Technology & Research
Ubiquitous Computing - Place Lab

Place Lab People: Interview with Ian Smith, Intel Research Seattle
Ian E. Smith joined the Intel Research Seattle laboratory in 2003, where he explores the privacy issues surrounding location-enhanced computing. Previously on staff at the Xerox Palo Alto Research Center (PARC), Smith focused on the integration of software development tools and practices with ethnographic techniques in user interface development. He holds a Ph.D. in computer science from the Georgia Institute of Technology.

Q1: What is the primary challenge faced in the development of location-enhanced computing?
A1: Privacy. People need to stay in control of their location information. The challenge then is providing that control in a way they can understand and utilize effectively. It's very clear that people want to share their location information in some cases. "Where are you?" is the first question anyone asks on a cell phone. If privacy management gets out of the individual's control though, they start to think they're being monitored rather than occasionally disclosing things in order to aid their life.

Q2: How does Place Lab deal with these challenges?
A2: Place Lab has a couple of built-in advantages. In principle it's a passive system. It listens to the world and is able to compute location on the user's device. Secondly, our goal is to avoid the need for a central place where everyone's location information is collected.

Q3: In what way does distributing location information help?
A3: If you put everyone's location information in one place, you make it much more attractive for someone to potentially get in there and steal the data. It's a bigger target. However, if everyone retains control of their own location information, it's much more difficult to commit large-scale data theft.

Q4: Even if Place Lab provides privacy-observant positioning, don't the applications that run on it require users to divulge information?
A4: We hope to develop compelling applications that are also privacy sensitive. We've devised an application, called Ambush, which is compelling but also presents significant privacy risks. In this way, we can face those challenges head on. Ambush enables you to express a concept like "I want to know when my friend shows up on Telegraph Avenue because I live near there and I want to have a coffee with him." When the person arrives, you get notified. Of course, there are also enormous nefarious uses for this kind of application. We want people to say, "I understand why it's dangerous, but I want to use it and here's why."

Q5: How might Ambush lead to new techniques to reduce privacy concerns?
A5: We're doing user studies to get at people's understanding of what they believe the system is disclosing about them, how close their beliefs are to reality, and how important their location information is to them. People already carry cell phones, and those are tracked twenty-four hours a day, seven days a week. It seems that people have decided that it's either worth it for them--the utility value is high--or they're not informed about the risk. Ambush enables us to experiment with several privacy strategies and mechanisms to determine that.

Q6: Why not just use an on/off switch?
A6: The opt-in/opt-out solutions offered by institutions don't work very well for interpersonal interactions. The goal is to have a technology that enables a richer choice than "Yes, I'll provide my exact location" or "No, I won't." When someone calls you on your phone and asks where you are, you give a wide variety of answers depending on your relationship with that person. You might say, "I'm on my way home." Of course, strictly speaking that's not actually a place but it's still a useful piece of information. Or, you might tell your spouse that you're just a few blocks from home. I want my device to tell different things to different people.

Q7: What are some examples of those various degrees of location information?
A7: I travel a lot, so if my mom in Atlanta asks where I am, I can just answer "Seattle" and that's good enough for her. Sometimes, I might not mind my friends knowing my exact address. But if I'm away from the office and my co-workers ask where I am, I may be sensitive about that information. I may be at a doctor's appointment or running an errand with my wife. It's going to be hard to design a simple knob someone can turn to control what's revealed and to whom.

Q8: What techniques are you currently exploring?
A8: One way to prevent most abuse is reciprocity. To get someone else's location information, you have to give up yours. The system lets you know who is requesting your location. Another method is to enable the user to "make an argument" for the release of location information. If you want someone's location you have to tell them why you want it. For example, you might send a request for my location with the message "We should get our kids together in the park. Are you nearby?" The system must also enable you to describe and categorize people in complicated ways. For example, labeling someone a co-worker and automatically applying a set of rules about what's revealed isn't good enough. I have friends at work and I may have enemies at work too. I don't want them to have access to the same information about me.

Q9: Can each user make the decision on a case-by-case basis?
A9: We'd prefer this "explicit acceptance" technique, where you have to take a particular action to disclose your location at a level you're comfortable with. The problem is that this does not scale well to large numbers of requests. Either you'll get annoyed by having to constantly interact with the system or you'll become numb to the request and not really think through the decision of whether or not to disclose your location.

The relationship we have to people and our location is very complicated. If we don't get the privacy approach right, the rest of the technology just won't matter.