Lightweight Identification for Enabling Personalization on Public Displays
Max Van Kleek (EMAX@CSAIL.MIT.EDU), Christopher Varenhorst (CHRISV@CSAIL.MIT.EDU), Larry Rudolph (RUDOLPH@CSAIL.MIT.EDU)
MIT Computer Science and Artificial Intelligence Laboratory, 32 Vassar St., Cambridge MA, 02139 USA
1. Introduction
Digital information displays are appearing in public places, prevalently in places where people are known to gather. But even as these displays grow increasingly interactive with touchscreens and multimedia, the essential content of these displays, ranging from the location-specific information which is being provided to the inevitable sponsored advertisements which render them viable, are generally still static, manually pre-selected materials arranged by the specific administrator. This predetermined content thus remains regardless of viewers’ interests or other contextual factors. As these displays become increasingly ubiquitous, active personalization becomes critical in order to provide a positive user experience and to prevent their being perceived as mere annoyances or distractions.
1.1 Personalization on public displays
Since users rightfully should not be obliged to trust blindly the myriad public displays they encounter throughout their day with their personal information, public terminals should, from the users’ perspectives, require as little private or personal information from them as possible. Instead, displays should automatically deduce what they need to know about users based on observations of their actions. Just as many web sites today take advantage of users’ anonymous clickstream data to start tailoring content to users prior to their logging in, public displays do not actually require having the users’ specific identities in order to start tailoring the displays. Although it has been shown that building such user models with limited access to personal information yields more limited possibilities for personalization than having complete information about the user (Padmanabhan et al., 2001), anonymous interaction data has been shown to be predictive of various aspects of future usage patterns, such as when the user will visit again (Montgomery, 1999).
2. Lightweight identification
Unlike anonymous clickstream data, which contain distinguishing identifiers that help to indicate successive visits by returning visitors, such as the user’s network (IP) address, interactions at touchscreen displays usually do not have any immediately distinguishable characteristics for returning users. In order to enable the construction of user models that span multiple visits, the display requires a means by which it can recognize returning visitors. While a traditional log-in and password approach would suffice, ensuring one’s security would require having a different password and login for each display. Keeping track of all the login/password combinations would potentially grow to cause unreasonable cognitive overhead; moreover, the act of typing in one’s login and password at each display could be time-consuming and tiresome. Biometric identification techniques provide another option. While effective at identifying a user, biometric identification techniques rely on a physical aspect of a user that is (generally) tied to their physiology. Therefore, users’ principals, or the digital identity from the displays’ perspectives, become inextricably tied to users’ actual identities, which yields an inappropriate privacy risk for use on untrusted displays.
Thus, we propose a new family of methods of identification for use in building models for personalization on untrusted public systems known as lightweight identification techniques. Unlike traditional authentication techniques which are evaluated based on their effectiveness against attacks, lightweight identification schemes are evaluated along the following dimensions:
1. Anonymity - The degree to which users’ lightweight principals are intrinsically tied to any identifying information about a person’s actual identity; lightweight identities should not be traceable back to their original owners, and a person should be allowed to obtain multiple principals or change principals whenever they want to.
2. Ease of use - The speed and ease with which users can identify themselves to a system; effective lightweight schemes should be able to identify a person within a negligible fraction of total interaction time with the system, and with little cognitive or physical effort.
3. Size of cognitive footprint - The nature and amount of information a user has to remember to identify himself or herself to a system; a smaller footprint eases the task of memorizing mappings from systems to identification keys, and allows users to more easily keep multiple principals straight, such as for different systems.
4. Cognitive persistence - How memorable the information required to identify oneself remains over time.
5. Scalability - The maximum size of the set of potential users from which a user can be uniquely distinguished.
6. Degree of guarantee - The traditional measure of “security”, the degree of certainty that a person is the owner of the principal for which they were identified.
The relative importance of each of these dimensions when evaluating a particular scheme depends on the application. For personalizing public displays and information kiosks, anonymity, ease of use, and scalability are likely to be of primary importance. Since public kiosk systems are untrusted, protecting the anonymity of the user on public displays eliminates the potential for Big Brother tracking scenarios, and also prevents the accumulation of potentially sensitive information. The second dimension exists for practicality; since interaction times with kiosks are typically very short, the time and effort required for identifying oneself to a system must be sufficiently small for the system to be usable and useful. Finally, scalability is likely to be very important, since public displays can have an extremely large potential user base. Meanwhile, however, the degree of security, or certainty that a user is whom he or she claims to be, is likely to be less important than for an application that, for example, provides access to a user’s sensitive information.
2.1 Related research
Much of the inspiration for lightweight identification comes from Weinshall and Kirkpatrick’s recent work on utilizing observed human memory phenomena for schemes for user identification that can be performed with extremely little apparent conscious effort (Weinshall & Kirkpatrick, 2004). They describe a lightweight identification scheme based on the imprinting/recognition memory of the human visual perceptual system that is easy for users to perform, scalable, and can yield a high degree of confidence for recognition.
3. Distinctive Touch
Our system, known as Distinctive Touch, or DT, is an example of a lightweight identification scheme we designed for touchscreen information kiosks. As described in (Varenhorst, 2004), DT takes advantage of users’ tactile memory for letting users easily identify themselves. In this scheme, users create their own “passdoodle”, a unique, identifying personal scribble gesture, which they simply perform on a display where they wish to be identified. New users train the system by demonstrating their gesture five times, which the system uses to build a model using both doodle shape and gesture velocity. A gesture recognizer determines the most similar model out of its library of users, and generates a confidence level corresponding to how closely the doodle matched the particular user.
Our hypothesis was that passdoodles would feature two main advantages for public touch-screen displays over a traditional textual username and password. First, that doodling would be easier and faster to perform while standing at a touchscreen display than typing a username and password on either an onscreen or attached physical keyboard. Second, that recalling and remembering gestures such as passdoodles would rely more on one’s implicit motor learning capabilities than one’s conscious semantic memory, which may lead to better memorability and reduced conscious effort required for recollection. Unlike biometric identification schemes such as fingerprint scanning or face ID, doodles are anonymous and virtually untraceable back to their owners.
Our initial implementation of DT built simple models of doodle shapes and compared candidate gestures with the model using a minimum description length measure. During an informal 10-user evaluation we conducted using this algorithm, we collected 7 positive samples of each user’s chosen doodle. We then performed leave-one-out cross-validation, by omitting a sample from each user’s set, building models from the remaining samples, and classifying the held-out sample. Our recognizer classified 69 out of the 70 collected samples correctly. Furthermore, the time required to perform each passdoodle was consistently under 2 seconds, with an average of 1.08 seconds. Unfortunately, however, due to the limited number of classes (users), we were unable to gauge the scalability of the algorithm to a large user population. We were also unable to ascertain how much cognitive overhead remembering passdoodles required compared with traditional passwords. However, findings from an earlier user study (Goldberg et al., 2002) suggest that the memorability of paper-based passdoodles compares closely to that of chosen textual passwords.
We are currently working on improving our doodle-recognition algorithm to incorporate comparison of gesture velocity over time. This has the potential to enhance scalability, by allowing similarly-shaped but differently executed passdoodles to be distinguished from one another, as well as to improve security by making impersonation of passdoodles more difficult. We are planning a larger, follow-up study to evaluate the performance of our new algorithm.
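The enroll, identify and leave-one-out steps described in this section can be sketched as follows. This is an added example, not the authors' DT recognizer: it substitutes mean point distance over arc-length-resampled strokes for the minimum description length measure, models shape only (no velocity), and the principal names, shapes and doodle data are constructed.

```python
import math, random

def features(stroke, n=32):  # resample to n points by arc length, centre, scale
    cum = [0.0]              # cumulative path length at each input point
    for (x0, y0), (x1, y1) in zip(stroke, stroke[1:]):
        cum.append(cum[-1] + math.hypot(x1 - x0, y1 - y0))
    pts, j = [], 0
    for i in range(n):
        target = cum[-1] * i / (n - 1)
        while j < len(stroke) - 2 and cum[j + 1] < target:
            j += 1
        seg = cum[j + 1] - cum[j]
        t = (target - cum[j]) / seg if seg else 0.0
        (x0, y0), (x1, y1) = stroke[j], stroke[j + 1]
        pts.append((x0 + t * (x1 - x0), y0 + t * (y1 - y0)))
    cx, cy = sum(x for x, _ in pts) / n, sum(y for _, y in pts) / n
    scale = max(math.hypot(x - cx, y - cy) for x, y in pts) or 1.0
    return [((x - cx) / scale, (y - cy) / scale) for x, y in pts]

def enroll(samples):  # model = point-wise mean of the training demonstrations
    feats = [features(s) for s in samples]
    return [(sum(x for x, _ in col) / len(col), sum(y for _, y in col) / len(col))
            for col in zip(*feats)]

def identify(models, stroke):  # -> (closest principal, confidence in (0, 1])
    f = features(stroke)
    d, user = min((sum(math.dist(p, q) for p, q in zip(f, m)) / len(f), u)
                  for u, m in models.items())
    return user, 1.0 / (1.0 + d)

def leave_one_out(dataset):  # hold out each sample, enroll on the rest, classify
    hits = []
    for user, samples in dataset.items():
        for k, held in enumerate(samples):
            models = {u: enroll([s for i, s in enumerate(ss) if (u, i) != (user, k)])
                      for u, ss in dataset.items()}
            hits.append(identify(models, held)[0] == user)
    return sum(hits), len(hits)

# Constructed data: four pseudonymous principals, seven noisy doodles each.
SHAPES = {"p1": lambda t: (math.cos(math.tau * t), math.sin(math.tau * t)),
          "p2": lambda t: (t, abs((4 * t) % 2 - 1)),
          "p3": lambda t: (math.sin(math.tau * t), math.sin(2 * math.tau * t)),
          "p4": lambda t: (t * math.cos(2 * math.tau * t), t * math.sin(2 * math.tau * t))}

def make_doodle(shape, rng, points=40, jitter=0.02):  # random position and size
    ox, oy, size = rng.uniform(0, 500), rng.uniform(0, 500), rng.uniform(80, 200)
    return [(ox + size * (x + rng.gauss(0, jitter)), oy + size * (y + rng.gauss(0, jitter)))
            for x, y in map(shape, (i / (points - 1) for i in range(points)))]
rng = random.Random(7)
DATASET = {u: [make_doodle(f, rng) for _ in range(7)] for u, f in SHAPES.items()}
```

Because the models are keyed only by opaque principal names and store normalized stroke shape, nothing in them ties a doodle to a person's actual identity, which is the anonymity property the scheme is evaluated on.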
4. Mobile device token-based identification
An alternative approach reduces user effort by offloading the task of identifying oneself to portable digital devices that users may already be carrying around with them, such as PDAs or mobile phones. Wu et al. demonstrated (Wu et al., 2003) a scheme for securely accessing remote services through potentially insecure public terminals. We have tried a number of simpler, lightweight approaches more suitable for personalization that reduce the amount of work required of the user during identification. In the simplest such approach, new users download a small digital token to their cell phone which contains their unique user identification code. When users later return to the display, they use their cell phone to present this token back at the display. Our current implementation uses a small application (a midlet) on the mobile phone to make a connection to the display (via the cellular data network) and transmit the user identification code. In practice, the efficiency of this approach proved to be limited by two factors: the speed with which users could locate their mobile phone, and delays experienced in making the data connection. As wristwatches become Bluetooth-enabled (IBM, 2002), we may see both of these delays diminish.
5. Summary
We believe that lightweight identification techniques will play an essential role for enabling displays to recognize and personalize interactions with users, while protecting user privacy. Just as magazine street vendors recognize regular customers, displays on the street may eventually use these techniques to recognize regular passers-by and provide a more friendly and familiar user experience.
References
Goldberg, J., Hagman, J., & Sazawal, V. (2002). Doodling our way to better authentication. CHI ’02 extended abstracts on Human factors in computing systems (pp. 868–869). Minneapolis, Minnesota, USA: ACM Press.
IBM (2002). IBM lab demonstrates special bluetooth watch. http://www.mobilemag.com/content/100/342/C1241/.
Montgomery, A. L. (1999). Using clickstream data to predict www usage. http://www.andrew.cmu.edu/user/alm3/papers/predicting
Padmanabhan, B., Zheng, Z., & Kimbrough, S. O. (2001). Personalization from incomplete data: what you don’t know can hurt. Knowledge Discovery and Data Mining (pp. 154–163).
Varenhorst, C. (2004). Passdoodles: A lightweight authentication method. http://oknet.csail.mit.edu/papers/varenhorst.pdf.
Weinshall, D., & Kirkpatrick, S. (2004). Passwords you’ll never forget, but can’t recall. Extended abstracts of the 2004 conference on Human factors and computing systems (pp. 1399–1402). Vienna, Austria: ACM Press.
Wu, M., Garfinkel, S., & Miller, R. C. (2003). Secure web authentication with mobile phones. Proceedings of the Student Oxygen Workshop 2003. Cambridge, MA.