Introduction PrivacyMate ScheduleME MIT-FIT Tutorial Evaluation Conclusion
User-controlled Privacy for Personal Mobile Data
Sharon Paradesi
Decentralized Information Group, Bigdata@CSAIL
Advisor: Dr. Lalana Kagal
August 6, 2014
Current privacy controls
Current data flow
Terminology
openPDS: an open-source platform enabling decentralized data storage on trusted computing infrastructures.
labs: mobile apps on the Living Lab platform. Lab names: ScheduleME ∼ Meetup
openPDS-enabled data flow
What’s missing?
openPDS is a privacy-preserving framework for personal data stores. However, the platform currently lacks fine-grained user controls for privacy.
Contributions of this thesis
- Suite of user controls for privacy: PrivacyMate
- Additional labs built to validate PrivacyMate: ScheduleME, MIT-FIT
Overview of PrivacyMate
openPDS-enabled data flow with PrivacyMate
Preference creation
Global settings
Spatio-temporal context
Overall enforcement
Flow (figure): start → Opt-in to data aggregation → Opt-in to data collection → Context → stop
Each stage either returns null (the request is denied) or passes the request on to the next stage; only when every stage passes is the data object returned.
Data aggregation enforcement
Flow (figure): if the request is a group computation, has the user opted in to data aggregation?
  no  → Return null
  yes → continue to the opt-in to data collection check
(Requests that are not group computations skip this stage.)
Data collection enforcement
Flow (figure): has the user opted in to data collection?
  no  → Return null
  yes → continue to the Context check
Context enforcement
Flow (figure), for the context c attached to the preference:
  Is time ∈ [start_c, end_c] and day ∈ days_c?
    no  → Return null
    yes → Is a location specified in the context?
      no  → Return data object
      yes → Is the current location within 500 m of location_c?
        no  → Return null
        yes → Return data object
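The three enforcement stages above (data aggregation opt-in, data collection opt-in, spatio-temporal context with the 500 m radius), as an added example that is not PrivacyMate's or openPDS's own code. The class layout, field names, the "abstain when the device position is unknown" rule, and the sample preference and requests are this example's assumptions; the coordinates are the ones shown on the ScheduleME slide, reused here as a "home" context.

```python
"""PrivacyMate-style enforcement of one data request (added example, not project code)."""
import math
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Optional, Tuple

LatLon = Tuple[float, float]
RADIUS_M = 500.0  # the 500 m threshold from the context-enforcement flowchart


@dataclass(frozen=True)
class Context:
    """Spatio-temporal context attached to a preference (field names assumed)."""
    start: str                          # "HH:MM", inclusive
    end: str                            # "HH:MM", inclusive
    days: FrozenSet[str]                # strftime("%a") names, e.g. {"Mon", "Tue"}
    location: Optional[LatLon] = None   # None: no location restriction


@dataclass(frozen=True)
class Preference:
    """Per-user, per-lab preference (field names assumed)."""
    opt_in_collection: bool
    opt_in_aggregation: bool
    context: Optional[Context] = None   # None: no spatio-temporal restriction (assumption)


@dataclass(frozen=True)
class Request:
    group_computation: bool             # True when a lab asks for an aggregate over users
    when: datetime                      # time of the request
    location: Optional[LatLon]          # device position at request time, None if unknown


def haversine_m(a: LatLon, b: LatLon) -> float:
    """Great-circle distance in metres between two (lat, lon) points."""
    r = 6_371_000.0
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))


def in_context(ctx: Context, req: Request) -> bool:
    """Context enforcement: time window and weekday first, then the optional 500 m radius."""
    hhmm = req.when.strftime("%H:%M")   # zero-padded, so string comparison orders correctly
    day = req.when.strftime("%a")
    if not (ctx.start <= hhmm <= ctx.end and day in ctx.days):
        return False                    # outside the time window: return null
    if ctx.location is None:
        return True                     # no location in the context: return data object
    if req.location is None:
        return False                    # assumption: an unknown position cannot satisfy a radius
    return haversine_m(req.location, ctx.location) <= RADIUS_M


def enforce(pref: Preference, req: Request, data_object):
    """Overall enforcement: aggregation opt-in -> collection opt-in -> context.
    Returns data_object when every stage passes, otherwise None (the flowchart's null)."""
    if req.group_computation and not pref.opt_in_aggregation:
        return None
    if not pref.opt_in_collection:
        return None
    if pref.context is not None and not in_context(pref.context, req):
        return None
    return data_object


# Constructed sample preference and requests (not real user data).
HOME: LatLon = (42.3612, -71.0893)
WORKDAYS = frozenset({"Mon", "Tue", "Wed", "Thu", "Fri"})
HOME_CTX = Context("09:00", "17:00", WORKDAYS, HOME)
SAMPLE_PREF = Preference(opt_in_collection=True, opt_in_aggregation=True, context=HOME_CTX)
THU_10 = datetime(2014, 8, 7, 10, 0)    # a Thursday, inside the window
THU_20 = datetime(2014, 8, 7, 20, 0)    # same day, after the window
SAT_10 = datetime(2014, 8, 9, 10, 0)    # a Saturday, not in WORKDAYS
NEAR: LatLon = (42.3640, -71.0893)      # about 310 m north of HOME
FAR: LatLon = (42.3712, -71.0893)       # about 1.1 km north of HOME


def demo() -> dict:
    """Runs the sample requests through enforce(); values are the data object or None."""
    obj = {"steps": 1234}
    return {
        "near_thu": enforce(SAMPLE_PREF, Request(False, THU_10, NEAR), obj),
        "far_thu": enforce(SAMPLE_PREF, Request(False, THU_10, FAR), obj),
        "near_sat": enforce(SAMPLE_PREF, Request(False, SAT_10, NEAR), obj),
        "near_thu_evening": enforce(SAMPLE_PREF, Request(False, THU_20, NEAR), obj),
        "group_no_aggregation": enforce(Preference(True, False, HOME_CTX),
                                        Request(True, THU_10, NEAR), obj),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note the ordering: a group computation is refused on the aggregation opt-in before the collection opt-in or context are consulted, so a user who never opted in to collection still gets the same null for a group request as the flowchart specifies, and the caller learns nothing about which stage denied it.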
ScheduleME: Features
- Privacy-preserving way to enable users to schedule meetups without revealing either current or desired physical locations or points of interest.
Reference: Sweatt, B., Paradesi, S., Liccardi, I., Kagal, L., Pentland, A. S. Building Privacy-preserving Location-based Apps. Privacy, Security and Trust (PST), 2014 Twelfth Annual International Conference on. IEEE, 2014.
Determining meeting location
Example request (figure):
  Meeting about PST paper
  From: [email protected]
  To: user2 ([email protected]); user3 ([email protected])
  Day: Thursday 30th March; Time: 16:00
  Location: 42.3612, -71.0893
The Initiator requests a meeting by simply inserting the participants' email addresses. The system uses past information about participants' locations to suggest a possible meeting date, time and place.
The map shows the location which is most convenient for the group, either for all or for a majority of the participants. In order to preserve participants' privacy, the individual participants' locations used to select the meeting place cannot be inferred. Each participant's possible location for the meeting is selected randomly from within a bounding box built from the four or five locations captured (b1, b2 in the figure) at the requested hour. The specific past location information is not used; instead a random location is selected within the limits of a bounding box containing the actual past locations, and this selected location is used in the computation of the centroid.
Figure: (a) Requesting a meeting; (b) Calculating the centroid (panels show the Initiator and the Participants' bounding boxes b1, b2).
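The bounding-box obfuscation and centroid computation described above, as an added example that is not ScheduleME's own code: each participant's store releases one uniformly random point inside the bounding box of the positions it captured at the requested hour, and the initiator's side computes the centroid of the released points only. The record layout, the minimum of four captured positions per participant (from the slide's "4/5 location places"), the rule that a store abstains when its box is degenerate, and the sample stores are this example's assumptions.

```python
"""ScheduleME-style meeting point from obfuscated participant locations (added example)."""
import random
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LatLon = Tuple[float, float]
Box = Tuple[float, float, float, float]     # (min_lat, min_lon, max_lat, max_lon)
Record = Tuple[datetime, float, float]      # (timestamp, lat, lon) held in a personal store
MIN_POINTS = 4                              # from the slide's "4/5 location places"; assumption


def past_at_hour(records: List[Record], hour: int) -> List[LatLon]:
    """Positions a store captured at the requested hour of the day."""
    return [(lat, lon) for ts, lat, lon in records if ts.hour == hour]


def bounding_box(points: List[LatLon]) -> Box:
    lats = [p[0] for p in points]
    lons = [p[1] for p in points]
    return (min(lats), min(lons), max(lats), max(lons))


def in_box(p: LatLon, box: Box) -> bool:
    return box[0] <= p[0] <= box[2] and box[1] <= p[1] <= box[3]


def released_location(records: List[Record], hour: int,
                      rng: random.Random) -> Optional[LatLon]:
    """What one participant's store hands out: a uniformly random point inside the
    bounding box of its past positions at that hour, or None (abstain) when too few
    positions exist or the box would give the real position away."""
    pts = past_at_hour(records, hour)
    if len(pts) < MIN_POINTS:
        return None
    lat0, lon0, lat1, lon1 = bounding_box(pts)
    if lat0 == lat1 or lon0 == lon1:
        return None                         # degenerate box: only one distinct place
    return (rng.uniform(lat0, lat1), rng.uniform(lon0, lon1))


def centroid(points: List[LatLon]) -> LatLon:
    n = len(points)
    return (sum(p[0] for p in points) / n, sum(p[1] for p in points) / n)


def suggest_meeting_point(stores: Dict[str, List[Record]], hour: int,
                          seed: Optional[int] = None) -> Tuple[LatLon, Dict[str, LatLon]]:
    """Initiator side: collects released points and returns (centroid, released)."""
    rng = random.Random(seed)
    released: Dict[str, LatLon] = {}
    for who, records in stores.items():
        p = released_location(records, hour, rng)
        if p is not None:
            released[who] = p
    if not released:
        raise ValueError("no participant released a location for that hour")
    return centroid(list(released.values())), released


def _at(day: int, hour: int) -> datetime:
    return datetime(2014, 3, day, hour, 0)  # constructed timestamps


# Constructed sample stores (not real data): four positions each around 16:00.
SAMPLE_STORES: Dict[str, List[Record]] = {
    "user1": [(_at(24 + k, 16), 42.3612 + 0.0005 * k, -71.0893 - 0.0004 * k) for k in range(4)],
    "user2": [(_at(24 + k, 16), 42.3584 + 0.0003 * k, -71.0923 + 0.0002 * k) for k in range(4)],
    "user3": [(_at(24 + k, 16), 42.3661 - 0.0002 * k, -71.0844 + 0.0006 * k) for k in range(4)],
    "user4": [(_at(24 + k, 16), 42.3600, -71.0900) for k in range(4)],   # same spot every day
    "user5": [(_at(24 + k, 9), 42.3700, -71.1000) for k in range(4)],    # nothing at 16:00
}


if __name__ == "__main__":
    point, released = suggest_meeting_point(SAMPLE_STORES, 16, seed=7)
    print("released:", released)
    print("meeting point:", point)
```

The degenerate-box check matters: a participant who is at the same place at 16:00 every day has a zero-area box, and "a random point inside it" is exactly their real location. Abstaining (user4 above) costs one vote in the centroid but leaks nothing; the minimum-points rule alone does not cover this case.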
MIT-FIT: Features
MIT-FIT enables users to
- track personal and aggregate high-activity regions and times
- view personalized fitness-related event recommendations
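The individual-private-store, question-and-answer and group-computation approach that the slides list for MIT-FIT, as an added example that is not MIT-FIT's or openPDS's own code: each store answers the question "where and when are you active?" locally with per-cell, per-hour counts, and the aggregator sums answers only from users who opted in to data aggregation. The grid size, the activity threshold, the minimum of three contributing users per reported cell, the store layout and the sample data are this example's assumptions.

```python
"""MIT-FIT-style question-and-answer group computation (added example, not project code)."""
import math
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

CELL_DEG = 0.002      # grid cell size in degrees (about 220 m of latitude); assumption
ACTIVE_LEVEL = 2      # samples at or above this activity level count as "active"; assumption
MIN_USERS = 3         # a (cell, hour) is reported only with this many contributors; assumption

Sample = Tuple[datetime, float, float, int]      # (timestamp, lat, lon, activity level)
Cell = Tuple[int, int]
Key = Tuple[Cell, int]                           # (cell, hour of day)


def cell_of(lat: float, lon: float) -> Cell:
    return (math.floor(lat / CELL_DEG), math.floor(lon / CELL_DEG))


def answer_high_activity(samples: List[Sample]) -> Counter:
    """Runs inside one user's personal data store. The answer is a count per
    (cell, hour); raw timestamps and positions never leave the store. The same
    answer is what the user sees as their personal high-activity view."""
    answer: Counter = Counter()
    for ts, lat, lon, level in samples:
        if level >= ACTIVE_LEVEL:
            answer[(cell_of(lat, lon), ts.hour)] += 1
    return answer


def group_computation(stores: List[dict]) -> Dict[Key, int]:
    """Aggregator side: asks only stores whose user opted in to data aggregation,
    sums their answers, and drops (cell, hour) entries backed by fewer than
    MIN_USERS contributors so a single user's routine cannot be singled out."""
    total: Counter = Counter()
    contributors: Counter = Counter()
    for store in stores:
        if not store["opt_in_aggregation"]:
            continue                              # opted-out stores are never asked
        for key, n in answer_high_activity(store["samples"]).items():
            total[key] += n
            contributors[key] += 1
    return {key: n for key, n in total.items() if contributors[key] >= MIN_USERS}


def _t(day: int, hour: int) -> datetime:
    return datetime(2014, 8, day, hour, 0)       # constructed timestamps


STATA = (42.3612, -71.0893)       # coordinates from the ScheduleME slide, reused as a cell
RIVER = (42.3736, -71.1097)       # a second, different cell (constructed)

# Constructed sample stores (not real data).
SAMPLE_STORES: List[dict] = [
    {"user": "u1", "opt_in_aggregation": True,
     "samples": [(_t(4, 17), *STATA, 3), (_t(5, 17), *STATA, 3), (_t(5, 7), *RIVER, 3)]},
    {"user": "u2", "opt_in_aggregation": True,
     "samples": [(_t(4, 17), *STATA, 2), (_t(4, 8), *STATA, 1)]},   # level 1: not active
    {"user": "u3", "opt_in_aggregation": True,
     "samples": [(_t(6, 17), *STATA, 3)]},
    {"user": "u4", "opt_in_aggregation": False,
     "samples": [(_t(4, 17), *STATA, 3), (_t(4, 7), *RIVER, 3)]},   # opted out: ignored
]


def demo() -> Dict[Key, int]:
    return group_computation(SAMPLE_STORES)


if __name__ == "__main__":
    for (cell, hour), n in demo().items():
        print(f"cell {cell} at {hour:02d}:00 -> {n} active samples")
```

The opt-in flag is checked before the store is queried at all, so an opted-out user contributes neither to the counts nor to the contributor threshold; that keeps the aggregate consistent with what the user agreed to rather than merely hiding it afterwards.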
High-activity by location
High-activity by time and recommendations
Effect of enforcing different contexts
Comparison of MIT-FIT with other apps

App name  | Visibility (sharing) | Privacy techniques                                                                                    | Log-in access: New | Log-in access: S.N.
Fitbit    | F. T.                | policy safeguards for developer and API access                                                         | Yes                | F.
Nike+     | F. T. P.             | grouping to share data and setting up private challenges                                              | Yes                | F.
Pebble    | F.                   | policy safeguards for developer and API access                                                         | Device             | -
Moves     | Private              | can use app without account                                                                             | Device             | -
RunKeeper | F. T.                | grouping to control sharing of data and analyses                                                       | Yes                | F.
Strava    | F.                   | “Enhanced Privacy”                                                                                      | Yes                | F.
MIT-FIT   | None                 | individual private store, question and answer framework, group computation, user controls for privacy | Yes                | -

F. Facebook, T. Twitter, P. Pinterest; S.N. social network log-in
Tutorial: Creating a new lab
PrivacyMate’s functionality is part of the platform and therefore a developer does not have to worry about it.
To create a new lab, a developer needs to make changes to the
- openPDS server and
- MIT mobile app
Tutorial: Creating a new lab
On openPDS server
- Write Python code to define a task for the lab’s functionality.
- Schedule the task by adding it to the Celery scheduler.
- Write HTML code to create the lab visualization pages.
- Write JavaScript code, using backbone.js, to fetch data and create the lab visualizations.
- Add the path to the HTML (visualization) to the urls.py file for routing.
On MIT Mobile client
- Add the lab to the pds strings.xml file of the MIT Mobile client.
Semi-structured interviews
Goal: better understand the usability of the user controls for privacy and to obtain suggestions for improving them.
Procedure
- verbal “walkthrough” of the lab
- asked them to perform three tasks
- asked to rate their interaction with the framework when accomplishing the specific task
- asked to justify their feedback for each rating and provide any final comments and feedback.
This is a small-scale user study (IS&T usability consultation fell through).
Task 1: Allow Social Health Tracker to collect and use all required data
We received a somewhat uniform distribution of feedback for this task.
“three-dot icon”: ambiguous for some, but for P6: “experienced very similar app settings and therefore could do it.”
P1 about opt-in to data aggregation: “Is it sharing my data? I don’t want my data to be shared.”
P3 about wording issues: not willingly reading text on mobile devices unless required to.
Task 2: Allow Social Health Tracker to only use data when at home
The majority of the responses were “Neutral”.
Questions: select more than one context, and select different times during weekends compared to weekdays.
Context was not directly apparent from the “Data Permissions” screen. P3: “... [context] is hidden. It can [only] be discovered by accident or remembered.”
P5: “[It] would be nice to give an address and have the map drop a pin ... similar to ... Google maps.”
Task 3: Allow all labs to collect and use data
Four of the participants rated the interaction for this task as “Very easy.”
P1: “this task was easier because I found Global Settings right at the beginning.”
P2: “this [showed the] data collection and use [controls] on the same screen, which is good.”
P3: not knowing “what applications have what data”
Conclusion
Contributions of this thesis:
- User-controlled privacy mechanisms for the Living Lab platform: PrivacyMate
- Two labs: ScheduleME, MIT-FIT
- Small-scale semi-structured usability interviews
Future Work:
- The goal is eventual deployment across the MIT campus
- Making preferences easier to use and learning users’ privacy preferences
- Integrating data from QS devices and considering different types of activities
- Extensive usability studies
Thank You! Any Questions?
Special thanks to
- Lalana Kagal (Thesis advisor)
- Sam Madden and Elizabeth Bruce (Living Lab advisors)
- Hal Abelson, Ilaria Liccardi, Joe Pato, K Krasnow Waterman, Danny Weitzner, Fuming Shih, Oshani Seneviratne, Daniela Miao, Andrei Sambra, Mike Specter and other DIG group members
- Brian Sweatt, Myra Hope Eskridge, Laura Watts and other Living Lab collaborators
Contact: [email protected]