Empowering Lay Users to Control Complex Privacy and Communication Policies

Organized by Norman Sadeh, Lorrie Cranor, and Jason Hong


The objective of this PROBE is to develop and evaluate new policy-authoring tools that combine user-centered design principles with dialogue, explanation and learning technologies to empower lay users to effectively specify and refine policies. Evaluation metrics will look at both accuracy and overall user acceptance, including user burden. Users should feel that they have adequate control over the behavior of the applications they interact with. Specifically, we propose to develop and evaluate a new family of recommendation techniques that reconcile the power of machine learning with the need for users to remain in control of their policies. The proposed solution will help generate incremental changes to user-specified policies in the form of suggestions users can selectively accept or reject. This functionality will be combined with dialogue and explanation functionality enabling users to ask “why”, “why not”, and “what if” types of questions (e.g. why was my location shared with this person under this particular scenario, and what if I were to change the following rule).

Because different application domains give rise to different tradeoffs between expressiveness, tolerance for errors and user burden, we will aim to validate our techniques across several different application domains. We have already built and deployed a “people finder” application that allows users to selectively share their location information gathered through WiFi or cell phone position data. We have developed a user interface for users to specify their location preferences and to audit the system’s decisions about disclosing their location. We have used the audit data as input into our user-controllable policy learning algorithm and developed a simulation to show that the system is able to learn user preferences over time. We plan to validate this technique in a field study and apply it in other applications such as social networking site applications and a unified communication application. In particular, in this study we propose to customize our user-controllable policy learning techniques for a Facebook application where users control conditions under which some of their information can be shared with others (e.g. location information or calendar information).

Papers

Who’s Viewed You? The Impact of Feedback in a mobile location Sharing System
Janice Y. Tsai, Patrick Kelley, Paul Drielsma, Lorrie Cranor, Jason Hong, Norman Sadeh
CHI, 2009

The Impact of Expressiveness on the Effectiveness of Privacy Mechanisms for Location Sharing
Michael Benisch, Patrick Gage Kelley, Norman Sadeh, Tuomas Sandholm, Lorrie Faith Cranor, Paul Hankes Drielsma, Janice Tsai
CMU-ISR-08-141, December 2008

User-Controllable Learning of Security and Privacy Policies
Patrick Gage Kelley, Paul Hankes Drielsma, Norman Sadeh, Lorrie Faith Cranor

Understanding and capturing people’s privacy policies in a mobile social networking application
Norman Sadeh, Jason Hong, Lorrie Cranor, Ian Fette, Patrick Kelley, Madhu Prabaker, Jinghai Rao
Journal of Personal and Ubiquitous Computing

Capturing Social Networking Privacy Preferences: Can Default Policies Help Alleviate Tradeos between Expressiveness and User Burden?
Ramprasad Ravichandran, Michael Benisch, Patrick Gage Kelley, and Norman M. Sadeh