With the advent of sensor-rich mobile devices such as smartphones, an increasing number of people are sharing personal "contextual" information like location, activity, and health/fitness information with members of their social network. To enhance privacy for people sharing such information, a large body of research has focused on ways for users to specify who should be authorized to access their information. This research improves end-user privacy by addressing the related question of "Who is accessing my information and to what extent?". Providing users with an accurate sense of their "exposure" will enable them to better control how their contextual information is shared and will help mitigate emerging privacy risks.

This research advances the state of the art in privacy by formalizing the notion of exposure awareness, investigating metrics that can be used to quantify a person's exposure, developing usable feedback models and visualizations that leverage these metrics to convey exposure, and creating exposure control extensions to established policy architectures to help users control exposure and refine their data sharing policies over time. The proposed research will thus allow ordinary people to proactively rein in the amount of personal information shared online, and will reduce the privacy risks for the large population of users who are increasingly using social-networking applications to share personal contextual information.

Project Report

With the advent of mobile-computing devices such as smartphones, tablets, and wearables, an increasing number of people are sharing or broadcasting personal contextual information using social-networking services such as Facebook and Twitter. For example, people are now sharing not only their location, but also geo-tagged photographs, activity information as deduced from onboard sensors such as accelerometers, and fitness information. A large body of research has focused on disclosure policies for personal information (i.e., Who should see my information?), but has neglected to characterize what we call a user's 'exposure' (i.e., Who is accessing my information and to what extent?). Existing work on disclosure policies allows, e.g., Alice to specify that her co-workers are permitted to access her physical location during the work week. While such policies may provide Alice with some baseline notion of exposure control, they do not provide Alice with feedback about her queriers. Would Alice still feel in control if she learned that Bob was accessing her location every 5 minutes? Or if every member of her project team checked her location while she was visiting a medical specialist? To truly enable individual control of data, people need a way to quantify, interpret, and control the extent to which this data is accessed, cross-correlated, and disseminated. During the course of this project, we have made a number of important advances with respect to this exposure control lifecycle:

Design Principles for Exposure-Aware Systems

Throughout this project, our team has conducted a variety of surveys and user studies to better understand exposure in contextual sharing systems. These studies have provided insight into (i) the types of factors that individuals want to consider when sharing contextual information and where existing systems fall short of supporting this conditional disclosure; (ii) how differences in usage (e.g., social vs. professional, always-on vs. check-in) of the same system can lead to very different norms of sharing and access, and thereby different exposure threats; (iii) the types of access patterns to an individual's data that are allowed by specified access policies, but are inconsistent with the individual's intended sharing behavior; and (iv) how over- and under-exposure awareness can alter an individual's use of a system. Our findings led to the design of the first exposure-aware policy language, and have informed the design of all system artifacts produced during this research.

Exposure Awareness Interfaces

A key difficulty in building exposure-aware systems lies in identifying instances of over-sharing. The contextual, temporal, and intra-personal factors that lead to instances of over-exposure are often impossible to capture using the policy or preference languages supported by most platforms; as such, although an access is allowed by an individual's preferences, it may still be contrary to their desired exposure goals. To this end, we have developed exposure awareness interfaces that leverage aggregate exposure summaries to convey information to participants in a system, and evaluation methodologies for assessing the efficacy of these types of interfaces. Balancing the coarseness of these types of interfaces with the cognitive overhead of more frequent interruptions is a challenging problem that defines a fruitful space for future work.

Secure Storage of Presence Information

One important finding from our surveys of user perception of exposure is the distinction between the utility of allowing an individual access to a user's contextual data (e.g., location, presence, etc.), and the intrusiveness of aggregate data collection. That is, a single disclosure of Alice's location is helpful for scheduling an in-person meeting, while repeated disclosures can lead to a wide array of profiling attacks. To address this problem, we have developed cryptographic approaches for facilitating location sharing between social and professional peers that is protected from analysis by a service provider, and for allowing the usage of aggregate statistics about worker presence without exposing the minutiae of an individual's day-to-day activities.

This work has made important strides toward advancing all phases of the exposure control lifecycle, ranging from policy specification and deployment, to quantification metrics, to interfaces supporting feedback and policy revision. Ongoing collaborations enabled by this award are now investigating the deployment of exposure-aware services in the context of social sharing, data management, and workplace presence sensing. The project also sought to strengthen the interests of underrepresented groups in STEM fields (science, technology, engineering, and math), including graduate study in STEM fields. We hosted multiple African American summer interns from HBCU institutions, and US undergraduate male and female interns as part of this effort.
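The report's central point is that a disclosure policy ("co-workers may see my location during the work week") says nothing about how often or in what pattern that permission is exercised. The following is an added illustration, not code from the project: it computes a per-querier aggregate exposure summary over a constructed access log of policy-allowed location lookups and flags the two patterns the report describes, a single querier polling every few minutes and a whole team checking at once. All names, thresholds and log entries are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log of location queries against Alice's data: (timestamp, querier).
# Every querier is a co-worker querying on a weekday, so a disclosure policy on its own
# would accept each of these accesses; only the aggregate pattern reveals over-exposure.
T0 = datetime(2013, 3, 12, 9, 0)  # a Tuesday morning (constructed)
ACCESS_LOG = (
    [(T0 + timedelta(minutes=5 * i), "bob") for i in range(24)]  # Bob polls every 5 min for 2 h
    + [(T0 + timedelta(hours=1), "carol")]                        # one occasional lookup
    + [(T0 + timedelta(hours=3, minutes=m), q)                    # whole team within 4 minutes
       for m, q in enumerate(["dave", "erin", "frank", "carol"])]
)

def exposure_summary(log):
    """Per-querier aggregate exposure: access count and median gap (minutes) between accesses."""
    by_querier = defaultdict(list)
    for ts, querier in log:
        by_querier[querier].append(ts)
    summary = {}
    for querier, stamps in by_querier.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        median_gap = sorted(gaps)[len(gaps) // 2] if gaps else None
        summary[querier] = {"count": len(stamps), "median_gap_min": median_gap}
    return summary

def flag_pollers(summary, min_count, max_gap_min):
    """Queriers whose pattern looks like continuous tracking rather than occasional lookups."""
    return sorted(q for q, s in summary.items()
                  if s["count"] >= min_count
                  and s["median_gap_min"] is not None
                  and s["median_gap_min"] <= max_gap_min)

def flag_bursts(log, window_min, min_distinct):
    """Start times (and querier sets) of windows in which many distinct people checked at once."""
    window = timedelta(minutes=window_min)
    stamps = sorted(log)
    bursts = []
    for i, (start, _) in enumerate(stamps):
        queriers = {q for ts, q in stamps[i:] if ts - start <= window}
        # Report each burst once: skip starts that fall inside the previously reported window.
        if len(queriers) >= min_distinct and (not bursts or start - bursts[-1][0] > window):
            bursts.append((start, frozenset(queriers)))
    return bursts
```

Feeding the summary back to Alice (for example, "bob: 24 lookups, one every 5 minutes") is the kind of aggregate exposure feedback the report argues policies alone cannot provide.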

Budget Start: 2010-09-01
Budget End: 2014-08-31
Fiscal Year: 2010
Total Cost: $149,859
Name: University of Pittsburgh
City: Pittsburgh
State: PA
Country: United States
Zip Code: 15260