User-Controllable Privacy and Security for Pervasive Computing
Jason I. Hong, Carnegie Mellon University
The Problem
• Mobile devices becoming integrated into everyday life
– Mobile communication
– Sharing location information with others
– Remote access to home
– Mobile e-commerce
• Managing security and privacy policies is hard
– Preferences hard to articulate
– Policies hard to specify
– Limited input and output
• Leads to new sources of vulnerability and frustration
Difficult to Build Usable Interfaces
Our Goal
• Develop better UIs for managing privacy and security on mobile devices
– Simple ways of specifying policies
– Clear notifications and explanations of what happened
– Better visualizations to summarize results
– Machine learning for learning preferences
– Start with small evaluations, continue with large-scale ones
• Large multi-disciplinary team and project
– Six faculty, 1.5 postdocs, six students
– Roughly 1 year into project
Application Domains
• Contextual Instant Messaging
• People Finder
• Access Control to resources
• Some Challenges
– Not being burdensome or annoying
– Finding right balance of expressiveness and simplicity
– Helping users understand capabilities and limitations
– Providing enough value so that people will use our apps!
• Security & privacy are our main concern, but not the users'
Outline
• Motivation
• Contextual Instant Messaging
• People Finder
• Access Control to Resources
Contextual Instant Messaging
• Facilitate coordination and communication by letting people request contextual information via IM
– Interruptibility (via SUBTLE toolkit)
– Location (via Place Lab wifi positioning)
– Active window
• Developed a custom client and robot on top of AIM
– Client (Trillian plugin) captures and sends context to robot
– People can query the imbuddy411 robot for info, e.g. “howbusyis username”
– Robot also contains privacy rules governing disclosure
Contextual Instant Messaging: Privacy Mechanisms
• Web-based specification of privacy preferences
– Users can create groups and put screennames into groups
– Users can specify what each group can see
Contextual Instant Messaging: Privacy Mechanisms
• Notifications of requests
Contextual Instant Messaging: Privacy Mechanisms
• Social translucency
Contextual Instant Messaging: Privacy Mechanisms
• Audit logs
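The four mechanisms above (groups, per-group disclosure rules, and an audit log that can be summarized) combined in one small Python sketch. This is an added illustration, not the imbuddy411 robot's code; the group names, screen names, and context values used with it are constructed.

```python
from collections import Counter, defaultdict

# Context types the imbuddy411 robot answers about (from the slides).
CONTEXT_TYPES = {"interruptibility", "location", "active_window"}

class DisclosurePolicy:
    """Group-based disclosure rules plus an audit log. Screen names that are
    in no group get nothing (default deny)."""

    def __init__(self):
        self.groups = defaultdict(set)    # group name -> screen names
        self.allowed = defaultdict(set)   # group name -> context types it may see
        self.audit_log = []               # (when, requester, context type, disclosed?)

    def add_to_group(self, group, *screen_names):
        self.groups[group].update(screen_names)

    def allow(self, group, *context_types):
        unknown = set(context_types) - CONTEXT_TYPES
        if unknown:
            raise ValueError(f"unknown context types: {sorted(unknown)}")
        self.allowed[group].update(context_types)

    def may_see(self, requester, context_type):
        # A requester sees the union of what all of their groups may see.
        return any(context_type in self.allowed[g]
                   for g, members in self.groups.items() if requester in members)

    def handle_query(self, requester, context_type, value, when):
        """Answer a robot query such as 'howbusyis username', and record the
        request whether or not anything was disclosed, so the owner can later
        audit who asked for what."""
        disclosed = self.may_see(requester, context_type)
        self.audit_log.append((when, requester, context_type, disclosed))
        return value if disclosed else None

    def daily_summary(self, day):
        """'User x asked for location 5 times today' style summaries
        (the improvement participants suggested in the evaluation)."""
        counts = Counter((r, c) for w, r, c, _ in self.audit_log if w.date() == day)
        return [f"{r} asked for {c} {n} time{'s' if n != 1 else ''} today"
                for (r, c), n in sorted(counts.items())]
```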
Contextual Instant Messaging: Evaluation
• Recruited ten people for two weeks
– Selected people highly active in IM (i.e., undergrads)
– Each participant had ~90 buddies and 1300 incoming and outgoing messages per week
• Notified other parties of imbuddy411 service
– Updated AIM profile to advertise
– Would notify other parties at start of conversation
• Any predictions of results?
Contextual Instant Messaging: Results
• Total of 242 requests for contextual information
– 53 distinct screen names, 13 repeat users
[Bar chart: number of requests by context type – Interruptibility, Location, Active Window]
Contextual Instant Messaging: Results
• 43 privacy groups, ~4 per participant
– Groups organized as class, major, clubs, gender, work, location, ethnicity, family
– 6 groups revealed no information
– 7 groups disclosed all information
• Only two instances of changes to rules
– In both cases, friend asked participant to increase level of disclosure
Contextual Instant Messaging: Results
• Likert scale survey at end (1 is strongly disagree, 5 is strongly agree)
– All participants agreed contextual information is sensitive: interruptibility 3.6, location 4.1, window 4.9
– Participants were comfortable using our controls (4.1)
– Easy to understand (4.4) and modify (4.2)
– Good sense of who had seen what (3.9)
• Participants also suggested improvements
– Notification of offline requests
– Better notifications to reduce interruptions (abnormal use)
– Better summaries (“User x asked for location 5 times today”)
Contextual Instant Messaging: Current Status
• Preparing for another round of deployment
– Larger group of people
– A few more kinds of contextual information
• Developing privacy controls that scale better
– More people, more kinds of information
Outline
• Motivation
• Contextual Instant Messaging
• People Finder
• Access Control to Resources
People Finder
• Location useful for micro-coordination
– Meeting up
– Okayness checking
• Developed phone-based client
– GSM localization (Intel)
• Conducted studies to see how people specify rules (& how well)
• See how well machine learning can learn preferences
People Finder: Machine Learning
• Using case-based reasoning (CBR)
– “My colleagues can only see my location on weekdays and only between 8am and 6pm”
– It’s now 6:15pm, so the CBR might allow, or interactively ask
• Chose CBR over other machine learning
– Better dialogs with users (i.e., more understandable)
– Can be done interactively (rather than accumulating large corpus and doing post-hoc)
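The weekday/8am–6pm rule and the 6:15pm boundary case from the slide above, as an added Python sketch of a rule check with a case-based fallback. This is an illustration written for this page, not the People Finder implementation; the one-hour similarity window and the "ask" outcome are assumptions about how a CBR fallback might be tuned.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """'My colleagues can only see my location on weekdays and only between
    8am and 6pm' expressed as data: Rule("colleagues", True, 8, 18)."""
    group: str
    weekdays_only: bool
    start_hour: int   # inclusive, 24-hour clock
    end_hour: int     # exclusive

    def matches(self, group, when):
        weekday_ok = not self.weekdays_only or when.weekday() < 5
        return (group == self.group and weekday_ok
                and self.start_hour <= when.hour < self.end_hour)

@dataclass(frozen=True)
class Case:
    group: str
    is_weekday: bool
    minute_of_day: int
    decision: str     # "allow" or "deny", as the owner answered

class LocationDiscloser:
    """Rules first; if none applies, reuse the closest similar past case;
    if there is none, ask the owner. Answers become new cases, so the
    system learns interactively rather than from a large corpus afterwards."""

    def __init__(self, rules, max_minutes_apart=60):
        self.rules = list(rules)
        self.cases = []
        self.max_minutes_apart = max_minutes_apart   # assumed similarity window

    @staticmethod
    def _features(group, when):
        return group, when.weekday() < 5, when.hour * 60 + when.minute

    def decide(self, group, when):
        if any(r.matches(group, when) for r in self.rules):
            return "allow"
        g, wd, mod = self._features(group, when)
        similar = [c for c in self.cases if c.group == g and c.is_weekday == wd
                   and abs(c.minute_of_day - mod) <= self.max_minutes_apart]
        if not similar:
            return "ask"  # no rule and no precedent: involve the owner
        return min(similar, key=lambda c: abs(c.minute_of_day - mod)).decision

    def learn(self, group, when, decision):
        # Record the owner's answer to an "ask" as a new case.
        g, wd, mod = self._features(group, when)
        self.cases.append(Case(g, wd, mod, decision))
```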
People Finder: Study on Preferences and Rules
• First conducted informal studies to understand factors important for location disclosures
– Asked people to describe in natural language
– Social relation, time, location
– “My colleagues can only see my location on weekdays and only between 8am and 6pm”
People Finder: Study on Preferences and Rules
• Another study to see how well people could specify rules, and if machine learning could do better
– 13 participants (+1 for pilot study)
– Specify rules at beginning of study
– Presented a series of thirty scenarios
– Shown what their rules would do, asked whether the outcome was correct and how useful it was
– Given option to change rule if desired
People Finder: Study on Rules
People Finder: Results – User Burden

                    Mean (sec)   Std dev (sec)
Rule Creation         321.53        206.10
Rule Maintenance      101.15        110.02
Total                 422.69        213.48
People Finder: Results – Accuracy
People Finder: Current Conclusions
• Roughly 5 rules per participant
• Users not good at specifying rules
– Time consuming & low accuracy (61%) even when they can refine their rules over time (67%)
– Interesting contrast with imbuddy411, where people were comfortable
• Possible our scenarios biased towards exceptions
• CBR seems better in terms of accuracy and burden
• Additional experiments still needed
People Finder: Current Work
• Small-scale deployment of phone-based People Finder with a group of friends
– Still needs more value; people finder by itself not sufficient
– Trying to understand pain points on next iteration
• Need more accurate location
– GSM localization accuracy haphazard
• Integration with imbuddy411
– Smart phones expensive; IM vastly increases user base
Outline
• Motivation
• Contextual Instant Messaging
• People Finder
• Access Control to Resources
Grey – Access Control to Resources
• Distributed smartphone-based access control system
– Physical resources like office doors, computers, and coke machines
– Electronic ones like computer accounts and electronic files
– Currently only physical doors
• Proofs assembled from credentials
– No central access control list
– End-users can create flexible policies
Grey: Creating Policies
• Proactive policies
– Manually create a policy beforehand
– “Alice can always enter my office”
• Reactive policies
– Create a policy based on a request
– “Can I get into your office?”
– Grey sees who is responsible for the resource, and forwards the request
• Might select from multiple people (owner, secretary, etc.)
– Can add the user, add time limits too
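Proof assembly from credentials without a central ACL, covering both the proactive policy (“Alice can always enter my office”) and a reactive, time-limited grant made by someone the owner delegated to. This is an added Python sketch written for this page, not Grey's code: the principal and resource names are constructed, and Grey's signed credentials are modelled as plain records with signature checking omitted.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class Credential:
    """Either 'issuer says subject may open resource' (a grant) or 'issuer says
    subject speaks for issuer about resource' (a delegation). Grey credentials
    are signed; signature verification is left out of this sketch."""
    issuer: str
    subject: str
    resource: str
    delegation: bool = False
    expires: Optional[datetime] = None   # None means no time limit

    def valid_at(self, when):
        return self.expires is None or when <= self.expires

class ProofAssembler:
    """Decide access by assembling a chain of credentials rooted at the
    resource's owner, rather than by consulting a central ACL."""

    def __init__(self, owners, credentials):
        self.owners = dict(owners)       # resource -> principal responsible for it
        self.creds = list(credentials)

    def assemble_proof(self, requester, resource, when):
        """Breadth-first search from the owner through delegations to a grant
        naming the requester. Returns the credential chain, or None."""
        owner = self.owners[resource]
        frontier, seen = [(owner, [])], {owner}
        while frontier:
            authority, chain = frontier.pop(0)
            for c in self.creds:
                if (c.resource != resource or c.issuer != authority
                        or not c.valid_at(when)):
                    continue
                if not c.delegation and c.subject == requester:
                    return chain + [c]
                if c.delegation and c.subject not in seen:
                    seen.add(c.subject)
                    frontier.append((c.subject, chain + [c]))
        return None

    def grant(self, issuer, subject, resource, expires=None):
        """Reactive policy: whoever the request was forwarded to adds the requester."""
        c = Credential(issuer, subject, resource, expires=expires)
        self.creds.append(c)
        return c
```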
Grey: Deployment at CMU
• 25 participants (9 part of the Grey team)
• Floor plan with Grey-enabled Bluetooth doors
Grey: Evaluation
• Monitored Grey usage over several months
• Interviews with each participant every 4-8 weeks
• Time on task in using a shared kitchen door
Grey: Results of Time on Task of a Shared Kitchen Door
Grey: Surprises
• Grey policies did not mirror physical keys
– Grey more flexible and easier to change
• Lots of non-research obstacles
– User perception that the system was slow
– system failures causing users to get locked out
– need network effects to study some interesting issues
• Security is about keeping unauthorized users out, but our users were more concerned with how easy it was for them to get in
– Never mentioned security concerns when interviewed
Grey: Current Work
• Iterating on the user interfaces
– More wizard-based UIs for less-used features
• Adding more resources to control
• Visualizations of accesses
– Relates to abnormal situations noted in contextual IM
Grey: Current Work in Visualizations
Concluding Remarks
• User-controllable privacy and security for three apps
– Contextual instant messaging
– People Finder
– Grey distributed access control system
• Common threads
– Simpler ways of specifying policies
– Better notifications and explanations
– Better visualizations
– Machine learning for learning preferences
Concluding Remarks
• Some early lessons
– Many indirect issues need to be addressed to study usable privacy and security (value proposition, network effects)
– People seem willing to use apps if given good enough control and feedback for privacy and security
– Lots of iterative design needed
Acknowledgements
• NSF Cyber Trust Grant CNS-0627513
• ARO DAAD19-02-1-0389 ("Perpetually Available and Secure Information Systems") to CMU’s CyLab
Source: http://www.rudezone.com/cartoon4/wireless.html