Empirical Models of Privacy in Location Sharing, at Ubicomp2010

Empirical Models of Privacy in Location

Sharing

Eran Toch, Justin Cranshaw, Paul Hankes-Drielsma, Janice Y. Tsai, Patrick Gage Kelley, James Springfield, Lorrie Cranor,

Jason Hong, Norman Sadeh

Carnegie Mellon

(1) Motivation

Ubicomp 2010 Carnegie Mellon

Motivation

4Ubicomp 2010 Carnegie Mellon

Privacy

‣ Location sharing applications can reveal sensitive locations (e.g., home,) the activity of the user, social encounters etc...

‣ Privacy is a major concern that may limit adoption (Tsai et al. 2009.)

by Frank Groeneveld, Barry Borsboom and Boy van Amstel.

http://frankgroeneveld.nl/

http://barryborsboom.nl/


Background

‣ Privacy

‣ Khalil and Connelly (2006)

‣ Anthony et al. (2007)

‣ Benisch et al. (2010)

Location and Mobility

‣ Eagle et al. (2006)

‣ Gonz´alez et al. (2008)

‣ Mancini et al. (2009)

‣ Cranshaw et al., 2010

Our question: What are the privacy preferences associated

with locations and mobility patterns?

7Ubicomp 2010 Carnegie Mellon

Agenda

‣ Locaccino

‣ Study

‣ Results

‣ Conclusions

(2) Locaccino


Locaccino

‣ Location sharing application

‣ Expressive privacy controls

‣ Background location tracking

‣ Research framework

10


Locators

‣ Background location reporting every 2-10 minutes, depending on movement

‣ On laptops: Location WiFi positioning by Skyhook

‣ On smartphones: WiFi positioning + GPS

For Mac and Windows


Setting Privacy Policy


Requesting Locations

(3) Study


Study‣ 28 primary participants were recruited using flyers

scattered around the Carnegie Mellon Campus and mailing list posting. They were compensated at $30 + data plan.

‣ 373 secondary participants had joined by invitation of primary participants. They were not compensated.

‣ 230 of them installed a locator, and were requested by other participants.

1. Answering Entrance Survey

3.Installing locator4.Setting up

privacy policy5.Inviting friends

3. Using Locaccin

o

4. Answering

Place Survey +

Exit Survey

2. Randomly assigned a

locator


Population and Limitation

‣ All participants are from the university community.

‣ 17 graduate students, 9 undergraduate students and 2 staff members.

‣ The study was conducted in a single city (Pittsburgh.)

‣ And in the course of a single summer month.

(4) Results


Location Entropy‣ Entropy is a measure for the

diversity of visitors to a place (Cranshaw et al., 2010)

‣ Borrowed from bio-diversity, it assigns high values to places visited by many users in equal proportions.

‣ Let p(u,l) be the observations of a user u in a location l. Entropy is defined as:

High entropy (5+)

Medium entropy (1-5)Low entropy (1)

Locations are defined based a 100m radius


Place Survey


Entropy vs. Comfort in sharing locations

Users were more comfortable sharing high entropy locations.ANOVA, friends: F=5.46 p=0.02, distant relations: F = 15.57 p=0.001

The correlation is stronger for distant social relations than with close social relations


Sharing by Place Type

Tags were grouped by a team of 3 judges to 8 categories

For distant relations


Privacy and Mobility• Visible mobility is

correlated with the number of request for the user (ANOVA: F = 14.713 p = 0.00079)

‣ High mobility users were requested twice as much as low mobility users.

‣ Number of friends and the users’ activity are non significant.

High mobilit

y users

Low mobilit

y users

Visible mobilityNumber of unique daily

locations

Median: 3.4


Requests over time

The request rate for high mobility users increased twofold over the course of the study


Privacy and Mobility

Item ANOVA F ANOVA P-value

Expressiveness (number of policy restrictions)

5.63 0.025

Number of privacy policy updates 10.75 0.0028

Correlation between visible mobility and privacy properties

High mobility users were 4 times as likely to use location restrictions and 7 times more likely to use time restrictions

24


Rule Examples


Survey Results

Item Average ANOVA F ANOVA P-value

Overall Usefulness 4.74 4.54 0.043

Friends rules usefulness 5.48 4.68 0.04

Time rules usefulness 4.74 5.14 0.03

Location rules usefulness 5.14 4.15 0.052

‣Correlation between visible mobility and survey results

7-point Likert (1 stands for not useful and 7 for very useful)

(4) Conclusions


Conclusions

‣ Some privacy preferences can be predicted by location entropy and mobility.

‣ Enhancing location sharing: by suggesting helpful defaults, checking-in in high entropy places etc.

‣ Establishing privacy sensitive location reporting for location aware systems.

‣ Other fields? Is entropy related to other phenomena? Check Session VII

‣ Lots of future work...

Thank you

More info:

http://www.cs.cmu.edu/~eran/

Carnegie Mellon

Locaccino demo - tomorrow’s

lunch

http://www.cs.cmu.edu/~eran/


Location Privacy Preferences

‣Which measure best predicts the location privacy preferences?

ANOVA p-value

Measure friends and family

distant relations

Number of unique visitors

0.48 0.3

Number of observations 0.17 0.001

User’s visits to the location

0.98 0.22

Location entropy 0.02 0.001

30


Statistics

Item Average

Number of friends 12.86

Number of location observations 1,417,095

Empirical Models of Privacy in Location Sharing, at Ubicomp2010

Technology

carnegie mellon entropy

carnegie mellon sharing

carnegie mellon study

carnegie mellon conclusions

carnegie mellon motivation

carnegie mellon campus

carnegie mellon requests

carnegie mellon population