Understanding and Capturing People

1
Understanding and Capturing Peoples Privacy
Policies in a People Finder Application
Madhu Prabaker, Jinghai Rao, Ian Fette, Patrick
Kelley, Lorrie Cranor, Jason Hong, Norman
SadehCarnegie Mellon University
2
Overview

• Case study of People Finder application
• What it is
• How it works
• Lab studies and field trials
• Lessons Learned / Opinions and Conjectures

3
User-Controllable Privacy and SecurityProject
Overview

• Overall Goal Better UIs for managing privacy and
  security for pervasive computing
• Simple ways of specifying policies
• Clear notifications and explanations of what
  happened
• Better visualizations to summarize results
• Machine learning for learning preferences
• Start with small evaluations, continue with
  large-scale ones
• Large multi-disciplinary team and project
• Six faculty, 2 postdocs, five students
• Roughly 2 years into project

4
User-Controllable Privacy and SecurityProject
Overview

• Applications
• People Finder
• Contextual Instant Messaging (later at Ubicomp)
• Grey Access Control to resources
• Some Challenges
• Not being burdensome or annoying
• Right balance of expressiveness and simplicity
• Providing enough value so people will use our
  apps!
• Security privacy our main concern, but not
  users

5
People Finder

• Lets you find other peoples location, subject to
  any specified rules
• Okayness checking
• Rendezvous
• Requestors have a list of buddies whose location
  they can request via web, system tray, or mobile
  phone

6
Web Interface
7
System Tray and Mobile Phone
8
Plausible Deniability Built in
9
Found a Person
10
Found Another Person
11
Some Architectural Details

• Laptop version uses Skyhook for positioning
• Skyhook based on Intel Place Lab, uses WiFi
  localization
• We also use a database provided by CMU to
  determine name of location
• Each WiFi access point has an associated place
  name
• Newell-Simon Hall 2504
• Mobile phone version uses Intel POLS for
  positioning
• POLS uses GSM towers for localization
• Doesnt work well in Pittsburgh, not enough GSM
  towers

12
Users can Specify Rules

• Also generates human-readable description of rule

13
More Rules
14
Can Also Specify Places in Rules
15
User FeedbackBalloon Pop-Up

• Basic feedback (currently only for laptops)

16
User FeedbackRequest History
17
User FeedbackRequest History
18
History Also Used for Audits and ML
19
History Also Used for Audits and ML
20
System Architecture
21
System Architecture

• Centralized architecture
• Location stored in a server rather than on
  end-user devices
• Doesnt this go against design goals of Place
  Lab, POLS, and your dissertation, Jason?
• Some Musings on Privacy
• No users even asked about this issue
• Would likely only be small subset of tech-savvy
  users
• Easier upgrades (think service vs app)
• Made it very easy to add laptop functionality
• Makes Last seen feature possible
• Better performance for some features (ex.
  querying groups)

22
Lab Studies

• Goal how well does Machine Learning work for
  learning prefs?
• Setup
• 19 participants
• Asked to create initial rule set
• Go thru a 30 scenarios where someone requested
  location
• What their rule would do
• Whether they agreed with rule
• Option to change their rules

23
Lab Studies

• Users not very accurate
• 5 min to create rules, 8 min if include refining
  rules
• Rules ranged 1-10, 5 rules
• Weak correlation between time spent and accuracy
• Case-based reasoning yielded pretty good results
• Caveat scenarios probed unusual situations, may
  not mirror actual practice

24
Field Trials

• Three different groups (not simultaneous)
• 15 team members amongst ourselves, 6 wks
• 7 MBA students, 2 wks
• 6 people involved in organizing Spring Carnival,
  9 days
• Asked or paid people to audit, to see accuracy
• Usage uneven
• Requests ranged from single digits to 100s
• Looking at top 12 heavy users, accuracy of rules
  79
• People tended to relax rules over time
• Initially were conservative, allowed more use
  later on

25
Lessons Thus Far

• Surprisingly few concerns about privacy
• No user expressed strong privacy concerns
• Feature requests were always non-privacy related
• If low usage, due to not enough utility, not due
  to privacy
• Does this mean our privacy is good enough, or is
  this because of users attitudes and behaviors?
• Hard to tell

26
Users Attitudes and Behaviors

• Westin identified three clusters of people wrt
  attitudes toward commercial entities
• Fundamentalists (25)
• Unconcerned (10)
• Pragmatists (65)
• We need something like this for ubicomp
• But for personal privacy rather than for
  commercial entities
• With more fine-grained segmentation
• Fundamentalists include techno-libertarians and
  luddites
• Pragmatists include too busy, not enough value,
  etc
• Better segmentation would help us understand if
  our privacy is good enough

27
Users Attitudes and Behaviors

• Need to tie better with adoption models

28
Lessons Thus Far

• Also need to consider cost-benefit issues
• Lowering Costs
• Making rule creation easier and faster
• Facebook widget, avoid yet another social
  network problem
• Linking with instant messaging
• Phone with GPS built-in rather than separate
  device
• Increasing Benefits
• Speed of getting someones location
• Getting multiple peoples locations
• Finding location of people not on list
• Quality of location (accuracy, place names)

29
Lessons Thus Far

• Critical mass a huge problem
• Started with mobile phones, but high-end phones
  so we could only deploy a few at a time
• Laptop version helped address this problem
• Believe Facebook widget will overcome this
  problem
• People did not use history and auditing features
  often
• Primarily because we asked or paid them
• IMBuddy But seemed to feel better knowing it was
  there!
• Other features to assuage concerns, even if not
  used?

30
Our Next Steps

• Facebook widget and larger study
• Adding more features
• More contextual info, interruptibility and window
  name
• Simplified user interface
• Simplifying the privacy model
• Supporting common patterns (co-workers only when
  at work, family and close friends always, etc)

31
End-User Privacy in HCI

• 137 page article surveying privacy in HCI and
  CSCW
• Forthcoming in the new Foundations and Trends
  journal, in a few weeks

32
Acknowledgements

• NSF Cyber Trust CNS-0627513
• NSF IIS CNS-0433540
• ARO DAAD19-02-0389
• France Telecom
• Nokia
• IBM
• Skyhook