Abstract
We present a 3-week user study in which we tracked the locations of 27 subjects and asked them to rate when, where, and with whom they would have been comfortable sharing their locations. The results of analysis conducted on over 7,500 h of data suggest that the user population represented by our subjects has rich location-privacy preferences, with a number of critical dimensions, including time of day, day of week, and location. We describe a methodology for quantifying the effects, in terms of accuracy and amount of information shared, of privacy-setting types with differing levels of complexity (e.g., setting types that allow users to specify location- and/or time-based rules). Using the detailed preferences we collected, we identify the best possible policy (or collection of rules granting access to one’s location) for each subject and privacy-setting type. We measure the accuracy with which the resulting policies are able to capture our subjects’ preferences under a variety of assumptions about the sensitivity of the information and user-burden tolerance. One practical implication of our results is that today’s location-sharing applications may have failed to gain much traction due to their limited privacy settings, as they appear to be ineffective at capturing the preferences revealed by our study.
Notes
Loopt. http://loopt.com
Latitude. http://www.google.com/latitude
iPhone Dev Center. http://developer.apple.com/iphone
Android. http://code.google.com/android
Fire Eagle. http://fireeagle.yahoo.net
Locaccino. http://locaccino.org
These phones were generously provided by Nokia.
Details about the Skyhook API are available at http://skyhookwireless.com/.
For more details about this process, see the description of a similar technique used by Wang et al. for managing energy consumption while tracking users with mobile devices [26].
Path observations between locations were also depicted on some pages. However, we do not address those observations in this paper since they accounted for less than 1% of the observed time.
The partial group option was chosen about 20% of the time for Facebook friends. However, 89% of the time this option was chosen by a subject, the subject also reported that he or she would have been comfortable sharing with either friends and family, or the university community. These subjects were most likely considering one or both of these two groups as subgroups of Facebook friends. This hypothesis is further supported by the fact that 82% of the subjects reported in the post-study survey that they did not feel there were any relevant groups missing from our list. For these reasons, we treat this response as denying the entire group in our subsequent analysis.
We assume that there is no penalty for mistakenly withholding a location, since our post-study survey results suggest that subjects had relatively little disutility at this prospect. However, this can easily be added as an additional cost to the accuracy calculation in (1).
When a subject indicated that he or she would never have shared their location with a particular group, thereby making the accuracy equation undefined, we report the accuracy for that subject and group as one, since we assume that the default behavior of the system is to deny access, which is consistent with the subject’s preferences.
References
Barkhuus L, Brown B, Bell M, Hall M, Sherwood S, Chalmers M (2008) From awareness to repartee: sharing location within social groups. In: Proceedings of the conference on human factors in computing systems (CHI)
Barkhuus L, Dey A (2003) Location-based services for mobile telephony: a study of users’ privacy concerns. In: Proceedings of the international conference on human-computer interaction (INTERACT)
Benisch M, Sadeh N, Sandholm T (2008) A theory of expressiveness in mechanisms. In: Proceedings of the national conference on artificial intelligence (AAAI)
Benisch M, Sadeh N, Sandholm T (2009) Methodology for designing reasonably expressive mechanisms with application to ad auctions. In: Proceedings of the international joint conference on artificial intelligence (IJCAI)
Burghardt T, Buchmann E, Müller J, Böhm K (2009) Understanding user preferences and awareness: privacy mechanisms in location-based services. In: Proceedings of the onthemove conferences (OTM)
Connelly K, Khalil A, Liu Y (2007) Do I do what I say? Observed versus stated privacy preferences. In: Proceedings of the international conference on human-computer interaction (INTERACT)
Consolvo S, Smith I, Matthews T, LaMarca A, Tabert J, Powledge P (2005) Location disclosure to social relations: why, when, and what people want to share. In: Proceedings of the conference on human factors in computing systems (CHI)
Cornwell J, Fette I, Hsieh G, Prabaker M, Rao J, Tang K, Vaniea K, Bauer L, Cranor L, Hong J, McLaren B, Reiter M, Sadeh N (2007) User-controllable security and privacy for pervasive computing. In: Proceedings of the workshop on mobile computing systems and applications
Gonzalez MC, Hidalgo CA, Barabasi A-L (2008) Understanding individual human mobility patterns. Nature 453(7196):779–782
K Group (2009) BIA’s The Kelsey Group Forecasts U.S. mobile local search advertising revenues to reach $1.3B in 2013. http://www.kelseygroup.com/press
Hightower J, LaMarca A, Smith IE (2006) Practical lessons from place lab. IEEE Pervasive Comput 5(3):32–39
Huang S, Proulx F, Ratti C (2007) iFIND: a Peer-to-Peer application for real-time location monitoring on the MIT campus. In: International conference on computers in urban planning and urban management (CUPUM)
Iachello G, Smith I, Consolvo S, Abowd G, Hughes J, Howard J, Potter F, Scott J, Sohn T, Hightower J, LaMarca A (2005) Control, deception, and communication: evaluating the deployment of a location-enhanced messaging service. In: Proceedings of the international conference on ubiquitous computing (UbiComp)
Kelley PG, Benisch M, Sadeh N, Cranor LF (2010) When are users comfortable sharing locations with advertisers? Technical Report CMU-ISR-10-126, Carnegie Mellon University
Lederer S, Mankoff J, Dey AK (2003) Who wants to know what when? Privacy preference determinants in ubiquitous computing. In: Proceedings of the conference on human factors in computing systems (CHI)
Mazurek M, Arsenault J, Bresee J, Gupta N, Ion I, Johns C, Lee D, Liang Y, Olsen J, Salmon B, Shay R, Vaniea K, Bauer L, Cranor L, Ganger G, Reiter M (2010) Access control for home data sharing: attitudes, needs and practices. In: Proceedings of the conference on human factors in computing systems (CHI)
Miller CC, Wortham J (2010) Technology aside, most people still decline to be located. http://www.nytimes.com/2010/08/30/technology/30location.html
Patil S, Lai J (2005) Who gets to know what when: configuring privacy permissions in an awareness application. In: Proceedings of the conference on human factors in computing systems (CHI)
Sadeh N, Gandon F, Kwon OB (2006) Ambient intelligence: the MyCampus experience. In: Vasilakos T, Pedrycz W (eds) Ambient intelligence and pervasive computing. ArTech House, Norwood
Sadeh N, Hong J, Cranor L, Fette I, Kelley P, Prabaker M, Rao J (2009) Understanding and capturing people’s privacy policies in a mobile social networking application. J Pers Ubiquit Comput 13(6):401–412
Simon HA (1957) Models of man. Wiley, New York
Smith I, Consolvo S, LaMarca A, Hightower J, Scott J, Sohn T, Hughes J, Iachello G, Abowd G (2005) Social disclosure of place: from location technology to communication practices. In: Lecture notes in computer science: pervasive computing, pp 134–151
Toch E, Cranshaw J, Drielsma PH, Tsai JY, Kelley PG, Springfield J, Cranor L, Hong J, Sadeh N (2010) Empirical models of privacy in location sharing. In: International conference on Ubiquitous Computing (UbiComp), Copenhagen, Denmark
Tsai J, Kelley P, Cranor L, Sadeh N (2009) Location-sharing technologies: privacy risks and controls. In: Research conference on communication, information and internet policy (TPRC)
Tsai J, Kelley P, Drielsma PH, Cranor LF, Hong J, Sadeh N (2009) Who’s viewed you? The impact of feedback in a mobile-location system. In: Proceedings of the conference on human factors in computing systems (CHI)
Wang Y, Lin J, Annavaram M, Jacobson QA, Hong J, Krishnamachari B, Sadeh N (2009) A framework of energy efficient mobile sensing for automatic user state recognition. In: International conference on mobile systems, applications, and services (MobiSys)
Want R, Falcão V, Gibbons J (1992) The active badge location system. ACM Trans Inf Syst 10:91–102
Acknowledgments
This work has been supported by a Siebel Scholarship and NSF grants CNS-0627513, CNS-0905562, CNS-1012763. This research was also supported by CyLab at Carnegie Mellon under grants DAAD19-02-1-0389 and W911NF-09-1-0273 from the Army Research Office. Additional support has been provided by Nokia, France Telecom, Google, and the CMU/Portugal Information and Communication Technologies Institute. The authors would also like to thank Paul Hankes-Drielsma, Janice Tsai, Tuomas Sandholm, Lucian Cesca, Jialiu Lin, Tony Poor, Eran Toch, Kami Vaniea, and Jianwei Niu for their assistance with our study.
Cite this article
Benisch, M., Kelley, P.G., Sadeh, N. et al. Capturing location-privacy preferences: quantifying accuracy and user-burden tradeoffs. Pers Ubiquit Comput 15, 679–694 (2011). https://doi.org/10.1007/s00779-010-0346-0
DOI: https://doi.org/10.1007/s00779-010-0346-0