ubicomp-aif-oct2002


Group for User Interface Research, University of California, Berkeley
Approximate Information Flows:
 Socially-based Modeling of Privacy
 in Ubiquitous Computing




                                 Xiaodong Jiang
                                  Jason I. Hong
                               James A. Landay
  Designing for Privacy in Ubicomp

• What design goals?
• How to implement?
• Related work
    – Fair Information Practices, Westin, Langheinrich
    – Transparent Society, David Brin
    – Design Framework for Ubicomp, Bellotti and Sellen
• This work
    – How privacy is affected by more pragmatic forces
         • Market, Social, Legal, Technical (Lessig)
    – Principle of Minimum Asymmetry
    – Approximate Information Flows (AIF) as a way of tying
      together asymmetry, privacy, and ubicomp systems

Oct 01 2002                                               2
  Information Asymmetry

• Situations in which some actors hold private
  information relevant to everyone
• Akerlof (Nobel Prize 2001)
• Ex. Used cars and "Malfunctioning of Markets"




  Asymmetry in Ubicomp

[Figure: Alice (Data Owner) → Map Service (Data Collector) → Loc-based Advertiser (Data User)]
   Large potential for asymmetries in information and power




  Forces on Privacy

[Figure: Privacy at the center, pulled on by four forces: Social, Market, Legal, and Technology (Lessig, "Architecture of Privacy")]
• Practical privacy shaped by four forces
• Asymmetry impedes Market, Social, and Legal
• How to build Technology to enable other forces?

  Operationalizing Privacy

[Figure: Technology and Values (Ex. FIP, Transparency) act on Information Asymmetry, which in turn shapes the Market, Social, and Legal forces on Privacy]
Approximate Information Flows: describe and prescribe different levels of information asymmetry in ubicomp systems

    Principle of Minimum Asymmetry

Minimize asymmetry of information between data
owners and data collectors and data users, by:
• Minimizing quality & quantity of info going out
• Maximizing quality & quantity of info going back in



[Figure: Owners send information Out to Collectors / Users, and information flows back In]


     Minimizing Asymmetry in Ubicomp

[Figure: the same three actors, with asymmetry-minimizing measures on each flow]
• Alice (Data Owner) → Map Service (Data Collector): Reduce accuracy, Anonymize
• Map Service (Data Collector) → Loc-based Advertiser (Data User): Aggregate, Reduce accuracy
• Flows back to Alice: Ask for consent, Notify, Log
  Implications for Ubicomp

• Makes it easier to apply other forces
    – Market, ex. making informed decisions about
      personal data transactions
    – Social, ex. logging and notification to inform people
      about violations of social norms
    – Legal, ex. logs that serve as evidence for legal
      recourse
• Minimum asymmetry is a relative notion
    – Depends on the task, domain, and values




  Applying Minimum Asymmetry

• What are useful abstractions for thinking about
  and supporting minimum asymmetry?

• Approximate Information Flows
    – Where does the data live?
    – When does data flow to others?
    – What can people do to protect data?




  Where Does the Data Live?

• Information Spaces, tied to boundaries
• Privacy-sensitive data representation
    – Persistence, how long does data live?
    – Confidence, sensor property
         • Ex. 95% vs 25%
    – Accuracy, usage property
         • Ex. "Sweden" vs "Göteborg" vs "Draken Cinema"
• Basic privacy-sensitive operations
    – Read / Write
    – Promote / Demote: persistence, confidence, accuracy
    – Aggregate: composition, fusion (inference)
    – Permissions and Logging associated with all operations

  Example Usage of InfoSpaces



[Figure: three InfoSpaces and the flows between them]
   Alice's InfoSpace: Owner="Alice", Loc="Draken Cinema", Confidence="85%", TTL="forever"
   Map Service InfoSpace: Owner="xyzzy", Loc="Göteborg", Confidence="80%", TTL="1 week", Notify="alice@anon.com", Perm="map service"
   Loc-based Advertiser InfoSpace
   Log (all operations are logged)
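The tagged records and operations of the two slides above (persistence, confidence and accuracy tags; demote, anonymize and aggregate; permission-checked and logged reads), as an added Python example that is not code from the original talk. The accuracy ladder, the percent-valued confidence, the `perm` set, the salted-hash pseudonym and every record are assumptions and constructed sample data chosen to mirror the tags on the slide.

```python
"""InfoSpace model of the talk's privacy-sensitive data representation.

Added example, not from the original talk: the accuracy ladder, the percent
confidence, the perm set and the pseudonym scheme are assumptions mirroring
the slide's tags (Owner, Loc, Confidence, TTL, Notify, Perm); all records
below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Coarsest to finest, after the slide's "Sweden" vs "Göteborg" vs "Draken Cinema".
ACCURACY_LEVELS = ["Sweden", "Göteborg", "Draken Cinema"]


@dataclass(frozen=True)
class LocRecord:
    owner: str                     # data owner, or a pseudonym once anonymized
    loc: str                       # accuracy: one entry of ACCURACY_LEVELS
    confidence: int                # sensor property, in percent
    ttl: Optional[timedelta]       # persistence; None means "forever"
    perm: frozenset = frozenset()  # principals allowed to read the record
    notify: Optional[str] = None   # where notice of access is sent


# Demote operations lower one tag before data flows out of a zone
# (minimizing the quality of information going out).
def demote_accuracy(rec, levels=1):
    idx = ACCURACY_LEVELS.index(rec.loc)
    return replace(rec, loc=ACCURACY_LEVELS[max(0, idx - levels)])


def demote_confidence(rec, by):
    return replace(rec, confidence=max(0, rec.confidence - by))


def anonymize(rec, salt):
    # Salted hash pseudonym: stable for one salt, not linkable to the owner without it.
    pseudo = hashlib.sha256((salt + rec.owner).encode()).hexdigest()[:8]
    return replace(rec, owner=pseudo)


def aggregate(records):
    """Fusion for a data user: counts per location with owners dropped."""
    counts = {}
    for rec in records:
        counts[rec.loc] = counts.get(rec.loc, 0) + 1
    return counts


@dataclass
class InfoSpace:
    """A privacy zone holding tagged records; every operation is logged."""
    name: str
    records: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def write(self, rec, by, at=None):
        self.records.append((rec, at or datetime.now(timezone.utc)))
        self.log.append(("write", by, rec.owner))

    def read(self, requester, now=None):
        """Permission-checked, logged read that skips expired records."""
        now = now or datetime.now(timezone.utc)
        out = []
        for rec, written in self.records:
            if rec.ttl is not None and written + rec.ttl < now:
                continue  # persistence elapsed: the record no longer flows
            if requester not in rec.perm:
                self.log.append(("denied", requester, rec.owner))
                continue
            self.log.append(("read", requester, rec.owner))
            out.append(rec)
        return out


def flow_to_collector(owner_space, collector_space, collector, salt):
    """Copy the owner's records into the collector's zone at reduced fidelity."""
    shared = []
    for rec in owner_space.read(collector):
        rec = demote_accuracy(rec)                        # Draken Cinema -> Göteborg
        rec = demote_confidence(rec, by=5)                # 85% -> 80%
        rec = replace(rec, ttl=timedelta(weeks=1))        # forever -> 1 week
        rec = anonymize(rec, salt)                        # Alice -> pseudonym
        rec = replace(rec, perm=frozenset({collector}))   # only the collector may read
        collector_space.write(rec, by=collector)
        shared.append(rec)
    return shared


def demo():
    """Replay the slide's scenario and return what each party ends up seeing."""
    alice = InfoSpace("Alice's InfoSpace")
    alice.write(LocRecord("Alice", "Draken Cinema", 85, None,
                          perm=frozenset({"Map Service"}), notify="alice@anon.com"), by="Alice")
    maps = InfoSpace("Map Service InfoSpace")
    shared = flow_to_collector(alice, maps, "Map Service", salt="demo-salt")
    return {
        "shared": shared,
        "advertiser_sees": maps.read("Loc-based Advertiser"),  # no perm: denied and logged
        "after_expiry": maps.read("Map Service", now=datetime.now(timezone.utc) + timedelta(weeks=2)),
        "log": maps.log,
    }
```

Running `demo()` shows the asymmetry-reducing transforms of the slide in one pass: the Map Service receives a city-level, pseudonymous record with a one-week TTL, the advertiser's read is refused and appears in the log as a denial, and the record stops flowing at all once its persistence has elapsed.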

  When Does Data Flow to Others?

• Data Lifecycle
• Collection
    – The point when data is gathered
    – Ex. When Alice gets her location data (GPS)
• Access
    – The point when data is initially used
    – Ex. Map Service uses Alice’s location data
• Second use
    – Use and sharing of data after initial access
    – Ex. Location-based advertiser asks Map Service for
      location of Alice


  What Can People Do to Protect Data?

• Themes for Minimizing Asymmetry
• Prevent privacy violations from occurring
    – Ex. Anonymize Alice's data
    – Minimizing flow out
• Avoid potential privacy risks
    – Ex. Alice asks others if Map Service is reputable
    – Minimizing flow out & maximizing flow in
• Detect privacy violations if there are any
    – Ex. A third party audits what Map Service is doing
    – Maximizing flow in



  Approximate Information Flows: Putting it all together


• Information spaces define “privacy zones”
• Incoming & outgoing flows for an InfoSpace
  determine its degree of asymmetry
• (Prevention, avoidance, detection) used to alter
  asymmetry for that InfoSpace
• Apply at (collection, access, second use)
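The data lifecycle (collection, access, second use), the three themes (prevent, avoid, detect) and the idea that incoming and outgoing flows determine an InfoSpace's asymmetry, as an added Python example that is not code from the original talk. The stage names, the `Policy` fields and the out-minus-in asymmetry score are assumptions chosen for illustration; the actors and events are constructed.

```python
"""Ledger of the flows crossing one owner's InfoSpace boundary over the data lifecycle.

Added example, not from the original talk. Stage names, Policy fields and the
out-minus-in asymmetry score are assumptions; actors and events are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowEvent:
    stage: str        # "collection", "access" or "second_use"
    actor: str        # party the data went to, or that sent information back
    direction: str    # "out": data left the zone; "in": information came back; "local": stayed
    consented: bool = True


@dataclass(frozen=True)
class Policy:
    reputable: frozenset          # collectors the owner has vetted (avoidance)
    consent_for_second_use: bool  # block unconsented second use (prevention)
    notify_owner: bool            # send notice back in on each use


class OwnerFlows:
    def __init__(self, owner):
        self.owner = owner
        self.events = []
        self.consents = set()  # (collector, user) pairs the owner approved

    def collect(self, sensor):
        # Collection: the owner's own sensor produced the data; nothing left the zone yet.
        self.events.append(FlowEvent("collection", sensor, "local"))

    def grant_consent(self, collector, user):
        # The consent request itself is information flowing back to the owner.
        self.consents.add((collector, user))
        self.events.append(FlowEvent("second_use", collector, "in"))

    def access(self, collector, policy):
        # Avoidance: data only flows to collectors the owner has checked on.
        if collector not in policy.reputable:
            return False
        self.events.append(FlowEvent("access", collector, "out"))
        if policy.notify_owner:
            self.events.append(FlowEvent("access", collector, "in"))
        return True

    def second_use(self, collector, user, policy):
        consented = (collector, user) in self.consents
        # Prevention: a strict policy stops unconsented second use before it happens.
        if policy.consent_for_second_use and not consented:
            return False
        self.events.append(FlowEvent("second_use", user, "out", consented))
        if policy.notify_owner:
            self.events.append(FlowEvent("second_use", user, "in", consented))
        return True

    def asymmetry(self):
        """Outgoing minus incoming flows; positive means others know more than the owner."""
        out = sum(e.direction == "out" for e in self.events)
        back = sum(e.direction == "in" for e in self.events)
        return out - back

    def audit(self):
        # Detection: an auditor reading the ledger lists second uses the owner never approved.
        return [e.actor for e in self.events
                if e.stage == "second_use" and e.direction == "out" and not e.consented]


def run_scenario(strict, with_consent=False):
    """Alice -> Map Service -> Loc-based Advertiser under a strict or a lax policy."""
    policy = Policy(reputable=frozenset({"Map Service"}),
                    consent_for_second_use=strict, notify_owner=strict)
    alice = OwnerFlows("Alice")
    alice.collect("GPS")
    alice.access("Unknown Tracker", policy)      # avoided: never vetted
    alice.access("Map Service", policy)
    if with_consent:
        alice.grant_consent("Map Service", "Loc-based Advertiser")
    alice.second_use("Map Service", "Loc-based Advertiser", policy)
    return alice
```

Under the lax policy the advertiser's second use goes through silently, the score is positive and only the audit surfaces it afterwards (detection); under the strict policy the same second use is either blocked (prevention) or, once consented, balanced by notice flowing back to Alice, so the score never rises above zero.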




  Minimizing Asymmetry at Different Times

[Figure: Themes for Minimizing Asymmetry (Prevent, Avoid, Detect) plotted against the Data Lifecycle (Collection, Access, Second Use), with example techniques placed on the grid: RBAC, Location Support, Anonymization, Pseudonymization, Wearables, P3P, User Interfaces for Feedback, Notification, and Consent, Privacy Mirrors, Logging, and Detection, applied to Alice's InfoSpace]
  Current & Future Work

• Model for privacy control: decentralized info
  space with unified privacy tagging
    – IEEE Pervasive Computing, July/Sept, 2002
• Integration into a context infrastructure
• Ways to translate end-user privacy prefs to
  system-level asymmetry-based policies




  Conclusions

• Asymmetry as a way of tying together Market,
  Legal, Social, and Technical forces
• Principle of Minimum Asymmetry
• Approximate Information Flows as a model for
  implementing minimum asymmetry
    – Information Spaces
    – Data Lifecycle
    – Themes for minimizing asymmetry
• Approximate Information Flows for analyzing
  and minimizing asymmetry in ubicomp systems


Group for User Interface Research, University of California, Berkeley
Thanks to:
   John Canny
   Anind Dey
   Scott Lederer
   National Science Foundation ITR

                                  Xiaodong Jiang
                                   Jason I. Hong
                                James A. Landay
         http://guir.berkeley.edu/groups/privacy

								