Empirical Models of Privacy in Location Sharing, at Ubicomp2010

Empirical Models of Privacy in Location

Sharing

Eran Toch, Justin Cranshaw, Paul Hankes-Drielsma, Janice Y. Tsai, Patrick Gage Kelley, James Springfield, Lorrie Cranor,

Jason Hong, Norman Sadeh

Carnegie Mellon

(1) Motivation

Ubicomp 2010 Carnegie Mellon

Motivation

4Ubicomp 2010 Carnegie Mellon

Privacy

‣ Location sharing applications can reveal sensitive locations (e.g., home,) the activity of the user, social encounters etc...

‣ Privacy is a major concern that may limit adoption (Tsai et al. 2009.)

by Frank Groeneveld, Barry Borsboom and Boy van Amstel.

Ubicomp 2010 Carnegie Mellon

Background

‣ Privacy

‣ Khalil and Connelly (2006)

‣ Anthony et al. (2007)

‣ Benisch et al. (2010)

Location and Mobility

‣ Eagle et al. (2006)

‣ Gonz´alez et al. (2008)

‣ Mancini et al. (2009)

‣ Cranshaw et al., 2010

Our question: What are the privacy preferences associated

with locations and mobility patterns?

7Ubicomp 2010 Carnegie Mellon

Agenda

‣ Locaccino

‣ Study

‣ Results

‣ Conclusions

(2) Locaccino

Ubicomp 2010 Carnegie Mellon

Locaccino

‣ Location sharing application

‣ Expressive privacy controls

‣ Background location tracking

‣ Research framework

10

Ubicomp 2010 Carnegie Mellon

Locators

‣ Background location reporting every 2-10 minutes, depending on movement

‣ On laptops: Location WiFi positioning by Skyhook

‣ On smartphones: WiFi positioning + GPS

For Mac and Windows

Ubicomp 2010 Carnegie Mellon

Setting Privacy Policy

Ubicomp 2010 Carnegie Mellon

Requesting Locations

(3) Study

Ubicomp 2010 Carnegie Mellon

Study‣ 28 primary participants were recruited using flyers

scattered around the Carnegie Mellon Campus and mailing list posting. They were compensated at $30 + data plan.

‣ 373 secondary participants had joined by invitation of primary participants. They were not compensated.

‣ 230 of them installed a locator, and were requested by other participants.

1. Answering Entrance Survey

3.Installing locator4.Setting up

privacy policy5.Inviting friends

3. Using Locaccin

o

4. Answering

Place Survey +

Exit Survey

2. Randomly assigned a

locator

Ubicomp 2010 Carnegie Mellon

Population and Limitation

‣ All participants are from the university community.

‣ 17 graduate students, 9 undergraduate students and 2 staff members.

‣ The study was conducted in a single city (Pittsburgh.)

‣ And in the course of a single summer month.

(4) Results

Ubicomp 2010 Carnegie Mellon

Location Entropy‣ Entropy is a measure for the

diversity of visitors to a place (Cranshaw et al., 2010)

‣ Borrowed from bio-diversity, it assigns high values to places visited by many users in equal proportions.

‣ Let p(u,l) be the observations of a user u in a location l. Entropy is defined as:

High entropy (5+)

Medium entropy (1-5)Low entropy (1)

Locations are defined based a 100m radius

Ubicomp 2010 Carnegie Mellon

Place Survey

Ubicomp 2010 Carnegie Mellon

Entropy vs. Comfort in sharing locations

Users were more comfortable sharing high entropy locations.ANOVA, friends: F=5.46 p=0.02, distant relations: F = 15.57 p=0.001

The correlation is stronger for distant social relations than with close social relations

Ubicomp 2010 Carnegie Mellon

Sharing by Place Type

Tags were grouped by a team of 3 judges to 8 categories

For distant relations

Ubicomp 2010 Carnegie Mellon

Privacy and Mobility• Visible mobility is

correlated with the number of request for the user (ANOVA: F = 14.713 p = 0.00079)

‣ High mobility users were requested twice as much as low mobility users.

‣ Number of friends and the users’ activity are non significant.

High mobilit

y users

Low mobilit

y users

Visible mobilityNumber of unique daily

locations

Median: 3.4

Ubicomp 2010 Carnegie Mellon

Requests over time

The request rate for high mobility users increased twofold over the course of the study

Ubicomp 2010 Carnegie Mellon

Privacy and Mobility

Item ANOVA F ANOVA P-value

Expressiveness (number of policy restrictions)

5.63 0.025

Number of privacy policy updates 10.75 0.0028

Correlation between visible mobility and privacy properties

High mobility users were 4 times as likely to use location restrictions and 7 times more likely to use time restrictions

24

Ubicomp 2010 Carnegie Mellon

Rule Examples

Ubicomp 2010 Carnegie Mellon

Survey Results

Item Average ANOVA F ANOVA P-value

Overall Usefulness 4.74 4.54 0.043

Friends rules usefulness 5.48 4.68 0.04

Time rules usefulness 4.74 5.14 0.03

Location rules usefulness 5.14 4.15 0.052

‣Correlation between visible mobility and survey results

7-point Likert (1 stands for not useful and 7 for very useful)

(4) Conclusions

Ubicomp 2010 Carnegie Mellon

Conclusions

‣ Some privacy preferences can be predicted by location entropy and mobility.

‣ Enhancing location sharing: by suggesting helpful defaults, checking-in in high entropy places etc.

‣ Establishing privacy sensitive location reporting for location aware systems.

‣ Other fields? Is entropy related to other phenomena? Check Session VII

‣ Lots of future work...

Thank you

More info:

http://www.cs.cmu.edu/~eran/

Carnegie Mellon

Locaccino demo - tomorrow’s

lunch

Ubicomp 2010 Carnegie Mellon

Location Privacy Preferences

‣Which measure best predicts the location privacy preferences?

ANOVA p-value

Measure friends and family

distant relations

Number of unique visitors

0.48 0.3

Number of observations 0.17 0.001

User’s visits to the location

0.98 0.22

Location entropy 0.02 0.001

30

Ubicomp 2010 Carnegie Mellon

Statistics

Item Average

Number of friends 12.86

Number of location observations 1,417,095