Privacy-Aware Design for Physical Infrastructure
Prof. Stephen Wicker
Cornell University
Sensor Networks for Infrastructure Protection
• Protecting Infrastructure
  ◦ Opportunities for embedding sensor networks: Power Grid/SCADA, Transportation, Water and Fuel
  ◦ Driven by development of supporting technology for randomly distributed, wireless sensors
• Buildings
  ◦ Combine surveillance with energy control
  ◦ Integrate into building materials
• Open Spaces (parks, plazas, etc.)
  ◦ Combine surveillance with environmental monitoring
  ◦ Line-of-sight surveillance technologies
Privacy Issues
• Sensor networks collect data. Privacy issues follow.
• Standard Problems: Data Security and Integrity
  ◦ Protection against hackers, etc.
• Evolving Problem: Data Presence
  ◦ We need protection against those who collect the data: cellular service providers, ISPs, …
A Moral Hazard: The Market for Information
• The goal of information collection is discrimination (Oscar Gandy, The Panoptic Sort)
• Highly-focused marketing strategies make money
  ◦ Telemarketing was a $662 billion a year industry in 2003
The Impact of Pervasive Surveillance
• Big Brother Syndrome – passive behavior in response to surveillance (epistemic impact)
• Kafka Syndrome – an extreme imbalance between the individual and private and public bureaucracies
“A new mode of obtaining power of mind over mind, in a quantity hitherto without example.” Jeremy Bentham, The Panopticon Writings
“Hence the major effect of the Panopticon: to induce in the inmate a state of conscious and permanent visibility that assures the automatic functioning of power.” Michel Foucault, Discipline and Punish
Mitigation: Electronic Communications Privacy Act of 1986
• Amendment to Title III of Omnibus Crime Control Bill (1968 Wire Tap Statute)
  ◦ Title I: Electronic Communications in Transit
    Content of communication
    Strictest standards for warrants
  ◦ Title II: Stored Electronic Communication
    Weaker standards
    Where does e-mail fit in?
  ◦ Title III: Pen Register/Trap and Trace Devices
    Context of communication
    Information obtained must be relevant and material to an ongoing investigation
• Weakened by PATRIOT Act “National Security Letters”
Obtaining Cellular Records
• Prior to 2005, law enforcement agencies were routinely granted access to location data without judicial oversight
  ◦ “Relevant and material” is pretty weak…
• August 2005 – Federal District Court in NY turns down request for cellular data
  ◦ Required evidence of probable cause.
• Undeniable good can be done
  ◦ Thief stole a woman’s car with phone and child inside. Location data used to find and stop the car within 30 minutes
  ◦ Uncountable E911 calls
• But…
  ◦ People should have a choice
  ◦ The presence of the data remains a threat.
    Money too attractive
    Potential for governmental abuse too great
A General Solution: Privacy-Aware Design
• Design systems so as to minimize privacy threat.
• Such design practices are a moral obligation given the potential harm to the individual.
  ◦ Argument for another day: Kantian emphasis on the individual vs. Benthamite stress on the greatest good for the greatest number.
Privacy-Aware Design Practices
1. Provide full disclosure of data collection
2. Require consent to data collection
3. Minimize collection of personal data
4. Minimize identification of data with individuals
5. Minimize and secure retained data.
• Analogous to the 1973 U.S. Fair Information Practices and the 1980 OECD Guidelines.
Provide Full Disclosure of Data Collection
  ◦ Description requirement
  ◦ Enforceability requirement (FTC – privacy statements)
  ◦ Irrevocability requirement
  ◦ Intelligibility requirement
Require Consent to Data Collection
  ◦ Acknowledgement requirement
  ◦ Opt-in requirement
    See U.S. West v. Federal Communications Commission (182 F.3d 1224, 10th Circuit 1999)
Minimize Collection of Personal Data (1)
• Establish functional requirement for collection
  ◦ Match data to the mission: type, resolution
  ◦ Collection must be necessary to the functionality of the communication system
    Not just an easier or cost-effective alternative
    Collection of data for “testing” is a grey area
Minimize Collection of Personal Data (2)
• Distributed processing requirement
  ◦ Process data as close to the source as possible
    Functional/destructive processing
    Aggregation prior to centralized collection
  ◦ Limits potential for re-use and hacking
• Technical Problem! Demand-Response without centralized data collection
  ◦ Develop an architecture that supports demand-response without collecting fine-grained power consumption data.
  ◦ Secure local processing loop
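One way to realize the aggregation-before-collection idea for demand-response, given here as an added illustration and not as a design from the slides: meters in a neighbourhood additively mask their readings among themselves, so the utility recovers the exact neighbourhood total while every report it receives is uniformly random. The modulus, neighbourhood size and Wh readings are constructed sample values.

```python
"""Privacy-preserving demand-response aggregation (added example).

Each meter splits its reading into additive shares (mod M) handed to the
other meters in its neighbourhood; every meter then reports only the sum of
the shares it holds.  The utility adds the reports to obtain the exact
neighbourhood total, but no single report reveals one home's consumption.
All values below are constructed for the example.
"""
import secrets

M = 2**32  # modulus; must exceed the largest possible neighbourhood total


def split_reading(reading: int, n: int) -> list[int]:
    """Split `reading` into n shares whose sum is `reading` mod M."""
    shares = [secrets.randbelow(M) for _ in range(n - 1)]
    shares.append((reading - sum(shares)) % M)  # last share fixes the sum
    return shares


def aggregate(readings: list[int]) -> tuple[list[int], int]:
    """Run one reporting round for a neighbourhood of meters.

    Returns (reports the utility sees, total the utility recovers).
    Caveat: if all other meters collude, the remaining reading is exposed,
    so neighbourhood size is a design parameter, not a detail.
    """
    n = len(readings)
    # share_table[i][j] = share of meter i's reading handed to meter j
    share_table = [split_reading(r, n) for r in readings]
    # meter j reports the sum of all shares it received (including its own)
    reports = [sum(share_table[i][j] for i in range(n)) % M for j in range(n)]
    total = sum(reports) % M  # the only value the utility needs
    return reports, total


if __name__ == "__main__":
    readings = [1200, 850, 3100, 40]  # constructed Wh readings for 4 homes
    reports, total = aggregate(readings)
    print("utility sees:", reports)
    print("recovered total:", total, "| true total:", sum(readings))
```

Meter dropouts and key distribution for the share exchange are the practical problems any real deployment of this pattern has to solve.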
Minimize Identification with Individuals
• Does the technology require association of data with an individual or with his/her equipment?
• Non-Attribution Requirement
  ◦ Track equipment, not the user
• Separate Storage Requirement
  ◦ Authentication/billing records should be separate from “functional” records.
  ◦ Isolation of records should be cryptographically secure.
• Technical Problem! Private use of public service.
  ◦ Assume a pool of valid users.
  ◦ How does a user show that they are in the pool without identifying themselves?
  ◦ Cryptographic primitives?
Minimize and Secure Data Retention
• Functional Requirement for Retention
  ◦ Retention should be directly connected to functionality
  ◦ Otherwise, opt-in required (at a minimum)
• Basic Security Requirement
  ◦ Inadvertent disclosure should be difficult to impossible.
• Non-Reusability Requirement
  ◦ Use of data in an undisclosed manner is difficult to impossible
Example: Privacy-Aware Cellular Registration
• What is required for registration?
  ◦ HLR/home MSC needs to know how to route incoming calls
  ◦ VLR/gateway MSC needs to authenticate user
• MS Registration – data-minimal solution
  ◦ Token identifies MS’s associated HLR
  ◦ Provide sufficient info to HLR for authentication
    Public-key encrypted ID
    Zero-knowledge proof
• HLR Operation
  ◦ Return authentication to VLR/GMSC
  ◦ Associate current GMSC and registration number with user phone number
    No way around this – needed for incoming calls
    No need for further location resolution
    No need for long-term retention after user moves on.
Conclusion
• Sensor networks offer a powerful means for securing and monitoring critical infrastructure.
• Data collection creates a clear problem for the individual and the collecting authority.
  ◦ Seemingly impersonal data can still be a problem.
  ◦ Particular issue in the EU, where extensive regulations protect the individual against corporate abuse.
• Privacy-aware design rules provide an important tool as sensors are deployed to protect critical infrastructure.