Practical privacy-aware opportunistic networking

Opportunistic networks have been the subject of much research — in particular on making end-to-end routing efficient. Users' privacy concerns, however, have not been the subject of much research. What privacy concerns might opportunistic network users have? Is it possible to build opportunistic networks that can mitigate users' privacy concerns while maintaining routing performance? Our work-to-date has tackled the problem of creating privacy-preserving routing protocols, with less emphasis on discovering users' actual privacy concerns. We summarise our current results, and describe a future experiment that we have planned to better understand users' privacy concerns.


INTRODUCTION
People commonly carry mobile devices, such as phones, during their daily lives. When in proximity, these devices may exchange data directly, without using any traditional infrastructure, via a protocol such as Bluetooth. If many such devices cooperate with one another, an opportunistic network may be formed (Pelusi et al. 2006). Data are exchanged between mobile devices opportunistically as they move into physical proximity, in a disconnected store-and-forward architecture.
There are a number of challenges in opportunistic networking research. One challenge is routing. Given episodic connectivity, based on people's real-world movements, how might we efficiently route messages through the network? If we naïvely exchange messages during each and every encounter, flooding messages out along all possible paths, then the message will certainly find and follow any existing path (indeed, the shortest path) between sender and destination to be delivered as quickly as possible.[1] But this epidemic routing approach is costly: large numbers of redundant messages are typically sent, which may rapidly drain the batteries of the mobile devices. Therefore, various routing schemes have been proposed that utilise social network information to inform routing

[1] Under ideal conditions. If storage space is finite, for example, then nodes may run out of storage space and drop messages, and thus this may not be the case.
A second, related challenge is privacy. Through participating in an opportunistic network, and especially if social network information is used to inform routing decisions, users may experience a variety of privacy threats (Parris and Henderson 2011b).
Our research focuses on the intersection of these challenges. What privacy concerns might opportunistic network users have? How might we measure these concerns for future application users, given the disconnect between what people say and what people do with respect to privacy? Is it possible to build opportunistic networks which can mitigate users' privacy concerns while maintaining routing performance?
The proposed PhD thesis statement is: it is possible to maintain opportunistic network performance after adding the privacy-preserving features that users desire.
Our work-to-date has tackled the problem of creating privacy-preserving protocols. We have performed simulations with real users' data (location traces, and location-privacy preferences) to quantify the impact of privacy preferences on performance.
Our focus is now on a problem up-the-stack: the user. We wish to perform an HCI experiment, utilising a new methodology, to measure the privacy concerns of users for an example future opportunistic network application. Ultimately, the goal is to improve the happiness of users, through securing their potentially-sensitive data, which we note ties in with the HCI 2011 Health, wealth & happiness theme. We hope to receive useful feedback and suggestions at the HCI 2011 Doctoral Consortium.

CURRENT RESULTS
So far, we have found three main results: (i) Users behave differently when participating in a real system, compared to a simulated system. (ii) Users' location-privacy preferences may significantly impact opportunistic-network performance. (iii) Significant obfuscation of social-network information is possible, while still maintaining good social-network routing performance.
We describe each in turn.

User study: location-privacy preferences
We performed a user study, investigating the location-sharing privacy preferences of 80 users of the popular online social network Facebook.[2] Participants carried a location-sensing mobile phone for one week of their daily lives. Due to resource constraints (we had 20 mobile phones available, but 80 participants) we performed the user study in four one-week runs, each with 20 participants. Two of the runs were conducted in a small UK town, St Andrews; the other two runs were conducted in a large UK city, London.
Utilising the experience sampling method (Consolvo and Walker 2003), participants were prompted up to 20 times each day to choose how widely they would be happy for their current location to be shared on Facebook: to everyone, to some or all of their Facebook social contacts, or to no-one.
At the start of each of the four runs, the 20 participants in the run were randomly divided into two groups. The real group experienced real publishing of their location information on Facebook; the simulation group experienced simulated publishing, where information was never disclosed to anybody, regardless of user preferences. We investigated whether publishing information "for real" (the real group) resulted in a difference of behaviour compared to simulated publishing. Figure 1 shows our main result: the simulation group shared their locations more openly than the real group (Parris et al. 2010).[3]

[2] http://www.facebook.com/

Performance impact of users' location privacy preferences
Inspired by Westin (2003), we built a privacy model for location sharing from the study described in Section 2.1.
We performed simulations utilising this privacy model, in three different modes:
• Default (D): Privacy preferences ignored.
• Friendly (F): Privacy mode, where nodes may share to everyone, to no-one, or to their social contacts.
• PubPriv (PP): Stronger privacy mode, where nodes share only with either everyone or no-one.
Figure 2 demonstrates our main finding. We found (Parris and Henderson 2011a) that users' location-privacy preferences may significantly impact opportunistic network routing performance. Indeed, under the stronger PubPriv mode, the median delivery performance was zero.

Performance evaluation for protocols preserving social graph privacy
We target the threat of leakage of social-graph information by obfuscating the sender's social network at the time of message generation.
Through simulation, we evaluate the performance of these new privacy-enhanced protocols. Figure 3 demonstrates our main finding. It is possible to significantly obfuscate the social network information, by removing up to 40% of the sender's "friends list" (social graph neighbours) from each message at generation time, while still maintaining good routing performance (a message delivery proportion, or delivery ratio, of 90% that of unmodified social network routing). Further details are available in Parris and Henderson (2011b).
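The following is an added toy simulation, written for this summary and not code from the authors' simulators, that makes the two mechanisms in Sections 2.2 and 2.3 concrete: a location-sharing preference gates whether two nodes exchange anything at all (the D/F/PP modes), and a message carries the sender's friend list, optionally obfuscated at generation time, which social-network routing uses to choose carriers. The social graph, preferences and encounter trace are constructed sample data; the forwarding rule (forward a copy to the destination or to any node on the message's carried friend list), the requirement that both parties be willing before an exchange happens, and the treatment of a "friends" preference as "no-one" under PubPriv are modelling assumptions, not details taken from the paper.

```python
import random
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed social graph: undirected friendships between five nodes.
FRIENDS: Dict[str, FrozenSet[str]] = {
    "A": frozenset({"B", "C"}),
    "B": frozenset({"A", "D"}),
    "C": frozenset({"A", "E"}),
    "D": frozenset({"B"}),
    "E": frozenset({"C"}),
}
# Constructed location-sharing preferences (the three choices offered in the user study).
PREFS: Dict[str, str] = {"A": "everyone", "B": "friends", "C": "everyone",
                         "D": "friends", "E": "noone"}
# Constructed encounter trace: (time, node, node), in time order.
TRACE: List[Tuple[int, str, str]] = [(1, "A", "B"), (2, "B", "D"), (3, "A", "C"),
                                     (4, "C", "E"), (5, "B", "C")]


@dataclass(frozen=True)
class Message:
    mid: str
    src: str
    dst: str
    carried: FrozenSet[str]  # sender's friend list as placed in the message (possibly obfuscated)


def obfuscate(friends: FrozenSet[str], fraction: float,
              rng: Optional[random.Random] = None) -> FrozenSet[str]:
    """Drop a fraction of the sender's friends before the list goes into the message."""
    rng = rng or random.Random()
    drop = int(round(len(friends) * fraction))
    removed = set(rng.sample(sorted(friends), drop))
    return frozenset(set(friends) - removed)


def willing(a: str, b: str, mode: str) -> bool:
    """Is node a willing to share with node b under privacy mode D, F or PP?"""
    if mode == "D":          # Default: preferences ignored
        return True
    pref = PREFS[a]
    if pref == "everyone":
        return True
    if pref == "friends":    # Assumption: PubPriv offers no 'friends' option, so it collapses to 'no-one'
        return mode == "F" and b in FRIENDS[a]
    return False             # 'noone'


def make_messages(fraction: float = 0.0, seed: int = 0) -> List[Message]:
    """Three constructed messages, each carrying the sender's (obfuscated) friend list."""
    rng = random.Random(seed)
    specs = [("m1", "A", "D"), ("m2", "C", "E"), ("m3", "B", "C")]
    return [Message(mid, s, d, obfuscate(FRIENDS[s], fraction, rng)) for mid, s, d in specs]


def simulate(messages: List[Message], mode: str, routing: str) -> float:
    """Replay TRACE and return the delivery ratio (delivered / generated)."""
    buffers: Dict[str, Dict[str, Message]] = {n: {} for n in FRIENDS}
    for m in messages:
        buffers[m.src][m.mid] = m
    delivered: Set[str] = set()
    for _t, a, b in TRACE:
        # Assumption: an exchange only takes place if both parties are willing.
        if not (willing(a, b, mode) and willing(b, a, mode)):
            continue
        for holder, peer in ((a, b), (b, a)):
            for m in list(buffers[holder].values()):
                if m.mid in buffers[peer]:
                    continue
                # Epidemic: always copy. Social: copy only to the destination or a carried friend.
                if routing == "epidemic" or peer == m.dst or peer in m.carried:
                    buffers[peer][m.mid] = m
                    if peer == m.dst:
                        delivered.add(m.mid)
    return len(delivered) / len(messages)


if __name__ == "__main__":
    for mode in ("D", "F", "PP"):
        for routing in ("epidemic", "social"):
            print(f"mode={mode:2} routing={routing:8} delivery ratio={simulate(make_messages(), mode, routing):.2f}")
    print("social routing, 50% of friends removed:",
          f"{simulate(make_messages(fraction=0.5, seed=1), 'D', 'social'):.2f}")
```

On this trace, epidemic and social routing both deliver every message when preferences are ignored, the Friendly mode loses the message addressed to the node that shares with no-one, and PubPriv delivers nothing because the nodes that prefer friends-only sharing drop out entirely, which is the shape of the Figure 2 result in miniature. Removing the wrong friend from a carried list can cost a delivery (the obfuscated case in the test below), which is why the 40%/90% trade-off in the paper has to be measured on real traces rather than assumed.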

FUTURE WORK
We are planning an HCI experiment to probe the question of how privacy concerns may impact the willingness of users to participate in a future opportunistic network application. Our current results (Section 2.1) suggest that users behave differently in real and simulated systems, and thus we are planning a deceptive user study, where we simulate an opportunistic application, but do not inform participants that it is a simulated application. We intend to use the experiment results to inform interpretation of our current routing performance results (described in Sections 2.2 and 2.3).

Experiment plan
The opportunistic network application that we intend to simulate is a proposed, distributed, privacy-aware mobile advertising system, MobiAd (Haddadi et al. 2010). In such a real system, advertisements are distributed to mobile devices opportunistically, as are anonymous "click reports" describing interaction with the advertisements. The users, therefore, would dedicate some of their device's resources to the network, for example accepting a certain reduction in battery life, due to the extra energy used when transmitting messages.
By simulating this application, and presenting the experimental participants with various examples of potentially-sensitive information that may be leaked through its use, we wish to investigate differing degrees of willingness to participate in the network, as measured by the quantity of phone resources that participants would be willing to dedicate to the application.
We hypothesise that, as we increase the amount of sensitive information displayed, users will become less willing to participate in the network, and therefore will allocate fewer resources to the application. This is a non-trivial hypothesis: perhaps the increased transparency of the application increases user confidence, and thus increases the willingness to participate in the network? We thus search for the amount of information "leakage" that results in maximal participation in the network.
In our proposed experiment, we will create an Android application, installed on mobile phones given to experiment participants for one week. This application will prompt participants for a username, on the first run. It will display (fake) adverts on the phone's home screen at all times, by using Android's capability to detect the user's location, and then scraping web services for nearby businesses to "advertise" to the user.
There will additionally be an option on the home screen to display extra information about other participants. This information will be simulated for each participant, but the participants will not know this: this is the deception mentioned earlier, in order to mitigate the difference of behaviour of users of real vs simulated applications. The intention is that each participant will become aware that their own information may be leaked to other participants, by analogy to the information that they believe they can see about the others ("if I can see this information about them, then they must be able to see this information about me too").
The simulated information displayed to the participants will differ across groups, to which participants will randomly be assigned at the start of the experiment. We intend to examine the effects of leakage of two types of potentially-sensitive information, at differing resolutions: location and social graph. We therefore propose dividing the participants into five groups:
(i) No sensitive information displayed.
(ii) Location-Street: Simulated locations of users displayed, at the street-level.
(iii) Location-City: Simulated locations of users displayed, at the city-level.
(iv) Social-Neighbours: Simulated list of participants frequently encountered by this particular user.
(v) Social-All: Simulated list of all participants, with the option to click through to see their (simulated) lists of frequently-encountered participants.
The phones will prompt each participant once per day to answer a question, along with providing an explicit view of the simulated information (so that this information is salient, if the user chooses not to review it during the day). The question will be to ask the participant to use a slider (initially unset) to choose a maximum amount of battery life (in hours) that they would be prepared to devote to the opportunistic network application in the next 24 hours. We reason that this question would be easy for participants to understand, and quick to answer. The application would, however, not really use their phone's resources based on the previous question answers, so as to avoid draining the device's battery and possibly hindering the experiment: we reason that even without real usage of the battery, we would obtain a measure of the user's willingness to participate in the network at various times. We are interested only in relative differences between groups, rather than absolute values.
As mentioned earlier, the experiment results would inform interpretation of our previous performance results, which evaluate performance for protocols under varying assumptions of user behaviour.
Example questions that we hope to answer are: (i) Which privacy mode from our location simulation is more realistic? (ii) Are participants concerned about social graph privacy?

Problems and questions
Some open questions, which we hope to discuss during the HCI 2011 Doctoral Consortium, include:
• How precisely could we best display potentially-large numbers of simulated encounters (i.e., social graph information) or location information to the relevant participants, on the small phone screens?
• Should participants interact to differing degrees with the visualisations of potentially-sensitive information, then what are the implications for interpretation of the results?
• How could the potentially-noisy results best be interpreted?
• How many participants should take part in the experiment? And how should they be selected?
• If participants' willingness to participate in the network varies in different contexts (e.g., perhaps there are particular times when they do not wish to give up any battery life), then is it possible to improve on the coarse slider-based questions?

CONCLUSION
We have summarised our current results, and detailed our planned user study. We hope that these results and plan may be of interest to HCI 2011 Doctoral Consortium participants, and in turn we hope to receive useful feedback and suggestions.

Figure 1: Location-sharing preferences of Facebook users. Those experiencing simulated publishing of their data share their data more openly than those experiencing real publishing: they less often disclose their location to no-one, and more often to everyone.

Figure 2: Delivery ratio (i.e., proportion of unique messages that are delivered) for epidemic and social-network routing, under three different privacy modes. The delivery ratio falls significantly when privacy concerns are taken into account (the Friendly (F) and PubPriv (PP) privacy modes).

Figure 3: Delivery ratio after various degrees of obfuscation of social-network information. It is possible to maintain good performance (90% that of unmodified routing) after significant (40% of friends removed) obfuscation of the social network information.