
Privacy Interfaces for Location Sharing: when is too much transparency a bad thing? Blaine Price


Post on 23-Feb-2016



Page 1: Privacy Interfaces for Location Sharing:  when is too much transparency  a bad thing?

Privacy Interfaces for Location Sharing: when is too much transparency a bad thing?

Blaine Price

Page 2

The PRiMMA Team...

Bashar Nuseibeh, Yvonne Rogers, Arosha Bandara, Clara Mancini, Lukasz Jedrzejczyk, Keerthi Thomas

Morris Sloman, Alessandra Russo, Emil Lupu, Naranker Dulay, Domenico Corapi, Ryan Wishart

Adam Joinson

Page 3

• Methods for understanding mobile privacy
• Some experiments on Methodology
• A Location Tracking User Study with Families
• A Privacy Feedback Interface User Study
• Some Lessons Learned, Future Directions
• Questions/Discussion/Watch Videos...

Page 4

The Problem With Asking People About Privacy is...

But it is (largely) not their fault:
• People are bad at judging the future value of their privacy
• People are bad at judging how they will react to using new systems they have never used before

Page 5

New Methods for Studying Mobile Privacy Behaviour

• Privacy Practices of Mobile Facebook Users

• Experience Sampling with Memory Phrase

• Found mobile contexts were multi-faceted, including individual perceptions and different physical/virtual world interconnections

• Places, defined by emerging social cultural knowledge, are a major determinant of privacy needs, so effort at defining rules for automation can be based on a location/context pairing

Page 6

Studying Privacy Behaviour with Future Technologies

• People find it difficult to imagine privacy risks in a technology they have never used

• Video (and written scenarios) can be powerful tools to allow participants to immerse themselves in unfamiliar tech and vicariously experience it

• Corporate Concept Videos
– Apple Knowledge Navigator 1988
– Microsoft Future Healthcare 2008

Page 7

• Semi-professional video of a 6-scene story, shot twice with subtle differences between the versions

• In one version, the protagonist has a positive attitude and everything works perfectly

• In the alternative version, the protagonist has a negative attitude and the technology has problems

• Participants watch one version without being told which one

• A wider range of privacy concerns is elicited

Page 8

User Study 1: Tracking in Families

tracking and

Why Families?

Page 9

Some implicit assumptions

close knit tracking is


Page 10


the tracked is the vulnerable

Page 11


Enough controls will set you

Page 12

Study Design

F1: Mother & father; Daughter1 & partner; Daughter2 & boyfriend; Daughter3

F2: Mother & father; Son & friend; Daughter

3 weeks, 1092 unique tracking events

Page 13

Interface examples

Page 14

Conditions and Questions

complete visibility run/chase?


Page 15


“I don’t think it makes me a better person checking up on people…so I try to stay out of it as I possibly can as it’s none of my business, but this technology makes it a little bit too easy, you are only human”

Page 16

Conditions and Questions

tracking tasks uneasy/keen?

Page 17


“It was easier to [check on others] when I was asked to do so…I didn’t feel like it was my responsibility…it wasn’t me doing it, I was just carrying out a task”

delegating responsibility

Page 18

Conditions and Questions

real-time feedback reassured/deterred?

Page 19


“I would prefer not to know, or I would have to start asking myself why they are checking on me…have I done something wrong…are they after something?”

questioning others’ motives

Page 20

Unexpectedness and destabilisation

“I looked him up…he was last tracked four hours ago…I thought oh did he turn his phone off…or did he turn the tracker off and why did he do that… why didn’t he tell me? Who is he with? And why is he there?”

F1-Daughter2 F1-Boyfriend

Page 21

Closeness and control

“At times I’d rather she didn’t track me…but I wouldn’t use privacy preferences [as] I know that would hurt her feelings”

F2-Mother F2-Son

Page 22

Breach and predation

“I feel because [they] have shown in the past that [they] are not trustworthy, that kind of [they] started it…it means I can check up on [them] and not feel too bad…[they] are unlikely to do what [they] say they do, so anything you see [on the tracker] is probably just going to confirm that”

Page 23

Close knit tracking is not safer

Tracking affects both parties

The closer the less in control


Page 24

Inspiration for Study 2

• Pervasive systems allow collection of data about individuals
– Increasing proliferation of and dependence on these systems
– Threats to privacy

• Users are informed and manually manage privacy settings
– Impractical! Too many controls...

• Pervasive systems need automated mechanisms for governing privacy behaviours that
– Reflect user preferences
– Adapt to changes in circumstances, context and user behaviours


Page 25

• Develop automated mechanisms for governing privacy behaviours
– Reflect user preferences
– Adapt to changes in circumstances, context and user behaviours
– Use Social Translucence as the Privacy Interface mechanism

• Example: Privacy Management for Location Based Applications
– Share location information with appropriate precision, to the appropriate people, at the appropriate times
– Provide awareness of information access

How can we learn policies from user behaviours?


Page 26

Build a system capable of learning mobile privacy policies enforceable on mobile devices to reduce intervention in privacy management.

[Figure: User Agent, with inputs Phone call, Current credit, Current location]

Requirements:
• User should be able to understand and modify the learned rules.
• Existing structured information and constraints should be used.
• Rules should be learned incrementally.
• Learned rules should be revisable (minimally) depending on changing conditions.

Page 27

Scenario: Real-time Feedback for LBS

[Figure: learning loop producing New/Revised Rules from context sources: Co-location, Location (GPS, name), Social Network]

Rule template: “Show location lookup using {mode} if {context}”

Example contexts:
• In meeting, Alice requests
• Driving, Bob requests
• Web browsing, Alice requests

We can learn sets of policy rules:
• Concept invention
• Recursion
• Inter-related concepts
• Tailor the search (customised search heuristics)
• Use probabilities to handle noise in the data

Page 28

User Study 2: Automatic Privacy Feedback Preference Detection

• Surveys, interviews and focus groups to find the range of privacy feedback interfaces:
– Dialog Box, Toast, Notification Bar, Vibration, LED, Sound, Flashlight, Natural Language

• New version of Buddy Track pre-seeded with context-sensitive rules on which methods to use

• Feedback interface using experience sampling to teach the engine which policies are correct

Page 29

How it works: Example



Page 30

Scenario: Real-time Feedback for LBS

[Timeline figure: Day 1, 07:30; lookups from H (home) while at location H]

Day 1 07:30

Learning new user behavior rules….

Context:
in_group(alice, home). in_group(bob, home). happens(gps(57,10), 07:00).
at_location(home, W, N) ← Conditions, ….
phone_position(in_hand) ← Conditions, ….

Examples:
not do(rtf_toast(alice), 07:00). do(rtf_toast(bob), 07:30). do(rtf_toast(bob), 11:00).

New policy:
do(rtf_toast(Call_Id, From), T) ← phone_position(in_hand) ∧ T ≥ 07:30

Page 31

Scenario: Real-time Feedback for LBS

[Timeline figure: Day 2; rows: Lookup from, At location, Near device; labels: At home, At Imperial, Near desktop; requester codes H, C, F]

Day 2

…. and revising existing rules incrementally

Context: ………..
do(rtf_toast(Call_Id, From), T) ← phone_position(in_hand) ∧ T ≥ 07:30

Revised policy:
do(rtf_toast(Req_Id, From), T) ← phone_position(in_hand) ∧ T ≥ 07:30 ∧ in_group(From, college)
do(rtf_toast(Req_Id, From), T) ← phone_position(in_hand) ∧ T ≥ 07:30 ∧ ¬holdsAt(location(Imperial), T)

Page 32

Using privacy policies

Privacy policies:
do(rtf_toast(Call_Id, From), T) ← phone_position(in_hand) ∧ T ≥ 07:30 ∧ in_group(From, college).
do(rtf_toast(CallId, From), T) ← phone_position(in_hand) ∧ T ≥ 07:30 ∧ ¬holdsAt(status(bluetooth_near(desktop)), T).

Context: … in_group(charles, college). …

Querying rules….
1) Location request made
2) do(rtf_toast(charles), T)? YES
3) Toast notification of location lookup
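The learn / revise / query loop of slides 30 to 32, as an added example written for this page in Python. It is not the Buddy Track or PRiMMA learning system (the deck describes a logic-based learner but shows none of its code); it replaces that learner with a much simpler search that specialises a rule by adding the fewest conditions that exclude every negative example. The Day 1 rule is the one on slide 30 and the two Day 2 rules it produces are the ones on slide 32. The `request()` helper, the context keys, the requester names' group membership and the Day 2 experience-sampling examples are all constructed for the example.

```python
"""Toy policy engine and rule reviser for real-time location-lookup feedback.

Constructed for this page; not the PRiMMA/Buddy Track implementation. Assumes:
  * a lookup request arrives with a context dict (built by request() below);
  * a policy is a list of rules, each rule a frozenset of condition names that
    must all hold for do(rtf_toast(From), T) to be true;
  * revision specialises any rule that fires on a negative example by adding
    the fewest extra conditions that exclude all negatives while still
    covering at least one positive example.
"""
from datetime import time
from itertools import combinations

# Candidate conditions, named after the literals on slides 30-32.
# Each maps a request context to True/False.
CONDITIONS = {
    "phone_position(in_hand)":
        lambda ctx: ctx["phone_position"] == "in_hand",
    "T >= 07:30":
        lambda ctx: ctx["time"] >= time(7, 30),
    "in_group(From, college)":
        lambda ctx: "college" in ctx["requester_groups"],
    "not holdsAt(bluetooth_near(desktop), T)":
        lambda ctx: "desktop" not in ctx["bluetooth_near"],
}


def request(hh, mm, requester, groups, in_hand=True, bluetooth_near=()):
    """Build a (constructed) context for one location-lookup request."""
    return {
        "requester": requester,
        "requester_groups": frozenset(groups),
        "time": time(hh, mm),
        "phone_position": "in_hand" if in_hand else "in_pocket",
        "bluetooth_near": frozenset(bluetooth_near),
    }


def rule_holds(rule, ctx):
    """A rule is a conjunction: every named condition must hold in ctx."""
    return all(CONDITIONS[name](ctx) for name in rule)


def do_rtf_toast(policy, ctx):
    """Query step (slide 32): do(rtf_toast(From), T)? True if any rule fires."""
    return any(rule_holds(rule, ctx) for rule in policy)


def revise(policy, positives, negatives):
    """Incremental, minimal revision in the spirit of slides 31 and 34.

    Rules consistent with all negatives are kept unchanged. A rule that fires
    on some negative is replaced by its smallest specialisations (fewest added
    conditions) that exclude every negative and cover at least one positive.
    """
    revised = []
    for rule in policy:
        if not any(rule_holds(rule, n) for n in negatives):
            revised.append(rule)
            continue
        extra = [c for c in CONDITIONS if c not in rule]
        for k in range(1, len(extra) + 1):
            good = []
            for combo in combinations(extra, k):
                cand = rule | frozenset(combo)
                if (not any(rule_holds(cand, n) for n in negatives)
                        and any(rule_holds(cand, p) for p in positives)):
                    good.append(cand)
            if good:           # stop at the smallest specialisation size
                revised.extend(good)
                break
    return revised


def uncovered(policy, positives):
    """Positive examples the policy fails to explain (ideally empty)."""
    return [p for p in positives if not do_rtf_toast(policy, p)]


# Day 1 policy, as learned on slide 30.
DAY1_POLICY = [frozenset({"phone_position(in_hand)", "T >= 07:30"})]

# Day 2 experience-sampling feedback (constructed sample data).
DAY2_POSITIVES = [
    # at the desk, a college contact looks the user up: toast wanted
    request(9, 0, "charles", {"college"}, bluetooth_near={"desktop"}),
    # away from the desk, a family member looks the user up: toast wanted
    request(12, 0, "bob", {"home"}),
]
DAY2_NEGATIVES = [
    # at the desk, a family member looks the user up: toast rejected
    request(10, 0, "alice", {"home"}, bluetooth_near={"desktop"}),
]

if __name__ == "__main__":
    day2 = revise(DAY1_POLICY, DAY2_POSITIVES, DAY2_NEGATIVES)
    for rule in day2:
        print("do(rtf_toast(From), T) <-", " and ".join(sorted(rule)))
    print("uncovered positives:", uncovered(day2, DAY2_POSITIVES))
    charles = request(14, 0, "charles", {"college"}, bluetooth_near={"desktop"})
    print("do(rtf_toast(charles), T)?", "YES" if do_rtf_toast(day2, charles) else "NO")
```

Running the block prints the two revised Day 2 rules and answers the slide 32 query for charles with YES; the Day 1 rule alone would also have fired on the rejected alice lookup, which is exactly what the revision removes while keeping both positive examples covered.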

Page 33

User Study & Findings

• 15 participants, loosely knit groups, 3 weeks
• 2 phases (learning, evaluation)
• Predefined rules used in phase 1
• Interviews

• Increased accuracy (appropriateness of notifications)
• Greater trust and comfort
• Awareness of notifications contributes towards the acceptance of the technology
• “Invisibility” of the interface

Page 34

• State-of-the-art learning system able to learn
– Properties about the data, even if not directly observed
– Recursive and inter-dependent policies
– (Revised) policies from negative and positive examples
– Incrementally
– Minimal revisions of existing policies

• Demonstrated utility of learning for adaptive awareness for privacy management.

Page 35

Future Directions

• Domain-specific heuristics
– Apply to other lifelogging domains

• Application to (large) real data sets
• Scalability and efficiency
• Privacy Interface Controls too complicated
– Apply learning to data from groups of users to derive ‘default’ privacy configurations
– Learn privacy threats and requirements