Understanding the Privacy Implications of Using Context-based Awareness Cues in Social Networks, Ville Antila & Jussi Polet, PerCol 2012 presentation
Ville Antila*^, Jussi Polet*
*VTT Technical Research Centre of Finland, Oulu, Finland
^Philips Research, Eindhoven, The Netherlands
Background – Smarcos project
• Smarcos creates solutions to allow devices and services to exchange context information, user actions, and semantic data
• One important part of the work has been to investigate the practical usage of context information and to develop models that can be dynamic and adaptive as well as applicable to different applications
• www.smarcos-project.eu
Outline of the talk
• Introduction and challenges
• ContextCapture -application
• User study
• Results
• Discussion and lessons learned
• Conclusions
Introduction
Information from the physical world is increasingly “digitalized” and shared
Smartphones can be used to provide a wide range of awareness and presence information
Challenges (privacy implications of context-awareness in social networks)
Context (“anything that can characterize the situation of an entity”)
• The notion of ‘context’ cannot be objectively defined (a priori) by settings, actions and actors
• Rather, context is the meaning that the actions and actors acquire at any given time from the subjective perspective [Mancini et al., 2009]
• Awareness of ‘consequences’ is important for grasping the effect of actions determining the level of information disclosure
Privacy
• The level of information disclosure can be difficult to manage (awareness of consequences might not be clear)
• People can end up disclosing more information than they meant to (unwillingly)
• “Privacy is a dynamic and continuously negotiated process” [Palen & Dourish, 2003]
• People tend to appropriate the usage of a service to their own needs [Barkhuus et al., 2008]
Context-based awareness cues
• Sharing context information can create awareness about the user’s situation and thus enhance or make communication more efficient [Oulasvirta, 2008]
• Creating awareness can have multiple purposes...
  • “Declaring one’s position is perhaps as much about deixis (pointing at and referencing features of the environment) as it is about telling someone exactly where you are” [Benford et al., 2004]
• Our hypothesis is that in many cases, rather than using exact parameters provided by sensors, people would like to add semantic meaning by using more abstract terms
• We also claim that people prefer abstraction to ensure a certain level of privacy
• The challenge is to give means for the dynamic abstraction while keeping the interaction as brief as possible (cf. interactions in “4-second bursts”)
Research approach
• We developed an experimental mobile application, which allows users to add different types of contextual information to their Facebook status updates in a format of a “story” or a narrative of the situation
• We developed a semantic database which links the abstract, user-defined context labels to the low-level sensor data
• We conducted a two-week user trial exploring the usage of different abstraction levels on different context types (and their privacy implications)
ContextCapture -application (1/4)
• Architecture: A mobile application and a backend service integrated with Facebook and Twitter
• Android and Symbian mobile applications
• Backend using Jena Semantic Web toolkit and a domain context model (using RDF)
ContextCapture -application (2/4)
• Context recognition is based on different sensors
  • accelerometer, ambient light detector, GPS data, open applications on the device, the device system information and nearby Wifi access points and Bluetooth devices
• for example:
  • based on the accelerometer data, a decision is made whether the user is moving or still by using a movement detection algorithm
  • nearby Facebook friends can be detected using Bluetooth scanning
ContextCapture -application (3/4)
• Context items in ContextCapture -application
• Activity – physical activity of the user
• Applications – currently open applications
• Device – device information, such as the device type
• Friends – nearby Facebook friends using ContextCapture
• Location – abstractions using GPS, network and Wifi scan data, current street address, cell ID
• Surroundings – abstractions of physical surroundings using ambient light detector, weather etc
(Example)
• Creating a message:
As an example, a status update message generated with the previous rule could be:
“[User-defined message] Sent from [Location] while [Activity] [Description] [Topic] and [Applications Activity] with [Friends].”
“I think this is the killer app for Pervasive Computing! Sent from Conference Room 1 at PerCom 2012, Lugano, Switzerland while listening to an interesting presentation by Dr. Firstname Lastname and using Notepad with 4 conference buddies nearby.”
ContextCapture -application (4/4)
• “Collective” context is gathered from nearby devices (running ContextCapture)
  • If lacking, the mobile client can ask nearby devices for additional context information, such as GPS coordinates, address, weather etc.
• Bluetooth communication is used with a simple protocol over RFCOMM
• Request: CCRAControlProtocol:Client:ClientBluetoothName:WTHR:Request
• Response: CCRAControlProtocol:Server:ServerBluetoothName:WTHR:-3 degrees Celsius,Sunny
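The request/response exchange above, as an added example that is not the ContextCapture code: a strict parser for the colon-delimited message and a responder that answers only for context types the user has allowed. Only the WTHR code is on the slide; the field names, the `shareable` set and the rule that the payload keeps any later colons are assumptions.

```python
# Added example: strict parser and policy-gated responder for the
# colon-delimited messages shown on the slide. Only the WTHR code appears
# on the page; the field names and the policy set are assumptions.
from dataclasses import dataclass

PROTOCOL_TAG = "CCRAControlProtocol"
ROLES = {"Client", "Server"}


@dataclass(frozen=True)
class Message:
    role: str
    bt_name: str
    ctx_type: str
    payload: str


def parse(line: str) -> Message:
    """Split into exactly five fields; the payload keeps any later colons."""
    parts = line.strip().split(":", 4)
    if len(parts) != 5 or parts[0] != PROTOCOL_TAG:
        raise ValueError("not a CCRAControlProtocol message")
    _, role, bt_name, ctx_type, payload = parts
    if role not in ROLES or not bt_name or not ctx_type.isalnum():
        raise ValueError("malformed header field")
    return Message(role, bt_name, ctx_type, payload)


def respond(line: str, my_name: str, context: dict, shareable: set):
    """Answer a client request only for context types the user allows."""
    try:
        msg = parse(line)
    except ValueError:
        return None
    if msg.role != "Client" or msg.payload != "Request":
        return None
    if msg.ctx_type not in shareable or msg.ctx_type not in context:
        return None  # stay silent rather than reveal what the device holds
    value = context[msg.ctx_type]
    return f"{PROTOCOL_TAG}:Server:{my_name}:{msg.ctx_type}:{value}"
```

Bluetooth device names are user-settable and may contain a colon, which makes this field layout ambiguous; a length-prefixed or escaped encoding avoids that.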
User study
• 12 participants used ContextCapture for two weeks using their own mobile phones in their everyday lives
Participants
• …were between 30 and 46 years old, 37.25 years on average, six males and six females
• …used their own mobile devices and personal Facebook accounts during the trial
• …were experienced Facebook users as 25% of them had used the service 1-2 years and the rest for over two years
The study setup
• The participants…
1. …were emailed a short description of the study
  • Purpose, a short manual, a link with installation instructions and a link to the initial Web questionnaire
2. …used the application for two (2) weeks
  • During that time, they could tell their experiences through a Web diary (we asked them to fill in the diary at least five times)
3. …were interviewed at the end of the trial
  • The interviews were semi-structured, including questions about the users’ expectations, attitudes, privacy and the most pleasing and unpleasing experiences related to the usage
• The participants also filled in a Web questionnaire about their experiences
Findings (1/3)
• Status updates with Location information were seen as the most informative, as people often use location to give further context for their activities
• Weather information, which was related to Surroundings field, was also seen highly interesting
• Application and Device were considered as the least useful fields (average: 2.3/5.0 and 2.4/5.0)
• It seemed that many participants did not want to “advertise” the device they were using, and open applications were often unrelated or uninteresting (with regard to the current situation)
Findings (2/3)
• The participants were clearly aware of their privacy and had thought about it while using the application
• E.g. the participants did not use the addresses of their homes or of the kindergarten their children attended, even though the audience consisted of Facebook friends
• The accurate location of places was too sensitive to be shared; many of the participants stated that the semantic meaning of the place is enough
• E.g. stating “I’m at home” is adequate for the people the message is meant for
• In many participants’ opinion, sharing friends’ location without permission is not acceptable; participants preferred to use more abstract words, like “group of friends”, instead of giving the exact names
Findings (3/3)
• One key finding was that people were clearly interested in “context” as a form of communication enabler, especially while communicating with their friends (i.e. social network)
• Context information was seen to add value, but users wanted to have full control over the level of abstraction (also each subsequent time they used the system)
• Abstract labels (with a semantic meaning), such as “home”, “work” and “kindergarten” were seen more useful than more exact terms
• Abstract labels were also considered more privacy preserving in many situations
• Moreover, the usage of different abstractions was observed to be dynamic rather than static: users did change the usage of different labels in different situations
Implications for design of context-aware social applications
• With applications dealing with privacy sensitive information, the information disclosure and privacy should be fully controlled by the user
• Giving users the freedom to control the disclosure and abstraction level of contextual information:
  • creates meaningfulness and motivation for the users
  • and at the same time allows the system to gather a set of user-defined context labels with different abstraction levels (which can be associated with the gathered low-level sensor data)
• Privacy is indeed a dynamic and continuously negotiated process in which a rigorous set of prior rules can render the application useless
  • People often appropriate the shared information level according to the needs of the moment
Discussion
• Through the analysis of contextual information derived from mobile device usage patterns it is possible to infer a lot of potentially privacy-sensitive information
• There has been research in extracting these patterns from large datasets [Eagle & Pentland, 2006; Farrahi & Gatica-Perez, 2008 and 2010]
• In addition, there has been an increasing interest in exploring the social side of context-awareness in pervasive computing [Endler et al., 2011; Hosio et al., 2010]
• We argue that the increased context-awareness is an inevitable step in pervasive computing, but the privacy implications of this progress are largely not tested in the “real world” yet
• Novel approaches for capturing and storing context “labels” are called for.
Conclusions
• We have presented work investigating the practical use of labeling context information in social computing.
• The main findings include:
• Current location, activity and surroundings were the most relevant context types (in this study)
• Disclosing the nearby friends or colleagues in the status updates was seen as relevant but problematic due to privacy issues
• The context types were seen as most meaningful when the used abstraction level was high
• Participants felt that exact information, such as street address or coordinates, conveyed too matter-of-fact a description
• Whereas more abstract descriptions, such as “at the movie theatre” or “at the botanical garden”, were seen as more illustrative, interesting and meaningful
Something to take away from the talk...
• Avoid using “hard to define” rules for setting privacy preferences for different situations
• Instead, use a programming-by-example approach that lets the user label situations with the intended abstraction level “on-the-go” (along with ensuring the privacy)
• Allow these settings/labels to be changed dynamically, preferably with the least effort possible (e.g. one-click selection from a set of recommendations)
• Make the system learnable (learning the contexts and their associated labels/privacy rules while the user defines and refines these)
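One way to realise these recommendations together with the status-update template from the earlier example slide, as an added sketch that is not the ContextCapture code: the user labels each field on the go, the store links labels to the sensor reading and offers them back as one-click suggestions, and any field without a label is withheld. The field names, template wording and sensor fingerprints are assumptions.

```python
# Added example: user-labelled context with learned one-click suggestions.
# Field names, template wording and fingerprints are assumptions.
from collections import Counter, defaultdict

# (field, phrase) pairs following the order of the slide's message template.
TEMPLATE = [("location", "Sent from {}"), ("activity", "while {}"),
            ("friends", "with {}")]


class LabelStore:
    """Links user-defined labels to low-level sensor fingerprints."""

    def __init__(self):
        self._counts = defaultdict(Counter)  # (field, fingerprint) -> labels
        self._last = {}                      # (field, fingerprint) -> label

    def learn(self, field, fingerprint, label):
        """Record the label the user picked for this sensor reading."""
        self._counts[(field, fingerprint)][label] += 1
        self._last[(field, fingerprint)] = label

    def suggest(self, field, fingerprint):
        """Labels to offer: the last one used first, then by frequency."""
        key = (field, fingerprint)
        ranked = [lbl for lbl, _ in self._counts[key].most_common()]
        last = self._last.get(key)
        return ([last] if last else []) + [l for l in ranked if l != last]


def compose(text, sensed, store, choices):
    """Build the update from the user's labels; raw readings are never sent."""
    parts = [text]
    for field, phrase in TEMPLATE:
        label = choices.get(field)           # absent or None means withheld
        if label is None:
            continue
        if field in sensed:                  # remember label for this reading
            store.learn(field, sensed[field], label)
        parts.append(phrase.format(label))
    return text if len(parts) == 1 else " ".join(parts) + "."
```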
Thank you! Questions?
Ville Antila
Jussi Polet