Transcript cmu-phd2005
Privacy, Security, and Ubiquitous Computing
Jason I. Hong
Overview
• Privacy and Security Today
– Supporting Trust Decisions
• Privacy and Security Tomorrow
– Privacy and Usability in Pervasive Environments
– Location-enhanced Web
– Whisper
Everyday Security Problems
Everyday Security is Important
• People increasingly asked to make trust decisions
– Install this software?
– Trust expired certificate? (“what the !@^% is a certificate?”)
– Enter username and password?
• Consequence of wrong trust decision can be dramatic
– Spyware
– Malware (viruses, worms)
– Identity theft
Project: Supporting Trust Decisions
• Computers can’t make all trust decisions for you
• Goal here is to help people make better decisions
– Context here is anti-phishing
– Multidisciplinary team
• Approach 1: Design Patterns
– Extract UI design patterns that work well
• Approach 2: Embedded Training
– Surreptitiously train people to be better at discriminating scams from the real thing
• Approach 3: Public Health System
– Back-end system + UIs for marking scams
Overview
• Privacy and Security Today
– Supporting Trust Decisions
• Privacy and Security Tomorrow
– Privacy and Usability in Pervasive Environments
– Location-enhanced Web
– Whisper
Ubicomp Presents New Benefits
• Advances in wireless networking, sensors, devices
– Greater awareness of and interaction with physical world
• Ubicomp can help in efficiency, coordination, safety
– Examples shown: RFID, Find Friends, Incident Command
Ubicomp Also Presents New Risks
• Some potential new risks:
– Commit fraud
– Draw embarrassing or inaccurate inferences
– Discriminate against users
Everyday Risks
– Friends, Family: Over-protection, Social obligations, Embarrassment
– Employers: Over-monitoring, Discrimination, Reputation
Extreme Risks
– Government: Civil liberties
– Stalkers, Muggers: Well-being, Personal safety
Ubicomp Privacy is a Serious Concern
“[It] could tell when you were in the bathroom, when you left the unit, and how long and where you ate your lunch. EXACTLY what you are afraid of.”
- allnurses.com
Project: Privacy and Usability in Pervasive Environments
Group project split into two major parts:
1. Decentralized trust management infrastructure for enforcing policies
– Project Grey, MyCampus, Pervasive Access Control
2. User interfaces for helping people elucidate their privacy preferences
– When to get notifications?
– When to share personal information?
Project: Privacy and Usability in Pervasive Environments
• You think you are in one context, actually overlapped in many others
• Without this understanding, cannot act appropriately
• Optionally, useful to specify when it’s okay to broadcast
Project: Privacy and Usability in Pervasive Environments
• Pessimistic, Optimistic, and Mixed-mode privacy
– Pessimistic: set up prefs beforehand
– Optimistic: detect problems and fix afterwards
– Mixed: ask me
• Extend Privacy Bird
• Conversational Case Based Reasoning (CCBR)
– Major component, help people use similar past situations
• Empirical user studies to compare these UIs
– Correctness, desirability, predictability, time on task, …
Project: Location-Enhanced Web
Three big problems with location-based services:
1. Need a high level of expertise to create location-enhanced content and services
– Lots of programming and/or hardware expertise
– Significantly stifles innovation
2. Difficult to deploy location-enhanced content and services
– No location app works on multiple phones
– Haphazard wireless connectivity
3. Location privacy
Web + Location = Location-Enhanced Web
• Evolve existing web infrastructure to support location-awareness
– Minimal re-design and re-deployment
– Leverage existing web browsers, web servers
• Co-opt existing location-enhanced content
– Transparently make web sites that already have location-enhanced content part of the location-enhanced web
– Ex. Restaurant guides, bus schedules, tour guides, etc.
– Anything with street address info
• Make it easy to create location-enhanced content
– Authoring of web pages vs programming apps
Underlying Design Philosophy
• Capture, store, and process personal data on my computer as much as possible (laptops and PDAs)
• Provide greater control and feedback over sharing
How It Will Work
Overview
• (1) Determine location locally on device
– Listen to “beacons” to calculate location locally
• (2) Use local proxies to transparently add new features
– Let users use existing web browsers
• (3) Local services
– Geocoders, maps, etc.
• (4) Occasionally-connected computing
– Cache content like a madman, periodically update
• (5) Better user interfaces
– Provide better UIs for sharing info
• (6) Provide authoring tools for new content and services
How It Will Work
Usage Scenario (1/5)
• Alice does a one-click install for her laptop
• Place Lab WiFi positioning system calculates location
– Unique WiFi MAC Address → Latitude, Longitude
– Works indoors and in urban canyons
– Works with encrypted nodes
– No special equipment
– Privacy-sensitive
– Rides the WiFi wave
How It Will Work
Usage Scenario (2/5)
• Regular web browser starts auto-filling in web forms for location-unaware sites
– Local geocoder service looks up address info
– Uses publicly available data about countries, states, ZIP, etc.
How It Will Work
Usage Scenario (3/5)
• Alice can also go to a location-aware site that uses our extensions
– Web-based tour guide of CMU
• Alice gets a Place Bar UI to control what level of location info she is willing to disclose
– Selectively trade privacy for services
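An added example (not code from the talk or from the Place Lab project) of the device-side flow in scenarios 1 and 3: a cached table of known WiFi beacons yields a position fix computed entirely on the laptop, and a Place Bar-style disclosure level coarsens that fix before anything is handed to a site. The MAC addresses, coordinates and the four disclosure levels are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed beacon cache: WiFi access-point MAC -> (latitude, longitude).
# In the talk's design this table lives on the device, so computing a fix
# never requires asking a remote service where the user is.
BEACON_CACHE = {
    "00:11:22:33:44:55": (40.4433, -79.9436),
    "00:11:22:33:44:66": (40.4437, -79.9428),
    "00:11:22:33:44:77": (40.4429, -79.9440),
}

# Place Bar disclosure levels (constructed): how many decimal places of
# latitude/longitude a site may see. One degree is ~111 km, so 1 decimal
# is roughly city scale, 2 is a neighborhood, 3 is about a city block.
DISCLOSURE_DIGITS = {"city": 1, "neighborhood": 2, "block": 3, "exact": 6}

@dataclass(frozen=True)
class Fix:
    lat: float
    lon: float
    beacons_used: int

def locate(heard_macs):
    """Estimate position locally as the centroid of the known beacons heard.
    MACs absent from the cache are ignored; no known beacon means no fix."""
    pts = [BEACON_CACHE[m] for m in heard_macs if m in BEACON_CACHE]
    if not pts:
        return None
    lat = sum(p[0] for p in pts) / len(pts)
    lon = sum(p[1] for p in pts) / len(pts)
    return Fix(round(lat, 6), round(lon, 6), len(pts))

def disclose(fix, level):
    """Return the coarsened coordinates a site receives at the chosen
    Place Bar level. Coarsening happens on the device, before any request
    is sent; 'none' (or having no fix) discloses nothing at all."""
    if fix is None or level == "none":
        return {}
    digits = DISCLOSURE_DIGITS[level]   # KeyError for an unknown level
    return {"lat": round(fix.lat, digits), "lon": round(fix.lon, digits)}

if __name__ == "__main__":
    heard = ["00:11:22:33:44:55", "00:11:22:33:44:66", "aa:bb:cc:dd:ee:ff"]
    fix = locate(heard)          # the unknown MAC is simply ignored
    for level in ("none", "city", "neighborhood", "exact"):
        print(level, disclose(fix, level))
```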
How It Will Work
Usage Scenario (4/5)
• Local proxy transparently processes new location-enhanced features
– Triggers to auto-load new content
• Ex. show this page when user enters this building
– Context-sensitive links
• Ex. “Map” link shows indoor map when indoors, etc.
– Active map
How It Will Work
Usage Scenario (5/5)
• Alice can also download content for use when not connected to network
– Too expensive, roaming, poor coverage, etc.
• Every morning, her laptop downloads location+ information about Pittsburgh
– Community events like talks, concerts, book signings
– Restaurant guides (download and geocode entire site)
– Locally filter and examine
• Can also block-fetch info
– Ex. Travel to Seattle, download all info for that week
– Service knows you are in Seattle, that’s it
– If linked with calendar, can do this when you’re in Pittsburgh
Authoring Tools
Advantages of this Approach
• This approach leverages:
– Familiar user model (links, pages, web sites, submit button)
– Lots of existing content
– Lots of authoring and debugging tools
– Lots of content creators
• Icing on the cake
– Simple user model: everything private unless you choose
– Software only extensions, no new hardware
– Minimal changes to existing web browsers, proxies, servers
– Don’t have to wait for widespread cheap wireless networking
– Can do this today!
Can Address Key Research Problems
• Need a high level of expertise to create location-enhanced content and services
– Shift problem from programming to authoring
– Provide libraries and templates for advanced features
• Difficult to deploy location-enhanced content and services
– Local proxy, local services, local storage
– Occasionally connected computing
• Privacy
– OCC (use data offline)
– Better user interfaces for when and what to share
Lots of Research Issues
• OCC and block-fetching algorithms
– How much to download? When to refresh?
– Privacy metric: level of privacy vs cpu, bandwidth, disk, power
– Pre-fetch: plausible deniability, potentially useful info
• Will work for laptops, what about phones and PDAs?
– Start with local, push back into infrastructure as needed
– Ex. Trusted proxies, a for-pay service that honors privacy
• User interfaces
– Place Bar okay but hard to use in user evals
– What is live vs cached?
Apps to Build Towards (1/2)
• Web page autofill
• Virtual post-it notes (geonotes)
• Location-enhanced tourguide
• Map-It
– Map from current location to address on page
Apps to Build Towards (2/2)
• Location dashboard
– Subscribe to Starbucks coffee, crime database, and geonotes server
– As you move around, you can see:
• Nearest Starbucks
• Crime “thermometer”
• Previews of notes your friends have posted
– Like an RSS feed for the real world!
• Whisper Community Event Service
– Crawl web for community events
– Use location, social networks, and keywords to filter
– “Notify me when Yo-Yo Ma will play a concert in Pittsburgh”
Project Whisper
• Community event service
– Foster sociability within community
– Get people away from TV
• First iteration done
– (Before location-enhanced web though)
• User evaluations
– Useful but…
– I want to know who else is going
– Too many events shown!
• Make it easier for people to coordinate
– Lightweight, minimal social obligations
• Make it easy to see what’s going on
Project Whisper
• Use location information, preferences, and social networking to filter
– Location: “Shadyside art festival”
– Preferences: “Yo-Yo Ma”
– Social Networking: “I’m going to this concert, anyone else?”
• Hypothesis: instigators
– N% of population who really like to organize outings
– Subscribe to events these people are interested in
• Provide personalized events as lightweight RSS feed
– RSS a simple way of subscribing to things
Project Whisper
Wed (Today):
• Talk on privacy (3:30PM)
Fri
• Churchbrew (Lorrie, 6:30PM)
Weekend
• Shadyside art festival (all day)
• Garage sale Squirrel Hill
Future
• Yo-Yo Ma (Oct 28)
Project Whisper
Wed (Today):
• Talk on privacy (3:30PM)
– I get this because of simple keyword matching on “privacy”
Fri
• Churchbrew (Lorrie, 6:30PM)
– I get this because I subscribe to Lorrie’s personal RSS feed
Weekend
• Shadyside art festival (all day)
• Garage sale Squirrel Hill
– I get these two because I live in Shadyside
– Rather than current location, leverage where we spend a lot of our time (i.e., home, work, etc.)
Future
• Yo-Yo Ma (Oct 28)
– I get this because of keyword “Yo Yo Ma”
– I can also publish this as part of my personal RSS feed, so my friends can also see this event
– Whisper can then help with who’s going, carpools, etc.
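An added example (not Whisper's own code) of the filtering the annotated feed above describes, also covering the “locally filter and examine” step of the block-fetch scenario: downloaded events are matched on the device against keywords, the places where the user spends time (home, work) rather than live location, and the friends' personal feeds the user subscribes to, and every item carries the reason it was shown. The events, neighborhoods and profile are constructed; the titles echo the slide.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    title: str
    when: str
    place: str          # neighborhood where the event happens
    host: str = ""      # friend who published it on their personal feed, if any

@dataclass(frozen=True)
class Profile:
    keywords: frozenset          # interests, e.g. "privacy", "Yo-Yo Ma"
    places: frozenset            # where the user spends time, not live location
    subscribed_feeds: frozenset  # friends whose personal RSS feeds are followed

def _words(text):
    return set(text.lower().replace("-", " ").split())

def reasons(event, profile):
    """Why this event belongs in the user's feed; an empty list means it does not."""
    out = []
    title_words = _words(event.title)
    for kw in sorted(profile.keywords):
        if _words(kw) <= title_words:        # every word of the keyword appears
            out.append(f"keyword {kw!r}")
    if event.place in profile.places:
        out.append(f"you spend time in {event.place}")
    if event.host and event.host in profile.subscribed_feeds:
        out.append(f"subscribed to {event.host}'s feed")
    return out

def personalized_feed(events, profile):
    """Keep only events with a reason, strongest (most reasons) first."""
    matched = [(e, reasons(e, profile)) for e in events]
    matched = [(e, r) for e, r in matched if r]
    return sorted(matched, key=lambda er: -len(er[1]))

# Constructed data echoing the slide's feed, plus one event that should be dropped.
EVENTS = [
    Event("Talk on privacy", "Wed 3:30PM", "Oakland"),
    Event("Churchbrew", "Fri 6:30PM", "Lawrenceville", host="Lorrie"),
    Event("Shadyside art festival", "Weekend", "Shadyside"),
    Event("Garage sale", "Weekend", "Squirrel Hill"),
    Event("Yo-Yo Ma concert", "Oct 28", "Downtown"),
    Event("Monster truck rally", "Oct 30", "Downtown"),
]
PROFILE = Profile(frozenset({"privacy", "Yo-Yo Ma"}),
                  frozenset({"Shadyside", "Squirrel Hill"}),  # home and work
                  frozenset({"Lorrie"}))

if __name__ == "__main__":
    for event, why in personalized_feed(EVENTS, PROFILE):
        print(f"{event.when:12} {event.title:25} because: {'; '.join(why)}")
```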
Summary of Projects
Privacy, security, and ubiquitous computing
• Supporting Trust Decisions
– Design patterns, Embedded Training, Public Health
• Privacy and Usability in Pervasive Environments
– Design, implement, and eval multiple UIs
• Location-enhanced web
– Systems and UI issues for combining location and web
• Whisper Community Event Service
– Make it easier for people to find interesting events and coordinate who’s going
Future of Ubiquitous Computing?
Jason I. Hong
NSH 2504D
Perspective on Privacy
“The problem, while often couched in terms of privacy, is really one of control. If the computational system is invisible as well as extensive, it becomes hard to know:
– what is controlling what
– what is connected to what
– where information is flowing
– how it is being used”
Empower people so they can choose what to share:
• the right information
• with the right people or services
• at the right time
The Origins of Ubiquitous Computing Research at PARC in the Late 1980s (Weiser, Gold, Brown)
Computers Are Becoming Ubiquitous… and Integrated with Real World
Client-Centered Architectures
• Basic idea:
– Local sensing, local storage, local processing
– Provide better control and feedback over sharing
• Examples:
– Anonymous Broadcast
• Satellites (GPS, Sirius or XM), Radio (AM / FM), WiFi AP
– Sensing: GPS, Cricket, Place Lab
– Storage: Occasionally Connected Computing
• Sync up lots of potentially useful info beforehand
– Services
• Geocoding, maps, etc.
• These services would also be OCC services
Weaknesses of Client-Centered Approach
• Only useful for certain kinds of apps
– Default is not to share info, some apps hard to build
– Personal mobile apps vs Place-oriented apps (cameras)
– Best for read-only data
• Requires really high-end devices
– Invoke Moore’s Law
– Fundamental tradeoff
• Centralized / decentralized tradeoff
– Like hotmail vs cmu IMAP vs own IMAP
– Decentralized probably scales better
– But users are own sysadmins, viruses, spyware
– Again, fundamental tradeoff