sidekaixin001

UserModelUser-AdapInter(2012)22:203–220DOI10.
1007/s11257-011-9110-zORIGINALPAPERPersonalizationandprivacy:asurveyofprivacyrisksandremediesinpersonalization-basedsystemsEranToch·YangWang·LorrieFaithCranorReceived:14September2010/Acceptedinrevisedform:31December2010/Publishedonline:10March2012SpringerScience+BusinessMediaB.
V.
2012AbstractPersonalizationtechnologiesofferpowerfultoolsforenhancingtheuserexperienceinawidevarietyofsystems,butatthesametimeraisenewprivacycon-cerns.
Forexample,systemsthatpersonalizeadvertisementsaccordingtothephysicallocationoftheuseroraccordingtotheuser'sfriends'searchhistory,introducenewprivacyrisksthatmaydiscouragewideadoptionofpersonalizationtechnologies.
Thisarticleanalyzestheprivacyrisksassociatedwithseveralcurrentandprominentper-sonalizationtrends,namelysocial-basedpersonalization,behavioralproling,andlocation-basedpersonalization.
Wesurveyuserattitudestowardsprivacyandperson-alization,aswellastechnologiesthatcanhelpreduceprivacyrisks.
Weconcludewithadiscussionthatframesrisksandtechnicalsolutionsintheintersectionbetweenper-sonalizationandprivacy,aswellasareasforfurtherinvestigation.
Thisframeworkscanhelpdesignersandresearcherstocontextualizeprivacychallengesofsolutionswhendesigningpersonalizationsystems.
KeywordsPrivacy·Personalization·Human–computerinteraction·Socialnetworks·E-commerce·Location-basedservices1IntroductionNewpersonalizationtechnologiesarebecomingincreasinglywidespread,raisingamultitudeofprivacychallenges.
ThreetrendsinpersonalizationrequirespecialE.
Toch(B)DepartmentofIndustrialEngineering,TelAvivUniversity,69978TelAviv,Israele-mail:erant@post.
tau.
ac.
ilY.
Wang·L.
F.
CranorSchoolofComputerScience,CarnegieMellonUniversity,4720ForbesAve.
,Pittsburgh,PA15213,USA123204E.
Tochetal.
attentionwithregardtoprivacy:social-basedpersonalization,behavioralproling,andthemobileWeb.
TheWebhadbecomemoresocial,aplacewherepeopleusetheirrealidentitiesandcommunicatewiththeirfamily,friends,andcolleagues.
Asaresult,applicationshavestartedtouseinformationaboutauser'ssocialnet-workstopersonalizeadvertising,searchresultsandothercontent.
Personaliza-tionalgorithmshavebeensteadilyimproving,makingbehavioralprolingmoreaccurateandpowerful.
Finally,theWebhadbecomemobile,frequentlyaccessedthroughsmartphones,providingnewinformationandpossibilitiesthatcanbeusedforpersonalization.
PersonalizationhasthepotentialtoamplifyandcomplicatetheInternet'sinher-entprivacyrisksandconcerns.
Forexample,personalizedcontentinasocialnet-worksystemcanrevealpotentiallyembarrassinginformationdirectlytofriends,fam-ily,andcolleagues.
Personalizingcontentaccordingtothephysicallocationoftheusercanrevealthelocationtounauthorizedthird-partyentities.
Examplesofthesetypesofpersonalizationarereadilyapparentatmanywebservicesoperatingtodayinwhichusersarefacingacomplicatedprivacylandscape.
Recentsurveyshavedescribedincreasingconcernsaboutprivacyinthecontextofpersonalization.
A2010surveybyAntonetal.
(2010)showedthatprivacyconcernsregardingwebsitepersonali-zationhavegrownsignificantlybetween2002and2008.
AsurveybyTurowetal.
(2009)foundthat66%ofAmericansdonotwantmarketerstopersonalizeadver-tisementstotheirinterests,andthatthisattitudeisconsistentacrossagegroupsandgender.
Facebook'spersonalizationattemptsprovideanalarmingcasestudythatcanhigh-lightthetensionbetweenprivacyandpersonalization.
OnNovember2007,Facebookintroducedafeaturecalled"FacebookBeacon,"whichallowedthird-partysitestoaccessFacebook'suserproleandpersonalizeadvertisementsandcontentaccord-ingly.
Theuser'sactivitiescouldalsobepostedtotheuser'snewsfeed,andmadeavailabletotheuser'ssocialnetwork.
CompaniessuchaseBay,Travelocity,andtheNewYorkTimes,receivedaccesstotheuser'sproleinformationandhersocialnet-workinordertocustomizetheirservices.
Thenewfeatureencounteredstrongpublicoppositionduetopossibleexposureofprivateinformationtofriendsandthird-partysites.
Severalweeksafterlaunchingthefeature,Facebookhadhastilyretractedit(StoryandStone2007).
Thisstudyaimstoreconcilethetensionbetweenprivacyandpersonalization.
Ourobjectiveistoprovidedesignerswithtoolstobuildeffectivepersonalizationwhilepreservingtheprivacyoftheirusers.
Severalsurveyarticleshavedescribedpri-vacyinpersonalization,includingsurveysbyVolokh(2000),Riedl(2001),Cranor(2003),andKobsa(2007b).
Inthisarticle,wesurveythenovelprivacyandper-sonalizationlandscapewhichevolvedoverthelast3years.
Inparticular,wesurveycontemporarytechnologiesthathaveapotentiallytransformativeimpactonprivacy:socialnetworks,behavioralproling,andlocation-basedWebservices.
Wesumma-rizethearticlebyintroducingaframeworkforclassifyingprivacyrisksandsolutionsaccordingtothedifferentstageofthepersonalizationprocess.
Theframeworkcanaiddesignersinunderstandingandresolvingprivacychallengesinpersonalizationtechnology.
123Personalizationandprivacy2052NewprivacychallengesContemporarypersonalizationtechnologiesposeanumberofnewriskstousers'privacy.
Inthissection,wediscussthreedomainsofpotentialrisks:social-basedper-sonalization,behavioralproling,andlocation-basedpersonalization.
2.
1Social-basedpersonalizationTheexponentialgrowthofsocialnetworksystems(SNS)inthelastfewyearshascreatedahugeonlinerepositoryofrealidentities,unparalleledtoanythingknownbefore.
SNSssuchasFacebook,Twitter,MySpace,Orkut,LinkedIn,Kaixin001,andRenrenhaveacombinedtotalofover900millionusers(Wangetal.
2011).
Mostofthesocialnetworksstorerichinformationabouttheirusers,includingrealnames,emailaddresses,listoffriends,demographics,personalphotos,location,inter-personalcommunications,andmore.
Thisinformationisusedforvariousmeansofpersonaliza-tion,indomainssuchasapplicationcustomization,socialsearch,andonlinemarket-ing.
However,implementingprivacypreservingpersonalizationinSNSisparticularlychallenging.
First,socialnetworksincludehighlysensitiveinformation,becausesocialnetworksenablein-personcommunication,peopleareoftenwillingtorevealmoreprivateinformationthantheywouldotherwise(AcquistiandGross2006;StutzmanandKramer-Dufeld2010).
Second,personalizingcontentaccordingtotheuser'sfriendsmaycompromisenotjusttheuser'sprivacy,butalsoherfriends'privacy.
Third,releasinginformationwithinthesocialnetworkenvironmenthasthepotentialtoembarrasstheuserinthefaceoffriends,family,andcolleagues.
Theconsequencescanbesevere:in2008,8%ofU.
S.
companiesemploying1000workersormorehadreportedringanemployeebecauseofinformationreleasedononlinesocialnetworks(ForresterConsulting2008).
Inthissection,wedescribemarketingandsocialsearchasprominentexamplesofprivacyrisksinsocial-basedpersonalization.
Facebook'sendeavorsintopersonalizationprovideatellingstoryoftheconse-quencesofnotaddressingprivacyconcernswhendeployingsocial-basedperson-alizationinonlinemarketing.
The"Beacon"advertisingprogramwaslaunchedinNovember2007.
Partnercompanieswereallowedtoaccessusers'proles,andtopresentpersonalizedadvertisingtothoseusers.
Certainactivities,suchaspurchasingaproductoraddingaproducttoawishlist,werepublishedtotheuser'sfriends.
Theservicehadencounteredresistanceintheformsofonlinepetitionsprotestingthepro-gram,negativemediaattention,andaclassactionlawsuit.
ThefactthatBeaconallowedtheusersfriendstolearnaboutthegoodsandservicestheybuyandviewonlinewasthemostcitedconcernagainstthenewfeature(StoryandStone2007).
Asaresult,theservicewasshutdowninSeptember2009.
Ayearandahalflater,Facebookencoun-teredsimilarresistancetoanotherfeature,called"InstantPersonalization,"whichwasintroducedinApril2010(Facebook2010).
Withinstantpersonalization,servicepro-viderswereallowedaccesstoSNSprolesautomaticallywhenusersvisitedtheirsite,withoutrequiringexplicitconsentfromusers.
InstantPersonalizationwascriticizedbyusers,media,andregulators,andwasquicklyretractedbyFacebook(HelftandWortham2010).
123206E.
Tochetal.
Thepotentialenhancingpersonalizationusinginformationdrawnfromsocialnetworkshasbeenincreaseddramaticallybytheintroductionofsocialnetworkappli-cationprogramminginterfaces(API).
LargeSNSsallowthird-partyapplicationstoaccessusers'prolesthroughanAPI,suchasFacebook's"Facebookconnect.
"Theinterfaceallowsthird-partyapplicationstoaccessuserdataandtopublishstoriesandinformationtotheuser'sfriends.
Usersoftenhavelimitedcontrolovertheapplicationsthataccesstheirinformation(BonneauandPreibusch2009),andaretypicallyaskedtoauthorizeapplicationaccessonlywhenstartingtheapplicationatthersttime.
ThisrelativeeaseofaccesstosocialnetworkdatathroughtheAPIposesaprivacyrisktousers.
Forexample,Facebookapplicationscouldaccessalmosteverythingonauserprole,includinghometown,groupstheuserbelongto,eventsattended,favoritebooks,andmore.
Socialsearch,personalizedrecommendation,andtargetedadvertisingarethemostwidelyusedformsofsocial-basedpersonalization(Paliouras2012).
Insocialsearch,searchresultsarepersonalizedaccordingtotheuser'ssocialnetwork(Heymannetal.
2008;Dalal2007).
ServicessuchasDelver,Sightix,SideStripe,andGooglesocialsearch,takeintoaccountusers'socialnetworksindifferentways.
Forexample,Google+1searchfeaturendsrelevantcontentfromyourfriendsandcontactsandhighlightsitforyouontheregularsearchresultspage(Google2011).
Othersocialsearchengines,suchasMicrosoftBing,showuser-generatedcontentfromsocialnetworkssuchasTwitterandFacebook,andpersonalizetheresultsaccordingtothesocialdistancefromtheuserpostingthequery.
Socialsearchexempliesanothervulnerabilityofsocial-basedpersonalization:itcanrevealinformationabouttheuser'ssocialnetworkthatmightnotbeeasilyaccessiblethroughregularinteraction.
Forexample,ifafriendhadmarkedasearchresultaboutcancertreatment,thisinformationcanberevealedwhenanacquaintanceontheuser'ssocialnetworkwillsearchforthesamething.
Thisscenarioexemplieshowpersonalizationcaneliminatetheoriginalcontextfortheinteractionandcreateunexpectedresults.
UsershaveagrowingsensitivitytowardsprivacyinSNSs.
In2005,AcquistiandGrossshowedthatFacebookusershaveconcernsregardingtheirprivacy,butonlyasmallminorityofthemactupontheseconcernsandprotecttheirpublicprole(AcquistiandGross2006).
However,ina2010articlebyStutzmanandKramer-Dufeld,whichstudieduserswithcomparabledemographicstotheAcquistiandGrosspaper,amajorityofusershadfriends-onlyproles(StutzmanandKramer-Dufeld2010).
Surveyshaveshownthatprivacyconcernsincreasewhentheuserismoreactiveinthesocialnetwork(Lewisetal.
2008)andwhenshehasmoresocialcontextsthatareincludedinthesocialnetwork(Lampinenetal.
2009).
Thelastfac-torisparticularlyrelevanttopersonalization,aspersonalizationhasthepotentialofintroducingnewcontextstosocialnetworking,sharingprivateinformationinwayswhichtheuserdidnotforesee.
Usersarenotonlyconcernedabouttheirprivateinformationbeingused,butalsoaboutunintentionalowofinformationtotheirsocialnetwork.
Knowledgeaboutauser'ssocialnetworkisinitselfaprivatepieceofinformationandasensitivemediumthroughwhichprivateinformationcanleak.
Consider,forexample,theuproarcon-cerningexposedGmailcontactsthroughGoogleBuzz(Mullins2010).
Anunintendedleakageofinformationcompromisestheuser'sabilitytocontrolherpublicpersonaand123Personalizationandprivacy207interferewiththeinteractionoftheuserwithhersocialnetwork(PalenandDourish2003).
Furthermore,surprisingtheuserbysharingunintendedinformationwithhersocialnetworkcanviolatesocialnorms,thusharmingtheintegrityofthecontextualuseofthesocialnetwork(Nissenbaum2004).
ItisimportanttoemphasizethatnotallSNSarethesame.
DifferentSNSusershavedifferentprivacyapproaches,anddifferentSNShavedifferentprivacycontrols,varyinginexpressivenessandfunctionality(BonneauandPreibusch2009).
Thedif-ferencescanbeexplainedbythecommercialmotivationbehindtheSNS,aswellastheoverallsensitivitytowardssharinginformationbetweendifferentusercommuni-ties.
Dwyeretal.
(2007)foundthatFacebookusershaveagreatersenseoftrustinotherFacebookusersandthusrevealmoreinformationthanusersonMySpace.
Somedifferencesregardingprivacyapproachesandbehaviorscanaredependentonculturalapproachesregardingtrust,privacy,andinformationsharing.
ArecentstudybyWangetal.
(2011)foundthatAmericansocialnetworkusershavemoreprivacyconcernsthantheirChineseandIndiancounterparts,andthatthetypeofinformationregardedasprivatediffersbetweencultures.
2.
2BehavioralprolinganddataaggregationBehavioralprolingisthepracticeofcollectinglongitudinaldataaboutaperson'sactivitiesandtailoringtheuserexperiencebasedonthoseactivities.
Unlikesystemsthatrelyondataactivelyprovidedbytheuser,inmostinstancesofbehavioralprolingthesystemtracksawiderangeofuserbehaviors,withlittleornoconsentofusers.
Inrecentyears,behavioralprolinghasbecomecommoninmanydomains,includ-ingInternetadvertising,Websearchandelectroniccommerce.
Prolesarecreatedbasedonavarietyofdifferentactivities,includingsitesvisited,productspurchased,productpagesviewed,emailssent,andsofourth.
Mostbehavioralprolingsystemstrackusersoverlongperiodsoftimeusingbrowsercookies,whichidentifytheuserbetweenconsecutivesessions.
Behavioralprolingposesseveralpotentialprivacyrisks.
AnFTCrecentlyhigh-lightedtheconcernsassociatedwithbehavioraladvertising,includingtheinvisibilityofdatacollectiontousersandtheriskthatdatawouldfallintoundesired3rdpartyhand(FederalTradeCommission2009).
Oneriskcitedbymanyusersisunsolicitedmarketing(CulnanandMilne2001).
Anotherriskassociatedwithpersonalizationisthatpersonalinformationwillbeinadvertentlyrevealedtootherusersofthesamecomputer.
Ascookiesareusedtoidentifyusers,userswhosharethesamecomputerandWebbrowsermayvieweachother'sads.
Moreover,asInternetadvertisementproviderssuchasGooglearelinkingbehavioralprolestoserver-sideuseraccounts,advertisementscanbeshownacrossdifferentcomputers.
Thus,thereisapossibilitythatsomeonewhodoesnotsharetheuserscomputerwillgainaccesstoherpersonal-izedcontent.
Finally,usersreportthatthemerefeelingofbeingwatchedandtracked,isdisturbing(McDonaldandCranor2010).
Sophisticatedanalysiscanbeusedtoderivenewfactsabouttheusermodel,andthereforecanpotentiallycontradicttheuser'sinitialperceptionsofthesystemcontextinwhichthedatawascollected.
Aprominentexampleofthesetypesofanalysis123208E.
Tochetal.
iscollaborativeltering(Schaferetal.
2007).
Theunderlyingassumptionofcollaborativelteringisthatauserwilllikethingsthatsimilaruserslike.
Itcom-putesclustersofuserswhosharesimilartastesbasedontheirpreviouspreferences,andthenusespreferences(e.
g.
,ratings)ofthesesimilaruserstomakepredictions.
TraditionalCFsystemscollectandstoreuserinformation(e.
g.
,users'productratings)inacentralizedrepository.
Thiscongurationcanraisesecurityrisks,aswellaspri-vacyrisks.
Studieshaveshownthatsomeusersareuncomfortablebeingwatchedandanalyzed(Cranor2003).
AsNissenbaum(2004)compellinglyargues,themereactionofcontextswitchingholdsprivacyrisksasitcanleadtoviolatingtheintegrityoftheoriginalcontext.
Incollaborativeltering,forexample,theusermodelisenrichedwithinformationinferredfromotherusers.
Personalizationbasedoninformationaggregationisbecomingwidespreadinindus-tryandalsoasaresearcheldinacademia.
Thebarrierstowardslargescaleinformationaggregationincludelegalrestrictions(WangandKobsa2006)aswellastechnologicalhurdles.
Inaseriesofarticles,Mehtaandotherresearchersshowhowusermodelscanbeexchangedbetweensystemstoprovidecross-systempersonalizationusinguni-edsemanticdescriptions(Mehtaetal.
2005)ormachinelearningalgorithmsMehta(2006,2007).
Thisfunctionalitywillenablepersonalizationsystemstouseinformationfromothersystems,forexample,amusicpersonalizationservicecanusetheuser'sbookrecommendationstoofferpersonalizedcontent.
However,theinformationusedbythepersonalizationsystemisinherentlyusedunderadifferentcontextthanitwascollectedandhasthepotentialofsurprisingorembarrassingtheuser.
Forexample,theGooglesocialgraphAPIGoogle(2008)isanexampleforsemanticdataaggregationofsocialnetworkinformation,whichcanresultinblendingdifferentsocialcontexts.
Userattitudestowardsbehavioralprolingwerestudiedinseveralsurveysanduserstudies.
ArecentsurveybytheTRUSTeorganizationhadfoundthatonly28%ofInternetuserswouldfeelcomfortablewithadvertisersusingwebbrowsinghistory,and35%believetheirprivacyhasbeeninvadedinthepastyearduetoinformationontheInternet,eveniftheirbrowsinghistoryisnottiedtotheiractualname(TRUSTeandTNS2009).
Theconcernsregardingtailoredadvertisingarealsoreectedinanationallyrepresentativephonesurveyconductedin2009,whichfoundthat66%ofadultsdonotwanttailoredadvertising.
Thisincreasedto86%whenparticipantswereinformedoftechniquessuchasthird-partycookies(Turowetal.
2009).
Userunderstandingofthetechniquesbehindbehavioraladvertisingislimited.
AstudybyMcDonaldandCranorreportedthatasmallpercentageofusersunderstandthemech-anismbehindbehavioraltracking,andwhentoldaboutthesemechanismsmostusersfoundthemconcerning(McDonaldandCranor2010).
Furthermore,Thereisgrow-ingevidencethatprivacyconcernsimpactthebehaviorofbothusersandmarketers.
Tsaietal.
foundthatwhenpresentedwithprivacyinformationinsearchresults,labstudyparticipantsoftenpaidasmallpremiumtoshopatwebsiteswithgoodprivacypolicies(Tsaietal.
2011).
Thetimingofpresentingtheprivacyinformation(e.
g.
,whilesearchingorwhileshowingtheproductinformation)hasasignificanteffectonuserbehavior(Egelmanetal.
2009).
ArecentsurveybytheMediaPostreportedthatsomemarketersarelimitingtheirbehavioraltargetingduetoprivacyissues(Davis2010).
123Personalizationandprivacy2092.
3Location-basedpersonalizationPersonalizedlocation-awareservicesarebecomingmoreandmorewidespread.
DevelopmenthasbeentriggeredbytheadoptionofGPS-enabledphonesandWiFipositioningtechnologies,aswellastheincreaseinmobiledatabandwidth.
Asthesophisticationofmobiledevicesgrows,soistheabilityofserviceproviderstocon-tinuouslytrackthelocationoftheirusers,offeringthemservicesbasedontheirexactphysicallocation.
Ithasbecomeeasiertodevelopmobileapplicationsthatrequesttheexactlocationoftheuserthroughtheuseofeasilyaccessibleoperatingsystemandbrowserapplicationprogramminginterfaces.
Forexample,theiPhoneoperatingsys-temandGoogle'sAndroidhavelocationservicesprogramminginterfacesthatallowbackgroundlocationrequests.
OperatingsystemssuchasWindows7andMacOS10,aswellasbrowserssuchasMozillaFirefox,exhibitalocationprogramminginterfacethatallowsapplicationdevelopersandwebsitebuilderstorequesttheuser'sphysicallocation.
Physicallocationisusedinvariouswaysforpersonalization.
Luetal.
(2010)andYietal.
(2009)useusers'physicallocationinformationtoimprovetheirpersonalizedsearchresults.
Thisisbecomingacommonpractice.
Inaddition,searchresultsdis-playedonsmartphonesareselectedaccordingtotheuser'slocation,highlightinglocalvenuesandservices.
Servicesformobileadvertising,e.
g.
AppleiAdandGoogle,offerpersonalizedadsbasedonlocation.
Variousservices,includingvenuenders(e.
g.
,Yelp,UrbanSpoon),personalclassieds(e.
g.
,Grindr,OkCupid,Skout),weatherandnewsapplications,andsoforthuselocationforpersonalization.
E-commerceservices,suchasShopkick,areusinglocation-basedpricediscrimination,offeringcouponsbasedonlocationanduserprole.
AccordingtoasurveybyTsaietal.
(2010)usershaveseveralconcernsregardinglocation-basedservice.
Theseconcernsare(intheorderofimportance):beingstalked,revealinghomelocation,beingtrackedbytheirboss,beingtrackedbythegovernment,andbeingbotheredbylocation-basedads.
Theprimaryprivacyconcernssurround-ingthedisclosureofthisinformationincludecontextanduse(Barkhuusetal.
2008).
Privacyconcernscandependonthesituationoractivityinwhichtheusermaybeengaged(Iachelloetal.
2005).
AstudybyBenischetal.
(2011)empiricallyevaluatedmethodsforprivacycontrolinlocationsharingscenarios.
Theresultsshowthatcer-taincontexts,identiedusingtimeorlocation,areconsideredmoreprivatebyusers.
Expressiveprivacycontrolsthatallowuserstospecifyparticularlocationsortimesinwhichtheywillnotreceiveadvertisementswerefoundtobetterexpresstheusers'preferences.
AstudybyTochetal.
(2010)presentedamodelforprivacyinlocationsharingapplications,showingthatusersarelesscomfortablesharingplaceswhicharelessfrequentlyvisitedbythegeneralpopulation.
3ReducingprivacyrisksTheprivacyriskshighlightedinthesectionabovecanbereducedbycare-fullyexaminingtechnologicalarchitecturesthatmitigatethoserisks.
Inthissec-tion,wedescribeexistingapproachestosystemdesignthatallowpersonalization123210E.
Tochetal.
methodstooperatewhileminimizingthepotentialriskstousers.
Wediscussthetradeoffsbetweenpersonalizationeffectivenessandtheprivacyrisksforeachoftheapproaches.
3.
1PseudonymouspersonalizationPseudonymouspersonalizationallowsuserstousepseudonymsinapersonalizedsystem.
Thisapproachenablesthesystemtotrackthesamepseudonymacrossdif-ferentsessionsandprovidepersonalizedserviceswithoutknowingthetrueidentityofthepseudonym.
Severalsystemsallowausertocreateandmaintainmorethanonepseudonymouspersona,sothattheusercanseparatedifferentaspectsofheronlineactivities(e.
g.
,workversusentertainment)andcancontrolwhichservicepro-vidercanhaveaccesstocertainpersona(Arleinetal.
2000;Hitchensetal.
2005).
Kobsaproposedasystemthatgoesonestepfurtherbyhidingnotonlytheidentitiesoftheusersbutalsothelocationoftheusermodelingserversinthenetwork(KobsaandSchreck2003).
Fromtheperspectiveof"identiabilityofdata,"pseudonymouspersonalizationhasaclearadvantagebecauseitseemstohideidentityand,inmostcases,privacylawsarenotapplicablewhentheinteractionisanonymous.
However,anonymityisstillcurrentlydifcultortedioustopreservewhenpayments,physicalgoods,andnon-electronicservicesareinvolved.
Moreover,ithasbeenshownrepeat-edlythatonlyhidingexplicitidentityinformation(e.
g.
,name,emailaddress)isnotsufcienttohideidentitybecauseotherdatasourcesmaybeusedtouncoverone'sidentity(e.
g.
,databaseentries(Sweeney2002),webtrails(Malinetal.
2003),andqueryterms(Nakashima2006)).
3.
2Client-sidepersonalizationThekeyideabehindclient-basedpersonalizationisthatusers'dataarestoredattheclientside(e.
g.
,users'computersormobilephones)andsubsequentpersonaliza-tionprocessesalsotakeplaceattheclientside(Casseletal.
2001;Cerietal.
2004;CoroamaandLangheinrich2006;MulliganandSchwartz2000;Gerberetal.
2010).
Sincedatacollectionandprocessingoccurattheclientsideratherthantheserverside,usersmayperceivemorecontrolovertheirdataandperceivelessprivacyrisk.
However,theseassumptionsstilllackempiricalevidence.
Furthermore,iftheserverside(serviceprovider)doesnothaveuserdataandcannotidentifytheiruserswithreasonableeffort,privacylawsmaynotapplytothesystem.
However,thisapproachalsofaceschallenges.
First,existingpersonalizationalgorithmssuchascollaborativelteringandstereotypelearning(seeKobsaetal.
2001),mayneedtoberedesignedtottheclient-sidemodel.
Second,programcodethatisusedforpersonalizationoftenincorporatescondentialbusinessrulesormethods,andmustbeprotectedfromdis-closurethroughreverseengineering.
Trustedcomputingplatformswillthereforehavetobedevelopedforthispurpose,similartotheonethatCoroamaandLangheinrich(CoroamaandLangheinrich2006)envisagetoensuretheintegrityoftheirclient-sidecollectionofpersonaldata.
123Personalizationandprivacy2113.
3Distribution,aggregationandotherprivacy-preservingtechniquesAnumberofdistribution,aggregation,perturbationandobfuscationtechniqueshavebeenproposedtohelpprotectuserprivacyinrecommendersystemsthatemploycol-laborativeltering(CF)(Schaferetal.
2007).
Onepossiblestrategyistodistributeuserdata,preferablyacrossusers'ownmachines.
Thisisakintotheclient-sideper-sonalizationapproach.
However,thismeasurealonecannotsolvetheprivacyissuesinCFsystemsbecauseCFneedsotherusers'datatomakerecommendationsforauser.
(Milleretal.
2004)proposedadistributedCFalgorithmthatupdatesauser'sinterestmodelincrementallybyincorporatingoneneighbor'sratingsatatime(ratingsareimmediatelydiscardedthereafter).
Anotherstrategyistouseencryptedaggregationofusers'data.
Forinstance,Canny(Canny2002)proposedamulti-partycomputationschemethatallowsacommunityofuserstocomputeanaggregateoftheirdata(i.
e.
,asingularvaluedecompositionmodeloftheuser-itemmatrix)basedsolelyonvectoradditionsothatindividualdatawillnotbedisclosed.
Theanonymousaggregatecanthenbeusedalongwithone'sownratingsattheclient-sidetomakepersonalizedrecommendations.
Mehta(2007)usedasimilaralgorithmtopreservedataanonymityinadistributedcross-sitepersonalizationsystem.
Otherapproachestowardsprivacypreservingcollaborativelteringsystemsincludeperturbationandobfuscation.
Perturbationmeansusers'ratingsgetsystematicallyalteredusingaperturbationfunction(e.
g.
,addingrandomnumberstoratings)beforesubmissiontoacentralrepositorysoastohideusers'truevaluesfromtheserver.
Forexample,PolatandDu(PolatandDu2003,2005)showedthatusingperturbeddatamaystillyieldacceptablerecommendations.
Obfuscationmeansthatacertainpercentageofusers'ratingsgetreplacedbyrandomvalues.
Forinstance,Berkovskyetal.
(2005)alsoshowedthattheirobfuscationschemes(e.
g.
,replacewiththemean)workedreasonablywell.
Bothperturbationandobfuscationaffordssomedegreeof"plausibledeniability"becausesomeuserdataarenottrue.
Allthesealternativestrat-egiesshowpromisingresultsinCFsystems,buttheirapplicationtoothernon-CFpersonalizedsystemsisstillanopenquestion.
3.
4UsercontrolsandfeedbackJudyKayandhercolleagues(Kayetal.
2003;Kay2006)suggestedputtingscruta-bilityintousermodelingandpersonalizedsystems.
Theterm"Scrutability"signiestheabilityofuserstounderstandandcontrolwhatgoesintotheirusermodel,whatinformationfromtheirmodelisavailabletodifferentservices,andhowthemodelismanagedandmaintained.
Theirusermodelingsystem,Personis,appliesthreeprivacy-enhancingmechanismstocontroltheprotectionofeachunitofpersonalinformation("evidence")intheusermodel(Kayetal.
2003):–expirationdatesandpurgingofolderevidence,–compaction,forreplacingasetofevidencefromasinglesourcewithanaggregate,and–morphing,whichreplacesanarbitrarycollectionofevidence.
123212E.
Tochetal.
Forcontrollingtheusageofevidencefromtheusermodel,Personisallowsuserstorestricttheevidencesavailabletoapplications,andthemethodsthatmaygenerateausermodelandoperateonit.
Despitethedesirabilityofscrutabilityfromaprivacypointofview,itsimplementationandcontroliscurrentlyverychallengingduetousers'lackofunderstandingofthesenotionsandofeffectiveandefcientuserinter-facestosupportthem.
Moreover,scrutabilitymayrevealthepersonalizationmethodsthatawebsiteuses,whichmayposeaprobleminapplicationareasinwhichthoseareconsideredtobecompetitiveadvantagesandthereforecondential(e.
g.
,inonlineretailwebsites).
WangandKobsa(2007)proposedawayforuserstospecifytheirprivacyprefer-encesandthentheunderlyingusermodelingsystemswilldynamicallyrecongureitselfbyonlyselectingandusingpersonalizationmethodsthatarepermissibleunderusers'currentprivacypreferencesandapplicableprivacyregulations.
Theresultoftheirlabexperimentshowedthatthismechanismincreasesusers'disclosureofdataandthelikelihoodofmakingonlinepurchases(Wang2010).
Inhelpinguserssetandcontroltheirprivacypreferences,Kelleyetal.
(2008)proposedanapproachcalleduser-controllablepolicylearningthatutilizesmachinelearningtechniquestolearnandpredictusers'privacypreferencesfromusers'privacydecisions.
Morespecifically,thesystemcansuggestprivacypreferencedecisionstoauserandcanlearnfromtheuser'decisionsofwhethertoacceptthesystemsugges-tions.
Userscancontrolthislearningprocessbecause(1)userscandecidewhethertoacceptorrejectthesystemsuggestions,and(2)userscandirectlymodifytheirprivacypreferencesinthesystemanytime.
Theirevaluationofapplyingthisapproachinaloca-tion-sharingapplicationyieldspromisingresults(about90%accuracyofpreferencepredictions).
Generalsolutionsforcontrollingdatacollectionthatarerelevanttopersonalizationincludeopt-outcookiesandthe"Do-not-track"mechanismforInternetusagetracking(MayerandNarayanan2011).
ThemechanismaddsanHTTPheadertoexpresstheuser'sintenttooptoutofInternettracking.
3.
5Privacy-preservinglocationtrackingResearchonprivacy-preservinglocationtrackinghasbuiltonexistingprivacypre-servingtechniquessuchasanonymityandpertubationtechniques.
BeresfordandSta-jano(2003)designedamixnetworkapproachtoenhancelocationprivacy.
GruteserandLiu(2004)deviseddisclosure-controlalgorithmsthathideusers'locationinsensitiveareas.
HohandGruteser(2005)developedaschemeofperturbingpathinformationofausertoconfuseanadversary.
Tangetal.
(2006)designedahitch-hikingapproachofachievinglocationprivacyessentiallybysupportinganonymouslocationreportingbyindividualusers.
Ristenpartetal.
(2008)builtasystem,Ade-ona,thatusescryptographictechniquesanddistributedhashtablestohideamobiledevice'svisitedlocationsfromthird-partyservicesandotherparties.
GedikandLiu(2008)proposedalocationprivacyframeworkbasedonak-anonymityscheme(Sweeney2002)andasuiteoflocationperturbationalgorithms.
Inaddition,Tsaietal.
(2010)advocatedsupportforusercontrolsinlocationsharing.
Benischetal.
(2011)123Personalizationandprivacy213conductedanempiricalstudythataskeduserstoratewhen,where,andwithwhomtheywouldfeelcomfortablesharingtheirlocationinformation.
Theirstudydemon-stratedthatusershavene-grainedlocationprivacypreferences,forexamplebasedontimeofday,whicharenotcurrentlysupportedbycommerciallocationsharingtools.
4DiscussionThechangingfaceofpersonalizationtechnologiesrequiresnewframeworksforunderstandingprivacyrisksandsolutionsinpersonalizationsystems.
Inthissec-tion,wesummarizeoursurvey,andproposeaframeworktohelpsystemdesignerstounderstandandaddressprivacyrisksinpersonalizationsystems.
4.
1AnalyzingprivacyrisksThenewtechnologiespresentedinthisarticleimpactprivacyinseveraldistinctiveways.
Sometechnologiesenablenewkindsofinformationtobecollected,othertech-nologiesprovidenewwaystoanalyzedata,andtherestenablethepossibilityofdistributingthepersonalizedcontentinnewways.
Tounderstandtheeffectsofthethesenewtechnologies,andtoguidethedesignofprivacyenhancingapproaches,weconstructasimpleframeworkforclassifyingprivacyaspectsinpersonalization.
Theframework,depictedinFig.
1,isbasedontwodimensions:personalizationphasesandprivacycontrol.
ThepersonalizationphasesaretakenfromthepersonalizationliteratureKobsa(2001,2007a),andincludedatacollection,usermodelcreation,andadaptation.
Eachofthethreephasesimposedifferentchallengesonprivacyandrequiredifferentmeasurestoaddressthesechallenges.
ThedatacollectionphaserepresentsFig.
1Frameworkforprivacymanagementinpersonalization.
Eachoftheverticalcategoriesdenesaphaseinthepersonalizationprocessandeachofhorizontalsub-categoriesdenesalevelofprivacyintrusiveness123214E.
Tochetal.
privacyrisksthatoriginatefromnewtypesofdatacollectionandanalysis.
Forexam-ple,personalizationbasedonlocationdataintroducesnewrisksthatoriginatefromnewtechnologiesfortrackinglocationonmobiledevices.
Theusermodelcreationphaserepresentsrisksthatoriginatefromnewtechnologiesforanalyzingthedata.
Forexample,technologiessuchascollaborativelteringandmachinelearningallownewpredictionstobeinferredfromdata,posingnewprivacyrisks.
Technologiesandpracticesforexchangingdatabetweencompaniesincreasethoserisksastheyallowdatatobetradedandsentbeyondtheserviceitwascollectedin.
Finally,risksattheadaptationphaseoriginateformdistributingtheadaptedandpersonalizedcontentinnewways.
Forexample,intraditionalpersonalizationsystems,thepersonalizedcon-tentwasshownonlytotheuser,butaswehavedemonstratedinthesectionsabove,newpersonalizationtechnologiesdistributecontenttotheuser'ssocialnetworkoreventotheWorldWideWeb.
Theseconddimensionofourframeworkisprivacycontrol:theamountofperceivedandactualcontrolusershaveovertheirprivacyinthepersonalizationprocess.
Tech-nologiesthatlimitusers'controlovertheirprivacyareperceivedasmoreintrusivebyusersAwadandKrishnan(2006).
Forexample,apersonalizationsystemthatreliesonuser-provideddataforthesakeofpersonalizationhasthepotentialofbeinglessintru-sivethanasystemthattracksdowntheuser'sactionsautomatically.
Theframeworkhighlightshowtechnologiesthatarebasedonhighlevelsofautomationposeextendedriskstousers'privacy.
ItcanexplaintheinherentproblemsofapplicationssuchasGoogleBuzz,whichreliesonautomaticallycollectedcontextinformation(e.
g.
,hersocialnetwork).
Fig.
2Frameworkforprivacymitigatingsolutionsfordifferentprocessingphasesofpersonalization123Personalizationandprivacy2154.
2Designingprivacy-sensitivepersonalizationsystemsThetechnologiespresentedinSect.
3providedesignerswitharichtoolboxforavoidingormitigatingprivacyrisks.
Inordertoefcientlyuseprivacypreservingtechnologiesandtoguidethedevelopmentofnewones,itisimportanttounderstandwhichtypeprivacyriskstheycanmitigate.
Inthissection,weusetheframeworkpresentedintheprevioussectiontoframeprivacytechnologiesaccordingtothepersonalizationpro-cessphasestheyapplyto.
Theframework,depictedinFig.
2,includestwodimensionsforcategorization:personalizationphaseandengineeringapproach.
Solutionapproachesareclassiedaccordingtotheirfocusonthepersonaliza-tionphases:datacollection,usermodelcreation,andadaptation.
Forexample,theDo-Not-Trackinitiative(MayerandNarayanan2011)limitsdatacollectionwhilethecongurableusermodeling(WangandKobsa2007)providesuserswithcontrolovertheusermodelcreation.
Someapproachesimpactmorethanonepersonalizationphase:pseudonymouspersonalizationisapplicabletoallthreepersonalizationphasesitcollectsuserdata,createsusermodelandappliesadaptationunderpseudonyms.
Theengineeringapproachcategorizesapproachestowardsengineeringpersonaliza-tionsystems,basedonaframeworkbySpiekermannandCranor(2009)thatmapsengineeringpracticesforprivacypreservingsystems.
Theframeworkdistinguishesbetweenprivacy-by-policy,whichfocusesontheimplementationofthenoticeandchoiceprinciplesoffairinformationpractices,andprivacy-by-architecture,whichaspirestocreatesystemsthatminimizesthecollectionandprocessingofidentiablepersonaldata.
Privacytechnologiesthatarerelevanttothedatacollectionphasepreventser-vicesfromcompilingdetailedprolesofindividualusersbytrackingtheirbehav-ior.
Technologiessuchasclient-basedpersonalizationprovideprivacy-by-architecturesolutionsbypreventingservicesfromaccessinguserinformationdirectly.
Othertech-nologies,suchasDo-Not-Track(MayerandNarayanan2011)andInternetExplorerTrackingProtectionLists(Microsoft2010),enableaprivacy-by-policysolutionforuserswhowishtoopt-outoftracking.
Technologiesthatarerelevanttothemodelcreationphaseallowindividualdatatobehiddenfromcentralservices,usingtechnologiessuchasdistributedcollaborativeltering,ortobeconguredbytheuserusingcongurableusermodeling.
However,itisnotclearthatpurelyarchitecturalsolutionsarefeasibletomitigateprivacyrisksinthemodelcreationphase,asmodelswhicharebasedonricherdatamighthavethepotentialofbeingmoreaccurate.
Forexample,Knijnenburgetal.
(2012)showthatinrecommendersystems,thereisatradeoffbetweentheusers'perceivedusefulnessofthesystemandprivacyconcerns.
Theadaptationphaseposeanewchallengetodesignersofprivacypreservingtech-nologies,astheapplicationsofpersonalizedcontentgofarbeyondthetraditionalapplicationofpersonalizingtheexperienceforasingleuser.
Currently,thesocialnet-work'sprivacysettingscanbeusedtolimitaccesstopersonalizedcontent,butthesesolutionsarepartialatbest.
Specifically,thequestionofhowtocontrolthedistributionoftheproductofthepersonalizationprocessisstillanopenquestion.
123216E.
Tochetal.
4.
3WhatthefutureholdsforprivacyandpersonalizationItisalmostimpossibletopredictwhichtechnologieswillraisenewprivacychallengesinthefuture.
However,ourpersonalizationprivacyrisksframeworkprovidesawaytoanalyzethewayfuturedevelopmentmightimpactusers'privacy,andhowresearchcanmitigatefutureprivacyconcerns.
Thescopeofdatacollectionisincreasingasnewtechnologiescaptureandinfermoreandmoreinformation.
Facerecognitiontechnologies,forexample,arenowbecomingincreasinglypowerfulinautomaticallyidentifyingpeople'sidentitiesinvideofeeds,photocollectionsandsofourth.
Facerecognitioncanbeusedtoinferawiderangeofknowledgeaboutpeople'sbehaviorfromshoppinghabitstosocialties.
Asthedataisgatheredandanalyzedautomatically,thecontrolpeoplehaveonthisinformationishighlylimited.
Therstexamplesofthistechnology,suchasFace.
com,exemplifytheimportanceofpolicyregulationandpropertechnologicalarchitectureinhandlingthisnewtechnology.
Newdataanalysistechnologiesprovideanotherpotentialfortensionsbetweenef-cientpersonalizationandprivacy.
Theabilityofmassivedatacenterstoprocesshugeamountsofinformationraisenewabilitiestoinferinformationaboutindividualusers.
Personalizationtechnologies,suchasthoseoperatingbyGoogleandAmazon,exem-plifyhowindividualuserprolesarecomparedtomassivesetsofprolerecordstoidentifywhatisrelevanttotheuserandwhatisnot.
Asthepredictionsbecomemoreandmoreaccurate,andasservicesincreasetheirrelianceonthesepredictions,userprivacyconcernsmayincrease.
Furthermore,theresultsofdataleakage,authorizedorunauthorized,aremoreserious.
Theadaptationphaseinpersonalizationposesnewchallengesaswell.
Onlinesocialnetworksandothercollaborativeinformationsystemsamplifyexistingprivacyprob-lemsbycommunicatingpossiblysensitiveinformationtopeers:friends,co-workers,andfamily.
Nowadays,theaudienceofthepersonalizationprocessgoesbeyondtheindividualuser,andcanincludetheuser'ssocialnetworkandotherusersofacollab-orativesystem.
Thisaspectofcollaborativesystemsmaterializesprivacyrisksfromvaguenotionstoconcreterisksassociatedwithpersonalization.
5ConclusionsThisarticlehasreviewedseveralprivacyrisksrelatedtopersonalizationanddis-cussedtechnologiesandarchitecturesthatcanhelpdesignersbuildprivacypreservingpersonalizationsystems.
Whilenosilverbulletexistsfordesigningprivacy-protec-tivepersonalizationsystems,therearetechnologiesandprinciplesthatcanbeusedtoeliminate,reduce,andmitigateprivacyrisks.
Furthermore,existingapproachesarenotmutuallyexclusiveandshouldbeconsideredascomplementaryinprotectingusers'privacyinpersonalizedsystems.
Pseudonymousprolesandaggregationcanbeusedwhenpersonalizationinformationneednotbetiedtoanidentiableuserprole.
Client-sideprolesareusefulwhenpersonalizationservicescanbeperformedlocally.
Usercontrolsshouldalwaysbeconsideredontopofothertechnicalapproachesastheywilllikelymakethepersonalizedsystemmoreusableandtrustworthy.
Weenvisionadvancesinalloftheseareasandmoresystemsthatincorporatemultipletechniquesintheirprivacyprotectionmechanisms.
123Personalizationandprivacy217ReferencesAcquisti,A.
,Gross,R.
:Imaginedcommunities:Awareness,informationsharing,andprivacyontheface-book.
In:Danezis,G.
,Golle,P.
(eds.
)Privacyenhancingtechnologies,Lecturenotesincomputerscience,vol.
4258,pp.
36–58.
Springer,Berlin(2006).
doi:10.
1007/119574543Anton,A.
I.
,Earp,J.
B.
,Young,J.
D.
:Howinternetusers'privacyconcernshaveevolvedsince2002.
IEEE.
Secur.
Priv.
8(1),21–27(2010)ArleinR.
M.
,JaiB.
,JakobssonM.
,MonroseF.
,ReiterM.
K.
:Privacy-preservingglobalcustomization.
In:2ndACMconferenceonelectroniccommerce,pp.
176–184.
ACMPress,Minneapolis(2000)Awad,N.
F.
,Krishnan,M.
S.
:Thepersonalizationprivacyparadox:anempiricalevaluationofinformationtransparencyandthewillingenesstobeproledonlineforpersonalization.
MISQuarterly30(1),13–28(2006)BarkhuusL.
,BrownB.
,BellM.
,SherwoodS.
,HallM.
,ChalmersM.
:Fromawarenesstorepartee:shar-inglocationwithinsocialgroups.
In:Proceedingofthetwenty-sixthannualSIGCHIconferenceonHumanfactorsincomputingsystems,pp.
497–506.
ACMPress,NewYork(2008)Benisch,M.
,Kelley,P.
,Sadeh,N.
,Cranor,L.
:Capturinglocation-privacypreferences:quantifyingaccuracyanduser-burdentradeoffs.
Pers.
UbiquitousComput.
15(7),679–694(2011)Beresford,A.
R.
,Stajano,F.
:Locationprivacyinpervasivecomputing.
IEEE.
PervasiveComput.
2(1),46–55(2003)BerkovskyS.
,EytaniY.
,KuflikT.
,RicciF.
:Privacy-enhancedcollaborativeltering.
In:KobsaA.
,CranorL.
(eds.
)PEP05,UM05workshoponprivacy-enhancedpersonalization,pp.
75–84.
Edinburgh(2005)Bonneau,J.
,Preibusch,S.
:Theprivacyjungle:Onthemarketfordataprotectioninsocialnet-works.
In:Moore,T.
,Pym,D.
,Ioannidis,C.
(eds.
)Economicsofinformationsecurityandpri-vacy,pp.
121–167.
Springer,NewYork(2009)Canny,J.
:Collaborativelteringwithprivacyviafactoranalysis.
In:Proceedingsofthe25thannualinter-nationalACMSIGIRconferenceonresearchanddevelopmentininformationretrieval,pp.
238–245.
ACMPress,Tampere(2002)Cassel,L.
,Cassel,L.
,Wolz,U.
:Clientsidepersonalization.
In:ProceedingsofthejointDELOS-NSFworkshoponpersonalizationandrecommendersystemsindigitallibraries,DublinCityUniversity,Dublin(2001)Ceri,S.
,Dolog,P.
,Matera,M.
,Nejdl,W.
:Model-drivendesignofwebapplicationswithclient-sideadap-tation.
In:Internationalconferenceonwebengineering,ICWE'04,vol.
3140,pp.
201–214.
Springer,Munich(2004)Coroama,V.
,Langheinrich,M.
:Personalizedvehicleinsurancerates—acaseforclient-sidepersonalizationinubiquitouscomputing.
UbiquitousComput.
WorkshopPriv.
EnhancedPersonal.
CHI'06(22),56–59(2006)Cranor,L.
F.
:Ididn'tbuyitformyself:privacyandecommercepersonalization.
In:2003ACMworkshoponprivacyintheelectronicsociety,pp.
111–117ACMPress,Washington,DC(2003)Culnan,M.
J.
,Milne,G.
R.
:Theculnanmilnesurveyonconsumersandonlineprivacynotices:summaryofresponses.
http://www.
ftc.
gov/bcp/workshops/glb/supporting/culnan-milne.
pdf(2001).
AccessedDec2001Dalal,M.
:Personalizedsocial&real-timecollaborativesearch.
In:Proceedingsofthe16thinternationalconferenceonWorldWideWeb,WWW'07,pp.
1285–1286.
ACMPress,NewYork(2007)Davis,W.
:Report:Marketerslimitbehavioraltargetingduetoprivacyworries.
Tech.
rep.
,MediaPostReport(2010)Dwyer,C.
,Hiltz,S.
R.
,Passerini,K.
Trustandprivacyconcernwithinsocialnetworkingsites:acompari-sonoffacebookandmyspace.
In:Proceedingsofthethirteenthamericasconferenceoninformationsystems(AMCIS2007),Keystone(2007)Egelman,S.
,Tsai,J.
,Cranor,L.
,Acquisti,A.
:TimingiseverythingTheeffectsoftimingandplacementofonlineprivacyindicators.
In:Proceedingsofthe27thinternationalconferenceonHumanfactorsincomputingsystems,pp.
319–328.
ACMPress,NewYork(2009)Facebook(2010)Facebookinstantpersonalization.
http://blog.
facebook.
com/blog.
phppost=384733792130.
Accessed26April2010FederalTradeCommission:self-regulatoryprinciplesforonlinebehavioraladvertising.
Tech.
rep.
,FederalTradeCommission(2009)ForresterConsulting:Outboundemailanddatalosspreventionintoday'senterprise.
http://www.
proofpoint.
com/outbound(2008).
AccessedMarch2008123218E.
Tochetal.
Gedik,B.
,Liu,L.
:Protectinglocationprivacywithpersonalizedk-anonymity:architectureandalgo-rithms.
IEEETrans.
MobileComput.
7(1),1–18(2008)Gerber,S.
,Fry,M.
,Kay,J.
,Kummerfeld,B.
,Pink,G.
,Wasinger,R.
PersonisJ:mobile,Client-Sideusermodelling.
In:Internationalconferenceonusermodeling,adaptation,andpersonalization,lecturenotesincomputerscience,vol.
6075,pp.
111–122.
Springer,Berlin(2010)Google(2008)SocialgraphAPI.
http://code.
google.
com/apis/socialgraph/.
Accessed01Feb2008Google(2011)Google+1button-socialsearch.
http://www.
google.
com/+1/button/.
Accessed01June2011Gruteser,M.
,Liu,X.
:Protectingprivacy,incontinuouslocation-trackingapplications.
Secur.
Priv.
IEEE.
2(2),28–34(2004)Helft,M.
,Wortham,J.
:Facebookbowstopressureoverprivacy.
NewYorkTimes,NewYork(2010)Heymann,P.
,Koutrika,G.
,Garcia-Molina:CansocialbookmarkingimprovewebsearchIn:Proceedingsoftheinternationalconferenceonwebsearchandwebdatamining,WSDM'08,pp.
195–206.
NewYork(2008)Hitchens,M.
,Kay,J.
,Kummerfeld,B.
,Brar,A.
Secureidentitymanagementforpseudo-anonymousser-viceaccess.
In:Hutter,D.
,Ullmann,M.
(eds.
)Securityinpervasivecomputing:secondinternationalconference,pp.
48–55,Boppard(2005)Hoh,B.
,Gruteser,M.
:Protectinglocationprivacythroughpathconfusion.
In:Securityandprivacyforemergingareasincommunicationsnetworks,2005.
SecureComm2005.
Firstinternationalconfer-enceonsecurityandprivacyforemergingareasincommunicationsnetworks,pp.
194–205.
IEEEComputerSociety,Washington(2005)Iachello,G.
,Smith,I.
,Consolovo,S.
,Abowd,G.
,Hughes,J.
,Howard,J.
,Potter,F.
,Scott,J.
,Sohn,T.
,Hightower,J.
,LaMarca,A.
:Control,deception,andcommunication:Evaluatingthedeploymentofalocation-enhancedmessagingservice.
In:Ubicomp'05,pp.
213–231.
Springer-Verlag,Berlin(2005)Kay,J.
:Scrutableadaptation:becausewecanandmust.
In:Adaptivehypermediaandadaptiveweb-basedsystems,pp.
11–19.
Springer,Berlin(2006)Kay,J.
,Kummerfeld,B.
,Lauder,P.
Managingprivateusermodelsandsharedpersonas.
In:Workshoponusermodellingforubiquitouscomputing,9thinternationalconferenceonusermodeling,pp.
1–11.
Johnstown(2003)Kelley,P.
G.
,Drielsma,P.
H.
,Sadeh,N.
,Cranor,L.
F.
:User-controllablelearningofsecurityandprivacypolicies.
In:Proceedingsofthe1stACMworkshoponAISec,pp.
11–18.
ACMPress,Alexandria(2008)Knijnenburg,B.
P.
,Willemsen,M.
C.
,Gantner,Z.
,Soncu,H.
,Newell,C.
:Explainingtheuserexperienceofrecommendersystems.
UserModel.
UserAdapt.
Interact.
22(2012).
doi:10.
1007/s11257-011-9118-4Kobsa,A.
:Genericusermodelingsystems.
UserModel.
UserAdapt.
Interact.
11(1–2),49–63(2001)Kobsa,A.
:Genericusermodelingsystems.
In:Brusilovsky,P.
,Kobsa,A.
,Nejdl,W.
Theadaptiveweb:methodsandstrategiesofwebpersonalization.
,pp.
136–154.
SpringerVerlag,Heidelberg(2007a)Kobsa,A.
:Privacy-enhancedwebpersonalization.
In:Brusilovsky,P.
,Kobsa,A.
,Nejdl,W.
TheAdaptiveWeb.
,pp.
628–670.
Springer-Verlag,Berlin(2007b)Kobsa,A.
,Schreck,J.
:PrivacythroughpseudonymityinUser-Adaptivesystems.
ACM.
Trans.
InternetTechnol.
3(2),149–183(2003)Kobsa,A.
,Koenemann,J.
,Pohl,W.
:Personalizedhypermediapresentationtechniquesforimprovingonlinecustomerrelationships.
Knowl.
Eng.
Rev.
16,111–155(2001)Lampinen,A.
,Tamminen,S.
,Oulasvirta,A.
:Allmypeoplerighthere,rightnow:managementofgroupco-presenceonasocialnetworkingsite.
In:GROUP'09:ProceedingsoftheACM2009internationalconferenceonsupportinggroupwork,pp.
281–290.
ACMPress,NewYork(2009)Lewis,K.
,Kaufman,J.
,Christakis,N.
:Thetasteforprivacy:ananalysisofcollegestudentprivacysettingsinanonlinesocialnetwork.
J.
Comput.
Mediat.
Commun.
14(1),79–100(2008)Lu,Y.
,Peng,F.
,Wei,X.
,Dumoulin,B.
:Personalizewebsearchresultswithuser'slocation.
In:Proceedingofthe33rdinternationalacmsigirconferenceonresearchanddevelopmentininformationretrieval,SIGIR2010,pp.
763–764,Geneva(2010)Malin,B.
,Sweeney,L.
,Newton,E.
:Trailre-identication:learningwhoyouarefromwhereyouhavebeen.
TechnicalReportLIDAP-WP12,CarnegieMellonUniversity,Laboratoryforinternationaldataprivacy(2003)Mayer,J.
R.
,Narayanan,A.
:Donottrackiab/w3c/ietfpositionpaper.
Tech.
rep.
,W3C(2011)McDonald,A.
M.
,Cranor,L.
F.
:Beliefsandbehaviors:Internetusers'understandingofbehavioraladver-tising.
Tech.
rep.
CarnegieMellonUniversity,Pittsburgh(2010)123Personalizationandprivacy219Mehta,B.
:Crosssystempersonalizationbylearningmanifoldalignments.
In:Proceedingsofthe21stnationalconferenceonarticialintelligence,Vol.
2,pp.
1920–1921.
AAAIPress,MenloPark(2006)Mehta,B.
:Learningfromwhatothersknow:privacypreservingcrosssystempersonalization.
In:Pro-ceedingsofthe11thinternationalconferenceonusermodeling,UM'07,pp.
57–66.
Springer-Verlag,Berlin(2007)Mehta,B.
,Niederee,C.
,Stewart,A.
,Degemmis,M.
,Lops,P.
,Semeraro,G.
:Ontologically-enricheduniedusermodelingforcross-systempersonalization.
In:ArdissonoL.
,BrnaP.
,MitrovicA.
(eds.
)UserModeling2005,Lecturenotesincomputerscience,vol.
3538,pp.
119–123.
Springer,Berlin(2005)MicrosoftInternetexplorertrackingprotectionlists.
http://ie.
microsoft.
com/testdrive/Browser/TrackingProtectionLists(2010).
AccessedSept2010Miller,B.
N.
,Konstan,J.
A.
,Riedl,J.
:PocketLens:towardapersonalrecommendersystem.
ACM.
Trans.
Inf.
Syst.
22(3),437–476(2004)Mulligan,D.
,Schwartz,A.
:Yourplaceormine:privacyconcernsandsolutionsforserverandclient-sidestorageofpersonalinformation.
In:Proceedingsofthetenthconferenceoncomputers,Freedomandprivacy:challengingtheassumptions,pp.
81–84.
ACMPress,Toronto(2000)Mullins,R.
:VentureBeatreport:privacygrouparguesbuzzbreakswiretaplaws.
http://venturebeat.
com/2010/02/17/privacy-group-argues-buzz-breaks-wiretap-laws/(2010).
Accessed17Feb2010Nakashima,E.
:AOLsearchqueriesopenwindowontousers'worlds.
WashingtonPost(2006)Nissenbaum,H.
:Privacyascontextualintegrity.
Wash.
LawRev.
Assoc.
79,119–158(2004)Palen,L.
,Dourish,P.
:Unpacking"privacy"foranetworkedworld.
In:ProceedingsoftheSIGCHIcon-ferenceonhumanfactorsincomputingsystems(CHI'03),pp.
129–136.
ACMPress,NewYork(2003)Paliouras,G.
:Discoveryofwebusercommunitiesandtheirroleinpersonalization.
UserModel.
UserAdapt.
Interact.
22(1–2),151–175(2012)Polat,H.
,Du,W.
:Privacy-preservingcollaborativelteringusingrandomizedperturbationtechniques.
In:IEEEinternationalconferenceondatamining(ICDM'03).
IEEEComputerSociety,LosAlamitos(2003)Polat,H.
,Du,W.
:SVD-basedcollaborativelteringwithprivacy.
In:20thACMsymposiumonappliedcomputing,pp.
791–795.
SantaFe(2005)Riedl,J.
:Personalizationandprivacy.
InternetComput.
IEEE.
5(6),29–31(2001)Ristenpart,T.
,Maganis,G.
,Krishnamurthy,A.
,Kohno,T.
:Privacy-preservinglocationtrackingoflostorstolendevices:cryptographictechniquesandreplacingtrustedthirdpartieswithDHTs.
In:Proceed-ingsofthe17thconferenceonsecuritysymposium,pp.
275–290.
USENIXAssociation,SanJose(2008)Schafer,J.
,Frankowski,D.
,Herlocker,J.
,Sen,S.
:Collaborativelteringrecommendersystems.
In:Brusi-lovsky,P.
,Kobsa,A.
,Nejdl,W.
(eds.
)TheAdaptiveWeb,pp.
291–324.
Springer-Verlag,Berlin(2007)Spiekermann,S.
,Cranor,L.
F.
:Engineeringprivacy.
IEEE.
Trans.
Softw.
Eng.
35(1),67–82(2009)Story,L.
,Stone,B.
:Facebookretreatsononlinetracking.
NewYorkTimes,NewYork(2007)Stutzman,F.
,Kramer-Dufeld,J.
:Friendsonly:examiningaprivacy-enhancingbehaviorinfacebook.
In:MynattED,SchonerD,FitzpatrickG,HudsonSE,EdwardsK,RoddenT(eds.
)CHI,pp.
1553–1562.
ACM,NewYork(2010)Sweeney,L.
:K-anonymity:amodelforprotectingprivacy.
Int.
J.
Uncertain.
FuzzinessKnowlBasedSyst.
10(5),557–570(2002)Tang,K.
P.
,Keyani,P.
,Fogarty,J.
,Hong,J.
I.
:Puttingpeopleintheirplace:ananonymousandprivacy-sensi-tiveapproachtocollectingsenseddatainlocation-basedapplications.
In:ProceedingsoftheSIGCHIconferenceonhumanfactorsincomputingsystems,pp.
93–102.
ACMPress,Montréal(2006)Toch,E.
,Cranshaw,J.
,Drielsma,P.
H.
,Tsai,J.
Y.
,Kelley,P.
G.
,Springeld,J.
,Cranor,L.
,Hong,J.
,Sadeh,N.
:Empiricalmodelsofprivacyinlocationsharing.
In:Proceedingsofthe12thACMinternationalconferenceonUbiquitouscomputing,Ubicomp'10,pp.
129–138.
ACMPress,NewYork(2010)TRUSTe,TNS:2009study:consumerattitudesaboutbehavioraltargeting.
Tech.
rep.
,TRUSTe(2009)Tsai,J.
,Kelley,P.
G.
,Cranor,L.
F.
,Sadeh,N.
:Location-sharingtechnologies:Privacyrisksandcontrols.
J.
LawPolicyInf.
Soc.
6(2),119–151(2010)Tsai,J.
Y.
,Egelman,S.
,Cranor,L.
,Acquisti,A.
:Theeffectofonlineprivacyinformationonpurchasingbehavior:anexperimentalstudy.
Inf.
Syst.
Res.
22,254–268(2011)Turow,J.
,King,J.
,Hoofnagle,C.
J.
,Bleakley,A.
,Hennessy,M.
:Americansrejecttailoredadvertisingandthreeactivitiesthatenableit.
http://papers.
ssrn.
com/sol3/papers.
cfmabstract_id=1478214(2009).
Accessed29Sept2009123220E.
Tochetal.
Volokh,E.
:Personalizationandprivacy.
CommunACM43,84–88(2000)Wang,Y.
:AframeworkforPrivacy-Enhancedpersonalization.
Ph.
D.
Dissertation,UniversityofCalifornia,Irvine(2010)Wang,Y.
,Kobsa,A.
:Impactsofprivacylawsandregulationsonpersonalizedsystems.
In:Kobsa,A.
,Chell-appa,R.
K.
,Spiekermann,S.
(eds.
)PEP06,CHI06workshoponprivacy-enhancedpersonalization,pp.
44–46.
Montréal(2006)Wang,Y.
,Kobsa,A.
:Respectingusers'individualprivacyconstraintsinwebpersonalization.
In:Conati,C.
,McCoy,K.
,Paliouras,G.
(eds.
)UM07,11thinternationalconferenceonusermodeling,Berlin–Heidelberg–NewYork,pp.
157–166.
Springer-Verlag,Corfu(2007)Wang,Y.
,Norcie,G.
,Cranor,L.
F.
:Whoisconcernedaboutwhatastudyofamerican,chineseandindianusers'privacyconcernsonsocialnetworkingsites.
In:4thinternationalconferenceontrustandtrust-worthycomputing(TRUST2011),Springer,Pittsburgh2011Yi,X.
,Raghavan,H.
,Leggetter,C.
:Discoveringusers'specicgeointentioninwebsearch.
In:WWW'09:Proceedingsofthe18thinternationalconferenceonWorldwideweb,pp.
481–490.
ACMPress,NewYork2009AuthorBiographiesEranTochisafacultymemberatTelAvivUniversity,whereheisalecturerattheDepartmentofIndus-trialEngineering.
Hisresearchinterestliesattheintersectionofseveralelds:privacy,human-computerinteractionandarticialintelligence.
Previously,hewasapost-doctoralfellowattheSchoolofComputerScienceatCarnegieMellonUniversity.
Dr.
TochreceivedhisPh.
D.
fromTheTechnion—IsraelInstituteofTechnology.
YangWangisResearchScientistinCyLabatCarnegieMellonUniversity,workingintheareaofusableprivacyandsecurity,personalization,andsocialcomputing.
HereceivedhisM.
S.
andPh.
D.
inInformationandComputerSciencefromtheUniversityofCalifornia,Irvine.
HiscontributiontothisarticleisbasedonexperiencesgainedbothfromhisPh.
D.
workandhiscurrentresearchonprivacy-enhancingpersonalization.
LorrieFaithCranorisanAssociateProfessorofComputerScienceandofEngineeringandPublicPolicyatCarnegieMellonUniversitywheresheisdirectoroftheCyLabUsablePrivacyandSecurityLaboratory(CUPS).
Sheisalsoaco-founderofWombatSecurityTechnologies,Inc.
ShewaspreviouslyaresearcheratAT&T-LabsResearchandtaughtintheSternSchoolofBusinessatNewYorkUniversity.
Dr.
CranorreceivedherdoctoratedegreeinEngineeringandPolicyfromWashingtonUniversityinSt.
Louis.
123