Protecting the Privacy of Displayed Information
Peter Tarasewich, Jun Gong, Richard Conlan
HCI Laboratory, College of Computer & Information Science, Northeastern University
360 Huntington Avenue, 202 WVH, Boston, MA 02115
{tarase, gjoliver, kaige} @ccs.neu.edu
ABSTRACT
Current technologies allow users to access information in virtually any public setting. This creates situations where sensitive information, both organizational and personal in nature, can be seen and captured by nearby people and technology. Therefore, methods are necessary to ensure the privacy and security of information displayed in public spaces. The authors have developed Web browser privacy blinders, which hide sensitive information from view while leaving other information unobscured. Research to date on this topic is reviewed, along with current and future work.

1. INTRODUCTION
Maintaining privacy in the mobile environment remains difficult because the context of a device or application can change rapidly and without notice. This is in sharp contrast to a fixed environment, like an office, where people can consistently control the way that information is handled to minimize the chance of divulging sensitive information to unauthorized parties. In an office, computer screens can be pointed towards a user such that other people cannot easily read them [1]. People are not intentionally careless when it comes to protecting information in public places, but normal human behavior makes it easy for unsafe conditions to exist. For example, laptop computers are often used whenever and wherever needed or desired (e.g., in an airplane). In this situation, the user can become more focused on the task at hand rather than the fact that information might be overseen or recorded by someone close by. While current technology makes it easy to access information anywhere and anytime, it does not concurrently provide adequate protection of that information. Effective solutions to privacy protection problems must not only be technically sound, but usable and understandable from a social perspective. Mobile users need interaction methods that work well with multiple and varied tasks, and in environments that can change rapidly and potentially be hostile. If this is not accomplished, users must accept tradeoffs between the pervasive availability of information and the potential loss of privacy and security [1].

While privacy is often maintained through methods (e.g., encryption) that keep data from being read by unauthorized parties, this research looks at the relatively unexplored but equally important problem of maintaining the privacy of displayed information. Our overall goal is to create technically sound but practical methods of maintaining privacy of sensitive information that is displayed in public and mobile environments. Any solution must be resilient enough to work in any context (i.e., location and task independent), and ultimately adapt to changing contexts.

2. BACKGROUND
Privacy is valued and expected by most people to varying degrees. Usually an individual expects reasonable access to personal information while restricting strangers' access to this same information. Privacy requirements will also vary based on the type of information, and on the preferences of the information's owner (e.g., individual or organization) [e.g., 2].

Several hardware-based solutions have been explored to solve the problem of maintaining information privacy on mobile displays. Privacy covers have been developed for laptop screens that provide a clear view of the screen's contents to the user but obscure the view to anyone looking at the screen from an angle. Contents of screens can also be blurred, readable only through devices such as special eyeglasses. While potentially valuable in protecting the privacy of information, these techniques may have potential drawbacks in terms of 1) additional cost; 2) additional weight, bulk, and power consumption; 3) increased complexity; and 4) distortion or degradation of the displayed information, which could affect performance.

Our ongoing research concerns the development and testing of privacy blinders and related techniques. Privacy blinders [4] mimic the use of yellow sticky-notes to cover parts of a larger document so that they are not viewable by others. Blinders can be used to provide a mixed display in which sensitive information is hidden (covered) but information not considered private is displayed normally. If the user decides to view the sensitive information, they can temporarily remove the blinder. For example, blinders on a tablet PC or PDA might be removed by touching them with a stylus. When the stylus is removed from the screen, the blinders reappear. It is also possible to create blinders that can only be removed with a certain gesture, thereby creating a level of security along with information privacy.

Furthermore, privacy blinders can automatically respond to a predefined organizational and/or personal "privacy policy," which specifies what types of information are covered under different circumstances. An organizational policy might be dictated by the company a person works for, while a personal policy is customized to a user's own comfort level and privacy requirements. This method can also account for user context changes; if a person moves to a less public space, they might turn off the blinder feature and view all information without obstruction. Context might also be taken into account automatically by the system. For example, a change in location from a private office to a public meeting room might modify privacy settings by design. This flexibility allows adaptation to the changing environment of the mobile device user.

3. BLINDERS TO HIDE INFORMATION
To date we have completed two pilot studies with privacy blinders. The first study [4] tested the basic concept of the blinders in terms of usability and effectiveness. We used a limited-function Mozilla Web browser prototype in a controlled laboratory study with each subject searching three "canned" banking Web sites for specific information. Privacy blinders were
displayed based on special HTML tags next to information that was defined to be sensitive in nature. The blinders were set to a predefined size, and appeared centered directly over sensitive information. The user could reveal information protected by a blinder in one of two predetermined ways. For one, the blinder disappeared when the stylus was moved over it. The blinder reappeared when the stylus moved away. In the second, the privacy blinder disappeared for a total of 10 seconds when a special stylus gesture was made, then reappeared.

Figure 1. A random webpage with privacy blinders enabled.

In the second study [4], a Firefox Web browser extension with user-configurable privacy settings allowed users to browse personal information from any Web site. Unlike the software from the first study, this extension did not simply look for predefined HTML tags. It preprocessed any Web page, located user-defined sensitive information, placed user-customized blinders on top of the specified content, and presented the resulting "blinded" Web page to the user. Figure 1 shows a random Web page viewed with privacy blinders. Properties of the privacy blinders that could be user-configured included 1) whether to group blinders, 2) to use fixed or variable blinder sizes, and 3) setting the blinder opacity (transparency). Besides these blinder properties, the "privacy policy" could also be customized through an interface shown in Figure 2. Four classes of potentially sensitive content were supported. These were 1) monetary amounts (a number starting with "$" or containing two decimal points); 2) email addresses (abc@xyz.dom); 3) telephone numbers (e.g., xxx-xxx-xxxx); and 4) a user-specified delineated list of words and phrases that they wanted covered. All participants in this study responded positively to using the privacy blinders, and felt that privacy blinders would be useful on a PDA or mobile phone. Additional results of both studies can be found in [4].

4. CONTINUING WORK
While the original intent of the privacy blinders had been to protect sensitive personal and financial information from onlookers, there are many alternative uses that we had not originally envisioned, including parental filters, workplace privacy, highlighting, and color-coding of sensitive terms.

Work continues on examining different sizes and shapes of blinders, alternate ways of placing and removing blinders, and degrees of user customization. One idea is that, rather than completely removing a blinder, it might be set to drop its opacity level, allowing the user to view the information through a translucent panel, but still discouraging onlookers who are at a distance from the screen. When this is done, the software can also be compared directly against hardware-based techniques for screen privacy.

One implementation difficulty has been determining what content to cover. Currently the plug-in relies upon a simple matching paradigm to determine what to cover.

Figure 2. Configuration Dialog Box for Privacy Blinders.

Since our pilot studies, we have also modified the plug-in to cover graphics as well as text, and continue to add to its functionality and ability for user customization. Our long-term goal is to establish an interface that allows the easy definition of a personal "privacy policy" that can be used along with organizational privacy settings as required (see [3] for a good discussion of developing privacy rules).

We are planning to run longitudinal field tests where participants will be given a version of the software to run on their personal devices. The software will automatically track information about the privacy settings and how often blinders appear on various Web sites. The software will prompt the user for feedback after performing tasks with the browser. Versions of the privacy blinder software will also be created to run on PDAs and mobile phones.

Context data (such as location, co-location, and scheduled events) might also be used to automatically ensure that a user is interacting with a mobile system in the safest possible manner, and might increase privacy management effectiveness by shifting the burden of environmental awareness from user to system.

5. REFERENCES
1. Dourish, P., Grinter, R.E., Delgato de la Flor, J., and Joseph, M. Security in the Wild: User Strategies for Managing Security as an Everyday, Practical Problem. Personal and Ubiq. Computing, 8, (2004), 391-401.
2. Hawkey, K. and Inkpen, K. M. Keeping Up Appearances: Understanding the Dimensions of Incidental Information Privacy. Proc. of CHI 2006, (2006), 821-830.
3. Karat, C.-M., Karat, J., Brodie, C., and Feng, J. Evaluating Interfaces for Privacy Policy Rule Authoring. Proc. of CHI 2006, (2006), 83-92.
4. Tarasewich, P., Gong, J., and Conlan, R. Protecting Private Data in Public, Adjunct Proc. of CHI 2006, (2006), 1409-1414.