Understanding and Capturing People’s Privacy Policies in a People Finder Application

Madhu Prabaker, Jinghai Rao, Ian Fette, Patrick Kelley, Lorrie Cranor, Jason Hong, Norman Sadeh. Carnegie Mellon University. PowerPoint presentation.

  • Understanding and Capturing People's Privacy Policies in a People Finder Application

    Madhu Prabaker, Jinghai Rao, Ian Fette, Patrick Kelley, Lorrie Cranor, Jason Hong, Norman Sadeh

    Carnegie Mellon University

  • Overview

    - Case study of People Finder application
    - What it is
    - How it works
    - Lab studies and field trials
    - Lessons Learned / Opinions and Conjectures

  • User-Controllable Privacy and Security: Project Overview

    Overall Goal: Better UIs for managing privacy and security for pervasive computing
    - Simple ways of specifying policies
    - Clear notifications and explanations of what happened
    - Better visualizations to summarize results
    - Machine learning for learning preferences
    - Start with small evaluations, continue with large-scale ones

    Large multi-disciplinary team and project
    - Six faculty, 2 postdocs, five students
    - Roughly 2 years into project

  • User-Controllable Privacy and Security: Project Overview

    Applications
    - People Finder
    - Contextual Instant Messaging (later at Ubicomp)
    - Grey: Access Control to resources

    Some Challenges
    - Not being burdensome or annoying
    - Right balance of expressiveness and simplicity
    - Providing enough value so people will use our apps!
    - Security & privacy our main concern, but not users'

  • People Finder

    Lets you find other people's location, subject to any specified rules
    - Okayness checking
    - Rendezvous

    Requestors have a list of buddies whose location they can request via web, system tray, or mobile phone

  • Web Interface

  • System Tray and Mobile Phone

  • Plausible Deniability Built in

  • Found a Person

  • Found Another Person

  • Some Architectural Details

    Laptop version uses Skyhook for positioning
    - Skyhook based on Intel Place Lab, uses WiFi localization
    - We also use a database provided by CMU to determine name of location
    - Each WiFi access point has an associated place name
        - Newell-Simon Hall 2504

    Mobile phone version uses Intel POLS for positioning
    - POLS uses GSM towers for localization
    - Doesn't work well in Pittsburgh, not enough GSM towers

  • Users can Specify Rules

    - Also generates human-readable description of rule

  • More Rules

  • Can Also Specify Places in Rules

  • User Feedback: Balloon Pop-Up

    - Basic feedback (currently only for laptops)

  • User Feedback: Request History

  • History Also Used for Audits and ML

  • System Architecture

  • System Architecture

    Centralized architecture
    - Location stored in a server rather than on end-user devices
    - Doesn't this go against design goals of Place Lab, POLS, and your dissertation, Jason?

    Some Musings on Privacy
    - No users even asked about this issue
    - Would likely only be small subset of tech-savvy users
    - Easier upgrades (think service vs app)
    - Made it very easy to add laptop functionality
    - Makes "Last seen" feature possible
    - Better performance for some features (ex. querying groups)

  • Lab Studies

    Goal: how well does Machine Learning work for learning prefs?

    Setup
    - 19 participants
    - Asked to create initial rule set
    - Go through 30 scenarios where someone requested location
    - What their rule would do
    - Whether they agreed with rule
    - Option to change their rules

  • Lab Studies

    Users not very accurate
    - ~5 min to create rules, 8 min if include refining rules
    - #Rules ranged 1-10, ~5 rules
    - Weak correlation between time spent and accuracy

    Case-based reasoning yielded pretty good results
    - Caveat: scenarios probed unusual situations, may not mirror actual practice

  • Field Trials

    Three different groups (not simultaneous)
    - 15 team members amongst ourselves, 6 wks
    - 7 MBA students, 2 wks
    - 6 people involved in organizing Spring Carnival, 9 days
    - Asked or paid people to audit, to see accuracy

    Usage uneven
    - #Requests ranged from single digits to 100s
    - Looking at top 12 heavy users, accuracy of rules ~79%

    People tended to relax rules over time
    - Initially were conservative, allowed more use later on

  • Lessons Thus Far

    Surprisingly few concerns about privacy
    - No user expressed strong privacy concerns
    - Feature requests were always non-privacy related
    - If low usage, due to not enough utility, not due to privacy

    Does this mean our privacy is good enough, or is this because of users' attitudes and behaviors?
    - Hard to tell

  • Users' Attitudes and Behaviors

    Westin identified three clusters of people wrt attitudes toward commercial entities
    - Fundamentalists (~25%)
    - Unconcerned (~10%)
    - Pragmatists (~65%)

    We need something like this for ubicomp
    - But for personal privacy rather than for commercial entities
    - With more fine-grained segmentation
    - Fundamentalists include techno-libertarians and luddites
    - Pragmatists include too busy, not enough value, etc.
    - Better segmentation would help us understand if our privacy is good enough

  • Users' Attitudes and Behaviors

    - Need to tie better with adoption models

  • Lessons Thus Far

    Also need to consider cost-benefit issues

    Lowering Costs
    - Making rule creation easier and faster
    - Facebook widget, avoid "yet another social network" problem
    - Linking with instant messaging
    - Phone with GPS built-in rather than separate device

    Increasing Benefits
    - Speed of getting someone's location
    - Getting multiple people's locations
    - Finding location of people not on list
    - Quality of location (accuracy, place names)

  • Lessons Thus Far

    Critical mass a huge problem
    - Started with mobile phones, but high-end phones so we could only deploy a few at a time
    - Laptop version helped address this problem
    - Believe Facebook widget will overcome this problem

    People did not use history and auditing features often
    - Primarily because we asked or paid them
    - IMBuddy: But seemed to feel better knowing it was there!
    - Other features to assuage concerns, even if not used?

  • Our Next Steps

    - Facebook widget and larger study
    - Adding more features
    - More contextual info, interruptibility and window name
    - Simplified user interface
    - Simplifying the privacy model
    - Supporting common patterns (co-workers only when at work, family and close friends always, etc.)

  • End-User Privacy in HCI

    - 137 page article surveying privacy in HCI and CSCW
    - Forthcoming in the new Foundations and Trends journal, in a few weeks

  • Acknowledgements

    - NSF Cyber Trust CNS-0627513
    - NSF IIS CNS-0433540
    - ARO DAAD19-02-0389
    - France Telecom
    - Nokia
    - IBM
    - Skyhook

    Need Bruce
    Need Lujo
    Need Mike Reiter