Ubiquitous Computing and Privacy

Introduction 
Ubiquitous computing has been a research topic for almost three decades, and the first real-life applications are now appearing. People expect ubiquitous computing to ease work and everyday routines, to increase security, and to extend their senses and memory. Everyday objects would carry sensors and/or RFID tags. These sensors and tags can be read anywhere, and personal data are collected, processed and/or stored as a result. Ubiquitous computing therefore needs an infrastructure of ubiquitous surveillance. 
In the future many participants, in constantly changing settings, with manifold goals and in very different contexts, will take part in ubiquitous computing. Systems will organize themselves, unnoticed by and opaque to the people affected. 
Today's privacy laws are made for situations with few participants in clearly defined roles. They aim to establish transparency, purpose limitation, necessity, control and participation for the persons affected. They are not made for situations with many participants in a variety of constantly changing roles, each pursuing different goals. Privacy law must adapt to ubiquitous computing in order to realize the right to informational self-determination (9). 
New privacy laws should address the following principles: 
 
data should be processed fairly and lawfully, 
data should be processed only for the purpose for which they were collected, 
data should be adequate, relevant and not excessive, 
data should be accurate and up to date, 
data should remain as local as possible, 
data should not be stored longer than necessary, 
appropriate sanctions must be available (11). 
 
To realize all this in ubiquitous computing, privacy principles must be built into the technology itself. In sensor networks and RFID systems, privacy means the appropriate handling and transfer of data by the ubiquitous surveillance infrastructures they constitute (9). 
Surveillance always has two faces. It is necessary and helpful for security, crime prevention and crime detection. On the other hand, surveillance changes behaviour: people feel unfree and inhibited (6, 7). For that reason people want to remain anonymous in public spaces (6, 11). Concepts such as consent to the collection, processing and storage of data, as we know them today, do not work in the context of ubiquitous surveillance. "If I cannot buy something to eat without surveillance, how can consent be free?" (6). In future the focus of privacy law should be on the person rather than on the data. Privacy in ubiquitous computing and surveillance is increasingly a problem of anonymity and untraceability. But anonymity of users and untraceability of every kind of "item of interest" would make many applications of ubiquitous computing impossible. Anonymity and untraceability are therefore meaningful only against attackers, not against the legitimate users of surveillance. Which surveillance is legitimate in ubiquitous computing has to be settled in privacy law. 
Anonymity 
From a technical point of view, anonymity is the state of not being identifiable within a set of subjects (e.g. people), the anonymity set. The anonymity set is the set of subjects that can trigger actions and/or be addressed by actions, i.e. subjects are senders within a set of senders or receivers within a set of receivers. If an attacker cannot link a particular user to a specific sender or receiver, the user is anonymous. Anonymity is thus not the anonymity of senders and receivers but the anonymity of users (8). 
Welbourne et al. have engineered tools for RFID systems with which users can delete the data the system has stored about them. Users can easily define rules about who may read which data and when, and which correlations the system is allowed to compute. With this, anonymity can be enforced ("nobody is allowed to read personal data") while the system still functions. The requirements of operators and authorities can also be implemented and recorded. This is an example of technology with which anonymity can be implemented in ubiquitous computing and ubiquitous surveillance (12). 
Untraceability 
Untraceability is also described here from a technical point of view. We define data, entities, identities, users, objects, subjects, services, resources and so on, or instances of them, as items of interest (IOI). IOIs are the "things" an attacker is interested in. IOIs are untraceable if an attacker is unable to see a relation between two or more IOIs or to trace an IOI through a network. For instance, if cars exchange messages in a car-to-car safety message system, the messages must not be traceable to any single car, so that the car's route cannot be reconstructed (10, 2, 5, 1, 3, 8). 
The same holds for clothes carrying RFID tags that pass different readers over time (4). 
Untraceability of this kind can be implemented as follows (4): 
 
The reader sends a message to the tag containing a fresh nonce NR. 
The tag generates its own nonce NT and replies with NT, the hashed tag ID h(ID), and a keyed hash of the nonce pair under its current ID, h_ID(NR, NT). The reader passes this triple to the application system. The application system looks up h(ID) in its database to recover the tag's ID, recomputes h_ID(NR, NT) from the NR it issued and the NT it received, and compares the result with the value sent by the tag; if they match, the tag is authenticated. 
If the application system accepts the tag, it computes a new tag ID; the tag computes the new ID with the same algorithm. The application system then sends the tag a keyed hash of the nonces in reversed order under the new ID, h_ID'(NT, NR). 
The tag checks this message against the new ID it computed itself. If the keyed hash verifies, the old ID and the nonce NT are erased from the tag's memory. 
 
For an attacker the tag is untraceable, because its ID changes with every exchange: the hashed ID and the keyed hashes seen on the air are different each time, and a recorded reply cannot be reused because the reader's nonce NR is fresh. The application system, which knows the update algorithm, can still track the tag (4). 
The examples above for implementing anonymity and untraceability show that privacy can be built into ubiquitous systems, as Roßnagel (9) demands. What is needed are legal frameworks that require such privacy features in ubiquitous systems. In defining such a framework, the following questions should be answered: 
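The four-step exchange above, as an added example that is not part of the cited paper or of this page: SHA-256 stands in for h, HMAC-SHA256 for the keyed hash h_ID, and a hash-based ID update for the ID-update algorithm the text does not specify; the class and function names are mine. The application system keeps the old h(ID) entry after issuing the confirmation so that a tag whose final message was lost is still recognised, which is an assumption about the back end that the description above does not cover.

```python
import hashlib
import hmac
import os

# Added example, not the protocol authors' code. SHA-256, HMAC-SHA256 and the
# ID-update function below are assumptions standing in for h, h_ID and the
# unspecified ID-update algorithm.


def h(data: bytes) -> bytes:
    """One-way hash that hides the tag ID on the air interface."""
    return hashlib.sha256(data).digest()


def keyed_h(key: bytes, *parts: bytes) -> bytes:
    """h_ID(...): a keyed hash under the tag's current ID (assumed HMAC-SHA256)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def next_id(identifier: bytes) -> bytes:
    """ID-update step shared by tag and application system (assumed: SHA-256 with a domain prefix)."""
    return hashlib.sha256(b"id-update|" + identifier).digest()


class Tag:
    """Tag side: holds only its current ID plus the pending update."""

    def __init__(self, identifier: bytes) -> None:
        self.identifier = identifier
        self.pending = None  # (new ID, NT) kept until the application confirms

    def respond(self, nr: bytes):
        """Message 2: answer the reader's nonce NR with NT, h(ID), h_ID(NR, NT)."""
        nt = os.urandom(16)
        self.pending = (next_id(self.identifier), nt)
        return nt, h(self.identifier), keyed_h(self.identifier, nr, nt)

    def finish(self, nr: bytes, confirmation: bytes) -> bool:
        """Message 3: accept h_ID'(NT, NR) only if it verifies under the new ID."""
        if self.pending is None:
            return False
        new_id, nt = self.pending
        if not hmac.compare_digest(confirmation, keyed_h(new_id, nt, nr)):
            return False
        self.identifier = new_id  # old ID and NT are erased
        self.pending = None
        return True


class ApplicationSystem:
    """Back end: indexes tags by h(ID) so it can recover the ID from message 2."""

    def __init__(self, tags: dict) -> None:
        self.index = {h(identifier): (name, identifier) for name, identifier in tags.items()}

    def verify(self, nr: bytes, nt: bytes, hashed_id: bytes, mac: bytes):
        """Return (tag name, message 3) on success, (None, None) otherwise."""
        entry = self.index.get(hashed_id)
        if entry is None:
            return None, None
        name, identifier = entry
        if not hmac.compare_digest(mac, keyed_h(identifier, nr, nt)):
            return None, None
        new_id = next_id(identifier)
        # The old entry is kept on purpose: if message 3 is lost the tag still holds
        # its old ID and must be recognised next time. This retention is an assumption
        # (the description above does not say how the back end handles a lost
        # confirmation); a real deployment would prune the old entry once the tag
        # has shown up under its new ID.
        self.index[h(new_id)] = (name, new_id)
        return name, keyed_h(new_id, nt, nr)


def run_session(tag: Tag, app: ApplicationSystem, drop_confirmation: bool = False):
    """One reader pass. Returns (name recognised by the back end, tag updated?, h(ID) seen on air)."""
    nr = os.urandom(16)                      # message 1
    nt, hashed_id, mac = tag.respond(nr)     # message 2, relayed by the reader
    name, confirmation = app.verify(nr, nt, hashed_id, mac)
    updated = name is not None and not drop_confirmation and tag.finish(nr, confirmation)
    return name, updated, hashed_id


if __name__ == "__main__":
    jacket = Tag(os.urandom(16))             # constructed sample tag
    app = ApplicationSystem({"jacket": jacket.identifier})
    seen = [run_session(jacket, app) for _ in range(3)]
    print("recognised by back end:", [s[0] for s in seen])
    print("distinct h(ID) values on the air:", len({s[2] for s in seen}))
```

Each pass puts a different h(ID) on the air while the back end keeps recognising the same tag, and a captured reply replayed under a fresh NR fails the keyed-hash check.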
 
Who owns the data that an RFID reader collects and an application system processes and stores? 
Are there labelling obligations for items carrying RFID tags (e.g. clothing, food)? 
Is official approval required for the installation of RFID readers and sensors? 
 
When CCTV appeared in public places in the 1990s, Gras (6) showed that it is much harder to regulate the use of a technology once it is installed than before installation and use. Legislation must therefore keep pace with technological progress. 
References and Notes 
 
(1) Arapinis, M.; Chothia, T.; Ritter, E.; Ryan, M.: Analysing Unlinkability and Anonymity Using the Applied Pi Calculus, http://www.cs.bham.ac.uk/~tpc/Papers/csf10.pdf, visited 16.12.14 
(2) Blues Team: Unverkettbarkeit und Pseudonymität in der digitalen Welt [Unlinkability and Pseudonymity in the Digital World], http://blues.inf.tu-dresden.de/prime/EUT_Tutorial_V0/german/german/Content/Unit2/dig.%20unlink.htm, visited 16.12.14 
(3) Bruso, M.; Chatzikokolakis, K.; Etalle, S.; den Hartog, J.: Linking Unlinkability, https://hal.inria.fr/hal-00760150/PDF/Unlinkability.pdf, visited 16.12.14 
(4) Dimitriou, T.: A Lightweight RFID Protocol to Protect against Traceability and Cloning Attacks, http://www.ait.gr/export/TDIM/various/RFID-securecomm05.pdf, visited 18.2.15 
(5) Fischer, L.: Measuring Unlinkability for Privacy Enhancing Technologies, http://tuprints.ulb.tu-darmstadt.de/2367/1/lars_fischer_dissertation.pdf, visited 16.12.14 
(6) Gras, M. L.: The Legal Regulation of CCTV in Europe, http://library.queensu.ca/ojs/index.php/surveillance-and-society/article/viewFile/3375/3338, visited 17.02.15 
(7) Gerichtshof der Europäischen Union [Court of Justice of the European Union]: "Der Gerichtshof erklärt die Richtlinie über die Vorratsspeicherung von Daten für ungültig" [The Court declares the Data Retention Directive invalid], http://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054de.pdf, visited 17.02.15 
(8) Pfitzmann, A.; Hansen, M.: Anonymity, Unlinkability, Unobservability, Pseudonymity, and Identity Management: A Consolidated Proposal for Terminology, http://freehaven.net/anonbib/cache/terminology.pdf, visited 16.12.14 
(9) Roßnagel, A.: Datenschutz in einem informatisierten Alltag [Data Protection in a Computerised Everyday Life], http://library.fes.de/pdf-files/stabsabteilung/04548.pdf, visited 19.11.14 
(10) Rost, M.; Pfitzmann, A.: Datenschutzziele [Data Protection Goals], http://download.springer.com/static/pdf/814/art%253A10.1007%252Fs11623-009-0072-9.pdf?auth66=1416396902_c7935e6bcf15afa95108ffb192c1fd9f&ext=.pdf, visited 19.11.14 
(11) Taylor, N.: State Surveillance and the Right to Privacy, http://library.queensu.ca/ojs/index.php/surveillance-and-society/article/viewFile/3394/3357, visited 17.02.15 
(12) Welbourne, E.; Battle, L.; Cole, G.; Gould, K.; Rector, K.; Raymer, S.; Balazinska, M.; Borriello, G.: Building the Internet of Things Using RFID: The RFID Ecosystem Experience, http://www.researchgate.net/profile/Kyle_Rector/publication/220491250_Building_the_Internet_of_Things_Using_RFID_The_RFID_Ecosystem_Experience/links/0c960519d82721508d000000.pdf, visited 18.2.15


Introduction
Ubiquitous computing and ambient interfaces have the potential to usher us into a golden age in which all our wants are met with the flick of a wrist and our environment dynamically adapts to suit our needs. They also have the potential to lead us into a terrifying brave new world filled with omnipresent surveillance and universal intrusion into our private lives. Privacy is very important to many computer users, and there is a growing worry that it may be going the way of the dodo. Privacy-aware interface design coupled with privacy-sensitive ubiquitous systems can help ensure that the game of hide-and-seek remains playable and fun for the foreseeable future. This paper gives a brief overview of the current state of privacy from a cultural, legal, and economic perspective, and then an overview of the privacy levels afforded by current technologies for building ambient interfaces. We then discuss some of the ways ambient interface projects are dealing with privacy, and end with three visions of the future.

The State of Privacy
The issue of privacy has only recently begun to be embraced by the computer science community. This makes some sense because, unlike security, privacy is impossible to separate from the surrounding culture and values. In an effort to help spur a formalized approach, however, some have called for privacy risk models. These would function analogously to security threat models and would allow designers and scientists to speak more rigorously about what they do and do not mean by "this system is privacy enhanced".
Aside from these developments, there is a growing consensus that "privacy may be the greatest barrier to the long term success of ubiquitous computing" [HNLL]. As people are exposed to more and more images of omnipresent surveillance as a recipe for a fascist dystopia, via books such as 1984, Brave New World and We and films such as Minority Report, Enemy of the State and Conspiracy Theory, there is growing cultural unease about the current state of privacy and where it is headed. The films in particular are riddled with images of what is possible with fast computers and unethical programmers. Scott McNealy, the CEO of Sun Microsystems, famously said "You have no privacy, get over it", a quote that does not sit well with most of the population.
Guaranteeing privacy solely through hacker wizardry and creative number theory does not seem to be possible; indeed, whether privacy even matters varies from culture to culture. This inability to separate the privacy problem from its surrounding culture means that, as Lessig notes, to talk about privacy we must talk about it with respect to the forces that affect it: cultural, economic, legal, and technological [Les99]. We deal with these forces in order in the following sections.

Cultural and Ethical
Putting aside issues of economics and legal rights, what should we be allowed to keep private? Both American and European culture seem to say "anything that you want", although European culture seems less interested in keeping it private. Where the two cultures differ is in how others may use data collected about you. In the European Union, companies are expected to ask before trading your data. In the US, almost anything a company can collect is fair game for it to sell to anyone else, and that is generally culturally okay. SAGE, the system administrators' guild associated with USENIX, has a written code of ethics for system administrators, and its privacy section states:

    I will access private information on computer systems only when it is necessary in the course of my technical duties. I will maintain and protect the confidentiality of any information to which I may have access regardless of the method by which I came into knowledge of it. [SAG03]

This seems like the policy we can all agree on, despite its fuzziness when applied to other disciplines. Companies should respect the privacy of their customers and only gather and use the data necessary to fulfil their business. Everyone should be honorable and respect the privacy desires of their fellow citizens.
This fuzzy desire was codified years ago in a set of guidelines set forth by the government in 1973 entitled "Fair Information Practices" [UDoHW73]. Fair information practices generally match what a casual reader would expect. An entity that follows these guidelines must:
• Disclose all data gathering and record keeping
• Take steps to assure that the data is reliable
• Allow people to see their own records and find out how they are used
• Not collect data for one purpose and then use it for another without user consent
• Allow people to correct or amend their own files
Ironically, if we could depend on everyone to be nice, we would not need any other form of privacy protection. Privacy is only really useful when keeping a secret from someone who would use that information maliciously. Thus, while a code of ethics is a good idea, particularly in professions with access to lots of private information, stronger guarantees of privacy are essential in the long run.
Any ambient or ubiquitous system under design should allow for fair information practices, should the installer of the system want to implement them. This cultural and ethical decision has several technological implications, the requirement that people may see their own records being perhaps the most onerous.

The Current Market
Companies have no obligation to keep things private beyond the legal requirement of telling you if they are going to make an audio recording. Consumer demand for privacy seems to be nil, so nobody is trying to fill the gap. Unfortunately, it seems that demand is so low because people do not realize how little privacy they really have and do not comprehend the realities of the current situation. When asked whether privacy is important to them, most people will strongly say yes, but that professed desire is not borne out in their consumer choices.
Fair Information Practices do a pretty good job of defining what it means to have a good privacy policy, and they state in very specific terms what a company needs to do in order to comply with them. A company in compliance can then say so in its literature. Some hope that this or some other certification could be used much like organic certification for food, giving consumers an opportunity to make an informed choice about their privacy preferences.
If the designer of an ambient or ubiquitous system would like the privacy-promoting version of the system to be installed and used, it is essential that privacy not be an expensive option. Given that people are currently willing to trade privacy for a 5% discount on groceries, if the privacy option increases costs by more than 5%, nobody will elect to purchase it.

Legal
The police and other executive agencies are required to obtain a warrant to search your person, but the law is a lot murkier with respect to signals that travel over the air. Cellular and cordless phones are legally phones, and are accorded the same legal protections as corded phones, but wireless computers and other digital signaling devices lie in a gray area. It seems to be illegal to use someone's wireless network without their permission, but whether it is legal for you to look at traffic you can sniff on the local link is another matter entirely.
Ambient interfaces, many of which monitor the state of the local environment, must be built with these legal constraints in mind. Signs must be posted if audio sensors are used, or the system might run afoul of wiretap laws. If data is logged, the designers must take into account what can be mined from the system's logs and whether they really want to hold data that is vulnerable to a subpoena.

Privacy in Current Ubiquitous Computing Technologies

Cellular Phones
Cell phones are rapidly becoming a computer that everyone carries. Many can log in to instant messenger systems or browse the web, and new ones include cameras and GPS receivers. Because cell phones work on a cell system, they necessarily inform the phone company which cell the phone is in at all times. Furthermore, because the signals are broadcast, they can be picked up by anyone with a scanner. Since analog phone signals are sent in the clear, anything said on an analog cellular phone can be heard by anyone with a scanner that covers the relevant frequencies.
Since cell phones are a replacement for phones, however, the courts have ruled that wiretap laws apply to all cell communications, so it is illegal to listen in on cell phone transmissions without some kind of judicial permission. Fortunately, digital cell phones can depend on more than people being nice enough not to break the law, as most digital phones encrypt their signals. That encryption covers only the radio link between the handset and the base station, and the strength of the cipher varies between systems, so it is a protection against casual scanning rather than a guarantee.
Because cell phone calls eventually traverse the standard telephone system, they can still be wiretapped with the assistance of the phone company, but that has always been true of phones.
The increasing capabilities of cell phones, and their convergence with digital cameras and global positioning system (GPS) devices, have led to an awareness that a GPS/cellphone/camera with some firmware tweaks would make a really great bug. The social implications of putting bugging technology into the hands of everyone who wants it remain unclear, but everyone agrees that it will, in the long run, greatly change things [Bri99].

802.11
If the interface requires wireless communication using IP, then 802.11 is rapidly becoming the standard way. The designers of 802.11 tried to create a cryptosystem that would give the same amount of privacy as data travelling over a wire, and so called it Wired Equivalent Privacy (WEP). They explicitly set out to build a cryptosystem that, while perhaps not perfect, was good enough. Unfortunately, the system has flaws at the protocol level, in the way the short per-packet initialization vector and the shared key are fed into the RC4 stream cipher, that allow a passive listener who has collected enough traffic to recover the key and decrypt all network traffic [SIRar]. So all 802.11 traffic protected only by WEP is essentially being broadcast in the clear to the surrounding area.
Again, this is an area where technology has moved ahead of the law, so it is not clear how or whether wiretap laws apply when non-voice data is sent over the air, and it is certainly trivial for people other than law enforcement to tap these communications.

Bluetooth
For shorter-range networking between smaller devices, such as wireless keyboards and MP3 players, Bluetooth has become the standard of choice. Much derided for its slow adoption, it is nonetheless beginning to gain a foothold in the market. When Bluetooth was designed, the designers were aware of privacy issues but chose to set them aside on the grounds that Bluetooth was only for short-range communication, so signals would not travel far enough for privacy to be a concern. As a result there are few protocol-level or hardware-level privacy protections intrinsic to the technology: Bluetooth does offer pairing and link-level encryption, but a device's fixed hardware address is visible to anyone in range, so tracking a device requires no cipher to be broken.
High-powered Bluetooth devices do exist, however, and even low-powered devices can be sniffed from farther away than a user might want. Ad-hoc networking may occur without the user's knowledge or consent, which worries people to the point that it is now possible to buy shielding bags whose only purpose is to prevent wireless signals, and particularly Bluetooth, from leaving a device.
The legality of listening to another person's Bluetooth communications is even less clear than for 802.11, due to the commonness of spontaneous ad-hoc networking coupled with the potentially highly personal nature of much Bluetooth traffic.

Radio Frequency ID
Radio Frequency Identification (RFID) is the new technology that most worries privacy advocates. Designed to replace Universal Product Codes (UPC) with something that is more easily scanned and can be read from farther away, these little tags are extremely inexpensive and can be put on almost anything. Because a passive tag is powered by the query signal, there is no battery to wear down, and the tag will broadcast its globally unique ID to anyone that asks. With read ranges of up to 16 feet, RFID makes tracking through a building almost trivial.
This could be an ambient interface designer's dream come true! If every object had a globally unique identifier, it would be much easier to monitor the environment and get reliable information about which objects are where. This confidence could then be translated into more daring software agents that change the lighting or send alarms based on the state of the surrounding world.
This technological breakthrough is being introduced in a very poor way. Due to consumer privacy concerns and fear of a backlash after a public rollout, RFID tags are being embedded in products without consumers' knowledge or permission. When confronted with consumer outrage over omnipresent tracking, many companies are choosing simply to roll out the technology in secret. To keep this secret, and to ensure that tags are difficult to tamper with, tags are often embedded in such a way that removing them damages the product. Examples are tags sewn into the lining of clothes, or embedded between the layers of paper in a bag of dog food.
Security- and privacy-aware RFID tags do exist, but at roughly a 400% markup over regular tags it is unlikely that any user of the technology is going to quadruple their costs without real consumer demand for privacy, and consumer demand for privacy is very fickle. RFID tags are currently being debated for tracking library books in the San Francisco library system, but they have been quietly rolled out elsewhere with no debate at all. In Eugene, Oregon, the Eugene Public Library is RFID enabled but does not use the secure tags. Thus, anyone with an RFID scanner and an internet connection can know exactly what books are in a person's backpack. This lets bookstores know a browser's interests from the moment they walk in the door, but it also lets the police know what books a person is carrying without a warrant, permission, or even the person's knowledge. Anecdotal evidence and conversations with librarians at the Eugene Public Library have revealed a profound lack of understanding of its tracking capabilities.
There is also a persistent rumor that large-denomination banknotes will carry RFID tags in an effort to fight counterfeiting. There have been rumors of Japan tagging all 10,000 yen notes, and of the EU tagging the 200 and 500 euro notes. The privacy risks of such a scheme are numerous, obvious, and astounding, but since very little credible news about these schemes has surfaced, this should be filed away in the rumor bin for now.

Platform for Privacy Preferences
There is one technology that has been designed, implemented, and deployed based solely on the desire for privacy protection. The Platform for Privacy Preferences (P3P) is a W3C standard, developed with AT&T Labs researchers, that takes an agent-based approach to privacy preferences. A site publishes a machine-readable version of its privacy policy; a browser agent (AT&T's Privacy Bird plugin, for example) parses it, decides whether it matches the user's preferences, and can refuse to connect if the policy on the other end is unacceptable. The developers hope that this idea can be extended beyond the web to other fields, and that people might one day auto-negotiate their own privacy preferences in the real world using a system built on P3P [Cra02]. It suffers from a chicken-and-egg problem: unless browsers support P3P nobody will publish machine-readable policies, and nobody will build a browser to support a complicated standard that no one is using. Adoption has nonetheless been proceeding apace, with more and more sites sporting P3P policies. This has largely happened because Microsoft decided that the next version of Internet Explorer (IE6) would not accept third-party cookies unless an acceptable privacy policy is attached to them. Thus, any site that wants to use third-party cookies and interoperate with IE6 must adopt P3P.

Confab
In an attempt to provide a privacy-sensitive toolkit to ambient interface and ubiquitous computing designers, such a toolkit has been developed [HL04]. This toolkit, Confab, gives designers a way of describing what information can and should be shared, and for how long. Furthermore, it allows personal information to be tagged with expiration dates and times, so if some agent in the system is not deleting data when it should, then whenever it shares that data it is obvious that it is behaving badly and is not to be trusted. This is a pretty good model of how the real world works: if a person gossips a lot, people are less likely to share personal information with them.
On top of Confab, the authors built three sample applications and showed how each protects privacy. The general idea behind each system's privacy protections is that all data remain with a trusted party (either the user or a designated agent) until the last possible moment. That trusted party is then empowered to give away information or not, and to change the precision of the information it distributes based on the identity of the recipient. This is analogous to how people give out information in the physical world, and thus fits most people's intuitions about privacy.
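The following is an added example of my own, not Confab's API or the authors' code, modelling the two mechanisms just described: each datum carries an expiry set by its owner, the trusted holder decides per recipient whether to disclose it and at what precision, and a party that forwards a record past its expiry is marked as untrustworthy. The class names, the two trust levels and the coordinate rounding are assumptions made for the example.

```python
# Added example (my own model of the ideas above, not Confab's API). Trust levels,
# class names and the 0.1-degree rounding are assumptions.

FULL, COARSE = "full", "coarse"  # trust levels a holder assigns to recipients


class Datum:
    """A location observation carrying the owner's expiry (seconds since epoch)."""

    def __init__(self, owner: str, lat: float, lon: float, expires_at: float) -> None:
        self.owner, self.lat, self.lon, self.expires_at = owner, lat, lon, expires_at

    def expired(self, now: float) -> bool:
        return now >= self.expires_at


class Holder:
    """The trusted party (the user or her agent) that keeps data until disclosure."""

    def __init__(self, policy: dict) -> None:
        self.policy = dict(policy)  # recipient -> FULL or COARSE; absent means no access
        self.distrusted = set()     # recipients caught forwarding expired data

    def disclose(self, datum: Datum, recipient: str, now: float):
        """Return the record to hand to `recipient`, or None if nothing may leave."""
        if datum.expired(now) or recipient in self.distrusted:
            return None
        level = self.policy.get(recipient)
        if level is None:
            return None
        # The expiry travels with the record so the recipient's own deletion can be checked.
        record = {"owner": datum.owner, "expires_at": datum.expires_at}
        if level == FULL:
            record.update(lat=datum.lat, lon=datum.lon)
        else:
            # COARSE: round to 0.1 degree (roughly 10 km), so the recipient learns
            # the area but not the building.
            record.update(lat=round(datum.lat, 1), lon=round(datum.lon, 1))
        return record

    def receive(self, sender: str, record: dict, now: float) -> bool:
        """Accept a record from another party. A record already past its expiry
        proves the sender kept data it should have deleted, so the sender loses
        trust and gets nothing from this holder from now on."""
        if record["expires_at"] <= now:
            self.distrusted.add(sender)
            return False
        return True


if __name__ == "__main__":
    # Constructed sample: Alice's agent shares her position with Bob at full precision
    # and with a cafe's display only coarsely; the datum expires at t=1000.
    alice = Holder({"bob": FULL, "cafe": COARSE})
    where = Datum("alice", 47.6205, -122.3493, expires_at=1000)
    print("to bob:", alice.disclose(where, "bob", now=500))
    print("to cafe:", alice.disclose(where, "cafe", now=500))
    print("to a stranger:", alice.disclose(where, "stranger", now=500))
    # Bob forwards a record whose expiry has passed: he is no longer trusted.
    alice.receive("bob", {"owner": "carol", "expires_at": 200}, now=500)
    print("to bob after gossiping:", alice.disclose(where, "bob", now=500))
```

The holder never releases an expired datum, degrades precision rather than refusing outright where the policy says so, and uses the expiry carried in incoming records as evidence of whether a peer honours deletion.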

Privacy Sensitive Interfaces
This survey of technology is all well and good, albeit a little depressing, but we already know that in some circumstances it is possible to build a good, reliable system on what seems like a shaky foundation. TCP is a good example: it forms reliable connections on top of a network in which delivery is not guaranteed. SSH is another: it gives people secure and private connections and runs on top of TCP, which has no security guarantees. Perhaps P3P is yet another, in the way that it tries to provide privacy protections using HTTP, which has no privacy component. So it may be possible to help ensure privacy by building systems on top of the technologies already surveyed.
In an effort to see whether anyone is actually building privacy into their systems, we examine what is hoped to be a representative sample of ambient interfaces and how each has dealt with the issue of privacy. Like most technology, each of these systems can clearly be used for good or ill, and the culture in which each is used has more to do with whether abuses will happen than the technology itself. Some systems rely solely on the deployer being a good person and applying fair information practices across the board, while others try to provide real safeguards against abuse. Despite the paramount importance of the context of use, privacy protections intrinsic to the system can be of great use to users, so for each technology we report both the expected use and what might be possible.

AmbientROOM
AmbientROOM is a project from the MIT Media Lab that attempts to build the workspace of the future. It is filled with projected displays of information, from a set of stars that twinkle and increase in number with the occupancy of a nearby lobby, to aural indicators of network traffic and physical icons representing the state of various sensors. There is also a clock that, when set to a non-current time, puts the office into the state it was in at that time [IWB+98]. This obviously has massive data-mining potential, both for and of the room's inhabitant. The displays can be connected to any valid sensor, and allow the user to constantly monitor many more systems and areas than was previously possible. In an effort to better serve the user, the room also continuously records its state and saves it so that the user can go back to a previous room configuration. In a workplace, this data could be invaluable to a snooping employer or corporate spy.
Privacy concerns clearly came up in the design and testing of the system, as the designers abstracted their display of the occupancy of the adjacent lobby in response to user concerns about privacy, but that seems to be their only concession in that direction. The data collected on a user is potentially quite extensive, and any installer would need to explicitly set up fair information practices in order to respect users' privacy.

Telemurals
The Telemurals project was an audiovisual display linking the elevator waiting areas in two buildings on the MIT campus. In each space there is a camera, a microphone, a projected display of what the other camera sees, and a speaker playing what the other microphone picks up. The thought was that this would prompt spontaneous conversations between people who were not in the same room. Almost immediately after installation, the display was changed to be more privacy sensitive [KD04]. The initial display was a series of pictures of the space, scrolled to the other side in slideshow form. This caused people to avoid using the elevator and to skirt around the space. As time wore on, the designers went to greater and greater lengths to abstract and obscure the data that was sent, until in the final version people who are not participating in a conversation do not appear in the picture at all [KD04]. During the design phase privacy was not taken to be a great concern, but user feedback drove the displays towards a very abstract, privacy-sensitive form. The project also, perhaps unwittingly, followed fair information practices: the area the camera watched was marked with signs, and people could opt out simply by taking a different elevator or the stairs. Any installer of the system would have to go further by making clear what data is stored on a long-term basis and what is thrown away.

Everywhere Displays
Everywhere Displays is a project from IBM that directs graphical displays onto any surface in a given environment. The user can then interact with any of these displays through embedded sensors, speech recognition, and gesture recognition [SPK+03]. Context-sensitive information is meant to pop up on surfaces the user can see and provide useful information about the task at hand.
Very little mention of privacy is made in the literature, and there did not appear to be a mechanism for turning the displays off. This is not too surprising, as Everywhere Displays were meant to be installed in retail environments, and ever since the advent of closed-circuit surveillance cameras there has been no cultural expectation of privacy while shopping. Any retailer installing this system would have a tough time following fair information practices, since turning off the system for one user would potentially disable it for all users. Also, automated monitoring of customers' browsing habits seems like a lure too strong to resist.

BlueSpace
BlueSpace was another IBM project, this time using Everywhere Displays as well as a few other technologies in an effort to build the best working environment possible, given the restrictions of a cubicle [LLC+02]. With this system, there are two forms of privacy that need to be dealt with, as the employer-employee relationship has different privacy requirements, and a different privacy risk model, than the employee-employee relationship.
BlueSpace requires that people wear radio ID badges (not necessarily RFID) and then tracks them throughout the building. Everyone in the company can then see where everyone else in the company is. This privacy loss is, in a sense, a very equitable one, as it gives the information out to everyone. We talk more about this concept in Section ??.
Because privacy from their coworkers was listed as one of the major desires of cubicle workers, the BlueSpace designers set out to create a system that, despite its lack of privacy, could provide many of the benefits of a private office. They provided displays at the front of each cube on which the occupant could note whether or not it was okay for them to be interrupted. This would hopefully lead to what the users wanted, a "cone of silence", within a cubicle context. In general, the system provided one kind of privacy very well; when users marked themselves as not available, they would get left alone. The system enabled a huge degree of employer snooping, however. With globally trackable badges and computer-based availability messages, employers could find out what percentage of time employees spent at various locations, and how often they claimed to be available. Indeed, many people remarked that if the system were installed at their workplace, everyone would simply mark themselves as not available.
BlueSpace does provide one form of privacy, namely privacy from coworkers, but it enables such high levels of snooping on a company-wide basis that any installer would have to be very careful if they wanted to build a system with privacy guarantees. Unfortunately for worker privacy in the United States, there is no cultural expectation or legal requirement of privacy at work, so any installation probably would not follow fair information practices because there would be very little perceived need or value in doing so.

Lillis Business Complex
The University of Oregon Business School has recently opened the Lillis Business Complex, a modern "smart building". Because it is a building and not a computer, no privacy concerns seem to have been considered. The state of each room is constantly monitored, and this data is digitized and stored on a computer in the basement. Since the only way to turn on the lights is via a motion detector, massive data gathering is now possible. Indeed, because every light is on a motion sensor, and these motion sensors are all archived, it would certainly be possible to track a professor working late as they travel from their office throughout the building. If the granularity and frequency of measurements is fine enough, it might even be possible to track people as they move through the crowded building during the day, but that is still an open question.
The lack of forethought about privacy, leading to a complete lack of privacy protections in an environment that has traditionally supported very strong privacy guarantees, might best serve as a cautionary tale. Unless designers start taking privacy into account, it will be lost by accident.

Guidelines for Interface Designers
In an effort to formalize how privacy can be dealt with, the idea of privacy risk models has been proposed [HNLL]. These can be thought of as analogous to threat models for security researchers. So the first thing that a designer might want to do is to consider their risk model and try to figure out who might want to watch what, and how bad it could be. If all UI designers did this, then this section would be completely unnecessary. Unfortunately, this places a high burden on UI designers. Since UI designers probably have just as much patience as designers of other kinds of computer systems, this time-intensive procedure is likely to be ignored. Hopefully, these designers would be willing to follow some general advice, however.
After surveying each of these interfaces, some guidelines emerge to help interface designers enhance privacy as well as the user experience.
• Consider how your system might affect a user's privacy
• Let people know what data is being collected
• Make the value proposition clear
• Give the user control
• Let it be turned off
• Collect only what you need
• Display only what the user needs
• Abstract information as much as possible
• Don't store data forever

These guidelines match up very neatly with the ideas behind fair information practices, which match up in turn with the SAGE guidelines, which match up with what we intuitively think of as privacy. Thus it seems reasonable to hope that if designers had these in the back of their heads as they created systems, the technology would be much more supportive of privacy at all levels.
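As an added illustration, not code from the paper or from any of the systems it surveys, the following takes a constructed motion-sensor archive of the kind described under Lillis Business Complex, shows what the raw room-level log reveals, and then reduces it to hourly per-floor counts with a retention limit, applying the "collect only what you need", "abstract information" and "don't store data forever" guidelines above. The sensor ids, timestamps and seven-day retention period are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample archive (not real building data): one record per
# motion-sensor trigger, as (ISO timestamp, sensor id); the sensor id
# encodes floor and room, which is what makes individual tracking possible.
RAW_EVENTS = [
    ("2004-02-10T09:15:00", "F1-LOBBY"),    # old enough to be expired below
    ("2004-03-02T22:01:10", "F3-R312"),
    ("2004-03-02T22:04:40", "F3-HALL"),
    ("2004-03-02T22:05:15", "F3-STAIR"),
    ("2004-03-02T22:06:02", "F2-HALL"),
    ("2004-03-02T22:07:30", "F2-KITCHEN"),
    ("2004-03-02T22:20:45", "F2-HALL"),
    ("2004-03-02T22:22:00", "F3-R312"),
]

RETENTION = timedelta(days=7)   # assumed policy: "Don't store data forever"


def trajectory(events):
    """What a raw, room-level, indefinitely kept archive reveals: the ordered
    path of whoever is moving through the building (late at night, one person).
    ISO timestamps sort lexicographically, so sorting the tuples orders by time."""
    return [sensor for _, sensor in sorted(events)]


def abstract_archive(events, now, bucket_minutes=60):
    """Privacy-preserving replacement for the raw archive: keep only per-floor
    trigger counts per time bucket (enough for facilities planning), and drop
    anything older than RETENTION instead of archiving it.
    Returns {(bucket_start_iso, floor): count}."""
    counts = Counter()
    for ts, sensor in events:
        t = datetime.fromisoformat(ts)
        if now - t > RETENTION:
            continue                         # expired: never written to disk
        floor = sensor.split("-")[0]         # room identity is discarded
        start_minute = (t.minute // bucket_minutes) * bucket_minutes
        bucket = t.replace(minute=start_minute, second=0, microsecond=0)
        counts[(bucket.isoformat(timespec="minutes"), floor)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("raw archive reveals:", trajectory(RAW_EVENTS))
    print("abstracted archive :", abstract_archive(RAW_EVENTS, datetime(2004, 3, 3)))
```

The abstracted output still answers "which floors were in use at 22:00" while no longer supporting the office-to-kitchen-and-back reconstruction that the raw list gives away.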