Participatory Privacy in Urban Sensing
Katie Shilton, Jeff Burke, Deborah Estrin, Mark Hansen, Mani B. Srivastava
MODUS 2008: April 21, 2008
Talked to your IRB today?
• Respect
• Beneficence
• Justice
Broad principles balance risk & discovery for many kinds of investigations.
Are there principles like this for urban sensing?
• Confidentiality
• Informed consent
• Statement of risks
Investigations by the public
Close to individuals & intermixed in daily life.
Wide-spread ability to collect & share data.
Pilots:
• PEIR
• CBE
Participatory sensing: Campaigns to help people gather data, make case
Influences
Participatory sensing
• Community-based participatory research (CBPR)
• Participatory action research (PAR) [1, 2]
• Participatory design (PD) [3]
Privacy
• Contextual privacy [4]
• Information ethics [5-7]
Participatory Privacy Regulation
System Designers
Campaign Groups
Participants
Decision about boundaries
Trust & commitment
Process of system design and use
Where privacy regulation fits
Control over capture
Control over resolution
Control over sharing
Control over retention
Decision about boundaries
Participation
Campaign goals
Instrument design
Data collection
Data analysis
Technical approaches to privacy
Existing toolbox includes:
• Privacy warning, notification, or feedback systems [8-10];
• User control over data sharing [11];
• Identity management systems [12];
• Selective retention systems [8];
• Encryption, privacy-enhancing technologies [13];
• Statistical anonymization of data [4];
• Data retention or its opposite, ‘forgetting’ [14, 15].
Participatory privacy regulation design guidelines
1. Participant primacy
2. Participatory design
3. Participant autonomy
4. Minimal, auditable information
5. Synergy between policy & technology
Design guideline 1: participant primacy
Feature examples:
• Data visualization, interfaces (where did I go today?)
• Alerts and reminders (it’s 9 pm: turn sensing off!)
Challenges:
• Legible interfaces
• Developing effective alert mechanisms that do not disrupt data collection or annoy participants
Help users take role, responsibilities of investigators
Design guideline 2: participatory design
Customizable features:
• Data representation (can you see our houses?)
• Selective sharing (share only with campaign leaders)
• Retention, reuse (we don’t need data after Jan 1, 2009)
Challenges:
• Flexible systems to adjust capture, storage, representation of data.
• Flexibility achieved early in the design process.
Customize systems to campaign needs
Design guideline 3: participant autonomy
Feature examples:
• Discretion tools (replace this trip with ‘average’ trip)
• Selective retention (delete from 9 to 10 am)
Challenges:
• Building discretion tools
• Analyzing incomplete and/or falsified data
• Logging use of discretion tools
Enabling participants to negotiate privacy context
Design guideline 4: minimal, auditable information
Feature examples:
• Parsimonious sensors (collect location using only cell tower triangulation)
• Processing close to source
• Audit mechanisms (log who accesses data)
Challenges:
• Designing systems that support and benefit from minimal data collection.
• Building auditing mechanisms viewable, legible, useable by participants.
Parsimonious capture, watchdogs
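
Guidelines 3 and 4 name selective retention ("delete from 9 to 10 am"), logging use of discretion tools, and audit mechanisms ("log who accesses data"). The sketch below shows how the three fit together in one participant-owned store; it is an added example, not code from the talk or its pilots, and `TraceStore`, its methods and the sample trace are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass(frozen=True)
class Sample:
    ts: datetime
    cell_id: str  # coarse cell-tower location only (parsimonious capture)

@dataclass
class TraceStore:  # hypothetical participant-owned store, not an API from the talk
    owner: str
    samples: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)  # append-only by convention

    def _log(self, actor, action, detail):
        self.audit_log.append({"at": datetime.now().isoformat(timespec="seconds"),
                               "actor": actor, "action": action, "detail": detail})

    def delete_window(self, actor, start, end):
        """Selective retention: drop samples with start <= time of day < end."""
        if actor != self.owner:
            raise PermissionError("only the participant may delete their data")
        kept = [s for s in self.samples if not (start <= s.ts.time() < end)]
        removed = len(self.samples) - len(kept)
        self.samples = kept
        # Record that discretion was used and how much, never the deleted values.
        self._log(actor, "delete_window", f"{start}-{end} removed={removed}")
        return removed

    def read(self, actor, allowed):
        """Selective sharing: every access attempt is logged, granted or not."""
        granted = actor == self.owner or actor in allowed
        self._log(actor, "read" if granted else "read_denied", f"n={len(self.samples)}")
        if not granted:
            raise PermissionError(f"{actor} is not on the sharing list")
        return list(self.samples)

    def accesses_by_others(self):
        return [e for e in self.audit_log if e["actor"] != self.owner]

def demo():
    day = datetime(2008, 4, 21)  # constructed trace: every 30 min, 08:00 to 10:30
    trace = [Sample(day.replace(hour=8 + i // 2, minute=30 * (i % 2)), f"cell-{i}")
             for i in range(6)]
    store = TraceStore("alice", trace)
    removed = store.delete_window("alice", time(9), time(10))
    store.read("campaign_leader", allowed={"campaign_leader"})
    try:
        store.read("advertiser", allowed={"campaign_leader"})
    except PermissionError:
        pass  # denied, but the attempt still appears in the audit log
    return removed, len(store.samples), [e["action"] for e in store.accesses_by_others()]
```

The log entry for a deletion carries only the window and a count, so analysts can account for incomplete data without recovering what the participant chose to withhold.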
Design guideline 5: synergy between policy & technology
Achieved through:
• Sharing responsibility
• Discussing problems best addressed by policy vs. technology.
Challenges:
• Authoring policy to support technology
• Designing technology to support policy.
Software and hardware can’t do everything
In the future: evaluation
How well do these principles – and resultant software – work?
Meet design challenges: negotiating policy, building discretion tools, audit mechanisms, etc.
Log data: measuring use of the privacy regulation features
Interviews: evaluating participant trust of systems
Participant observation: determining when and why participants feel boundary or identity sensitivities; evaluating whether systems adequately address these sensitivities
Participant critique: of design methods, software, and conclusions
Conclusions
Participation over restriction
Balance between privacy and participation enables sensing systems to reach research, empowerment, documentary potential.
Participation in restriction
Enables participants to limit sensing according to their needs, values.
Citations
[1] M. Cargo and S. L. Mercer, "The value and challenges of participatory research: strengthening its practice," Annual Review of Public Health, vol. 29, 2008.
[2] E. Byrne and P. M. Alexander, "Questions of ethics: Participatory information systems research in community settings," in SAICSIT Cape Winelands, South Africa, 2006, pp. 117-126.
[3] S. Pilemalm and T. Timpka, "Third generation participatory design in health informatics - making user participation applicable to large-scale information system projects," Journal of Biomedical Informatics, 2007 (in press).
[4] H. Nissenbaum, "Privacy as contextual integrity," Washington Law Review, vol. 79, pp. 119–158, 2004.
[5] J. Waldo, H. S. Lin, and L. I. Millett, Engaging privacy and information technology in a digital age. Washington, D.C.: The National Academies Press, 2007.
[6] L. Palen and P. Dourish, "Unpacking "privacy" for a networked world," in CHI 2003. vol. 5 Ft. Lauderdale, FL: ACM, 2003, pp. 129-136.
[7] J. E. Cohen, "Privacy, Visibility, Transparency, and Exposure," University of Chicago Law Review, vol. 75, 2008.
[8] G. R. Hayes, E. S. Poole, G. Iachello, S. N. Patel, A. Grimes, G. D. Abowd, and K. N. Truong, "Physical, social and experiential knowledge in pervasive computing environments," Pervasive Computing, vol. 6, pp. 56-63, 2007.
[9] M. S. Ackerman and L. Cranor, "Privacy critics: UI components to safeguard users' privacy," in Conference on Human Factors in Computing Systems CHI'99: ACM Publications, 1999, pp. 258-259.
[10] D. H. Nguyen and E. D. Mynatt, "Privacy mirrors: understanding and shaping socio-technical ubiquitous computing systems," Georgia Institute of Technology GIT-GVU-02-16, 2002.
[11] D. Anthony, D. Kotz, and T. Henderson, "Privacy in location-aware computing environments," Pervasive Computing, vol. 6, pp. 64-72, 2007.
[12] S. Patil and J. Lai, "Who gets to know what when: configuring privacy permissions in an awareness application," in SIGCHI Conf. Human Factors in Computing Systems (CHI 05) Portland, Oregon: ACM Press, 2005, pp. 101–110.
[13] H. Burkert, "Privacy-enhancing technologies: Typology, critique, vision," in Technology and privacy: The new landscape, P. E. Agre and M. Rotenberg, Eds. Cambridge, MA and London: The MIT Press, 1998, pp. 125-142.
[14] L. Bannon, "Forgetting as a feature, not a bug: the duality of memory and implications for ubiquitous computing," CoDesign, vol. 2, pp. 3-15, 2006.
[15] J.-F. Blanchette and D. G. Johnson, "Data retention and the panoptic society: the social benefits of forgetfulness," The Information Society, vol. 18, 2002.