
Privacy by Design – Principles of Privacy- Aware Ubiquitous Systems Marc Langheinrich - Swiss Federal Institute of Technology, Zurich Whitney Hess

Upload: hester-stanley

Post on 05-Jan-2016


TRANSCRIPT

Page 1: Privacy by Design – Principles of Privacy-Aware Ubiquitous Systems

Marc Langheinrich - Swiss Federal Institute of Technology, Zurich

Whitney Hess

Page 2:

What we already know

Privacy is a matter of opinion

It has always been a hot button issue

ex: Who did you vote for?

ex: Are you a virgin?

Some people are willing to share, others aren’t

Page 3:

Technology = Privacy

This is nothing new:

• Photography exposes people without their permission

• Telephones allow for wiretapping

• Electronic data in central storages gives people easy access (Nazis finding Jews during WWII)

• Credit cards, Internet

Page 4:

Influential Legislation

US Privacy Act of 1974 - “fair information practices”

• Openness and transparency - honest

• Individual participation - verifiable

• Collection limitation - frugal

• Data quality - relevant

• Use limitation - purposeful

• Reasonable security - secure

• Accountability - accountable

Page 5:

Influential Legislation

EU Directive 95/46/EC of 1995

• Data only shared with non-EU countries if they have ample privacy protection

• Subject of data must give consent to share it

Page 6:

Privacy limits technology

Computer scientists don’t like privacy because it diminishes what technology is capable of achieving

“Should I be knocked unconscious in a road traffic accident in New York – please let the ambulance have my medical record.”

Page 7:

Key questions

• Is it feasible to enforce privacy laws?

• Convenient tech outweighs loss of privacy?

• What’s good for community outweighs good for individual?

• We have equal access – eye for an eye?

Page 8:

Social Implications

We’ve been over this…

Live among computers

Never know what they’re doing

Constantly being watched/judged

Help us remember/manage more info

Page 9:

Development Principles

• Notice - let user know what’s going on

• Choice & consent - let user turn off detection

• Anonymity & pseudonymity - let user be detected without revealing identity

• Proximity & locality - let user’s and device’s location implicitly indicate the appropriateness of detection and dissemination

• Adequate security - encrypt transferred data as appropriate

• Access & recourse - follow privacy regulations

Page 10:

How are these achieved?

• How do we inform a user of system’s presence?

• How will users tell system to stop looking at them?

• How will users tell system that they want to be watched but not revealed?

• How will systems understand “appropriateness” based on location of user and device?

• How do we decide what data should be encrypted and what doesn’t need to be?

• How do we inform user that we are taking privacy precautions? Are these precautions sufficient?
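As an added illustration of the Development Principles slide and the questions above (example code written here, not from the slides or from Langheinrich’s paper), a small Python sketch of a sensing collector that answers four of those questions in code: notice via an announcement, choice & consent via an opt-out list, pseudonymity via a keyed hash that rotates per epoch, and proximity & locality via a dissemination gate. All class and field names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Observation:
    """One sensor reading: who was seen (a pseudonym, never the raw id), where, and what."""
    subject: str
    zone: str
    data: str


@dataclass
class PrivacyAwareCollector:
    """Hypothetical collector applying notice, consent, pseudonymity and locality."""
    secret: bytes                                # pseudonym key; never leaves the collector
    opted_out: set = field(default_factory=set)  # choice & consent: ids that asked not to be sensed
    notices: list = field(default_factory=list)  # notice: announcements made in each zone

    def announce(self, zone: str) -> str:
        # Notice: say what is sensed and how to opt out before any collection happens.
        msg = f"{zone}: presence sensing active; opt out by registering your device id"
        self.notices.append(msg)
        return msg

    def opt_out(self, device_id: str) -> None:
        self.opted_out.add(device_id)            # consent: honour "stop looking at me"

    def pseudonym(self, device_id: str, epoch: int) -> str:
        # Pseudonymity: a keyed hash lets the collector recognise the same device within
        # one epoch without storing its identity; a new epoch breaks linkability.
        mac = hmac.new(self.secret, f"{epoch}:{device_id}".encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def collect(self, device_id: str, zone: str, data: str, epoch: int):
        if device_id in self.opted_out:
            return None                          # consent withheld: record nothing at all
        return Observation(self.pseudonym(device_id, epoch), zone, data)

    def disseminate(self, record: Observation, requester_zone: str):
        # Proximity & locality: a reading is released only to a party in the zone it came from.
        if requester_zone != record.zone:
            return None
        return record


# Constructed sample run (not data from the slides).
collector = PrivacyAwareCollector(secret=b"constructed-demo-key")
collector.announce("room-101")
collector.opt_out("phone-bob")
rec = collector.collect("phone-alice", "room-101", "entered", epoch=1)
```

Adequate security (encrypting the data in transit) and access & recourse are left out of the sketch; they sit in the transport layer and in organisational process rather than in this gate.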