Questions for Privacy Risk Modeling

In 2004, my colleagues and I published a paper called "Privacy risk models for designing privacy-sensitive ubiquitous computing systems". This paper posed a series of questions about user interface design, system design, and organizational issues that one should consider with respect to privacy when designing new ubicomp systems.

In a recently published chapter in the book "Mobile Sensing in Psychology: Methods and Applications", I offer an updated version of these questions, shared below.

Design Issues 
• What kinds of personal information are sensed or gathered (e.g., name, email)?
• How sensitive is the data? If leaked, can the data be easily linked to a specific individual?
• Is there a clear value proposition for end users for sharing their personal data? Is this value proposition clear to end users?
• Does this data collection match people’s expectations about the app? For example, it makes sense for a sleep monitor to use a microphone but perhaps not for a food diary app.
• For each type of sensitive information, is it opt-in or opt-out, or do data sharers even have a choice?
• What is the minimal amount of data needed for the mobile device and associated apps? Does the data need to be collected at all?
• What devices and sensors are used to collect personal information? Who has physical control over these devices and sensors?
• What happens if there are sensing or inferencing errors on the data? Is there potential for embarrassment or other mishaps?
• How are data collection and data use practices conveyed to users?
• What kinds of controls and feedback do end users have for managing their personal data? Are these user interfaces easily understandable and accessible? 

Social Context
• Who are the data sharers, the people sharing personal information? What kinds of concerns do they have?
• Who are the data observers, other users who might see and use that personal information?
• What kinds of personal data are shared with data observers?
• What are the relationships between data sharers and data observers? What is the level and nature of trust? Is there a power imbalance? What incentives do data observers have to protect data sharers’ personal information (or not, as the case may be)?
• Are there potentially malicious data observers (e.g., spammers, stalkers, abusive partners, trolls)? How might they abuse your system?
• What are the social and cultural norms around how personal information will be used?
• What are the data sharers’ expectations about how personal information will be used?
• Are there other stakeholders or third parties who might be directly or indirectly impacted by the system, for example, passersby incidentally near a mobile sensing system?

Organizational Context
• What are the policies and procedures for accessing the data by people internal to the organization? What kinds of data and granularities can people internal to the organization see? How will these be enforced? Will accesses be logged and audited?
• Will any collected data be shared with any third parties? Can the data be anonymized before sharing?

Technical Issues
• How are users identified? Is it a device hardware identifier, an app-specific identifier, a user-specified identifier (such as a username or email address), or an advertising identifier (e.g., Apple’s IDFA or Google’s AAID)? Each has tradeoffs over how much control users have and how much people can be tracked across devices and apps.
• What is the granularity of the information sent or shared, for example, with respect to space (e.g., room, building, street), time (e.g., continuous, every hour, every day), or fidelity (e.g., for identity, is it a specific person, a pseudonym, or anonymous)? How often is information shared? Is it discrete and one-time? Is it continuous?
• Can the data be processed entirely on the device? Do the data need to leave the device?
• What sensitive data are sent to the backend? Where are these data stored? Note that there may be legal implications depending on the country in which the data are stored. Who has access to the data? How long are data retained? What about backups of data?
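
The identifier and granularity questions above can be turned into a reduction step that runs on the device before anything is uploaded. The sketch below is an added example, not code from the paper or the book chapter; the record fields, level names, and key are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample reading; every field name and value here is an assumption.
SAMPLE = {"device_id": "HW-SERIAL-0001", "lat": 40.443322, "lon": -79.943456,
          "ts": "2024-03-05T14:37:52+00:00", "heart_rate": 72}

# Decimal places of latitude/longitude kept at each spatial level (rough scale).
SPACE_DECIMALS = {"building": 3, "neighborhood": 2, "city": 1}
# Bucket width in seconds at each temporal level.
TIME_BUCKET = {"minute": 60, "hour": 3600, "day": 86400}


def app_scoped_id(device_id: str, app_key: bytes) -> str:
    """Keyed pseudonym: stable within one app, not joinable with an app using another key."""
    return hmac.new(app_key, device_id.encode(), hashlib.sha256).hexdigest()[:16]


def coarsen(reading, app_key, space="neighborhood", time="hour", fidelity="pseudonym"):
    """Return the reduced record to upload; the raw hardware identifier is never copied."""
    if fidelity not in ("pseudonym", "anonymous"):
        raise ValueError("unknown fidelity level")  # fail closed, never send raw identity
    places = SPACE_DECIMALS[space]   # KeyError on an unknown level also fails closed
    width = TIME_BUCKET[time]
    epoch = int(datetime.fromisoformat(reading["ts"]).timestamp())
    bucket_start = datetime.fromtimestamp(epoch - epoch % width, timezone.utc)
    out = {
        "lat": round(reading["lat"], places),
        "lon": round(reading["lon"], places),
        "ts": bucket_start.isoformat(),
        "heart_rate": reading["heart_rate"],
    }
    if fidelity == "pseudonym":
        out["subject"] = app_scoped_id(reading["device_id"], app_key)
    return out


if __name__ == "__main__":
    print(coarsen(SAMPLE, b"constructed-app-key"))
    print(coarsen(SAMPLE, b"constructed-app-key", space="city", time="day", fidelity="anonymous"))
```

Coarsening lowers precision but is not anonymization on its own: a sparse series of coarse locations can still point to one person, so the sensitivity and linkability questions under Design Issues still apply to the reduced record.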

