Understanding User Privacy in Internet of Things Environmentshosubl/WF-IoT16_presentation.pdf100 females/99 males (1 unknown), majority (57.5%) are aged 25-40 We educated them about

/ 30

Understanding User Privacyin Internet of Things EnvironmentsHOSUB LEE AND ALFRED KOBSA

DONALD BREN SCHOOL OF INFORMATION AND COMPUTER SCIENCES

UNIVERSITY OF CALIFORNIA, IRVINE

2016-12-13 IEEE WORLD FORUM ON INTERNET OF THINGS 2016 1

/ 30

AgendaIntroduction

Related Work

Privacy Preferences in IoT◦ Privacy Preference Collection

◦ Privacy Preference Analysis

◦ Interpretation of Privacy in IoT

Limitations and Future Work

Conclusion


/ 30

Introduction (1/4)Internet of Things (IoT)◦ Networked computing environment consisting of diverse physical objects

◦ Collection of personal information with minimum user intervention

Privacy in IoT◦ IoT gives benefits, but can compromise user privacy

◦ Privacy is important issue for more widespread use of IoT

◦ Lack of efforts to fully “understand” users’ privacy concerns in IoT


Home Automation in IoT Privacy Concerns in IoT

/ 30

Introduction (2/4)Privacy Preference Collection◦ We collected users’ privacy preferences about IoT scenarios via online survey


Privacy Preferences

IoT scenarios

/ 30

Introduction (3/4)Privacy Preference Analysis◦ We performed a cluster analysis on the collected privacy preferences

◦ We identified 4 distinct clusters of scenarios wrt. potential privacy risks


K-modes clustering algorithm

Privacy Preferences Clustered Preferences(K=4)

IoT scenarios

/ 30

Introduction (4/4)Interpretation of Privacy in IoT◦ We found some relationships btw. IoT contexts and users’ privacy preferences


K-modes clustering algorithm

People have privacy concerns in case …

Privacy-invasive Contexts in IoTPrivacy Preferences Clustered Preferences (K=4)

IoT scenarios

/ 30

Related WorkPrivacy Preference Analysis in UbiComp◦ Privacy preference determinants in ubiquitous computing (ACM CHI ‘03)

◦ A survey of private moments in the home (ACM UbiComp ‘11)

◦ Capturing location-privacy preferences (Personal and Ubiquitous Computing ‘11)

◦ A personal location system with protected privacy in IoT (IEEE BNMT ’11)

Insights◦ Identity of information requester is important

◦ No tracking personal behavior at home

◦ Full control of location sharing

◦ Active location sharing in emergency situations

◦ How people make privacy decisions in “IoT” environments?

◦ More diverse contextual factors need to be considered


/ 30

Privacy Preferences in IoT1. DATA COLLECTION

2. DATA ANALYSIS

3. INTERPRETATION


/ 30

Data Collection (1/5)Previous Works1

◦ We defined contextual parameters that construct IoT scenarios◦ where

◦ what

◦ who

◦ reason

◦ persistence

◦ We defined reaction parameters that indicate users’ privacy preferences◦ _notification

◦ _permission

◦ _comfort

◦ _risk

◦ _appropriateness


1: HCI in Business: A collaboration with academia in IoT privacy (HCIB 2015)

/ 30

Data Collection (2/5)Contextual Parameters


A device of a friend (C3=3) records your voice to check your presence (C2=9). This happens once (C5=0), while you are at semi-public place (C1=2), for your safety (C4=1).

Sample IoT Scenario

/ 30

Data Collection (3/5)Reaction Parameters


Would you want to allow this monitoring?

Sample Question

⃝ allow, always (R2=1)⃝ allow, just this time (R2=2)⃝ reject, just this time (R2=3)⃝ reject, always (R2=4)

Sample Answer Options

/ 30

Data Collection (4/5)Online Survey Study◦ We recruited 200 participants on Amazon Mechanical Turk (MTurk)

◦ US resident, English speaker, high reputation at Amazon MTurk

◦ 100 females/99 males (1 unknown), majority (57.5%) are aged 25-40

◦ We educated them about IoT (e.g., definition, application scenario, etc)


Online Survey System(Amazon MTurk)

IoT

/ 30

Data Collection (5/5)Online Survey Study (Cont’d)◦ We created scenarios via random permutation of contextual parameter values

◦ We individually asked for their reactions and opinions on the given scenarios

◦ We collected privacy preferences for 2,800 IoT scenarios


IoT ScenarioA device of a friend records your voice to check your presence. This happens once, while you are at semi-public place, for your safety.

Privacy PreferenceI’m willing to allow it just this time.

Online Survey System(Amazon MTurk)

Participants

QuestionWould you want to allow this monitoring?

/ 30

Data Analysis (1/5)K-means Clustering Algorithm◦ Most popular data mining technique to partition observations into K clusters

◦ Restricted to continuous numeric values (e.g., 3.2415, 2.1254, …)

K-modes Clustering Algorithm◦ Variant of K-means to directly cluster categorical data

◦ Replacing cluster means with modes

◦ Using the simple matching dissimilarity function instead of the Euclidean distance function

◦ Updating modes with the most frequent categorical attributes in each clustering step


Contextual Parameters Reaction Parameters

C1 C2 C3 C4 C5 R1 R2 R3 R4 R5

3 2 6 4 0 1 1 6 6 6

… … … … … … … … … …

Our Dataset

K-modes

K-means

/ 30

Data Analysis (2/5)Selecting the Number of Clusters◦ We heuristically searched for the optimal K

◦ We computed the sum of errors (SE) of the clustering while increasing K from 2 to 10

◦ SE is the sum of the distance btw. each member of the cluster and the cluster’s centroid

where x is a data point belonging to the ith cluster and ci is the mode of the ith cluster

◦ We found the largest decrease in errors (SEK-1 - SEK) occurs when we increase K from 3 to 4


12000

12500

13000

13500

14000

14500

15000

15500

16000

2 4 6 8 10

SE

K

Sum of Errors

Largest Error Decrease (K=4)

/ 30

Data Analysis (3/5)Clustering Results◦ 4 clusters differ from each other primarily in contextual parameters:

◦ what (C2) and who (C3)

◦ Each mode has unique and identical values for reaction parameters:◦ _comfort (R3), _risk (R4), _appropriateness (R5)


Modes of Clusters

/ 30

Data Analysis (4/5)Labeling of Clusters◦ We labeled each cluster using reaction parameters R3, R4, R5

◦ E.g., cluster 1 as “Acceptable” because its mode has the second highest value for R3, R4, R5

◦ We assigned colors to clusters

◦ green (CL1), yellow (CL2), red (CL3), black (CL4)

◦ Cluster distribution◦ “Acceptable” (12.6%) vs. “Very Unacceptable” (40.8%)


1 Very inappropriate

2 Inappropriate

3 Somewhat inappropriate

4 Neutral

5 Somewhat appropriate

6 Appropriate

7 Very appropriate

_appropriateness (R5)Modes of Clusters

/ 30

Data Analysis (5/5)Verification of Clustering Results◦ Welch’s t-tests on reaction parameters in {CL1, CL2}, {CL2, CL3}, {CL3, CL4}

◦ Reaction parameter values between each pair of clusters are statistically distinct (p < 0.016)

◦ Clusters are distinct from each other in terms of user reactions to the scenarios

◦ Information visualization◦ We projected all data entries onto a 2-d space using R5 values as their coordinates

2016-12-13 HOSUB LEE – ADVANCEMENT TO CANDIDACY 18

0

1

2

3

4

5

6

7

8

0 1 2 3 4 5 6 7 8

"_A

PP

RO

PR

IAT

EN

ES

S"

1:

ver

y i

nap

pri

pri

ate,

4:

neu

tral

, 7

: v

ery

ap

pro

pri

ate)

"_APPROPRIATENESS"

(1: very inappripriate, 2: inappropriate, 3: somewhat inappropriate, 4: neutral, 5: somewhat appropriate, 6: appropriate, 7: very appropriate)

Scenarios that respondents deemed very inappropriate (R5=1) mostly became clustered into CL4 (black)

Scenarios that respondents deemed appropriate (R5=6, 7) mostly became clustered into CL1 (green)

Visualization of Clustering Results

/ 30

Interpretation – whereFindings◦ Monitoring at personal places is very unacceptable

◦ Monitoring at public spaces is unacceptable

◦ Monitoring at semi-public spaces is somewhat unacceptable


0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

0: your place

1: someone else's place

2: semi-public space

3: public space

RELATIVE FREQUENCY

"WH

ER

E"

PA

RA

ME

TE

R

[CL4] Very unacceptable [CL3] Unacceptable [CL2] Somewhat unacceptable [CL1] Acceptable

p < .0001, d = 0.4791

p < .0001, d = 0.4921

p < .0001, d = 0.6109

p: chi-square test of associationd: effect size (large if d > 0.6)

/ 30

Interpretation – what (1/2)Findings◦ Gaze monitoring is very unacceptable

◦ Photo-taking or video monitoring is unacceptable


0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

RE

LA

TIV

E F

RE

QU

EN

CY

"WHAT" PARAMETER


p = 0.0001, d = 0.3041

p < .0001, d = 0.319

/ 30

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

RE

LA

TIV

E F

RE

QU

EN

CY

"WHAT" PARAMETER


Interpretation – what (2/2)Findings◦ Voice monitoring for gender and location awareness is tolerable

◦ Personally identifiable information (e.g., phone ID) is okay to share


p = 0.0006, d = 0.2713

p < .0001, d = 0.6237

/ 30

Interpretation – who (1/2)Findings◦ Monitoring by unknown entity is very unacceptable

◦ Monitoring by government or nearby business is unacceptable


0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

1. unknown

2. colleague

3. friend

4. own device

5. business

6. employer/school

7. government

RELATIVE FREQUENCY

"WH

O"

PA

RA

ME

TE

R


p < .0001, d = 0.7268

p < .0001, d = 0.2603

p < .0001, d = 0.5845

/ 30

Interpretation – who (2/2)Findings◦ Monitoring by friends is fine

◦ Monitoring by own devices is acceptable


0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

1. unknown

2. colleague

3. friend

4. own device

5. business

6. employer/school

7. government

RELATIVE FREQUENCY

"WH

O"

PA

RA

ME

TE

R


p < .0001, d = 0.6305

p < .0001, d = 0.9989

/ 30

Interpretation – reason (1/2)Findings◦ Purposeless IoT services are unacceptable

◦ Some purposeless scenarios are still considered acceptable


0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

1. safety

2. commercial

3. social

4. convenience

5. health

6. not specified

RELATIVE FREQUENCY

"RE

AS

ON

" P

AR

AM

ET

ER


p < .0001, d = 0.3221

/ 30

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

1. safety

2. commercial

3. social

4. convenience

5. health

6. not specified

RELATIVE FREQUENCY

"RE

AS

ON

" P

AR

AM

ET

ER


Interpretation – reason (2/2)Findings◦ Convenience is the most significant reason to allow monitoring

◦ Safety is also a reasonable justification to allow monitoring


/ 30

Interpretation – persistenceFindings◦ No clear tendency was observed

◦ Participants have privacy concerns about continuous monitoring in general


0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

0. once

1. continuously

RELATIVE FREQUENCY

"PE

RS

IST

EN

CE

" P

AR

AM

ET

ER


/ 30

Limitations and Future Work (1/2)Out-of-Context Attitudinal Study◦ Some contextual parameters were coarsely defined

◦ E.g., “someone else’s place” might be interpreted differently by participants

◦ Participants responded at a location that has no association w/ the scenarios◦ Decreased sense of realism to the scenarios


A device of a friend (C3=3) records your voice to check your presence (C2=9). This happens once (C5=0), while you are at someone else’s place (C1=1), for your safety (C4=1).

“Where is this?”

IoT Scenario Survey at Home

IoT at School?

/ 30

Limitations and Future Work (2/2)Location-based Survey◦ Simulation of user experience in virtual IoT environments

◦ Creating realistic IoT scenarios mapped to real locations through crowdsourcing

◦ Building wearable system presents the IoT scenarios related to users’ current locations

◦ Asking users to answer questions on the scenarios while walking around a specific area


Wearable Computer Location Awareness Survey

/ 30

ConclusionIn This Paper◦ We aimed to “understand” user privacy in IoT environments

◦ We collected people’s privacy preferences toward IoT via online survey

◦ We analyzed the collected survey responses via data mining technique ◦ IoT scenarios can be grouped into 4 clusters wrt. their potential privacy risks

◦ Clustering results are statistically and visually sound

◦ We uncovered contextual factors impact people’s privacy perceptions◦ who and what are the most important factors

◦ We plan to conduct location-based survey study (field experiments)◦ More suitable for collecting sincere responses from users than a traditional survey


/ 30

Thank You!ANY QUESTIONS?


Documents

Understanding User Privacy in Internet of Things Environmentshosubl/WF-IoT16_presentation.pdf100 females/99 males (1 unknown), majority (57.5%) are aged 25-40 We educated them about