Extending context models for privacy in pervasive computing environments

Jadwiga Indulska, The School of Information Technology and Electrical Engineering, The University of Queensland


Page 1: Extending context models for privacy in pervasive computing environments

Extending context models for privacy in pervasive computing environments

Jadwiga Indulska

The School of Information Technology and Electrical Engineering, The University of Queensland

Page 2: Extending context models for privacy in pervasive computing environments

Talk outline

- Pervasive computing
- Challenges in privacy enforcement
- Modelling of context information
- Requirements for ownership definitions
- Capturing ownership
- Context schemas
- Privacy enforcement based on ownership
- Summary

Page 3: Extending context models for privacy in pervasive computing environments

Pervasive computing

- Relies on context information to dynamically adapt to user requirements
- Context information obtained from:
  - Sensors
  - User profiles
  - Applications
  - Derivation mechanisms
- Some types of context info can be sensitive (e.g., user location and activity)
- Sensitive context needs protection => privacy enforcement

Page 4: Extending context models for privacy in pervasive computing environments

Challenges in privacy enforcement

- Loose couplings between people and resources
- Often no direct link between context source and owner (e.g., camera and people captured by camera)
- Heterogeneous privacy requirements due to:
  - Differences in information sensitivity
  - Differences in user preferences
  - Context-dependent changes in preferences
- Ownership may be context-dependent

Page 5: Extending context models for privacy in pervasive computing environments

Ownership of context information

- Issue of context ownership is largely ignored
- Context management systems either:
  - provide no privacy support, or
  - assume prior organisation of information by owner
- Our work addresses it directly and integrates ownership information into context models
- Ownership is captured at level of:
  - Object types
  - Fact types
  - Situations

Page 6: Extending context models for privacy in pervasive computing environments

Modelling of context information

- We use a fact-based modelling approach (CML)
- In this approach, developers define:
  - Entity types about which context information is represented
  - Types of context information represented (context fact types)
  - Sources of context information
  - Quality annotations (quality metadata about facts)
  - Dependencies between facts
  - Various other constraints and metadata on fact types

Page 7: Extending context models for privacy in pervasive computing environments

Example CML model

[Diagram: object types Person, Activity, Device, Place, Organisation and DeviceType, connected by the fact types engagedIn, locatedAt, owns, canUse, ownedBy, controlledBy and hasType; legend marks fact types as Profiled, Sensed or Temporal and shows uniqueness constraints]

Page 8: Extending context models for privacy in pervasive computing environments

Terminology

- Object type:
  - Modelled as an ellipse in CML
  - Class of entity described in context information (e.g., Person)
- Fact type:
  - Modelled as role boxes in CML
  - Relation on one or more object types (e.g., locatedAt)
- Object:
  - Instance of an object type (e.g., the person Alice)

Page 9: Extending context models for privacy in pervasive computing environments

Terminology (cont.)

- Situation:
  - Describes context at a higher level than facts
  - Defined using a variation of predicate logic
  - Expresses conditions on context
  - Evaluates to a truth value (true, false, or unknown)
  - E.g.,

    MeetingInProgress(room): person • locatedAt[person, room] • engagedIn[person, meeting]

Page 10: Extending context models for privacy in pervasive computing environments

Requirements for ownership definitions

- Context models instantiated as large fact bases => ownership must be scalable
- Ownership must be definable at:
  - organisational level
  - individual level
- Ownership must be context-dependent
- Owners of context information should have access at all times
- Context ownership (potentially) shared by multiple entities

Page 11: Extending context models for privacy in pervasive computing environments

Capturing ownership

- Ownership expressed through SQL-like context schema
- Our approach has clear benefits:
  - Context can be owned by multiple entities
  - Ownership can be context-dependent
- Ownership supported on:
  - Object types
  - Fact types
  - Situations

Page 12: Extending context models for privacy in pervasive computing environments

Ownership of object types

- 3 classes of ownership for object types:
  - First class (capable of owning)
  - Second class (can be owned)
  - Third class (never have owners)
- E.g., a person (first class) owns a laptop (second class), which has a device type (third class)
- Default ownership of a context fact is defined as the union of the owners of objects participating in roles

Page 13: Extending context models for privacy in pervasive computing environments

Object type classes

[Diagram: the example CML model (Person, Activity, Device, Place, Organisation, DeviceType with fact types engagedIn, locatedAt, owns, canUse, ownedBy, controlledBy, hasType), with each object type labelled 1st Class, 2nd Class or 3rd Class]

Page 14: Extending context models for privacy in pervasive computing environments

Ownership of fact types

- Can override default fact ownership by defining ownership explicitly on fact types
- Facts may have 0, 1 or multiple owners
- 0 owners:
  - Can be accessed by anyone
  - No privacy preferences applied
- 1, multiple owners:
  - Always accessible to owners
  - Disclosed according to preferences of all owners

Page 15: Extending context models for privacy in pervasive computing environments

Ownership of situations

- Situations are defined in terms of context facts and logical connectives (and, or, not, exists, forall)
- Evaluating ownership on each fact is expensive!
- Assigning ownership to the entire situation is cheaper
- Situations can be:
  - Unowned
  - Owned by 1 entity
  - Owned by multiple entities
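As an added illustration (Python written for this page, not code from the talk or its authors), the following resolves owners under the rules of slides 12 to 15: first-class objects own themselves, third-class objects have no owner, a second-class Device is owned by whoever is currently using it (the context-dependent OWNED BY query), locatedAt carries an explicit OWNED BY person, and every other fact defaults to the union of its participants' owners. The object types, fact types and fact base are constructed for the example; a Device that nobody is using makes its hasType fact unowned.

```python
# Constructed schema and fact base for the example; not the talk's own code.
from typing import Callable, Dict, FrozenSet, List, Tuple

Owners = FrozenSet[str]
Fact = Tuple[str, ...]            # objects filling the roles of one context fact
FactBase = Dict[str, List[Fact]]  # fact type -> its current facts

# Class 1 objects own themselves; class 3 objects never have owners.
OBJECT_TYPES: Dict[str, int] = {"Person": 1, "Organisation": 1, "Device": 2,
                                "Place": 3, "DeviceType": 3}
ROLES: Dict[str, Tuple[str, ...]] = {"using": ("Person", "Device"),
    "locatedAt": ("Person", "Place"), "canUse": ("Person", "Device"),
    "hasType": ("Device", "DeviceType")}
# SECOND CLASS Device OWNED BY SELECT person FROM using WHERE using.device = Device
OWNER_QUERIES: Dict[str, Callable[[FactBase, str], Owners]] = {
    "Device": lambda fb, dev: frozenset(p for p, d in fb.get("using", []) if d == dev)}
# CREATE SENSED FACT TYPE locatedAt(Person person KEY, Place place) OWNED BY person
FACT_OWNER_ROLE: Dict[str, int] = {"locatedAt": 0}   # role index named in OWNED BY

def owners_of_object(obj: str, otype: str, fb: FactBase) -> Owners:
    cls = OBJECT_TYPES[otype]
    if cls == 1:
        return frozenset({obj})
    if cls == 3:
        return frozenset()
    return OWNER_QUERIES[otype](fb, obj)   # context-dependent; empty if nobody uses it

def owners_of_fact(ftype: str, fact: Fact, fb: FactBase) -> Owners:
    """Explicit OWNED BY names one role; otherwise the default applies:
    the union of the owners of every object participating in the fact."""
    roles = ROLES[ftype]
    if ftype in FACT_OWNER_ROLE:
        i = FACT_OWNER_ROLE[ftype]
        return owners_of_object(fact[i], roles[i], fb)
    return frozenset().union(*(owners_of_object(o, t, fb) for o, t in zip(fact, roles)))

def demo() -> Dict[str, Owners]:
    # Constructed fact base: alice is using laptop1, nobody is using tablet7.
    fb: FactBase = {"using": [("alice", "laptop1")], "locatedAt": [("alice", "room42")],
                    "canUse": [("bob", "laptop1")],
                    "hasType": [("laptop1", "Laptop"), ("tablet7", "Tablet")]}
    return {"locatedAt": owners_of_fact("locatedAt", fb["locatedAt"][0], fb),
            "canUse": owners_of_fact("canUse", fb["canUse"][0], fb),
            "hasType(laptop1)": owners_of_fact("hasType", fb["hasType"][0], fb),
            "hasType(tablet7)": owners_of_fact("hasType", fb["hasType"][1], fb)}
```

The canUse fact ends up owned by both bob (a participant) and alice (laptop1's current user), so on slide 14's rules it is disclosed only according to both owners' preferences.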

Page 16: Extending context models for privacy in pervasive computing environments

Context schemas

- Loosely based on SQL
- Alternative textual format for modelling context
- Defines object types in domain
- Fact types defined in terms of object types
- Situations defined in terms of fact types
- Used as input for schema compiler which can be hooked up to tools for generating various outputs (e.g., model-specific helper classes for context manipulation)
- Can be extended with ownership information

Page 17: Extending context models for privacy in pervasive computing environments

Object type declarations

- First class objects
  - Tagged "FIRST CLASS", e.g., FIRST CLASS Person
- Second class objects
  - Tagged "SECOND CLASS"
  - Must also be "OWNED BY" a first class object
  - Ownership may be context-dependent, e.g.,

    SECOND CLASS Device OWNED BY
        SELECT person FROM Using WHERE using.device = Device

- Third class objects
  - Tagged "THIRD CLASS", e.g., THIRD CLASS DeviceType

Page 18: Extending context models for privacy in pervasive computing environments

Fact type declarations

- Fact types declared separately
- Declaration includes:
  - Object types participating in fact type roles
  - Optional ownership information (default ownership is assumed if not present)
- For example:

    CREATE SENSED FACT TYPE locatedAt(
        Person person KEY,
        Place place ALTROLE
    ) OWNED BY person

Page 19: Extending context models for privacy in pervasive computing environments

Situation declarations

Example situation ownership definition:

    CREATE SITUATION Engaged(device) … OWNED BY
        SELECT person FROM owns WHERE owns.device = device
        UNION SELECT organisation FROM ownedBy WHERE ownedBy.device = device

Page 20: Extending context models for privacy in pervasive computing environments

Privacy enforcement based on ownership

- Modelling ownership is a first step towards enforcing privacy
- However, we also require information about owners' privacy requirements
- We express these requirements using our previously defined model for context-dependent preferences

Page 21: Extending context models for privacy in pervasive computing environments

Privacy enforcement based on ownership (cont.)

- Privacy preferences contain:
  - A scope statement (listing activation conditions)
  - A scoring expression (oblige or prohibit)
- Scope statement can contain the following variables:
  - Requester
  - Owner
  - Purpose
  - Fact type or situation
  - Fact type attributes OR situation variables
- We are developing an access control scheme that incorporates our ownership and preference models
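As an added illustration (Python written for this page, not the talk's access control scheme), the following combines a fact's resolved owner set with the preference model of slide 21: each preference has an owner, a scope statement over the requester, purpose, target fact type or situation and its attributes, and an oblige/prohibit scoring expression. The combination rule is this example's assumption, since the talk does not fix one: unowned facts are open, owners always have access, any active prohibit denies, and otherwise every owner must actively oblige disclosure.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List

@dataclass
class Request:                      # the scope variables of slide 21
    requester: str
    purpose: str
    target: str                     # fact type or situation name
    attrs: Dict[str, str] = field(default_factory=dict)  # fact attributes / situation variables

@dataclass
class Preference:
    owner: str
    scope: Callable[[Request], bool]  # activation condition over the scope variables
    score: str                        # scoring expression: "OBLIGE" or "PROHIBIT"

def decide(req: Request, owners: FrozenSet[str], prefs: List[Preference]) -> str:
    """Access decision for one fact or situation; owners is its resolved owner set.
    Combination rule (this example's assumption): any active PROHIBIT denies,
    else every owner must actively OBLIGE, else deny by default."""
    if not owners:                                  # 0 owners: anyone, no preferences
        return "ALLOW: unowned"
    if req.requester in owners:                     # owners always have access
        return "ALLOW: requester is an owner"
    active = [p for p in prefs if p.owner in owners and p.scope(req)]
    if any(p.score == "PROHIBIT" for p in active):
        return "DENY: prohibited by owner preference"
    obliging = {p.owner for p in active if p.score == "OBLIGE"}
    missing = sorted(owners - obliging)
    if not missing:
        return "ALLOW: all owners oblige disclosure"
    return "DENY: no active preference from " + ", ".join(missing)

def demo() -> Dict[str, str]:
    # Constructed: a canUse fact owned by both alice and bob (default ownership).
    owners = frozenset({"alice", "bob"})
    prefs = [
        Preference("alice", lambda r: r.purpose == "scheduling"
                   and r.attrs.get("time") == "office", "OBLIGE"),
        Preference("alice", lambda r: r.purpose == "marketing", "PROHIBIT"),
        Preference("bob", lambda r: r.purpose == "scheduling", "OBLIGE"),
    ]
    return {
        "owner": decide(Request("bob", "any", "canUse"), owners, prefs),
        "office": decide(Request("carol", "scheduling", "canUse", {"time": "office"}), owners, prefs),
        "night": decide(Request("carol", "scheduling", "canUse", {"time": "night"}), owners, prefs),
        "marketing": decide(Request("carol", "marketing", "canUse"), owners, prefs),
        "unowned": decide(Request("carol", "marketing", "hasType"), frozenset(), prefs),
    }
```

The "night" case shows the context-dependent part: bob still obliges, but alice's scope is inactive outside office hours, so the shared fact stays undisclosed.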

Page 22: Extending context models for privacy in pervasive computing environments

Summary

- Sensitive context information requires privacy enforcement
- One of the challenges is in first determining ownership of context information
- We support ownership declarations as an extension to context models
- Ownership declarations can be defined at three levels:
  - Object level
  - Fact type level
  - Situation level
- Ownership information can be combined with context-dependent privacy preferences to provide access control for pervasive computing environments