Presence, Privacy and Service Personalization CFP PrivSec WG Launch – August 19, 2005

Edward Mitukiewicz, France Telecom (RD/ILAB/BOS), France Telecom R&D Division

The present document contains information that remains the property of France Telecom. The recipient’s acceptance of this document implies his or her acknowledgement of the confidential nature of its contents and his or her obligation not to reproduce, transmit to a third party, disclose or use for commercial purposes any of its contents whatsoever without France Telecom’s prior written agreement.

Distribution of this document is subject to France Telecom’s authorization.

Outline

- Assorted musings to facilitate future CFP PrivSec WG discussions
  - Focused on the complexities of managing privacy-aware presence
  - Limited to a few illustrative examples based on some lessons from a particular prototyping project and ideas from recently published research papers
- … NOT an attempt to
  - Develop a general problem statement and/or comprehensive issue list (albeit doing this and/or describing the current landscape seems to be a good idea!)
  - Consider broader topics of trust/identity management – e.g., in the context of collecting, mining, distributing and protecting sensitive personal data

Privacy Management: Current Practices

- Multiple, uncoordinated control points – difficult to manage
  - Call handling preferences – call waiting: divert or accept
  - Messaging specific options – IM
  - Device controls – on/off, sounds/alerts
  - Control settings – preferences, cookies, tokens
- Integrated policy-based solutions – too complex for the user
  - Who do you want to communicate with and under what circumstances
  - How do you want to communicate when and where
  - What information should be shared with whom under what circumstances
  - Which policy should be activated when …

Personalization: Opportunities & Risks

- Users like service personalization, but want control over
  - What, how and when relevant data is collected, processed and published
  - How such data is used – e.g., ONLY to provide a better service
- Service providers recognize the “added value” potential of personalization – enabled by the availability of data on user interactions with services
  - Conversion of such data into usable information is difficult – e.g., integration of bits and pieces of data from multiple sources
  - Using that info to provide a better user experience usually requires
    - Compliance with the applicable regulations
    - User consent – often limited to a specific and context dependent purpose

Presence and Privacy: See What?

- Value of presence grows with the richness and reliability of the available data (“see/be seen before you communicate”)
  - e.g., location, availability and communication preferences
- Information disclosure restrictions and preferences (e.g., “only to authorized parties and only the minimum required”) – considering
  - Granularity of the available data – access to all vs. certain subsets
  - Exact vs. “blurred” responses
  - Requestor specific vs. “one-size-fits-all” responses
- Personalization requirements add more complexities …

User Location: Intel Study (CHI 2005)

- Users tend to share their location info selectively
  - Users’ decisions depended on who was requesting the location info, why the requester wanted it, and what level of detail would be most useful
  - Study participants were typically willing to disclose either the most useful detail or nothing about their location
- Privacy control becomes a critical issue in the development of location-aware communications
  - Users want to stay in control of their location information – the challenge is to enable them to do this effectively
  - Privacy management has to help users to disclose location in order to facilitate interpersonal interactions – without raising any fears of being monitored

Source: Intel Research – Consolvo et al.
http://guir.berkeley.edu/pubs/chi2005/p486-consolvo.pdf

Privacy Preferences: More Studies

- People’s willingness to share information seems to depend primarily on who they are sharing it with
  - The same privacy preferences are more likely to be applied to the same inquirer in different situations than to different inquirers in the same situation – this could help to reduce the underlying complexities and simplify the UI
- Clustering might help to specify and refine over time what users wish to share with whom in what situation
  - Information items AND people’s views of others they wish to share certain types of information with tend to cluster into a manageable set of categories

Sources: UC Berkeley and U of Michigan/Microsoft Research
http://guir.berkeley.edu/pubs/chi2003/lederer-chi03.pdf
http://research.microsoft.com/~horvitz/privacy_CHI2005.pdf

Presence and Privacy: Illustrative Example

- Combining address book info with inferences – based on user’s location, calendar and “context aware” privacy policies – could allow for some see before you communicate and be seen enhancements
- Although such presence-aware privacy controls might help users to decide if, when and how others can see their location and/or communicate, user interface complexity becomes a problem…

[Figure labels: “Your friends are there”, “You are here”. Source: “Friend Tracker”]

Privacy Management: Design Pitfalls

- Obscuring potential or actual information flow
  - Users should understand the extent of a system’s potential for disclosure – e.g., privacy implication of Low vs. High settings? – AND
  - what information is actually being disclosed to whom – e.g., browser cookies?
- Emphasizing configuration over action
  - Designs should not require excessive configuration to manage privacy!
- Lacking coarse-grained control
  - Designs should not forgo a top-level mechanism for halting/resuming disclosure – e.g., simple mechanism for excluding the current purchase from a shopping profile
- Inhibiting existing practice
  - Designs should not inhibit users from transferring established social practice to emerging technologies – e.g., support for a social nuance: there could be value in keeping the caller ignorant of the reason for not answering the phone

Source: UCB – Scott Lederer et al.
http://www.cs.cmu.edu/~jasonh/publications/puc2004-five-pitfalls.pdf

thanks!