Personal and Ubiquitous Computing, Volume 13, Issue 6, pp 401–412

Understanding and capturing people’s privacy policies in a mobile social networking application

  • Norman Sadeh
  • Jason Hong
  • Lorrie Cranor
  • Ian Fette
  • Patrick Kelley
  • Madhu Prabaker
  • Jinghai Rao
Original Article


A number of mobile applications have emerged that allow users to locate one another. However, people have expressed concerns about the privacy implications associated with this class of software, suggesting that broad adoption may only happen to the extent that these concerns are adequately addressed. In this article, we report on our work on PeopleFinder, an application that enables cell phone and laptop users to selectively share their locations with others (e.g. friends, family, and colleagues). The objective of our work has been to better understand people’s attitudes and behaviors towards privacy as they interact with such an application, and to explore technologies that empower users to more effectively and efficiently specify their privacy preferences (or “policies”). These technologies include user interfaces for specifying rules and auditing disclosures, as well as machine learning techniques to refine user policies based on their feedback. We present evaluations of these technologies in the context of one laboratory study and three field studies.


Machine Learning Technique; Target User; Location Privacy; Location Tracking; Privacy Preference



This work is supported by NSF Cyber Trust grant CNS-0627513, NSF grant CNS-0433540, ARO research grant DAAD19-02-1-0389 to Carnegie Mellon University’s CyLab, and a grant from FCT to the CMU/Portugal Information and Communication Technologies Institute. Additional support has also been provided by France Telecom, Nokia, IBM and Microsoft, the latter through the Center for Computational Thinking. PeopleFinder’s WiFi-based location tracking functionality runs on top of technology developed by Skyhook Wireless. The authors would like to thank all the other members of Carnegie Mellon University’s project on “User-Controllable Security and Privacy for Pervasive Computing” for their help designing and evaluating the PeopleFinder application, including Lujo Bauer, Bruce McLaren, Mike Reiter, Jacob Albertson, Paul Drielsma, Jason Cornwell, David Hacker, Gary Hsieh, Jialiu Lin, Justin Pincar, Rob Reeder, Alberto Sardinha, Karen Tang, Janice Tsai, Kami Vaniea, Michael Weber, Wei Zhiqiang, and Yue Zhang.



Copyright information

© Springer-Verlag London Limited 2008

Authors and Affiliations

  • Norman Sadeh (1)
  • Jason Hong (1)
  • Lorrie Cranor (1)
  • Ian Fette (1)
  • Patrick Kelley (1)
  • Madhu Prabaker (1)
  • Jinghai Rao (1)

  1. ISR, School of Computer Science, Carnegie Mellon University, Pittsburgh, USA
