
Privacy by Design Principles of Privacy-Aware Ubiquitous Systems - PowerPoint PPT Presentation



  1. Privacy by Design: Principles of Privacy-Aware Ubiquitous Systems
     Marc Langheinrich, ETH Zurich, Switzerland, www.inf.ethz.ch/~langhein
     Ubicomp 2001, Atlanta

  2. Contents
     ! Privacy primer – Does privacy matter?
     ! Privacy in ubiquitous systems – What’s so different about it?
     ! Challenges – Issues to address in ubicomp systems
     ! Privacy-aware infrastructures – A first attempt
     10/3/2001 Slide 2

  3. Just a Modern Fad? (1. Privacy Primer)
     ! “All this secrecy is making life harder, more expensive, dangerous...”
       – Peter Cochrane, former head of BT Research
     ! “You have zero privacy anyway”
       – Scott McNealy, CEO Sun Microsystems
     ! “By 2010, privacy will become a meaningless concept in western society”
       – Gartner Report

  4. Privacy – a Human Need? (1. Privacy Primer)
     ! References in the Bible
     ! Jewish law (“…free from being watched”)
     ! Justices of the Peace Act (England, 1361)
     ! Privacy is a human right
       – Universal Declaration of Human Rights, article 12 (1948)
       – European Convention on Human Rights, article 8 (1970)

  5. Legal Realities Today (1. Privacy Primer)
     ! Legislation varies around the world
       – Mostly self-regulatory approach in US
       – Comprehensive laws for government and industry in EU
     ! EU Directive 95/46/EC
       – Limits data collection
       – Requires comprehensive disclosures
       – Prohibits data export to “unsafe” countries
         • Prompted legislative updates worldwide

  6. Contents (agenda repeated; section 2. Privacy in Ubicomp begins)

  7. Aspects of Privacy (2. Privacy in Ubicomp)
     ! Anonymity
       – Authentication & Routing
     ! Security
       – Encryption & Communication Hiding
     ! Transparency
       – Trust-Labels, Signatures, Protocols (P3P)
     How much of this works in ubicomp?

  8. Unlimited Coverage (2. Privacy in Ubicomp)
     ! The Web: covers our digital life
       – Shopping, chatting, news reading
     ! Ubicomp: real-world deployment!
       – Home, School, Office, Public Spaces, ...
     ! Covers all of our life, comprehensively!
       – Day in, day out – from cradle to grave
     ! No switch to turn it off?
       – Constant, seamless surveillance possible

  9. Loss of Awareness (2. Privacy in Ubicomp)
     ! Surveillance and data collection today
       – Stores, credit card applications, sweepstakes
     ! Ubicomp: invisible computing
       – Computers disappear into the environment
     ! When am I giving out data?
       – Fingerprint could be taken without notice
     ! When am I under surveillance?
       – Life recorders, room computers, smart cups

  10. New Types of Data (2. Privacy in Ubicomp)
     ! Last 50 years of data collection
       – Identity, contact info, preferences, …
     ! Ubicomp: advanced sensors
       – New data (location, health, habits, …)
       – More detailed & precise (24/7)
     ! Does the system know more than I?
       – Body sensors detect moods
       – Nervous? Floor & seat sensors, eye tracker

  11. More Data, More Knowledge (2. Privacy in Ubicomp)
     ! Traditional data, traditional use
       – Compiling mailing lists, predicting trends, …
     ! Ubicomp: smartness through context
       – Context is distilled sensory information
     ! Encourages increased data collection
       – More data means more, better context
     ! Innocuous data can lead to new knowledge
       – Data mining: more than the sum of its parts

  12. Contents (agenda repeated; section 3. Challenges begins)

  13. 1. Notice (3. Challenges)
     ! No hidden data collection!
       – Legal requirement in many countries
     ! Established means: privacy policies
       – Who, what, why, how long, etc. ...
     ! How to publish policies in Ubicomp?
       – Periodic broadcasts
       – Privacy service?
     ! Too many devices?
       – Countless announcements an annoyance

  14. 2. Choice & Consent (3. Challenges)
     ! Laws require explicit consent by user
       – Usually a signature or pressing a button
     ! True consent requires true choice
       – More than “take it or leave it”
     ! How to ask without a screen?
       – Designing UIs for embedded systems, or
       – Finding means of delegation (is this legal?)
     ! Providing conditional services
       – Can there be levels of location tracking?

  15. 3. Anonymity, Pseudonymity (3. Challenges)
     ! Anonymous data comes cheap
       – No consent, security, access needed
     ! Pseudonyms allow for customization
       – User can discard at any time
     ! Sometimes one cannot hide!
       – No anonymizing cameras & microphones
     ! Real-world data hard to anonymize
       – Even pseudonyms can reveal true identity

  16. 4. Meeting Expectations (3. Challenges)
     ! Ubicomp: invisibly augments real-world
     ! Old habits adapt slowly (if ever)
       – People expect solitude to mean privacy
       – Strangers usually don’t know me
     ! No spying, please (Proximity)
       – Devices only record if owner is present
     ! Rumors should not spread (Locality)
       – Local information stays local
       – Walls and flower-pots can talk (but won’t do so over the phone)

  17. 5. Security (3. Challenges)
     ! No one-size-fits-all solutions
       – High security for back-end storage
       – Low security for low-power sensors
     ! Real world has complex, situation-dependent security requirements
       – Free access to medical data in emergency situations
     ! Context-specific security?
       – Depending on device battery status
       – Depending on types of data, transmission
       – Depending on locality, situation

  18. 6. Access & Recourse (3. Challenges)
     ! Identifiable data must be accessible
       – Users can review, change, sometimes delete
     ! Collectors must be accountable
       – Privacy-aware storage technology?
     ! Ubicomp applications like lots of data
       – Increased need for accounting and access
     ! Carefully consider what is relevant
       – How much data do I really need?

  19. Contents (agenda repeated; section 4. Privacy Infrastructures begins)

  20. Privacy Infrastructures (4. Privacy Infrastructures)
     [Architecture diagram; labels only: PA (Privacy Assistant); Privacy Beacon; Devices: Printer, Camera; PA Counterpart, Printer Counterpart, Camera Counterpart; The Internet; message flow: Privacy Policy, Accept/Decline]

  21. Privacy Infrastructure (4. Privacy Infrastructures)
     ! Project Status
       – Started Aug 2001
       – Currently devising architecture
     ! Challenges
       – Policy broadcasts, privacy services, user interface, ...
     ! Goals
       – Operational prototype for trying out new concepts
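As an added illustration (not code from the talk or from the ETH project), a toy model of the beacon-to-PA exchange sketched on slides 13, 14 and 20: a Privacy Beacon announces a device's policy as "who, what, why, how long", and the Privacy Assistant answers Accept/Decline, choosing among several offered service levels. Device names, data types and preference limits are constructed.

```python
from dataclasses import dataclass

# Added example, not the talk's own code: a toy Privacy Beacon announcement and the
# Privacy Assistant (PA) decision it triggers. Policy fields follow "who, what, why,
# how long" (Notice slide); the multi-level offer follows "levels of location
# tracking" (Choice & Consent slide). All names, data types and limits are constructed.

@dataclass(frozen=True)
class DataUse:
    data: str            # what is collected, e.g. "image"
    purpose: str         # why it is collected
    retention_days: int  # how long it is kept

@dataclass(frozen=True)
class Policy:
    collector: str  # who collects (hypothetical device name)
    level: str      # hypothetical label for the service level this policy buys
    uses: tuple     # DataUse entries announced by the beacon

@dataclass
class Preferences:
    allowed_purposes: dict    # data type -> frozenset of acceptable purposes
    max_retention_days: dict  # data type -> longest acceptable retention

def evaluate(policy, prefs):
    """PA decision for one policy: ('accept', []) or ('decline', reasons)."""
    reasons = []
    for use in policy.uses:
        if use.purpose not in prefs.allowed_purposes.get(use.data, frozenset()):
            reasons.append(f"{use.data}: purpose '{use.purpose}' not permitted")
        limit = prefs.max_retention_days.get(use.data, 0)  # unlisted data: keep nothing
        if use.retention_days > limit:
            reasons.append(f"{use.data}: retention {use.retention_days}d > {limit}d")
    return ("decline", reasons) if reasons else ("accept", [])

def choose_level(levels, prefs):
    """Beacon offers levels from most to least data-hungry; the PA takes the
    first acceptable one, or declines the service altogether."""
    for policy in levels:
        if evaluate(policy, prefs)[0] == "accept":
            return policy.level
    return "decline"

# Constructed sample: a room camera offering full video or presence-only sensing.
CAMERA_LEVELS = (
    Policy("room-camera", "video", (DataUse("image", "security", 30),)),
    Policy("room-camera", "presence", (DataUse("presence", "security", 1),)),
)
USER_PREFS = Preferences({"image": frozenset({"security"}), "presence": frozenset({"security"})},
                         {"image": 7, "presence": 1})
```

With these preferences the PA declines the full-video level (30-day image retention exceeds the 7-day limit) and settles on presence-only sensing.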

  22. The Take Home Message (Summary & Conclusions)
     ! Many questions, few answers
       – Technology, laws still to evolve
     ! Ubicomp adds a new quality to privacy
       – Invisible, real-world coverage, comprehensive collection, inconspicuous
     ! Ubicomp (privacy) challenges
       – User interface (notice, choice, consent)
       – Protocols (anonymity, security, access)
       – Social acceptance (user expectations)
