Privacy in Pervasive Computing, USI Informatics (slide transcript)
![Page 1: Privacy in Pervasive Computing - USI Informatics · Informational Self ‐ Determination “InformationelleSelbstbestimmung“ y “The problem is the possibility of technology taking](https://reader033.vdocuments.mx/reader033/viewer/2022060609/606060fa6bb4f35cf00945c4/html5/thumbnails/1.jpg)
PRIVACY IN PERVASIVE COMPUTING
Marc Langheinrich
University of Lugano (USI), Switzerland

Approaches to Ubicomp Privacy
Disappearing Computer Troubadour Project (10/2002 - 05/2003)
Promote absence of protection as user empowerment: "It's maybe about letting them find their own ways of cheating"
Make it someone else's problem: "For [my colleague] it is more appropriate to think about [security and privacy] issues. It's not really the case in my case"
Insist that "good security" will fix it: "All you need is really good firewalls"
Conclude it is incompatible with ubiquitous computing: "I think you can't think of privacy... it's impossible, because if I do it, I have troubles with finding [a] Ubicomp future"
Marc Langheinrich: The DC-Privacy Troubadour – Assessing Privacy Implications of DC-Projects. Designing for Privacy Workshop, DC Tales Conference, Santorini, Greece, June 2003.

Today's Menu
Understanding Privacy: Definitions
1. Public policy
2. Laws and regulations
3. Interpersonal aspects
Technical Approaches: Challenges
1. Location privacy
2. RFID privacy
3. Smart environments

UNDERSTANDING PRIVACY

What Is Privacy?
"The right to be let alone." Warren and Brandeis, 1890 (Harvard Law Review)
"Numerous mechanical devices threaten to make good the prediction that 'what is whispered in the closet shall be proclaimed from the housetops'" Louis D. Brandeis, 1856-1941

Technological Revolution, 1888

Information Privacy
"The desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitude and their behavior to others."
Alan F. Westin, 1967: Privacy and Freedom, Atheneum

1. PRIVACY AS PUBLIC POLICY

Why Privacy?
"A free and democratic society requires respect for the autonomy of individuals, and limits on the power of both state and private organizations to intrude on that autonomy... privacy is a key value which underpins human dignity and other key values such as freedom of association and freedom of speech..." Preamble to the Australian Privacy Charter, 1994
"All this secrecy is making life harder, more expensive, dangerous and less serendipitous" Peter Cochrane, former Head of BT Research
"You have no privacy anyway, get over it" Scott McNealy, CEO Sun Microsystems, 1995

The NTHNTF Argument
"If you've got nothing to hide, you've got nothing to fear" UK Gov't campaign slogan for CCTV (1994)
Assumption: privacy is (mostly) about hiding (evil/bad/unethical) secrets
Implications: privacy protects wrongdoers (terrorists, child molesters, ...)
No danger for law-abiding citizens
Society overall better off without it!

Informational Self-Determination ("Informationelle Selbstbestimmung")
"Whoever cannot with sufficient certainty know what personal information about him is known in certain parts of his social environment . . . can be seriously inhibited in his freedom of self-determined planning and deciding. A society in which the individual citizen would not be able to find out who knows what when about them would not be reconcilable with the right of self-determination over personal data. Those who are unsure whether differing attitudes and actions are ubiquitously noted and permanently stored, processed, or distributed will try not to stand out with their behavior. . . . This would not only limit the chances for individual development, but also affect public welfare, since self-determination is an essential requirement for a democratic society that is built on the participatory powers of its citizens."
German Federal Constitutional Court (Census Decision, 1983)

Informational Self-Determination ("Informationelle Selbstbestimmung")
"The problem is the possibility of technology taking on a life of its own, so that the actuality and inevitability of technology creates a dictatorship. Not a dictatorship of people over people with the help of technology, but a dictatorship of technology over people."
Ernst Benda (1983), born 1925, Chief Justice of the Federal Constitutional Court 1971-1983

Issue: Profiles
Allow inferences about you: may or may not be true (cf. AOLStalker)!
May categorize you: high spender, music aficionado, credit risk
May offer or deny services: rebates, different prices, privileged access
"Social sorting" (Lyon, 2003): opaque decisions "channel" life choices
Image sources: http://www.jimmyjanesays.com/sketchblog/paperdollmask_large.jpg and http://www.queensjournal.ca/story/2008-03-14/supplement/keeping-tabs-personal-data/

Not Orwell, But Kafka!

2. PRIVACY LAW PRIMER

Privacy Law History
Justices of the Peace Act (England, 1361): sentences for eavesdropping and Peeping Toms
"The poorest man may in his cottage bid defiance to all the force of the crown. It may be frail; its roof may shake; ... but the king of England cannot enter; all his forces dare not cross the threshold of the ruined tenement" William Pitt the Elder (1708-1778)
First modern privacy law in the German state of Hesse, 1970

Fair Information Principles (FIP)
Drawn up by the OECD (Organisation for Economic Co-operation and Development), 1980
Voluntary guidelines for member states
Goal: ease transborder flow of goods (and information!)
Five principles (simplified), the core principles of modern privacy laws world-wide:
1. Openness
2. Data access and control
3. Data security
4. Collection limitation
5. Data subject's consent

Laws and Regulations
Privacy laws and regulations vary widely throughout the world
US has mostly sector-specific laws, with relatively minimal protections; self-regulation favored over comprehensive privacy laws (fear that regulation hinders e-commerce)
Europe has long favored strong privacy laws: often a single framework for both public and private sector; privacy commissions in each country (some countries have national and state commissions)

EU Privacy Law
EU Data Protection Directive 95/46/EC
Sets a benchmark for national law for processing personal information in electronic and manual files
Expands on OECD Fair Information Practices: no automated adverse decisions, minimality, retention, sensitive data, checks, ...
Facilitates data flow between Member States and restricts export of personal data to "unsafe" non-EU countries
"E-Privacy" Directive 2002/58/EC (amends 95/46/EC): provisions for "public electronic communications services"
Data Retention Directive 2006/24/EC: orders storage of "traffic data" for law enforcement

US-EU: Safe Harbor
How to make the US a "safe" country (in terms of the Directive)
US companies self-certify adherence to requirements; Dept. of Commerce maintains list (1790 as of 04/09) http://www.export.gov/safeharbor/
Signatories must provide:
notice of data collected, purposes, and recipients
choice: opt-out of 3rd-party transfers, opt-in for sensitive data
access rights to delete or edit inaccurate information
security for storage of collected data
enforcement mechanisms for individual complaints
Approved July 26, 2000 by EU (with right to renegotiate)
So far, not a single dispute!

APEC Privacy Framework 2004
APEC: Asia-Pacific Economic Cooperation
21 member economies, e.g., Japan, South Korea, PR China, Hong Kong, Philippines, Australia, New Zealand, Macau, U.S., Canada
APEC "agreements" non-binding, only public commitment
Defines nine "APEC Privacy Principles", typically less strict than EU and even OECD principles, e.g., no purpose specification, no prior notice, use of "harm principle"
No details or checks on national implementation
No attempt at EU Data Directive 95/46/EC compliance
No consideration of existing privacy laws in region (see in italics)
See also: (Kennedy et al., 2009), (Greenleaf, 2009)

3. INTERPERSONAL PRIVACY

Privacy Invasions
When do we feel that our privacy has been violated?
Perceived privacy violations due to crossing of "privacy borders"
Privacy boundaries (Gary T. Marx, MIT):
1. Natural
2. Social
3. Spatial / temporal
4. Transitory

Privacy Borders (Marx)
Natural: physical limitations (doors, sealed letters)
Social: group confidentiality (doctors, colleagues)
Spatial / temporal: family vs. work, adolescence vs. midlife
Transitory: fleeting moments, unreflected utterances

Privacy Regulation Theory (Irwin Altman, University of Utah)
Privacy as accessibility optimization: inputs and outputs
Spectrum: "openness" / "closedness"
Contrasts with privacy as withdrawal ("to be let alone")
Privacy not monotonic: "more" is not always "better"
Dynamic boundary negotiation process: neither static nor rule-based
Requires fine-grained coordination of action and disclosure
Focus on public spaces, mediated by spatial environment

Managing Privacy Boundaries
Use Altman's theory for networked environments, which are very different from real-world public spaces!
Disclosure boundary: private and public. We sometimes use publicity to limit accessibility
Identity boundary: self and other. Acting according to status, group, affiliation; disclosure according to recipient's identity and role; disclosure as means to differentiate or associate
Temporality boundary: past, present, and future. Effects of temporal sequence of disclosures
Leysia Palen (Univ. of Colorado), Paul Dourish (UC Irvine)
L. Palen, P. Dourish: "Unpacking 'privacy' for a networked world." Proceedings of CHI 2003, pp. 129-136.

TECHNICAL APPROACHES

Ubicomp Privacy Implications
Data collection ("more transactions"): scale (everywhere, anytime); manner (inconspicuous, invisible); motivation (context!)
Data types ("not without computers"): observational instead of factual data
Data access ("more easily accessible"): "The Internet of Things"

FIP Challenges in Ubicomp
How to inform subjects about data collections? Unintrusive but noticeable
How to provide access to stored data? Who has it? How much of this is "my data"?
How to ensure confidentiality and authenticity? Without alienating the user!
How to minimize data collection? What part of the "context" is relevant?
How to obtain consent from data subjects? Missing UIs? Do people understand implications?

Border Crossings in Ubicomp
Smart appliances (natural borders): "spy" on you in your own home
Family intercom (social borders): Grandma knows when you're home
Consumer profiles (temporal borders): span time and space
"Memory amplifier" (transitory borders): records careless utterances

1. LOCATION PRIVACY

Location Privacy
"... the ability to prevent other parties from learning one's current or past location." (Beresford and Stajano, 2003)
Why share your location? By-product of positioning technology (e.g., cell towers); required to use a service (recommendations, toll roads, ...); let others (friends, family) know where I am
Why NOT share your location? Location profiles reveal/imply activities, interests, identity
Useful definition?! Think Altman!

Location Privacy Technology
Many proposals: laws/regulations and audits (enterprise privacy); anonymization ("k-anonymity"); obfuscation; rule-based access control
Privacy model? Assumption: less location disclosure means more privacy
(Krumm, 2008) provides an overview of the state of the art (John Krumm, Microsoft Research)

Location Obfuscation
Adding noise, perturbation, dummy traffic to location data
Protects against attackers, but degrades service use
(Krumm, 2007) showed that LOTS of obfuscation is needed
Typically combined with rules to selectively adjust accuracy
Image source: Krumm, J., Inference Attacks on Location Tracks, in Fifth International Conference on Pervasive Computing (Pervasive 2007), Toronto, Ontario, Canada, pp. 127-143.

Location Mix Zones (Alastair Beresford and Frank Stajano, Cambridge Univ.)
Frequently change pseudonyms to prevent tracking; the change is often trivial to detect
Idea: designate "mix zones" with no tracking / LBS active; change pseudonyms only within the mix zone
(Beresford and Stajano, 2003) offer a probabilistic model for unlinkability in mix zones
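The two situations on this slide (a pseudonym change in the open, where the change is trivial to detect, and one inside a mix zone), worked through as an added Python example that is not part of the original slides and not Beresford and Stajano's code. It assumes a simplified attacker: outside a mix zone, spatial continuity ties an old pseudonym to the new one; inside, only entry and exit timing is available and every plausible candidate is weighted equally (Beresford and Stajano use measured movement-time distributions instead). Positions, times and pseudonym names are constructed for the example:

```python
"""Why pseudonym changes need a mix zone: linking attack versus anonymity set.

Added illustration, not from the slides or from Beresford and Stajano.
All positions, times and pseudonyms below are constructed.
"""
import math


def nearest_link(vanished, appeared, max_step):
    """Linking attack on pseudonym changes made in the open.

    vanished: {old_pseudonym: (x, y)} last position of each pseudonym that
              stopped reporting in the latest update.
    appeared: {new_pseudonym: (x, y)} first position of each pseudonym that
              started reporting in that update.
    Each vanished pseudonym is tied to the closest appeared one, provided it lies
    within max_step (the farthest a user can move between two updates).
    """
    links = {}
    for old, (ox, oy) in vanished.items():
        best, best_dist = None, max_step
        for new, (nx, ny) in appeared.items():
            dist = math.hypot(nx - ox, ny - oy)
            if dist <= best_dist:
                best, best_dist = new, dist
        links[old] = best
    return links


def mix_zone_candidates(entries, exits, min_dwell, max_dwell):
    """Inside a mix zone nothing is reported, so the attacker can only use timing.

    entries: {old_pseudonym: t_in}  time a pseudonym went silent at the border
    exits:   {new_pseudonym: t_out} time a new pseudonym first appeared leaving
    A new pseudonym could belong to any user whose implied dwell time
    t_out - t_in is plausible. Simplification (assumption of this example):
    every plausible candidate is equally likely.
    """
    candidates = {}
    for new, t_out in exits.items():
        candidates[new] = sorted(old for old, t_in in entries.items()
                                 if min_dwell <= t_out - t_in <= max_dwell)
    return candidates


def anonymity_bits(candidates):
    """Entropy of the attacker's uniform guess per exiting pseudonym.

    0 bits: old and new pseudonym are linked with certainty.
    log2(k) bits: the user hides in an anonymity set of size k.
    """
    return {new: math.log2(len(olds)) for new, olds in candidates.items() if olds}


def demo():
    """Constructed scenario contrasting both situations."""
    # 1. Change in the open: p1 last seen at (2, 0), p2 appears at (3, 0).
    #    The only other user, q7, is far away, so the tracker links p1 -> p2.
    open_links = nearest_link({"p1": (2.0, 0.0)},
                              {"p2": (3.0, 0.0), "q7": (40.0, 5.0)},
                              max_step=5.0)
    # 2. Same change inside a mix zone shared with two other users: three users
    #    went silent at t=0, 2, 3 and three new pseudonyms appear at t=10, 11, 12.
    shared = mix_zone_candidates({"p1": 0, "p3": 2, "p5": 3},
                                 {"p2": 10, "p4": 11, "p6": 12},
                                 min_dwell=5, max_dwell=20)
    # 3. A mix zone the user crosses alone gives no protection at all.
    alone = mix_zone_candidates({"p1": 0}, {"p2": 10}, min_dwell=5, max_dwell=20)
    return {
        "open_links": open_links,
        "shared_candidates": shared,
        "shared_bits": anonymity_bits(shared),
        "alone_bits": anonymity_bits(alone),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() links the open-air change with certainty, gives log2(3), about 1.58 bits, for the shared zone, and 0 bits for the zone crossed alone: a mix zone protects only as much as the other users who happen to be inside it at the same time, which is why Beresford and Stajano measure its quality as the attacker's uncertainty rather than as a fixed property of the zone.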

2. RFID PRIVACY

RFID Privacy Concerns

Why RFID Privacy?
Embarrassment: wig? Underwear? Medicine?
Criminal acts: theft, assault, murder, terror
Items a reader could enumerate on a passer-by (from the artwork):
Wig: Model #2342, Material: Polyester
Wallet: Cash: 370 Euro, Student ID: #2845/ETH
Tiger Tanga: Maker: Aldi (Suisse), Last washed: 5 days ago
Viagra: Maker: Pfitzer, Size: Maxi (60 pills)
Passport: Name: John Doe, Nationality: USA, Visa for: Israel
Original "RFID-Man" artwork (c) 2006 Ari Juels, RSA Laboratories

Why RFID Privacy?
Embarrassment: wig? Underwear? Medicine?
Criminal acts: theft, assault, murder, terror
Indirect control: subtle influence through consumer profiles
Direct control: "technology paternalism", government surveillance
Spiekermann, Pallas: Technology Paternalism – Wider Implications of Ubiquitous Computing. Poiesis and Praxis: International Journal of Technology Assessment and Ethics of Science, Springer, Jan 2006, pp. 1-13

RFID Privacy Approaches
Tag deactivation: fry, cut, or silence (software); prevents further use (kill station, METRO Future Store)
Tag encryption (lots!): more expensive tags; password management!
Readout interference ("blocker tag", "Guardian"): reliability? Feasibility? Legal? Burdens the user (conscious use, configuration)
(Juels, 2006) provides an overview of the state of the art (Ari Juels, RSA Laboratories); see also (Langheinrich, 2008) or (Spiekermann, 2008)

Shamir Tags: "Keyless" Encryption
Idea: the encrypted tag carries its own key, so there is no need to manage keys!
Prevent skimming: key readout takes a long time; bitwise release, short range (e.g., one bit/sec); intermediate results meaningless, since encrypted
Prevent tracking: reply with random bits; decryption requires all bits being read
Allow known tags to be directly identified: allows the owner to use tags without apparent restrictions; initial bit release enough for instant identification from a known set
Source: Langheinrich, Marti: Practical Minimalist Cryptography for RFID Privacy. IEEE Systems Journal, Vol. 1, No. 2, 2007 (Remo Marti, Ergon Informatik; and this speaker)

Figure: Shamir tag construction and bit disclosure over time
Secret s (the 96-bit EPC code) is split into shares h_i; each share is a 106-bit value (10-bit x-value, 96-bit y-value); three shares concatenated form the 318-bit Shamir tag
Bit disclosure over time: 16-bit initial reply, then +1 bit per step
Unknown tags will eventually be identified; instant identification of known items
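The construction on the previous two slides, worked through as an added Python example; this is not code from the slides or from Langheinrich and Marti's paper. It assumes Shamir secret sharing over GF(p) with the Mersenne prime p = 2^127 - 1, so y-values are 127 bits instead of the 96 in the figure and a three-share tag is 411 bits instead of 318; a (3,3) split, so all three shares are needed to recover the EPC; and a tag that releases its bits in a fresh random order on every query, which is this example's reading of "reply with random bits". The EPC values and tag names are constructed, and the seeded random generator is for reproducibility only:

```python
"""Shamir tag simulation: a tag that carries its own key and releases it slowly.

Added illustration, not code from the slides or from Langheinrich and Marti.
Assumptions: GF(p) with p = 2^127 - 1, a (3,3) split, random-order bit release.
"""
import random

P = (1 << 127) - 1      # field prime (assumption; the slide's y-values are 96 bits)
EPC_BITS = 96           # the 96-bit EPC code is the secret s
X_BITS, Y_BITS = 10, 127
SHARE_BITS = X_BITS + Y_BITS


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial over GF(P); coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n, rng):
    """Split secret into n Shamir shares (x, y); any k of them reconstruct it."""
    assert 0 <= secret < (1 << EPC_BITS) and 1 <= k <= n < (1 << X_BITS)
    coeffs = [secret] + [rng.randrange(P) for _ in range(k - 1)]
    xs = rng.sample(range(1, 1 << X_BITS), n)        # distinct non-zero x-values
    return [(x, _eval_poly(coeffs, x)) for x in xs]


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def encode_tag(shares):
    """Bit string stored on the tag: each share as x-value followed by y-value."""
    return "".join(format(x, f"0{X_BITS}b") + format(y, f"0{Y_BITS}b")
                   for x, y in shares)


def decode_tag(bits):
    """Inverse of encode_tag."""
    return [(int(bits[i:i + X_BITS], 2), int(bits[i + X_BITS:i + SHARE_BITS], 2))
            for i in range(0, len(bits), SHARE_BITS)]


class ShamirTag:
    """Tag that answers one bit per step, in a fresh random order on every query."""

    def __init__(self, bits, rng):
        self.bits, self.rng = bits, rng

    def query(self):
        order = list(range(len(self.bits)))
        self.rng.shuffle(order)
        for pos in order:              # each (position, bit) costs the reader one step
            yield pos, self.bits[pos]


def consistent_known_tags(observed, known):
    """Names of known tags (name -> full bit string) agreeing with every observed bit."""
    return [name for name, bits in known.items()
            if all(bits[pos] == b for pos, b in observed)]


def read_tag(tag, known, initial=16):
    """Reader: identify a known tag from its first bits, or else read everything.

    Returns ("known", name, bits_read) once exactly one known tag is consistent
    with what was seen, otherwise ("unknown", epc, bits_read) after a full read.
    """
    observed, not_ours = [], not known
    for pos, b in tag.query():
        observed.append((pos, b))
        if not not_ours and len(observed) >= initial:
            matches = consistent_known_tags(observed, known)
            if len(matches) == 1:
                return "known", matches[0], len(observed)
            not_ours = not matches     # none of ours: stop matching, keep reading
    full = "".join(b for _, b in sorted(observed))
    return "unknown", reconstruct(decode_tag(full)), len(observed)


def demo(seed=2009):
    """Constructed scenario: two of the owner's own tags and one foreign tag."""
    rng = random.Random(seed)          # seeded for reproducibility; real tags need a CSPRNG
    epcs = {"wig": 0x300833B2DDD9014000000001, "wallet": 0x300833B2DDD9014000000002}
    known = {name: encode_tag(split_secret(epc, 3, 3, rng)) for name, epc in epcs.items()}
    foreign_epc = 0x3008B4A90000000000000003
    foreign = ShamirTag(encode_tag(split_secret(foreign_epc, 3, 3, rng)), rng)
    shares = decode_tag(known["wig"])
    return {
        "full_ok": reconstruct(shares) == epcs["wig"],         # all 3 shares: the EPC
        "partial_ok": reconstruct(shares[:2]) == epcs["wig"],  # 2 of 3: garbage
        "own": read_tag(ShamirTag(known["wig"], rng), known),  # owner: instant match
        "foreign": read_tag(foreign, {}),                      # skimmer: needs every bit
        "foreign_epc": foreign_epc,
        "tag_bits": len(known["wig"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The owner's reader identifies its own wig after the first 16 released bits (a few more only if the wallet tag happens to agree on all of them), because it compares the revealed bit positions against the complete strings it already holds; a skimmer holding no such set has to wait for all 411 bits at one bit per second, and any prefix short of a full share set gives it nothing, since two of the three shares interpolate to an unrelated value. At the slide's 318 bits the same arithmetic applies with a field just above 2^96.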

3. SMART ENVIRONMENTS

Smart Environments
Privacy middleware: machine-readable privacy policies control data collection, processing, access; personal device (e.g., mobile phone) to monitor and configure the environment; optional: built-in data obfuscation
Example projects: PawS/P3P (Langheinrich, 2003); Confab toolkit (Hong and Landay, 2004; Jason Hong, CMU, and James Landay, Univ. of Washington); Aware Home (Georgia Tech)

Presence Technology
Providing control and awareness to users: who is seeing what information about me?
CSCW / telecommuting: (Bellotti and Sellen, 1993), EuroPARC's RAVE media space; (Neustaedter, Greenberg, and Boyle, 2006), blurring?
Location disclosure: (Hong and Landay, 2004), Lemming: location-enhanced IM; (Consolvo et al., 2005), social relations and location disclosure
Image source: (Neustaedter, Greenberg, and Boyle, 2006)

Related Issues
Privacy and usability: CUPS group @ CMU (Lorrie F. Cranor, CMU)
Hippocratic databases: privacy-compliant processing (Rakesh Agrawal, Microsoft Research)
Statistical databases: anonymization in databases ("k-anonymity") (Latanya Sweeney, CMU)
Economics of privacy: when do people share data? (Alessandro Acquisti, CMU)

SUMMARY & OUTLOOK

Take Home Message
Privacy is not just secrecy and seclusion!
Privacy is a process, not a state; a solution requires good understanding of the social, legal, and policy issues involved
Pervasive computing offers new challenges: invisible, comprehensive, sensor-based, ...
Ubicomp (privacy) challenges: user interface (notice, choice, consent); protocols (anonymity, security, access); social compatibility (privacy boundaries)

Some Techno-Fallacies
The objectivity of numbers
Data means knowledge
More data means more knowledge
If it is in the computer, it must be right
If you have nothing to hide, there's no danger
Less data means more privacy
"Technology is neither good nor bad; nor is it neutral." Melvin C. Kranzberg
See, e.g., Gary T. Marx: Rocky Bottoms and Some Information Age Techno-Fallacies. International Political Sociology, Vol. 1, No. 1, March 2007, pp. 83-110.
Pictured: Irwin Altman (University of Utah), Melvin C. Kranzberg (Georgia Tech, 1917-1995), Gary T. Marx (MIT)

Thank You For Your Attention

General Reading
David Brin: The Transparent Society. Perseus Publishing, 1999
Simson Garfinkel: Database Nation – The Death of Privacy in the 21st Century. O'Reilly, 2001
Lawrence Lessig: Code and Other Laws of Cyberspace (Code: Version 2.0). Basic Books, 2006, http://codev2.cc/

Privacy Law
Rotenberg: The Privacy Law Sourcebook 2004. EPIC, 2004
Privacy & Human Rights 2006. EPIC
Solove, Schwartz: Information Privacy Law. 3rd edition, Aspen, 2009

Privacy and Technology
Deborah Estrin (ed.): Embedded, Everywhere: A Research Agenda for Networked Systems of Embedded Computers. National Academies Press, 2001. http://www.nap.edu/openbook.php?isbn=0309075688
Waldo, Lin, Millett (eds.): Engaging Privacy and Information Technology in a Digital Age. National Academies Press, 2007.
Wright, Gutwirth, Friedewald, et al.: Safeguards in a World of Ambient Intelligence. Springer, 2008