Kevin Schofield: chi2006

CHI Session -- Privacy 2

Wed, 26 Apr 2006 19:32:44 GMT

I'm in another CHI paper session on privacy issues.

Hi session -- Privacy

I'm in the CHI session on Privacy.

The first paper is on incidental informational privacy. The scenarios is that you're at work, or in an airport gate area, and someone might look over your shoulder. They surveyed a broad set of users on their preferences and behavior. Not any real surprises here, just some good quantitative results that reinforce intuition.

Second paper: Being Watched or being special. They reference a study from a study from the '70s that shows that people are much more willing to comply with impositions if a reason -- any reason, no matter how absurd -- is given. Their study shows that this extends to privacy. Fascinating.

CHI Panel -- Tagging

Wed, 26 Apr 2006 18:15:24 GMT

I'm in the CHI panel on "Why Taggigng systems work."

This is really frustrating to watch. There are representatives from Yahoo/Flickr, Google, and various research institutions on this panel, all trying to define tagging, but REALLY trying to define tagging in a way where it's more important and signficant than just metadata. In essence, they're trying to define the "tagging phenomenon" while skirting around the fact that they all have a vested interest in tagging being an important phenomenon with long-term staying power.

The one useful point raised is that in contrast to prior metadata efforts that were really designed around archiving and re-dscovery, tagging is largely focused on distribution (though certainly has an IR use too).

Out of this has grown Luis von Ahn's work on cooperative community tagging (and how to use games to do this). I'm a big fan of Luis's work at CMU.

Interesting observation/question from the audience: it seems like you need to be a "tag devotee" and pretty religiously do it to get a lot of value out of it. (panel answer: there's a fair amount of value just as a consumer for others' tags, e.g. Wikipedia)

"man on the street" video, surveying people on their own filing/searching habits. What would get people to spend 30 minutes a day tagging web sites? Two most common answers: money (i.e. getting paid to do it) or "nothing."

Interesting insight from George Furnas, University of Michigan: people overestimate their own ability to tag items accurately, and underestimate a group's ability to come up with a good diverse set that represents the object well.

Furnas is definitely the star of this panel: he has a great historical perspective and a thoughtful approach that goes beyond the obvious memes of the tagging community (something the other panel members are having trouble with).

Good audience question: will tagging make it outside of the community? Will out mothers ever tag things? (the moderator punted; he wants to come back to it at the end of the session)

A panel member cited a UC Berkeley study that showed that tags are very similar to dialects: well-connected groups of people quickly converge on common sets of tags.

When asked where tagging will go, really no clear ideas. Except fr one panel member who thinks we'll end up tagging (and thereby judging) people.

An audience emember brought up that amazon added tagging to product pages a couple of months ago and it was a total disaster. A panelist said that it's Amazon's fault because the page is too busy. (another member jumped in and also blamed the UI) A third panelist is suggesting that the implementation was too eglaitarian -- not only could everyone tag, but everyone could define new tags.

Question from a panelist: does tagging scale up to large, heterogeneous groups? the panelists seem to say "no" and I would suggest that this might be a more general indictment of social software systems: they almost never scale to large-scale, heterogeneous groups.

recurring point that relates to this: one universal, flat terrain for tags probably doesn't work. You need to think about clusters of tags (potentially overlapping) and hierarchies. In other words, in classing Internet form, the tagging community has just rediscovered IR, taxonomies, and semantic hierarchies.

Audience question: how many tags to people associate with an item? On delicious, the average is two (not surprisingly, that's the same as the number of words people type into a search box on MSN Search or Google).

CHI Session: Mashups

Wed, 26 Apr 2006 14:37:15 GMT

I'm in the CHI panel on Mashups.

The BBC Backstage guy is giving a "Basics" talk on what Mashups are.

Why do developers get involved in building mashups?

new business opportunities
it's cool
they're frustrated with missing features/abilities in what the main provider supports
to get noticed.

BBC Backstage is BBC's developer network for supporting third parties creating mashups with BBC's data. They only support non-commercial use, and stress that all intellectual property remains solely with BBC. They offer broadcast schedule data, audio and video archives, plus travel data for the UK (train, road, etc.)

BBC launched today reboot:bbc.co.uk, a competition to re-design the BBC home page. Cool idea.

The Google guy is talking about the technical underpinnings of mashups. and why AJAX and lightweight feed protocols make it much easier to do mashup web apps. The data sources are growing faster than specific UI services are, which is a problem at one level and certainly exacerbates UI consistency issues since each mashup developer needs to roll their own.

A good question from the audience about how to address accessibility issues for AJAX applications and machups in general.

Not a lot of good answers to questions; mostly a lot of "good question, there are people thinking about that, no answer today."

The discussant is talking about the privacy and security issues behind mashups. For example: do mashups make it really easy to develop a phishing site?

Another issue: authentication for mashups. If you go to a mashup site and type in your password for another site, how do you know what's really going on behind the scenes? Will we see the return of Passport? or will Infocard pick up quickly, or will Liberty Alliance finally get going? Will SSL be required? (is that too costly in terms of getting an SSL certificate from Verisign?)

The discussant is suggesting that mashup developers should develop more like enterprise developers.

The Google guy just said that we need to be careful not to put too much burden on mashup developers to "do things the right way." and we should look for technical solutions instead. (my editorial view: there is a natural tension here, but if we really want mashups to take off, the responsibility needs to be both on the mashup enablers as well as the mashup developers)

Is there a separation between mashups on Web sites vs. cell phones? The BBC guy says no.

Some audience questions around the intersection of "citizen journalism" and mashups, and the issues of accuracy, authenticity and reliability of information. Also if there are errors, how do we build a feedback mechanism from end-users through mashups back to the original data source providers?

Another audience question: mashups are a developer phenomenon today. Is there any chance to make it an end-user phenomenon? What would those tools look like? The Google guy thinks that it will happen eventually, but will just take time.

My takeaway: the discussant (Hart Rossman, SAIC) has thought far more deeply about the issues behind mashups than either the BBC or Google guys. Mashups are very very young, and the hype has masked a number of severe limitations. We've seen a set of relatively simple mashups where the end-users cna remain anonymous (like layering data on top of maps) and that maps (no pun intended) well to 3 of the 4 reasons stated above why mashups are getitng built: coolness, frustration, and to get noticed. The real business opportunities, in order to be realized, will require actually tackling the hard issues, and we'll have to see if and how that happens -- or if not, how quickly mashups dies as just one more fad.

I'm also disappointed at how little discussion there really was about the HCI issues related to mashups -- other than to point out that the HCI/usability community is not at all involved today.

CHI -- Security Papers

Tue, 25 Apr 2006 21:53:57 GMT

I'm in the CHI papers session on Security.

The first paper is "Why phishing works." Interesting point: both security designers and phishers use user interface techniques to accomplish their goals. Three basic categories of reasons why phishing works:

lack of knowledge ( e.g. about URLs, security indicators)
visual deception (e.g. "vv" istead of "w", overlaying windows,embedding fake address and status bar in page )
bounded atention (i.e. inattention to secuirty indicators)

In their study of whether people can correctly identify real and phishing sites, participant knowledge and use of security indicators was the best indicator of success in correctly identifying the sites. Though in walking through the examples, the reasons why people made mistakes were all over the place.

Interesting suggestion: that product teams "spoof" their own design in the testing of their web sites, to see how easy it is to convincingly phish your site.

Another interesting design point: address bar prints the URL in small type that's hard to read; can you re-size the text to make it bigger and more readable?

Second paper: Secrecy, Flagging and Paranoia: Adoption Criteria in encrypted E-mail. There is an argument that people should encrypt all of their email. Conventional wisdom is that people don't encrypt email because it's too hard. Their user study showed that in fact people often don't encrypt email because there is a social meaning (in fact, a negative stigma) associated with encryption that they don't want to convey. People will use it for financial information, and for protecting secret planning information. But recipients think that if it's encrypted it must be important -- so encrypting all email would send the wrong message (no pun intended). This was a pretty limited study and it's unclear how much it can be generalized, but it's an interesting thought.

Third paper: Do Security Toolbars Actually Prevent Phishing Attacks? There are many browser toolbars that try to help identify phishing sites. The categories of toolbars:

neutral info: domain name, date registered, country registered
System-decision: propose whether the site is OK or potentially fraudulent
SSL-verification: presents a logo if it's a verified site.

Recurring point: security is almost never the user's primary task and we don't want to make it the primary task, but we do want the user to be motivated and engaged to make good decisions. Their results are that secuirty toolbars are not as effective as one would hope in preventing phishing attacks. The study reinforces the notion that users don't understnad or know how to parse URL's. Interestingly, anecdotal comments suggest that false-positives in spam filters cause people to expect anti-phishing spoolbars to be wrong some percentage of the time. In other words: often the phishing web site looks more credible than the toolbar. Also, since security is a separate, secondary task, people's desire and focus on getting the primary task done overrides the focus on the secondary task. This is a bizarre dilemma: we don't want to make security the primary task, but then users will often override security in favor of the primary task and open themselves up to phishing attacks.

CHI Session: Managing Deviant Behavior in Online Communities

Tue, 25 Apr 2006 19:52:31 GMT

I'm in the CHI panel session on "Managing Deviant Behavior in Online Communities."

The first panelist, from IBM Research, studies intranet online communities and made the point that managers should just "chill out" about extreme behavior on corporate online presences -- there isn't that much downside, there are social corrective measures, and efforts to prevent the use of these systems within a company would be a far greater negative than trying to manage their use well.

The second speaker is an administrator for slashdot and everything2.com. His big issues:

not all misbehavior is the same
not all misbehavior is intentional
not all misbehavior is bad/harmful
deviance is all relative to your perspective. Deviants something think that their critics are the deviants. And sometimes there are good reasons to be a deviant from a society.

The third speaker argues that managing deviant behavior online and offline are essentially the same.

The fourth speaker works with online games, and deals with issues around cheating in games. One difficulty there is how to keep the game open and emergent, encoraging exploration, without encouraging testing boundaries and exploiting rules.

The discussion is cetered around some interesting scenarios. The first was from World of Warcraft, wher ethe member of a guild dies (in real life) and the other members of the guild organize an online memorial service. a rival guild notices the public notice of this, show up in force and slaughter everyone -- to add insult to injury, they videorecord the entire massacre and post it online to flaunt their actions. What should the WoW people do?

The second one: a large mailing list where one person keeps sending irrelevant posts. Talking to the person only casues very short-term relief. What should one do?

The third one: the recurring troll on an online bulletin board system who explicityl tries to get the community stirred up. Is this any different from the second case above?

The fourth example is more of an explicit (online) dscussion of who in a community had the privilege/right to define deviancy.

CHI session -- i-schools

Tue, 25 Apr 2006 16:28:48 GMT

I'm in the CHI 2006 session on Schools of Information, aka "i-schools." The session chair suggests that i-schools focus on information as the central concept vs. computers or computing.

There's no single model for an i-school; some evolved from computer science, some from library science, some are hybrids of several departments. There are about 20 i-schools in North America. They tend to grow up in places where there isn't already an independent School of Computer Science, at least partially as a way to raise the awareness and importance of subfields (like HCI) that tend to get buried in a department of CS that's buried in an engineering school.

If you imagine a triangular "problem space" with information, people and technology at the points, you've mapped out the area of concern for an i-school.

This "i-school movement" raises lots of hard questions:

is HCI more central/relevant to i-schools than to Computer Science?
will it make HCI even less central to CS?
what publications are important for tenure decisions?
is research biased toward studies and away from actually creating intellectual property that could be commercialized?
over time, will i-schools "silo" to the detriment of interdisciplinary subfields (like HCI)?
what's the difference between a "school of information" and a "school of informatics"?
within i-schools, is HCI in danger of becoming too diffuse?
will i-schools buck the trend of the overall decline of enrollment in CS programs?

This is a very frustrating session. There's a long list of audience members waiting to comment or ask questions, so I'd never make it to the mike before the session ended, but they're asking all the wrong questions. They're focused on branding, identty, and how to facilitate interdisciplinary work. The right questions to ask are all more basic:

what kind of jobs are your preparing people to? (one of the panelists said that he hoped that their graduates would go to work in other i-schools!)
have you actually talked to any employers to see if they value what you're offering?
How do you "market" i-schools to the rest of academia and to industry?
where do researchers in your field publish? (besides CHI)
Is it easier of more difficult to get funding for research when you're in an i-school vs. a CS, engineering or other school?
will i-schools create anything that will ever get commercialized? (I realize this is in my list above, in a slightly different form)
is this really anything more than an attempt to get HCI and interdisciplinary work more respect wthin the university?
What kind of degrees do people get from an i-school, and do they mena anything to anyone? Is the undergraduate degree BS or BA? (similar question for the master's degree)

CHI session -- XBox 360 critique

Tue, 25 Apr 2006 13:21:12 GMT

The plenary session this morning at CHI is an "expert critique" of the XBox 360. Two of the user experience managers for the XBox team are presenting a photographic history of the design process, followed by a panel of experts giving their critique, followed by opening it up to the audience for comments and critique.

I applaud the XBox team for doing this; it's pretty brave to stand up in front of a highly critical set of experts (and an often MS-unfriendly group to boot) and lay it all out.

The expert critiquers are asking mostly slow-pitch questions, which is a little disappointing. But there was one zinger so far: it took one of the experts 90 minutes to set up a new XBox 360, most of that time taken up with reading the EULA.

CHI -- alt.chi session

Mon, 24 Apr 2006 21:30:40 GMT

I'm in the "alt.chi" session, which is a collection of papers that are very interesting projects but for one reason or another would not compete well against traditional research papers to make it into the conference programs.

First project: incorporating digital technologies into a playground. Their first prototype was a mat (looks sort of like two sets of train tracks, side by side) that kids could step or run on, and hitting pressure mats would activate motors. In their second iteration, they got the kids involved in making spinners to put on the motors. Then they observed how kids used it and experimented with it, including inventing their own games. Their big goal: use technologies toaugment playground equipment without compromising the nature of unstructired play?

Second project: Tokyo Youth at Leisure, supporting the design of new meida to support leisure planning and practice. A user study of young adults aged 18-25 (the only age group that actually has free time) to see how they plan and participate in their leisure outings. Relaxation and companionship were the most important leisure qualities; finding new romance was the least. People and TV were the top resources for planning outings, mobile device was very low (though distinguish planning from coordination, where mobile and PC are used extensively). "downtime" is essential; they often spend it alone, but hyper-connected (via email and mobile phone). For group outings, you choose the set of people you want to be with first, then decide what to do. Planning a meeting place for a specific activity is the process of minimizing the commute and maximizing opportuinities for other serendipitous activities. One interesting take-away: lots of cultural hype of mobile phones' hyperuse as distinctly Japanese, but the PC was used a lot more than was expected; people liked the large screen for viewing information and planning activities.

Third project: RoomBugs. simulating insect infestations in elementary school classrooms. Kids use computers to run a simulation over several days of insects in the classroom, as a science experiment where they need to quantify can classify the infestation. PC's act as stations around the room and show the virtual equivalent of a "sand trap" where they see insect tracks as virtual insects walk voer them. Kids were able to correctly count and identify 94% of over 1500 insect tracks that they were exposed to over a 2-week period. Yow!

Fourth project: Orbital Browser. How to connect up components in a ubiquitous computing environment.

Fifth project: Quill: a narrative-based interface for personal document retrieval.

CHI Panel -- Managing International User Research

Mon, 24 Apr 2006 19:54:13 GMT

I'm listening to a panel on how to manage international user research -- whether you're trying to build a product directed at a far-away market, or trying to design for a worldwide audience.

There's fair consensus that international research is budget constrained more than anything else -- in fact, Microsoft keeps coming up as an example of a company with the "luxury" of having user researchers in many parts of the world and the money to send them to others (as if making those investments weren't a difficult budget decision just like at every other company).

Susan Dray made the good point, though, that deciding to do international research is usually a strategic decision, not a tactical one. That usually puts it in a separate decision-making process for investment.

Lots of discussion about the cultural issues -- both in terms of the "content," i.e. discovering cultural issues that affect your design; and in terms of the user research process and how certain practices (and certain questions) are not culturally appropriate in some countries.

Privacy

Mon, 24 Apr 2006 16:58:11 GMT

I'm in the first session on privacy issues. Clare-Marie Karat is presenting a paper on a system for how to express formal privacy rules in natural language.

Here's a useful and simple definition of a privacy policy:

Who has access to what personal information:

for what purposes

to carry out what actions

under what conditions

with what obligations

Many of the question revolve around ways to handle exceptions -- which is the downfall of most data and workflow automation systems.

Karen Tang presented a paper on how to preserve privacy/anonymity in mobile location-based services. Person-centric applications reduce the fidelity of queries to increase anonymity. But location-centric services/queries are different in some ways and does the fidelity-degradation approach work? (no) so what does work? The discussion of the work point out that this is really an application-layer system, and that there are many threats from other layers particularly if the application layer system is dependent upon lower layers to accurately label locations.

Kirsten Boehner is talking about "Advancing Ambiguity" Ambiguity is "the admitting of multiple interpretation" (Gaver, 2003).

Generally more information and awareness reduces ambiguity, but sometimes there are exceptions. "If you have one clock, you always know the time. If you have two clocks, you never know the time."

Wendy March talked about "Girls, Technology and Privacy: Is My Mother Listening?" Question: do you make phone calls sitting in your closet? It turns out that lots of teenage girls do. (so their parents can't overhear)

Important learning: girls pay attention to "location privacy" -- don't trust IM to be secret, just voice calls. But they don't feel like home is "their place" and will take phone (cell or cordless) somewhere that they can have a private conversation. Will only use computer for private conversations if they can physically move it somewhere private.

Blogging CHI and the Opening Plenary

Mon, 24 Apr 2006 15:37:55 GMT

I'm going to try to blog at regular intervals this week while I'm at CHI in Montreal. They have the student volunteers organized to do this too, so it should be an interesting collection of entries on the official CHI blog site by the end of the conference.

The opening plenary this morning, by Scott Cook of Intuit, was great. Scott is a very genial, affable guy who quickly builds a cnnection with the audience. The official topic for his talk, which he generally stuck to, was "Creating game-changing innovation."

He had many interesting insights into the business of innovation, many cribbed from Peter Drucker (in a good way, with appropriate credit given). Of particular note was his list of five "models of innovation inside a company:

1. the lone genius
2. the boss is the genius
3. copy competitors' innovations
4. cloister the geniuses in a lab
5. make the people the geniuses

and of course he subscribes to the last one.

The heart of his talk, though was about five principles of innovation and invention. His principles:

1. Invention comes from mindset change.
2. Mindset change comes from seeing differently.
3. Savor surprises -- as learning. (and 3a. celebrate your failures for the learning you derive from them)
4. Focus managers on a customer metric
5. Nurture and protect teams that are doing innovative work.

Cook talked a lot about how Intuit has a culture of always starting with the customer need. He gave several examples of how Intuit products were created directly out of customer studies that gave them key insights about how they weren't solving the needs of their customers.

It was a fun and inspiring talk. If you get an opportunity to hear Cook talk, I would strongly encourage you to do so.