Privacy in Ubiquitous Systems, Marc Langheinrich (PowerPoint presentation)


SLIDE 1

UEC, January 2002

Privacy in Ubiquitous Systems

Marc Langheinrich ETH Zurich, Switzerland

www.inf.ethz.ch/~langhein

Privacy in Ubiquitous Systems

SLIDE 2

3/15/2002 Slide 2

About the ETH Zurich

Swiss Federal Institute Of Technology (ETH)

– Founded 1854
– 330 Professors (40% non-Swiss)
– 12,000 Students (Computer Science: ~900)

Department of Computer Science

– 23 Professors, ~120 PhD Students – Prof. Em. Niklaus Wirth (Pascal, Modula)

Zurich, Switzerland

– Population: some 350,000 (All of Switzerland: 7.5 Million) – Only 1 hour to the Alps!

Introduction

SLIDE 3

The Distributed Systems Group

Established 1999

– Prof. Friedemann Mattern (TH Darmstadt) – 13 PhD Students

Infrastructure for Ubiquitous Computing

– Service Description & Discovery
– Communications
– Location
– Reliability, Security, Privacy

Introduction

SLIDE 4

Projects & Partners

Swiss National Fund (“Terminodes”)

– Infrastructureless communications

European Union (partners from UK, DE, FI, …)

– “Smart-Its” (sensor-networks) – “TAPIR” (ubicomp in health sector, appl. pending)

Ladenburger Symposium (Daimler Foundation)

– Ubiquitous computing in the social sciences

M-Lab (together with Univ. St.Gallen, MIT)

– Ubiquitous computing in business

“ETH World”

– The future campus

Introduction

SLIDE 5

Contents

Privacy primer

– Does privacy matter? – Privacy Models

Privacy in ubiquitous systems

– What’s so different about it? – Issues to address in ubicomp systems

Privacy-aware infrastructures

– A first attempt

Privacy in Ubiquitous Systems

SLIDE 6

Just a Modern Fad?

“All this secrecy is making life harder, more expensive, dangerous...”

– Peter Cochrane, former head of BT Research

“You have zero privacy anyway”

– Scott McNealy, CEO Sun Microsystems

“By 2010, privacy will become a meaningless concept in western society”

– Gartner Report, 2000

1.1 Why Privacy?

SLIDE 7

Privacy – a Human Need?

References in the Bible

Justices of the Peace Act (England, 1361)

– Provides for arrest of Peeping Toms and eavesdroppers

Privacy is a human right

– Universal Declaration of Human Rights, Article 12 (1948)
– European Convention on Human Rights, Article 8 (1950)

1.1 Why Privacy?

SLIDE 8

Do People Care?

Japan’s Ministry of Postal & Telecommunications survey

– Interviews with 968 adults, 1999
– 70% have an interest in privacy protection
– 92% fear that personal information is used without their knowledge

1.1 Why Privacy?

SLIDE 9

What Data is Private?

Source: Cranor, Reagle, Ackerman „Beyond Concern: Understanding Net Users’ Attitudes About Online Privacy“

1.1 Why Privacy?

SLIDE 10

Regional Differences

IBM-Harris multinational survey (10/1999)

– Phone interviews with 1000+ adults in each of three countries: US, UK and Germany
– US:
  • greatest trust in companies, but
  • most likely to actively protect privacy
– Germany:
  • most comfortable with governmental privacy protection

1.1 Why Privacy?

SLIDE 11

Privacy Definitions

“The right to be left alone”

– Judge Brandeis, 1890 (“The right to privacy”)

“The desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitudes, and their behavior to others.”

– Alan Westin, 1967 (“Privacy and Freedom”)

1.1 Why Privacy?

SLIDE 12

Contents

Privacy primer

– Does privacy matter? – Privacy Models

Privacy in ubiquitous systems

– What’s so different about it? – Issues to address in ubicomp systems

Privacy-aware infrastructures

– A first attempt

Privacy in Ubiquitous Systems

SLIDE 13

Privacy Models

Self-Regulation

– Industry-developed code of practice, overseen by self-elected bodies

Comprehensive Laws

– Covers both governmental and private data collection

Sectoral Laws

– Govern only specific privacy aspects in a single sector (e.g. video rental records)

Privacy Technology

– Deployed by users themselves (e.g. anonymizers, encryption, etc.)

1.2 Privacy Models

SLIDE 14

Self-Regulation

Voluntary guidelines

– Define acceptable base-line protection

Privacy policies

– Communicate practices to users

Seal programs

– Establish trust relationships

1.2 Privacy Models

SLIDE 15

Voluntary Guidelines

Often based on the “OECD Fair Information Principles” (OECD Privacy Guidelines, adopted 1980)

Examples

– Online Privacy Alliance

http://www.privacyalliance.org

– Direct Marketing Association Privacy Promise

http://www.thedma.org/library/privacy/privacypromise.shtml

1.2 Privacy Models

SLIDE 16

OECD Fair Information Principles

Notice and awareness
Choice and consent
Security safeguards
Data quality and access
Accountability
Use limitation
Collection limitation (data minimization)

1.2 Privacy Models

SLIDE 17

Privacy Policies

Policies let consumers know about a site’s privacy practices

Consumers can then decide whether or not the practices are acceptable, when to opt in or opt out, and who to do business with

The presence of privacy policies increases consumer trust

1.2 Privacy Models

SLIDE 18

Privacy Policy Drawbacks

BUT policies are often

– difficult to understand
– hard to find
– take a long time to read
  • usually 3-4 pages!
– changed without notice

1.2 Privacy Models

SLIDE 19

Seal Programs

TRUSTe – http://www.truste.org
BBBOnline – http://www.bbbonline.org
CPA WebTrust – http://www.cpawebtrust.org/
Japanese Privacy Mark – http://www.jipdec.or.jp/security/privacy/

1.2 Privacy Models

SLIDE 20

Seal Program Problems

Basic Principle:

– Publish a policy (any policy) and follow it

Only a few require a base-level standard

– BBBOnline requires client in good standing with Better Business Bureau

Effect:

– Good notices of bad practices

1.2 Privacy Models

SLIDE 21

Privacy Models

Self-Regulation

– Industry-developed code of practice, overseen by self-elected bodies

Comprehensive Laws

– Covers both governmental and private data collection

Sectoral Laws

– Govern only specific privacy aspects in a single sector (e.g. video rental records)

Privacy Technology

– Deployed by users themselves (e.g. anonymizers, encryption, etc.)

1.2 Privacy Models

SLIDE 22

Laws and Regulations

Privacy laws and regulations vary widely throughout the world

US has mostly sector-specific laws, with relatively minimal protections

– Self-Regulation favored over comprehensive Privacy Laws – Fear that regulation hinders (e-)commerce

Europe has long favoured strong privacy laws

– First data protection law in the world: State of Hesse, Germany (1970)
– Council of Europe Convention on Automatic Processing of Personal Data (1981)
– Privacy commissions in each country (some countries have national and state commissions)

1.2 Privacy Models

SLIDE 23

Some US Privacy Laws

Bank Secrecy Act, 1970
Fair Credit Reporting Act, 1970
Privacy Act, 1974
Family Educational Rights and Privacy Act, 1974
Right to Financial Privacy Act, 1978
Cable TV Privacy Act, 1984
Electronic Communications Privacy Act, 1986
Video Privacy Protection Act, 1988
Freedom of Information Act, 1966 (amended 1991, 1996)

1.2 Privacy Models

SLIDE 24

EU Data Directive

1995 Data Protection Directive 95/46/EC

– Limits data collection – Requires comprehensive disclosures

Member states responsible for passing relevant national laws by 10/1998

– 12 out of 15 member states have passed legislation; France, Ireland and Luxembourg are still pending (as of 01/2002)

World-wide impact

– Prohibits data export to “unsafe” countries
  • Prompted legislative updates worldwide

1.2 Privacy Models

SLIDE 25

Safe Harbor

Membership

– US companies self-certify adherence to the requirements
– Dept. of Commerce maintains the signatory list

http://www.export.gov/safeharbor/SafeHarborInfo.htm

Signatories must provide

– notice of data collected, purposes, and recipients
– choice: opt-out of third-party transfers, opt-in for sensitive data
– access: rights to delete or edit inaccurate information
– security for storage of collected data
– enforcement mechanisms for individual complaints

Approved July 26, 2000 by EU

– reserves right to renegotiate if remedies for EU citizens prove to be inadequate

1.2 Privacy Models

SLIDE 26

Privacy around the World

Australia*
– Proposed: Privacy Amendment (Private Sector) Bill in 2000
– In talks with EU officials

Brazil
– Proposed: Bill No. 61 in 1996 (pending)

Canada*
– Passed: Bill C-6 in 4/2000
– Under review by EU

Hong Kong*
– Passed: Personal Data (Privacy) Ordinance in 1995

Japan
– Currently: self-regulation & prefectural laws
– In talks with EU officials

Russia
– Law on Information, Informatization, and Information Protection (1995)
– In progress: update to comply with EU directive

South Africa
– Planned: Privacy and Data Protection Bill

Switzerland*
– EU-certified safe third country for data transfers

Source: http://www.privacyinternational.org/survey/

* Has National Privacy Commissioner

1.2 Privacy Models

SLIDE 27

Privacy Models

Self-Regulation

– Industry-developed code of practice, overseen by self-elected bodies

Comprehensive Laws

– Covers both governmental and private data collection

Sectoral Laws

– Govern only specific privacy aspects in a single sector (e.g. video rental records)

Privacy Technology

– Deployed by users themselves (e.g. anonymizers, encryption, etc.)

1.2 Privacy Models

SLIDE 28

Privacy Tools

Encryption tools

– Prevent others from listening in on your communications

Anonymity tools

– Prevent your actions from being linked to you

Transparency tools

– Make informed choices about how your information will be used

Trust tools

– Know that assurances about information practices are trustworthy

1.2 Privacy Models

SLIDE 29

Encryption Standards

Public Key Cryptography

– Allows secure key exchange over an insecure channel (only if the public keys themselves are authenticated, e.g. via certificates or a web of trust; otherwise a man-in-the-middle can substitute its own key)

Applications & Protocols

– IPsec – Secure IP
– SSH – Secure Shell
– SSL – Secure Sockets Layer
– SET – Secure Electronic Transactions
– PGP – Pretty Good Privacy

1.2 Privacy Models

SLIDE 30

The Anonymizer

Acts as a proxy for users Hides information from end servers Sees all web traffic Adds ads to pages (free service; subscription service also available)

http://www.anonymizer.com

Anonymizer

Request Request Reply Reply

Client Server

1.2 Privacy Models
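The proxy on the slide, reduced to the part that matters for privacy: which request headers it strips before forwarding, and what it still records itself. This is an added example, not code from the slides or from Anonymizer.com; the header list, the generic User-Agent string and the log format are assumptions for illustration.

```python
"""Anonymizing proxy, reduced to its header-scrubbing core (added example)."""
from urllib.parse import urlsplit

# Request headers that identify the client or leak browsing history.
# Assumption: this is the set a scrubbing proxy drops; real services differ.
IDENTIFYING_HEADERS = {
    "cookie", "authorization", "referer", "user-agent",
    "x-forwarded-for", "forwarded", "via", "from", "accept-language",
}
GENERIC_UA = "Mozilla/5.0 (compatible; anonymizing-proxy)"   # assumed value


def scrub_headers(headers):
    """Return the headers an end server sees: identifying ones removed,
    a uniform User-Agent substituted, everything else passed through."""
    kept = [(k, v) for k, v in headers if k.lower() not in IDENTIFYING_HEADERS]
    kept.append(("User-Agent", GENERIC_UA))
    return kept


def proxy_request(client_ip, method, url, headers, log):
    """Forward one request.  Returns (forwarded headers, log entry).

    The end server learns only the proxy's view, but the proxy itself still
    knows who asked for what: that is the trust the user places in it."""
    fwd = scrub_headers(headers)
    parts = urlsplit(url)
    entry = {"client": client_ip, "host": parts.hostname,
             "path": parts.path, "method": method}
    log.append(entry)
    return fwd, entry


def server_view(headers):
    """What an end server can infer about the client from scrubbed headers."""
    names = {k.lower() for k, _ in headers}
    return {
        "sees_cookie": "cookie" in names,
        "sees_referer": "referer" in names,
        "sees_client_ip_header": bool(names & {"x-forwarded-for", "forwarded", "via"}),
    }


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    sample = [("Host", "shop.example"), ("Cookie", "session=abc123"),
              ("Referer", "http://bank.example/account"),
              ("User-Agent", "Mozilla/5.0 (X11; Linux) Firefox/97"),
              ("Accept", "text/html"), ("Accept-Language", "de-CH")]
    proxy_log = []
    fwd, entry = proxy_request("203.0.113.7", "GET",
                               "http://shop.example/item?id=42", sample, proxy_log)
    print("forwarded:", fwd)
    print("server infers:", server_view(fwd))
    print("proxy log:", entry)
```

Stripping Cookie and Authorization also breaks logged-in sessions, which is why such proxies work best for anonymous browsing; and note that the proxy log still links client address to destination host, so the anonymizer only moves the trust problem, it does not remove it.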

SLIDE 31

Mixes [Chaum81]

Sender routes the message randomly through a network of “Mixes”, using layered public-key encryption.

[Figure: Sender → Mix A → Mix B → Mix C → Destination]
– Sender to Mix A: {B, {C, {dest, msg}kC}kB}kA
– Mix A to Mix B: {C, {dest, msg}kC}kB
– Mix B to Mix C: {dest, msg}kC
– Mix C to Destination: msg

kX = encrypted with public key of Mix X

1.2 Privacy Models
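The layering shown in the figure, as an added example that is not code from the slides or from [Chaum81]. Assumptions: a toy textbook RSA built from Mersenne primes plus a SHA-256 keystream stands in for real public-key encryption, and the hop name is separated from the payload by a `|` byte. It shows only the onion structure: no padding, no integrity protection, not secure.

```python
"""Chaum mix: layered public-key encryption, one layer per mix (added example)."""
import hashlib
import os
from dataclasses import dataclass

E = 65537
KEY_LEN = 16          # bytes of symmetric key wrapped in each layer
SEP = b"|"            # separates next-hop name from payload (names must not contain it)


@dataclass
class Mix:
    name: str
    n: int            # public modulus
    d: int            # private exponent, known only to this mix

    @property
    def pub(self):
        return (self.name, self.n)


def make_mix(name, p_exp, q_exp):
    """Toy RSA key pair from the Mersenne primes 2^p_exp-1 and 2^q_exp-1 (illustration only)."""
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    return Mix(name, p * q, pow(E, -1, (p - 1) * (q - 1)))


def _nbytes(n):
    return (n.bit_length() + 7) // 8


def _keystream_xor(key, data):
    """XOR data with SHA-256(key || block counter) blocks (toy stream cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def pk_encrypt(pub, plaintext):
    """Hybrid encryption: RSA-wrap a fresh random key, stream-encrypt the rest."""
    _, n = pub
    key = os.urandom(KEY_LEN)
    wrapped = pow(int.from_bytes(key, "big"), E, n).to_bytes(_nbytes(n), "big")
    return wrapped + _keystream_xor(key, plaintext)


def pk_decrypt(mix, ciphertext):
    cut = _nbytes(mix.n)
    key_int = pow(int.from_bytes(ciphertext[:cut], "big"), mix.d, mix.n)
    return _keystream_xor(key_int.to_bytes(KEY_LEN, "big"), ciphertext[cut:])


def build_onion(route, dest, msg):
    """Sender wraps msg for the last mix first, then for each earlier mix, so the
    outermost layer can be opened only by the first mix.  route: list of (name, n)."""
    hops = [name for name, _ in route] + [dest]
    layer = msg
    for i in range(len(route) - 1, -1, -1):
        layer = pk_encrypt(route[i], hops[i + 1].encode() + SEP + layer)
    return layer


def peel(mix, onion):
    """One mix removes exactly one layer; it learns the next hop and nothing else."""
    nxt, _, payload = pk_decrypt(mix, onion).partition(SEP)
    return nxt.decode(), payload


def deliver(mixes, route_names, dest, msg):
    """Simulate the forwarding chain.  Returns (payload reaching dest,
    {mix name: (next hop it learned, ciphertext it received)})."""
    by_name = {m.name: m for m in mixes}
    onion = build_onion([by_name[x].pub for x in route_names], dest, msg)
    observed, hop, blob = {}, route_names[0], onion
    while hop != dest:
        nxt, inner = peel(by_name[hop], blob)
        observed[hop] = (nxt, blob)
        hop, blob = nxt, inner
    return blob, observed


MIXES = [make_mix("A", 61, 89), make_mix("B", 107, 127), make_mix("C", 521, 607)]

if __name__ == "__main__":
    payload, seen = deliver(MIXES, ["A", "B", "C"], "dest", b"meet at noon")
    for name, (nxt, blob) in seen.items():
        print(f"Mix {name}: received {len(blob)} bytes, forwards to {nxt}")
    print("Destination got:", payload)
```

Two things the toy makes visible that the figure does not: each mix sees only the hop before and after it, and the ciphertext shrinks by one wrapped key per hop, which leaks a message's position in the chain. Chaum's design pads every layer to a constant size and batches messages before reordering them, so neither length nor timing links input to output.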

SLIDE 32

Realization of Mixes

Onion Routing (Office of Naval Research)

– http://www.onion-router.net

– service ended 01/2000

Freedom (Zero-Knowledge Systems, Canada)

– http://www.zeroknowledge.com

Java Anon Proxy (TU Dresden)

– http://anon.inf.tu-dresden.de

1.2 Privacy Models

SLIDE 33

Privacy Tools

Encryption tools

– Prevent others from listening in on your communications

Anonymity tools

– Prevent your actions from being linked to you

Transparency tools

– Make informed choices about how your information will be used

Trust tools

– Know that assurances about information practices are trustworthy

1.2 Privacy Models

SLIDE 34

Original Idea behind P3P

A framework for automated privacy discussions

– Web sites disclose their privacy practices in standard machine-readable formats
– Web browsers automatically retrieve P3P privacy policies and compare them to users’ privacy preferences
– Sites and browsers can then negotiate about privacy terms

1.2 Privacy Models

SLIDE 35

P3P1.0 – A First Step

Offers an easy way for web sites to communicate about their privacy policies in a standard machine-readable format

– Can be deployed using existing web servers

This will enable the development of tools that:

– Provide snapshots of sites’ policies – Compare policies with user preferences – Alert and advise the user

1.2 Privacy Models

SLIDE 36

A simple HTTP Transaction

Client → Web Server (request web page):
  GET /x.html HTTP/1.1
  Host: foo.com
  . . .

Web Server → Client (send web page):
  HTTP/1.1 200 OK
  Content-Type: text/html
  . . .

1.2 Privacy Models

SLIDE 37

P3P1.0 over HTTP

Client → Web Server (request web page):
  GET /x.html HTTP/1.1
  Host: foo.com
  . . .

Web Server → Client (send web page):
  HTTP/1.1 200 OK
  Opt: http://www.w3.org/2000/P3Pv1/; ns=11
  11-PolicyRef: http://foo.com/p3p.xml
  Content-Type: text/html
  . . .

Client → Web Server: request policy reference file
Web Server → Client: send policy reference file
Client → Web Server: request P3P policy
Web Server → Client: send P3P policy

1.2 Privacy Models

SLIDE 38

Example Privacy Policy

At CatalogExample, we care about your privacy. When you come to our site to look for an item, we will only use this information to improve our site and will not store it in an identifiable way. CatalogExample is a licensee of the PrivacySealExample Program. … Questions regarding this statement should be directed to: CatalogExample, 1-248-392-6753

When you browse through our site we collect:
– The basic information about your computer and connection, to make sure that we can get you the proper information and for security purposes
– Aggregate information on what pages consumers access or visit, to improve our site

We purge the browsing information that we collect regularly.

1.2 Privacy Models

SLIDE 39

P3P/XML Encoding

<POLICY xmlns="http://www.w3.org/2000/12/P3Pv1"
        discuri="http://www.catalog.example.com/Privacy.html">
  <ENTITY>
    <DATA-GROUP>
      <DATA ref="#business.name">CatalogExample</DATA>
      <DATA ref="#business.contact-info.telecom.telephonenum.intcode">1</DATA>
      <DATA ref="#business.contact-info.telecom.telephonenum.loccode">248</DATA>
      <DATA ref="#business.contact-info.telecom.telephonenum.number">3926753</DATA>
    </DATA-GROUP>
  </ENTITY>
  <ACCESS><nonident/></ACCESS>
  <DISPUTES-GROUP>
    <DISPUTES resolution-type="independent"
              service="http://www.PrivacySeal.example.org"
              short-description="PrivacySeal.example.org">
      <REMEDIES><correct/></REMEDIES>
      <IMG src="http://www.PrivacySeal.example.org/Logo.gif"/>
    </DISPUTES>
  </DISPUTES-GROUP>
  <STATEMENT>
    <PURPOSE><admin/><develop/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#dynamic.clickstream"/>
      <DATA ref="#dynamic.http"/>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>

1.2 Privacy Models
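What the user-agent side of slides 34 to 39 does with such a policy: locate the policy reference from the response headers, reduce the XML to its STATEMENTs and compare them with the user's preferences. This is an added example, not code from the slides or from any W3C reference implementation. The first XML is the slide's policy (entity and disputes parts omitted); the second is a constructed counter-example; the preference rules are a hypothetical stand-in for an APPEL rule set using the P3P 1.0 vocabulary.

```python
"""P3P policy discovery and evaluation on the user-agent side (added example)."""
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2000/12/P3Pv1"      # namespace used on the slide
NS = {"p": P3P_NS}

CATALOG_POLICY = f"""<POLICY xmlns="{P3P_NS}" discuri="http://www.catalog.example.com/Privacy.html">
  <ENTITY><DATA-GROUP><DATA ref="#business.name">CatalogExample</DATA></DATA-GROUP></ENTITY>
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
    <PURPOSE><admin/><develop/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http"/></DATA-GROUP>
  </STATEMENT>
</POLICY>"""

# Constructed counter-example: identified data, sold on, kept forever.
MARKETING_POLICY = f"""<POLICY xmlns="{P3P_NS}" discuri="http://www.catalog.example.com/Privacy.html">
  <ACCESS><all/></ACCESS>
  <STATEMENT>
    <PURPOSE><telemarketing/><individual-analysis/></PURPOSE>
    <RECIPIENT><ours/><unrelated/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP><DATA ref="#user.name"/><DATA ref="#user.home-info.postal"/></DATA-GROUP>
  </STATEMENT>
</POLICY>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def parse_policy(xml_text):
    """Reduce a P3P policy to ACCESS plus its STATEMENTs.  Fetch policies only
    from the site itself; for untrusted XML prefer a hardened parser (defusedxml)."""
    root = ET.fromstring(xml_text)
    access = [_local(c.tag) for c in root.find("p:ACCESS", NS)]
    statements = []
    for st in root.findall("p:STATEMENT", NS):
        statements.append({
            "purpose": [_local(c.tag) for c in st.find("p:PURPOSE", NS)],
            "recipient": [_local(c.tag) for c in st.find("p:RECIPIENT", NS)],
            "retention": [_local(c.tag) for c in st.find("p:RETENTION", NS)],
            "data": [d.get("ref") for d in st.iter(f"{{{P3P_NS}}}DATA")],
        })
    return {"access": access, "statements": statements}


# Hypothetical user preferences (what an APPEL rule set might express).
PREFS = {
    "forbid_purposes": {"telemarketing", "individual-analysis", "individual-decision"},
    "forbid_recipients": {"unrelated", "public", "other-recipient"},
    "forbid_retention": {"indefinitely"},
    "forbid_data_prefixes": ("#user.",),      # any identified user data
}


def evaluate(policy, prefs=PREFS):
    """Return human-readable objections; an empty list means 'accept'."""
    objections = []
    for i, st in enumerate(policy["statements"], 1):
        for key, field in (("forbid_purposes", "purpose"),
                           ("forbid_recipients", "recipient"),
                           ("forbid_retention", "retention")):
            hit = prefs[key] & set(st[field])
            if hit:
                objections.append(f"statement {i}: {field} {sorted(hit)} not allowed")
        bad = [d for d in st["data"] if d.startswith(prefs["forbid_data_prefixes"])]
        if bad:
            objections.append(f"statement {i}: collects identified data {bad}")
    return objections


def policyref_from_headers(headers):
    """Find the policy reference file URL.  Accepts the HTTP-Extension form on
    the slide (Opt: ...; ns=NN plus NN-PolicyRef) and the final P3P 1.0 form
    (P3P: policyref="...")."""
    prefix = None
    for name, value in headers:
        lname = name.lower()
        if lname == "opt" and "P3Pv1" in value and "ns=" in value:
            prefix = value.split("ns=", 1)[1].strip()
        elif lname == "p3p" and "policyref=" in value:
            return value.split("policyref=", 1)[1].split(",", 1)[0].strip().strip('"')
    if prefix:
        for name, value in headers:
            if name.lower() == f"{prefix}-policyref":
                return value.strip()
    return None


if __name__ == "__main__":
    print("catalog:", evaluate(parse_policy(CATALOG_POLICY)) or "accept")
    print("marketing:", evaluate(parse_policy(MARKETING_POLICY)))
```

The evaluation is only as good as the site's honesty: P3P lets a browser check a declared policy against preferences, it does not verify that the site behaves as declared, which is the same "good notices of bad practices" limit the seal programs have.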

SLIDE 40

Privacy Tools

Encryption tools

– Prevent others from listening in on your communications

Anonymity tools

– Prevent your actions from being linked to you

Transparency tools

– Make informed choices about how your information will be used

Trust tools

– Know that assurances about information practices are trustworthy

1.2 Privacy Models

SLIDE 41

Trust Tools

Privacy seals

– Only limited usefulness

Digital signatures

– Web of trust – Requires public-key infrastructure

Infomediaries (e.g. Microsoft Passport)

– Trusted Services that manage your privacy

1.2 Privacy Models

SLIDE 42

Infomediaries

Example: PrivacyBank.com
– Bookmark allows access to the privacy policy and automatic form-fill

[Screenshot: PrivacyBank bookmark]

1.2 Privacy Models

SLIDE 43

Infomediary example: PrivacyBank

[Screenshot: PrivacyBank bookmark]

1.2 Privacy Models

SLIDE 44

Privacy Tools

Encryption tools

– Prevent others from listening in on your communications

Anonymity tools

– Prevent your actions from being linked to you

Transparency tools

– Make informed choices about how your information will be used

Trust tools

– Know that assurances about information practices are trustworthy

How much of this works in ubicomp?

1.2 Privacy Models

SLIDE 45

Contents

Privacy primer

– Does privacy matter? – Privacy Models

Privacy in ubiquitous systems

– What’s so different about it? – Issues to address in ubicomp systems

Privacy-aware infrastructures

– A first attempt

Privacy in Ubiquitous Systems

SLIDE 46

The Ubicomp Vision

Small, lightweight, cheap, mobile processors and sensors

– in almost all everyday objects (“embedded computing”)
– on your body (“wearable computing”)
– embedded in the environment (“ambient intelligence”)

“In the 21st century, the technology revolution will move into the everyday, the small and the invisible…”

Mark Weiser (1952 – 1999), XEROX PARC

2.1 Privacy in Ubicomp

SLIDE 47

Unlimited Coverage

The Web: covers our digital life

– Shopping, chatting, news reading

Ubicomp: real-world deployment!

– Home, School, Office, Public Spaces, ...

Covers all of our life, comprehensively!

– Day in, day out – from cradle to grave

No switch to turn it off?

– Constant, seamless surveillance possible

2.1 Privacy in Ubicomp

SLIDE 48

Loss of Awareness

Surveillance and data collection today

– Stores, credit card applications, sweepstakes

Ubicomp: invisible computing

– Computers disappear into the environment

When am I giving out data?

– Fingerprint could be taken without notice

When am I under surveillance?

– Life recorders, room computers, smart cups

2.1 Privacy in Ubicomp

SLIDE 49

New Types of Data

Last 50 years of data collection

– Identity, contact info, preferences, …

Ubicomp: advanced sensors

– New data (location, health, habits, …) – More detailed & precise (24/7)

Does the system know more than I?

– Body sensors detect moods – Nervous? Floor & seat sensors, eye tracker

2.1 Privacy in Ubicomp

SLIDE 50

More Data, More Knowledge

Traditional data, traditional use

– Compiling mailing lists, predicting trends, …

Ubicomp: smartness through context

– Context is distilled sensory information

Encourages increased data collection

– More data means more, better context

Innocuous data can lead to new knowledge

– Data mining: more than the sum of its parts

2.1 Privacy in Ubicomp

SLIDE 51

Contents

Privacy primer

– Does privacy matter? – Privacy Models

Privacy in ubiquitous systems

– What’s so different about it? – Issues to address in ubicomp systems

Privacy-aware infrastructures

– A first attempt

Privacy in Ubiquitous Systems

SLIDE 52

1. Notice

No hidden data collection!

– Legal requirement in many countries

Established means: privacy policies

– Who, what, why, how long, etc. ...

How to publish policies in Ubicomp?

– Periodic broadcasts
– Privacy service?

Too many devices?

– Countless announcements become an annoyance

2.2 Challenges

SLIDE 53

2. Choice & Consent

Laws require explicit consent by the user

– Usually a signature or pressing a button

True consent requires true choice

– More than “take it or leave it”

How to ask without a screen?

– Designing UIs for embedded systems, or
– Finding means of delegation (is this legal?)

Providing conditional services

– Can there be levels of location tracking?

2.2 Challenges

SLIDE 54

3. Anonymity, Pseudonymity

Anonymous data comes cheap

– No consent, security, or access provisions needed

Pseudonyms allow for customization

– The user can discard them at any time

Sometimes one cannot hide!

– No anonymizing cameras & microphones

Real-world data is hard to anonymize

– Even pseudonyms can reveal true identity

2.2 Challenges
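Why "even pseudonyms can reveal true identity" for real-world data: a location trace tagged only with a pseudonym still shows where its owner sleeps and where they work, and those two anchors are usually enough to look the person up. This is an added example, not from the slides; the traces, the grid cells and the two directories are all constructed, and the daily rotation of pseudonyms is assumed to show that rotation alone does not help.

```python
"""Re-identifying pseudonymous location traces from home/work anchors (added example)."""
from collections import Counter, defaultdict


def _day(pseudonym, day, home, work):
    """Constructed hourly trace: home 22:00-06:00, work 09:00-17:00, transit otherwise."""
    rows = []
    for hour in range(24):
        if hour < 6 or hour >= 22:
            cell = home
        elif 9 <= hour < 17:
            cell = work
        else:
            cell = "transit"
        rows.append((pseudonym, day, hour, cell))
    return rows


# Two people, two days each; the pseudonym rotates every day (constructed data).
SAMPLES = (_day("p-7f3a", 1, "H1", "W1") + _day("p-c912", 2, "H1", "W1") +
           _day("p-0be4", 1, "H2", "W2") + _day("p-55d0", 2, "H2", "W2"))

# Constructed lookups an adversary can consult: residents per home cell
# (a phone book) and employees per work cell (a staff list).
HOME_DIR = {"H1": ["Alice", "Bob"], "H2": ["Dave"]}
WORK_DIR = {"W1": ["Alice", "Carol"], "W2": ["Dave", "Erin"]}


def infer_anchors(samples):
    """For each pseudonym: most frequent cell at night (home) and in working hours (work)."""
    counts = defaultdict(lambda: {"home": Counter(), "work": Counter()})
    for pseud, _day_no, hour, cell in samples:
        if hour < 6 or hour >= 22:
            counts[pseud]["home"][cell] += 1
        elif 9 <= hour < 17:
            counts[pseud]["work"][cell] += 1
    return {p: {k: (c.most_common(1)[0][0] if c else None) for k, c in d.items()}
            for p, d in counts.items()}


def link_pseudonyms(anchors):
    """Rotating pseudonyms that share a (home, work) pair collapse into one person."""
    groups = defaultdict(list)
    for pseud, a in anchors.items():
        groups[(a["home"], a["work"])].append(pseud)
    return dict(groups)


def reidentify(anchors, home_dir, work_dir):
    """Intersect residents of the home cell with employees of the work cell."""
    out = {}
    for pseud, a in anchors.items():
        cands = set(home_dir.get(a["home"], [])) & set(work_dir.get(a["work"], []))
        out[pseud] = sorted(cands)
    return out


if __name__ == "__main__":
    anchors = infer_anchors(SAMPLES)
    print("anchors:", anchors)
    print("linked:", link_pseudonyms(anchors))
    print("identities:", reidentify(anchors, HOME_DIR, WORK_DIR))
```

The attack needs no identifier in the data at all, only regularity plus an outside directory; coarser cells or fewer samples at night make the intersection larger but rarely empty, which is the practical reason the slide treats sensor data as a harder problem than web logs.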

SLIDE 55

4. Meeting Expectations

Ubicomp invisibly augments the real world

Old habits adapt slowly (if ever)

– People expect solitude to mean privacy
– Strangers usually don’t know me

No spying, please (Proximity)

– Devices only record if the owner is present

Rumors should not spread (Locality)

– Local information stays local
– Walls and flower-pots can talk (but won’t do so over the phone)

2.2 Challenges

SLIDE 56

5. Security

No one-size-fits-all solutions

– High security for back-end storage
– Low security for low-power sensors

The real world has complex, situation-dependent security requirements

– Free access to medical data in emergency situations

Context-specific security?

– Depending on device battery status – Depending on types of data, transmission – Depending on locality, situation

2.2 Challenges

SLIDE 57

6. Access & Recourse

Identifiable data must be accessible

– Users can review, change, sometimes delete

Collectors must be accountable

– Privacy-aware storage technology?

Ubicomp applications want lots of data

– Increased need for accounting and access

Carefully consider what is relevant

– How much data do I really need?

2.2 Challenges

SLIDE 58

Contents

Privacy primer

– Does privacy matter? – Privacy Models

Privacy in ubiquitous systems

– What’s so different about it? – Issues to address in ubicomp systems

Privacy-aware infrastructures

– A first attempt

Privacy in Ubiquitous Systems

SLIDE 59

Privacy Infrastructures

[Figure: architecture sketch with the following elements: The Internet; PA (Privacy Assistant); Privacy Beacon; Devices; Printer Counterpart; Camera Counterpart; PA Counterpart; a Privacy Policy delivered to the PA, which answers Accept / Decline]

3. Privacy Infrastructures
SLIDE 60

Privacy Infrastructures

Project Status

– Started Aug 2001 – Currently implementing initial components

Challenges

– Policy broadcasts, privacy services, user interface, data management, ...

Goals

– Operational prototype for trying out new concepts

3. Privacy Infrastructures
SLIDE 61

Privacy Infrastructures

Current activities

– Backend storage (privacy-aware database)
– Policy/data exchange protocol and management (application server)
– Preferences editor (APPEL)
– Development tools (testing & verification)

Next steps

– Low-level protocols (anonymity, power efficiency, …) – Privacy assistant design (handheld)

3. Privacy Infrastructures
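A sketch of the beacon-to-PA exchange from the architecture slide (policy broadcast, Accept / Decline reply) that also addresses two of the challenges listed earlier: announcements must be authenticated, or any device could spoof a friendlier policy, and with many devices the PA must not re-prompt the user for a policy it has already decided. This is an added, hypothetical example, not the ETH project's code. Assumptions: policies are small dicts rather than the project's exchange format, an HMAC with a pre-shared key stands in for a beacon signature, and the preference rules are illustrative.

```python
"""Privacy beacon announcements and a privacy assistant deciding accept/decline (added example)."""
import hashlib
import hmac
import json

BEACON_KEY = b"demo-preshared-key"   # assumption: stand-in for the beacon's signing key


def canonical(policy):
    """Deterministic encoding so digest and tag do not depend on dict order."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def beacon_announce(policy, key=BEACON_KEY):
    """Build one broadcast frame: policy digest, policy body, authentication tag."""
    body = canonical(policy)
    return {"digest": hashlib.sha256(body).hexdigest(), "policy": policy,
            "tag": hmac.new(key, body, "sha256").hexdigest()}


class PrivacyAssistant:
    def __init__(self, prefs, key=BEACON_KEY):
        self.prefs, self.key = prefs, key
        self.decisions = {}     # policy digest -> "accept" / "decline"
        self.prompts = 0        # how often the user would actually be asked

    def _verify(self, frame):
        body = canonical(frame["policy"])
        expected = hmac.new(self.key, body, "sha256").hexdigest()
        return (hmac.compare_digest(frame["tag"], expected)
                and frame["digest"] == hashlib.sha256(body).hexdigest())

    def _judge(self, policy):
        p = self.prefs
        ok = (policy["purpose"] in p["allowed_purposes"]
              and not (set(policy["data"]) & p["forbidden_data"])
              and policy["retention_hours"] <= p["max_retention_hours"]
              and set(policy["recipients"]) <= p["allowed_recipients"])
        return "accept" if ok else "decline"

    def handle(self, frame):
        """Reply to one announcement: reject unauthenticated frames outright,
        otherwise decide once per distinct policy and answer from the cache."""
        if not self._verify(frame):
            return "reject-unauthenticated"
        digest = frame["digest"]
        if digest not in self.decisions:
            self.prompts += 1            # a real PA would show UI or consult APPEL rules here
            self.decisions[digest] = self._judge(frame["policy"])
        return self.decisions[digest]


# Illustrative preferences and two constructed device policies.
PREFS = {"allowed_purposes": {"security", "service-delivery"},
         "forbidden_data": {"audio", "identity"},
         "max_retention_hours": 48,
         "allowed_recipients": {"owner"}}
CAMERA_POLICY = {"collector": "lobby-camera", "data": ["video"], "purpose": "security",
                 "retention_hours": 24, "recipients": ["owner"]}
PRINTER_POLICY = {"collector": "printer-2", "data": ["document-content", "identity"],
                  "purpose": "service-delivery", "retention_hours": 0,
                  "recipients": ["owner", "vendor"]}


if __name__ == "__main__":
    pa = PrivacyAssistant(PREFS)
    cam = beacon_announce(CAMERA_POLICY)
    print("camera:", [pa.handle(cam) for _ in range(3)], "prompts:", pa.prompts)
    print("printer:", pa.handle(beacon_announce(PRINTER_POLICY)))
    print("spoofed:", pa.handle(beacon_announce(CAMERA_POLICY, key=b"attacker")))
```

The digest cache is what turns "countless announcements" into one decision per policy; the tag check is what stops a rogue device from advertising a harmless policy while collecting something else. A pre-shared key only works inside one administrative domain, so across domains the beacon would need a public-key signature and the PA a way to learn which keys to trust, which is the same key-authentication problem noted for public-key cryptography earlier in the deck.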
SLIDE 62

The Take Home Message

Many questions, few answers

– Technology, laws still to evolve

Ubicomp adds a new quality to privacy

– Invisible, real-world coverage, comprehensive collection, inconspicuous

Ubicomp (privacy) challenges

– User interface (notice, choice, consent)
– Protocols (anonymity, security, access)
– Social acceptance (user expectations)

Summary & Conclusions

SLIDE 63

Call for papers: www.pervasive2002.org (ETH Zurich & IBM Research)

Topics:
– System architectures and platforms for pervasive computing
– Mobile, wireless, and wearable technologies
– Emerging applications and mobile business issues
– Scenarios for information appliances
– Content distribution and delivery
– User interfaces for invisible and embedded computing
– Context awareness
– Security and privacy issues

Paper submissions due February 22, 2002