Super-Ego: A Framework for Privacy-Sensitive Bounded Context-Awareness
Eran Toch
Department of Industrial Engineering
Tel Aviv University
Ramat Aviv, Tel Aviv 69978, Israel
Abstract

Context-awareness enables applications to better streamline and
personalize their service according to the current situation of the
user. However, the user’s information used by context-aware ap-
plications, such as the user’s current location, is inherently private
and sensitive. Using this information without proper control by the
user can lead to privacy risks and might harm the trust users have
in the context-aware application. To address this tradeoff between effectiveness and privacy, we present Super-Ego, a framework for ad-hoc management of access to location information in ubiquitous environments. Using this framework, we model and evaluate different decision strategies for managing mobile applications' access to location context. The strategies we test are based on automatic algorithms that use knowledge about the historical disclosure of locations by a large number of users, with the optional delegation of
some of the decisions to the user. We evaluate the system empiri-
cally, using people’s detailed location trails from public resources,
augmented with simulated data about sharing behavior. Our results
reflect on an interesting tradeoff between automation and accuracy,
which can enable the design of efficient and usable approaches to
privacy-sensitive context-aware applications.
Keywords

Context-awareness, autonomous systems, privacy, usability
Categories and Subject Descriptors
K.6.5 [Management of Computing and Information Systems]:
Security and protection; I.2.8 [Artificial Intelligence]: Problem
Solving, Control Methods, and Search; H.5.3 [Information Inter-
faces and Presentation]: Group and Organization Interfaces
1. Introduction

Ensuring users’ privacy is becoming a major challenge in context-
aware applications. As mobile applications increasingly rely on
automatic context sensing to simplify and personalize services to
users, users may find it difficult to trust the process in which ser-
vices collect and use their context information. Users need to know
Casemans ‘11, Sep 18, 2011, Beijing, China.
Copyright 2011 ACM 978-1-4503-0877-9 ...$10.00.
that their information is collected and used in a way which is con-
sistent with their expectations. Otherwise, their information might
be taken out of its intended context, and used in ways which may
harm their privacy. This is becoming a challenge for designers of autonomous context-based systems due to two dramatic trends. The first trend is the rapid advancement of mobile technology, which simplifies the way applications collect diverse context information, including exact physical location, proximity to other users, interaction with other users, calendar information, and so forth. The second trend is the wide adoption of social networks, which increases the possible uses of context information. Context information can now be reported to friends, family, co-workers, and other social relations, complicating privacy risks and making them tangible to users.
How can we design self-managed systems that protect users’ pri-
vacy? Current theories highlight the inherent challenges in pro-
tecting privacy by self-managed systems, and in particular in sys-
tems that are used for sharing information between users. Helen
Nissenbaum’s contextual integrity theory explains why transmit-
ting information about a person from the original context to a new
context can lead to privacy risks [15]. For example, information
about the user’s location can be safely shared with work colleagues
during work hours, but not with the same people during the night.
The challenges users face when managing the context of their information are becoming increasingly difficult as it is shared in expanding social contexts. The control users have over how their
information is collected and used is crucial for their sense of pri-
vacy and identity management [16]. By definition, self-managing
systems strive to act as independently as possible, which can lead
to compromised sense of privacy if systems use information in con-
texts that the user did not anticipate and cannot control.
In this paper we address the tension between autonomy and privacy by suggesting a limited approach to context-awareness. We propose the “Super-Ego” framework, which bounds context-awareness for location context information. The framework controls the flow of context information from the mobile phone to context-aware applications. As in Sigmund Freud’s structural model, where the super-ego plays the critical and moralizing role in our mental life, our framework plays a similar part for self-managed context-aware applications. When a context-aware application requires location context information, it requests the location from Super-Ego, which uses a mixture of automatic and manual decision-making strategies to decide whether to accept or reject the request.
The automatic decision algorithms rely on existing information
about the disclosure of past location contexts. Several empirical
works show that users consistently discriminate between location
context disclosure, and that some instances are considered more
private than others [13, 12, 3, 4]. Empirical works have also shown
that there is strong commonality between different users when it
comes to decisions regarding location disclosure [2, 18]. Given
a set of location disclosure decisions by the general population,
Super-Ego determines whether a decision can be decided automat-
ically, or should be decided by the user. For example, let us imag-
ine a location-based dating service that uses the location of the
user when other users wish to see if there are possible romantic
partners nearby. The dating application, which is installed on the
user’s smart-phone, would request the location from the Super-Ego
framework. The framework would consult the disclosure decisions of the general population and would either provide the current location to the application, deny the request, or let the user decide if no confident decision can be made automatically. For instance, if the user is currently sitting in a coffee shop, a place with a high probability of being shared, then the framework would release it automatically. On the other hand, if the user is currently at home, Super-Ego would delegate the decision to the user.
Super-Ego quantitatively defines the boundaries of self-manageability with respect to the desired accuracy of the decision process
and the required user involvement. We use the framework to de-
velop and evaluate a model for location context disclosure using
measures from information retrieval and human-computer interac-
tion. We develop an evaluation methodology that takes into account
the accuracy of the decision strategy and the level of automation
the strategy provides. We evaluate our approach using actual loca-
tion data of 21 users collected over a two-month period, made avail-
able by Microsoft Research [6]. The data is enhanced with simu-
lated sharing preferences that mimic reported location sharing be-
havior in several research papers [18]. Our results show that semi-
manual strategies exhibit an optimal accuracy/automation balance
when both of these parameters are considered as significant.
To summarize, the contributions of the paper are threefold: we propose an architecture for privacy-sensitive context-aware computing, we develop models for location context management based on historical disclosure preferences, and we analyze the properties of these models with respect to accuracy, automation, and overall performance.
2. Related Work

In existing mobile operating systems, controlling location con-
text collection is very limited. In the Google Android operating
system, mobile applications request permission for accessing oper-
ating system resources, including context information such as ex-
act location in different levels of granularity [1]. When the user
installs a new application, the list of requested permissions is pre-
sented, and the user can choose to accept or reject the installation.
In the Apple iOS operating system, deployed on iPhones, at the first
time that the application requests the location, the system presents
a modal dialog that asks the user whether to provide the location.
If the answer is positive, the location is released to the application,
and the user’s decision is set as default for that particular appli-
cation. In both operating systems, and in most mobile operating
systems in general, location disclosure decisions are done at the
application level, either allowing the application full access to all
future locations or to none.
In these “all or nothing” approaches to location context utiliza-
tion, users cannot differentiate between private locations, which they do not wish to disclose, and locations they do wish to dis-
close. However, empirical evidence shows that users have detailed
preferences regarding disclosure of specific locations. The willingness of users to share their location depends on the specific identity of the person receiving the location [3], the activity of the user in the location [12], the time and place [4], and the properties of the location, e.g., the variety of people that visit the location [18].
Therefore, we believe that frameworks for managing location con-
text information should be able to provide users with fine-grained
and usable control over individual locations.
Context-aware applications use context information about the
state of people, places, and objects relevant to users and their activ-
ities to adapt the applications’ behavior [8]. As information about
the state of the users is inherently private, the tension between pri-
vacy and context-awareness is an ever challenging research ques-
tion [11]. It has been addressed by using technologies such as rule-
based policies [10, 4], conflict specification with automatic resolv-
ing [19], and setting context roles for expected contexts [7]. Loca-
tion obfuscation was also suggested to be used to restrict context
awareness, by limiting the level of detail given about a location
[9]. Our work complements these research efforts by developing a
context-aware framework that manages disclosure of location con-
text data. The work takes a different approach, relying on ad-hoc
decision making regarding the disclosure of the location, on the
basis of historical sharing data from the general population with
optional interference by the user.
3. The Super-Ego Framework

In this section we explain in detail how Super-Ego implements
fine-grained automatic location context control. We explain how
the framework is embedded within contemporary mobile operat-
ing systems and explain the concept of decision strategies and the
research questions they pose.
3.1 Architecture
The framework we present offers a simple architecture that ensures privacy-sensitive context-awareness. Current mobile operating systems provide an API (Application Programming Interface) that is used by mobile applications to access context information
and other operating system resources. The Super-Ego framework
is positioned between the original operating system API and the
mobile application. In our approach, mobile applications access
context using the framework, which decides whether to grant ac-
cess to the context information. As Figure 1 depicts, when a mobile application requests context information from the operating system API, the request first goes to the Super-Ego framework, which decides whether to release the context information. If the request
is granted, then the mobile application can function on the context.
Otherwise, the mobile application should be able to handle the re-
jection in a user-friendly way.
Decisions on whether to release the context information are based
on a context model that is maintained by the framework. The con-
text model includes the set of earlier locations requested from the
mobile operating system API, as well as historical knowledge of
the disclosure decisions regarding the current location by the cur-
rent user and by all other users of Super-Ego. The general knowl-
edge is kept in a centralized server, and contains information about
the ratio in which the current location was disclosed by Super-Ego
users. For the sake of privacy, the actual decisions of individual
users are not stored.
The heart of the framework is a decision engine that computes
the response to the location requests. The response regarding a par-
ticular location request can be one of three outcomes: disclose - to
accept the request, deny - to reject the request, or manual - to let
the user decide. If the response is disclose, then the location is returned to the mobile application. If the response is to deny the request, then the function throws an exception that the calling application needs to handle. If the response is manual, then the user is
presented with a user interface that asks whether to release the location to the current application. From this point, Super-Ego would implement whatever the user had decided.

Figure 1: The architecture of the Super-Ego framework. Super-Ego is embedded within the mobile operating system (e.g., Android, iOS, or Windows Mobile 7). A context-aware mobile application is the client of Super-Ego, and accesses it when a location context is required. The Super-Ego framework uses two external resources when deciding on location disclosure: data about historical context information and the user herself.
Super-Ego was designed to adhere to privacy-by-architecture principles, promising that mobile applications cannot obtain undesired context information due to malicious or buggy infrastructure. Therefore, in our theoretical architecture, Super-Ego is embedded within the operating system, and used as the sole method for accessing location contexts by applications. Super-Ego exhibits several other properties:
1. Variable manual control: allowing manual intervention and
decision in certain cases, when the certainty of automatic de-
cision is low.
2. General and historical knowledge: basing the context release decisions on past history and global context models, due to evidence showing strong convergence to the mean when it comes to information-sharing preferences.
3. Configurable automation: Super-Ego can be configured to
require different levels of user involvement.
Super-Ego was implemented on the Android 2.3 mobile operating system. While not impossible, embedding the framework within the operating system takes great effort, and therefore it was implemented as a Java library that can be used in mobile applications that require access to location context. The library wraps most of the native location API and provides access to it through a set of methods that first call the decision engine.
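The interposition pattern described above can be sketched as follows. This is a language-agnostic Python sketch of the idea only; the actual library is a Java library for Android, and all names here (`SuperEgoLocationAPI`, `LocationDenied`, the callback signatures) are ours, not the framework's.

```python
class LocationDenied(Exception):
    """Raised when the decision engine rejects a location request;
    the calling application must handle it gracefully."""

class SuperEgoLocationAPI:
    """Interposes between the application and the native location API:
    every request is routed through the decision engine first."""

    def __init__(self, os_api, decision_engine, ask_user):
        self._os = os_api               # the native location provider
        self._decide = decision_engine  # returns disclose / deny / manual
        self._ask_user = ask_user       # UI callback returning True/False

    def get_location(self):
        loc = self._os.get_location()   # fetched, but not yet released
        outcome = self._decide(loc)
        if outcome == "manual":         # delegate the decision to the user
            outcome = "disclose" if self._ask_user(loc) else "deny"
        if outcome == "deny":
            raise LocationDenied("request rejected by Super-Ego")
        return loc
```

An application would call `get_location` and catch `LocationDenied`, mirroring the exception-based rejection handling described above.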
3.2 Decision Strategies
The main focus of our work is to develop and evaluate differ-
ent strategies for deciding the release of location context informa-
tion to mobile applications. We are interested in an open framework that can support different strategies, from both engineering and research standpoints. From the engineering standpoint, configurable strategies allow specific strategies to be personalized for specific users or applications. From the research standpoint,
configurable strategies make it easier to formally model decision
algorithms and to systematically evaluate them.
While strategies can be very complex, in this work we focus on
simple strategies that can be configured using a simple set of pa-
rameters. The simplicity of the strategies described in this paper
allows us to compare them in a straightforward manner, revealing
relations between the strategy performance and its specification. A
strategy is basically specified using two parameters: manual thresh-
old and disclose threshold. Below the manual threshold, the deci-
sion engine would deny the request. Above the manual threshold
and below the disclose threshold, the engine would send the re-
quest to manual intervention, and above the disclose threshold, the
engine would disclose the location. Strategies differ by the two parameters, as well as by methods for dynamically setting the disclose threshold.
The use of strategies in a framework that allows both manual and
automatic decision making, raises several questions which are criti-
cal to the understanding of using privacy-sensitive context-awareness
frameworks. Specifically, we are interested in evaluating the amount
of manual intervention required in a specific strategy, and its impact
on the accuracy of the decision engine. We ask several research
questions, which are answered in Section 5.
1. What is the effectiveness of using general historical informa-
tion about location disclosure decisions?
2. What is the impact of manual decision delegation on the automation, accuracy, and overall performance of decision engines?

3.3 Model for Bounded Awareness
Decisions in Super-Ego are taken for each instance of location context requested by a mobile application. At each request, the decision engine operates on a given location context, l_i. Each location is basically a pair of longitude/latitude coordinates. In order to perform a decision, the decision engine uses a context model, M, which documents the privacy preferences for all known locations from all known users of the framework. Prior decisions are represented by the ratio, r ∈ [0, 1], the average of the scores for sharing the location, and sd(r), a number that represents the standard deviation of that ratio. For example, if a location l_i was considered for sharing by n users, each of them giving a score between 0 and 1 for comfort in sharing the location, then r (the ratio) is the mean of those scores and sd(r) is the standard deviation of the scores.
We define the context model as a mapping function M : L → r × sd(r) that assigns a disclosure ratio and standard deviation to each recorded location. We identify locations using an approximation of 25 meters, so when the decision engine judges a location l_i, we look at all locations M(l_i) = {l_j : dist(l_i, l_j) < 25m}. We then look at the average of ratios and standard deviations for all locations in M(l_i).
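The nearest-location lookup and ratio averaging can be sketched as follows. This is a simplified model: we use an equirectangular distance approximation (the paper does not specify the distance function), and the coordinates and function names are hypothetical.

```python
import math

def dist_m(a, b):
    """Approximate distance in meters between two (lat, lon) pairs,
    using an equirectangular approximation (adequate at ~25 m scale)."""
    lat1, lon1 = a
    lat2, lon2 = b
    x = math.radians(lon2 - lon1) * math.cos(math.radians((lat1 + lat2) / 2))
    y = math.radians(lat2 - lat1)
    return 6371000 * math.hypot(x, y)

def lookup(model, query, radius=25.0):
    """M(l_i): average the disclosure ratio r and sd(r) over all
    recorded locations within `radius` meters of the query location."""
    nearby = [(r, sd) for loc, (r, sd) in model.items()
              if dist_m(loc, query) < radius]
    if not nearby:
        return None  # no historical knowledge for this location
    r = sum(v for v, _ in nearby) / len(nearby)
    sd = sum(s for _, s in nearby) / len(nearby)
    return r, sd

# Two hypothetical recorded locations roughly 15 m apart:
model = {(32.0853, 34.7818): (0.9, 0.08),
         (32.0854, 34.7819): (0.8, 0.10)}
print(lookup(model, (32.0853, 34.7818)))  # averages both entries
```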
Figure 2: A depiction of four strategies: fully manual (M), fully automatic (A), semi-manual with constant threshold (SM-C), and semi-manual with variable threshold (SM-V). Each strategy is specified using two threshold values, t_manual and t_disclose, which are used to judge location requests according to the ratio of historical decisions (the horizontal axis, from 0 to 1) for the given location. In the diagram, each strategy is displayed with the thresholds located where their values are set for that strategy. In the last strategy, semi-manual with variable threshold, the arrow between the thresholds depicts the fact that t_disclose is set dynamically according to the standard deviation of the historical location data from the context model.
The decision engine computes a decision based on a decision
strategy, a construct that is used to configure the decision algo-
rithm and to set the extent of manual intervention the decision algo-
rithm will yield. As depicted in Figure 2, we represent the strategy
as a set of two threshold values, t_manual and t_disclose, on the range of the ratio [0, 1]. We define the decision engine as a function that takes three elements: a context l_i, a context model M, and a strategy S, and returns a decision:

F : l_i × M × S → {disclose, deny, manual}

The outcome of the function is set by a straightforward algorithm:

F(l_i, M, S) = disclose if r > t_disclose; manual if t_manual ≤ r ≤ t_disclose; deny if r < t_manual
Let us exemplify the way the model of the decision engine works using the following scenario. A mobile application requests the location of the user, l_i. The historical ratio for that location is r = 0.9, with a standard deviation of sd(r) = 0.081. If the historical ratio is lower than t_manual, the request is denied; if the ratio is between t_manual and t_disclose, then the user is asked to weigh in on the decision; and if the ratio is higher than t_disclose, then the location is disclosed without any user intervention. For example, if t_disclose = 0.8, then the location will be disclosed. Setting the thresholds can yield dramatically different behavior, as we exemplify in Figure 2. If the strategy is set as S = {t_manual = 0, t_disclose = 1}, then the decision engine is fully manual, as all ratios will be above the manual threshold and below the disclose threshold. In that case, the outcome of our example scenario is manual. If the strategy is set as S = {t_manual = 0.5, t_disclose = 0.5}, then the decision is fully automated, as all ratio values will be either smaller than t_manual or higher than t_disclose. In a semi-manual strategy, the threshold values will be set in some distinctive way that reflects the desired amount and nature of user involvement.
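The decision algorithm and the scenario above can be sketched in a few lines of Python. This is a simplified model: the actual framework is a Java library, and the function name `decide` is ours.

```python
def decide(r, t_manual, t_disclose):
    """F(l_i, M, S): map the historical disclosure ratio r of the
    requested location to one of the three possible outcomes."""
    if r > t_disclose:
        return "disclose"
    if r < t_manual:
        return "deny"
    return "manual"  # t_manual <= r <= t_disclose

# The scenario above: r = 0.9 with t_disclose = 0.8 (t_manual assumed 0.5)
print(decide(0.9, t_manual=0.5, t_disclose=0.8))  # -> disclose
print(decide(0.9, t_manual=0.0, t_disclose=1.0))  # fully manual -> manual
```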
4. Evaluation Methodology

In this section, we explain our empirical framework for assessing
decision strategies. We first define measures for strategy assess-
ment, and then follow by providing a detailed explanation about
our experimental testbed.
4.1 Measures for Estimating Strategies
In order to measure the performance of decision strategies, we
define a methodology that focuses on two aspects: accuracy and
automation. This methodology will enable us to compare strategies
and simulate how different strategies would impact the user inter-
action and the overall behavior of the system. The performance
measure is a combination of these two aspects of a strategy. If a de-
cision engine involves the user in every decision, it might get per-
fect results, but would compromise the usability of the application
through excessive user burden. On the other hand, if an engine re-
quires no manual intervention, its accuracy might be mediocre. The
objective of our evaluation methodology is to enable us to charac-
terize how well a strategy fits in this tradeoff between accuracy and
automation, and help us identify good strategies that balance these
two important aspects.
We assume that we run a decision engine F on an identical set of locations L = {l_1, . . . , l_n} and an identical context model M.
Every request which is decided upon by the decision engine, can
turn out to be a positive decision (disclose) or negative (denied).
We can then judge the performance of the decision according to
the actual decision made by the user. Information about these deci-
sions was obtained, in our case, by a priori simulation. If the user
agrees with the decision engine, then the decision is called true.
Otherwise, it is called false. We assume that the user is always
satisfied with the result of a manual request, and therefore man-
ual decisions are always considered true. Therefore, information
retrieval categorization can be used on the output of the decision
engine, resulting in four categories:
Figure 3: The density of the historical ratio for all simulated location contexts. The ratio has local peaks on the extreme values of the scale (1-2 and 10), and on values which are slightly above the average (6-8).
True positive (tp) - the decision was to disclose, and the prediction was correct (i.e., the prior user decision agrees with the outcome of the decision engine).
False positive (fp) - the decision was to disclose, and the prediction was incorrect.
True negative (tn) - the decision was to deny, and the prediction was correct.
False negative (fn) - the decision was to deny, and the prediction was incorrect.
On the basis of the categorization of result satisfaction, we employ standard measurements from information retrieval, namely precision, recall and accuracy. We define the precision of a strategy as

precision = tp / (tp + fp)

and the recall of the strategy as

recall = tp / (tp + fn)
A conservative decision engine that uses a high threshold (hypo-
thetically returning few true positives and many false negatives)
will have high precision but low recall. A liberal decision engine
that uses a low threshold (hypothetically returning many false pos-
itives and few false negatives) will have a low precision but high
recall. We evaluate the overall accuracy using the standard accuracy function used in information retrieval, giving equal weight to both measures:

accuracy = (tp + tn) / (tp + tn + fp + fn)
In order to evaluate the user involvement for each of the strate-
gies, we count the number of manual decisions and the number of
automatic decisions. We define the user involvement of a given
strategy as the ratio between automatic decisions and the overall
number of decisions. We denote by a the number of decisions taken autonomously by the decision engine, and by m the number of decisions sent to the user. We define the automation measure as

automation = a / (m + a)
The two measures, accuracy and automation, reflect respectively
how well an algorithm decides regarding a set of locations, and how
much user intervention is required. To evaluate the overall perfor-
mance of an algorithm, configured by a strategy, we developed a
simple combined measure, which we call the combined score (or
“combined” for short). We define the score as follows:
combined(S) = α · automation(S) + (1 − α) · accuracy(S)

The combined score is a sum of automation and accuracy, weighted by a coefficient α ∈ [0, 1] which sets the ratio between the two measures. For example, when α = 0, a high score would be given to a strategy with high accuracy, with no regard to automation. When α = 1, the only meaningful measure would be automation, and when α = 0.5, equal importance would be given to both measures.
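The three measures can be sketched together as follows. This is a toy model with names of our own: each decided request is represented as a pair of the engine's decision and the user's simulated choice, and, following the assumption above, a manual decision adopts the user's choice and is therefore always counted as true.

```python
from collections import Counter

def classify(decision, user_shares):
    """Categorize one engine decision against the user's simulated choice.
    Manual decisions adopt the user's choice, so they are always true."""
    if decision == "manual":
        decision = "disclose" if user_shares else "deny"
    if decision == "disclose":
        return "tp" if user_shares else "fp"
    return "tn" if not user_shares else "fn"

def scores(pairs, alpha=0.5):
    """pairs: list of (engine decision, user_shares) tuples.
    Returns (accuracy, automation, combined) per the definitions above."""
    c = Counter(classify(d, u) for d, u in pairs)
    n = sum(c.values())
    accuracy = (c["tp"] + c["tn"]) / n
    manual = sum(1 for d, _ in pairs if d == "manual")
    automation = (n - manual) / n
    return accuracy, automation, alpha * automation + (1 - alpha) * accuracy

# Three automatic decisions (one wrong) and one manual decision:
pairs = [("disclose", True), ("deny", False), ("disclose", False), ("manual", True)]
print(scores(pairs))  # accuracy 0.75, automation 0.75, combined 0.75
```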
4.2 Evaluated Strategies
In evaluating the strategies we devised and implemented four strategies that represent different variations of strategy types, as depicted in Figure 2. We denote by x ∈ [0, 1] a threshold that serves as a variable in the experiments. The following four strategies were evaluated:

Manual strategy (M): all requests are decided as manual, such that S = {t_manual = 0, t_disclose = 1}.

Fully automatic strategy (A): all requests are decided automatically, such that S = {t_manual = x, t_disclose = x}.

Semi-manual with constant threshold (SM (C)): in this strategy, t_manual = x and t_disclose = t_manual + Δ, where Δ is a constant. The constant was arbitrarily set to the average standard deviation of all disclosure rates for all locations in the context model. In our experiments, Δ = 0.229.

Semi-manual with variable threshold (SM (V)): in this strategy, t_disclose is a variable, but unlike the previous strategy, Δ is varied and changes between locations. It depends on the standard deviation of rates for that particular location, such that for a specific location l_i with a ratio r, t_manual = x − sd(r) and t_disclose = x + sd(r).
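The four strategy specifications above can be written as a small threshold-generating function. This is a sketch: the strategy labels and the Δ value come from the text, while the function itself and its signature are ours.

```python
DELTA = 0.229  # average sd of disclosure rates, as reported in the text

def thresholds(strategy, x, sd_r=None):
    """Return (t_manual, t_disclose) for a location under a strategy.
    sd_r is the standard deviation of the location's historical ratio,
    used only by the variable semi-manual strategy."""
    if strategy == "M":      # fully manual: every ratio falls in between
        return 0.0, 1.0
    if strategy == "A":      # fully automatic: the manual band is empty
        return x, x
    if strategy == "SM-C":   # semi-manual, constant-width manual band
        return x, x + DELTA
    if strategy == "SM-V":   # semi-manual, band widens with uncertainty
        return x - sd_r, x + sd_r
    raise ValueError(f"unknown strategy: {strategy}")
```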
The logic behind choosing these particular strategies is as fol-
lows. The automatic and manual strategies were designed to un-
derstand the boundaries of the automation/accuracy tradeoff. The
two strategies represent the baseline for comparison for both of the
tradeoff extremes. The two semi-manual approaches were designed
to search for a balance between accuracy and automation using dif-
ferent approaches for decision making.
4.3 Experimental Setup
The context model used in the evaluation is based on a data set
of the GPS coordinates of 21 different users, provided by Microsoft
Research [6]. The locations were recorded through a period of 2
months by a GPS device that sampled the location every 5 sec-
onds. Overall, there were 3,082,900 location observations. On top
of these locations, we simulated disclosure ratios for a sample of the locations. The simulated disclosure ratios followed the properties reported in [18], which relate the history of place visitation (by the user and by all users) to the likelihood of sharing the location. In assigning sharing ratios for these locations, we boosted the ratio according to the empirical model, given the number of times the user visited the location and the entropy of the location (a measure of the diversity of the location). The average
values of disclosure ratios are displayed in Figure 3. The mean ra-
tio is 0.711 and the standard deviation is 0.22. Extreme points have local peaks, as some locations are almost never shared (and therefore the ratio for these locations is 0) and other points are shared by several users.
When running the experiment, we evaluated each location in the data set using each of the strategies. The decision for each of the locations was saved and compared against the original simulated decision of the user. The decisions were then analyzed according to the methodology described above.
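The evaluation loop can be sketched as follows. This is a toy reconstruction with randomly simulated ratios and user decisions, not the authors' data set; it only illustrates the procedure of judging every location under a strategy and comparing each decision against the simulated user decision.

```python
import random

random.seed(7)

def decide(r, t_manual, t_disclose):
    """The decision engine: map a historical ratio to an outcome."""
    if r > t_disclose:
        return "disclose"
    if r < t_manual:
        return "deny"
    return "manual"

# Simulated data: each location gets a historical ratio, and a user
# decision drawn so that high-ratio places are more likely to be shared.
ratios = [random.random() for _ in range(1000)]
data = [(r, random.random() < r) for r in ratios]

def run(t_manual, t_disclose):
    """Evaluate one strategy over all locations, comparing each engine
    decision to the simulated user decision (manual is always true)."""
    correct = manual = 0
    for r, user_shares in data:
        d = decide(r, t_manual, t_disclose)
        if d == "manual":
            manual += 1
            correct += 1
        elif (d == "disclose") == user_shares:
            correct += 1
    n = len(data)
    return correct / n, (n - manual) / n  # (accuracy, automation)

print(run(0.5, 0.729))  # semi-manual with constant threshold at x = 0.5
```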
5. Results

The four strategies differ significantly with respect to their accuracy and automation. The following table summarizes the accuracy and automation of the strategies. Values are means; values in parentheses are standard deviations.
Strategy Performance
Strategy Accuracy Automation
A 0.594 (0.075) 1 (0)
M 1 (0) 0 (0)
SM (C) 0.685 (0.06) 0.819 (0.131)
SM (V) 0.64 (0.052) 0.919 (0.089)
The difference between the strategies, when it comes to automation and accuracy, is significant. Results were obtained using two-sample independent t-tests with unequal variances, with p < 0.001 for every strategy pair. The test details for the comparison of accuracy between the two semi-manual strategies are: t = 3.3219, df = 73.834, and the 95% confidence interval is [0.0179, 0.0716].
Our second set of results, presented in Figure 4, investigates the
accuracy of each of the different strategies, for different threshold
values. As we assume that all manual decisions are correct
(true positives and true negatives), it is not surprising that the man-
ual strategy (M) has perfect accuracy. The fully automatic strategy
(A) is producing reasonable results, when framed as an information
retrieval problem and compared to similar problems. It exhibits a maximal accuracy of 0.652, with precision of 0.714 and recall of 0.685. However, the automatic strategy is outperformed by
the two semi-automatic approaches, as they are asking the user to
manually intervene on some of the location contexts.
For the semi-manual approaches, the best accuracy is achieved with a threshold of 0.7 for both variants. At that point, the semi-manual strategy with a constant threshold provides an accuracy of 0.74 with precision of 0.88 and recall of 0.722, and the semi-manual strategy with a variable threshold provides an accuracy of 0.7 with precision of 0.79 and recall of 0.7. This boost in accuracy can be explained by the delegation of decisions to manual intervention, which results in true positives and true negatives, thus increasing both the recall and precision of the strategy. Furthermore, as the decision algorithm routes location contexts with medium grades to manual decisions, accuracy receives a boost exactly where an automatic algorithm would risk outputting a decision that is either a false positive or a false negative.
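The behavior described above, delegating medium-grade contexts to the user, can be sketched as a three-way decision rule. The width `delta` of the manual band is a hypothetical parameter introduced here for illustration; the paper does not specify how the "medium grade" band is defined.

```python
def semi_manual_decision(ratio, threshold=0.7, delta=0.1):
    """Allow, deny, or delegate a location request.

    `ratio` is the crowd sharing ratio of the location. Contexts whose
    ratio falls within `delta` of the threshold are considered
    "medium grade" and handed to the user for a manual decision.
    (`delta` is an illustrative parameter, not from the paper.)
    """
    if ratio >= threshold + delta:
        return "allow"
    if ratio <= threshold - delta:
        return "deny"
    return "manual"
```

Widening `delta` trades automation for accuracy: more requests reach the user, and each of those is counted as a correct decision.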
While the manual and semi-manual approaches outperform the automatic approach, they come at the cost of a decreased level of automation. Figure 5 presents the levels of automation for each of the strategies. Naturally, the fully manual approach has no automation. On the other hand, the fully automatic strategy has maximal automation regardless of the threshold. The semi-manual strategies exhibit variable levels of automation, as the decisions that result in manual intervention (and therefore decrease automation) depend on the threshold. The highest levels of automation are reached at either a very low threshold (where most requests are denied) or a very high threshold (where most requests are allowed). The lowest levels of automation and the highest levels of accuracy occur at the same threshold range (0.675-0.825). At those points, the constant strategy delegates 4 out of 10 requests to the user, and the variable strategy delegates 2 out of 10 requests. This phenomenon has several reasons. First, in this range of ratio values there is considerable variability, as can be seen in Figure 3. Second, the variability increases the chances that a location will be sent to a manual decision rather than being denied. As a result, the accuracy of the strategy increases, at the expense of its automation.
We now consider how the strategies differ with respect to the
tradeoff between automation and accuracy. Figure 6 shows the
combined score for all four strategies, with a variable threshold and
five sub-diagrams according to a variable α value. The combined
score is configured by the α coefficient, where α = 1 gives all the weight to accuracy and α = 0 gives all the weight to automation. The
sub-diagrams in Figure 6 are ordered from left to right according
to the α values, ranging from giving full weight to automation (on
the left) and full weight to accuracy (on the right). Here, we see a
generalization of the results shown in Figures 4 and 5, expressing
an accuracy-automation tradeoff. The manual strategy has constant
accuracy, and therefore it is dependent only on the α value, having the worst combined score when α = 0 and the best combined score when α = 1. Similarly, the combined score of the automatic
strategy is linearly decreasing as it is dependent on the proportion
of accuracy in the overall score. The tradeoff is particularly telling
when it comes to the semi-manual approaches. The semi-manual
strategy with constant threshold trades automation with accuracy,
and is less sensitive to the α value than the automatic approach.
The variable approach outperforms the constant strategy when automation plays a meaningful role in the combined score (α < 0.7), as it is relatively less dependent on manual input to provide accurate decisions.
In analyzing Figure 6, the tradeoff between automation and accuracy is very clear. By delegating tough decisions to manual intervention, algorithms can increase their accuracy and outperform fully automatic strategies. When automation is factored into the combined score, reflecting the need to minimize user burden, the scores of manual and semi-manual strategies decrease. Approaches such as the semi-manual approach with a variable threshold, which are more selective in the contexts they mark as "manual", are more robust when the need to minimize user involvement is important.
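The combined score can be computed directly. Following the description above (α = 1 gives all weight to accuracy, α = 0 to automation), the sketch below applies the score to the mean values from the strategy-performance table; the strategy names are the table's own labels.

```python
def combined_score(accuracy, automation, alpha):
    """Weighted tradeoff score: alpha=1 is accuracy-only, alpha=0 is automation-only."""
    return alpha * accuracy + (1 - alpha) * automation

# Mean (accuracy, automation) values from the strategy-performance table:
strategies = {"A": (0.594, 1.0), "M": (1.0, 0.0),
              "SM (C)": (0.685, 0.819), "SM (V)": (0.64, 0.919)}

for alpha in (0.0, 0.25, 0.5, 0.75, 1.0):   # the five panels of Figure 6
    scores = {name: combined_score(acc, auto, alpha)
              for name, (acc, auto) in strategies.items()}
```

At α = 0 the ranking is driven purely by automation (A wins, M loses); at α = 1 it is driven purely by accuracy (M wins), mirroring the left-to-right ordering of the sub-diagrams.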
In this section, we review our findings with respect to larger open issues the research community faces. Specifically, we examine three issues.
The first issue is managing the tradeoff between automation and
accuracy in questions related to privacy. The research community
and the media are well aware that one of the main problems in managing privacy is its substantial demands on the user's time and effort [4, 17, 5]. The Super-Ego framework manifests this tradeoff as part of its inherent mechanism, making it possible to configure the relation between automation and accuracy. The simple evaluation framework we propose, presented in Section 4, can be used to systematically evaluate the tension between automation and accuracy in user studies and for different algorithms.
The second issue is better ways to personalize context disclo-
sure policy according to the user’s particular privacy profile. As
Figure 4: Accuracy versus a variable threshold value t for each of the four strategies. Points represent data observations, while curves show a moving average (with 95% confidence intervals).
Figure 5: Automation versus the threshold value t for each strategy. Points represent data observations, while curves show a moving average (with 95% confidence intervals). Note that the automatic strategy has a constant automation level.
[Figure 6 plot: five panels labeled (1) 0:1 Automation, (2) 0.25:0.75, (3) 0.5:0.5, (4) 0.75:0.25, (5) 1:0 Accuracy; y-axis: combined score; legend: SM (C), SM (V).]
Figure 6: The combined score versus a variable threshold for each of the strategies, given for 5 α values from 0 (on the left) to 1 (on the right). The combined score weights accuracy by α and automation by (1 − α), such that combined = α · accuracy + (1 − α) · automation. Therefore the combined score ranges from a combination that expresses just automation (on the left) to a combination that expresses just accuracy (on the right). In each of the five α settings, we show the combined score as a function of a moving threshold.
the literature on privacy preferences repeatedly tells us, people have distinct privacy preferences that follow profiles such as those described by Alan Westin: privacy fundamentalists, privacy pragmatists, and the unconcerned [14]. The model coefficients presented in Section 3.3 can be used to personalize the user experience for different categories of users, for example by providing a less automated strategy for users who are privacy fundamentalists.
The third issue relates to using Super-Ego in solutions that manage context information using a combination of ad-hoc decision strategies and pre-defined rules. Several works have shown how pre-defined specifications of rules, conflict specifications, and roles can effectively be employed in privacy-sensitive context-awareness [10, 4, 19, 7]. Combining rule-based decision models with ad-hoc decision models, such as Super-Ego, can result in usable privacy management systems. In a combined approach, the user's known restrictions can be expressed directly using a rule-based interface. Unexpected situations, which are not well defined by rules, can be handled by Super-Ego, with its combination of automatic and manual decision processes.
The approach we present in this paper is limited in several ways.
First, Super-Ego requires knowledge about location disclosure behavior from the general population. While widespread adoption of Super-Ego could eventually lead to the creation of such a knowledge base, none currently exists. Moreover, in this paper we do not resolve
potential privacy risks that stem from sharing historical location
context disclosure decisions. The second limitation is the architec-
ture of Super-Ego, which requires all context requests to go through
a single filtering layer. This property can eventually limit the ap-
plicability of the approach. The third limitation is the equal weight
we give to false positives and false negatives. In most scenarios
the outcome of a wrongful disclosure of a private location can be
considered more harmful than denying a mobile application of a
location. Finally, the decision process does not take into account the different applications that request the information, or the different uses to which the applications might put the location context.
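The third limitation above, equal weighting of false positives and false negatives, could be addressed with a cost-sensitive accuracy measure. The sketch below is one possible formulation, not the paper's; the cost values are illustrative.

```python
def weighted_accuracy(tp, tn, fp, fn, fp_cost=2.0, fn_cost=1.0):
    """Accuracy with asymmetric error costs.

    A false positive (wrongfully disclosing a private location) is
    weighted `fp_cost` times a unit error; a false negative (blocking
    a legitimate request) is weighted `fn_cost` times. The default
    costs are illustrative assumptions, not values from the paper.
    """
    penalty = fp_cost * fp + fn_cost * fn
    total = tp + tn + fp + fn
    return max(0.0, (total - penalty) / total)
```

With `fp_cost=1` and `fn_cost=1` this reduces to ordinary accuracy; raising `fp_cost` makes the measure less tolerant of wrongful disclosures, as discussed in the future-work section.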
In this paper, we present a method for preserving privacy in context-aware systems using ad-hoc decision making. We implemented and evaluated our approach for a particular type of context: locations sensed by the mobile device. We present an architecture in which a filtering layer, called Super-Ego, is placed between the mobile platform's operating system and the mobile applications that require the user's context information. As delegating the decision about the release of every location to the user would compromise the usability of the framework, we developed and evaluated a model for decision strategies that combine automated methods and manual intervention.
The evaluation of Super-Ego is based on simulated data-sharing preferences, generated on the basis of actual location data gathered by Microsoft Research from 21 users tracked for 2 months. The empirical evaluation portrayed the tradeoff between accuracy and automation with respect to different decision strategies, including manual, automatic, and various semi-manual approaches. While a fully automated approach delivers reasonable results (precision of 0.7 with recall of 0.8), it is less accurate than the manual and semi-manual approaches. Our results show that having the user intervene in even a small fraction of the location contexts boosts the accuracy of the decision process. While user intervention reduces the automation of a given strategy, it is possible to quantify this effect and adapt the strategy to the desired amount of user involvement.
The findings in this paper open several possibilities for future work. One possibility involves exploring additional dimensions of automatic decision making based on learning algorithms: algorithms that use machine learning and richer location data sets could provide better predictions for managing contexts, improving the precision and recall of current approaches. The second possibility is investigating the impact of accuracy models that assign different weights to positive and negative errors, for example, studying models that are less tolerant of releasing unwanted locations than of blocking legitimate locations.
[1] Android Developer Guide. Security and permissions,
June 2011.
[2] D. Anthony, D. Kotz, and T. Henderson. Privacy in
location-aware computing environments. IEEE Pervasive
Computing, 6(4):64–72, 2007.
[3] L. Barkhuus, B. Brown, M. Bell, S. Sherwood, M. Hall, and
M. Chalmers. From awareness to repartee: sharing location
within social groups. In CHI ’08, pages 497–506, 2008.
[4] M. Benisch, P. Kelley, N. Sadeh, and L. Cranor. Capturing
location-privacy preferences: quantifying accuracy and
user-burden tradeoffs. Personal and Ubiquitous Computing,
pages 1–16, 2010.
[5] N. Bilton. Price of facebook privacy? start clicking. New
York Times Article, May 12 2010.
[6] A. B. Brush, J. Krumm, and J. Scott. Exploring end user
preferences for location obfuscation, location-based services,
and the value of location. In Proceedings of the 12th ACM
international conference on Ubiquitous computing, Ubicomp
’10, pages 95–104, New York, NY, USA, 2010. ACM.
[7] P. Costa, J. Almeida, L. Pires, and M. van Sinderen.
Evaluation of a rule-based approach for context-aware
services. In Global Telecommunications Conference (IEEE
GLOBECOM 2008), pages 1-5, 2008.
[8] A. K. Dey, G. D. Abowd, and D. Salber. A conceptual
framework and a toolkit for supporting the rapid prototyping
of context-aware applications. Human-Computer Interaction, 2001.
[9] M. Duckham and L. Kulik. A formal model of obfuscation
and negotiation for location privacy. In H. Gellersen,
R. Want, and A. Schmidt, editors, Pervasive Computing,
volume 3468 of Lecture Notes in Computer Science, pages
243–251. Springer Berlin / Heidelberg, 2005.
[10] C. Hesselman, H. Eertink, and M. Wibbels. Privacy-aware
context discovery for next generation mobile services. In
Applications and the Internet Workshops (SAINT
Workshops 2007), International Symposium on, page 3, Jan. 2007.
[11] J. I. Hong and J. A. Landay. An architecture for
privacy-sensitive ubiquitous computing. In Proceedings of
the 2nd international conference on Mobile systems,
applications, and services, MobiSys ’04, pages 177–189,
New York, NY, USA, 2004. ACM.
[12] G. Iachello, I. Smith, S. Consolovo, G. Abowd, J. Hughes,
J. Howard, F. Potter, J. Scott, T. Sohn, J. Hightower, and
A. LaMarca. Control, deception, and communication:
Evaluating the deployment of a location-enhanced
messaging service. In Ubicomp '05, pages 213-231.
Springer-Verlag, 2005.
[13] A. Khalil and K. Connelly. Context-aware telephony: Privacy
preferences and sharing patterns. In CSCW ’06, 2006.
[14] P. Kumaraguru and L. F. Cranor. Privacy indexes: A survey
of westin’s studies. Tech report, Institute for Software
Research International, Carnegie Mellon University, 2005.
[15] H. Nissenbaum. Privacy as contextual integrity. Washington
Law Review Association, 79:119–158, 2004.
[16] L. Palen and P. Dourish. Unpacking "privacy" for a
networked world. In CHI ’03, pages 129–136, New York,
NY, USA, 2003. ACM.
[17] N. Sadeh, J. Hong, L. Cranor, I. Fette, P. Kelley, M. Prabaker,
and J. Rao. Understanding and capturing people’s privacy
policies in a mobile social networking application. Personal
and Ubiquitous Computing, 13(6):401-412, August 2009.
[18] E. Toch, J. Cranshaw, P. H. Drielsma, J. Y. Tsai, P. G. Kelley,
J. Springfield, L. Cranor, J. Hong, and N. Sadeh. Empirical
models of privacy in location sharing. In Proceedings of the
12th ACM international conference on Ubiquitous
computing, Ubicomp ’10, pages 129–138, New York, NY,
USA, 2010. ACM.
[19] V. Tuttlies, G. Schiele, and C. Becker. End-user configuration
for pervasive computing environments. In Complex,
Intelligent and Software Intensive Systems, 2009. CISIS ’09.
International Conference on, pages 487-493, March 2009.