Location-Based Services in the Privacy Matrix
Carl A. Gunter - Engineering
Susan Wachter - Business
Polk Wagner - Law
University of Pennsylvania
The Privacy Matrix
Dimensions of the matrix: Access, Use, Collection.
Example: observation of your walk down the street.
Points about the Privacy Matrix
Thinking about privacy for LBS will be incomplete without understanding each dimension of the privacy matrix.
Legal or regulatory efforts that fail to account for the complexities of the matrix will be suboptimal.
Complexities inherent in the matrix forecast significant problems in resolving issues.
Understanding LBS in the privacy matrix suggests the role that technology itself plays in privacy.
A Technical Study of Privacy for LBS
The privacy matrix argues that privacy is not only access control and confidentiality.
This research: we aim to augment traditional access control ideas with privacy concepts and promote an architecture for deployment.
Formalism: privacy systems
Architecture: Personal Digital Rights Management (PDRM)
Case study: Location Based Services (LBS)
www.cis.upenn.edu/gunter/dist/GunterMS04.pdf
Carl A. Gunter, Michael May, Stuart Stubblebine
Related Work
Protection Systems
Graham and Denning, 1972
Lampson, 1974
Harrison, Ruzzo, Ullman, 1976
Digital Rights Management
Open Digital Rights Language (ODRL)
eXtensible rights Markup Language (XrML) [ContentGuard]
Related Work, cont.
Privacy Specification Languages
Platform for Privacy Preferences (P3P) [W3C]
A P3P Preference Exchange Language (APPEL) [W3C]
Enterprise Privacy Authorization Language (EPAL) [IBM]
Geographic Privacy
Geopriv working group [IETF]
Snekkenes, 2001
Location Based Services
Services based on the location of a principal: maps, activities, emergency response, law enforcement, inventory control, geo-fencing, demographic data collection, and so on.
Technical drivers: cell phones, GPS and telematics, RFID tags, DHCP and 802.11.
Growing field: estimated at $4 billion in the U.S. and $30 billion worldwide by the end of 2004.
Rules for archiving, redistribution, and usage must be addressed at individual and group levels.
LBS Scenarios
Subjects: individuals concerned about privacy.
Holders: principals willing and able to collect location information about subjects. Scenario examples: CellTrek, Autorealm, Canada On Line, Spartan Chemicals.
Subscribers: providers of LBS. Scenario examples: Friendsintown.com, Market Models, What's Here!, Travel Archive.
Privacy Fundamentals
Transfer: What is the right of a principal p to transfer an object x to a principal q, where x is about a subject r?
Action: What is the right of a principal p to carry out an action that affects the privacy of a principal q?
Creation: Which principals p are allowed to create objects x whose subject is q?
Right Establishment: How are rights established for a principal p?
Fundamentals Illustrated
[Figure: the four fundamentals in sequence: Right Establishment, Creation, Action, Transfer]
Limitations of Existing Access Control Matrix Solutions
No explicit representation of the idea that an object is private data about a given subject.
Only a limited analysis of the rights that exist between principals (as opposed to the rights between principals and objects).
No explicit representation of the way in which the objects are transferred (distributed) between the principals.
Concept of delegation is too limited.
No explicit representation for the idea that information transfers and actions are collaborations between principals.
No concept of the transfer of an object after a privacy-enforcing transformation.
Notation
Assume we are given the following:
Objects x, y, z drawn from a set O
Principals p, q, r drawn from a set P
Actions a, b, c drawn from a set A
Time t
Each object x has a subject subj(x) that the object is "about" and a creation time ct(x) when it was made.
A null object, and a null principal that is a member of P.
Privacy System
A privacy system is a tuple whose components are a set of rights with a distinguished null right, together with T, U, V, W, where:
T (defined on objects in O) is a publish/subscribe rights function
U (over actions in A) is an action rights relation
V (over objects in O) is a creation rights relation
W is a right establishment relation
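The four questions from Privacy Fundamentals and the T, U, V, W components of a privacy system can be made concrete in code. What follows is an added example, not code from the paper or the slides: the Python signatures, the coordinate-coarsening transform, the rule that only the subject of the data (and only for grantees it has a W relationship with) may establish rights, and the reuse of the scenario names CellTrek, Friendsintown.com and Market Models are all assumptions for illustration.

```python
"""Toy privacy system modelling the four fundamentals: transfer (T),
action (U), creation (V) and right establishment (W).  Added example;
the signatures below are illustrative assumptions, not the paper's
formal definitions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Obj:
    """An object x: private data about subj(x), created at time ct(x)."""
    name: str
    subj: str                   # subj(x): the principal the data is about
    ct: int                     # ct(x): creation time
    data: Tuple[float, float]   # assumed payload: (latitude, longitude)


Transform = Callable[[Obj], Obj]


def coarsen(x: Obj, digits: int = 1) -> Obj:
    """Privacy-enforcing transformation applied before a transfer:
    round the coordinates so the recipient learns only a coarse position."""
    lat, lon = x.data
    return Obj(x.name + "~", x.subj, x.ct, (round(lat, digits), round(lon, digits)))


def identity(x: Obj) -> Obj:
    return x


@dataclass
class PrivacySystem:
    # T: (holder p, recipient q, subject r) -> transform applied on release.
    # A missing entry is the null right: p may hand q nothing about r.
    transfer: Dict[Tuple[str, str, str], Transform] = field(default_factory=dict)
    # U: (p, q, a) -- p may perform action a that affects q's privacy.
    actions: Set[Tuple[str, str, str]] = field(default_factory=set)
    # V: (p, r) -- p may create objects whose subject is r.
    creation: Set[Tuple[str, str]] = field(default_factory=set)
    # W: (granter, grantee) -- granter may establish rights for grantee.
    establishment: Set[Tuple[str, str]] = field(default_factory=set)

    def create(self, p: str, name: str, r: str, t: int, data) -> Optional[Obj]:
        """Creation: the new object, or None (the null object) if p lacks V."""
        if (p, r) not in self.creation:
            return None
        return Obj(name, r, t, data)

    def T(self, p: str, q: str, x: Obj) -> Optional[Obj]:
        """Transfer: what q receives when p releases x, or None if nothing."""
        f = self.transfer.get((p, q, x.subj))
        return None if f is None else f(x)

    def can_act(self, p: str, q: str, a: str) -> bool:
        """Action: may p perform a against q?"""
        return (p, q, a) in self.actions

    def _may_establish(self, granter: str, grantee: str, subject: str) -> bool:
        # PDRM reading (assumption): only the subject of the data, and only
        # for grantees it has a W relationship with, may establish rights.
        return granter == subject and (granter, grantee) in self.establishment

    def establish_transfer(self, granter, holder, recipient, subject, f) -> bool:
        if not self._may_establish(granter, holder, subject):
            return False
        self.transfer[(holder, recipient, subject)] = f
        return True

    def establish_action(self, granter, actor, target, action) -> bool:
        if not self._may_establish(granter, actor, target):
            return False
        self.actions.add((actor, target, action))
        return True


def run_scenario() -> dict:
    """john lets CellTrek release a coarsened location to Friendsintown.com
    and lets Friendsintown.com send him ads; Market Models gets nothing."""
    ps = PrivacySystem(
        creation={("CellTrek", "john")},
        establishment={("john", "CellTrek"), ("john", "Friendsintown.com")},
    )
    john_ok = ps.establish_transfer("john", "CellTrek", "Friendsintown.com", "john", coarsen)
    # A subscriber cannot grant itself access to data about john.
    self_grant = ps.establish_transfer("Market Models", "CellTrek", "Market Models", "john", identity)
    ad_ok = ps.establish_action("john", "Friendsintown.com", "john", "send_ad")

    x = ps.create("CellTrek", "loc42", "john", 1084994880, (39.9522, -75.1932))
    bad = ps.create("Market Models", "loc43", "john", 1084994881, (39.9522, -75.1932))
    return {
        "rights_established": john_ok and ad_ok,
        "self_grant_blocked": not self_grant,
        "created": x is not None,
        "unauthorized_create_blocked": bad is None,
        "to_friends": None if x is None else ps.T("CellTrek", "Friendsintown.com", x).data,
        "to_market": None if x is None else ps.T("CellTrek", "Market Models", x),
        "friends_can_send_ad": ps.can_act("Friendsintown.com", "john", "send_ad"),
        "market_can_send_ad": ps.can_act("Market Models", "john", "send_ad"),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The point the access-control-matrix critique makes shows up directly: the transfer right is between two principals about a third (the subject), it can return a transformed object rather than all-or-nothing, and right establishment is a first-class operation rather than an out-of-band administrative step.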
Architecture: Personal Digital Rights Management (PDRM)
Turn Digital Rights Management on its head: those who the data is about can manage how it is used.
Users manage permissions on their data through rules and enforcement mechanisms.
Use existing languages and software for DRM.
If DRM can be used to specify that a movie can be watched only a specific number of times, PDRM can be used to specify that personal information can only be used in a certain way a particular number of times.
Case Study: AdLoc
The AdLoc system allows for permission-based advertising based on geo-location information.
Allows PDA users to discover their geo-location and send it to a central database where it can be accessed only with a digital license.
Architectural elements:
GeoLocation Service (GLS)
GeoInformation Service (GIS)
AdLoc PDA Application
AdLoc Merchant Application
Pieces of the LBS Puzzle and Ties to Formal System
[Figure: User Device (Subject); Location Server (Holder); Content Server, Merchant/Tracking Company, Government (Subscribers)]
Discovering Location
[Figure: Subject, Holder, Private Data]
Collecting Data
[Figure: Subject, Holder, Policy Database, Subscriber]
Collecting a License
[Figure: Granted Rights, Approval]
Action – Sending an Ad
[Figure: Action as approved by license]
Sample license allowing retention, limited redistribution, and sending ads

<?xml version="1.0" encoding="utf-8" ?>
<core:licenseGroup xmlns:core="http://www.xrml.org/schema/2001/11/xrml2core"
    xmlns:cx="http://www.xrml.org/schema/2001/11/xrml2cx"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
    xmlns:sx="http://www.xrml.org/schema/2001/11/xrml2sx"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:priv="http://www.pdrm.org/XrMLPrivacy"
    xmlns:p3p="http://www.w3.org/2002/01/P3Pv1"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xsi:schemaLocation="http://www.xrml.org/schema/2001/11/xrml2cx ../schemas/xrml2cx.xsd">
  <core:license licenseId="http://www.pdrm.org/examples/2003/SendAnyAd">
    <core:inventory>
      <!-- Device with ad -->
      <priv:mobile licensePartId="mobiledevice">
        <priv:locator>
          <priv:id>[email protected]</priv:id>
        </priv:locator>
      </priv:mobile>
    </core:inventory>
    <core:grantGroup>
      <!-- The specific key of the company that is tracking us. -->
      <core:keyHolder>
        <core:info>
          <dsig:KeyValue>
            <dsig:RSAKeyValue>
              <dsig:Modulus>...</dsig:Modulus>
              <dsig:Exponent>...</dsig:Exponent>
            </dsig:RSAKeyValue>
          </dsig:KeyValue>
        </core:info>
      </core:keyHolder>
      <sx:x509SubjectName>CN=The Mobile Ad Company</sx:x509SubjectName>
      <!-- The person allowing the company to track him/her -->
      <core:issuer>
        <sx:commonName>John Doe</sx:commonName>
      </core:issuer>
      <!-- The period for which the company may track the user. -->
      <core:validityInterval licensePartId="trackingPeriod">
        <core:notBefore>2004-05-20T19:28:00</core:notBefore>
        <core:notAfter>2004-07-29T19:28:00</core:notAfter>
      </core:validityInterval>
      <!-- Grants the company the right to track the user through the permission period. -->
      <core:grant>
        <priv:PrivacyPolicy>
          <!-- Disclosure -->
          <p3p:ACCESS>
            <p3p:all/>
          </p3p:ACCESS>
          <!-- Disputes -->
          <p3p:DISPUTES-GROUP>
            <p3p:DISPUTES resolution-type="service"
                short-description="Customer service will remedy your complaints.">
              <p3p:REMEDIES>
                <p3p:correct/>
              </p3p:REMEDIES>
            </p3p:DISPUTES>
          </p3p:DISPUTES-GROUP>
          <p3p:STATEMENT>
            <p3p:CONSEQUENCE>
              We collect your location information for development purposes
              and for tracking your individual movement habits.
            </p3p:CONSEQUENCE>
            <!-- Why we use it -->
            <p3p:PURPOSE>
              <p3p:develop/>
              <p3p:individual-analysis/>
              <p3p:individual-decision/>
              <p3p:current/>
            </p3p:PURPOSE>
            <!-- Who else can get this data -->
            <p3p:RECIPIENT>
              <p3p:ours/>
            </p3p:RECIPIENT>
            <!-- How long we hold onto the data -->
            <p3p:RETENTION>
              <p3p:legal-requirement/>
            </p3p:RETENTION>
          </p3p:STATEMENT>
        </priv:PrivacyPolicy>
        <!-- The mobile device from the inventory -->
        <priv:mobile licensePartIdRef="mobiledevice"/>
        <!-- The rights that we are giving -->
        <priv:sendanyad/>
      </core:grant>
    </core:grantGroup>
  </core:license>
</core:licenseGroup>
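To show how a holder would actually enforce a license of this shape, here is an added example that is not part of AdLoc or the slides: it parses a trimmed copy of the license with Python's standard xml.etree, resolves the grant's device reference through the inventory, reads the P3P recipient and retention terms, and decides a request to exercise a right at a given time. The device id pda-0042@example.net, the trimmed policy, and the authorize() and check() interfaces are constructed for this example. Matching the licensee by x509SubjectName alone is a simplification; a real enforcement point verifies the RSA key in core:keyHolder and the signature over the license.

```python
"""Added example: parse an XrML/P3P license of the shape shown above and
decide whether a requested right is granted.  The sample license, device
id and authorize()/check() interfaces are constructed for illustration."""
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Tuple

NS = {
    "core": "http://www.xrml.org/schema/2001/11/xrml2core",
    "sx": "http://www.xrml.org/schema/2001/11/xrml2sx",
    "dsig": "http://www.w3.org/2000/09/xmldsig#",
    "priv": "http://www.pdrm.org/XrMLPrivacy",
    "p3p": "http://www.w3.org/2002/01/P3Pv1",
}

# Trimmed copy of the slide's license; the device id is a constructed value.
LICENSE_XML = """
<core:licenseGroup xmlns:core="http://www.xrml.org/schema/2001/11/xrml2core"
    xmlns:sx="http://www.xrml.org/schema/2001/11/xrml2sx"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
    xmlns:priv="http://www.pdrm.org/XrMLPrivacy"
    xmlns:p3p="http://www.w3.org/2002/01/P3Pv1">
  <core:license licenseId="http://www.pdrm.org/examples/2003/SendAnyAd">
    <core:inventory>
      <priv:mobile licensePartId="mobiledevice">
        <priv:locator><priv:id>pda-0042@example.net</priv:id></priv:locator>
      </priv:mobile>
    </core:inventory>
    <core:grantGroup>
      <core:keyHolder><core:info><dsig:KeyValue><dsig:RSAKeyValue>
        <dsig:Modulus>...</dsig:Modulus><dsig:Exponent>...</dsig:Exponent>
      </dsig:RSAKeyValue></dsig:KeyValue></core:info></core:keyHolder>
      <sx:x509SubjectName>CN=The Mobile Ad Company</sx:x509SubjectName>
      <core:issuer><sx:commonName>John Doe</sx:commonName></core:issuer>
      <core:validityInterval licensePartId="trackingPeriod">
        <core:notBefore>2004-05-20T19:28:00</core:notBefore>
        <core:notAfter>2004-07-29T19:28:00</core:notAfter>
      </core:validityInterval>
      <core:grant>
        <priv:PrivacyPolicy><p3p:STATEMENT>
          <p3p:RECIPIENT><p3p:ours/></p3p:RECIPIENT>
          <p3p:RETENTION><p3p:legal-requirement/></p3p:RETENTION>
        </p3p:STATEMENT></priv:PrivacyPolicy>
        <priv:mobile licensePartIdRef="mobiledevice"/>
        <priv:sendanyad/>
      </core:grant>
    </core:grantGroup>
  </core:license>
</core:licenseGroup>
"""


def _local(tag: str) -> str:
    """Strip the {namespace} part of an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def parse_license(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    lic = root.find("core:license", NS)
    gg = lic.find("core:grantGroup", NS)
    # Inventory: licensePartId -> device identifier, used to resolve grant references.
    devices = {
        m.get("licensePartId"): m.findtext("priv:locator/priv:id", namespaces=NS)
        for m in lic.findall("core:inventory/priv:mobile", NS)
    }
    info = {
        "license_id": lic.get("licenseId"),
        "issuer": gg.findtext("core:issuer/sx:commonName", namespaces=NS),
        "licensee": gg.findtext("sx:x509SubjectName", namespaces=NS),
        "not_before": datetime.fromisoformat(
            gg.findtext("core:validityInterval/core:notBefore", namespaces=NS)),
        "not_after": datetime.fromisoformat(
            gg.findtext("core:validityInterval/core:notAfter", namespaces=NS)),
        "grants": [],
    }
    priv_prefix = "{%s}" % NS["priv"]
    for g in gg.findall("core:grant", NS):
        grant = {"rights": set(), "devices": set(), "recipients": [], "retention": []}
        for child in g:
            if child.tag == priv_prefix + "mobile":
                grant["devices"].add(devices.get(child.get("licensePartIdRef")))
            elif child.tag == priv_prefix + "PrivacyPolicy":
                grant["recipients"] = [_local(e.tag) for e in child.iterfind(".//p3p:RECIPIENT/*", NS)]
                grant["retention"] = [_local(e.tag) for e in child.iterfind(".//p3p:RETENTION/*", NS)]
            elif child.tag.startswith(priv_prefix):
                grant["rights"].add(_local(child.tag))   # e.g. "sendanyad"
        info["grants"].append(grant)
    return info


def authorize(lic: dict, licensee: str, device_id: str, right: str, when: datetime) -> Tuple[bool, str]:
    """Holder-side decision: may `licensee` exercise `right` on `device_id` at `when`?
    Name matching alone is a simplification; real enforcement verifies the RSA key
    in core:keyHolder and the signature over the license."""
    if licensee != lic["licensee"]:
        return False, "requester is not the licensed key holder"
    if not lic["not_before"] <= when <= lic["not_after"]:
        return False, "outside the licensed tracking period"
    for g in lic["grants"]:
        if right in g["rights"] and device_id in g["devices"]:
            return True, "granted by " + lic["license_id"]
    return False, "no grant covers this right for this device"


def check(licensee: str, device_id: str, right: str, iso_when: str) -> bool:
    """Convenience wrapper over the embedded sample license."""
    return authorize(parse_license(LICENSE_XML), licensee, device_id, right,
                     datetime.fromisoformat(iso_when))[0]


if __name__ == "__main__":
    print(check("CN=The Mobile Ad Company", "pda-0042@example.net", "sendanyad", "2004-06-15T12:00:00"))
    print(check("CN=The Mobile Ad Company", "pda-0042@example.net", "sendanyad", "2004-08-01T00:00:00"))
```

Note that the P3P STATEMENT rides inside the grant as declared policy rather than as something the parser can enforce: the holder can deny a request for a right the grant does not list (redistribution here, since only sendanyad is granted), but honouring the RETENTION and RECIPIENT terms depends on the holder's own data-handling discipline, which is exactly the gap between access control and privacy that the privacy matrix points at.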
References
XrML: http://www.xrml.org
P3P: http://www.w3.org/P3P/
EPAL: http://www.zurich.ibm.com/security/enterprise-privacy/epal/
GeoPriv: http://www.ietf.org/html.charters/geopriv-charter.html
Conclusions
The privacy matrix provides a useful framework for discussing privacy in general and LBS in particular.
Privacy systems provide an analog of access control matrices with an emphasis on privacy rights.
PDRM provides an architectural strategy for privacy negotiations.
Location Based Services raise interesting privacy challenges that can be addressed with privacy systems and PDRM.