Who Should Have Access to my Pointing Data? Privacy Tradeoffs of Adaptive Assistive Technologies
Foad Hamidi, Kellie Poneres, Aaron Massey, Amy Hurst · 2018 · Proceedings of the 20th International ACM SIGACCESS Conference on Computers and Accessibility (ASSETS 2018) · doi:10.1145/3234695.3239331
Summary
This UMBC study examines the often-overlooked privacy tradeoffs inherent in Adaptive Assistive Technologies (AATs) — software systems that monitor user performance data to automatically adapt their functionality. While AATs offer significant usability benefits for people whose abilities vary over time, they necessarily collect sensitive data that can reveal health conditions, disability status, and changes in ability. The paper makes two contributions: a formal privacy threat model analysis of AATs using the LINDDUN framework (Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance), and an interview study with 8 older adults (ages 64-87) who experience variable pointing difficulties, primarily due to Essential Tremor (ET). ET is the most prevalent movement disorder in the world; 15-25% of people with ET report that it affects their employment, and 60% choose not to apply for jobs because of uncontrollable shaking. The researchers chose this population because individuals with variable, mild impairments may be more sensitive about disclosure than those with established disabilities — many did not identify as "disabled" and were actively dealing with the emotional impact of changing abilities. The prototype PINATA (Pointing Interaction Notifications and AdapTAtions) was used as a technology probe: a Chrome extension with an adaptive bubble cursor that dynamically adjusts its selection area based on detected pointing difficulties, plus a pointing history browser that visualizes error patterns over time.
Key findings
The threat model analysis identified concrete privacy risks across all six LINDDUN categories for AAT users. Linkability: pointing data can be algorithmically linked to health diagnoses (e.g., Parkinson's detection from mouse movement). Identifiability: AAT data patterns over time can fingerprint individual users. Non-repudiation: the mere presence of an AAT eliminates plausible deniability about disability. Detectability: an employer could discover a job applicant's AT use through browser fingerprinting. In interviews, participants were enthusiastic about PINATA and comfortable sharing data to improve system accuracy, but had strong preferences about who could access their data. Family members and medical professionals were broadly acceptable (6-7 of 8); employers were strongly rejected (only 1 of 8 comfortable with private data); insurance companies were the most rejected (0 of 8 comfortable with private data). Participants feared employers would "misjudge their abilities" and insurance companies would "extrapolate" about their driving or other capabilities. A critical finding was the asymmetry in privacy perception: participants expressed significant concerns about non-assistive online systems but initially voiced no concerns about AATs collecting their data — suggesting that enthusiasm for assistive technology may cause users to overlook privacy risks. Participants also had asymmetric reactions to system errors: false positives (detecting problems that weren't there) provoked stronger negative reactions than false negatives (missing real problems), because false positives implied worse ability than reality.
Relevance
This paper raises essential questions for anyone designing assistive technology that collects user data — which is increasingly all assistive technology as systems move to cloud-based, adaptive architectures. The central insight is that assistive technology data is inherently health-related, yet it typically falls outside HIPAA protections because AT is not provided by covered medical entities. This regulatory gap means that data revealing tremor severity, cognitive decline, or vision changes could be collected, sold, or breached without the protections afforded to formal medical records. For practitioners, the LINDDUN-based threat model provides a structured framework for evaluating privacy risks in any AT system. The finding that users' positive attitudes toward AT may blind them to privacy risks creates an ethical obligation for designers: users cannot make informed consent decisions if they don't understand the threats. The paper recommends that AT developers conduct formal privacy threat analyses, provide transparent data visualizations showing what is collected, and give users granular control over who can access their data — especially preventing access by employers and insurance companies.
Tags: privacy · security · adaptive systems · assistive technology · essential tremor · older adults · pointing · motor impairment · threat modeling · ethics
Standards referenced: HIPAA