people don't read
    privacy policies (unless assigned as homework)
  • Carlos Jensen et al, CHI 2004
  • Problems with privacy policies?
  • Too hard to read
  • Privacy policy changed, can I challenge?
  • "This policy can change at any time, come back
    often"
  • Cover your @ss
  • No market or perhaps legal interest

37
Multi-Level Privacy Policies
  • http://www.pg.com/privacy/english/privacy_notice.html

38
Multi-Level Privacy Policies
  • Idea from EU Working group on privacy
  • Short - Few sentences, for mobile phone
  • Condensed - Half page summary
  • Full - Details

39
Platform for Privacy Preferences Protocol (P3P)
  • A machine-readable way for web sites to state
    their privacy policies
  • One of the original scenarios
  • Users could define what info willing to share
    with web sites
  • Name, address, email, etc
  • Could download P3P from web site
  • What they collect, why they collect, who they
    share, etc
  • Web browser could then share or not share info
  • Thoughts?
  • Incentives for people to participate, adoption
  • Like buying insurance, don't want to do it until
    you have to
  • Vendors have to make P3P, users have to create
    policies

41
Segmenting Users
  • Westin and others have been running surveys over
    the past few years looking at individuals wrt
    orgs
  • Don't care (10%)
  • "I've got nothing to hide"
  • "We've always adapted"
  • "You have zero privacy anyway. Get over it."
  • Fundamentalist (25%)
  • Don't understand the tech
  • Don't trust others to do the right thing
  • Pragmatist (65%)
  • Cost-benefit
  • Communitarian benefit to society as well as
    individual

42
Segmenting Users
  • Best to focus your designs on the don't care and
    pragmatist segments
  • Huge caveat this only applies to individuals and
    organizations, not individuals to individuals
  • There still is not a good survey instrument for
    this
  • Literature suggests that Westin survey does not
    have strong correlation with what people share
    with others
  • May also mean that privacy studies have unknown
    bias in them

43
Contextual Instant Messaging
  • Facilitate coordination and communication by
    letting people request contextual information via
    IM
  • Interruptibility (via SUBTLE toolkit)
  • Location (via Place Lab WiFi positioning)
  • Active window
  • Developed a custom client and robot on top of AIM
  • Client (Trillian plugin) captures and sends
    context to robot
  • People can query imbuddy411 robot for info
  • howbusyis username
  • Robot also contains privacy rules governing
    disclosure

44
Control Setting Privacy Policies
  • Web-based specification of privacy preferences
  • Users can create groups and put screennames into
    groups
  • Users can specify what each group can see

45
Control System Tray
  • Coarse grain controls plus access to privacy
    settings

46
Feedback Notifications
47
Feedback Social Translucency
48
Feedback Offline Notification
49
Feedback Summaries
50
Feedback Audit Logs
51
Evaluation
  • Recruited fifteen people for four weeks
  • Selected people highly active in IM (i.e.
    undergrads)
  • 120 buddies, 1580 messages / week (sent and
    received)
  • 3.3 groups created per person
  • Notified other parties of imbuddy411 service
  • Update AIM profile to advertise
  • Would notify other parties at start of
    conversation

52
Results of Evaluation
  • 321 queries
  • 1 query / person / day
  • 61 distinct screennames, 15 repeat users
  • 67 interruptibility, 175 location, 79 active
    window
  • Added Stalkerbot near end of study
  • A stranger making 2 queries per person per day

53
Results Controls
  • Controls easy to use (4.5 / 5, s = 0.7)
  • "I really liked the privacy settings the way
    they are. I thought they were easy to use,
    especially changing between privacy settings."
  • "I felt pretty comfortable with using it because
    you can just easily modify the privacy settings."
  • However, can be lots of effort
  • "It's time consuming, if you have a long
    buddylist, to set up for each person."
  • Asked for more location disclosure levels
  • Around or near a certain place

54
Results Comfort Level
  • Comfort level good (4 / 5, s = 0.9)
  • 12 participants noticed stalkerbot, 3 didn't
    until debriefing
  • However, no real concerns
  • Reasoned that our stalkerbot was a buddy or old
    friend
  • Also confident in their privacy control settings
  • "I know they won't get any information, because I
    set to the default so they won't be able to see
    anything."

55
Results Appropriateness of Disclosures
  • Mostly appropriate (2.47 / 5, where 3 is
    appropriate)
  • Useful information for requester? Right level of
    info?
  • Two people increased privacy settings, one after
    experimentation, other after too many requests
    from specific person
  • However, more complaints about accuracy
  • Ex. Left a laptop in a room to get food, person
    wasn't there

58
Results Usefulness of Feedback
  • Bubble notification, 1.6 / 6 (s = 0.6)
  • Disclosure log, 1.8 (s = 1.3)
  • Mouse-over notification, 3.7 (s = 1.0)
  • Offline statistic notification, 4 (s = 1.4)
  • Social translucency Trillian tooltip popup, 4.8
    (s = 1.1)
  • Peripheral red-dot notification, 5.4 (s = 0.7)

59
Discussion
  • Disclosure log not used heavily
  • Though people liked knowing that it was there
    just in case
  • Surprisingly few concerns about privacy
  • No user expressed strong privacy concerns
  • Feature requests were all non-privacy related
  • If low usage, due to not enough utility, not due
    to privacy
  • Does this mean our privacy is good enough, or is
    this because of users' attitudes and behaviors?

60
Understanding Adoption
  • Need to tie attitudes and behavior with adoption
    models

Teens
61
Optimistic vs Pessimistic Privacy
  • How to tell computer when and when not to
    disclose information to others?
  • Most privacy controls pessimistic, prevent bad
  • Setting up rules
  • An alternative design is optimistic
  • Assume bad things rare
  • Detect and fix after the fact
  • Pros and cons?
  • Have to predict in advance disclosures
  • Can't fix everything after the fact

62
Several UIs Combine Aspects of Both
  • AT&T Find Friends
  • Add friends (pessimistic)
  • They have unlimited queries but you also see each
    query (optimistic)
  • Interactive mode possible too

Always Allow (Optimistic)
Ask
Bozo (Pessimistic)
Allow today (Limited Optimistic)
Just this once
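The imbuddy411 controls (groups of screennames with a disclosure level per group, slide 44), the disclosure audit log (slide 50), and the pessimistic/optimistic options just listed (Bozo, Always Allow, Allow today) fit together in one small engine. The following is an added example and not the IMBuddy code: group rules decide pessimistically, an "allow today" grant discloses optimistically but is logged, and a check over the audit log flags strangers who keep querying, the behaviour the study's stalkerbot exhibited. Screennames, timestamps, context values and the two-per-day threshold are constructed assumptions.

```python
# Added example (not the imbuddy411 code from the slides): a small disclosure
# engine that combines pessimistic group rules with optimistic, audited
# "allow today" grants, plus a detector that reads the audit log.
from collections import defaultdict
from datetime import datetime, timedelta

# Disclosure levels per context type, coarse to fine; index 0 discloses nothing.
LEVELS = {
    "location": ["nothing", "city", "neighborhood", "building"],
    "interruptibility": ["nothing", "busy/free"],
    "active_window": ["nothing", "application", "window title"],
}


class PrivacyRobot:
    def __init__(self):
        self.groups = {}      # group name -> set of requester screennames
        self.rules = {}       # group name -> {context type: allowed level}
        self.blocked = set()  # "Bozo": never sees anything, rules or not
        self.grants = {}      # (requester, context) -> expiry of an optimistic grant
        self.log = []         # audit log: (time, requester, context, level shown)

    def add_group(self, name, members, **levels):
        self.groups[name] = set(members)
        self.rules[name] = levels

    def group_of(self, requester):
        return next((g for g, m in self.groups.items() if requester in m), None)

    def allow_today(self, requester, context, now):
        # Optimistic: full detail until the end of the day; every use is logged.
        self.grants[(requester, context)] = now.replace(hour=23, minute=59, second=59)

    def query(self, requester, context, now, values):
        """`values[i]` is the owner's context at level i (values[0] is empty)."""
        level = 0
        group = self.group_of(requester)
        if group is not None:
            level = self.rules[group].get(context, 0)
        if self.grants.get((requester, context), now) > now:
            level = len(LEVELS[context]) - 1
        if requester in self.blocked:
            level = 0
        self.log.append((now, requester, context, LEVELS[context][level]))
        return values[level]


def suspicious_strangers(robot, min_per_day=2):
    """Requesters in no group who query at least min_per_day times in one day
    (threshold is an assumption; the slides' stalkerbot made 2 per person per day)."""
    counts = defaultdict(int)
    for t, requester, _context, _level in robot.log:
        if robot.group_of(requester) is None:
            counts[(requester, t.date())] += 1
    return sorted({r for (r, _day), n in counts.items() if n >= min_per_day})


if __name__ == "__main__":
    robot = PrivacyRobot()
    robot.add_group("friends", ["bob"], location=2, interruptibility=1)
    robot.add_group("coworkers", ["carol"], interruptibility=1)
    t0 = datetime(2024, 3, 1, 10, 0)  # constructed timestamp
    loc = ["", "Pittsburgh", "Oakland", "Wean Hall"]  # constructed context values
    print(robot.query("bob", "location", t0, loc))    # Oakland (friends: level 2)
    print(robot.query("carol", "location", t0, loc))  # empty: coworkers have no location rule
    robot.allow_today("carol", "location", t0)
    print(robot.query("carol", "location", t0 + timedelta(hours=1), loc))  # Wean Hall
    for hour in (9, 14):  # a stranger probing twice in one day
        robot.query("stalkerbot", "location", t0.replace(hour=hour), loc)
    print(suspicious_strangers(robot))  # ['stalkerbot']
```

Every query lands in the log regardless of outcome, which is what makes the after-the-fact detection possible; denied queries from strangers are the most useful entries in it.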
63
Conjecture Concerns Relax Over Time
64
Privacy Placebos?
  • Privacy policies
  • IMBuddy audit logs
  • CareNet display

65
Is Privacy always Good?
  • Reputation management
  • Can be used as a shield for abusive behavior
  • Supermarket loyalty cards
  • Gauge effect of marketing, effects of price and
    demand
  • Market to best customers
  • Can streamline economic transactions
  • Easy credit
  • EU regulators prosecuted an animal rights
    activist who published a list of fur producers
    and a consumer activist who criticized a large
    bank on a Web page that named the bank's
    directors.

66
Lessig's Framework
  • Most of the HCI privacy work falls under
    understanding Norms and building Architecture
  • Tom Erickson argues that we should help
    facilitate norms through translucent systems

67
Social Translucency
  • Make participants and their activities apparent
    to others
  • Ex. Alice is unlikely to repeatedly query for
    Bob's location if she knows Bob can see each
    request
  • Erickson is implicitly arguing for optimistic
    privacy

68
Plausible Deniability
  • Another example of supporting a norm
  • If I don't answer my phone
  • Busy, shower, driving, bozo
  • Ambiguity is good here
  • How to build into systems?
  • Natural part of most asynchronous communication
    systems
  • Unclear in general
  • How reliable should our systems be?
  • Spam filters
  • Location granularity

70
Panopticon
  • Subtle way of controlling prisoners
  • Idea first observed by Jeremy Bentham
  • Popularized by Michel Foucault
  • Modern day versions?

71
Subtle Control
  • The Active Badge could tell when you were in
    the bathroom, when you left the unit, and how
    long and where you ate your lunch. EXACTLY what
    you are afraid of.
  • allnurses.com

72
One Taxonomy
Before
  • Rules
  • Testing rules
  • Anonymizing your data
During
  • Go / no go decision
  • Better interactive feedback
After
  • Detection
  • Audits