Privacy and Sensor Andrew - PowerPoint PPT Presentation

About This Presentation

Slides: 35
Provided by: jason203
Learn more at: http://www.cs.cmu.edu

Transcript and Presenter's Notes

1
Privacy and Sensor Andrew
Jason Hong
2
A Personal Story about Privacy
  • Characteristics
    • Real-time, distributed
    • Invisibility of sensors
    • Potential scale
  • Questions
    • What data is collected?
    • Who can see it?
    • What is it used for?
    • How long is data kept?
  • Issues
    • Unease over surveillance
    • Choice in the matter

3
Why Care About Privacy? End-User Perspective
  • Protection from spam, identity theft, mugging
  • Discomfort over perceived surveillance
  • Lack of trust in work environments
    • Might affect performance, mental health
    • May contribute to feeling of lack of control over
      life
  • Lack of adoption of tech

4
Subtle Control
  • "The Active Badge could tell when you were in
    the bathroom, when you left the unit, and how
    long and where you ate your lunch. EXACTLY what
    you are afraid of."
  • Source: allnurses.com

5
Why is Privacy Hard? Definition problem
  • Hard to define until something bad happens
    • "Well, of course I didn't mean to share that"
    • "I know it when I lose it"
  • No generally agreed upon definition for privacy
  • Risks not always obvious up front
    • Burglars went to airports to collect license
      plates
    • Credit info used by kidnappers in South America
    • Humidity sensors used to infer presence (Luk and
      Perrig)

6
Why is Privacy Hard? Individual perspective
  • Cause and effect may be far in time and space
    • Think politicians and actions they did when young
    • Video might appear on YouTube years later
  • Privacy is highly malleable depending on
    situation
    • Still use credit cards to buy online
    • Benefit outweighs cost
  • Power or social imbalances
    • Employees may not have many choices
  • Easy to misinterpret
    • Went to drug rehabilitation clinic, why?

7-9
Why is Privacy Hard? Technical Perspective
  • Easier to capture data
    • Video cameras, camera phones, microphones,
      sensors
    • Break natural boundaries of physics
  • Easier to store and retrieve data
    • LifeLog technologies
    • Googling a potential date
  • Easier to share data
    • Ubiquitous wireless networking
    • Blogs, wikis, YouTube, Flickr, FaceBook
  • Inferences and Machine Learning
    • Humidity to detect presence
    • Work by Microsoft Research predicting where
      you're going

10
Some Useful Ways of Thinking about Privacy
  • "Privacy is the claim of individuals, groups or
    institutions to determine for themselves when,
    how, and to what extent information about them
    is communicated to others" (Westin)
  • Led to Fair Information Practices
    • Note many variants of FIPs
    • Will discuss Organization for Economic
      Cooperation and Development, one of the
      strictest sets
  • Useful for organizations collecting lots of data
    • Hospitals, financial institutions, etc

11
Fair Information Practices (FIPs)
  • Collection limitation
  • Data quality
  • Purpose specification
  • Use limitation
  • Reasonable security
  • Openness and transparency
  • Individual participation
  • Accountability

12-16
Some Suggestions for Sensor Andrew
Fair Information Practices (repeated on each slide):
  • Collection limitation
  • Data quality
  • Purpose specification
  • Use limitation
  • Reasonable security
  • Openness and transparency
  • Individual participation
  • Accountability

Suggestions:
  • Have clear privacy policies for data collection
    and retention
  • Make it clear what is being deployed and why
    (both on Sensor Andrew web site and signs). No
    hidden databases
  • Make sure databases and wireless networks use
    basic encryption and have latest patches (might
    not be immediate concern though)
  • Provide some level of choice (opt-in /
    opt-out). Value proposition for end-users
  • Have someone clearly in charge of privacy (sort
    of a Chief Privacy Officer)

17
Privacy Policies
  • Evidence strongly suggests people don't read
    privacy policies (unless assigned as homework)
    • Carlos Jensen et al., CHI 2004
  • But probably better to have them for Sensor
    Andrew
    • Forces us to have thought through issues
    • Somewhat of a placebo effect

18
Multi-Level Privacy Policies
  • http://www.pg.com/privacy/english/privacy_notice.html

19
Multi-Level Privacy Policies
  • Idea from EU Working group on privacy
  • Short - Few sentences, for mobile phone or sign
  • Condensed - Half page summary on web site
  • Full - Details on web site
  • Overall, privacy policies are a good short-term
    goal

20
Privacy as Projecting a Desired Persona
  • People see you the way you want them to see you
  • Examples
    • Cleaning up your place before visitors
    • Putting the right books and CDs out
    • Having desirable Facebook groups, hobbies,
      politics, etc on your profile
  • This is more about interpersonal privacy, versus
    privacy with respect to organizations

21
Some Sensor Andrew Scenarios
  • Students see when faculty arrive and leave (or
    vice versa)
  • Spouse checks if really leaving office right
    now
  • Parents try to look up information about children
  • Stalker monitors stalkee
  • Creepy but cool
  • How others use Sensor Andrew
  • Want to project a desirable persona, while being
    protected from intrusive queries

22
Long-Term Research Possibilities
  • Provide multiple layers of protection
    • User Interface Layer
    • Data Layer
    • Sensor Layer
  • Sensor Layer
    • Actual sensors and wireless networking
    • Limitations on what is collected
    • Some natural ambiguity
    • Plausible deniability

23
Long-Term Research Possibilities
  • Data Layer
    • Storage and access to sensed data
    • Might limit what others can access
      • UW RFID project
    • Might log all queries for potential audits
    • Might have a way of translating privacy policies
      into something that limits queries
      • Checks that certain info not released

24
Long-Term Research Possibilities
  • User Interface Layer
    • Providing controls and feedback to end-users
    • Makes people feel in control of system
    • Social translucency
    • Awareness
    • PAWS
    • Can at least act right

25
Questions?
26
Contextual Instant Messaging
  • Facilitate coordination and communication by
    letting people request contextual information via
    IM
    • Interruptibility (via SUBTLE toolkit)
    • Location (via Place Lab WiFi positioning)
    • Active window
  • Developed a custom client and robot on top of AIM
    • Client (Trillian plugin) captures and sends
      context to robot
    • People can query imbuddy411 robot for info
      • howbusyis username
    • Robot also contains privacy rules governing
      disclosure

27
Control Setting Privacy Policies
  • Web-based specification of privacy preferences
  • Users can create groups and put screennames into
    groups
  • Users can specify what each group can see
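
Added example (not code from Sensor Andrew or imbuddy411): a minimal data layer of the kind slides 23 and 27 describe, written in Python for this page. Requesters are placed into groups, each group is granted a disclosure level for location (room, building, campus, or none) and optionally busy/free, every query is mediated against the target's rules and written to an audit log, and a denied query and a missing reading both come back as the same "unknown" answer so a requester cannot tell refusal from absence. All screennames, groups and readings are constructed.

```python
"""Group-based disclosure control with an audit log for a sensed-context data
layer. Added example, not code from Sensor Andrew or imbuddy411; all
screennames, groups and readings below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Disclosure levels for location, most to least precise; "none" releases nothing.
LEVELS = ("room", "building", "campus", "none")
# One answer for both "denied" and "no reading": a requester cannot tell which.
UNKNOWN = "unknown"


@dataclass
class Reading:
    """One person's latest sensed context (constructed sample data)."""
    room: str
    building: str
    campus: str
    busy: bool


@dataclass
class Policy:
    """A user's privacy rules: screenname groups and what each group may see."""
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # group -> screennames
    location: Dict[str, str] = field(default_factory=dict)     # group -> entry of LEVELS
    busy: Set[str] = field(default_factory=set)                # groups that may see busy/free

    def group_of(self, requester: str) -> Optional[str]:
        for name, members in self.groups.items():
            if requester in members:
                return name
        return None  # in no group: default deny


@dataclass
class AuditEntry:
    ts: datetime
    requester: str
    target: str
    attribute: str
    outcome: str  # level released, "busy", "denied" or "no-data"


class DataLayer:
    """Mediates every query against the target's policy and logs it."""

    def __init__(self) -> None:
        self.readings: Dict[str, Reading] = {}
        self.policies: Dict[str, Policy] = {}
        self.audit: List[AuditEntry] = []

    def _log(self, requester: str, target: str, attribute: str, outcome: str, answer: str) -> str:
        self.audit.append(AuditEntry(datetime.now(timezone.utc), requester, target, attribute, outcome))
        return answer

    def query(self, requester: str, target: str, attribute: str) -> str:
        if attribute not in ("location", "busy"):
            raise ValueError(f"unsupported attribute: {attribute}")
        policy = self.policies.get(target)
        if policy is None:  # no rules on file: release nothing
            return self._log(requester, target, attribute, "denied", UNKNOWN)
        is_self = requester == target  # people always see their own data
        group = policy.group_of(requester)
        if attribute == "busy":
            if not is_self and group not in policy.busy:
                return self._log(requester, target, attribute, "denied", UNKNOWN)
            level = "busy"
        else:
            level = "room" if is_self else policy.location.get(group, "none")
            if level not in LEVELS:
                raise ValueError(f"bad level in policy: {level}")
            if level == "none":
                return self._log(requester, target, attribute, "denied", UNKNOWN)
        reading = self.readings.get(target)
        if reading is None:
            return self._log(requester, target, attribute, "no-data", UNKNOWN)
        if level == "busy":
            return self._log(requester, target, attribute, level, "busy" if reading.busy else "free")
        # Coarsen: only the field at the permitted level leaves the data layer.
        return self._log(requester, target, attribute, level, getattr(reading, level))

    def who_asked_about(self, target: str) -> Dict[str, int]:
        """Audit summary for the target: requester -> query count, denied ones included."""
        counts: Dict[str, int] = {}
        for e in self.audit:
            if e.target == target and e.requester != target:
                counts[e.requester] = counts.get(e.requester, 0) + 1
        return counts


def demo() -> DataLayer:
    """Constructed scenario: 'prof' with a spouse, two students, and a stranger."""
    dl = DataLayer()
    dl.readings["prof"] = Reading(room="4301", building="Wean Hall", campus="CMU", busy=True)
    dl.policies["prof"] = Policy(
        groups={"family": {"spouse"}, "students": {"stu1", "stu2"}},
        location={"family": "building", "students": "campus"},
        busy={"family", "students"},
    )
    return dl


if __name__ == "__main__":
    dl = demo()
    for who, attr in [("spouse", "location"), ("stu1", "location"),
                      ("stalker", "location"), ("stalker", "busy")]:
        print(f"{who} asks {attr}: {dl.query(who, 'prof', attr)}")
    print("audit summary:", dl.who_asked_about("prof"))
```

Run stand-alone, the block answers the spouse with the building only, a student with the campus only, and a screenname in no group with "unknown" for both attributes. The audit summary counts denied queries as well as granted ones, which is what makes repeated probing by a stalker-type requester visible to the person being asked about; returning "unknown" for a missing reading as well as for a refusal is the plausible-deniability point of slide 22 applied at the data layer.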

28
Control System Tray
  • Coarse grain controls plus access to privacy
    settings

29
Feedback Notifications
30
Feedback Social Translucency
31
Feedback Offline Notification
32
Feedback Summaries
33
Feedback Audit Logs
34
  • Separate projects into tiers?
    • High-risk and low-risk ones
    • Or step-by-step guide for all projects
  • Permission from office owners
  • Informed opt-in
  • How long to retain info?
    • How long is anonymized data kept?
    • How easy to de-anonymize data?
  • What makes Sensor Andrew different from other
    systems collecting info that can be inferred?
    • Higher standard for us because of possible fusion
  • Use sensors only in public spaces / hallways
  • Don't store anything until we have figured out
    better policies?
  • Let individuals see info about themselves
  • Participatory design