user-controlled privacy for personal mobile...

Introduction PrivacyMate ScheduleME MIT-FIT Tutorial Evaluation Conclusion

User-controlled Privacy forPersonal Mobile Data

Sharon Paradesi

Decentralized Information Group, Bigdata@CSAILAdvisor: Dr. Lalana Kagal

August 6, 2014


Current privacy controls


Current data flow


Terminology

openDPS: an open-source platform enabling decentralizeddata storage on trusted computing infrastructures.

labs: mobile apps on the Living Lab platformLab names: ScheduleME ∼ Meetup


Terminology

openDPS: an open-source platform enabling decentralizeddata storage on trusted computing infrastructures.labs: mobile apps on the Living Lab platform

Lab names: ScheduleME ∼ Meetup


Terminology

openDPS: an open-source platform enabling decentralizeddata storage on trusted computing infrastructures.labs: mobile apps on the Living Lab platformLab names: ScheduleME ∼ Meetup


openPDS-enabled data flow


What’s missing?

openPDS is a privacy-preserving framework for personal datastores. However, the platform currently lacks fine-grained usercontrols for privacy.


Contributions of this thesis

Suite of user controls for privacyPrivacyMate

Additional labs built to validate PrivacyMateScheduleMEMIT-FIT


Overview of PrivacyMate


openPDS-enabled data flow with PrivacyMate


Preference creation


Global settings


Spatio-temporal context


Overall enforcementstart

Opt-in to dataaggregation

Opt-in to datacollection

Context

stop

Return nullReturn

data object


Data aggregation enforcement

if group computation:

opted in todata ag-

gregation?Return null

Opt-in to datacollection

no

yes


data collection enforcement

opted in todata

collection?Return null

Context

no

yes


Context enforcement

time ∈[start , end ]c

and day ∈daysc?

Return null

location

specified

in context?

Return

data object

location

within

500-m of

locationc?

no

yes

no

yes

no

yes


ScheduleME: Features

Privacy-preserving way to enable users to schedulemeetups without revealing either

current or desired physical locations orpoints of interest

Sweatt, B., Paradesi, S., Liccardi, I., Kagal, L., Pentland, A. S. BuildingPrivacy-preserving Location-based Apps. Privacy, Security and Trust (PST),2014 Twelfth Annual International Conference on. IEEE, 2014.


Determining meeting location

Meeting about PST paperFrom: [email protected]: user2 ([email protected]); user3([email protected])Day: Thursday 30th March;Time: 16:00 pmLocation: 42.3612, -71.0893

The Initiator requests a meeting by simply inserting participants emails addresses.The system uses past information about partici-pants’ locations to suggest a possible meet date,time and place.

The maps shows the location which is most convenient for the group, either as a total or a majority of the participants. In order to preserve participants’ privacy, the individual participants’ locations used to select the meeting place can not be inferred. Participants‘ possible locations for a meeting is selected randomly from within a bounding box created by the 4/5 location places captured (b1, b2) at the specific hour. Specific past location information ( ) is not used, a random location ( ) is selected within the limits of a bounding box containing the actual past location.This selected location is used in the computation of the centroid ( ).

Initiator Participants(b1)(b2)

(a) Requesting for a meeting

(b) Calculating the centroid


MIT-FIT: Features

MIT-FIT enables users to

track personal and aggregate high-activity regions andtimesview personalized fitness-related event recommendations


MIT-FIT: Features

MIT-FIT enables users totrack personal and aggregate high-activity regions andtimesview personalized fitness-related event recommendations


High-activity by location


High-activity by time and recommendations


Effect of enforcing different contexts


Comparison of MIT-FIT with other apps

APP VISIBILITY PRIVACY TECHNIQUES LOG IN ACCESS

NAME (SHARING) NEW S.N.

Fitbit F. T. policy safeguards for developer andAPI access

Yes F.

Nike+ F. T. P. grouping to share data and setting upprivate challenges

Yes F.

Pebble F. policy safeguards for developer andAPI access

Device -

Moves Private can use app without account Device -

RunKeeper F. T. grouping to control sharing of dataand analyses

Yes F.

Strava F. “Enhanced Privacy” Yes F.

MIT-FIT None individual private store, question andanswer framework, group computa-tion, user controls for privacy

Yes -

F. Facebook, T. Twitter, P. Pinterest


Tutorial: Creating a new lab

PrivacyMate’s functionality is part of the platform andtherefore a developer does not have to worry about it.

To create a new lab, a developer needs to make changesto the

openPDS server andMIT mobile app



PrivacyMate’s functionality is part of the platform andtherefore a developer does not have to worry about it.To create a new lab, a developer needs to make changesto the

openPDS server andMIT mobile app



On openPDS serverWrite Python code to define a task for the lab’s functionality.Schedule the task by adding it to the Celery scheduler.Write HTML code to create the lab visualization pages.Write JavaScript code, using backbone.js, to fetch data andcreate the lab visualizations.Add the path to HTML (visualization) to urls.py file forrouting.

On MIT Mobile client

Add the lab to the pds strings.xml file of the MIT Mobileclient.



On openPDS serverWrite Python code to define a task for the lab’s functionality.Schedule the task by adding it to the Celery scheduler.Write HTML code to create the lab visualization pages.Write JavaScript code, using backbone.js, to fetch data andcreate the lab visualizations.Add the path to HTML (visualization) to urls.py file forrouting.

On MIT Mobile clientAdd the lab to the pds strings.xml file of the MIT Mobileclient.


Semi-structured interviews

Goal: better understand the usability of the user controlsfor privacy and to obtain suggestions for improving them.

Procedure

verbal “walkthrough” of the labasked them to perform three tasksasked to rate their interaction with the framework whenaccomplishing the specific taskasked to justify their feedback for each rating and provideany final comments and feedback.

This is a small-scale user study (IS&T usabilityconsultation fell through)


Semi-structured interviews

Goal: better understand the usability of the user controlsfor privacy and to obtain suggestions for improving them.Procedure

verbal “walkthrough” of the labasked them to perform three tasksasked to rate their interaction with the framework whenaccomplishing the specific taskasked to justify their feedback for each rating and provideany final comments and feedback.

This is a small-scale user study (IS&T usabilityconsultation fell through)


Task 1:Allow Social Health Tracker to collect and use all required data

We received a somewhatuniform distribution offeedbacks for this task.

“three-dot icon”:ambiguous for some, butfor P6: “experienced verysimilar app settings andtherefore could do it.”

P1 about opt-in to data aggregation: “Is it sharing my data?I don’t want my data to be shared.”P3 about wording issues: not willingly reading text onmobile devices unless required to.


Task 2:Allow Social Health Tracker to only use data when at home

The majority of theresponses were “Neutral”

Questions: select more than one context and selectdifferent times during weekends compared to weekdays.Context was not directly apparent from the “DataPermissions” screen. P3: “... [context] is hidden. It can[only] be discovered by accident or remembered.”P5: “[It] would be nice to give an address and have themap drop a pin ... similar to ... Google maps.”


Task 3:Allow all labs to collect and use data

Four of the participantsrated the interaction for thistask as “Very easy.”

P1: “this task was easier because I found Global Settingsright at the beginning.”P2: “this [showed the] data collection and use [controls] onthe same screen, which is good.”P3: not knowing “what applications have what data”


Conclusion

Contributions of this thesis:User-controlled privacy mechanisms for the Living Labplatform: PrivacyMateTwo labs: ScheduleME, MIT-FITSmall-scale semi-structured usability interviews

Future Work:

The goal is eventual deployment across MIT campusMaking preferences easier to use and learning users’privacy preferencesIntegrating data from QS devices and considering differenttypes of activitiesExtensive usability studies


Conclusion

Contributions of this thesis:User-controlled privacy mechanisms for the Living Labplatform: PrivacyMateTwo labs: ScheduleME, MIT-FITSmall-scale semi-structured usability interviews

Future Work:The goal is eventual deployment across MIT campusMaking preferences easier to use and learning users’privacy preferencesIntegrating data from QS devices and considering differenttypes of activitiesExtensive usability studies


Thank You! Any Questions?

Special thanks toLalana Kagal (Thesis advisor)Sam Madden and Elizabeth Bruce (Living Lab advisors)Hal Abelson, Ilaria Liccardi, Joe Pato, K KrasnowWaterman, Danny Weitzner, Fuming Shih, OshaniSeneviratne, Daniela Miao, Andrei Sambra, Mike Specterand other DIG group membersBrian Sweatt, Myra Hope Eskridge, Laura Watts and otherLiving Lab collaborators

Contact: [email protected]

user-controlled privacy for personal mobile...

Documents