[guardian-dev] Respectful Analytics

Hans-Christoph Steiner hans at guardianproject.info
Thu Jan 26 04:40:02 EST 2017


Debian Popularity Contest is a good example of opt-in usage metrics:

http://popcon.debian.org/
https://www.linuxjournal.com/content/popcon-are-you-or-out

It doesn't do active identity obfuscation as far as I can tell, as in
adding noise to the data or other tricks, but it actively avoids sending
identity info like IP address, hostname, username, language, time zone, etc.

.hc

Tom Ritter:
> +1 for Rappor. I would think that the simplest usage metrics ('Did a
> user use this feature' and 'How long/many was X') should be pretty
> simple to do with Rappor and provide very strong privacy while keeping
> the normal metric use scenario people are used to: users submit data
> to a server, and you have fancy tools that draw fancy graphs.
> 
> -tom
> 
> On 25 January 2017 at 09:50, Nathan of Guardian
> <nathan at guardianproject.info> wrote:
>> Inspired by Tor's work on anonymous metrics[0], as well as Apple's
>> recent announcements about the use of Differential Privacy[1], I am
>> starting to do some research and thinking on creating a new mobile
>> analytics package that is private, anonymous, confidential, etc, by
>> design. This is also being inspired by the recent kerfuffle around the
>> Meitu app's insane hoovering of personal data. For now, I am calling this
>> Respectful Analytics. This work is being done with some colleagues at
>> the new Berkman-Klein Assembly[0.1] program I am participating in.
>>
>> All in all, it is good as a developer to know if your app is working
>> well, and if your user is happy, but for projects like ours, we can't
>> just plop in Google Analytics or some other package, and call it a day. We
>> do want to know if version by version we are getting better at things
>> like battery usage, responsiveness, data latency, and so on, but we
>> definitely aren't interested in having every tap a user makes, or
>> heatmaps of every screen.
>>
>> My thought is that we could create something with some of these
>> properties:
>>
>> - Data is stored and processed on the client, rather than logged en
>> masse on a server, to determine outcomes
>> - Specific queries can be defined such as "is battery usage better or
>> worse than with the last version?" that gain can be analyzed on the
>> client
>> - Any data aggregation should be done via Tor and possibly some kind of
>> mix/data laundering middle server onion
>> - User identifiers would be pseudonymous key identities that would only
>> last per lifetime of an app install (and could be optionally
>> cleared/reset by the user)
>> - Some kind of user control panel for opting in/out of various aspects
>> of the analytics package, and controlling when/how data is shared
>> - As possible, advanced techniques like Differential Privacy[3],
>> Randomized Response[4], Google's Rappor[5] should be utilized to further
>> protect from misuse of data
>>
>> So, does any of this exist today already? Any packages, projects or
>> papers I should be looking at? Any other thoughts on how we could make
>> this broadly useful for mobile app developers, web developers, and
>> perhaps even IoT?
>>
>> Thanks!
>>
>>
>> [0] https://blog.torproject.org/blog/tors-innovative-metrics-program-receives-award-mozilla
>> [0.1] https://berkmankleinassembly.org/
>> [1] https://www.wired.com/2016/06/apples-differential-privacy-collecting-data/
>> [2] https://techcrunch.com/2017/01/19/meitu-app-collects-personal-data/
>> [3] https://www.cis.upenn.edu/~aaroth/Papers/privacybook.pdf
>> [4] https://www.dartmouth.edu/~chance/teaching_aids/RResponse/RResponse.html
>> [5] https://github.com/google/rappor
>>
>> --
>>   Nathan of Guardian
>>   nathan at guardianproject.info
>> _______________________________________________
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>> To unsubscribe, email:  guardian-dev-unsubscribe at lists.mayfirst.org

-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
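Tom's point above, that a yes/no metric such as "did a user use this feature" fits a randomized-response style of collection, as an added example that is not code from this thread or from the RAPPOR project: the client-side coin-flip report, the local differential-privacy budget it gives, and the server-side unbiased estimator that recovers the population rate. The function names, the `p_truth` parameter and the simulated population are my own assumptions.

```python
import math
import random
from typing import Sequence


def randomize(truth: bool, p_truth: float, rng: random.Random) -> bool:
    """Client side: report a yes/no metric under randomized response.

    With probability p_truth the client reports its true value; otherwise it
    reports a uniformly random bit. Any single report is therefore deniable,
    which is the property that makes opt-in telemetry safer for the user.
    """
    if rng.random() < p_truth:
        return truth
    return rng.random() < 0.5


def epsilon(p_truth: float) -> float:
    """Local differential-privacy budget of randomize(): for either report
    value the likelihood ratio between truth=yes and truth=no is
    (1 + p_truth) / (1 - p_truth), so epsilon is the log of that ratio."""
    return math.log((1.0 + p_truth) / (1.0 - p_truth))


def estimate_rate(reports: Sequence[bool], p_truth: float) -> float:
    """Server side: unbiased estimate of the true 'yes' fraction pi.

    E[observed fraction] = p_truth * pi + (1 - p_truth) / 2, so solve for pi.
    Sampling noise can push the estimate slightly outside [0, 1]."""
    observed = sum(1 for r in reports if r) / len(reports)
    return (observed - (1.0 - p_truth) / 2.0) / p_truth


def simulate(true_rate: float, n: int, p_truth: float, seed: int = 0) -> float:
    """Constructed population of n installs (hypothetical data), each using
    the feature with probability true_rate; returns the server's estimate
    computed only from the noisy reports."""
    rng = random.Random(seed)
    truths = [rng.random() < true_rate for _ in range(n)]
    reports = [randomize(t, p_truth, rng) for t in truths]
    return estimate_rate(reports, p_truth)


if __name__ == "__main__":
    print(f"epsilon at p_truth=0.5: {epsilon(0.5):.3f}")
    print(f"estimated feature-use rate: {simulate(0.3, 20000, 0.5):.3f}")
```

Lowering `p_truth` shrinks epsilon (stronger deniability per report) at the cost of needing more installs to reach the same estimate precision, which is the trade-off to tune for an opt-in package.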
