implicit authorization for social location disclosure

Implicit Authorization for SocialLocation Disclosure

Georg Treu1, Florian Fuchs1, and Christiane Dargatz2

1Mobile and Distributed Systems Group, Institute for Informatics2Department of Statistics

Ludwig-Maximilian University Munich, Germany[georg.treu|florian.fuchs]@ifi.lmu.de, [email protected]

Abstract— Being increasingly equipped with highly-accuratepositioning technologies, today’s mobile phones enable theirowners to transmit their current position over the cellularnetwork and share it with others. So-called location-basedcommunity services make use of this possibility, for examplefor locating friends, co-workers or family members. Ofcourse, these services give target persons control aboutthe way location data may be accessed by others. So far,this is done by the target explicitly granting or denyingpermissions through authorization policies or ad-hoc au-thorization. Unfortunately, apart from bringing along highmanagement effort, the concept of explicit authorization insuch a privacy-sensitive application entails the disadvantageof social difficulties.

In this paper we introduce the concept of implicit au-thorization, which has reciprocity as its central element:Another person is granted access to a certain target’slocation information implicitly by the target accessing theinformation of that other person as well. The technique aimsto reduce social pressure on the target person when decidingwhether a certain person may locate her or not. Also,the target person is relieved from management overhead.Several realizations of implicit authorization are proposed.They differ in the service pattern (reactive/proactive) theyare useful for and the way a once given access grant isrevoked.

Index Terms— community LBS, proactive LBS, social dis-closure, authorization, reciprocity, ambiguity

I. M OTIVATION

With the mass market introduction of cellular phonesin the early 1990s, the paradigm of always being availablechanged the way we think and act. In recent time,mobile phones are increasingly equipped with highly-accurate positioning technologies like GPS, which notonly facilitates local applications like navigation, but alsoallows individuals to transmit their current position overthe cellular network and share it with others. Suddenly,it becomes easily possible that everybody can always belocated by anybody.

So-calledlocation-based community services (LBCSs)make use of this technique. Examples are friend finderservices [1] [2], child trackers, dating services, andlocation-enhanced instant messaging (IM) services [3].

This paper is based on “Implicit Authorization for Accessing LocationData in a Social Context” by G. Treu, F. Fuchs, and C. Dargatz, whichappeared in the Proceedings of The Second International Conferenceon Availability, Reliability and Security (ARES), Vienna, Austria, April2007. c© 2007 IEEE.

According to the classification in [4], an LBCS canbe eitherreactive or proactive. In the former case thelocation information of the target is presented to the useronly when the user explicitly asks for it. An example isa simple friend finder application which has a button forthe user that allows him to locate one or more of hisfriends and show their position on a map. In the lattercase location information is automatically displayed tothe user on the arrival of a certain pre-defined spatialcondition, defined in terms of the position(s) of thetarget(s). An example is an office tracker applicationwhich automatically notifies the co-workers of the targetperson as soon as she has approached the work placebelow a certain distance.

In order to be acceptable at the market, LBCSs givetarget persons control about the way location data maybe accessed. So far, this is done byexplicit access autho-rization, which requires an explicit yes or no decision bythe target whether a given user may access her locationdata or not and which can be implemented in two generalways. First, the target can depositauthorization policieswith the LBCS provider, which exclude or include certainindividuals from accessing her location information. Thesecond strategy isad-hoc authorization, where the targetperson is asked for approval each time her location datais to be transferred to the user.

Unfortunately, explicit authorization has several disad-vantages. First, it is associated with considerable manage-ment effort for the user, which in one case is dedicatedto the a-priori definition of policies and in the secondcase to the target’s manual interaction with the service.Second, explicit authorization has a high potential ofintroducing social difficulties. For instance, a user whowants to inquire the location of a target person may feelrejected by the target if access is not granted. On the otherhand, the target may feel socially pressured to grant theinquirer access in order to avoid possible negative socialimplications.

For circumventing these problems, this paper intro-duces the concept ofimplicit authorization. An inquirerAis granted access to the location information of targetB,only if B in turn has previously attempted to accessthe location information ofA. That is, by accessing thelocation information of another person, that person isimplicitly granted access to one’s own location.

18 JOURNAL OF SOFTWARE, VOL. 3, NO. 1, JANUARY 2008

© 2008 ACADEMY PUBLISHER

We believe the technique is better socially acceptablethan explicit authorization for the following two reasons.First, reciprocal information exchangeis enforced, whichis generally desirable for privacy-sensitive applicationslike LBCS. Second,plausible deniabilityis built in by themechanism as explicit denial decisions by the target aresimply disabled. Instead, the concept providesambiguityand thus ”makes space for stories” [5], because deniedaccess attempts can be attributed to the target having notlocalized the other person, which in turn can have multiplecauses, e.g. economical ones.

Different realizations of implicit authorization arepresented, which differ in the service pattern (reac-tive/proactive) they are useful for and the way a oncegiven access grant is revoked. One revocation techniqueis based on leases: After a certain amount of time anaccess right ceases automatically. If a renewal is desired,the target needs to locate the user again. Another proposedtechnique uses a whitelist of limited size for revokingaccess rights: If a new user is added to the whitelist andif the maximum size of the list is reached, then the userin the list which was least recently localized by the targetloses his access grant automatically.

The paper is structured as follows: Section II identi-fies basic requirements on an authorization scheme forLBCSs, such as usage simplicity and control. Further-more, two general concepts that enhance social accept-ability are presented, which are reciprocity and ambi-guity. Section III reviews existing techniques of explicitauthorization. Section IV introduces the novel conceptof implicit authorization and discusses the three givenrealizations. The work is concluded in Section V.

II. CHALLENGES

We consider the following requirements on an autho-rization mechanism for LBCSs as the most essential ones.

A. Control

The mechanism should give the target control aboutwho may access her location information at any time. Thatis, decisions made by the mechanism concerning denialor approval of access should reflect the current attitudesof the target as well as possible.

For expressing this quality in a more formal way,we introduce the termscorrectnessand completenessofauthorization, which are defined in analogy to the metricsprecisionandrecall common ininformation retrieval (IR).For a given time span, correctness denotes the fractionof those location disclosures approved by the mechanismwhich were also desired by the target. Completeness, inturn, denotes the fraction of those location disclosuresdesired by the target to be approved which were actuallyapproved by the mechanism. Mathematically, correctnessand completeness are defined in close analogy to precisionand recall, whereby instead ofpositivesandnegatives, wespeak of disclosureapprovalsand denials, respectively.Similarly to IR, the target’s agreement is reflected by qual-ifying a disclosure decision astrue or false, respectively.

Also in analogy to precision and recall, achieving ahigh level of correctness without considering complete-ness, or vice versa, is fairly simple. Consider for instancean overly restrictive system which discloses location datato nobody. Obviously, that would yield excellent correct-ness as nofalse approvalscan happen. The achievedcompleteness, however, would be poor as, potentially,there could be a lot offalse denials. Another exampleis an overly permissive approach which discloses a tar-get’s location to everybody. The result would be perfectcompleteness as nofalse denialscan happen, but thecorrectness would be poor, because of the possibly highnumber offalse approvals. To conclude, the challenge isto design an authorization mechanism which guaranteeshigh values for correctness and completeness at the sametime.

B. Simplicity

Despite giving the target the desired control, an au-thorization mechanism should be simple enough to beadopted in the first place.

Simplicity is naturally associated with good usabilityof the mechanism. Obviously, time and effort the targethas to spend for managing an authorization mechanismshould be reduced as far as possible. Such managementeffort can include the a-priori definition of authorizationpolicies, or, in case of authorization on request, ad-hocinteraction with the authorization procedure. Of course,the mechanism should be intuitive to use and not toocomplex in order to be practicable for everyone whouses the service. The latter aspect represents a particularproblem for authoring privacy policies [6], which need tobe fine-tuned and reworked on a regular basis in order toreflect current target attitudes.

Simplicity is also desirable with regard to the effortto implement the mechanism and, possibly, integrate itwith existing solutions, which is probably one of themost important considerations for LBCS providers. In thisaspect, between the two introduced explicit authorizationtechniques, the policy-based approach seems to haveclear advantages over ad-hoc authorization as it allowsthe definition of policies to be decoupled from theirenforcement. This way, no dedicated user interface isneeded for prompting the target for approval, which inturn enables an easier integration of more diverse terminaltypes and positioning methods like network-based ones,where a component located in the network derives thetarget’s current position without communicating with hermobile device. For a good overview about positioningtechnologies, see [7].

C. Social Acceptability

If LBCSs are really to become a part of people’s dayto day life, their social implications should be profoundlyanalyzed and possible negative consequences should beavoided by design, a task that goes beyond classicalrequirements engineering. If one takes a look at recent

JOURNAL OF SOFTWARE, VOL. 3, NO. 1, JANUARY 2008 19


literature in that field, e.g. [8] [9], social issues of privacyare more and more emphasized. Two related conceptsseem to be especially important, see also [3]:reciprocityandambiguity.

1) Reciprocity.: This is a well-known principle forestablishing balance between parties that engage in aprivacy-sensitive exchange of information. The principlestates that the amount of information transferred frompersonA to personB should be roughly the same as theinformation that is transferred fromB to A. According to[10], who discuss the principle for context-aware services,reciprocity helps to avoid negative social situations. Theauthors compare these negative situations to economicalinefficiencies which arise in a market environment whencertain people take advantage of insider knowledge.

While related works so far promote reciprocity forachieving balance of mere information flows, a potentialprivacy risk still exists when the interest in receivingthe information is not well-balanced. Suppose personAand personB are socially related. AsA feels thatBshould be able to locate her, she authorizesB to do so,however, only under the premise that the flow of locationinformation between the two is balanced (”classical”reciprocity). That is, wheneverB requests the positionof A, B also has to reveal his own position toA.

However, while being already advantageous over non-reciprocal sharing, a problem forA with this setup canstill arise whenA is actually not interested in know-ing B’s location, butB is in knowingA’s. Imagine thatB is rather indifferent about revealing his own locationseveral times a day toA, if only B can determineA’sposition as often as desired. This could lead toA feelingcontrolled byB.

As a conclusion, we suggest that an authorizationmechanism aimed to balance the privacy between per-sons should not only guarantee symmetric informationflows, but also consider mutual interest in receiving theexchanged information.

2) Ambiguity.: Being marked by U.S. politics in the1950s, the termplausible deniabilityoriginally refers toobscuring operations by the then newly-formed CentralIntelligence Agency. In the meantime it has also becomean essential concept for achieving personal privacy inpervasive systems [11]. Plausible deniability denotes thatthe potential observer of another person cannot determinewhether a lack of disclosure was intentional or not. Anobvious example is a person who does not want to belocated and decides to turn off her mobile device. Fromthe location inquirer’s point of view, it is not clear whetherthe person beingtemporarily unavailableis deliberate ordue to technical problems like missing radio contact.

Being strongly related to plausible deniability,ambigu-ity is discussed by [5] and [12] forpersonal communica-tion systems (PCSs)like push-to-talk. When unsuccessfulcommunication attempts are mediated to the caller in away that can be ambiguously interpreted, possible socialdifficulties arising between caller and called person inthe aftermath are reduced, a process referred to as ”face

work”. Apart from possible technical problems, space forambiguous interpretation (”stories”) can be made, e.g.by attributing rejected calls to economical resources ofthe called person, which would have been consumed bytaking the call. Based on sociological studies it is statedthat, in order to enable ”face work”, the ”story” presentedto the caller needs not be extremely convincing. Moreimportant is that ambiguous interpretation is possible, sothat both persons can save face. Ambiguity is less focusedthan plausible deniability on mediating an explicit denialdecision to the observer and thus fits well with the implicitauthorization technique proposed later.

Applied to LBCSs, ambiguity avoids directly repulsinga location inquirer, which in turn reduces the socialpressure on the target person when deciding about whomay locate her and who not. With ambiguity it remainsunclear to the inquirer whether a denied location disclo-sure was deliberate by the target person, or if other causes,e.g. limited economical resources, have kept the targetfrom disclosing her location. Especially because computersystems are getting more and more reliable, possibletechnological causes for refused disclosures, which rep-resent the ”classical” way of ambiguity, are diminishing.Therefore, new ways to support ambiguity in LBCSs andcontext-aware services need to be discovered, which isone of the main objectives of this paper.

III. E XISTING AUTHORIZATION TECHNIQUES

This section reviews existing techniques of explicitauthorization – policy-based, ad-hoc, and hybrid autho-rization – in more detail.

A. Policy-based.

According to [13], an authorization policy is an asser-tion that a certain amount of information may be releasedto a certain entity under a certain set ofconstraints. Apolicy typically consists of various types of constraints,see also [14]:Actor constraintsrestrict access to a limitedset of inquirers,time constraintsto publishing locationdata only at certain times, andlocation constraintslimitaccess to certain predefined locations. By specifyingaccuracy constraints, a target can intentionally degradethe accuracy of emitted location information. Accuracyconstraints have also been proposed as an extension toGeopriv [15], a well-known protocol standard for privacy-aware exchange of location data. Authorization policiesare typically defined by the target but enforced by adifferent actor on behalf of the target, e.g. the LBCSprovider.

B. Ad-hoc.

While policies are deposited in advance, ad-hoc autho-rization interactively involves the target in the authoriza-tion procedure. Ad-hoc authorization is promoted by workoriginated from the Place Lab project [16]. Examples areReno and Boise, both being systems for social locationdisclosure based on numerous practical evaluations and



user studies, compare [17] [18] [19]. For increasing thesocial acceptability of ad-hoc authorization, several tech-niques are proposed. One is usingsilent time-outs, that is,if the target does not respond to an authorization requestfor a given time-out interval, the inquirer is automaticallydenied access and the request is discarded. This way, roomfor ambiguity is created, because it is not clear to theinquirer whether the target has deliberately refused therequest or not. Furthermore, ad-hoc authorization enablesfine-grained deception techniques, which are useful whenthe target person decides to publish a false location tothe inquirer, e.g., to avoid certain situations of socialpressure. Also, with ad-hoc authorization the target canbetter examine the reason of the inquirer’s request, whichgenerally enhances reciprocal exchange of information.Note that ad-hoc authorization is suited rather for reactivethan for proactive LBCSs. The latter should trigger eventsautomatically, which is somewhat contradictory to theconcept of manual (ad-hoc) interaction.

C. Hybrid.

Authorization by policy and ad-hoc authorization canalso be combined. By so-callednotification constraints,which may be part of an authorization policy or not, atarget can define certain situations in which she wishesto be prompted for ad-hoc approval. Many mobile net-work operators, when externally requested to locate asubscriber’s mobile terminal, rely on that combination.Notice, that is, a target is generally informed aboutattempts of locating her, can also happen in a purelypassive way. It is seen as a fundamental technique forprivacy improvement, see also [20].

Noteworthy is an investigation by [21], saying thata target’s attitude toward authorizing an inquirer is in-fluenced stronger by the inquirer’s identity than by thecurrent situation of the target. That is, a once takenauthorization decision regarding a given person may stayrelatively constant for different situations.

D. Conclusion.

While explicit authorization gives the target controlabout her location data, it also brings up two inevitableproblems. First, despite certain techniques for reducingsocial impact (silent time-outs, selective deceiving, etc.),a potential inquirer has good reason to assume denialdecisions are made in an explicit way, which stronglylimits space for ambiguity. Second, extra time and effortof the target is needed for managing the mechanism,which is typically the higher the more fine-grained thedesired control is. A related and complex issue is theprovisioning of an appropriate user interface for the targetperson.

As a possible solution, the next section presents thenovel approach of implicit authorization.

IV. I MPLICIT AUTHORIZATION

This section defines and discusses implicit authoriza-tion as a generally new paradigm for granting other

persons access to one’s own location information. Con-crete realizations for both reactive and proactive LBCSsillustrate the paradigm.

Implicit authorization has reciprocity as a central ele-ment: Location disclosure to a certain personA is implic-itly admitted by a certain target personB whenB requestsa location disclosure fromA as well. The scheme is suitedfor LBCSs where members of a community voluntarilyexchange location information among themselves andwere the information exchange is per se rather balanced.One example is a typical friend finder service. Another isan LBCS which allows co-workers to locate each otherfor coordination purposes. The mechanism is not suitedfor LBCSs that rely on single-sided tracking, like a childtracker or a system used for elder care. However, in theselatter applications the need for reducing social pressurealso seems less prevalent.

The technique applies to proactive as well as to reactiveLBCSs. Proactive LBCSs, which are not request-basedbut triggered by spatial events, have a natural ambiguityfeature built in: The ambiguity lies in the fact that, if theuser does not receive any notification for a certain eventwith respect to the target she has subscribed to, it canhave two reasons. First, the target may have blocked thedisclosure. Second, the event simply has not occurred.

However, while being an advantage in general, thisnatural ambiguity can only be carried to a certain level.In the introductory example, where co-workers are to beinformed as soon as the target enters the work place,they can tell by physical observation whether the eventin fact happened or not. Hence, additional ambiguity isalso needed for proactive LBCSs. Reactive LBCSs do notexhibit this built-in ambiguity, because when requestingthe location of the target person, the user explicitly waitsfor a result message.

In order to account for the different properties of re-active and proactive LBCSs, the following first discussestwo versions of implicit authorization for reactive LBCSs.Then, a version suited for proactive LBCSs is presented.

A. Implicit Authorization for Reactive LBCSs

Implicit authorization for reactive LBCSs means thatthe request of userA for the location of userB will onlybe answered positively ifB has requested the locationof A before. That is, by showing interest in somebodyelse’s location (that is, by requesting the location), oneimplicitly grants the person access to one’s own location.

Obviously, inquiring another person’s location requiresa certain effort, e.g. time or monetary costs spent formobile bearer services or other limited resources. Hence,in case a person is not granted access, it is easier forthe target person to argue that certain resource constraintshave kept her from locating the person, which would havegranted the access for that person. Thus, in contrast toexplicit authorization, the mechanism provides a richerresource for ambiguity, which reduces social pressure.Also, apart from providing reciprocal information flows,



LocationServer

Person A

"not permitted”

RequestPosition (B)1

2

Person B

3

4

5

6CurrentPosition (B)

7

8

RequestPosition (B)

RequestPosition (A)

RequestPosition (A)

CurrentPosition (A)

“ ”not permitted

B is entitled to access A’s Position

A is entitled to access B’s Position

Figure 1. Implicit Authorization for Reactive LBCSs with Revocationbased on Leases.

mutual interest in the exchanged information is enforcedas postulated in Section II-C.1.

The mechanism is simple to use and provides controlfor the target, who can decide before locating anotherperson whether she wants to sacrifice some of her ownprivacy in turn. By deliberately avoiding to locate certainpersons, a high value for correctness can be achieved. Atthe same time a high value for completeness is possible, asevery user in the system is free to try to locate each other.User identifiers in the system can be static and publiclyknown, like email addresses. No additional managementeffort and no user interface dedicated to authorizationis needed, because permission management is handledimplicitly, simply through using an LBCS.

A possible source of irritation is that first-time locatingattempts are always unsuccessful, although the targetmight be willing to disclose. However, as users are awareof the mechanism, they can handle this situation, e.g. byinitially encouraging the target to locate them once.

A bigger problem, we think, is finding an easy-to-understand and practicable method for revoking once-granted access permissions. Therefore, the following dis-cusses two different revocation methods, one using time-based leases, one using whitelists of limited size.

1) Revocation Based on Leases:In this version ofimplicit authorization, access is revoked based on so-called leaseswhose validity is limited in time or anotherdimension (see below). A lease is associated with exactlyone target-inquirer relation. It can be extended only bythe target re-locating the inquirer. Consider Figure 1 asan illustration. Each time the location server receives arequest, it uses a simple rule for deciding on the disclosureof the requested information: The request of userA for

the location of userB will only be answered positivelyif B has requested the location ofA less than a particulartime period ago.A’s first attempt to locateB is rejected(1 and 2), becauseB has not inquiredA’s position yet.However, due to the request a lease allowingB to locateA is deposited at the server.B makes use of the lease soon(3 and 4), which in turn entitlesA to locateB some timeafterward (5 and 6). AfterA not locatingB for a longerperiod of time,B’s lease times out and her positioningattempt is rejected (7 and 8).

In addition to being limited by a time frame, the validityof the lease can be linked with different conditions andcombinations of these, e.g.:

• A lease can be valid for a certainnumber of requests.That is, it authorizes the lease holder to access thelocation of the lease grantern times.

• A lease can be valid for a certainspatial region. Thatis, it authorizes the lease holder to access the locationof the lease granter only when the lease granter islocated within a certain range from where the leasewas created.

In order to learn more about the long-term behavior ofthe mechanism, the following evaluations are carried out.

We investigate the practicability of our approach in thecase that two participants actuallywant to authorize eachother and thus request each other’s location accordingto a given probability distribution. This is done usingsimulations on a statistical model. Here, we summarizeour findings and refer to [22] for details.

a) Model and Scenarios:We assume two partici-pants who access each other’s location. The number ofaccesses per hour for each participanti is modeled by aPoisson distribution with rate parameterλi. We assumethat all accesses are legitimate and should therefore begranted. When participanti accesses the location ofparticipantj, our proposed authorization system automat-ically grants j access toi’s location for the followingδi hours (denoted aslease time). With no real data athand, the value ranges forλi and δi were chosen basedon common sense.

We investigate two scenarios: Inscenario 1:1, bothparticipants exhibit the same access rate, while inscenario3:1, participant one has an access rate three times higherthan participant two. Applied to a friend-finder service,scenario one simulates two friends with totally balancedinterest in locating each other, while scenario two corre-sponds to a less balanced relation, where one person ismore interested in locating another one than the other wayround.

b) Effect of Access Rate:The first experiment in-vestigates the dependence between access rate and theproportion of granted accesses assuming a fixed lease timeof 48 hours.

In scenario 1:1, the access rate for each participantvaries from once a week to 6 times per day. Figure 2shows the simulation results for the total number ofaccesses: In order to achieve an approval rate of at least95%, at least 3.2 accesses per day are required in total.



This translated to about 1.6 accesses per day for eachparticipant.

In scenario 3:1, the access rate for participant one variesfrom 1.5 per week to 9 per day, while participant twohas access rates from 0.5 per week to 3 per day. Here,the effect is of course different for each participant (seeFigure 2). In order to achieve an approval rate of atleast 95% for both participants, access rates of at least6.5 requests per day for participant one and at least 1.6requests per day for participant two are required.

Accumulated access rate (per day)

Pro

port

ion

of g

rant

ed a

cces

ses

(%)

0 1 2 3 4 5 6 7 8 9 10 11 12

2550

7510

0

Figure 2. Two participants with identical access rates and a lease timeof 48h

Accumulated access rate (per day)

Pro

port

ion

of g

rant

ed a

cces

ses

(%)

0 1 2 3 4 5 6 7 8 9 10 11 12

2550

7510

0

Figure 3. Two participants with access rate ratio of 3:1 and a lease timeof 48h

c) Effect of Lease Time:In a second experiment,we investigate the effect of lease time length on theproportion of granted accesses. Here, access rates for bothparticipants are assumed as 3 per day in scenario 1:1 and4.5 and 1.5 per day in scenario 3:1. Lease time lengthvaries from one hour to three days.

In scenario 1:1, a lease time of at least 24 hours isrequired in order to achieve at least 95% of correctlygranted accesses. In scenario 3:1, participant one requiresa lease time of at least 49 hours for achieving at least 95%of granted accesses. Participant two, being queried morefrequently, requires a minimum lease time of 16 hours.

d) Summary: The mechanism is quite reliable incase two persons locate each other relatively often andif the interest in each other’s location is balanced. Other-wise, denied access attempts get more frequent, at leastregarding the person that is requested more seldom bythe other. Thus, applications for single-sided tracking,like child- or pet-finders, or ones used only seldom, likeemergency services, are probably not compatible withlease-based revocation. However, the mechanism seems tobe well suited when balance of interest is actually desiredand when the LBCS is used more frequently, as conceiv-able for typical friend finder services. The selection ofthe ideal lease time is a trade-off: Long periods increasereliability, while shorter ones increase control in terms ofcorrectness and also enhance ambiguity in case a targetdecides not to renew a lease. For the assumed access rates,lease times between 24h and 48h seem most appropriate.

2) Revocation Based on Whitelists:The previouslydescribed revocation scheme is very sensitive to changesin usage patterns of the LBCS: The lease time is selectedfor a particular frequency of service usage. If either of thetwo involved parties diverge from the assumed frequency,revocation based on temporary leases will produce falsedenials.

As an improvement for scenarios with volatile usagefrequencies, we propose a different revocation schemethat uses FIFO whitelists. Like before, users deposittheir location information at a central location serverand request the location information of others from it.However, this time a different rule is used for deciding onthe disclosure of this information: The request of userAfor the location of userB will only be answered positivelyif B is one of then most recent users who requested thelocation ofA. So at any point in time, maximumn usersare granted access to the location of userA. This is whywe speak of a whitelist for userA with n entries. Thelist is updated every time userA requests the locationof somebody else. WhenA requests the location ofC,C is added to the head of the list and the user whowas previously at positionn is removed from the list.The whitelist therefore exhibits a FIFO (first in, first out)behavior. Figure 4 illustrates the procedure forn = 3.

This scheme has the following advantages: It enforcesreciprocal exchange of location information without im-posing temporal restrictions in contrast to the previ-ous schemes. The scheme is independent from usage



LocationServer

Person A

RequestPosition (B)

RequestPosition (C)

RequestPosition (D)

RequestPosition (E)

RequestPosition (B)

Who may locate A(A’s white list,

n=3)

B

B,C

B,C,D

C,D,E

D,E,B

1

2

3

4

5

Figure 4. Implicit Authorization for Reactive LBCSs with Revocationbased on Whitelists.

frequency and therefore more robust in scenarios withvolatile usage frequencies.

At the same time, the number of possible disclosurerelationships is limited, which could be seen as a dis-advantage. However, this also allows the owner of thewhitelist to control location disclosure to a good degree.E.g., by locating random persons who certainly will notlocate back, such as celebrities, the target can removeany unwanted inquirer from his list at once. This leadsto a higher correctness than with leases in case thetarget suddenly changed his mind about a certain user.In addition, it provides the user with ambiguity as deniedlocation requests can be justified as being due to otherlocation requests that had to be carried out by the user inbetween (resulting in the removal of previous users fromthe whitelist).

An important decision is the choice ofn. It shouldbe small enough to result in continuous adaptation ofthe whitelist and at the same time large enough toenable stable disclosure relationships within a narrowcircle. Regarding the fact that location information is veryprivacy-sensitive and that normally the circle of very closerelationships of a person is rather small,n = 5 seemsreasonable to us. However, user studies will be necessaryfor a better-founded selection. Also,n may depend on thetype of LBCSs and/or the type of the target communityand should be chosen accordingly. E.g., adults may bemore averse toward location disclosure than teenagers,resulting in a smallern for adults.

B. Implicit Authorization for Proactive LBCSs

The previously described schemes are designed for re-active LBCSs. Proactive LBCSs, however, have differentcharacteristics, e.g. that at the time of service initiation,the concrete moment and the number of location disclo-sures is not yet known. Still, starting with the subscriptionto a target’s location, there is thepossibilityof receivinghis location information anytime. This ”potential knowl-edge” should be balanced as well, e.g., by requiring the

potentialdisclosure of the inquirer’s location informationin return. Implicit authorization represents an attractiveauthorization scheme for this.

A subscription of personA to a particular event re-garding personB entitlesB to receive events regardingA as well. This way, a reciprocity of subscriptions is en-forced, which takes account of thepossibilityof locationdisclosures. By unsubscribing from userB, userA willnot receive any events related to userB anymore. At thesame time, userB will not receive any events relatedto userA even if userB is still subscribed to userA.Figure 5 illustrates the technique.A subscribes to eventEv1 regardingB (1). Soon afterward,A triggers the eventherself (2). However, sinceB is not subscribed yet, theevent is not forwarded. At step (3)B also subscribesto the event fromA, which finally entitlesA to receivenotifications of this event type fromB. Hence, when instep (4)B triggers the event, it is forwarded toA (5).After that, A unsubscribes from the event (6) which atonce revokesB’s grant to receive the next event fromA(7). Finally, B also unsubscribes fromA’s events (8).

The application of implicit authorization to proactiveLBCSs carries particular advantages: It enables the user tocontrol disclosure of location information to other users.At the same time, there is no management overheador specialized user interaction necessary, as disclosinginformation is implicitly coupled with requesting (future)information. Finally, ambiguity is enhanced as the absenceof notifications can always be justified with the fact thatinterest is not mutual or that the overhead of receivingevents regarding a certain person is just too big for thereceiving person. This avoids the feeling of repulse for aperson who waits in vain for location events of another.

In analogy to the whitelist-based revocation fromabove, a variation of this scheme is to limit the numberof subscriptions a user can place. This way, an additionalsource of ambiguity is created: If userB happens toknow (for example because userB and A came acrosseach other) that an event related to userA should havebeen fired but was not fired, thenB can argue thatthe number of subscriptions is limited and that it wasnecessary to subscribe to somebody else’s location eventsin the meantime.

C. Discussion

One risk associated with implicit authorization is thatthe mechanism could be perceived as artificial chicaneryand not be accepted. The target person might wonder whyshe cannot simply authorize an inquirer person withouthaving to locate the person first. However, we believe thatthe technique has the potential of being regarded as a veryeconomical way of exercising control – designed to avoidthe management overhead associated with explicit autho-rization. Put into other terms, while our motivation fordesigning the mechanism was to reduce social pressure,one way to promote it to actual users is to emphasize itsease of use.



B is entitled to receive event Ev1 about A

A is entitled to receive event Ev1 about B

LocationServer

Person A

Event (Ev1)

SubscribeEvent (B,Ev1)1

2

Person B

SubscribeEvent (A,Ev1) 3

Event (Ev1) 4

UnsubscribeEvent (B,Ev1)6

UnsubscribeEvent (A,Ev1) 8

EventNotification (B, Ev1) 5

Event (Ev1) 7

Figure 5. Implicit Authorization for Proactive LBCSs.

Another open issue is whether reciprocal location dis-closure can always be assumed for LBCSs used by inde-pendent adults (excluding child trackers and elder care).This work simply did so. However, when single-sidedtracking is actually desired, at least by one party (e.g.,a boss wants to track her employee, while the employeedoes not want to track the boss), this mechanism is notuseful. A related question which we cannot and do notwant to answer is whether single-sided tracking is ethicalor not and whether it should be promoted or not. Wethink that by giving the user a new tool at hand, suchas implicit authorization, certain social norms, such as“Should single-sided tracking be supported or not?”, atleast have the chance to develop more freely, because itenables users to choose between different alternatives forauthorization.

V. CONCLUSIONS ANDFUTURE WORK

The paper presented a novel paradigm for authorizingsocial disclosure of location data:Implicit authorizationreduces management overhead and social pressure. Con-crete realizations for reactive and proactive LBCSs werediscussed, including versions with revocation based onleases and FIFO whitelists. It was analyzed why the tech-niques are particularly well-suited for different variationsof equilateral LBCSs like friend finder services. They aresimple to use, provide control, and feature reciprocity aswell as ambiguity.

The proposed mechanisms are currently being testedwithin the device-centric LBS middleware frameworkTraX [4], which especially supports community services.Future work is also concerned with analyzing the le-gal implications of the mechanism, e.g. with respect toregulation efforts for personal data collection like [23].Last but not least, implicit authorization is not specificfor protecting location data. The principle may apply to

further types of personal information users might want toshare.

REFERENCES

[1] “Dodgeball.com,” 2006, http://www.dodgeball.com,last access 2006/09/08. [Online]. Available:http://www.dodgeball.com

[2] “Socialight,” 2006, http://socialight.com, last access2006/03/07. [Online]. Available: http://socialight.com

[3] M. Raento and A. Oulasvirta, “Privacy management forsocial awareness applications,” inProc. of Workshop onContext Awareness for Proactive Systems (CAPS 2005),2005.

[4] A. K upper, G. Treu, and C. Linnhoff-Popien, “Trax: Adevice-centric middleware framework for location-basedservices,”IEEE Communications Magazine, vol. 44, no. 9,September 2006.

[5] P. M. Aoki and A. Woodruff, “Making space for stories:ambiguity in the design of personal communication sys-tems,” in Proc. of CHI ’05. New York, NY, USA: ACMPress, 2005, pp. 181–190.

[6] C.-M. Karat, J. Karat, C. Brodie, and J. Feng, “Evaluatinginterfaces for privacy policy rule authoring,” inProc. ofCHI ’06. New York, NY, USA: ACM Press, 2006, pp.83–92.

[7] A. K upper,Location–based Services — Fundamentals andOperation. John Wiley & Sons, Aug. 2005.

[8] J. I. Hong, J. D. Ng, S. Lederer, and J. A. Landay, “Pri-vacy risk models for designing privacy-sensitive ubiquitouscomputing systems,” inProc. of Conference on DesigningInteractive Systems (DIS ’04). New York, NY, USA: ACMPress, 2004, pp. 91–100.

[9] G. Iachello, I. Smith, S. Consolvo, M. Chen, and G. D.Abowd, “Developing privacy guidelines for social locationdisclosure applications and services,” inSOUPS ’05: Proc.of the 2005 symposium on Usable privacy and security.New York, NY, USA: ACM Press, 2005, pp. 65–76.

[10] X. Jiang, J. I. Hong, and J. A. Landay, “Approximateinformation flows: Socially-based modeling of privacy inubiquitous computing,” inProc. of Ubicomp ’02. London,UK: Springer-Verlag, 2002, pp. 176–193.

[11] S. Lederer, I. Hong, K. Dey, and A. Landay, “Personalprivacy through understanding and action: five pitfalls fordesigners,”Personal Ubiquitous Computing, vol. 8, no. 6,pp. 440–454, 2004.

[12] K. Boehner and J. T. Hancock, “Advancing ambiguity,” inProc. of CHI ’06. New York, NY, USA: ACM Press,2006, pp. 103–106.

[13] J. Cuellar, “Location information privacy,” inGeographicLocation in the Internet, B. Sarikaya, Ed. Norwell, MA:Kluwer Academic Publishers, 2002, pp. 179–212.

[14] G. Myles, A. Friday, and N. Davies, “Preserving privacyin environments with location-based applications,”IEEEPervasive Computing, vol. 2, no. 1, pp. 56–64, 2003.

[15] H. Schulzrinne, H. Tschofenig, J. Morris, J. Cuellar,and J. Polk, “A document format for expressingprivacy preferences for location information. draft-ietf-geopriv-policy-08.txt,” February 2006. [Online]. Avail-able: http://www.ietf.org/internet-drafts/draft-ietf-geopriv-policy-08.txt

[16] A. LaMarca, Y. Chawathe, S. Consolvo, J. Hightower, andal., “Placelab: Device positioning using radio beacons inthe wild,” in Proc. of Pervasive 2005, ser. LNCS. Munich,Germany: Springer-Verlag, May 2005, pp. 116–133.

[17] S. Consolvo, I. Smith, T. Matthews, A. LaMarca, J. Tabert,and P. Powledge, “Location disclosure to social relations:why, when, & what people want to share,” inProc. of CHI’05. New York, NY, USA: ACM Press, 2005, pp. 81–90.



[18] I. Smith, S. Consolvo, A. LaMarca, J. Hightower, and al.,“Social disclosure of place: From location technology tocommunications practices,” inProc. of Pervasive 2005, ser.LNCS. Springer-Verlag, May 2005.

[19] G. Iachello, I. Smith, S. Consolvo, G. D. Abowd, and al.,“Control, deception, and communication: Evaluating thedeployment of a location-enhanced messaging service,” inProc. of Ubicomp 2005, ser. LNCS. Springer-Verlag,September 2005, pp. 213–231.

[20] M. Langheinrich, “Privacy by design – principles ofprivacy-aware ubiquitous systems,” inProc. of Ubicomp2001, ser. LNCS, G. Abowd, B. Brumitt, and S. Shafer,Eds., vol. 2201. Springer, 2001, pp. 273–291. [Online].Available: http://citeseer.nj.nec.com/491722.html

[21] S. Lederer, J. Mankoff, and A. K. Dey, “Who wantsto know what when? privacy preference determinants inubiquitous computing,” inProc. of CHI ’03. New York,NY, USA: ACM Press, 2003, pp. 724–725.

[22] G. Treu, F. Fuchs, and C. Dargatz, “Implicit authorizationfor accessing location data in a social context,” inTheSecond International Conference on Availability, Reliabil-ity and Security (ARES’07). Los Alamitos, CA, USA:IEEE Computer Society, 2007, pp. 263–272.

[23] “Directive 2002/58/EC on the Processing of Personal Dataand the Protection of Privacy in the Electronic Com-munications Sector,”Official Journal of the EuropeanCommunities of 31 July 2002, no. L 201/37, July 2002.

Georg Treu received his Ph.D. in Computer Science from theLudwig-Maximilians-University Munich in 2007 and his Mas-ter’s degree from the Technical University of Munich in 2004.His research interests include location-based services (LBSs),in particular, proactive multi-target LBSs, and mechanisms forlocation privacy.

Florian Fuchs received his Master’s degree in Computer Sci-ence from the Technical University of Munich in 2005. Heis currently a Ph.D. student at Siemens Corporate Technol-ogy and the Mobile and Distributed Systems Group, Ludwig-Maximilians-University Munich. His research interests includecontext-aware services and, in particular, context modeling andreasoning on context information.

Christiane Dargatz received an M.Sc. in Computational Model-ing from Brunel University West London in 2003 and a Master’sdegree in Mathematics from the University of Hanover in 2005.She is currently a Ph.D. student at the Institute of Statistics,Ludwig-Maximilians-University Munich. Her research focuseson the stochastic analysis of interactions between individuals indiverse fields such as mobile services and epidemiology.



implicit authorization for social location disclosure

Documents