
Participatory Privacy in Urban Sensing Katie Shilton, Jeff Burke, Deborah Estrin, Mark Hansen, Mani B. Srivastava MODUS 2008: April 21, 2008


Page 1

Participatory Privacy in Urban Sensing

Katie Shilton, Jeff Burke, Deborah Estrin, Mark Hansen, Mani B. Srivastava

MODUS 2008: April 21, 2008

Page 2

Talked to your IRB today?

• Respect

• Beneficence

• Justice


Broad principles balance risk & discovery for many kinds of investigations.

Are there principles like this for urban sensing?

• Confidentiality

• Informed consent

• Statement of risks

Page 3

Investigations by the public

Close to individuals & intermixed in daily life.

Wide-spread ability to collect & share data.

Pilots:

• PEIR

• CBE


Participatory sensing: campaigns that help people gather data and make a case

Page 4

Influences

Participatory sensing

• Community-based participatory research (CBPR)

• Participatory action research (PAR) [1, 2]

• Participatory design (PD) [3]


Privacy

• Contextual privacy [4]

• Information ethics [5-7]

Page 5

Participatory Privacy Regulation

[Diagram: System Designers, Campaign Groups and Participants, linked by the decision about boundaries, trust & commitment, and the process of system design and use]

Page 6

Where privacy regulation fits

[Diagram: the decision about boundaries runs across the campaign stages (participation, campaign goals, instrument design, data collection, data analysis); controls over capture, resolution, sharing and retention]

Page 7

Technical approaches to privacy

Existing toolbox includes:

• Privacy warning, notification, or feedback systems [8-10];

• User control over data sharing [11];

• Identity management systems [12];

• Selective retention systems [8];

• Encryption, privacy-enhancing technologies [13];

• Statistical anonymization of data [4];

• Data retention or its opposite, ‘forgetting’ [14, 15].


Page 8

Participatory privacy regulation design guidelines

1. Participant primacy

2. Participatory design

3. Participant autonomy

4. Minimal, auditable information

5. Synergy between policy & technology


Page 9

Design guideline 1: participant primacy

Feature examples:

• Data visualization, interfaces (where did I go today?)

• Alerts and reminders (it’s 9 pm: turn sensing off!)


Challenges:

• Legible interfaces

• Developing effective alert mechanisms that do not disrupt data collection or annoy participants

Help users take on the role and responsibilities of investigators

Page 10

Design guideline 2: participatory design

Customizable features:

• Data representation (can you see our houses?)

• Selective sharing (share only with campaign leaders)

• Retention, reuse (we don’t need data after Jan 1, 2009)


Challenges:

• Flexible systems to adjust capture, storage, representation of data.

• Flexibility achieved early in the design process.

Customize systems to campaign needs

Page 11

Design guideline 3: participant autonomy

Feature examples:

• Discretion tools (replace this trip with ‘average’ trip)

• Selective retention (delete from 9 to 10 am)


Challenges:

• Building discretion tools

• Analyzing incomplete and/or falsified data

• Logging use of discretion tools

Enabling participants to negotiate privacy context

Page 12

Design guideline 4: minimal, auditable information

Feature examples:

• Parsimonious sensors (collect location using only cell tower triangulation)

• Processing close to source

• Audit mechanisms (log who accesses data)


Challenges:

• Designing systems that support and benefit from minimal data collection.

• Building auditing mechanisms that are viewable, legible and usable by participants.

Parsimonious capture, watchdogs
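Guidelines 3 and 4 above, as an added Python example that is not part of the slides or of the PEIR/CBE pilots: a location trace with a selective-retention window, a resolution control, and a participant-viewable audit log that records both discretion-tool use and every data access. The sample coordinates and the two-decimal "tower-level" resolution are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Sample:
    when: datetime
    lat: float
    lon: float

@dataclass
class Trace:
    samples: list
    audit: list = field(default_factory=list)  # participant-viewable log

    def _log(self, actor, action, detail):
        self.audit.append({"actor": actor, "action": action, "detail": detail})

    def delete_window(self, participant, start_hour, end_hour):
        """Selective retention: drop samples in a daily window (e.g. 9 to 10 am)."""
        kept = [s for s in self.samples if not start_hour <= s.when.hour < end_hour]
        removed = len(self.samples) - len(kept)
        self.samples = kept
        self._log(participant, "delete_window", f"{start_hour}-{end_hour}h, removed {removed}")
        return removed

    def coarsen(self, participant, decimals):
        """Resolution control: round coordinates before the data leaves the device."""
        self.samples = [Sample(s.when, round(s.lat, decimals), round(s.lon, decimals))
                        for s in self.samples]
        self._log(participant, "coarsen", f"{decimals} decimal places")

    def access(self, who, purpose):
        """Audit mechanism: every read is logged so participants can see who accessed data."""
        self._log(who, "access", purpose)
        return list(self.samples)

def build_trace():
    # Constructed sample trace (not real pilot data): three fixes on one morning.
    return Trace([
        Sample(datetime(2008, 4, 21, 8, 45), 34.06912, -118.44513),
        Sample(datetime(2008, 4, 21, 9, 30), 34.07105, -118.44201),
        Sample(datetime(2008, 4, 21, 10, 15), 34.07388, -118.43977),
    ])

def demo():
    trace = build_trace()
    trace.delete_window("participant", 9, 10)  # "delete from 9 to 10 am"
    trace.coarsen("participant", 2)  # ~1 km cells, assumed to stand in for tower-level resolution
    shared = trace.access("campaign_leader", "exposure analysis")
    return shared, trace.audit
```

The audit list is what a participant would review: it shows their own discretion actions next to each access by a campaign leader, which is the "watchdog" the slide calls for.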

Page 13

Design guideline 5: synergy between policy & technology

Achieved through:

• Sharing responsibility

• Discussing problems best addressed by policy vs. technology.


Challenges:

• Authoring policy to support technology

• Designing technology to support policy.

Software and hardware can’t do everything

Page 14

In the future: evaluation

How well do these principles – and resultant software – work?

Meet design challenges: negotiating policy, building discretion tools, audit mechanisms, etc.

Log data: measuring use of the privacy regulation features

Interviews: evaluating participant trust of systems

Participant observation: determining when and why participants feel boundary or identity sensitivities; evaluating whether systems adequately address these sensitivities

Participant critique: of design methods, software, and conclusions


Page 15

Conclusions

Participation over restriction

Balance between privacy and participation enables sensing systems to reach their research, empowerment, and documentary potential.


Participation in restriction

Enables participants to limit sensing according to their needs, values.

Page 16

Citations

[1] M. Cargo and S. L. Mercer, "The value and challenges of participatory research: strengthening its practice," Annual Review of Public Health, vol. 29, 2008.

[2] E. Byrne and P. M. Alexander, "Questions of ethics: Participatory information systems research in community settings," in SAICSIT, Cape Winelands, South Africa, 2006, pp. 117-126.

[3] S. Pilemalm and T. Timpka, "Third generation participatory design in health informatics - making user participation applicable to large-scale information system projects," Journal of Biomedical Informatics, 2007 (in press).

[4] H. Nissenbaum, "Privacy as contextual integrity," Washington Law Review, vol. 79, pp. 119–158, 2004.

[5] J. Waldo, H. S. Lin, and L. I. Millett, Engaging privacy and information technology in a digital age. Washington, D.C.: The National Academies Press, 2007.

[6] L. Palen and P. Dourish, "Unpacking "privacy" for a networked world," in CHI 2003. vol. 5 Ft. Lauderdale, FL: ACM, 2003, pp. 129-136.

[7] J. E. Cohen, "Privacy, Visibility, Transparency, and Exposure," University of Chicago Law Review, vol. 75, 2008.

[8] G. R. Hayes, E. S. Poole, G. Iachello, S. N. Patel, A. Grimes, G. D. Abowd, and K. N. Truong, "Physical, social and experiential knowledge in pervasive computing environments," Pervasive Computing, vol. 6, pp. 56-63, 2007.


Page 17

Citations cont.

[9] M. S. Ackerman and L. Cranor, "Privacy critics: UI components to safeguard users’ privacy," in Conference on Human Factors in Computing Systems CHI’99: ACM Publications, 1999, pp. 258-259.

[10] D. H. Nguyen and E. D. Mynatt, "Privacy mirrors: understanding and shaping socio-technical ubiquitous computing systems," Georgia Institute of Technology GIT-GVU-02-16, 2002.

[11] D. Anthony, D. Kotz, and T. Henderson, "Privacy in location-aware computing environments," Pervasive Computing, vol. 6, pp. 64-72, 2007.

[12] S. Patil and J. Lai, "Who gets to know what when: configuring privacy permissions in an awareness application," in SIGCHI Conf. Human Factors in Computing Systems (CHI 05) Portland, Oregon: ACM Press, 2005, pp. 101–110.

[13] H. Burkert, "Privacy-enhancing technologies: Typology, critique, vision," in Technology and privacy: The new landscape, P. E. Agre and M. Rotenberg, Eds. Cambridge, MA and London: The MIT Press, 1998, pp. 125-142.

[14] L. Bannon, "Forgetting as a feature, not a bug: the duality of memory and implications for ubiquitous computing," CoDesign, vol. 2, pp. 3-15, 2006.

[15] J.-F. Blanchette and D. G. Johnson, "Data retention and the panoptic society: the social benefits of forgetfulness," The Information Society, vol. 18, 2002.
