Approximate Information Flows: Socially-based Modeling of Privacy in Ubiquitous Computing

Approximate Information Flows: Socially-based Modeling of Privacy in Ubiquitous Computing. Xiaodong Jiang, Jason I. Hong, James A. Landay. Group for User Interface Research, University of California, Berkeley


Transcript of Approximate Information Flows: Socially-based Modeling of Privacy in Ubiquitous Computing

Page 1: Approximate Information Flows: Socially-based Modeling of Privacy in Ubiquitous Computing

Approximate Information Flows: Socially-based Modeling of Privacy in Ubiquitous Computing

Xiaodong Jiang
Jason I. Hong
James A. Landay

Group for User Interface Research
University of California, Berkeley

Page 2:

Oct 01 2002 2

Designing for Privacy in Ubicomp

• What design goals?
• How to implement?
• Related work
  – Fair Information Practices, Westin, Langheinrich
  – Transparent Society, David Brin
  – Design Framework for Ubicomp, Bellotti and Sellen
• This work
  – How privacy is affected by more pragmatic forces
    • Market, Social, Legal, Technical (Lessig)
  – Principle of Minimum Asymmetry
  – Approximate Information Flows (AIF) as a way of tying together asymmetry, privacy, and ubicomp systems

Page 3:

Information Asymmetry

• Situations in which some actors hold private information relevant to everyone

• Akerlof (Nobel Prize 2001)
• Ex. Used cars and "Malfunctioning of Markets"

Page 4:

Asymmetry in Ubicomp

[Figure: Alice (Data Owner) → Map Service (Data Collector) → Loc-based Advertiser (Data User), with money ($, $$) changing hands along the chain]

Large potential for asymmetries in information and power

Page 5:

Forces on Privacy

[Figure: Privacy at the center, surrounded by four forces: Social, Market, Legal, Technology (Lessig, "Architecture of Privacy")]

• Practical privacy shaped by four forces
• Asymmetry impedes Market, Social, and Legal
• How to build Technology to enable other forces?

Page 6:

Operationalizing Privacy

[Figure: a stack, bottom to top, of Technology, Information Asymmetry, Market / Social / Legal, Privacy, and Values (Ex. FIP, Transparency)]

Approximate Information Flows: Describe and prescribe different levels of information asymmetry in ubicomp systems

Page 7:

Principle of Minimum Asymmetry

Minimize asymmetry of information between data owners and data collectors and data users, by:
• Minimizing quality & quantity of info going out
• Maximizing quality & quantity of info going back in

[Figure: flows between Owners and Collectors / Users: "Out" from owners to collectors and users, "In" back to owners]

Page 8:

Minimizing Asymmetry in Ubicomp

[Figure: the Alice (Data Owner) → Map Service (Data Collector) → Loc-based Advertiser (Data User) chain from page 4 (with $, $$), annotated with asymmetry-reducing measures at each hop]

• Reduce accuracy
• Anonymize

• Ask for consent
• Notify
• Log

• Aggregate
• Reduce accuracy

Page 9:

Implications for Ubicomp

• Makes it easier to apply other forces
  – Market, ex. making informed decisions about personal data transactions
  – Social, ex. logging and notification to inform people about violations of social norms
  – Legal, ex. logs that serve as evidence for legal recourse
• Minimum asymmetry is a relative notion
  – Depends on the task, domain, and values

Page 10:

Applying Minimum Asymmetry

• What are useful abstractions for thinking about and supporting minimum asymmetry?

• Approximate Information Flows
  – Where does the data live?
  – When does data flow to others?
  – What can people do to protect data?

Page 11:

Where Does the Data Live?

• Information Spaces, tied to boundaries
• Privacy-sensitive data representation
  – Persistence, how long does data live?
  – Confidence, sensor property
    • Ex. 95% vs 25%
  – Accuracy, usage property
    • Ex. "Sweden" vs "Göteberg" vs "Draken Cinema"
• Basic privacy-sensitive operations
  – Read / Write
  – Promote / Demote: persistence, confidence, accuracy
  – Aggregate: composition, fusion (inference)
  – Permissions and Logging associated with all operations

Page 12:

Example Usage of InfoSpaces

[Figure: three InfoSpaces (Alice's InfoSpace, Map Service InfoSpace, Loc-based Advertiser InfoSpace) with a Log, and the two tagged records shown below]

Owner="Alice", Loc="Draken Cinema", Confidence="85%", TTL="forever"

Owner="xyzzy", Loc="Göteberg", Confidence="80%", TTL="1 week", Notify="[email protected]", Perm="map service"

Page 13:

When Does Data Flow to Others?

• Data Lifecycle
• Collection
  – The point when data is gathered
  – Ex. When Alice gets her location data (GPS)
• Access
  – The point when data is initially used
  – Ex. Map Service uses Alice's location data
• Second use
  – Use and sharing of data after initial access
  – Ex. Location-based advertiser asks Map Service for location of Alice

Page 14:

What Can People Do to Protect Data?

• Themes for Minimizing Asymmetry
• Prevent privacy violations from occurring
  – Ex. Anonymize Alice's data
  – Minimizing flow out
• Avoid potential privacy risks
  – Ex. Alice asks others if Map Service is reputable
  – Minimizing flow out & maximizing flow in
• Detect privacy violations if there are any
  – Ex. A third party audits what Map Service is doing
  – Maximizing flow in
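As an added example, not from the slides or the GUIR project: a small Python model of the InfoSpace representation, operations, lifecycle and themes from pages 11 to 14. It walks the page 12 records through the data lifecycle: Alice's record is collected, demoted (pseudonym, coarser location, lower confidence, one-week TTL, reader permission) as it flows to the Map Service, and a second-use read by the advertiser is refused and logged so it can be detected. All class and function names, the notify address, and the reading of the two page 12 records as Alice's own copy and the shared copy are my assumptions.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Accuracy ladder from page 11, coarsest first (ordering constructed for this example).
ACCURACY = ["Sweden", "Göteberg", "Draken Cinema"]

@dataclass(frozen=True)
class Record:
    owner: str
    loc: str
    confidence: int               # percent; a sensor property
    ttl: str                      # persistence, e.g. "forever" or "1 week"
    notify: Optional[str] = None  # who to tell when the record is used
    perm: Optional[str] = None    # the one principal allowed to read it

class InfoSpace:
    """A privacy zone holding tagged records; every operation is logged."""
    def __init__(self, name: str) -> None:
        self.name, self.records, self.log = name, [], []  # log entries: (actor, op, detail)
    def write(self, actor: str, rec: Record) -> None:
        self.records.append(rec)
        self.log.append((actor, "write", rec.loc))
    def read(self, actor: str) -> List[Record]:
        # Permission check at access and second use; a refused read is still logged (detection).
        allowed = [r for r in self.records if r.perm is None or r.perm == actor]
        self.log.append((actor, "read", "ok" if allowed else "denied"))
        return allowed

def demote(rec: Record, pseudonym: str, levels: int, conf_drop: int, ttl: str, perm: str, notify: Optional[str]) -> Record:
    """Minimize the flow out: pseudonym, coarser location, lower confidence, shorter TTL, reader permission."""
    idx = max(0, ACCURACY.index(rec.loc) - levels)
    return replace(rec, owner=pseudonym, loc=ACCURACY[idx], confidence=rec.confidence - conf_drop,
                   ttl=ttl, perm=perm, notify=notify)

def flow(src: InfoSpace, dst: InfoSpace, rec: Record) -> None:
    """Transfer a record between InfoSpaces, logged on both sides (maximize the flow back in)."""
    src.log.append((dst.name, "flow_out", rec.loc))
    dst.write(src.name, rec)

def run_example() -> Tuple[InfoSpace, InfoSpace, List[Record], List[Record]]:
    alice, map_svc = InfoSpace("Alice"), InfoSpace("Map Service")
    raw = Record("Alice", "Draken Cinema", 85, "forever")
    alice.write("gps", raw)                                       # collection
    shared = demote(raw, "xyzzy", 1, 5, "1 week", "map service",
                    "alice@example.invalid")                      # placeholder address
    flow(alice, map_svc, shared)                                  # access by Map Service
    served = map_svc.read("map service")                          # permitted use
    denied = map_svc.read("Loc-based Advertiser")                 # second use, not permitted
    return alice, map_svc, served, denied
```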

Page 15:

Approximate Information Flows: Putting it all together

• Information spaces define "privacy zones"
• Incoming & outgoing flows for an InfoSpace determine its degree of asymmetry
• (Prevention, avoidance, detection) used to alter asymmetry for that InfoSpace
• Apply at (collection, access, second use)

Page 16:

Minimizing Asymmetry at Different Times

[Figure: grid of the Themes for Minimizing Asymmetry (Prevent, Avoid, Detect) against the Data Lifecycle (Collection, Access, Second Use) for Alice's InfoSpace, with example techniques placed in the cells: Anonymization, Pseudonymization, P3P, RBAC, Location Support, Privacy Mirrors, Wearables, User Interfaces for Feedback, Notification, and Consent, Logging]

Page 17:

Current & Future Work

• Model for privacy control: decentralized info space with unified privacy tagging
  – IEEE Pervasive Computing, July/Sept, 2002
• Integration into a context infrastructure
• Ways to translate end-user privacy prefs to system-level asymmetry-based policies

Page 18:

Conclusions

• Asymmetry as a way of tying together Market, Legal, Social, and Technical forces

• Principle of Minimum Asymmetry
• Approximate Information Flows as a model for implementing minimum asymmetry
  – Information Spaces
  – Data Lifecycle
  – Themes for minimizing asymmetry

• Approximate Information Flows for analyzing and minimizing asymmetry in ubicomp systems

Page 19:

Xiaodong Jiang
Jason I. Hong
James A. Landay
http://guir.berkeley.edu/groups/privacy

Group for User Interface Research
University of California, Berkeley

Thanks to: John Canny, Anind Dey, Scott Lederer, National Science Foundation ITR