Privacy risk models for designing privacy-sensitive ubiquitous computing systems
- ISBN: 1581137877
- DOI: 10.1145/1013115.1013129
Abstract
Privacy is a difficult design issue that is becoming increasingly important as we push into ubiquitous computing environments. While there is a fair amount of theoretical work on designing for privacy, there are few practical methods for helping designers create applications that provide end-users with a reasonable level of privacy protection that is commensurate with the domain, with the community of users, and with the risks and benefits to all stakeholders in the intended system. Towards this end, we propose privacy risk models as a general method for refining privacy from an abstract concept into concrete issues for specific applications and prioritizing those issues. In this paper, we introduce a privacy risk model we have developed specifically for ubiquitous computing, and outline two case studies describing our use of this privacy risk model in the design of two ubiquitous computing applications.
Jason I. Hong, Jennifer D. Ng, Scott Lederer
Group for User Interface Research
Computer Science Division
University of California, Berkeley
Berkeley, CA USA
jasonh@cs.berkeley.edu
James A. Landay
DUB Group
Computer Science and Engineering
University of Washington
Seattle, WA, USA
landay@cs.washington.edu
Categories and Subject Descriptors
H.5.2 [Information Interfaces and Presentation]: User
Interfaces—Theory and methods, Style guides,
Evaluation/methodology; K.4.1 [Public Policy Issues] – Privacy
General Terms: Design, Human Factors
Keywords
Privacy, Privacy Risk Model, Ubiquitous Computing
INTRODUCTION
Privacy has always been a contentious issue for ubiquitous
computing. On the one hand, the convergence and increasingly
widespread deployment of sensors, wireless networking, and devices
of all form factors are providing tremendous opportunities for
interaction design, allowing us to create systems that can improve
safety, efficiency, and convenience. On the other hand, there are
numerous interviews (e.g. [7, 20]), essays (e.g. [12, 39, 41]), books
(e.g. [10, 16]), and instances of negative media coverage (e.g. [38,
43]) that indicate a general unease over the potential for abuse, fear
over a potential lack of control, and desire for privacy-sensitive
ubicomp systems. These concerns suggest that privacy may be the
greatest barrier to the long-term success of ubiquitous computing.
This barrier persists, in part, because it is difficult to design privacy-
sensitive ubiquitous computing systems. Discussions about privacy
often generate a great deal of heat but little light. There are two
primary reasons for this. The first is the wide range of issues that fall
under the rubric of “privacy”, including concepts as wide-ranging
and disparate as Big Brother governments watching every move you
make, overprotective parents keeping close tabs on their children,
overzealous telemarketers, and protection of one’s genetic
information. The second reason is that we each perceive privacy
differently. As Westin notes, “no definition [of privacy]… is
possible, because [those] issues are fundamentally matters of values,
interests and power” [4]. As a result, it is difficult to sort out and
conduct reasoned debates over the practical issues, and then to
design systems that address them effectively.
Our position is that a systematic method is needed to help designers
identify, understand, and prioritize privacy risks for specific
applications. Here, the goal is not perfect privacy (if there even is
such a thing), but rather a practical method to help designers create
applications that provide end-users with a reasonable level of
privacy protection that is commensurate with the domain, the
community of users, and the risks and benefits to all stakeholders in
the intended system.
Towards this end, we propose privacy risk models as a general
method for doing this. Herein we focus on personal privacy, the
processes by which individuals selectively disclose personal
information–such as email address, shopping history, or location–to
organizations and to other people. We also introduce a specific
privacy risk model for personal privacy in ubiquitous computing.
Our privacy risk model consists of two parts. The first part is a
privacy risk analysis which poses a series of questions to help
designers think about the social and organizational context in which
an application will be used, the technology used to implement that
application, and control and feedback mechanisms that end-users
will use. The second part looks at privacy risk management, and is a
cost-benefit analysis intended to help designers prioritize privacy
risks and develop architectures, interaction techniques, and
strategies for managing those risks. This privacy risk model is
intended to be used in conjunction with other methods, such as
interviews and lo-fi prototypes.
This privacy risk model came about from an analysis of previous
work, an examination of emerging ubicomp applications in use
(most notably AT&T Wireless Find Friends [6]), as well as from our
own experiences in developing privacy-sensitive systems. We
noticed that there were many common patterns of issues with respect
to privacy, and so we compiled them into a format more amenable
for design teams.
DIS2004, August 1–4, 2004, Cambridge, Massachusetts, USA.
Copyright 2004 ACM 1-58113-787-7/04/0008...$5.00.
The rest of this paper is organized as follows. First, we place privacy
risk models in the context of related work. Then, we describe our
describing our use of the privacy risk model in developing two
ubicomp applications, a location-enhanced instant messenger and an
emergency response service.
RELATED WORK
There has been some previous analytical and prescriptive work on
privacy-sensitive systems. Bellotti and Sellen argue the importance
of feedback and control for maintaining privacy in multimedia
ubicomp environments [9]. Palen and Dourish argue that privacy is
not simply a problem of access control, but is rather an ongoing and
organic process of negotiating boundaries of disclosure, identity,
and time. They also suggest genres of disclosure as a sort of design
pattern approach to support the development of privacy-sensitive
applications [33]. Langheinrich looked at how the fair information
practices can be adapted for ubicomp scenarios, providing many
examples of how these practices might influence the design of such
applications [23]. Jiang et al. proposed a systems design space for
minimizing the information asymmetry between users and observers
[22]. Lederer et al. provide a useful deconstruction of the privacy
space, looking at system properties, actor relations, and information
types [25]. The privacy risk model we propose is inspired by the
theoretical work above, but is focused more on providing a practical
method that designers can use to concretely conceptualize and
mitigate privacy risks faced by end-users in specific domains. In a
related paper, we offer a set of pitfalls in designing user interfaces
for privacy [24] and ubicomp design patterns for privacy [11].
A commonly cited resource in the privacy canon is the set of fair
information practices. These guidelines help large organizations,
such as corporations and governments, manage people’s personal
information in a responsible manner [42]. They include concepts
such as notice, choice, security, and recourse. While extremely
influential on the field of information privacy and on this work as
well, the fair information practices are intended more for large
organizations and do not translate well for interpersonal
relationships, such as between friends and family. Furthermore, the
fair information practices provide high-level requirements, rather
than delving into specific privacy risks. The privacy risk model we
propose is complementary to the fair information practices, in that it
can help designers examine specific privacy risks for specific
domains and end-users. It can also aid designers in determining
what kinds of security and recourse mechanisms are needed, helping
to translate these high-level requirements into more concrete and
detailed goals.
From an interaction design perspective, creating a privacy risk
model is similar in spirit to performing a task analysis (see for
example [19]). A task analysis involves asking a systematic series of
questions about the end-users, their desired tasks, their current tools,
and their social and organizational context. The privacy risk model
we propose falls along these lines, but focuses on specific privacy-
related factors, rather than on the task as a whole.
Privacy risk models were inspired by the idea of security threat
models in the field of computer security. Felten, a well-known
security researcher, describes the importance of security threat
models as follows:
[T]he first rule of security analysis is this: understand your
threat model. Experience teaches that if you don't have a clear
threat model - a clear idea of what you are trying to prevent
and what technical capabilities your adversaries have - then
you won't be able to think analytically about how to proceed.
The threat model is the starting point of any security analysis.
[15]
Our goal with the privacy risk model is to do the same, focusing on
privacy for individuals rather than on security for the systems that
those individuals use. Here, it is important to draw a distinction
between security and privacy. Saltzer and Schroeder [35] describe
security as the “mechanisms and techniques that control who may
use or modify the computer or the information stored in it”, and
privacy as “the ability of an individual (or organization) to decide
whether, when, and to whom personal (or organizational)
information is released.”
Security and privacy are clearly related; however, while a basic level
of security is necessary for helping people manage their personal
privacy, it is by no means sufficient. Furthermore, the security
mindset is often very different from what is needed in developing
privacy-sensitive applications. In security, one is often defending
against adversaries that are actively attacking and threatening one’s
systems and resources. However, Orwell and media headlines
notwithstanding, this is not always the case with privacy. For
example, one could imagine sharing one’s location information with
friends to facilitate micro-coordination of arrivals at a meeting place,
or sharing simple notions of activity to convey a sense of presence to
co-workers and friends. It is important to note here that in these
cases, the parties that are receiving such information already know
one’s identity, are not adversaries in the traditional sense, and that
the privacy risks may be as simple as wanting to avoid undesired
social obligations or potentially embarrassing situations.¹
The point is that, rather than being a single monolithic concept,
privacy is a heterogeneous, fluid, and malleable notion with a range
of needs and trust levels. The goal of a privacy risk model is to help
elucidate those needs and trust levels, refining privacy from abstract
principles into concrete issues that can be acted upon in specific
domains for specific applications.
As a final note, privacy risk models tend to look at privacy from the
perspective of individual end-users and their relationships, rather
than that of large communities. In some cases, it may be of greater
benefit to the overall community not to have some forms of privacy,
for example making it mandatory to display license plates on cars.
Etzioni [13] calls this the communitarian view on privacy, and
discusses the balance between privacy for individuals and benefit for
communities with respect to such topics as mandatory HIV testing,
sex offender laws, and medical records. This topic, however, is
beyond the scope of this paper.
PRIVACY RISK MODEL FOR UBIQUITOUS COMPUTING
In this section, we describe a privacy risk model that we have
developed for ubiquitous computing, though aspects of it will apply
to networked applications in general. Our privacy risk model is
comprised of two parts. The first part is a privacy risk analysis that
poses a series of questions to help designers refine their
understanding of the problem space. The second part looks at
privacy risk management, which deals with categorizing,
prioritizing, and developing interaction techniques, architectures,
and strategies for managing potential privacy risks.
¹ These differences are also why we termed our method a privacy risk
model rather than the privacy threat model.