Capturing Location-Privacy Preferences: Quantifying Accuracy and User-Burden Tradeoffs

Michael Benisch, Patrick Gage Kelley, Norman Sadeh, Lorrie Faith Cranor

March 2010
CMU-ISR-10-105

School of Computer Science
Carnegie Mellon University
Pittsburgh, PA 15213

Abstract

We present a three-week user study in which we tracked the locations of 27 subjects and asked them to rate when, where, and with whom they would have been comfortable sharing their locations. The results of analysis conducted on over 7,500 hours of data suggest that the user population represented by our subjects has rich location-privacy preferences, with a number of critical dimensions, including time of day, day of week, and location. We describe a methodology for quantifying the effects, in terms of accuracy and amount of information shared, of privacy-setting types with differing levels of complexity (e.g., setting types that allow users to specify location- and/or time-based rules). Using the detailed preferences we collected, we identify the best possible policy (or collection of rules granting access to one's location) for each subject and privacy-setting type. We measure the accuracy with which the resulting policies are able to capture our subjects' privacy preferences under a variety of assumptions about the sensitivity of the information and user-burden tolerance. One practical implication of our results is that today's location sharing applications may have failed to gain much traction due to their limited privacy settings, as they appear to be ineffective at capturing the preferences revealed by our study.

This work has been supported by NSF grants CNS-0627513, CNS-0905562, and DGE-0903659. Additional support has been provided by Nokia, France Telecom, Google, the CMU/Microsoft Center for Computational Thinking, ARO research grant DAAD19-02-1-0389 to Carnegie Mellon University's CyLab, and the CMU/Portugal Information and Communication Technologies Institute.

Keywords: Expressiveness, Usable privacy, Location sharing, Web services, Social networking, Mechanism design

1 Introduction

The past few years have seen an explosion in the range of websites allowing individuals to exchange personal information and content that they have created. These sites include location-sharing services, which are the focus of this paper, social-networking services, and photo- and video-sharing services. While there is clearly a demand for users to share this information with each other, there is also substantial demand for greater control over the conditions under which their information is shared. This has led to expanded privacy and security controls on some services, such as Facebook, but designers of others appear reluctant to make this change. One reason for this reluctance may be that more complex privacy settings typically lead to more complex and hard-to-use interfaces.

Around one hundred different location-sharing applications exist today. These applications allow users to share their location (frequently, their exact location on a map) and other types of information, but have extremely limited privacy settings. Typically, they only allow users to specify a white list, or a list of individuals with whom they would be willing to share their locations at any time [21]. Despite the number of these types of applications available, there does not seem to be any service that has seen widespread usage. One possible explanation for this slow adoption has been established by a number of recent papers, which demonstrate that individuals are concerned about privacy in this domain [5, 7, 8, 13, 14, 18, 22]. However, our work is the first, to our knowledge, to study location-privacy preferences at a detailed enough level to address the question of whether or not more complex privacy-setting types may help alleviate these concerns.

We present the results from a user study where we tracked the locations of 27 subjects over three weeks in order to collect their stated location-privacy preferences in detail. Each day, for each of the locations a subject visited, we asked whether or not he or she would have been willing to share that location with each of four different groups: close friends and family, Facebook friends, the university community, and advertisers. Throughout the study, we collected more than 7,500 hours of location information and corresponding privacy preferences. In contrast to some earlier research that identified the requester's identity [7] and user's activity [6] as primarily defining privacy preferences for location sharing, we find that there are a number of other critical dimensions in these preferences, including time of day, day of week, and exact location.

We characterize the complexity of our subjects' preferences by measuring the accuracy of different privacy-setting types. We consider setting types that allow a user to share his or her location based on the group of the requester, the time of day of the request, whether or not the request is made on a weekend, and his or her location at the time of the request. Using the detailed preferences we collected during the location tracking phase, we identify each subject's most accurate collection of rules, or policy, under each privacy-setting type. To test the effectiveness of the different setting types, we measure the accuracy with which each is able to capture our subjects' preferences, while varying assumptions about the relative cost of revealing a private location, and about our subjects' tolerance for user burden.

As one might expect, we find that more complex privacy-setting types, such as those that allow users to specify both location- and time-based rules, are more accurate at capturing the preferences of our subjects under a wide variety of assumptions. More surprising is the magnitude of accuracy improvement — in some cases more complex setting types can result in almost three times the average accuracy of white lists. White lists appear to be particularly ineffective at capturing our subjects' preferences. Even relatively simple extensions, such as those that allow rules based only on time of day, can yield a 33% increase in average accuracy, if we assume that our subjects are privacy sensitive. This finding is also consistent with results from our pre-study survey, where subjects reported being significantly more comfortable with the prospect of sharing their location using time- and location-based rules, compared to white lists.

In addition to accuracy, we measure the amount of time each
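
An added illustration of the comparison the introduction describes (not code or data from the report): it searches, over a constructed set of hourly answers for one requester group, for the best policy each privacy-setting type can express. The scoring formula, the cost parameter `c`, and the shape of the candidate policies are assumptions, since this preview does not give the report's definitions.

```python
from itertools import combinations

# Constructed sample (not study data): one subject's hourly answers for one
# requester group, as (hour_of_day, location, ok_to_share).
OBS = ([(h, "campus", True) for h in range(9, 17)] +      # weekday working hours
       [(h, "home", False) for h in range(17, 24)] +      # weekday evenings
       [(h, "home", False) for h in range(9, 14)] +       # weekend mornings
       [(h, "cafe", True) for h in range(14, 17)] +       # weekend afternoons
       [(h, "campus", False) for h in (22, 23)])          # late nights on campus

def score(policy, obs, c):
    """Assumed metric: hours shared as wanted, minus c per hour revealed
    against the subject's wishes, over the hours the subject wanted shared."""
    good = sum(1 for o in obs if o[2] and policy(o))
    bad = sum(1 for o in obs if not o[2] and policy(o))
    return (good - c * bad) / sum(1 for o in obs if o[2])

def candidates(kind, obs):
    """Enumerate every policy expressible under one privacy-setting type."""
    yield lambda o: False                       # sharing nothing is always possible
    locs = sorted({o[1] for o in obs})
    subsets = [set(s) for r in range(1, len(locs) + 1)
               for s in combinations(locs, r)]
    windows = [(a, b) for a in range(24) for b in range(a + 1, 25)]
    if kind == "white list":                    # group is in or out, nothing finer
        yield lambda o: True
    elif kind == "time":                        # one daily window [a, b)
        for a, b in windows:
            yield lambda o, a=a, b=b: a <= o[0] < b
    elif kind == "location":                    # a set of shareable places
        for s in subsets:
            yield lambda o, s=s: o[1] in s
    elif kind == "location+time":               # places, within one window
        for s in subsets:
            for a, b in windows:
                yield lambda o, s=s, a=a, b=b: o[1] in s and a <= o[0] < b

def best(kind, obs, c):
    """Score of the most accurate policy the setting type can express."""
    return max(score(p, obs, c) for p in candidates(kind, obs))

if __name__ == "__main__":
    for c in (0.0, 1.0):                        # c = assumed cost of a wrong reveal
        for kind in ("white list", "time", "location", "location+time"):
            print(f"c={c} {kind:14s} {best(kind, OBS, c):.2f}")
```

On this sample every setting type reaches the top score when `c` is 0, but once a wrong reveal costs as much as a wanted share, the white list can do no better than sharing nothing while the richer types keep most or all of the wanted sharing.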

