Running Research as a Service: Implications for Privacy Policies and Ethics

Mateusz Mikusz, School of Computing and Communications, [email protected]

Upload: lancaster-university-library

Posted on 22-Jan-2018


TRANSCRIPT

Running Research as a Service: Implications for Privacy Policies and Ethics

Mateusz Mikusz

School of Computing and Communications

[email protected]

Pervasive Displays at Lancaster

• To date, over 60 public displays deployed across the university campus and Lancaster city centre.

• All displays accessible (software and hardware) for research purposes.

• Entire system (backend and player) developed in the context of multiple research projects.

Network of Public Displays

Understanding Display Personalisation

• Making the display more relevant to the viewer.

• Three main types:

  • Walk-by personalisation

  • Longitudinal personalisation

  • Active personalisation

• The risks:

  • Location tracking

  • Content disclosure

  • Profile building and tracking by the display infrastructure

Design Goals

• Support multiple usage models

• Support multiple presence technologies

• Viewer privacy

• Integrate with existing signage systems

Tacita System Architecture

[Architecture diagram. Components: Tacita App, Trusted Service Provider, Infrastructure Service Proxy, Map Provider and Displays. Annotations on the diagram: the Tacita App requests maps from the Map Provider and subscribes to map updates; the app is notified when it enters a trigger zone (depending on settings); the app sends a request to the Trusted Service Provider for showing the application; the Infrastructure Service Proxy sends schedule requests to individual display nodes; a request for the content descriptor set.]

Labelled interactions:

A: App requests maps.

B: Map specification.

C: Triggering a trigger zone.

D: Trusted Service Provider requests application.

E: Individual schedule request from Infrastructure Service Proxy to displays.

F: Content request status response.

G: Trigger event status response.

Deployment Insights

• Over 200 iBeacons for deployment at displays and key locations on campus, of which 50 are deployed.

• Beacons currently used as proximity sensors of users to displays

• iLancaster and Tacita: apps allow students and staff to subscribe to location-sensitive services:

  • anonymous location tracking for new analytical insights

  • using proximity information to automatically show personalised content and applications on displays

Tacita Mobile Client Application

Tacita Display Applications

Data Collection

• Design of Tacita: iBeacon visits are reported to the applications that the user has turned on; they are not required to be passed through to the infrastructure.

• Tacita generates a random unique identifier for each application the user configures.

• App configurations (e.g. weather forecast location) linked to this random unique identifier.

• When the user deletes the app, all identifiers are removed as well and cannot be retrieved.

• Location visits only linked to this random identifier and only stored within each application with which the user has a trust relationship.

Challenges

• We don’t yet know all the use cases for the data.

• Data that underpins research publications must be retained for a long time (depending on funding, …)

• Location data is very sensitive even if anonymised.

How we solved this

• Keeping data secure and confidential.

• Privacy policy linked from the App Store and from inside the app that clearly describes the purpose of the app and the use of data.

• Upon starting Tacita for the first time, users consent to the use of Background Location tracking (iOS feature).

• After one day of using Tacita, users are notified that Tacita is using their location in the background and are given an opportunity to turn off the location tracking feature.

Privacy Policy: “Research Use of Collected Data”

Tacita is part of research around pervasive displays and display personalisation conducted at Lancaster University.

Data that is collected in the context of this app is used to improve the system and for current and future research purposes.

The access and use of the data will be subject to ethical approval at Lancaster University.

Anonymised data may be included in a range of research outputs including but not limited to research publications, journal articles, data archives, presentations and may also be used for teaching purposes.

Data Retention Policy, Managing your Information, and Data Deletion

We will retain User Provided and Automatically Collected data for an unlimited period of time to facilitate research and system development.

[... secure data storage …]

We are not able to respond to requests for deletion of User Provided or Automatically Collected data due to the design of the application:

we do not link any of your location traces and data you have provided within an application with your name, email address or any unique device identifier.

Instead, we use (different) random identifiers for each personalised service within the Application.

Therefore, we are not able to identify datasets that may belong to you for deletion.

[… exception for E-Mail subscription …]
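The Data Collection slide and the Data Deletion passage above describe one design property: each personalised service receives its own random identifier, beacon visits are stored only under that identifier inside the service the user has enabled, and deleting the app discards the device-side identifier so nobody can later match stored rows to a person. The following Python model, added here as an illustration and not Tacita's own code, shows why that makes cross-service correlation and per-user deletion requests impossible by construction. The class names, the `secrets.token_hex(16)` identifier format and the beacon names are assumptions.

```python
"""Per-service random identifiers as a privacy design (added example, not Tacita code)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class ServiceStore:
    """Store held by one personalised service the user has enabled.

    Assumption: one independent store per application. It holds no name,
    e-mail address or device identifier, only rows keyed by a random id.
    """
    name: str
    configs: dict = field(default_factory=dict)  # random id -> app configuration
    visits: dict = field(default_factory=dict)   # random id -> list of beacon visits

    def register(self, ident, config):
        self.configs[ident] = dict(config)   # e.g. weather forecast location
        self.visits.setdefault(ident, [])

    def record_visit(self, ident, beacon_id):
        # Visits are linked only to the random identifier.
        self.visits.setdefault(ident, []).append(beacon_id)


class TacitaClient:
    """Mobile client: the only place where app name and random id are linked."""

    def __init__(self):
        self._ids = {}        # app name -> random identifier (device only)
        self._services = {}   # app name -> ServiceStore it reports to

    def enable_app(self, service, config):
        # A fresh, unpredictable identifier for each configured application.
        ident = secrets.token_hex(16)
        self._ids[service.name] = ident
        self._services[service.name] = service
        service.register(ident, config)
        return ident

    def beacon_visit(self, beacon_id):
        # Report the visit to each enabled app under that app's own identifier;
        # nothing is passed to a shared infrastructure component.
        for name, service in self._services.items():
            service.record_visit(self._ids[name], beacon_id)

    def delete_app(self, name):
        # Dropping the device-side identifier is irreversible: the service keeps
        # rows keyed by an id that can no longer be tied to this user.
        self._ids.pop(name)
        self._services.pop(name)

    def enabled_apps(self):
        return sorted(self._ids)


def identifiers_are_unlinkable(client):
    """True if no two enabled apps share an identifier, so services cannot
    correlate a user's visits across each other."""
    ids = list(client._ids.values())
    return len(ids) == len(set(ids))


def demo():
    """Walk through enable, visits, deletion; constructed sample data."""
    weather = ServiceStore("weather")
    news = ServiceStore("news")
    client = TacitaClient()
    w_id = client.enable_app(weather, {"forecast_location": "Lancaster"})
    n_id = client.enable_app(news, {"topics": ["campus"]})
    unlinkable = identifiers_are_unlinkable(client)
    for beacon in ("beacon-library", "beacon-infolab", "beacon-library"):
        client.beacon_visit(beacon)
    client.delete_app("weather")
    client.beacon_visit("beacon-sportscentre")  # weather no longer receives this
    return {
        "unlinkable": unlinkable,
        "distinct_ids": w_id != n_id,
        "weather_visits": len(weather.visits[w_id]),
        "news_visits": len(news.visits[n_id]),
        "weather_still_enabled": "weather" in client.enabled_apps(),
        "weather_rows_orphaned": w_id in weather.visits,
    }


if __name__ == "__main__":
    print(demo())
```

The last two fields of the result are the point of the deletion passage: after `delete_app`, the weather service still holds three visit rows, but neither the client nor the service has anything that links them to a person, which is exactly why a deletion request cannot be honoured for that data.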

Next Step?

Ethics approval for accessing and using the data

https://appsto.re/gb/P9DBdb.i