Privacy risk models for designing privacy-sensitive ubiquitous computing systems

Privacy is a difficult design issue, and it becomes more important as computing moves into ubiquitous environments. There is a fair amount of theoretical work on designing for privacy, but few practical methods help designers build applications that give end-users a level of privacy protection commensurate with the domain, with the community of users, and with the risks and benefits to every stakeholder in the intended system. To address this, we propose privacy risk models as a general method for refining privacy from an abstract concept into concrete issues for a specific application, and for prioritizing those issues. In this paper we introduce a privacy risk model developed specifically for ubiquitous computing, and we outline two case studies in which we applied it to the design of two ubiquitous computing applications.
