Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy Interfaces for Location Sharing: when is too much transparency a bad thing? Blaine Price.

Similar presentations


Presentation on theme: "Privacy Interfaces for Location Sharing: when is too much transparency a bad thing? Blaine Price."— Presentation transcript:

1 Privacy Interfaces for Location Sharing: when is too much transparency a bad thing? Blaine Price

2 The PRiMMA Team... Bashar Nuseibeh Yvonne Rogers Arosha Bandara Clara Mancini Lukasz Jedrzejczyk Keerthi Thomas Morris Slowman Alessandra Russo Emil Lupu Naranker Dulay Domenico Corapi Ryan Wishart Adam Joinson

3 Outline Methods for understanding mobile privacy Some experiments on Methodology A Location Tracking User Study with Families A Privacy Feedback Interface User Study Some Lessons Learned, Future Directions Questions/Discussion/Watch Videos...

4 The Problem With Asking People About Privacy is... But it is (largely) not their fault People are bad at judging the future value of their privacy People are bad at judging how they will react to using new systems they have never used before

5 New Methods for Studying Mobile Privacy Behaviour Privacy Practices of Mobile Facebook Users Experience Sampling with Memory Phrase Found Mobile Contexts were multi-faceted, including individual perceptions, and different physical/virtual world interconnections Places, defined by emerging social cultural knowledge, are a major determinant of privacy needs, so effort at defining rules for automation can be based on a location/context pairing

6 Studying Privacy Behaviour with Future Technologies People find it difficult to imagine privacy risks in a technology they have never used Video (and written scenarios) can be powerful tools to allow participants to immerse themselves in unfamiliar tech and vicariously experience it Corporate Concept Videos Videos Apple Knowledge Navigator 1988 Microsoft Future Healthcare 2008

7 Contravision Semi-Professional video of a 6 scene story shot twice with subtle difference between versions In one version, protagonist has positive attitude and everything works perfectly Alternative verison, protagonist has negative attitude, technology has problems Participants watch one version without being told which one Wider range of privacy concerns elicited

8 User Study 1: Tracking in Families tracking and relationships Why Familes?

9 Some implicit assumptions close knit tracking is safer news.bbc.co.uk/cbbcnews/hi/newsid_ /newsid_ / stm

10 Assumptions... the tracked is the vulnerable one imgfave.com/search/someone%20deleted%20my%20tag

11 Assumptions... Enough controls will set you free en.wikipedia.org/wiki/File:STSCPanel.jpg

12 Study Design F1 F2 Mother & father Daughter1 & partner Daughter2 & boyfriend Daughter3 Mother & father Son & friend Daughter 3 weeks, 1092 unique tracking events

13 Interface examples

14 Conditions and Questions complete visibility run/chase? jordanhoffman.com/2007/03/08/ das-experiment-2001-oliver- hirschbiegel-b

15 Findings “I don’t think it makes me a better person checking up on people…so I try to stay out of it as I possibly can as it’s none of my business, but this technology makes it a little bit too easy, you are only human”

16 Conditions and Questions tracking tasks uneasy/keen?

17 Findings “It was easier to [check on others] when I was asked to do so…I didn’t feel like it was my responsibility…it wasn’t me doing it, I was just carrying out a task” delegating responsibility

18 Conditions and Questions real-time feedback reassured/deterred?

19 Findings “I would prefer not to know, or I would have to start asking myself why they are checking on me…have I done something wrong…are they after something?” questioning others’ motives

20 Unexpectedness and destabilisation “I looked him up…he was last tracked four hours ago…I thought oh did he turn his phone off…or did he turn the tracker off and why did he do that… why didn’t he tell me? Who is he with? And why is he there?” F1-Daughter2 F1-Boyfriend

21 Closeness and control “At times I’d rather she didn’t track me…but I wouldn’t use privacy preferences [as] I know that would hurt her feelings” F2-Mother F2-Son

22 Breach and predation “I feel because [they] have shown in the past that [they] are not trustworthy, that kind of [they] started it…it means I can check up on [them] and not feel too bad…[they] are unlikely to do what [they] say the do, so anything you see [on the tracker] is probably just going to confirm that”

23 Close knit tracking is not safer Tracking affects both parties The closer the less in control Conclusions

24 Inspiration for Study 2 Pervasive systems allow collection of data about individuals – Increasing proliferation and dependence on these systems – Threats to privacy Users informed and manually manage privacy settings – Impractical ! Too many controls.. Pervasive systems need automated mechanisms for governing privacy behaviours that, – Reflect user preferences, – Adapt to changes in circumstances, context and user behaviours 24

25 Goals Develop automated mechanisms for governing privacy behaviours – Reflect user preferences, – Adapt to changes in circumstances, context and user behaviours – Use Social Translucence as Privacy Interface mechanism Example: Privacy Management for Location Based Applications – Share location information with appropriate precision to the appropriate people, at the appropriate times – Provide awareness of information access. How can we learn policies from user behaviours? 25

26 Challenge 26 Build a system capable of learning mobile privacy policies enforceable on mobile devices to reduce intervention in privacy management. User Agent … Phone call Current credit Current location Requirements:  User should be able to understand and modify the learned rules.  Existing structured information and constraints should be used.  Rules should be learned incrementally.  Learned rules should be revisable (minimally) depending on changing conditions.

27 Scenario: Real-time Feedback for LBS 27 Context, Constraints Context, Constraints New /Revised Rules New /Revised Rules E+E+ E+E+ E+E+ E+E+ E-E- E+E+ “Show location lookup using {mode} if {context}” Co-location Location (GPS, name) Social Network In meeting, Alice requests Driving, Bob requests Web browsing, Alice requests  We can learn sets of policy rules:  Concept invention  Recursion  Inter-related concepts  Tailor the search (customised search heuristics)  Use probabilities to handle noise in the data

28 User Study 2: Automatic Privacy Feedback Preference Detection Surveys, Interviews and Focus groups to find range of Privacy Feedback interfaces: – Dialog Box, Toast, Notification Bar, Vibration, LED, Sound, Flashlight, Natural Language New version of Buddy Track pre-seeded with context sensitive rules on which methods to use Feedback interface using experience sampling to teach engine which policies are correct

29 How it works: Example 1 2

30 Scenario: Real-time Feedback for LBS 30 At home HHH 07:00 Lookup from At location Day 1 07:30 Learning new user behavior rules…. Context: in_group(alice, home). in_group(bob, home). happens(gps(57,10),07:00). at_location(home, W, N) ← Conditions,…. phone_position(in_hand) ← Conditions,…. Examples: not do(rtf_toast(alice), 07:00). do(rtf_toast(bob), 07:30). do(rtf_toast(bob), 11:00). New policy: do(rtf_toast(Call_Id, From), T ) ← phone_position(in_hand) ∧ T ≥ 07:30

31 Scenario: Real-time Feedback for LBS 31 At home At Imperial Near desktop HCCHFCFH H 07:30 Lookup from At location Near device Day 2 …. and revising existing rules incrementally Context: ……….. do(rtf_toast(Call_Id, From), T ) ← phone_position(in_hand) ∧ T ≥ 07:30 Revised policy: do(rtf_toast(Req_Id, From), T ) ← phone_position(in_hand) ∧ T ≥ 07:30 ∧ in_group(From, college) do(rtf_toast(Req_Id, From), T ) ← phone_position(in_hand) ∧ T ≥ 07:30 ∧ ¬holdsAt(location(Imperial)), T )

32 Using privacy policies 32 Privacy policies; do(rtf_toast(Call_Id, From), T ) ← phone_position(in_hand) ∧ T ≥ 07:30 ∧ in_group(From, college). do(rtf_toast(CallId, From), T ) ← phone_position(in_hand) ∧ T ≥ 07:30 ∧ ¬holdsAt(status(bluetooth_near(desktop)), T ). Context … in_group(charles, college). …. 1) Location request made 2) do(rtf_toast(charles),T) ? YES 3) Toast notification of location lookup Querying rules….

33 User Study & Findings 15 participants, loosely knit groups, 3 weeks 2 phases (learning, evaluation) Predefined rules used in the phase 1 Interviews Increased accuracy (appropriateness of notifications). Greater Trust and Comfort. Awareness of notifications contributes towards the acceptance of the technology. “Invisibility” of the interface.

34 Summary 34 State-of-the-art learning system able to learn – Properties about the data, even if not directly observed – Recursive and inter-dependent policies – (Revised) policies from negative and positive examples – Incrementally – Minimal revisions of existing policies Demonstrated utility of learning for adaptive awareness for privacy management.

35 Future Directions Domain-specific heuristics – Apply to other lifelogging domains Application to (large) real data sets Scalability and efficiency Privacy Interface Controls too complicated – Apply learning to data from groups of users to derive ‘default’ privacy configurations – Learn privacy threats and requirements 35


Download ppt "Privacy Interfaces for Location Sharing: when is too much transparency a bad thing? Blaine Price."

Similar presentations


Ads by Google