A PLA-based privacy-enhancing user modeling framework and its evaluation

Original Paper
User Modeling and User-Adapted Interaction

Abstract

Reconciling personalization with privacy has been a continuing interest in user modeling research. This aim has computational, legal and behavioral/attitudinal ramifications. We present a dynamic privacy-enhancing user modeling framework that supports compliance both with users’ individual privacy preferences and with the privacy laws and regulations that apply to each user. The framework is based on a software product line architecture (PLA) and selects, at runtime, the personalization methods that satisfy the privacy constraints currently in force. Since dynamic architectural reconfiguration is typically resource-intensive, we conducted a performance evaluation with four implementations of our system that vary two factors. The results show that at least one implementation of our approach is technically feasible with comparatively modest additional resources, even for websites with the highest traffic today. To gauge user reactions to the privacy controls that our framework enables, we also conducted a controlled experiment in which one group of users could specify privacy preferences and view the resulting effects on the personalization methods employed. Users in this treatment group used the feature, deemed it useful, and had fewer privacy concerns, as measured by higher disclosure of their personal data.
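The runtime selection step described in the abstract, as an added illustration that is not code from the paper or from the authors' implementation: personalization methods are modeled as variants of a product line, each declaring the data categories it reads, the purpose it serves and the methods whose output it needs; constraints come from the user's own opt-outs and from rules tagged by jurisdiction; the selector activates only the methods that every constraint permits, then drops anything whose dependencies were switched off, and reports why each inactive method is off (the kind of feedback the treatment group was shown). The method catalog, data categories, jurisdiction tags and rules are all constructed for this example; they are not a transcription of any statute or of the paper's actual method set.

```python
"""Constraint-driven selection of personalization methods (added example).

Miniature model of the runtime selection the paper describes: a catalog of
personalization methods (the product line's variants), privacy constraints
drawn from the user's preferences and from jurisdiction-tagged rules, and a
selector that activates only what every constraint permits, closing over
inter-method dependencies. All names and rules below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Method:
    name: str
    uses: frozenset                       # data categories the method reads
    purposes: frozenset                   # what it uses them for
    depends_on: frozenset = frozenset()   # methods whose output it needs


@dataclass(frozen=True)
class Constraint:
    source: str                           # "user" or a jurisdiction tag
    forbid_uses: frozenset = frozenset()
    forbid_purposes: frozenset = frozenset()

    def blocks(self, m: Method) -> bool:
        """True if the method touches a forbidden category or purpose."""
        return bool(m.uses & self.forbid_uses) or bool(m.purposes & self.forbid_purposes)


# Constructed catalog; a real site's product line would enumerate its own methods.
CATALOG = (
    Method("clickstream_inference", frozenset({"clickstream"}), frozenset({"modeling"})),
    Method("collaborative_filtering", frozenset({"ratings"}), frozenset({"recommendation"})),
    Method("demographic_recommender", frozenset({"demographics"}), frozenset({"recommendation"})),
    Method("interest_ads", frozenset({"inferred_interests"}), frozenset({"advertising"}),
           depends_on=frozenset({"clickstream_inference"})),
)

# Constructed per-jurisdiction rules; hypothetical, not a transcription of any statute.
JURISDICTION_RULES = {
    "region_a": (Constraint("region_a", forbid_purposes=frozenset({"advertising"})),),
    "region_b": (),
}


def user_constraints(prefs: dict) -> tuple:
    """Turn a user's opt-outs ({"clickstream": False, ...}) into constraints."""
    denied = frozenset(cat for cat, allowed in prefs.items() if not allowed)
    return (Constraint("user", forbid_uses=denied),) if denied else ()


def select_methods(catalog, constraints):
    """Return (active_names, blocked): the sorted names of permitted methods and,
    for each excluded one, the blocking constraint's source or the lost dependency."""
    active, blocked = {}, {}
    for m in catalog:
        hit = next((c for c in constraints if c.blocks(m)), None)
        if hit is None:
            active[m.name] = m
        else:
            blocked[m.name] = hit.source
    # Iterate to a fixpoint: a method cannot run if something it depends on is off.
    changed = True
    while changed:
        changed = False
        for name, m in list(active.items()):
            missing = m.depends_on - set(active)
            if missing:
                blocked[name] = "depends on " + ",".join(sorted(missing))
                del active[name]
                changed = True
    return sorted(active), blocked


def reconfigure(jurisdiction: str, prefs: dict):
    """Recompute the active configuration whenever the user's preferences or the
    applicable jurisdiction change; the blocked map feeds the user-facing explanation."""
    constraints = JURISDICTION_RULES[jurisdiction] + user_constraints(prefs)
    return select_methods(CATALOG, constraints)


if __name__ == "__main__":
    active, blocked = reconfigure("region_a", {"clickstream": False})
    print("active:", active)
    print("blocked:", blocked)
```

Calling `reconfigure()` on every preference or jurisdiction change is the dynamic reconfiguration whose cost the paper's performance evaluation measures; in a deployed system the catalog and rule table would be loaded from the architecture description rather than hard-coded, and the dependency fixpoint is what stops a permitted method from silently consuming output of one the user has switched off.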



Author information

Corresponding author: Yang Wang.

Additional information

The managing editor of this paper was Sandra Carberry, University of Delaware.

The conceptual and technical research described herein has already been reported in earlier preliminary publications, as indicated by self-references. The user evaluation and its connection with the other research thrusts is completely unreported.


Cite this article

Wang, Y., Kobsa, A. A PLA-based privacy-enhancing user modeling framework and its evaluation. User Model User-Adap Inter 23, 41–82 (2013). https://doi.org/10.1007/s11257-011-9114-8
