User Perspective of Privacy in Mobility Pricing Systems: A Survey

Muhammad Usman Iqbal (1), Samsung Lim (2)
(1) PhD Candidate, (2) Senior Lecturer
School of Surveying and Spatial Information Systems
The University of New South Wales

Abstract. Mobility-pricing is one of the avenues leading to the "information highway". Using a combination of positioning, communication and information processing, automobile insurance can be priced based on the actual mileage of the vehicle. The vehicle's location is periodically and electronically disclosed to a central server for invoice generation. This raises the possibility of this data being used to reveal the driver's identity and social activity. Past research has only been speculative about the motorists' privacy perspective. This paper uses mobility-priced insurance as a case study and reports the results of a survey where respondents are asked to indicate their preferred trade-off between location privacy and the setup costs of a hypothetical mobility-priced insurance product. The respondents are also asked about their willingness to reveal location information to various social groups as a function of the time of day and day of week. It is hoped that the results of this research can be used to influence the design of other mobility-based payment systems.

Keywords: Location-privacy; Mobility pricing; transport surveillance; tracking; anonymity; Global Positioning System (GPS); telematics

1. Introduction

The automobile has gradually evolved from an analogue machine with mostly mechanical and hydraulic components to an electronic system with a growing number of computer-based systems. The term "telematics" is specifically used for the combination of communications, positioning and computing technologies on board the vehicle for improving the safety, security and comfort of vehicle occupants. Satellite navigation is becoming increasingly available on new mid-range car models as a standard feature. Likewise, aftermarket Global Positioning System (GPS) products are also becoming increasingly affordable. This capability enables the use of positioning equipment for other value-added services. Various services have been proposed, including emergency response, stolen-vehicle tracking and GPS-based road charging (Vidales & Stajano, 2002; Zhang, Wang & Hackbarth, 2003). Within the realms of this "smart car" revolution, mobility-pricing has drawn recent attention. Mobility pricing means that different taxes, levies and insurance charged to motorists for using the roads can be priced based on actual mileage (Litman, 2001). Various insurance companies now offer products that take customers' mileage into account and offer reductions in premiums, using GPS and GSM (Global System for Mobile communications) boxes for position determination and reporting (Norwich Union, 2007; Tripsense, 2007). While there are apparent benefits in using telematics-driven payment systems, the location disclosure requirement raises privacy issues. Travel behaviour profiles of motorists can be generated which can be used to make inferences about them, without their knowledge or consent. Some privacy researchers have tried to address this issue by designing privacy-aware telematics payment systems (Coroama & Langheinrich, 2006; Iqbal & Lim, 2006). These designs, however, have only been speculative about the motorists' privacy preferences.
Therefore, it is vital that public opinion is considered as an input to the design process of privacy-aware systems. This paper uses mobility-priced insurance as a case study and reports the results of a survey where respondents are asked to indicate their preferred trade-off between location privacy and the setup costs of a hypothetical mobility-priced insurance product. The respondents are also asked about their willingness to reveal location information to various social groups (e.g. family, co-workers) as a function of the time of day and day of week. The results of this research can be used to influence the design of other mobility based payment systems, e.g. road tax, paid parking, electronic toll collection. Section 2 presents a background about mobility pricing and its associated privacy issues.

2. Background

2.1 Mobility pricing and location privacy

Mobility-pricing of insurance is a new approach that employs location technology to customise insurance premiums so that they more accurately reflect the actual risks encountered on-road. This would reduce the cross-financing of high-risk drivers by low-risk ones and increase the fairness of insurance systems. Mobility-pricing systems use GPS logs to calculate the distances travelled on different types of roads in order to invoice customers. These GPS logs are disclosed to the pricing server using the GSM network. With the current architecture of sending GPS logs to a central server, there is a possibility of a range of privacy abuses. There would be unintentional transmission of information such as how fast drivers accelerate, how hard they brake, and how often they go above a prescribed speed limit (Iqbal & Lim, 2007a). Similar data might even be used to find the driver's situation just before a collision. It is also possible that these systems may conveniently enable ubiquitous surveillance of any registered motorist, causing a chilling effect on their privacy. These developments, however, have not gone unnoticed by privacy researchers. In the context of mobility-pricing, Coroama and Langheinrich (2006) implemented a GPS-based insurance system where premiums are calculated on board the vehicle, ensuring the privacy of motorists. There is periodic transmission of aggregated information to the insurance provider for bill generation. Iqbal and Lim (2006) extended this idea further and proposed a GPS-based insurance product that preserves location-privacy by computing distances travelled on the on-board unit, and additionally safeguarded spend-privacy by proposing smart card based anonymous payment systems. As shown in Figure 1, GPS data provides precise time and position information. There is a risk of making inferences about individuals based on these travel logs, which may be misleading.
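The contrast between the two architectures described above can be shown in a short sketch. This is an added example, not code from the paper or from the systems it cites: it aggregates distance per road type on the on-board unit and compares the result with what a central server can derive from the raw log. The sample log is constructed, and the road-class tag on each fix, the 120-second gap threshold and all function names are assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0088

# Constructed sample log (not real data): timestamp, latitude, longitude and a
# road class that is ASSUMED to come from map-matching on the on-board unit.
SAMPLE_LOG = [
    ("2007-03-05T08:00:00", -33.9170, 151.2310, "urban"),
    ("2007-03-05T08:01:00", -33.9070, 151.2310, "urban"),
    ("2007-03-05T08:02:00", -33.8970, 151.2310, "motorway"),
    ("2007-03-05T08:03:00", -33.8770, 151.2310, "motorway"),
    ("2007-03-05T09:03:00", -33.8000, 151.2310, "urban"),  # one-hour gap before this fix
    ("2007-03-05T09:04:00", -33.7900, 151.2310, "urban"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two fixes in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def segments(log, max_gap_s=120):
    """Yield (km, seconds, road_class) for each pair of consecutive fixes.

    A segment takes the road class of its later fix. Pairs separated by more
    than max_gap_s (parked vehicle, signal loss) are skipped rather than
    billed as a straight line between two unrelated positions.
    """
    for (t0, la0, lo0, _), (t1, la1, lo1, road) in zip(log, log[1:]):
        dt = (datetime.fromisoformat(t1) - datetime.fromisoformat(t0)).total_seconds()
        if dt <= 0 or dt > max_gap_s:
            continue
        yield haversine_km(la0, lo0, la1, lo1), dt, road


def on_board_summary(log, period):
    """Privacy-aware design: only per-road-class totals leave the vehicle."""
    totals = defaultdict(float)
    for km, _, road in segments(log):
        totals[road] += km
    return {
        "period": period,
        "km_by_road_class": {r: round(k, 1) for r, k in sorted(totals.items())},
    }


def raw_payload(log):
    """Central-server design: every timestamped fix is disclosed."""
    return [{"time": t, "lat": la, "lon": lo} for t, la, lo, _ in log]


def max_speed_kmh(log):
    """One inference the holder of the raw log can make: peak speed."""
    return max(km / (dt / 3600.0) for km, dt, _ in segments(log))


if __name__ == "__main__":
    print("sent by on-board design:", on_board_summary(SAMPLE_LOG, "2007-03"))
    print("sent by central design: ", len(raw_payload(SAMPLE_LOG)), "timestamped fixes")
    print("peak speed derivable from raw log: %.0f km/h" % max_speed_kmh(SAMPLE_LOG))
```

The billing summary is sufficient to price by distance and road type, yet contains no coordinates or timestamps from which speed, routes or a home address could be reconstructed.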
Iqbal and Lim (2007b) highlighted these issues by developing an automated profile generation tool that made inferences about individuals. They collected GPS data from users representing different communities at the university campus, ranging from academic and support staff to postgraduate and undergraduate students. They demonstrated that various inferences can be made about these individuals based on their GPS data. They inferred home addresses, the university subgroup the volunteer represents (staff, student, etc.) and the on-road travel behaviour of these individuals. These inferential privacy threats are further exacerbated by the possibility of this data being used to calculate an individual's actual risk-exposure and future premiums without the user's explicit knowledge or consent.

2.3 Related work

Within the realms of location-privacy, various surveys have been conducted to seek an understanding of how much users value their location information. Some studies sought to determine the monetary value that would attract a person to disclose his/her location information, while other studies focused on the social relations to whom people would be comfortable disclosing their whereabouts. Danezis et al. (2005) conducted an experiment with undergraduate students at a university campus where they explained to the potential respondents that their mobile cell location information would be used for a period of 28 days at a 500m resolution in exchange for financial incentives, and that selection of candidates would be based on a reverse auction sequence. Potential respondents were asked to go online to a portal and make their bids about how much compensation they expected in order to disclose their location data for the length of the required study. The bids ranged from £0 - £400 with a mean value of £27.
This study provides a measure of personal privacy, although this value may be a lower bound on the value of a user's location information, as a typical undergraduate student may have a greater desire to sell his/her information at a cheaper price than the general population. Barkhuus and Dey (2003) also conducted a series of experiments in an attempt to gauge how students rated ubiquitous services for usefulness and intrusiveness. Four hypothetical services, of which two were location-tracking and the remaining two position-aware, were provided to the users for use on their mobile phones. Position-aware services computed the position on the mobile phones independent of the network, while the location-tracking services notified an interested party once the user's mobile phone was within a predefined region. Interviews conducted with the participants revealed that people were more concerned about being tracked than when their mobile phone reacted to a change in location. Nearly one-third of the participants said that they would never use location tracking applications because of their intrusive nature. The aforementioned studies demonstrate that research has yielded important results in understanding user perception within the spectrum of location-privacy. However, not much work can be found in the current literature which incorporates user opinion in the design of privacy-aware location technology. This paper is an effort to understand user perspectives when it comes to designing privacy-aware solutions.

3. Survey

An online survey was conducted to gauge user opinion in the design of a hypothetical insurance product with inherent privacy-protecting features. Respondents were asked to indicate their preferred trade-off between location privacy and the setup costs of this system. This survey seeks to understand only the trend in the privacy vs. cost choices that respondents make, rather than exploring actual setup costs. The survey also seeks user opinion on their willingness to reveal location data to different social networks as a function of time of day and day of week. The results of these preferences can be used to customise privacy middle-ware, e.g. in case of an emergency or accident, the middle-ware would know to whom to disclose the location/position data.

3.1 Methodology

The survey was available online, which allowed participants to complete it in their own time, in a place of their own choosing. The user responses were stored in a relational database and were completely anonymous. Upon completion of the survey, analysis of this data was performed using a well-known statistical analysis package, SPSS 10.0, and the hypotheses were verified by applying various statistical tests. Before respondents take the survey, they are presented with a small animation in an effort to increase their understanding of the benefits and threats of location technologies. Participation in this survey was completely voluntary and no compensation was offered. The survey took about 14 minutes to complete. It was refined through several iterations of pilot testing and critique.

3.2 Video clip

A video clip is presented to the participants as a survey introduction (Iqbal & Lim, 2007c). This clip aims to provide the respondents with a background in order to reduce any biases that they may have about telematics and location-privacy by presenting scenarios depicting positives of the technology as well as potential abuse (see figure 2).
The video starts with the GPS satellite constellation revolving round the earth. The satellite signals then propagate onto the surface of the earth where a vehicle, fitted with a GPS-based telematics system, receives the signals to position itself on the road and report its location to a telematics call centre. In the same scene, the vehicle is involved in a collision. The call centre receives a notification of air-bag deployment on the vehicle and its last position. The call centre then dispatches emergency personnel to the accident site. This scene acknowledges the safety-of-life advantages that can be brought about using telematics systems. On the abuse side, the video clip displays a potential attacker's hideout, where continuous tracking of target individuals is being performed. Retrospective analysis of collected data is performed and is presented on the screen. Information like average and instantaneous speed, preferred routes to different destinations, residential addresses, and the driver's road behaviour is covered.

3.3 Population

Participants are recruited by circulating advertisements via email on various web-based mailing lists of the school and industry. The population included academic members, undergraduate and graduate students, and members from industry and consulting. The invitation email contains a brief description of the survey, and the web-site Uniform Resource Locator (URL) of the home page of the survey. The aim was to collect at least 100 responses from adults over the age of 18. The data from this survey represents the opinions of 133 respondents, almost half of whom (49%) came from the 26-32 age group. 17% of the respondents do not drive a vehicle or have a licence to drive a vehicle. The participants were diverse with respect to profession, and the occupations ranged from business-men to engineers, but information technology professionals are over-represented at 54% of the sample.
A non-probability sampling technique called the convenience modelling is used in this research, which means the survey is based on self-selection of respondents. With internet-based surveys, the common criticism is that they are not adequate for general population surveys. The criticism is well-founded, but this does not mean that internet survey results are of no value. A survey conducted by the Australian Bureau of Statistics of adults with access to the internet in Australia concludes that web users are generally young, highly educated professionals (ABS 2000), as is evident from this survey's sample space too. It is acknowledged that the survey sample here is not truly representative of the wider community, but as telematics becomes widely available, and more people start using it, it is expected that their privacy preferences would closely match those of the sample population of this survey.

3.4 Questionnaire

Once the video clip ends, survey respondents are provided with a link to proceed to the questionnaire. The respondents are asked to provide personal information including age, gender, profession, type of licence, and type of vehicle they drive in an effort to determine demographics for the further questions. The null hypothesis postulated assumes there is no correlation between the choice that individuals made about privacy features and their demographics, which is tested later in the results section. Section 2 of the survey is designed to gauge the interest of respondents in acquiring GPS navigation devices for their vehicles, and to test whether they have an adequate understanding of their use. Section 3 contains one of the most important questions of this survey, which was to probe respondents' attitudes in their choice when it comes to privacy-aware systems vs. the costs of maintaining privacy. The idea here was to find out if users were keen on acquiring the highest privacy regardless of the costs involved, or rated privacy threats moderately. Section 3 explores location disclosure to social networks. Respondents were asked to reflect upon who they felt should access their location information during different times of the day, e.g. during working hours or after hours or weekends.

4. Results

4.1 Telematics and GPS

In order to ascertain the importance of conducting privacy research in telematics, respondents are asked if they would be interested in acquiring GPS devices and telematics services for their vehicles. When asked if they would be interested in purchasing a satellite navigation product for their vehicle, 17% responded that they would purchase one in the near future, while 42% responded that they would buy one if the prices drop significantly. 26% said they were not interested in acquiring such a product in the near future, while the remaining said they were not interested at all. Therefore more than half (60%) said they would consider buying a GPS navigation device sooner or later. Similarly, when the respondents were asked if they would be interested in accessing telematics services, more than half (56%) responded that they would subscribe to the freely available services, while 25% were even willing to subscribe to the paid services. This demonstrates that there is a potential market for telematics in the imminent future, as more than 81% of respondents were interested in telematics. Only 7% of the remaining respondents said they would not subscribe due to driver-distraction issues, while 11% responded that they were not interested in any telematics services. Therefore, this interest from respondents justifies investigation of privacy issues in telematics, so that privacy is a design feature of future telematics services, not just an "after-thought".

4.2 Privacy-aware insurance design

An important question of this survey is related to mobility-pricing and privacy. Respondents were given an explanation of GPS-based insurance and its potential benefits of increasing fairness for premium calculations. At the same time, the survey also mentioned the potential threats related to location disclosure. Respondents were asked what option they would choose if new privacy-preserving insurance products were on the market.
The following options are listed in the survey to determine user opinion:

- Fairer premiums, highest privacy but higher setup costs
- Fairer premiums, moderate privacy but with medium setup costs
- Fairer premiums, lowest privacy and lowest setup cost
- Not interested due to privacy reservations
- Not interested, as I am happy with current insurance arrangements

Consistent with Westin's (1991) conclusion on online privacy attitude, there was an apparent grouping of the subset of the population that chose one of the first three privacy-aware options (see figure 3), which can be divided into three broad categories respectively. There is a "privacy fundamentalist" minority of 11% who are willing to pay the highest infrastructure costs to maintain the highest privacy, followed by a "pragmatic majority" of 28% who are satisfied with moderate privacy if they are required to spend a moderate setup cost. Finally there is a "marginally concerned" minority of 12% who are not concerned with their privacy and opt for the lowest setup costs, i.e. existing mobility-pricing offerings. The other significant subgroups either do not choose any form of GPS-based insurance due to privacy issues with such insurance (23%) or are satisfied with their existing insurance arrangements (19%).

4.3 Location disclosure to social networks

The last section of the survey aims to ask respondents to whom they would comfortably disclose their location at different times of day. Five groups of people, namely, employer, peers, friends, family, and three types of time periods, namely, working hours, after hours, and weekends are identified. The majority of the respondents agreed to disclose their location to their family (or significant other) at all times. In the case of location disclosure to friends, the response was almost balanced, with a slight inclination towards the willingness to disclose location to friends. More importantly, and interestingly, the majority of respondents did not prefer to disclose their location information to their employers, peers at work, and team (whom they supervise) during working hours, after-hours or weekends. During the design phase of the survey, it was predicted that there may be a correlation between the choice that respondents make about privacy-aware GPS-based insurance and the access to their location they provide. Bi-variate analysis between people choosing a form of GPS-based insurance (highest privacy, moderate privacy or lowest setup cost) and location disclosure based on relationship and time reveals a significant relationship.
There appears to be a positive correlation (Pearson Chi-Square, significant at the .001 level) between the people choosing insurance that is capable of tracking people and the choices those people make to disclose their location information. In summary, what this means is that people who opt for any type of GPS-based insurance would most certainly only disclose their location to their families.

4.4 Demographics and rewards programs

Past survey-based research has indicated that there is a relation between demographics and the importance people place on their privacy (Westin 1998). With the aim of verifying this attitude, the survey asks respondents to provide demographics data including age and gender, among other variables. Bi-variate analysis using Crosstabs in SPSS led to a positive correlation between gender and subscription to rewards programs. There appears to be a weak relationship between the two (Chi-Square statistics significant at the 0.05 level). Survey results suggest that the female populace is more careful of privacy abuse and values its privacy more, even if financial or other incentives like rewards programs are offered (see figure 4). Furthermore, this relationship is consistent with Westin's findings, which suggested a relationship between demographics and the level of online privacy concerns of respondents. An analogy can be drawn with his findings, where he suggested that women expressed higher levels of concern on every privacy-related issue about which they were questioned. The bar chart in figure 4 reveals that females censure incentives like rewards programs in exchange for location disclosure more than their male counterparts.

5. Discussion

5.1 General

In the past, road travel used to be an anonymous experience, where the only possible way of tracking an individual was through physical surveillance. The systematic monitoring of public places has provided the opportunity for a ubiquitous surveillance system. While it is generally accepted that individuals should not expect similar privacy protection in public places as they would expect in their private spaces, these location identification technologies raise grave issues such as what expectation of privacy an individual in public places should have. While technological developments have made mobility pricing a reality, the privacy issues associated with such technologies raise concerns. It is critical to incorporate public opinion in the design process of such technologies to assuage any social issues that may arise in the future and cause public dispel. The authors believe that the results of this survey would provide a critical input in the design of privacy-aware telematics solutions from the consumers' perspective. To the authors' knowledge no such initiative has been taken before.

Past surveys using psychological and experimental economics techniques have only focused on assessing the extent to which location information is valued by individuals (Acquisti & Grossklags, 2005; Cvrcek et al., 2006; Danezis et al. 2005), but not on their participation and willingness in the redesign of privacy-aware positioning solutions. Important issues have been highlighted as a result of this survey, which need further exploration. Engaging in public discussions and valuing public opinion would be essential in designing privacy-aware systems tailored to citizens' needs. As is evident from the attitude of respondents when their opinions were sought in redesigning privacy-aware GPS-based insurance, one-fourth of the respondents declined to participate due to privacy issues. There can be many explanations for this scenario but regardless of the motivation, there is a considerable minority who perceive a privacy threat from new technological developments. Likewise, contrary to other surveys conducted to find how much financial value respondents give to their location-privacy (Cvrcek et al. 2006; Danezis et al. 2005), the results from this survey indicate that respondents were not willing to subscribe to rewards programs in exchange for giving up their location tracks. Therefore, to obtain public acceptance, even privacy-aware solutions should cater to public opinion.

5.2 Function Creep

If existing mobility pricing solutions are allowed to proceed, they have the capability to collect huge amounts of personal location data from consumers. There are concerns raised by privacy advocates about the "function creep" this data enables (Wigan & Clarke, 2006). There is a possibility that authorities would like to access mobility data collected by GPS-based insurance projects, by providing rebates and incentives to insurance providers, and use this data for national congestion charging schemes, or for enhancing mass surveillance projects.
This same data may also seek secondary uses, much different from the initial intended purpose that it was collected for. There is also a possibility that data collected through mobility pricing would be sold to third parties like Original Equipment Manufacturers (OEMs) and vehicle part makers for their analysis.

5.3 Privacy-aware Middle-ware

Results of the survey can help regulate privacy-aware differentiated pricing solutions. It is clear that the majority of respondents are interested in mobility pricing and do not expect absolute privacy guarantees. While privacy expectation is not quite high for the majority pragmatists, there is a reasonable expectation to control the granularity and disclosure of information with customisation features embedded into the privacy-aware middleware. Therefore, privacy researchers working on telematics privacy design should cater for sufficient flexibility and control of location data for users. Additionally, survey results have also indicated that users value their social relationships strongly when it comes to location disclosure. Therefore, this information can be used for good reason, and stored to inform close family members in the event of an accident or emergency. One should expect that privacy-aware user interfaces would be quite complex and contain many configurable options. One such interface that was recently identified is the GM FleetView (2007), which is primarily for fleet management, but has built-in privacy features. Employees may find such systems quite useful to track work-related travel for tax purposes; however, the individuals operating such vehicles have a reasonable expectation of privacy when using the vehicles after-hours. This survey's results also support this notion, as the majority of respondents were against disclosing location information to their office personnel after-hours or on weekends.
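The disclosure control discussed in Sections 3 and 5.3 can be expressed as a small policy table keyed by requester group and time period. The sketch below is an added example and not the authors' middleware: the default levels are assumptions that mirror the survey's majority answers (friends are set to coarse disclosure as one reading of the near-balanced result), and the 09:00-17:00 weekday definition of working hours, the two-decimal coordinate rounding used for coarse disclosure, and all names are hypothetical.

```python
import copy
from datetime import datetime

EXACT, COARSE, NONE = "exact", "coarse", "none"
PERIODS = ("working_hours", "after_hours", "weekend")

# ASSUMED defaults modelled on the survey's majority answers.
DEFAULT_POLICY = {
    "family":   {p: EXACT for p in PERIODS},
    "friends":  {p: COARSE for p in PERIODS},
    "employer": {p: NONE for p in PERIODS},
    "peers":    {p: NONE for p in PERIODS},
    "team":     {p: NONE for p in PERIODS},
}

# Groups that receive the exact position after an accident or emergency.
EMERGENCY_CONTACTS = frozenset({"family"})


def classify_period(when):
    """Map a timestamp to one of the survey's three time periods (assumed hours)."""
    if when.weekday() >= 5:  # Saturday or Sunday
        return "weekend"
    return "working_hours" if 9 <= when.hour < 17 else "after_hours"


def coarsen(position, decimals=2):
    """Reduce granularity: two decimals is roughly a 1 km grid cell."""
    lat, lon = position
    return (round(lat, decimals), round(lon, decimals))


def with_override(policy, group, period, level):
    """Return a copy of policy with one user-chosen setting changed."""
    if period not in PERIODS or level not in (EXACT, COARSE, NONE):
        raise ValueError("unknown period or disclosure level")
    updated = copy.deepcopy(policy)
    updated.setdefault(group, {p: NONE for p in PERIODS})[period] = level
    return updated


def disclose(group, when, position, policy=DEFAULT_POLICY, emergency=False):
    """Return the position this requester may see, or None if disclosure is denied.

    Unknown groups are denied by default. The emergency flag only widens
    access for the emergency contacts, never for other requesters.
    """
    if emergency and group in EMERGENCY_CONTACTS:
        return position
    level = policy.get(group, {}).get(classify_period(when), NONE)
    if level == EXACT:
        return position
    if level == COARSE:
        return coarsen(position)
    return None


if __name__ == "__main__":
    pos = (-33.91734, 151.23127)          # constructed position
    monday_10 = datetime(2007, 3, 5, 10)  # a Monday, working hours
    monday_20 = datetime(2007, 3, 5, 20)  # same day, after hours
    # A fleet driver who opts in to employer tracking during work only.
    fleet = with_override(DEFAULT_POLICY, "employer", "working_hours", EXACT)
    for who, when, pol in [("family", monday_20, DEFAULT_POLICY),
                           ("friends", monday_20, DEFAULT_POLICY),
                           ("employer", monday_10, fleet),
                           ("employer", monday_20, fleet)]:
        print(who, classify_period(when), disclose(who, when, pos, policy=pol))
```

The fleet override at the end corresponds to the work-vehicle case discussed above: the employer sees the position during working hours and nothing after hours.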

6. Concluding Remarks

Mobility pricing is inevitable. It is considered to be one of a few ways to introduce the concept of fairness to road tax and motor insurance. While economists have argued about the increased social benefits of variable pricing, there has been increased resistance from politicians and user groups to such a charge. The major issue, besides user acceptance, is that the mechanism of telematics-enabled congestion charging is vulnerable to intrusive privacy abuse. If mobility pricing is to be generally accepted, its privacy threats have to be assuaged, and public opinion polls should be sought to gather users' opinions and attitudes towards a privacy-aware redesign process, as demonstrated in this paper.

Acknowledgement

The authors wish to express their gratitude to all respondents who agreed to participate in the online survey. The authors also wish to express their appreciation for the contribution provided by OMNILINK Pty. Ltd to this research.

References

1. Acquisti, A. & Grossklags, J. (2005). Privacy and Rationality in Individual Decision Making. IEEE Security and Privacy, 3, 26-33.
2. Australian Bureau of Statistics (ABS) (2000). Household Use of Information Technology, Australia, 1999, Catalogue No. 8146.0, Canberra: Australian Government Publishing Service.
3. Barkhuus, L., Dey, A.K. (2003). Location-based services for mobile telephony: A study of users' privacy concerns, in the proceedings of Interact 2003, Zurich, Switzerland, pp. 709-712.
4. Cvrcek, D., Kumpost, M., Matyas, V. & Danezis, G. (2006). The Value of Location Information: A European-Wide Study. Cambridge Security Protocols Workshop 2006.
5. Coroama, V., & Langheinrich, M. (2006). Personalized Vehicle Insurance Rates - A Case for Client-Side Personalization in Ubiquitous Computing. Paper presented at the Workshop on Privacy-Enhanced Personalization at CHI 2006, Montréal, Canada, 22 April, 2006.
6. Danezis, G., Lewis, S. & Anderson, R. (2005). How much is location privacy worth? In Proceedings of Workshop on Economics of Information Security (WEIS 05).
7. GM Fleetview. (2007). GM FleetView Presentation Video. Available online at: http://video.vividas.com/media/4630_GMFleet/web/ (accessed 18 March 2007).
8. Iqbal, M.U., & Lim, S. (2006). A privacy preserving GPS-based Pay-as-You-Drive insurance scheme. Symp. on GPS/GNSS (IGNSS2006). Surfers Paradise, Australia, 17-21 July, CD-ROM procs.
9. Iqbal, M.U., & Lim, S. (2007a). Location Privacy in Automotive Telematics. In Karimi, H. (Ed.), The Encyclopedia of Geoinformatics. Idea Group Publishing (In Press).
10. Iqbal, M.U., & Lim, S. (2007b). An automated real-world privacy assessment of GPS tracking and profiling. Second Workshop on Social Implications of National Security: From Dataveillance to Uberveillance, Wollongong, Australia, 29 October, 2007, pp 225-240.
11. Iqbal, M.U., & Lim, S. (2007c). Location Privacy Survey Video Animation. Available online at http://129.94.167.206:8080/PrivacySurvey/privacy.swf
12. Litman, T. (2001). Distance-Based Vehicle Insurance: Feasibility, Costs and Benefits. Comprehensive Technical Report, Victoria Transport Policy Institute. Victoria, British Columbia.
13. Norwich Union. (2007). Pay As You Drive Insurance - Car Insurance - Norwich Union UK. Available online at: http://www.norwichunion.com/pay-as-you-drive/index.htm (accessed 15 January 2007).
14. Tripsense. (2007). TripSenseHow TripSensor Works. Available online at: https://tripsense.progressive.com/about.aspx?Page=HowDeviceWorks (accessed 12 February 2007).
15. Vidales, P., & Stajano, F. (2002). The Sentient Car: Context-Aware Automotive Telematics. Paper presented at the LBS-2002.
16. Westin, A. F. (1991). Harris-Equifax Consumer Privacy Survey 1991. Atlanta, GA, Equifax Inc.
17. Westin, A. F. (1998). E-commerce & Privacy: What Net Users Want. Hackensack, NJ: Privacy & American Business.
18. Wigan, M. & Clarke, R. (2006). Social Impacts of Transport Surveillance. Prometheus, 24, 389-403.
19. Zhang, D., Wang, X.H., Hackbarth, K. (2003). OSGi Based Service Infrastructure for Context Aware Automotive Telematics. Paper presented at the IEEE Vehicular Technology Conference, Italy.

Appendix

Figure 1: A sample GPS log

Figure 2: Some scenes from the animation that respondents watched before taking the survey

Figure 3: Bar-chart representing correlation between insurance options and location disclosure to social networks

Figure 4: Bar-chart representing correlation between rewards program subscription and gender
