Privacy-enhanced Web Personalisation

R. Falconer, B. Hallett, A. Hazelden, V. Miloshevski
Group CS4114026, equal contributions

Posted 22-Dec-2015

Contents

• Introduction
  o Overview of the material
• Individuals' Privacy Concerns
• Factors Fostering Personal Information Disclosure
• Privacy laws, industry and company regulations, & principles of fair information practices
• Privacy Enhancing Technology for personalised systems

Introduction

• Privacy is a topical and an interesting (usually...) subject, with many wildly differing views, from country to country and culture to culture
• Personalisation vs. Privacy:
  o personalised systems move to the web
  o more sources of user data available
  o more powerful analyses of user data available
  o restrictions imposed by privacy legislation
• There exists no magic bullet for making personalised systems privacy enhanced
• Numerous small enhancements need to be introduced

1. Individuals' Privacy Concerns

Vanya Miloshevski

Methodological preliminaries

Major principal types of empirical methods:
• Inquiry-based methods
• Observation-based methods

Potential effects of privacy concerns on personalised systems

• users reluctant to provide personal data
• users supplying false or fictitious information
• concerns about websites sharing information
• deleting cookies
• maintaining multiple identities/accounts

Effects on information type

• Own preferences vs. credit card or social security number
• Demographic or lifestyle vs. financial, purchase-related and personal identifier information
• Demographic vs. on-line behaviour

Interpersonal differences in privacy attitudes

Three clusters of users as categorised by Harris Interactive and Alan Westin:
• privacy fundamentalists (extremely concerned)
• privacy unconcerned (mildly concerned)
• privacy pragmatists (generally concerned)

2. Factors Fostering Personal Information Disclosure

Richard Falconer

Factors fostering the disclosure of personal information

Factors that affect people's information disclosure:
• Value of personalisation
• Knowledge of and control over use
• Trust in a website
• Benefits other than personalisation
• Cost-benefit analysis

Factors fostering the disclosure of personal information

• Value of personalisation
  o Twice as influential as the consumers' concern for privacy
  o Clear personalisation benefits
• Knowledge of and control over the use of personal information
  o People more likely to disclose information if they can see they will be able to edit it later

Factors fostering the disclosure of personal information

• Trust in a website
  o 63% of people who declined to provide information to websites listed mistrust as their reason for doing so.
  o Trust was also found to positively affect the intended use of an e-commerce website
  o ...unsurprisingly

We will discuss the following things which contribute to trust:
  o positive past experiences
  o website design
  o website operator's reputation
  o privacy seals
  o privacy statements

Factors fostering the disclosure of personal information

• Trust in a website
  o positive experiences in the past: users are more forthcoming with personal details over time, given previous positive experience of a given site.
  o design and operation of a website: absence of errors, professional feel, usability, contact information, links from trusted websites, email confirmation ...and a photo of a "customer care person"

Factors fostering the disclosure of personal information

• Trust in a website
  o reputation of the website operator: "Schoenbachler and Gordon found a positive relationship between the perceived reputation of a company and stated trust in the company"

Ground breaking stuff. Interestingly, in a study by Earp and Baumer, subjects were less willing to provide personally identifiable information to lower traffic sites. Designers of lower traffic sites should be especially sure to only request personal information if it's going to be useful.

Factors fostering the disclosure of personal information

• Trust in a website
  o presence of a privacy statement: the mere presence was found to increase trust. "Comprehensibility of privacy statements for normal internet users is fairly low"

In fact, 57% of US adults believe: "if a website has a privacy policy it will not share my information with other websites or companies"!

Factors fostering the disclosure of personal information

• Trust in a website
  o presence of a privacy statement (continued): should help build trust, but due to lack of understanding...

In a study by Metzger, 43.7% of people withheld information when a privacy statement was present, compared to 15% when no privacy statement was present.

Factors fostering the disclosure of personal information

• Trust in a website
  o presence of a privacy seal: logos of certification agencies
    Prone to abuse: certification did not guarantee trustworthiness; 3.5% (January 2006)
    Misunderstood by most users

Factors fostering the disclosure of personal information

• Benefits other than personalisation

Financial rewards
  o "...16% of respondents agreed they would give out personal information to a website if they were compensated in some way"

Social adjustment benefits
  o Pseudonymity instead of anonymity
  o Allow the user to integrate into social groups with which they may have a common interest: face to face, chat rooms

Both ideas only really relevant in specific scenarios

Factors fostering the disclosure of personal information

• Disclosure behaviour resulting from cost-benefit analysis

People are less willing to disclose personally-identifiable information (address and telephone number) when buying Playboy magazines and condoms.

"Evidence of hyperbolic temporal discounting"
  o users overvalue small immediate benefits, and undervalue future negative privacy impacts.

Developers should:
  o ensure users value the personalisation
  o allow the user to control how personal information is used
  o provide benefits other than personalisation as extra incentive

3. Privacy laws, industry and company regulations & principles of fair information practices

Ben Hallett

Privacy Laws &c.

• Personalised systems collect personal data
• Personal data is subject to privacy laws
• Many (probably most) countries have some sort of legislation on private data

Therefore, designers of personalised systems must pay attention to these laws...

Privacy Laws &c.

These laws govern:
• Acquisition
  o Opt-in, opt-out
• Storage
  o Security
• Transfer
  o Access rights
• Processing
• Users' rights to be informed about the above

Privacy Laws &c.

In the EU, for instance:
• The user's consent must be obtained.
  o Alternatively, the data may be anonymous.
• That consent must be withdrawable.
  o Can be easy or difficult,
  o Finely-controllable or all-or-nothing.
• The user must be informed about how their data will be treated.
  o Can be difficult for personalised systems in which this is not necessarily known.
• No important decisions may be automated on those data.
  o No online exams for you!

Privacy Laws &c.

Even more stringent requirements:

Czech Republic:
• Personal data obtained for different purposes may not be grouped.

Germany:
• Usage data must be erased immediately after each session.
  o Kobsa: "This ... could affect the use of machine learning methods that derive additional assumptions about users."

Privacy Laws &c. How to comply and still personalise?

The ACM produced a comprehensive list of recommendations for businesses:

Minimisation
• Gather only what is "strictly required".

Consent
• Require consent to collect or share data, allow users to withdraw consent.

Openness
• Tell users what the data will be used for.

Access
• Let users see what you're storing about them.

Accuracy
• Let users alter their data so that it is accurate.

Security
• Protect the data technically (encrypt it) and physically (lock the doors) in storage and transit.

4. Privacy Enhancing Technology for personalised systems

Alan Hazelden

Pseudonymous Users and User Models

A truly pseudonymous system would be:
• Unidentifiable
  o Neither the personalised system nor third parties should be able to determine the identity of pseudonymous users
• Linkable for the personalised system
  o The personalised system can link every interaction with a specific user, even across sessions (users maintain a persistent identity)
• Unlinkable for third parties
  o Third parties cannot link two interaction steps of the same user
• Unobservable for third parties
  o Third parties cannot recognise that a personalised system is being used by a given user
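One way to obtain "linkable for the personalised system, unlinkable for third parties" in practice, as an added example that is not from the slides or from any system they cite: the user's client keeps a random master secret and derives a separate pseudonym for each personalised system with an HMAC. The system sees the same identifier in every session; two systems, or a third party comparing their logs, see unrelated identifiers and cannot recover the secret from them. The `system_id` strings and the idea of keeping the secret on the device are assumptions. Note the limits: the scheme says nothing about the "unobservable" property (a network observer still sees the client talking to the system), and "unidentifiable" only holds as long as the client never sends identifying data alongside the pseudonym.

```python
import hashlib
import hmac
import secrets

# Added example (not from the slides): client-side, per-system pseudonyms.
# The client holds a random master secret; each personalised system is
# handed HMAC-SHA256(master_secret, system_id) as the user's pseudonym.


def make_master_secret() -> bytes:
    """Random 256-bit secret, generated once and kept on the user's device."""
    return secrets.token_bytes(32)


def pseudonym_for(master_secret: bytes, system_id: str) -> str:
    """Stable pseudonym for one personalised system (system_id is a hypothetical name)."""
    return hmac.new(master_secret, system_id.encode("utf-8"), hashlib.sha256).hexdigest()


def linkable_for_system(master_secret: bytes, system_id: str) -> bool:
    """Same user, same system, two sessions -> identical pseudonym."""
    session_1 = pseudonym_for(master_secret, system_id)
    session_2 = pseudonym_for(master_secret, system_id)
    return session_1 == session_2


def unlinkable_across_systems(master_secret: bytes, system_a: str, system_b: str) -> bool:
    """Same user at two systems -> pseudonyms that cannot be matched by comparison."""
    return pseudonym_for(master_secret, system_a) != pseudonym_for(master_secret, system_b)


def distinct_users(secret_a: bytes, secret_b: bytes, system_id: str) -> bool:
    """Two users with different secrets -> different pseudonyms at the same system."""
    return pseudonym_for(secret_a, system_id) != pseudonym_for(secret_b, system_id)


if __name__ == "__main__":
    s = make_master_secret()
    print("shop pseudonym:", pseudonym_for(s, "shop.example"))
    print("linkable for the shop:", linkable_for_system(s, "shop.example"))
    print("unlinkable between shop and news:",
          unlinkable_across_systems(s, "shop.example", "news.example"))
```

Because the pseudonym is derived from the secret rather than chosen by the user, it carries no hint of a real name or of the user's other pseudonyms, which is what a user-picked pseudonym tends to leak.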

Pseudonymous Users and User Models

Do we actually want a truly pseudonymous system? The system may require the ability to identify the user:
• Misuse
• Non-payment
• Delivery of goods

What isn't good enough:
• User-picked pseudonyms
• Releasing "anonymised" data
  o AOL search logs - anonymised but ridiculously privacy violating

Client-Side Personalisation

Privacy problem reduced
• No data stored on server
• Users more likely to disclose information?

Problems
• How to analyse data?
• How to secure proprietary algorithms?

The dangers of centralised databases

Traditional collaborative filtering systems collect large amounts of information
• To find patterns to make future recommendations
• In a central repository

Can we trust these central repositories? Can we trust the security measures they have in place?
• They are likely to be an attractive target

The dangers of centralised databases

Even if we think they are secure, can we extract individual user data anyway?
• Correlations between an item and others will disclose much information about the choices of its raters if this item has been rated by a small number of individuals.

Even better: use cleverly constructed profiles
• For instance, personal websites tend to be visited by their owners more frequently than by anyone else.
• In a recommender system that tracks users' website visits, websites that are highly correlated with personal websites are hence likely to have been visited by those owners as well.
• Requesting a recommendation for pages to visit using a profile that contains this home page only may therefore reveal frequently visited web pages of its owner.
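The correlation leak described on this slide, worked through on constructed data together with the guard a recommender would add; this is an added example, not code from the slides or from any recommender they mention. The visit table, the page names and the `MIN_RATERS` threshold are invented. `co_visited` is what an unguarded item-to-item query returns: for a personal page with a single visitor it is simply that person's browsing list. `safe_related_items` applies a minimum-rater threshold both to the queried page and to every page it reports, so a pair shared by only one person is never exposed.

```python
from collections import defaultdict

# Constructed sample (not real data): which pages each user visited.
# "alice.example/home" is Alice's personal site, visited only by her.
VISITS = {
    "alice": {"alice.example/home", "news.example", "recipes.example"},
    "bob":   {"news.example", "sports.example"},
    "carol": {"news.example", "recipes.example"},
    "dave":  {"sports.example", "recipes.example"},
}

MIN_RATERS = 2  # hypothetical policy value: never report on fewer than 2 people


def item_raters(visits):
    """Invert the user -> items map into item -> set of users."""
    raters = defaultdict(set)
    for user, items in visits.items():
        for item in items:
            raters[item].add(user)
    return raters


def co_visited(visits, item):
    """Unguarded item-to-item query: every other page visited by this page's
    visitors, with the number of shared visitors. With one visitor, the
    result is that visitor's whole browsing list."""
    raters = item_raters(visits)
    counts = defaultdict(int)
    for user in raters.get(item, ()):
        for other in visits[user]:
            if other != item:
                counts[other] += 1
    return dict(counts)


def safe_related_items(visits, item, min_raters=MIN_RATERS):
    """Guarded query: refuse (None) when the queried page has too few
    visitors, and drop any related page shared by too few of them."""
    raters = item_raters(visits)
    if len(raters.get(item, ())) < min_raters:
        return None
    return {other: n for other, n in co_visited(visits, item).items()
            if n >= min_raters}


if __name__ == "__main__":
    print("unguarded, personal page:", co_visited(VISITS, "alice.example/home"))
    print("guarded, personal page:  ", safe_related_items(VISITS, "alice.example/home"))
    print("guarded, popular page:   ", safe_related_items(VISITS, "news.example"))
```

The threshold has to be applied to the reported pairs as well as to the queried item: "news.example" has three visitors, but an unguarded query on it still lists Alice's home page with a shared count of one, which is enough to tie her home page to her news reading.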

Distribution

One possible strategy to better safeguard individuals' data:
• abandon central repositories that contain the data of all users
• use distributed clusters that contain information about some users only.

Distribution may also improve performance and availability of the recommender system.

PocketLens
• Share data only with neighbours in P2P system
• Over time, reach global agreement?

Perturbation/Obfuscation

Change user's values so that the global average remains untouched

Perturbation:
• Adjust values by some random amount

Obfuscation:
• Replace values with something else (e.g. current average)
• Allow user to select values to be obfuscated
  o Allows plausible deniability
  o Are some fields more likely to be chosen?
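The two techniques on this slide on a constructed rating table, as an added example that is not from the slides or from any system they cite. Perturbation adds uniform noise to every user's value for an item and then shifts the noise so it sums to zero, which keeps the item's global average exactly unchanged; obfuscation replaces the fields a user selects with that item's current average. The rating values, item names, noise scale and random seed are all assumptions.

```python
import random
from statistics import mean

# Constructed sample (not real data): item -> {user: rating}.
RATINGS = {
    "film_a": {"u1": 5, "u2": 1, "u3": 3, "u4": 3},
    "film_b": {"u1": 2, "u2": 4, "u3": 4, "u4": 2},
}


def perturb_item(ratings, scale, rng):
    """Add noise in [-scale, scale] to each user's rating, then subtract the
    noise's mean so the noise sums to zero: the item average is preserved
    exactly, while every individual value has changed."""
    users = list(ratings)
    noise = [rng.uniform(-scale, scale) for _ in users]
    shift = sum(noise) / len(noise)
    return {u: ratings[u] + n - shift for u, n in zip(users, noise)}


def perturb_all(data, scale, seed=0):
    """Perturb every item; the seed only makes the example reproducible."""
    rng = random.Random(seed)
    return {item: perturb_item(r, scale, rng) for item, r in data.items()}


def obfuscate_user(data, user, items):
    """Replace `user`'s rating for each chosen item by that item's current
    average (assumed value for "something else"). The input is not modified."""
    out = {item: dict(r) for item, r in data.items()}
    for item in items:
        out[item][user] = mean(data[item].values())
    return out


def item_average(data, item):
    return mean(data[item].values())


if __name__ == "__main__":
    pert = perturb_all(RATINGS, scale=1.0)
    print("film_a perturbed:", pert["film_a"])
    print("film_a average before/after:", item_average(RATINGS, "film_a"),
          item_average(pert, "film_a"))
    obf = obfuscate_user(RATINGS, "u1", ["film_a"])
    print("u1 after obfuscating film_a:", obf["film_a"]["u1"], obf["film_b"]["u1"])
```

Two points worth noticing when running it. Zero-sum perturbation preserves the average exactly, but average-replacement obfuscation moves it by (average - old value) / n, so for a small user base the "global average remains untouched" property only holds approximately. And since the replacement value is the average, a rating that equals the average could be genuine or obfuscated, which is the plausible-deniability point on the slide.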

Personalising Privacy

Individual privacy preferences may differ between users, and applicable privacy laws may also be different for users from different states and countries. Different privacy preferences and laws impose different requirements on admissible personalisation methods for each user. Kobsa suggests that personalised systems should therefore cater to the different privacy needs of individual users, i.e. they should "personalize privacy".

Two approaches:
• Largest permissible common subset approach
• Different country/region versions

Neither scales well, and neither takes users' individual privacy preferences into account.


Conclusion

• Web content creators should not be discouraged from personalising their web sites if there are sufficient factors to alleviate user privacy concerns.
• They should however be careful to only use personalisation where there's an obvious benefit to the user, and ensure they follow all relevant privacy laws.
• Different types of websites (their purpose, what they're selling, their traffic volume, etc.) should offer personalisation in different ways.
• Pseudonymous systems, user modelling, and personalisation systems should all be considered.

Thanks for listening!

Any questions?