their location data 24/7 to the PDV, but share data with Biketastic only during days and times when they regularly commute by bike. Biketastic doesn't need to know where the participants are during working hours, when they take their lunch breaks, or how they typically spend their evenings.

A different example of collecting minimal data is requesting processed, rather than raw, data. Developers could build applications such as PEIR to request only inferred activity data (time spent driving, walking, and indoors) and ZIP code, rather than granular location data. PEIR doesn't need to know what street a participant was on—only what carbon-generating activity they were engaged in. By collecting the minimum amount of information needed for a service, application developers can help participants maintain control over their raw data.
Data legibility. Participatory sensing systems can help participants make sense of, and decisions about, their data by visualizing granular, copious data in ways individuals can understand. Methods to improve data legibility include visualization using tools such as maps, charts, icons, pictures, or scales. Data legibility also includes showing users who has accessed their data and how frequently, and showing participants where their data goes and how long it remains accessible. System features should increase participants' understanding of complex risks and help them make better decisions about data capture, sharing, and retention.
Developers should get creative about what legibility might mean. An application's user interface, for example, could help users not only set data-sharing policies, but also see the results of their policies. Imagine a Facebook pop-up that asks, "Do you really want to share the album 'Party Pics' with your father?" Developing features either for data vaults or for sensing applications that illuminate who can see what data will help users better understand the consequences of data sharing.
Another approach is to show multiple interpretations of collected data. The AndWellness interface, for example, uses both maps and timelines to help users draw conclusions about when and where their eating habits strayed from their plans. Developers might also experiment with natural language, helping translate numerical data or complex algorithms into something easier to understand. Natural language might make inferences from data points (for example, this bike route has a few hills in the middle, most of them easy, and one difficult hill at the end); or plain text descriptions can explain how calculations and processing work (for example, clicking on a route in PEIR takes the participant to a "Trip Journal" with a step-by-step breakdown of how the system calculated the impact and exposure for that route).

Participatory sensing opens the door to entirely new forms of granular and pervasive data collection. The risks of this sort of data collection are not always self-evident.
Longitudinal engagement. Finally, developers will need to consider time as a factor that affects privacy in participatory sensing. You may end participation in a carbon footprint calculator when you start taking public transportation to work, but enroll in a new health program after receiving a surprising diagnosis. Personal habits and routines change over time, altering the data collected into personal data vaults.
Because time is such a critical factor, application interfaces should encourage participants to engage with the data from the point of collection through analysis, long-term retention, or deletion. Systems should enable continued engagement to allow participants to change their data practices as their context changes. The crux of engaging individuals with decisions about their data is refusing to put that data in a black box. Instead, analyzing, learning from the data, and making ongoing choices about the data become the goals of sensing.
We offer several suggestions for how developers can encourage long-term engagement. Policies that require users to check back in with a vault or application on a regular basis can remind them to update their sharing preferences as their needs change. A data vault could remind users to update their sharing preferences every time they add new contacts or applications. Building adaptive filters can also enable participants to change their data sharing as their preferences change. Such filters could learn from user behavior to respond to privacy preferences. For example, the vault could learn never to share a certain route or could learn to check with users before sharing any routes recorded after 9 p.m.
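The three mechanisms described on this page, a commute-window policy for Biketastic, coarsening raw location into inferred activity plus ZIP code for PEIR, and an adaptive filter that blocks a learned route and holds routes recorded after 9 p.m. for confirmation, can be sketched as filters that run inside the participant's vault before anything is released. The following Python is an added illustration written for this page; it is not code from PDV, PEIR, Biketastic or AndWellness. The record schema, the sample records, the commute windows and the application names used as vault callers are all constructed assumptions; the vault also keeps a per-application release count as a minimal form of the "who has accessed my data and how often" legibility view.

```python
"""Data-vault sharing filters for participatory sensing (added illustration)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Iterable


@dataclass(frozen=True)
class LocationSample:
    """One record held in the participant's vault (constructed schema, not PDV's)."""
    when: datetime
    lat: float
    lon: float
    zip_code: str   # assumed: derived by the vault from lat/lon before any release
    activity: str   # assumed: inferred by the vault (driving/walking/indoors/cycling)
    route: str      # assumed: label the participant gave the trip


# Constructed records for one participant: a Tuesday (2024-03-12) and a Saturday (2024-03-16).
SAMPLES = [
    LocationSample(datetime(2024, 3, 12, 7, 45), 34.05, -118.25, "90012", "cycling", "home-work"),
    LocationSample(datetime(2024, 3, 12, 12, 30), 34.07, -118.44, "90095", "walking", "lunch"),
    LocationSample(datetime(2024, 3, 12, 15, 0), 34.07, -118.44, "90095", "indoors", "office"),
    LocationSample(datetime(2024, 3, 12, 17, 50), 34.06, -118.30, "90036", "cycling", "work-home"),
    LocationSample(datetime(2024, 3, 12, 21, 40), 34.10, -118.33, "90028", "driving", "evening-drive"),
    LocationSample(datetime(2024, 3, 16, 8, 0), 34.02, -118.49, "90405", "cycling", "weekend-ride"),
]

Keep = Callable[[LocationSample], bool]


def commute_window(weekdays: set, *windows: tuple) -> Keep:
    """Release a record only on the given weekdays (0=Mon) and inside one of the time windows."""
    def keep(s: LocationSample) -> bool:
        t = s.when.time()
        return s.when.weekday() in weekdays and any(a <= t <= b for a, b in windows)
    return keep


def coarsen_for_peir(s: LocationSample) -> dict:
    """Release inferred activity and ZIP code only; coordinates never leave the vault."""
    return {"date": s.when.date().isoformat(), "activity": s.activity, "zip_code": s.zip_code}


class DataVault:
    def __init__(self, samples: Iterable[LocationSample]):
        self._samples = list(samples)
        self._access_log = []  # (application, records released): the legibility trail

    def release(self, app: str, keep: Keep = lambda s: True,
                transform: Callable[[LocationSample], object] = lambda s: s) -> list:
        shared = [transform(s) for s in self._samples if keep(s)]
        self._access_log.append((app, len(shared)))
        return shared

    def access_summary(self) -> dict:
        """How many records each application has received so far."""
        summary = {}
        for app, n in self._access_log:
            summary[app] = summary.get(app, 0) + n
        return summary


class AdaptiveFilter:
    """Learned rules: routes the participant always refuses, plus a late-evening check."""
    def __init__(self, cutoff: time = time(21, 0)):
        self.cutoff = cutoff
        self.never_share = set()

    def learn_refusal(self, route: str) -> None:
        """Record that the participant refused this route; later releases are denied outright."""
        self.never_share.add(route)

    def decide(self, s: LocationSample) -> str:
        if s.route in self.never_share:
            return "deny"
        if s.when.time() >= self.cutoff:
            return "ask"      # hold for confirmation before any release
        return "share"


def share_with_biketastic(vault: DataVault) -> list:
    """Biketastic gets raw points, but only on weekdays during the commute windows."""
    weekdays = {0, 1, 2, 3, 4}
    windows = ((time(7, 0), time(9, 0)), (time(17, 0), time(19, 0)))
    return vault.release("Biketastic", commute_window(weekdays, *windows))


def share_with_peir(vault: DataVault) -> list:
    """PEIR gets every record, but each one reduced to activity and ZIP code."""
    return vault.release("PEIR", transform=coarsen_for_peir)


def triage_routes(samples: Iterable[LocationSample], flt: AdaptiveFilter) -> dict:
    """Group route labels by the adaptive filter's decision."""
    decisions = {"share": [], "ask": [], "deny": []}
    for s in samples:
        decisions[flt.decide(s)].append(s.route)
    return decisions


if __name__ == "__main__":
    vault = DataVault(SAMPLES)
    print("Biketastic:", [s.route for s in share_with_biketastic(vault)])
    print("PEIR:", share_with_peir(vault))
    print("Access summary:", vault.access_summary())
    flt = AdaptiveFilter()
    flt.learn_refusal("lunch")
    print("Adaptive filter:", triage_routes(SAMPLES, flt))
```

Each release goes through `DataVault.release`, so every policy is a pure predicate or transform over records and the vault, not the application, decides what crosses the boundary; adding a "ZIP code only" transform for a new application or narrowing a time window is a one-line change, and the access summary is what a legibility interface would render back to the participant.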