Usable Privacy - did you install the seat belt in your car?

In a recent chat with the journalist Eva Wolfangel we discussed why digital security and privacy is so little usable and why many computer scientists seem not to understand the problem. Reading several articles in newspapers I got really annoyed by many of my CS colleagues who:
(1) blame the user for not taking enough care of the data and for making little effort in installing the encryption modules into their email programs and
(2) focusing on new technologies and better encryption and better algorithms to improve security and not considering the entire system including the human user.

Eva wrote an interesting and comprehensive article on usable security in Spectrum der Wissenschaft (it is German and the full version is online at her website). In the following I am sharing the some of the thougts..

@1: Mount the Seatbelts Yourself 
Technically I agree that encryption is not really complicated to install and that most people using computers could learn how to keep their data safe and how to communicate using encryption. From my experience in the real world I see that they chose not to learn it and I completely disagree that this is the user’s fault. Making the end user responsible for security and privacy is in my view entirely and utterly wrong.

Photo by Wikipedia/Michiel1972

Consider this (obviously fictional) example that applies “user responsibly for safety” to another widely used product and shows how strange the idea is:
When you get a new car there are already fixtures and wholes prepared where you can attach the seat belts. In order to get the seats belts which you can than mount in your car, you just have to fill in a post-card (you get with the car) and send it to the manufacturer of your favorite seat belts. You get then the safety belts mailed to you home – free of charge – together with a 2-page manual how to fix them in the car. The only thing you need is a screwdriver and a wrench. It is so easy that really everyone can make their car safe within 30 minutes.

It is very clear and little surprising to anyone that this is not how we do it with cars. We have agreed that the car company is responsible for the safety of the car. Economically the above example would make it cheaper for the manufacturer – probably not all people would claim their seatbelt and the company saves the effort in mounting it. Nevertheless car companies still have to provide you with a build in seat belt if they want to sell their car in Germany…

@2: Live in a Bunker 

Again from a technical perspective it is of great importance that the algorithms are secure and the encryption is strong. Nevertheless this is in my view not the key problem. Take the following example. What is better a 20 random character string password or a 4 digit PIN? From a technical perspective this is clear – however most people will be able to remember a 4 digit PIN (without writing it down) but not many will be able to remember a 20 random character string. Hence the overall system with the PIN – if well designed – may be “better” than the apparently save password based solution (as people will write it down or email it to themselves).

In the physical world we are used to complex (social) systems that allow us to live in a secure environment. In Germany people generally live in houses and flats where people who are determined can break in (e.g. using a sledge hammer on the door, a stone from the front yard on the window, or using more subtle methods). Even though people could fortify their house most people I know value their windows and easy access to their house and do not live in a bunker or add seven additional locks to their front doors – they balance risk and comfort. In traditional environments we rely on the whole system: we expect that neighbors will keep an open eye, forced entry will leave traces, police will try to find a burglar and that they will be punished, and that for most people the risk of committing a crime is not worth the potential benefit.

From a society perspective we similarly balance risk and freedom. If a purse is stolen in a small town the police will not seal off the area and check each person and search each house. Traditionally this is not possible due to the effort involved but also due to our understanding that the actions taken by law enforcement has to follow the proportionality principle. In Germany we do not consider imposing a curfew, even though one could imagine that this would even more reduce the crime rate.

I think we should take the physical and social world as example and inspiration to create usable and secure systems that offer privacy to the end user.

Overall I think security and privacy in digital systems is much more a human computer interaction problem than most people (especially from the security community) think! If you read German you may want to look at the article Eva Wolfangel wrote on the topic.

Facebook – a platform to spot when companies go bankrupt? Real world example.

In the Germany the drug store chain Schlecker announced to be insolvent, see the Reuter news post. If you look at the company’s Facebook page and scan the comments from the last 4 weeks it is apparent that some people in the crowd and employees expected it already last year.
Schlecker is a large drug store chain with probably over 10.000 outlets in Europe and more than 30.000 employees.

The following screen shots show some selected examples I took from the following page: http://www.facebook.com/schlecker.drogerie 
The posts are in German – the minimal summary should give you some idea…

This one the company wishes a happy Christmas and reminds people of a chance to win a car. The first replies echo the holiday greetings but then one complains that they let their shops bleed out (run empty) and that the order good do not arrive (probably posted by an employee). One further speculates that the company is close to bankruptcy. (over 3 weeks before the official note of insolvency)





The company announces a 2 euro discount on a product. Then employees post that they would like to sell the goods to the customers but that they do not get the goods for their shops. Additionally they complain that the goods they get from other closed down shows are not what they need. One says we want to work but we cat (as they are running out of stock). (over 2 weeks before the official note of insolvency)


The company announces price reductions in some goods. Some says that is great – but would be much better if these goods would be in the shops to buy them. (9 days before the official note of insolvency)


Overall I think this is an instructive real world example of the information that can be found in social networks about the health/value of companies. In particular the mix of customers and employees posting makes it a good example to study. I would expect that companies will learn lessons from this with regard to guidelines for the employees… and about transparency / openness…to understand how reliable such posts are we probably need to do some more research? let us know if you are interested in working this with us.

Hippy, purple hair, piercing, ..., facebook? How to rebell

Inspired by some discussion on the implication of information sharing at AMI2011 I wanted to put this up for discussion here...

If you read newspapers you find a lot of people have major concerns about how young people are using social networks, and especially facebook. I believe many of them are well meaning when the speculate about the lasting damage young people do to themselves if the post too much too openly. Some of the concerns I share but I think there is another dimension to it, too.

Being young (e.g. teenager) is not about being sensible, reasonable, rational - it is about exploring the world and rebelling. Probably most of us looked for way to provoke reactions from parents and society in this phase of live. Some examples to remember... Hippies and sex in 70’s, green, blue, red and orange hair in the 80’s, in then in 90’s it was piercing. Now what can the young people do today? Granny had a skirt that was really short; parents had piercings in places where you don't want to think about…. It is easy - sharing a picture on facebook where you wear to little or nothing - and you get all the reactions. Especially you will get the same reaction that has been around for many decades (and your parent and grandparents got, too): if you do this no one will ever give you a job ;-)

I don't want to deny the risks of sharing information online, but I think we should analyze things a bit more deeply ...

Opening Keynote at AMI 2011: Margaret Morris

Margaret (Margi) Morris presented the opening keynote at the 2011 conference on ambient intelligence in Amsterdam (AMI2011) with the title “Left to our own devices”.

Margaret brought up an interesting point on motivation: Showing people what they lose is a stronger motivator than the prospective of gain. She made the point in order to implement this the depicted loss has to be very specific. She showed a facebook application “With a little help from my friends”, where this basic concept is applied.   I had recently seen a bill board adverting campaign for safe driving on motorways in Germany using this approach (basically showing the risk of loss of family).

In the talk several examples of devices and applications were presented. To learn more about her work I recommend the following two papers: at tool to improve emotional self-awareness [1] and an investing in social networks and their utility to promote health [2].

Another point that made me think was the question of how we design interventions. One conceptual example was about an obesity campaign. The official UK campaign starts out with the statement that obesity is a problem for 9 million kids. Her alternative is to provide instead of the information a specific hint about an opportunity for action for an individual (e.g. telling the kid when it leaves school in the afternoon: now is probably a good time to play soccer with your friends, as 16 of them like to play soccer). An open research question that relates to this seems to me to investigate the impact of information about the norm, e.g. how will it affect my behavior if I know that 70% of my friends think driving too fast is OK vs. if I know that only 20% find it acceptable. I think this could be further explored in the context of social networks to create interesting persuasive technologies.


There has been an interesting discussion after the talk. Norbert Streitz questioned if it is a good idea to ask people to engage more with digital devices (e.g. self monitoring one’s mood). The question is hinting that the engagement with the digital device keeps us from interaction in the “real” world. I think this separation is disappearing fast – making a phone call, listening to MP3, chatting with friends on facebook is for many of us real, we live in a world that is augmented by technology and the boundaries are bluring...

[1] Morris ME, Kathawala Q, Leen TK, Gorenstein EE, Guilak F, Labhard M, Deleeuw W. Mobile Therapy: Case Study Evaluations of a Cell Phone Application for Emotional Self-Awareness. Journal of Medical Internet Research 2010;12(2):e10. URL: http://www.jmir.org/2010/2/e10/

[2] Margaret E. Morris. 2005. Social Networks as Health Feedback Displays. IEEE Internet Computing 9, 5 (September 2005), 29-37. DOI=10.1109/MIC.2005.109 http://dx.doi.org/10.1109/MIC.2005.109

Complex circles, decision-making, expectations, plausible deniability

Google+ circles are on a conceptual basis well argued (e.g. the much talked about real world analogy) but it seems they do not to well for many of us. I though I share my limited observations in a blog post (if I would have done a real study I would publish it in a top conference ;-)

To me deciding  what circles I need and where to put people in these circles is pretty hard – ok I am in academia and this is not a typical environment (separation of work, hobby, friends...). Which of my co-workers are friends; do I differentiate between students in a course and the ones who do a thesis with me. Who belongs to “family” or do I need 5 or more categories to describe my family? It seems the number of circles is growing equally fast than the number of friends. Its probably just me who can not discriminate between different parts of live.

The implications of the many circles is that I have to make many more decisions than on facebook. If I accept an invitation it is a yes/no/not now decision in facebook (about 300-500ms plus the time to click ;-) … much longer with circles. When I post it is again time for making decisions – whom to include and who not to include.

The main issue with circles is for me the responsibility in sharing. In theory this is the great advantage – but in real live I think it is not (it is just a way of keeping old way of communication alive for some more time - if I want to address specific people I can use email ;-). As the others know that I have the choice to limit sharing to circles the expectation is that I manage this well. With whom should I share my unhappiness about a too long faculty meeting – thinking in circles – probably no one (or only the people waiting for me). Who should know that I have read an interesting article about planting bamboo – again in circles – probably only my wife because she asked me about it.

In summary this privilege (or the responsibility) to be able to specify whom we share information with make the posts much more predictable. I share with the HCI community the calls for papers, links to surveys we need participants, and the great papers we published, I share with the family the nice photo from our weekend hike, and I share with my students a link to a great article in the pervasive magazine they should read. Given my option to share to groups, sharing a photo of my daughter and me building a pneumatic lift with my students and colleagues would be inappropriate. However I argue that to share beyond circles – sharing things we would usually not share with this group – is what makes my facebook stream so much more exciting that the google+ stream. The comments of the people who I would not have included in a circle based addressing are the once which are often most interesting. From an information theoretical point of view the facebook stream has more entropy and carries massively more information as it is less predictable.

… and in facebook we (still) have an excuse (sort of plausible deniability) as there is no real responsibility for the sender to limit the receivers – it just a binary responsibility of is it OK to share or not.

Self-expression, Belonging, and Respect – Is Taking Risks Part of it?

Seeing someone walking up the leaning tower in Pisa with shoes that were clearly not designed for this situation I wondered about the risks people take in live. We recently had a discussion (with other parents) on the risks kids take today in the digital world – put up regrettable pictures flickr, liking a politically incorrect site on facebook, or posting silly things on twitter.

I sometimes feel in these discussions that I want to put things into perspective… We do a lot of things that are not reasonable in order to express ourselves and to present an image to our peer group (e.g. tattoos and piercings are common and there are risks associated). We want to belong to a group and hence we do things that are expected by our peers or even to impress them (e.g. doing a skateboard trick without protection or skiing where it is not allowed). If think hard there are probably many things you remember where you took major risks (when you were young)…  On TV I saw a yesterday night a documentary on the Hippie movement in the 1960/1970. In comparison to the risks young people took in order to change the world (or to just be different and accepted in their peer group) the risks you take on the Internet seem very tame…

There is a further point we can learn from this: eventually society (and the law) will catch up and some of the innovations will stay and change society. But some will no be accepted… People need to explore boundaries – otherwise progress is unlikely.

For many people who have explored boundaries in 1970ies (ranging from drugs to violence – in a way we have agreed today is completely unacceptable) this has not hindered their careers. People generally see actions in context…  Hence having the “wrong” photo on facebook is probably not harming someone’s career (but probably the time they spend on facebook rather than revising for exams may).

Percom 2011 in Seattle, keynote

This year's Percom conference was held in Seattle and offered an exciting and diverse program. Have a look the program to see it for yourself. The two keynotes were both looking at the implications of pervasive computing and communication - especially when thinking about the data is collected and how the data may be used.

Alex Pentland from MIT talked about their work on reality mining. The work looks at how one can capture interactions between people and between people and their environment and how such information can be exploited. One example he gave was on looking at the effect of face to face communication on the performance on workers. The basics insights of this work are thrilling and thinking it through it becomes obvious that we are at the start of new era of mankind. The arguments he made that we can contain and control such information I did not find convincing and I think it may be dangerous to tell decision makers in politics that we can provide solutions. I see no way (that is not restricting people's freedom massively or which reduces productivity massively) that would allow to control the information that will become available through pervasive computing… and all the solutions I have heard either will plainly not work or would require a global agreement over data protection laws…

The keynote on the second day was by Derek McAuley from Nottingham University. One of his topics was on product history and how the availability of product history has the potential to increase the value of products. I think this is a very powerful concept and we will in the near future see this commercially exploited.
Furthermore Dereck discussed interesting issues that come up with crowd sourcing and participatory sensing. One central point is where the data is hold and who controls the data collected. Especially in the context of cloud services this becomes transparent and important at the same time. With regard to the implementation is does not matter; however from a legal perspective it may make a serious difference whether you cloud service runs in German, the US, or on a ship somewhere in the Atlantic. An example he gave are navigation systems in cars which have a back channel. The cars sent back information about their speed and whereabouts and the information is used to predict the state of the road, which is then used to improve the navigation. He raised the questions what happens if this information is held somewhere were legislation has no control? I think this is going to happen and there is no real approach against it…
He made a case that end-users (individuals) should be able to bring together information about them and make use of it. On principle I like this idea to put the individual into control and allow them to exploit this data. For me this is however not a solution for data protection, as a certain part of individuals will sell their data - and in a free country there is probably very little society can do against it.

In summary - we are heading towards an exciting future!

PS: Percom 2012 will be in Lugano with Silvia and Marc chairing the conference. And I have the honor to serve as program chair. See the web page for more information (will be available soon) or the photo of the call for papers here.

What alarm clock are you using?

The answer is probably "my phone" - it seems that for many people the phone has become their primary alarm clock. We have discussed this before in a blog post…

Some years back I took part in a design competition at the appliance design conference and suggested an alarm clock that links you to your friends [1]. One of the ideas was to have dynamic wake up times based on when you friends got up. The paper was accepted in March 2005 - this was before twitter was founded and before facebook was open for general registration. At this time we envisioned this as a stand-alone appliance as micro-blogging was not yet around.

Time has move on and many appliance ideas have since become apps on the phone. In the course of his research Ali is working on ideas for increasing the connectedness between people. One of the case studies is now an alarm clock - called weSleep - that has the basic alarm clock function and has additionally means to log sleep hours and perceived sleep quality. It also allows to post information related to the going to sleep or being woken up to social networking software such as facebook.

Interesting in trying it out? Check out the web page of weSleep and if you are interested in taking part in a study please contact Ali (not sure if he still is interested in more volunteers).

[1] Schmidt, A. 2006. Network alarm clock (The 3AD International Design Competition). Personal Ubiquitous Comput. 10, 2-3 (Jan. 2006), 191-192. DOI=http://dx.doi.org/10.1007/s00779-005-0022-y

PhD defense of Michael Kuhn at ETH Zurich

Michael Kuhn defended his PhD thesis on "Understanding and Organizing User Generated Data: Methods and Applications" at ETH Zurich and I had the honor to be one of the examiners. His thesis is a prime example how solid theoretical concepts and practical applications go well together. He investigated the similarities in different domains, including people, conferences, and music. I came first across his work at Mobile HCI [1]. He has published an interesting set of papers on his work, see his page at ETH.

As one of the datasets he used http://www.livejournal.com which is can be freely crawled. This is an interesting resource for doing research on social networks.

As part of his dissertation project he implemented several applications. I found the following two remarkable and very useful:

• http://www.confsearch.org Looking for conference based on keywords? Searching for a conference in a field? Which conferences are related? Have a look and you will find some answers.
• http://www.museek.ethz.ch a comprehensive mobile music application for Android.

PS: http://academic.research.microsoft.com/ is another conference/publication search site - not sure how much I believe in automating the rankings of scientists - as the sites lists me with Aalborg University - and even a change request did not help to put my affiliation right ;-)

[1] Goussevskaia, O., Kuhn, M., and Wattenhofer, R. 2008. Exploring music collections on mobile devices. In Proceedings of the 10th international Conference on Human Computer interaction with Mobile Devices and Services (Amsterdam, The Netherlands, September 02 - 05, 2008). MobileHCI '08. ACM, New York, NY, 359-362. DOI= http://doi.acm.org/10.1145/1409240.1409288

Finally a simple explanation of social software

Social software and media is getting hugely popular and there are many longer explanations in CSCW and CHI why this works and what are the basic drivers. I saw a t-shirt that explains it in a single picture :-)

It may over generalize but there is some truth in it - and given the recent figures on the prevalence of ADHA it seems to be a driving business in the future…

Social networks connected to the real world

Florian Michahelles mentioned in his blog a talk [1] and paper [2] by Aaron Beach on mobile social networks that are linked to artefacts (e.g. clothing) in the real world. This is really interesting and I think we should look more into this...

[1] Aaron Beach. University of Colorado. Whozthat: Mobile Social Networks. Whoz touching me? Whoz Music? Whoz Watching? Who Cares?

[2] Beach, A.; Gartrell, M.; Akkala, S.; Elston, J.; Kelley, J.; Nishimoto, K.; Ray, B.; Razgulin, S.; Sundaresan, K.; Surendar, B.; Terada, M.; Han, R., "WhozThat? evolving an ecosystem for context-aware mobile social networks" Network, IEEE , vol.22, no.4, pp.50-55, July-Aug2008

Printed Yearbook - will they be replaced? Facebook with time-machine?

On the trip to Potsdam two young women sat opposite us - discussion one-by-one the pages in the yearbook of their school. The yearbook was from a school in Berlin was from 2009 and printed in highest quality - quite professional. Their discussion had a lot of forward references (what will become of people - and how they see and present themselves now). Looking back 10, 20 or 30 years after leaving school these images and texts are very interesting… There is a real value in paper that cannot be altered - here new technologies (facebook and alike) that evolve with the people are less entertaining.

Is there already a website like archive.org for social networks? An interesting feature in such sites could be a time machine. E.g. you can put in the date and you get the page as it was on that date (e.g. what friends did she have then, what music did she like, etc.) - would guess this is to come - I can hear the privacy worries already…