Privacy and Sensor Andrew
Jason Hong

Post on 20-Dec-2015


• Characteristics
– Real-time, distributed
– Invisibility of sensors
– Potential scale

• Questions
– What data is collected?
– Who can see it?
– What is it used for?
– How long is data kept?

• Issues
– Unease over surveillance
– Choice in the matter

A Personal Story about Privacy

• Protection from spam, identity theft, mugging
• Discomfort over perceived surveillance

– Lack of trust in work environments

– Might affect performance, mental health

– May contribute to feeling of lack of control over life

• Lack of adoption of tech

Why Care About Privacy? End-User Perspective

Risks range from everyday to extreme, by who is doing the looking:

Everyday Risks ... Extreme Risks
Stalkers, Muggers: Well-being; Personal safety
Employers: Over-monitoring; Discrimination; Reputation
Friends, Family: Over-protection; Social obligations; Embarrassment
Government: Civil liberties; Subtle control

“[The Active Badge] could tell when you were in the bathroom, when you left the unit, and how long and where you ate your lunch. EXACTLY what you are afraid of.”

- allnurses.com

• Hard to define until something bad happens
– “Well, of course I didn’t mean to share that”

– “I know it when I lose it”

– No generally agreed upon definition for privacy

• Risks not always obvious up front
– Burglars went to airports to collect license plates

– Credit info used by kidnappers in South America

– Humidity sensors used to infer presence (Luk and Perrig)

Why is Privacy Hard? Definition problem

• Cause and effect may be far apart in time and space
– Think of politicians and actions they took when young

– Video might appear on YouTube years later

• Privacy is highly malleable depending on situation
– Still use credit cards to buy online

– Benefit outweighs cost

• Power or social imbalances
– Employees may not have many choices

• Easy to misinterpret
– Went to drug rehabilitation clinic, why?

Why is Privacy Hard? Individual perspective


• Easier to capture data
– Video cameras, camera phones, microphones, sensors
– Break “natural” boundaries of physics

• Easier to store and retrieve data
– LifeLog technologies
– Googling a potential date

• Easier to share data
– Ubiquitous wireless networking
– Blogs, wikis, YouTube, Flickr, Facebook

• Inferences and machine learning
– Humidity to detect presence
– Work by Microsoft Research predicting where you’re going

Why is Privacy Hard? Technical Perspective

Some Useful Ways of Thinking about Privacy

• “Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” (Westin)

• Led to Fair Information Practices
– Note: many variants of FIPs
– Will discuss the Organization for Economic Cooperation and Development (OECD) set, one of the strictest
– Useful for organizations collecting lots of data
– Hospitals, financial institutions, etc.

Fair Information Practices (FIPs)

• Collection limitation
• Data quality
• Purpose specification
• Use limitation
• Reasonable security
• Openness and transparency
• Individual participation
• Accountability

Some Suggestions for Sensor Andrew

Applying the FIPs listed above:

• Have clear privacy policies for data collection and retention
• Make it clear what is being deployed and why (both on the Sensor Andrew web site and on signs)
• No hidden databases
• Make sure databases and wireless networks use basic encryption and have the latest patches (might not be an immediate concern though)
• Provide some level of choice (opt-in / opt-out)
• Value proposition for end-users
• Have someone clearly in charge of privacy (sort of a Chief Privacy Officer)

Privacy Policies

• Evidence strongly suggests people don’t read privacy policies (unless assigned as homework)
– Carlos Jensen et al., CHI 2004

• But probably better to have them for Sensor Andrew
– Forces us to have thought through the issues
– Somewhat of a placebo effect

Multi-Level Privacy Policies

• Example: http://www.pg.com/privacy/english/privacy_notice.html

• Idea from the EU working group on privacy
– Short: a few sentences, for a mobile phone or sign
– Condensed: half-page summary on the web site
– Full: details on the web site

• Overall, privacy policies are a good short-term goal

Privacy as Projecting a Desired Persona

• People see you the way you want them to see you
• Examples:

– Cleaning up your place before visitors

– Putting the right books and CDs out

– Having “desirable” Facebook groups, hobbies, politics, etc. on your profile

• This is more about interpersonal privacy, versus privacy with respect to organizations

Some Sensor Andrew Scenarios

• Students see when faculty arrive and leave (or vice versa)

• Spouse checks if really leaving office “right now”
• Parents try to look up information about children
• Stalker monitors stalkee
• “Creepy but cool”

• How others use Sensor Andrew
• Want to project a desirable persona, while being protected from intrusive queries

Long-Term Research Possibilities

• Provide multiple layers of protection

Sensor Layer
• Actual sensors and wireless networking
• Limitations on what is collected
• Some natural ambiguity
• Plausible deniability

Data Layer
• Storage and access to sensed data
• Might limit what others can access
• UW RFID project
• Might log all queries for potential audits
• Might have a way of translating privacy policies into something that limits queries
• Checks that certain info is not released

User Interface Layer
• Providing controls and feedback to end-users
• Makes people feel in control of the system
• Social translucency
• Awareness
• PAWS
• Can at least act right

Questions?

Contextual Instant Messaging

• Facilitate coordination and communication by letting people request contextual information via IM
– Interruptibility (via SUBTLE toolkit)

– Location (via Place Lab WiFi positioning)

– Active window

• Developed a custom client and robot on top of AIM
– Client (Trillian plugin) captures and sends context to the robot
– People can query the imbuddy411 robot for info
• “howbusyis username”
– Robot also contains privacy rules governing disclosure

• Web-based specification of privacy preferences
– Users can create groups and put screennames into groups
– Users can specify what each group can see

Control – Setting Privacy Policies

• Coarse grain controls plus access to privacy settings

Control – System Tray

Feedback – Notifications

Feedback – Social Translucency

Feedback – Offline Notification

Feedback – Summaries

Feedback – Audit Logs
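The Data Layer ideas above (per-group disclosure rules, logging every query for audit, checks that certain info is not released, natural ambiguity) and the imbuddy411 group rules can be shown together in one toy broker. This is an added example, not code from the Sensor Andrew or imbuddy411 projects; the user names, context fields, sample values and the "exact"/"coarse" granularity scheme are all assumptions.

```python
from datetime import datetime, timezone

# Constructed sample of sensed context for one user (not real data).
SENSED = {"alice": {"location": "Wean Hall / 4th floor / room 4603",
                    "interruptibility": "busy", "active_window": "budget.xls"}}

# Per-owner disclosure policy: group membership, then per group which field may
# be seen and at what granularity ("exact", or "coarse" = building only).
POLICY = {"alice": {
    "groups": {"family": {"bob"}, "coworkers": {"carol"}},
    "rules": {"family": {"location": "coarse", "interruptibility": "exact"},
              "coworkers": {"interruptibility": "exact"}}}}

AUDIT_LOG = []  # every query is recorded, answered or not, for later audit

def query(requester, owner, field):
    """Answer one context query under the owner's rules and log the attempt."""
    policy = POLICY.get(owner, {"groups": {}, "rules": {}})
    group = next((g for g, m in policy["groups"].items() if requester in m), None)
    mode = policy["rules"].get(group, {}).get(field)
    value = SENSED.get(owner, {}).get(field)
    if mode is None or value is None:
        answer = None                   # not permitted for this group: withhold
    elif mode == "coarse" and field == "location":
        answer = value.split(" / ")[0]  # natural ambiguity: building only
    else:
        answer = value
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "requester": requester, "owner": owner, "field": field,
                      "group": group, "disclosed": answer is not None})
    return answer

def handle_im(requester, text):
    """Handle the 'howbusyis <screenname>' robot command from the slide."""
    parts = text.split()
    if len(parts) != 2 or parts[0] != "howbusyis":
        return "unknown command"
    ans = query(requester, parts[1], "interruptibility")
    return f"{parts[1]} is {ans}" if ans else f"{parts[1]}: not available to you"

def audit_summary(owner):
    """Per-requester [queries, disclosures] counts, for the owner's review."""
    counts = {}
    for e in AUDIT_LOG:
        if e["owner"] == owner:
            c = counts.setdefault(e["requester"], [0, 0])
            c[0] += 1
            c[1] += int(e["disclosed"])
    return counts
```

A denied query is logged exactly like an answered one, so the owner's summary shows who kept asking for things they were not allowed to see.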

• Separate projects into tiers?
– High-risk and low-risk ones
– Or a step-by-step guide for all projects

• Permission from office owners
– Informed opt-in
– How long to retain info?
– How long is anonymized data kept?
– How easy is it to de-anonymize data?

• What makes Sensor Andrew different from other systems collecting info that can be inferred?

• Higher standard for us because of possible fusion
• Use sensors only in public spaces / hallways
• Don’t store anything until we have figured out better policies?
• Let individuals see info about themselves
• Participatory design