Privacy-enhanced Web Personalisation
R. Falconer, B. Hallett, A. Hazelden, V. Miloshevski
Group CS4114026, equal contributions
Contents
• Introduction
o Overview of the material
• Individuals' Privacy Concerns
• Factors Fostering Personal Information Disclosure
• Privacy laws, industry and company regulations, & principles of fair information practices
• Privacy Enhancing Technology for personalised systems
Introduction
• Privacy is a topical and interesting (usually...) subject, with many wildly differing views from country to country and culture to culture
• Personalisation vs. Privacy:
o personalised systems move to the web
o more sources of user data available
o more powerful analyses of user data available
o restrictions imposed by privacy legislation
• There exists no magic bullet for making personalised systems privacy-enhanced
• Numerous small enhancements need to be introduced
Methodological preliminaries
Principal types of empirical methods:
• Inquiry-based methods
• Observation-based methods
Potential effects of privacy concerns on personalised systems
• users reluctant to provide personal data
• users supplying false or fictitious information
• concerns about websites sharing information
• deleting cookies
• maintaining multiple identities/accounts
Effects on information type
• Own preferences vs. credit card or social security number
• Demographic or lifestyle vs. financial, purchase-related and personal identifier information
• Demographic vs. on-line behaviour
Interpersonal differences in privacy attitudes
Three clusters of users, as categorised by Harris Interactive and Alan Westin:
• privacy fundamentalists (extremely concerned)
• privacy unconcerned (mildly concerned)
• privacy pragmatists (generally concerned)
Factors fostering the disclosure of personal information
Factors that affect people's information disclosure:
• Value of personalisation
• Knowledge of and control over use
• Trust in a website
• Benefits other than personalisation
• Cost-benefit analysis
Factors fostering the disclosure of personal information
• Value of personalisation
o Twice as influential as the consumers' concern for privacy
o Clear personalisation benefits
• Knowledge of and control over the use of personal information
o People are more likely to disclose information if they can see they will be able to edit it later
Factors fostering the disclosure of personal information
• Trust in a website
o 63% of people who declined to provide information to websites listed mistrust as their reason for doing so.
o Trust was also found to positively affect the intended use of an e-commerce website
o ...unsurprisingly
We will discuss the following things which contribute to trust:
o positive past experiences
o website design
o website operator's reputation
o privacy seals
o privacy statements
Factors fostering the disclosure of personal information
• Trust in a website
o positive experiences in the past
 Users become more forthcoming with personal details over time, given previous positive experience of a given site.
o design and operation of a website
 absence of errors
 professional feel
 usability
 contact information
 links from trusted websites
 email confirmation
 ...and a photo of a "customer care person"
Factors fostering the disclosure of personal information
• Trust in a website
o reputation of the website operator
 "Schoenbachler and Gordon found a positive relationship between the perceived reputation of a company and stated trust in the company"
 Ground-breaking stuff.
 Interestingly, in a study by Earp and Baumer, subjects were less willing to provide personally identifiable information to lower-traffic sites
 Designers of lower-traffic sites should be especially sure to only request personal information if it's going to be useful
Factors fostering the disclosure of personal information
• Trust in a website
o presence of a privacy statement
 The mere presence was found to increase trust.
 "Comprehensibility of privacy statements for normal internet users is fairly low"
 In fact, 57% of US adults believe: "if a website has a privacy policy it will not share my information with other websites or companies"!
Factors fostering the disclosure of personal information
• Trust in a website
o presence of a privacy statement (continued)
 Should help build trust, but due to lack of understanding...
 In a study by Metzger, 43.7% of people withheld information when a privacy statement was present, compared to 15% when none was present.
Factors fostering the disclosure of personal information
• Trust in a website
o presence of a privacy seal
 Logos of certification agencies
 Prone to abuse
 Certification did not guarantee trustworthiness; 3.5% (January 2006)
 Misunderstood by most users
Factors fostering the disclosure of personal information
• Benefits other than personalisation
o Financial rewards
 "...16% of respondents agreed they would give out personal information to a website if they were compensated in some way"
o Social Adjustment Benefits
 Pseudonymity instead of Anonymity
 Allow the user to integrate into social groups with which they may have a common interest:
• Face to face
• Chat rooms
Both ideas are only really relevant in specific scenarios
Factors fostering the disclosure of personal information
• Disclosure behaviour resulting from cost-benefit analysis
o People are less willing to disclose personally identifiable information (address and telephone number) when buying Playboy magazines and condoms.
o "Evidence of hyperbolic temporal discounting": users overvalue small immediate benefits, and undervalue future negative privacy impacts.
Developers should:
o ensure users value the personalisation
o allow the user to control how personal information is used
o provide benefits other than personalisation as an extra incentive
Privacy laws, industry and company regulations
&principles of fair information
practices
Ben Hallett
Privacy Laws &c.
• Personalised systems collect personal data
• Personal data is subject to privacy laws
• Many (probably most) countries have some sort of legislation on private data
Therefore, designers of personalised systems must pay attention to these laws...
Privacy Laws &c.
These laws govern:
• Acquisition
o Opt-in, opt-out
• Storage
o Security
• Transfer
o Access rights
• Processing
• Users' rights to be informed about the above
Privacy Laws &c.
In the EU, for instance:
• The user's consent must be obtained.
o Alternatively, the data may be anonymous.
• That consent must be withdrawable.
o Can be easy or difficult,
o Finely-controllable or all-or-nothing.
• The user must be informed about how their data will be treated.
o Can be difficult for personalised systems in which this is not necessarily known.
• No important decisions may be automated on those data.
o No online exams for you!
Privacy Laws &c.
Even more stringent requirements:
Czech Republic:
• Personal data obtained for different purposes may not be grouped.
Germany:
• Usage data must be erased immediately after each session.
o Kobsa: "This ... could affect the use of machine learning methods that derive additional assumptions about users."
Privacy Laws &c.How to comply and still personalise?
The ACM produced a comprehensive list of recommendations for businesses:
Minimisation• Gather only what is "strictly required".
Consent• Require consent to collect or share data, allow users to withdraw consent.
Openness• Tell users what the data will be used for.
Access• Let users see what you're storing about them.
Accuracy• Let users alter their data so that it is accurate.
Security
• Protect the data technically (encrypt it) and physically (lock the doors), in storage and in transit.
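The recommendations above amount to a gate in front of every data write. A minimal Python sketch, assuming a hypothetical `UserRecord` class and field whitelist (these names are illustrative, not from the ACM list):

```python
# Hypothetical sketch: minimisation + withdrawable consent as a collection gate.

REQUIRED_FIELDS = {"email", "language"}  # minimisation: only what is strictly required


class UserRecord:
    def __init__(self):
        self.consented = False
        self.store = {}

    def give_consent(self):
        self.consented = True

    def withdraw_consent(self):
        # Consent must be withdrawable; here withdrawal also erases the data.
        self.consented = False
        self.store.clear()


def collect(user, field, value):
    """Refuse any write that lacks consent or falls outside the whitelist."""
    if not user.consented:
        raise PermissionError("user has not consented to data collection")
    if field not in REQUIRED_FIELDS:
        raise ValueError(f"field {field!r} is not strictly required")
    user.store[field] = value  # access/accuracy: user can read and edit this later
```

Openness, access and accuracy would then be served by exposing `user.store` to the user for inspection and editing.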
Pseudonymous Users and User Models
A truly pseudonymous system would be:
• Unidentifiable
o Neither the personalised system nor third parties should be able to determine the identity of pseudonymous users
• Linkable for the personalised system
o The personalised system can link every interaction with a specific user, even across sessions (users maintain a persistent identity)
• Unlinkable for third parties
o Third parties cannot link two interaction steps of the same user
• Unobservable for third parties
o Third parties cannot recognise that a personalised system is being used by a given user
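The "unidentifiable yet linkable for the system" pair can be sketched with a client-invented pseudonym plus a per-session proof. This is an illustrative assumption, not a protocol from the slides:

```python
import hashlib
import hmac
import secrets

# Hypothetical sketch: the client invents a random pseudonym and secret key
# once; returning sessions are authenticated with an HMAC over a fresh server
# nonce, so the system can link sessions to the same pseudonym without ever
# learning a real identity.

def register():
    """Client-side: create a persistent pseudonym and a shared secret."""
    pseudonym = secrets.token_hex(16)   # random, carries no personal information
    key = secrets.token_bytes(32)
    return pseudonym, key

def prove(pseudonym: str, key: bytes, nonce: str) -> str:
    """Client-side: per-session proof of pseudonym ownership."""
    return hmac.new(key, (pseudonym + nonce).encode(), hashlib.sha256).hexdigest()

def verify(pseudonym: str, key: bytes, nonce: str, proof: str) -> bool:
    """Server-side: link this session to the stored pseudonym record."""
    return hmac.compare_digest(prove(pseudonym, key, nonce), proof)
```

Note this only covers linkability for the system; unlinkability and unobservability for third parties would additionally require an anonymising channel (e.g. a mix network), which this sketch does not provide.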
Pseudonymous Users and User Models
Do we actually want a truly pseudonymous system? The system may require the ability to identify the user:
• Misuse
• Non-payment
• Delivery of goods
What isn't good enough:
• User-picked pseudonyms
• Releasing "anonymised" data
o AOL search logs - anonymised, but ridiculously privacy-violating
Client-Side Personalisation
Privacy problem reduced
• No data stored on the server
Users more likely to disclose information?
Problems
• How to analyse the data?
• How to secure proprietary algorithms?
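The idea can be sketched as local re-ranking: the server ships the same unranked item list to everyone, and the interest profile never leaves the client. A toy Python sketch (item and tag names are invented for illustration):

```python
# Hypothetical sketch of client-side personalisation: the interest profile
# lives only on the user's machine; ranking happens locally.

def rank_locally(items, profile):
    """Client-side: score each item by summing profile weights of its tags."""
    def score(item):
        return sum(profile.get(tag, 0.0) for tag in item["tags"])
    return sorted(items, key=score, reverse=True)

items = [  # what the profile-less server would send to every client
    {"title": "Tax guide",    "tags": ["finance"]},
    {"title": "Cycling news", "tags": ["sport", "cycling"]},
]
profile = {"cycling": 2.0, "sport": 1.0}  # never leaves the client
print([i["title"] for i in rank_locally(items, profile)])
# → ['Cycling news', 'Tax guide']
```

This also makes the listed problems concrete: because the server never sees `profile`, it cannot analyse user data centrally, and shipping the ranking logic to clients exposes it.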
The dangers of centralised databases
Traditional collaborative filtering systems collect large amounts of information
• To find patterns to make future recommendations
• In a central repository
Can we trust these central repositories? Can we trust the security measures they have in place?
• They are likely to be an attractive target
The dangers of centralised databases
Even if we think they are secure, can we extract individual user data anyway?• Correlations between an item and others will disclose much information about
the choices of its raters if this item has been rated by a small number of individuals.
Even better: use cleverly constructed profiles
• For instance, personal websites tend to be visited by their owners more frequently than by anyone else.
• In a recommender system that tracks users’ website visits, websites that are highly correlated with personal websites are hence likely to have been visited by those owners as well.
• Requesting a recommendation for pages to visit, using a profile that contains this home page only, may therefore reveal frequently visited web pages of its owner.
Distribution
One possible strategy to better safeguard individuals’ data:
• abandon central repositories that contain the data of all users
• use distributed clusters that contain information about some users only.
Distribution may also improve the performance and availability of the recommender system.
PocketLens
• Share data only with neighbours in a P2P system
• Over time, reach global agreement?
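A toy sketch of neighbour-only exchange (this is an illustration of the idea, not the actual PocketLens protocol, which exchanges model increments rather than raw ratings):

```python
# Toy sketch: each peer holds its own ratings plus running sums merged from
# neighbours, so no central repository ever stores everyone's data.

class Peer:
    def __init__(self, own_ratings):
        self.own = dict(own_ratings)   # this user's private ratings
        self.sums = {}                 # item -> (sum, count) learned from neighbours

    def merge_from(self, neighbour):
        # Real PocketLens shares model updates, not raw ratings; raw sharing
        # here is only to keep the sketch short.
        for item, rating in neighbour.own.items():
            s, n = self.sums.get(item, (0.0, 0))
            self.sums[item] = (s + rating, n + 1)

    def estimate(self, item):
        """Average rating seen so far for an item, or None if unseen."""
        s, n = self.sums.get(item, (0.0, 0))
        return s / n if n else None

a = Peer({"film1": 4.0})
b = Peer({"film1": 2.0, "film2": 5.0})
a.merge_from(b)
print(a.estimate("film1"), a.estimate("film2"))  # 2.0 5.0
```

Repeated pairwise merges are how the peers would, over time, approach the global agreement the slide asks about.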
Perturbation/Obfuscation
Change user's values so that the global average remains untouched
Perturbation:• Adjust values by some random amount
Obfuscation:
• Replace values with something else (e.g. the current average)
• Allow the user to select values to be obfuscated
o Allows plausible deniability
o Are some fields more likely to be chosen?
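One way to realise "change user's values so that the global average remains untouched" is zero-sum noise. A minimal sketch (the function name and noise scale are illustrative choices, not from the slides):

```python
import random

# Sketch of mean-preserving perturbation: add random noise that has been
# forced to sum to zero, so individual values are disguised while the
# average over the whole vector is unchanged.

def perturb(values, scale=1.0, rng=random):
    noise = [rng.gauss(0.0, scale) for _ in values]
    shift = sum(noise) / len(noise)
    noise = [x - shift for x in noise]          # force the noise to sum to zero
    return [v + x for v, x in zip(values, noise)]

ratings = [4.0, 2.0, 5.0, 3.0]
noisy = perturb(ratings)
print(sum(ratings) / 4, round(sum(noisy) / 4, 9))  # same average
```

Obfuscation would instead replace user-selected entries with, e.g., the current average, which likewise leaves the aggregate statistics intact.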
Personalising Privacy
Individual privacy preferences differ between users, and the applicable privacy laws may also differ for users from different states and countries. Different preferences and laws impose different requirements on the personalisation methods that are admissible for each user. Kobsa therefore suggests that personalised systems should cater to the different privacy needs of individual users, i.e. they should “personalize privacy".
Two approaches:
• Largest permissible common subset approach
• Different country/region versions
Neither scales well, and neither takes users’ individual privacy preferences into account.
Conclusion
• Web content creators should not be discouraged from personalising their web sites, since there are sufficient factors to alleviate user privacy concerns.
• They should however be careful to only use personalisation where there's an obvious benefit to the user, and ensure they follow all relevant privacy laws.
• Different types of websites (their purpose, what they're selling, their traffic volume, etc.) should offer personalisation in different ways.
• Pseudonymous systems, user modelling, and personalisation systems should all be considered.