Transcript of a 23-slide deck (uploaded by lee-morrison, posted 26-Dec-2015).

Page 1: Location-Based Services in the Privacy Matrix

Carl A. Gunter - Engineering
Susan Wachter - Business
Polk Wagner – Law
University of Pennsylvania

Page 2: The Privacy Matrix

Figure: the matrix has three dimensions, Collection, Access and Use.

Example: observation of your walk down the street.

Page 3: Points about the Privacy Matrix

Thinking about privacy for LBS will be incomplete without understanding each dimension of the privacy matrix.

Legal or regulatory efforts that fail to account for the complexities of the matrix will be suboptimal.

Complexities inherent in the matrix forecast significant problems in resolving issues.

Understanding LBS in the privacy matrix suggests the role that technology itself plays in privacy.

Page 4: A Technical Study of Privacy for LBS

The privacy matrix argues that privacy is not only access control and confidentiality.

This research: we aim to augment traditional access control ideas with privacy concepts and promote an architecture for deployment.

Formalism: privacy systems

Architecture: Personal Digital Rights Management (PDRM)

Case study: Location Based Services (LBS)

www.cis.upenn.edu/gunter/dist/GunterMS04.pdf

Carl A. Gunter, Michael May, Stuart Stubblebine

Page 5: Related Work

Protection Systems: Graham and Denning, 1972; Lampson, 1974; Harrison, Ruzzo, Ullman, 1976.

Digital Rights Management: Open Digital Rights Language (ODRL); eXtensible Rights Management Language (XrML) [ContentGuard].

Page 6: Related Work, cont.

Privacy Specification Languages: Platform for Privacy Preferences (P3P) [W3C]; A P3P Preference Exchange Language (APPEL) [W3C]; Enterprise Privacy Authorization Language (EPAL) [IBM].

Geographic Privacy: Geopriv workgroup [IETF]; Snekkenes, 2001.

Page 7: Location Based Services

Services based on the location of a principal: maps, activities, emergency response, law enforcement, inventory control, geo-fencing, demographic data collection, and so on.

Technical drivers: cell phones, GPS and telematics, RFID tags, DHCP and 802.11.

Growing field: estimated at $4 billion in the U.S. and $30 billion worldwide by the end of 2004.

Rules for archiving, redistribution, and usage must be addressed at individual and group levels.

Page 8: LBS Scenarios

Subjects: individuals concerned about privacy.

Holders: principals willing and able to collect location information about subjects. Examples: CellTrek, Autorealm, Canada On Line, Spartan Chemicals.

Subscribers: providers of LBS. Examples: Friendsintown.com, Market Models, What’s Here!, Travel Archive.

Page 9: Privacy Fundamentals

Transfer: What is the right of a principal p to transfer an object x to a principal q, where x is about a subject r?

Action: What is the right of a principal p to carry out an action that affects the privacy of a principal q?

Creation: Which principals p are allowed to create objects x whose subject is q?

Right Establishment: How are rights established for a principal p?

Page 10: Fundamentals Illustrated

Figure: Right Establishment, Creation, Action, Transfer.

Page 11: Limitations of Existing Access Control Matrix Solutions

No explicit representation of the idea that an object is private data about a given subject.

Only a limited analysis of the rights that exist between principals (as opposed to the rights between principals and objects).

No explicit representation of the way in which the objects are transferred (distributed) between the principals.

Concept of delegation is too limited.

No explicit representation for the idea that information transfers and actions are collaborations between principals.

No concept of the transfer of an object after a privacy-enforcing transformation.

Page 12: Notation

Assume we are given the following:

Objects x, y, z ∈ O

Principals p, q, r ∈ P

Actions a, b, c ∈ A

Time t

Each object x has a subject subj(x) that the object is “about” and a creation time ct(x) when it was made.

A null object and a null principal (the null principal is a member of P).

Page 13: Privacy System

A privacy system is a tuple with six components: a set of rights; a distinguished null right; T, a publish/subscribe rights function over pairs of objects (T: O × O → rights); U, an action rights relation involving the actions A; V, a creation rights relation involving the objects O; and W, a right establishment relation.
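As an added illustration of the four fundamentals (Page 9), the "transfer after a privacy-enforcing transformation" gap (Page 11) and the privacy-system tuple above, here is a small Python model written for this page; it is not code from the GunterMS04 paper or from AdLoc. Objects carry subj(x) and ct(x), the subject alone establishes rights (W), and creation (V), transfer (T) and action (U) requests are checked against them. The principal names come from the scenario slide; the coordinates, the coarsen transformation, the log format and the exact shape of V, T and U are this example's own assumptions, not the paper's definitions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Optional


@dataclass(frozen=True)
class Obj:
    """An object x in O with subj(x) and ct(x), as in the notation slide."""
    oid: str
    subj: str          # subj(x): the principal the object is about
    ct: datetime       # ct(x): when the object was made
    payload: tuple     # a (lat, lon) fix; an assumption of this example


def coarsen(x: Obj) -> Obj:
    """Privacy-enforcing transformation applied on transfer: round to two
    decimals (roughly 1 km) so the recipient never sees the precise fix."""
    lat, lon = x.payload
    return Obj(x.oid + "/coarse", x.subj, x.ct, (round(lat, 2), round(lon, 2)))


@dataclass
class PrivacySystem:
    """Simplified privacy system. V, T and U are keyed by the subject of the
    data as well as by the principals involved, which a plain access-control
    matrix cannot express."""
    V: set = field(default_factory=set)    # creation rights: (creator, subject)
    T: dict = field(default_factory=dict)  # transfer rights: (holder, recipient, subject) -> transform
    U: set = field(default_factory=set)    # action rights: (actor, target, action)
    log: list = field(default_factory=list)

    # W, right establishment: in this model only the subject of the data
    # establishes rights about it (the PDRM stance), so every grant_* method
    # takes the subject as the grantor.
    def grant_creation(self, subject: str, creator: str) -> None:
        self.V.add((creator, subject))

    def grant_transfer(self, subject: str, holder: str, recipient: str,
                       transform: Optional[Callable[[Obj], Obj]] = None) -> None:
        self.T[(holder, recipient, subject)] = transform

    def grant_action(self, subject: str, actor: str, action: str) -> None:
        self.U.add((actor, subject, action))

    def create(self, p: str, subject: str, payload: tuple, t: datetime) -> Optional[Obj]:
        """Creation: may p create an object whose subject is `subject`?"""
        if (p, subject) not in self.V:
            self.log.append(f"DENY create by {p} about {subject}")
            return None
        x = Obj(f"{subject}@{t:%Y%m%dT%H%M}", subject, t, payload)
        self.log.append(f"ALLOW create {x.oid} by {p}")
        return x

    def transfer(self, p: str, x: Obj, q: str) -> Optional[Obj]:
        """Transfer: may p hand x (about subj(x)) to q? If the right carries a
        transformation, q receives the transformed object, never x itself."""
        key = (p, q, x.subj)
        if key not in self.T:
            self.log.append(f"DENY transfer of {x.oid} from {p} to {q}")
            return None
        f = self.T[key]
        y = f(x) if f is not None else x
        self.log.append(f"ALLOW transfer of {y.oid} from {p} to {q}")
        return y

    def act(self, p: str, q: str, a: str) -> bool:
        """Action: may p carry out action a that affects the privacy of q?"""
        ok = (p, q, a) in self.U
        self.log.append(f"{'ALLOW' if ok else 'DENY'} action {a} by {p} on {q}")
        return ok


def adloc_scenario():
    """Walk through the scenario slide: one subject, one holder, two subscribers."""
    ps = PrivacySystem()
    john, holder = "John Doe", "CellTrek"
    friends, market = "Friendsintown.com", "Market Models"
    ps.grant_creation(john, holder)                     # W establishes V
    ps.grant_transfer(john, holder, friends, coarsen)   # W establishes T
    ps.grant_action(john, friends, "send_ad")           # W establishes U
    fix = ps.create(holder, john, (39.95231, -75.19312), datetime(2004, 5, 20, 19, 28))
    shared = ps.transfer(holder, fix, friends)   # coarsened copy reaches the subscriber
    leaked = ps.transfer(holder, fix, market)    # no transfer right: None
    ad_ok = ps.act(friends, john, "send_ad")
    sell_ok = ps.act(friends, john, "sell_profile")
    return fix, shared, leaked, ad_ok, sell_ok, ps.log


if __name__ == "__main__":
    for line in adloc_scenario()[-1]:
        print(line)
```

The point to notice is that every check consults subj(x), so a holder cannot forward John's fix to a subscriber John never named even though the holder legitimately created it, and the subscriber that does receive it gets only the coarsened object.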

Page 14: Architecture: Personal Digital Rights Management (PDRM)

Turn Digital Rights Management on its head: those who the data is about can manage how it is used.

Users manage permissions on their data through rules and enforcement mechanisms.

Use existing languages and software for DRM.

If DRM can be used to specify that a movie can be watched only a specific number of times, PDRM can be used to specify that personal information can only be used in a certain way a particular number of times.

Page 15: Case Study: AdLoc

AdLoc system allows for permission-based advertising based on geo-location information.

Allows PDA users to discover their geo-location and send it to a central database where it can be accessed only with a digital license.

Architectural elements: GeoLocation Service (GLS), GeoInformation Service (GIS), AdLoc PDA Application, AdLoc Merchant Application.

Page 16: Pieces of the LBS Puzzle and Ties to Formal System

Figure: system components (User Device, Location Server, Content Server, Merchant/Tracking Company, Government) and the formal roles they play (Subject, Holder, Subscribers).

Page 17: Discovering Location

Figure: Subject, Holder, Private Data.

Page 18: Collecting Data

Figure: Subject, Holder, Policy Database, Subscriber.

Page 19: Collecting a License

Figure: Granted Rights, Approval.

Page 20: Action – Sending an Ad

Figure: action as approved by license.

Page 21: Sample license allowing retention, limited redistribution, and sending ads

<?xml version="1.0" encoding="utf-8" ?>
<core:licenseGroup xmlns:core="http://www.xrml.org/schema/2001/11/xrml2core"
    xmlns:cx="http://www.xrml.org/schema/2001/11/xrml2cx"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
    xmlns:sx="http://www.xrml.org/schema/2001/11/xrml2sx"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:priv="http://www.pdrm.org/XrMLPrivacy"
    xmlns:p3p="http://www.w3.org/2002/01/P3Pv1"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xsi:schemaLocation="http://www.xrml.org/schema/2001/11/xrml2cx ../schemas/xrml2cx.xsd">
  <core:license licenseId="http://www.pdrm.org/examples/2003/SendAnyAd">
    <core:inventory>
      <!-- Device with ad -->
      <priv:mobile licensePartId="mobiledevice">
        <priv:locator>
          <priv:id>[email protected]</priv:id>
        </priv:locator>
      </priv:mobile>
    </core:inventory>
    <core:grantGroup>
      <!-- The company that is tracking us' specific key. -->
      <core:keyHolder>
        <core:info>
          <dsig:KeyValue>
            <dsig:RSAKeyValue>
              <dsig:Modulus>...</dsig:Modulus>
              <dsig:Exponent>...</dsig:Exponent>
            </dsig:RSAKeyValue>
          </dsig:KeyValue>
        </core:info>
      </core:keyHolder>
      <sx:x509SubjectName>CN=The Mobile Ad Company</sx:x509SubjectName>
      <!-- The person allowing the company to track him/her -->
      <core:issuer>
        <sx:commonName>John Doe</sx:commonName>
      </core:issuer>
      <!-- The period for which the company may track the user. -->
      <core:validityInterval licensePartId="trackingPeriod">
        <core:notBefore>2004-05-20T19:28:00</core:notBefore>
        <core:notAfter>2004-07-29T19:28:00</core:notAfter>
      </core:validityInterval>
      <!-- Grants Company the right to track the user through the permission period. -->
      <core:grant>
        <priv:PrivacyPolicy>
          <!-- Disclosure -->
          <p3p:ACCESS>
            <p3p:all/>
          </p3p:ACCESS>
          <!-- Disputes -->
          <p3p:DISPUTES-GROUP>
            <p3p:DISPUTES resolution-type="service"
                short-description="Customer service will remedy your complaints.">
              <p3p:REMEDIES>
                <p3p:correct/>
              </p3p:REMEDIES>
            </p3p:DISPUTES>
          </p3p:DISPUTES-GROUP>
          <p3p:STATEMENT>
            <p3p:CONSEQUENCE>
              We collect your location information for development purposes
              and for tracking your individual movement habits.
            </p3p:CONSEQUENCE>
            <!-- Why we use it -->
            <p3p:PURPOSE>
              <p3p:develop/>
              <p3p:individual-analysis/>
              <p3p:individual-decision/>
              <p3p:current/>
            </p3p:PURPOSE>
            <!-- Who else can get this data -->
            <p3p:RECIPIENT>
              <p3p:ours/>
            </p3p:RECIPIENT>
            <!-- How long do we hold onto the data for -->
            <p3p:RETENTION>
              <p3p:legal-requirement/>
            </p3p:RETENTION>
          </p3p:STATEMENT>
        </priv:PrivacyPolicy>
        <!-- The mobile device from the inventory -->
        <priv:mobile licensePartIdRef="mobiledevice"/>
        <!-- The rights that we are giving -->
        <priv:sendanyad/>
      </core:grant>
    </core:grantGroup>
  </core:license>
</core:licenseGroup>
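To show what the holder's policy-enforcement point (the "Action as approved by license" step on Page 20) actually does with such a license, here is an added Python checker; it is an editor's example, not AdLoc or PDRM code. It parses the XrML/P3P document with namespace-aware ElementTree, resolves the licensePartIdRef to the device in the inventory, and authorises a request only for the named key holder, only inside the validity interval, only for a right element present in the grant, and only for a recipient class the P3P STATEMENT lists. The embedded license is a constructed, trimmed copy of the slide's sample (RSA key material, ACCESS, DISPUTES and CONSEQUENCE left out; the locator id is kept exactly as the transcript renders it); parse_license, authorize and their parameters are this example's own. Note that closing tags must carry the core: prefix: a mismatched close such as </notBefore> makes expat reject the whole document rather than skip the element.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "core": "http://www.xrml.org/schema/2001/11/xrml2core",
    "sx": "http://www.xrml.org/schema/2001/11/xrml2sx",
    "priv": "http://www.pdrm.org/XrMLPrivacy",
    "p3p": "http://www.w3.org/2002/01/P3Pv1",
}

# Constructed, trimmed copy of the slide's sample license (key material,
# ACCESS, DISPUTES and CONSEQUENCE omitted).
LICENSE = """<core:licenseGroup
    xmlns:core="http://www.xrml.org/schema/2001/11/xrml2core"
    xmlns:sx="http://www.xrml.org/schema/2001/11/xrml2sx"
    xmlns:priv="http://www.pdrm.org/XrMLPrivacy"
    xmlns:p3p="http://www.w3.org/2002/01/P3Pv1">
  <core:license licenseId="http://www.pdrm.org/examples/2003/SendAnyAd">
    <core:inventory>
      <priv:mobile licensePartId="mobiledevice">
        <priv:locator><priv:id>[email protected]</priv:id></priv:locator>
      </priv:mobile>
    </core:inventory>
    <core:grantGroup>
      <sx:x509SubjectName>CN=The Mobile Ad Company</sx:x509SubjectName>
      <core:issuer><sx:commonName>John Doe</sx:commonName></core:issuer>
      <core:validityInterval licensePartId="trackingPeriod">
        <core:notBefore>2004-05-20T19:28:00</core:notBefore>
        <core:notAfter>2004-07-29T19:28:00</core:notAfter>
      </core:validityInterval>
      <core:grant>
        <priv:PrivacyPolicy>
          <p3p:STATEMENT>
            <p3p:PURPOSE><p3p:develop/><p3p:individual-analysis/>
              <p3p:individual-decision/><p3p:current/></p3p:PURPOSE>
            <p3p:RECIPIENT><p3p:ours/></p3p:RECIPIENT>
            <p3p:RETENTION><p3p:legal-requirement/></p3p:RETENTION>
          </p3p:STATEMENT>
        </priv:PrivacyPolicy>
        <priv:mobile licensePartIdRef="mobiledevice"/>
        <priv:sendanyad/>
      </core:grant>
    </core:grantGroup>
  </core:license>
</core:licenseGroup>"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_license(xml_text: str) -> dict:
    """Extract the parties, the validity window and each grant's device,
    rights and P3P terms. A missing element raises, so a malformed license
    can never be read as permissive."""
    lic = ET.fromstring(xml_text).find("core:license", NS)
    inventory = {m.get("licensePartId"): m for m in lic.find("core:inventory", NS)}
    gg = lic.find("core:grantGroup", NS)
    vi = gg.find("core:validityInterval", NS)
    grants = []
    for g in gg.findall("core:grant", NS):
        stmt = g.find("priv:PrivacyPolicy/p3p:STATEMENT", NS)
        ref = g.find("priv:mobile", NS).get("licensePartIdRef")
        grants.append({
            "device": inventory[ref].findtext("priv:locator/priv:id", namespaces=NS),
            # rights are the priv:* children of the grant other than the policy and the device
            "rights": [_local(c.tag) for c in g
                       if c.tag.startswith("{%s}" % NS["priv"])
                       and _local(c.tag) not in ("PrivacyPolicy", "mobile")],
            "purposes": [_local(c.tag) for c in stmt.find("p3p:PURPOSE", NS)],
            "recipients": [_local(c.tag) for c in stmt.find("p3p:RECIPIENT", NS)],
            "retention": [_local(c.tag) for c in stmt.find("p3p:RETENTION", NS)],
        })
    return {
        "license_id": lic.get("licenseId"),
        "grantee": gg.findtext("sx:x509SubjectName", namespaces=NS),
        "issuer": gg.findtext("core:issuer/sx:commonName", namespaces=NS),
        "not_before": datetime.fromisoformat(vi.findtext("core:notBefore", namespaces=NS)),
        "not_after": datetime.fromisoformat(vi.findtext("core:notAfter", namespaces=NS)),
        "grants": grants,
    }


def authorize(info: dict, requester: str, device: str, right: str,
              at: datetime, recipient: str = "ours") -> tuple:
    """Holder-side decision for a subscriber's request. Fails closed: every
    condition must match a grant, otherwise the request is refused."""
    if requester != info["grantee"]:
        return False, "requester is not the licensed key holder"
    if not info["not_before"] <= at <= info["not_after"]:
        return False, "outside validity interval"
    for g in info["grants"]:
        if g["device"] == device and right in g["rights"] and recipient in g["recipients"]:
            return True, "granted by " + info["license_id"]
    return False, "no grant covers this device, right and recipient"
```

Two caveats a deployment would have to add. First, the slide's sample carries a keyHolder but no dsig:Signature, so nothing in the document itself binds the issuer John Doe to these terms; a holder must verify the subject's signature over the license before honouring it, or the "personal" in PDRM is purely nominal. Second, the P3P RETENTION value (legal-requirement) is a promise about the holder's own behaviour, not something this checker can enforce; it only refuses redistribution requests whose recipient class is absent from RECIPIENT.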

Page 22: References

XrML: http://www.xrml.org

P3P: http://www.w3.org/P3P/

EPAL: http://www.zurich.ibm.com/security/enterprise-privacy/epal/

GeoPriv: http://www.ietf.org/html.charters/geopriv-charter.html

Page 23: Conclusions

The privacy matrix provides a useful framework for discussing privacy in general and LBS in particular.

Privacy systems provide an analog of access control matrices with an emphasis on privacy rights.

PDRM provides an architectural strategy for privacy negotiations.

Location Based Services raise interesting privacy challenges that can be addressed with privacy systems and PDRM.