Approximate Information Flows: Socially-based Modeling of Privacy in Ubiquitous Computing
Xiaodong Jiang, Jason I. Hong, James A. Landay
Group for User Interface Research
University of California, Berkeley
Oct 01 2002

Slide 2: Designing for Privacy in Ubicomp
• What design goals?
• How to implement?
• Related work
  – Fair Information Practices, Westin, Langheinrich
  – Transparent Society, David Brin
  – Design Framework for Ubicomp, Bellotti and Sellen
• This work
  – How privacy is affected by more pragmatic forces
    • Market, Social, Legal, Technical (Lessig)
  – Principle of Minimum Asymmetry
  – Approximate Information Flows (AIF) as a way of tying together asymmetry, privacy, and ubicomp systems
Slide 3: Information Asymmetry
• Situations in which some actors hold private information relevant to everyone
• Akerlof (Nobel Prize 2001)
• Ex. Used cars and "Malfunctioning of Markets"
Slide 4: Asymmetry in Ubicomp
[Diagram: three actors, Alice (Data Owner), Map Service (Data Collector) and Loc-based Advertiser (Data User), with flows between them labelled $ and $$]
Large potential for asymmetries in information and power
Slide 5: Forces on Privacy
[Diagram: Privacy in the centre, surrounded by Social, Market, Legal and Technology; after Lessig, "Architecture of Privacy"]
• Practical privacy shaped by four forces
• Asymmetry impedes Market, Social, and Legal
• How to build Technology to enable other forces?
Slide 6: Operationalizing Privacy
[Diagram layers: Technology; Information Asymmetry; Market, Social, Legal; Privacy; Values (ex. FIP, Transparency)]
Approximate Information Flows: describe and prescribe different levels of information asymmetry in ubicomp systems
Slide 7: Principle of Minimum Asymmetry
Minimize asymmetry of information between data owners and data collectors and data users, by:
• Minimizing quality & quantity of info going out
• Maximizing quality & quantity of info going back in
[Diagram: Owners on one side, Collectors / Users on the other, with an "Out" flow from the owners and an "In" flow back to them]
Slide 8: Minimizing Asymmetry in Ubicomp
[Diagram: the same three actors as in slide 4, Alice (Data Owner), Map Service (Data Collector) and Loc-based Advertiser (Data User), with flows labelled $ and $$, annotated with three groups of measures:]
• Reduce accuracy, Anonymize
• Ask for consent, Notify, Log
• Aggregate, Reduce accuracy
Slide 9: Implications for Ubicomp
• Makes it easier to apply other forces
  – Market, ex. making informed decisions about personal data transactions
  – Social, ex. logging and notification to inform people about violations of social norms
  – Legal, ex. logs that serve as evidence for legal recourse
• Minimum asymmetry is a relative notion
  – Depends on the task, domain, and values
Slide 10: Applying Minimum Asymmetry
• What are useful abstractions for thinking about and supporting minimum asymmetry?
• Approximate Information Flows
  – Where does the data live?
  – When does data flow to others?
  – What can people do to protect data?
Slide 11: Where Does the Data Live?
• Information Spaces, tied to boundaries
• Privacy-sensitive data representation
  – Persistence: how long does data live?
  – Confidence: sensor property
    • Ex. 95% vs 25%
  – Accuracy: usage property
    • Ex. "Sweden" vs "Göteberg" vs "Draken Cinema"
• Basic privacy-sensitive operations
  – Read / Write
  – Promote / Demote: persistence, confidence, accuracy
  – Aggregate: composition, fusion (inference)
  – Permissions and logging associated with all operations
Slide 12: Example Usage of InfoSpaces
[Diagram: three InfoSpaces and a Log]
• Alice's InfoSpace: Owner="Alice", Loc="Draken Cinema", Confidence="85%", TTL="forever"
• Map Service InfoSpace: Owner="xyzzy", Loc="Göteberg", Confidence="80%", TTL="1 week", Notify="[email protected]", Perm="map service"
• Loc-based Advertiser InfoSpace
• Log
Slide 13: When Does Data Flow to Others?
• Data Lifecycle
• Collection
  – The point when data is gathered
  – Ex. When Alice gets her location data (GPS)
• Access
  – The point when data is initially used
  – Ex. Map Service uses Alice's location data
• Second use
  – Use and sharing of data after initial access
  – Ex. Location-based advertiser asks Map Service for location of Alice
Slide 14: What Can People Do to Protect Data?
• Themes for Minimizing Asymmetry
• Prevent privacy violations from occurring
  – Ex. Anonymize Alice's data
  – Minimizing flow out
• Avoid potential privacy risks
  – Ex. Alice asks others if Map Service is reputable
  – Minimizing flow out & maximizing flow in
• Detect privacy violations if there are any
  – Ex. A third party audits what Map Service is doing
  – Maximizing flow in
Slide 15: Approximate Information Flows: Putting It All Together
• Information spaces define "privacy zones"
• Incoming & outgoing flows for an InfoSpace determine its degree of asymmetry
• (Prevention, avoidance, detection) used to alter asymmetry for that InfoSpace
• Apply at (collection, access, second use)
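The pieces the deck has introduced, the InfoSpace tags from "Example Usage of InfoSpaces", the collection / access / second-use lifecycle from "When Does Data Flow to Others?" and the prevent / avoid / detect themes from "What Can People Do to Protect Data?", in executable form. This is an added example written for this page, not code from the authors or their prototype. The location hierarchy, the 5-point confidence drop on demotion, TTL measured in days, the notify address and all class and function names are constructed assumptions.

```python
"""Toy model of Approximate Information Flows (added example, not the
authors' code).  An InfoSpace is a privacy zone holding records tagged
with Owner, Loc, Confidence, TTL, Notify and Perm.  Data leaving a zone
is demoted (pseudonym, coarser location, shorter TTL) to minimise the
flow out; permission checks, logging and notifications maximise the
flow back in.  Hierarchy, confidence drop and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Accuracy levels from the slides, ordered coarse -> fine.
ACCURACY_LEVELS = ["country", "city", "place"]
# Constructed hierarchy for the slides' example locations.
PARENT = {"Draken Cinema": "Göteberg", "Göteberg": "Sweden"}
LEVEL = {"Draken Cinema": "place", "Göteberg": "city", "Sweden": "country"}


@dataclass
class Record:
    owner: str                  # real name in the owner's space, pseudonym outside
    loc: str
    accuracy: str               # one of ACCURACY_LEVELS (usage property)
    confidence: float           # sensor property, 0.0..1.0
    ttl: Optional[int]          # persistence in days; None means "forever"
    notify: Optional[str] = None                        # where access reports flow back
    perm: frozenset = field(default_factory=frozenset)  # principals allowed to read


@dataclass
class InfoSpace:
    """A privacy zone.  Every operation is logged; reads also queue a
    notification for each record that carries a Notify tag."""
    name: str
    records: list = field(default_factory=list)
    log: list = field(default_factory=list)     # (stage, actor, op, detail)
    outbox: list = field(default_factory=list)  # (address, message)

    def write(self, rec, actor, stage):
        self.records.append(rec)
        self.log.append((stage, actor, "write", rec.loc))

    def read(self, actor, stage):
        """Return the records actor may see.  Denied attempts are logged
        too: the log is what lets a third party detect misuse later."""
        allowed = [r for r in self.records if actor == self.name or actor in r.perm]
        denied = len(self.records) - len(allowed)
        self.log.append((stage, actor, "read", {"allowed": len(allowed), "denied": denied}))
        for r in self.records:
            if r.notify:
                verdict = "ok" if r in allowed else "denied"
                self.outbox.append((r.notify, f"{actor} read {r.loc} during {stage}: {verdict}"))
        return allowed


def coarsen(loc, target):
    """Reduce accuracy by climbing the location hierarchy.  Refusing to go
    the other way keeps 'promote' a separate, deliberate operation."""
    if ACCURACY_LEVELS.index(target) > ACCURACY_LEVELS.index(LEVEL[loc]):
        raise ValueError(f"{loc} is coarser than {target}; that would be a promote")
    while LEVEL[loc] != target:
        loc = PARENT[loc]
    return loc


def demote(rec, *, pseudonym, accuracy, ttl, notify, perm, confidence_drop=0.05):
    """Build the copy that flows out: less identity, accuracy and persistence
    than the original, plus the tags that pull information back in."""
    return Record(owner=pseudonym,
                  loc=coarsen(rec.loc, accuracy),
                  accuracy=accuracy,
                  confidence=round(max(0.0, rec.confidence - confidence_drop), 2),
                  ttl=ttl, notify=notify, perm=frozenset(perm))


def flow(src, dst, rec, actor, stage, **demotion):
    """Move a demoted copy of rec from src to dst, logging it in both spaces."""
    out = demote(rec, **demotion)
    src.log.append((stage, actor, "flow_out", f"{out.owner}@{out.loc} -> {dst.name}"))
    dst.write(out, actor, stage)
    return out


def audit(space):
    """Detection theme: a third party lists every denied read in a space."""
    return [e for e in space.log if e[2] == "read" and e[3]["denied"] > 0]


def run_scenario():
    alice = InfoSpace("Alice")
    maps = InfoSpace("map service")
    # Collection: the GPS fix lands in Alice's own space at full detail.
    alice.write(Record("Alice", "Draken Cinema", "place", 0.85, None), "Alice", "collection")
    # Access: Alice shares a pseudonymous, city-level, one-week copy.
    shared = flow(alice, maps, alice.records[0], "Alice", "access",
                  pseudonym="xyzzy", accuracy="city", ttl=7,
                  notify="owner-notify@example.invalid",   # placeholder address
                  perm={"map service"})
    # The map service may read what it was given ...
    seen_by_maps = maps.read("map service", "access")
    # ... but a second use by the advertiser is outside Perm and gets nothing.
    seen_by_ads = maps.read("loc-based advertiser", "second use")
    return alice, maps, shared, seen_by_maps, seen_by_ads


if __name__ == "__main__":
    alice, maps, shared, by_maps, by_ads = run_scenario()
    print("outgoing record:", shared)
    print("advertiser saw:", by_ads)
    print("denied reads found by audit:", audit(maps))
    print("notifications to owner:", maps.outbox)
```

The full-accuracy record never leaves Alice's zone; only the demoted copy does, which is the "minimizing flow out" half of the principle. The advertiser's denied read is still recorded in the map service's log and turned into a notification to the owner, so `audit()` and the outbox are the "maximizing flow in" half: the detect theme works only because the log captures failed operations as well as successful ones.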
Slide 16: Minimizing Asymmetry at Different Times
[Figure: a grid for Alice's InfoSpace. Horizontal axis, Data Lifecycle: Collection, Access, Second Use. Vertical axis, Themes for Minimizing Asymmetry: Prevent, Avoid, Detect. Techniques placed on the grid: Anonymization / Pseudonymization, P3P, RBAC, Location Support, Privacy Mirrors, Wearables, User Interfaces for Feedback, Notification, and Consent, Logging.]
Slide 17: Current & Future Work
• Model for privacy control: decentralized info space with unified privacy tagging
  – IEEE Pervasive Computing, July/Sept, 2002
• Integration into a context infrastructure
• Ways to translate end-user privacy prefs to system-level asymmetry-based policies
Slide 18: Conclusions
• Asymmetry as a way of tying together Market, Legal, Social, and Technical forces
• Principle of Minimum Asymmetry
• Approximate Information Flows as a model for implementing minimum asymmetry
  – Information Spaces
  – Data Lifecycle
  – Themes for minimizing asymmetry
• Approximate Information Flows for analyzing and minimizing asymmetry in ubicomp systems
Xiaodong Jiang, Jason I. Hong, James A. Landay
http://guir.berkeley.edu/groups/privacy
Group for User Interface Research
University of California, Berkeley
Thanks to: John Canny, Anind Dey, Scott Lederer, National Science Foundation ITR