Privacy-Aware Design for Physical Infrastructure Prof. Stephen Wicker Cornell University


Post on 21-Mar-2016



TRANSCRIPT

Page 1: Privacy-Aware Design for Physical Infrastructure

Prof. Stephen Wicker, Cornell University

Page 2: Sensor Networks for Infrastructure Protection

• Protecting Infrastructure
  ◦ Opportunities for embedding sensor networks
    - Power Grid/SCADA
    - Transportation
    - Water and Fuel
  ◦ Driven by development of supporting technology for randomly distributed, wireless sensors
• Buildings
  ◦ Combine surveillance with energy control
  ◦ Integrate into building materials
• Open Spaces (parks, plazas, etc.)
  ◦ Combine surveillance with environmental monitoring
  ◦ Line-of-sight surveillance technologies

Page 3: Privacy Issues

• Sensor networks collect data. Privacy issues follow.
• Standard Problems: Data Security and Integrity
  ◦ Protection against hackers, etc.
• Evolving Problem: Data Presence
  ◦ We need protection against those who collect the data.
    - Cellular Service Providers
    - ISPs
    - …

Page 4: A Moral Hazard: The Market for Information

• The goal of information collection is discrimination (Oscar Gandy, The Panoptic Sort).
• Highly-focused marketing strategies make money.
  ◦ Telemarketing was a $662 billion a year industry in 2003.

Page 5: The Impact of Pervasive Surveillance

• Big Brother Syndrome – passive behavior in response to surveillance (epistemic impact)
• Kafka Syndrome – an extreme imbalance between the individual and private and public bureaucracies

“A new mode of obtaining power of mind over mind, in a quantity hitherto without example.” – Jeremy Bentham, The Panopticon Writings

“Hence the major effect of the Panopticon: to induce in the inmate a state of conscious and permanent visibility that assures the automatic functioning of power.” – Michel Foucault, Discipline and Punish

Page 6: Mitigation: Electronic Communications Privacy Act of 1986

• Amendment to Title III of the Omnibus Crime Control Bill (1968 Wire Tap Statute)
  ◦ Title I: Electronic Communications in Transit
    - Content of communication
    - Strictest standards for warrants
  ◦ Title II: Stored Electronic Communication
    - Weaker standards
    - Where does e-mail fit in?
  ◦ Title III: Pen Register/Trap and Trace Devices
    - Context of communication
    - Information obtained must be relevant and material to an ongoing investigation
• Weakened by PATRIOT Act “National Security Letters”

Page 7: Obtaining Cellular Records

• Prior to 2005, law enforcement agencies were routinely granted access to location data without judicial oversight.
  ◦ “Relevant and material” is pretty weak…
• August 2005 – Federal District Court in NY turns down request for cellular data
  ◦ Required evidence of probable cause.
• Undeniable good can be done
  ◦ Thief stole a woman’s car with phone and child inside. Location data used to find and stop the car within 30 minutes.
  ◦ Uncountable E911 calls
• But…
  ◦ People should have a choice.
  ◦ The presence of the data remains a threat.
    - Money too attractive
    - Potential for governmental abuse too great

Page 8: A General Solution: Privacy-Aware Design

• Design systems so as to minimize privacy threat.
• Such design practices are a moral obligation given the potential harm to the individual.
  ◦ Argument for another day: Kantian emphasis on the individual vs. Benthamite stress on the greatest good for the greatest number.

Page 9: Privacy-Aware Design Practices

1. Provide full disclosure of data collection
2. Require consent to data collection
3. Minimize collection of personal data
4. Minimize identification of data with individuals
5. Minimize and secure retained data.

• Analogous to 1973 U.S. Fair Information Practices and 1980 OECD Guidelines.

Page 10: Disclosure and Consent Requirements

• Provide Full Disclosure of Data Collection
  ◦ Description requirement
  ◦ Enforceability requirement
    - FTC – privacy statements
  ◦ Irrevocability requirement
  ◦ Intelligibility requirement
• Require Consent to Data Collection
  ◦ Acknowledgement requirement
  ◦ Opt-in requirement
    - See U. S. West v. Federal Communications Commission (182 F. 3d 1224, 10th Circuit 1999)

Page 11: Minimize Collection of Personal Data (1)

• Establish functional requirement for collection
  ◦ Match data to the mission
    - Type, resolution
  ◦ Collection must be necessary to the functionality of the communication system
    - Not just an easier or cost-effective alternative
    - Collection of data for “testing” is a grey area

Page 12: Minimize Collection of Personal Data (2)

• Distributed processing requirement
  ◦ Process data as close to the source as possible
    - Functional/destructive processing
    - Aggregation prior to centralized collection
  ◦ Limits potential for re-use and hacking

Page 13: Technical Problem! Demand-Response without Centralized Data Collection

• Develop an architecture that supports demand-response without collecting fine-grained power consumption data.
• Secure local processing loop
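An added illustration, not from the slides, of what "aggregation prior to centralized collection" (page 12) and a demand-response decision taken without fine-grained consumption data (page 13) can look like: each meter masks its interval reading with pairwise secrets that cancel in the sum, so the utility sees only the neighbourhood total and issues curtailment from that. The meter readings, interval number and feeder capacity are constructed sample values, and the pairwise key exchange is assumed to have happened out of band.

```python
import hashlib
import itertools
import secrets

# Added example (not the talk's code). Readings are hidden with pairwise masks
# that sum to zero, so the utility learns only the aggregate for each interval.
MOD = 2**64  # mask arithmetic is done modulo 2^64

def prf(shared_key: bytes, interval: int) -> int:
    """Deterministic 64-bit mask derived from a pairwise key and the time slot."""
    digest = hashlib.sha256(shared_key + interval.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big")

def pairwise_keys(n: int) -> dict:
    """One secret per unordered meter pair; assumed to be exchanged out of band."""
    return {pair: secrets.token_bytes(16) for pair in itertools.combinations(range(n), 2)}

def masked_reading(i: int, reading: int, keys: dict, n: int, interval: int) -> int:
    """Meter i adds the mask shared with each higher-numbered peer and subtracts
    the mask shared with each lower-numbered peer, so every pair contributes +m and -m."""
    total = reading
    for j in range(n):
        if j == i:
            continue
        m = prf(keys[(min(i, j), max(i, j))], interval)
        total += m if j > i else -m
    return total % MOD

def aggregate(masked: list) -> int:
    """Utility-side sum: the masks cancel, leaving the true total consumption."""
    return sum(masked) % MOD

def demand_response_signal(total_watts: int, capacity_watts: int) -> bool:
    """Curtailment request derived from the aggregate alone."""
    return total_watts > capacity_watts

def run_interval(readings: list, capacity_watts: int, interval: int):
    """Full round: meters mask locally, the utility aggregates and decides."""
    n = len(readings)
    keys = pairwise_keys(n)
    masked = [masked_reading(i, r, keys, n, interval) for i, r in enumerate(readings)]
    total = aggregate(masked)
    return total, demand_response_signal(total, capacity_watts), masked

if __name__ == "__main__":
    # Constructed sample: four meters in one interval, 4 kW feeder capacity.
    total, curtail, masked = run_interval([1200, 800, 350, 2100], 4000, interval=42)
    print("masked values seen by utility:", masked)
    print("aggregate:", total, "curtail:", curtail)
```

A meter that fails to report leaves its masks uncancelled, so a real deployment needs a recovery step for missing reports; masks are bound to the interval number, so reusing an interval would leak the difference between two readings.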

Page 14: Minimize Identification with Individuals

• Does the technology require association of data with an individual or with his/her equipment?
• Non-Attribution Requirement
  ◦ Track equipment, not the user
• Separate Storage Requirement
  ◦ Authentication/billing records should be separate from “functional” records.
  ◦ Isolation of records should be cryptographically secure.

Page 15: Technical Problem! Private Use of Public Service

• Assume a pool of valid users.
• How does a user show that they are in the pool without identifying themselves?
• Cryptographic primitives?

Page 16: Minimize and Secure Data Retention

• Functional Requirement for Retention
  ◦ Retention should be directly connected to functionality
  ◦ Otherwise, opt-in required (at a minimum)
• Basic Security Requirement
  ◦ Inadvertent disclosure should be difficult to impossible.
• Non-Reusability Requirement
  ◦ Use of data in an undisclosed manner is difficult to impossible

Page 17: Example: Privacy-Aware Cellular Registration

• What is required for registration?
  ◦ HLR/home MSC needs to know how to route incoming calls
  ◦ VLR/gateway MSC needs to authenticate user
• MS Registration – data-minimal solution
  ◦ Token identifies MS’s associated HLR
  ◦ Provide sufficient info to HLR for authentication
    - Public-key encrypted ID
    - Zero-knowledge proof
• HLR Operation
  ◦ Return authentication to VLR/GMSC
  ◦ Associate current GMSC and registration number with user phone number
    - No way around this – needed for incoming calls
    - No need for further location resolution
    - No need for long-term retention after user moves on.
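An added example, not from the slides, serving both the "private use of public service" question on page 15 and the data-minimal MS registration on page 17: a Chaum-style RSA blind signature acts as the token that proves membership in the HLR's subscriber pool, so the visited network (VLR/GMSC) can verify "this user belongs to home network X" without learning which user. The subscriber set, identifiers and toy key are constructed, and the blind signature is a stand-in for the zero-knowledge proof or public-key encrypted ID the slide lists as options.

```python
import hashlib
import secrets
from math import gcd

# Added example (not the talk's code): RSA blind signature used as a membership
# token. Toy key with a ~40-bit modulus, insecure by design; a real deployment
# would use >= 2048-bit RSA and a proper full-domain hash.
P, Q = 999983, 1000003          # small, well-known primes, for illustration only
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def hash_to_group(msg: bytes) -> int:
    """Full-domain-hash stand-in: map the token bytes into Z_N."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def user_blind(token: bytes):
    """Mobile station picks a blinding factor r and hides H(token) as H * r^e mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (hash_to_group(token) * pow(r, E, N)) % N, r

def hlr_issue(subscriber_id: str, blinded: int, subscribers: set) -> int:
    """Home network authenticates the subscriber once, then signs the blinded
    value; it never sees the token that is later shown to a visited network."""
    if subscriber_id not in subscribers:
        raise PermissionError("unknown subscriber")
    return pow(blinded, D, N)

def user_unblind(blinded_sig: int, r: int) -> int:
    """(H * r^e)^d = H^d * r mod N, so multiplying by r^-1 leaves H^d."""
    return (blinded_sig * pow(r, -1, N)) % N

def vlr_verify(token: bytes, sig: int) -> bool:
    """Visited network checks the home network's signature on the bare token."""
    return pow(sig, E, N) == hash_to_group(token)

def registration_demo(subscriber_id: str, subscribers: set) -> bool:
    """End-to-end flow for one registration attempt with a fresh token."""
    token = secrets.token_bytes(16)          # fresh per registration, never reused
    blinded, r = user_blind(token)
    sig = user_unblind(hlr_issue(subscriber_id, blinded, subscribers), r)
    return vlr_verify(token, sig)
```

A token presented twice would let the visited network link two registrations, so each token is used once and the verifier should keep a list of spent tokens for the validity window.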

Page 18: Conclusion

• Sensor networks offer a powerful means for securing and monitoring critical infrastructure.
• Data collection creates a clear problem for the individual and the collecting authority.
  ◦ Seemingly impersonal data can still be a problem.
  ◦ Particular issue in the EU, where extensive regulations protect the individual against corporate abuse.
• Privacy-aware design rules provide an important tool as sensors are deployed to protect critical infrastructure.