TRANSCRIPT
Privacy Management in Ubiquitous Computing Environment
Jin Zhou
Ho Geun An
Priyanka Vanjani
Kwane E. Welcher
Summary
Introduction (Jin)
Internet Privacy (Ho An)
Privacy in E-Commerce (Priyanka)
Privacy in Ubiquitous Computing (Jin)
Policy-Based Control (Kwane)
Trust and Reputation (Jin)
Conclusion (Jin)
Introduction
Ubiquitous Computing promises a world where computational artifacts embedded in the environment will continuously sense our activities and provide services based on what is sensed.
It is thought of as the third wave in computing, and it is just beginning.
Scenario
Properties of Ubicomp
Ubiquity
Invisibility
Sensing
Memory Amplification
Privacy Problems
Example Scenario
Alice is visiting a city
She uses Bob's location service
Alice's location is stored on Bob's server
Bob may sell Alice's information to Carol
Fair Information Practices
Notice/Awareness
Choice/Consent
Access/Participation
Integrity/Security
Enforcement/Redress
Internet
The Internet is one of the biggest parts of the ubiquitous computing environment.
Based on an end-user-centric architecture
Benefits: flexibility / generality / openness
Disadvantages: end users have to take care of privacy protection themselves; it is the place where privacy violations occur most often today.
Personal Information on the Internet
Medium: web site / email / IM / chat room / bulletin board / P2P network / voice / video communication
Personal information: name / address / SSN / credit card number / user behavior
Threats
Four factors make it much easier for a data collector to gain personal information. In order to reach the public, one must:
advertise
use well-known protocols and standards
reveal one's content
accept that one may come under the scrutiny of the authorities
Threats
The widely used protocols (e.g. TCP / IP / HTTP / DNS) and applications do not support any kind of protection for privacy.
Exploiting these factors, data collectors gather personal information over the network without notice and consent.
There are several data stores and flows on the network that contain personal information and are targeted by data collectors: DNS / URL / Cookie / Scripting
DNS Server
A DNS server resolves the host names found in Uniform Resource Locators (URLs) into numeric Internet addresses [RFC1035].
Since the protocol gives no assurance that replies from a DNS server are genuine and have not been tampered with, DNS spoofing can deceive users and extract sensitive information: a forged reply only has to match the query's 16-bit transaction ID, UDP port and question to be accepted.
Structural remedies for the DNS vulnerabilities are available but not widely deployed: the Domain Name System Security Extensions (DNSSEC) [RFC2065]. RFC 2065 has since been obsoleted (the current specification is RFC 4033-4035), and DNSSEC only protects a client whose resolver actually validates the signatures.
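Added example, not from the slides: a minimal stub-resolver check in Python that shows exactly what RFC1035 lets a client verify about a reply, and therefore why a forged reply that guesses the transaction ID is accepted. The host names, addresses and transaction ID are constructed, and build_query, build_reply and accept_reply are this example's own functions rather than any library's API.

```python
import struct

# Constructed example: a stub resolver's acceptance test for a DNS reply.
# The base protocol [RFC1035] gives it only the 16-bit transaction ID and the
# echoed question to match a reply to its query; nothing in the reply is signed.

QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC1035 section 4.1.4)
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def build_query(txid, name):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def build_reply(txid, name, ipv4):
    """Any host that can reach the client can send this; nothing in it is authenticated."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; one answer
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, len(rdata)) + rdata
    return header + question + answer

def accept_reply(query, reply):
    """Return the A record if the reply passes every check RFC1035 gives a stub resolver, else None."""
    q_id, _ = struct.unpack("!HH", query[:4])
    r_id, r_flags, qd, an = struct.unpack("!HHHH", reply[:8])
    if r_id != q_id or not (r_flags & 0x8000) or qd != 1 or an < 1:
        return None
    _, off = decode_name(reply, 12)
    if query[12:] != reply[12:off + 4]:      # echoed question must match ours byte for byte
        return None
    off += 4
    _, off = decode_name(reply, off)          # answer NAME (a pointer back to the question)
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
    off += 10
    if (rtype, rclass, rdlen) != (QTYPE_A, QCLASS_IN, 4):
        return None
    return ".".join(str(b) for b in reply[off:off + 4])

if __name__ == "__main__":
    query = build_query(0x1234, "bank.example")
    genuine = build_reply(0x1234, "bank.example", "192.0.2.10")
    forged = build_reply(0x1234, "bank.example", "203.0.113.66")  # attacker guessed the ID
    print("genuine:", accept_reply(query, genuine))
    print("forged: ", accept_reply(query, forged))
```

accept_reply returns the attacker's address for the forged reply just as readily as the genuine one, because the ID and the echoed question are all the protocol provides; a reply with a different ID or a different question is the only kind it can reject. DNSSEC adds signatures over the records that a validating resolver can check, which is the structural remedy the slide refers to.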
URL Leak
A URL such as "http://www.personal.com?link_type=form&form_id=xxx&pass=xxx" contains a user ID and password.
There are many ways that referenced URLs leak: history / referrer / logs
Solution: HTTPS. Note that HTTPS only hides the URL on the wire: the query string is still written to browser history, to server and proxy logs, and to the Referer header sent to the next page, so credentials and session tokens should travel in a POST body or an Authorization header, never in the URL.
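Added example, not part of the slides: a Python scan over constructed web-server access-log lines for credentials that a site has put into query strings, looking in both of the places the slide names that survive HTTPS (the request line and the Referer), plus a redaction helper for writing such URLs to logs safely. The parameter names in SENSITIVE and the log lines themselves are assumptions made for the demonstration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed example: find secrets leaked through URLs in server logs.

# Parameter names that should never appear in a query string (assumed list).
SENSITIVE = {"pass", "passwd", "password", "pwd", "pin", "ssn", "token",
             "session", "sessionid", "sid", "apikey", "card"}

# Apache/nginx "combined" format: ... "METHOD PATH HTTP/x" STATUS SIZE "REFERER" "UA"
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" \d+ \S+ "([^"]*)"')

def sensitive_params(url):
    """Names of query parameters in url whose name marks them as a secret."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in SENSITIVE]

def redact(url):
    """The same URL with the values of sensitive parameters blanked, safe to log."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def scan_log(lines):
    """Return (line_no, where, redacted_url, params) for each secret found in a request path or Referer."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        for where, url in (("request", m.group(1)), ("referer", m.group(2))):
            params = sensitive_params(url)
            if params:
                findings.append((n, where, redact(url), params))
    return findings

# Constructed log lines in combined format: a login form that sends the password
# in the query string, and the next request carrying that URL as its Referer.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login?link_type=form&form_id=42&user=alice&pass=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /account HTTP/1.1" 200 5120 "http://www.personal.com/?link_type=form&form_id=42&pass=hunter2" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=privacy HTTP/1.1" 200 812 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The second finding is the one HTTPS does not prevent: the password left the login page inside the Referer of the following request and was written to the log of whatever server received it.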
Cookie Exposure
A cookie is a message given to a web browser by a web server.
The main purpose of a cookie is to identify users and possibly prepare customized web pages for them.
Cookies are used in basically two ways: tracking users and authenticating users.
Unfortunately, there is no standard mechanism to establish the integrity of a cookie returned by a browser: the browser sends back whatever is stored on the client, so a server that trusts the cookie's contents can be fed edited values.
The best defense for the user is to avoid shopping online or registering with online services that use unsafe cookie-based authentication; on the server side, integrity comes from keeping the cookie opaque (a random session identifier looked up server-side) and binding it with a keyed MAC.
Recommendations
[RFC2964] recommends proper use of cookies:
1. The user is aware that a cookie is being maintained and consents to it.
2. The user has the ability to delete the cookie associated with such a session at any time.
3. The information obtained through the cookies is not disclosed to other parties without the user's explicit consent.
4. The session information itself cannot contain sensitive information and cannot be used to obtain sensitive information.
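Added example, not from the slides: the cookie-integrity problem of the previous slide and point 4 of the RFC2964 list, written out in Python. unsafe_identity believes a plaintext "user=...; role=..." cookie as returned by the browser; the hardened path issues an opaque random session id that carries nothing sensitive, keeps the account data on the server, and binds the id with an HMAC so an edited cookie is rejected. SERVER_SECRET, the SESSIONS store and the cookie names are this example's assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed example: unsafe plaintext identity cookie beside a signed opaque one.

SERVER_SECRET = secrets.token_bytes(32)  # assumption: per-deployment secret, never sent to clients
SESSIONS = {}                            # session id -> account data, held on the server only

def parse_cookie_header(header):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}"""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

# --- unsafe: identity and role travel in the clear and are believed as-is ---
def unsafe_identity(cookie_header):
    c = parse_cookie_header(cookie_header)
    return c.get("user"), c.get("role")   # a user can simply edit role=admin

# --- hardened: opaque session id + keyed MAC ---
def sign(sid, secret):
    mac = hmac.new(secret, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"

def verify(value, secret):
    """Return the session id if value is 'sid.mac' with a valid MAC, else None."""
    sid, sep, mac = value.rpartition(".")
    if not sep or not sid:
        return None
    expected = hmac.new(secret, sid.encode(), hashlib.sha256).hexdigest()
    return sid if hmac.compare_digest(mac, expected) else None   # constant-time compare

def issue_session(user, role, secret=SERVER_SECRET):
    """Create a server-side session and return the Set-Cookie value for it."""
    sid = secrets.token_urlsafe(24)       # random, carries no information (RFC2964 point 4)
    SESSIONS[sid] = {"user": user, "role": role}
    return f"session={sign(sid, secret)}"

def safe_identity(cookie_header, secret=SERVER_SECRET):
    c = parse_cookie_header(cookie_header)
    sid = verify(c.get("session", ""), secret)
    if sid is None or sid not in SESSIONS:
        return None, None
    s = SESSIONS[sid]
    return s["user"], s["role"]

if __name__ == "__main__":
    print(unsafe_identity("user=alice; role=admin"))      # forged role accepted
    cookie = issue_session("alice", "user")
    print(safe_identity(cookie))                           # ('alice', 'user')
    sid, mac = cookie.split("=", 1)[1].rsplit(".", 1)
    print(safe_identity(f"session={sid}x.{mac}"))         # edited id: (None, None)
```

The MAC keeps the cookie from being altered; it does not keep it from being stolen, so the cookie still needs the Secure and HttpOnly attributes and a server-side expiry.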
Cross Site Scripting (XSS)
XSS (abbreviated "CSS" in the original slides; XSS is now used to avoid confusion with Cascading Style Sheets) is a type of computer security vulnerability typically found in web applications which allows malicious web users to inject client-side script (JavaScript or HTML) or ActiveX controls into web pages, e-mail messages, instant messages, newsgroup postings, or various other media. Victim users may unintentionally execute the script without any notice.
An XSS vulnerability could potentially be used to collect HTTP cookies or the URL history and disseminate the data to an unauthorized party.
Preventing XSS
The web application must encode user-supplied data before re-displaying it: all non-alphanumeric client-supplied data (which possibly contains malicious script) should be converted to HTML character entities before being re-displayed to other clients. Encoding at the point of output, for the context the data is inserted into, is what neutralizes the script; filtering on input alone is not enough. Marking session cookies HttpOnly keeps script from reading them even if an injection slips through.
For end users, the most effective way to prevent XSS attacks is to disable all scripting languages in their web browsers.
They should be careful about clicking links on untrusted web pages or in e-mails.
They should also not install any ActiveX controls from untrusted web sites.
Addressing Privacy in E-Commerce
E-Commerce: business conducted over the Internet using any of the applications that rely on the Internet
Email, web services, online shopping
Data
Implicit: personalization is gathered from information inferred from a user.
Explicit: requires demographics, ratings or other user information provided explicitly by the user.
Privacy Risks
Users fear that their information might be shared with other organizations and/or companies; fear of undesired marketing.
Users are concerned about how the information they have provided would be used.
Risk of a website not being run by a trusted organization, and of the information stored in their database.
Information might be distributed amongst other unwanted websites, or may be used by other organizations.
Fear of online activities being tracked.
User Concerns
Most users do not care much about factors like:
whether a site has a privacy policy posted
whether the site has a data retention policy
whether the site has a privacy seal
This is because they are not well aware of the importance of the above factors.
Protecting Privacy
P3P
One of the solutions for protecting privacy as far as E-Commerce is concerned.
Enables websites to express their privacy practices in a standard format which is convenient for user agents to retrieve and interpret.
HTTP Transaction with P3P added
Summary of P3P
P3P is not an "enforcement mechanism"
Facilitates better communication
P3P Version 1.0, goal of the specification: to make user agents aware of the practices that websites follow to collect data.
TRUSTe
TRUSTe certifies and monitors a website's privacy policies and email policies, and is also aimed at resolving consumer privacy problems.
TRUSTe developed the first online privacy seal program.
The TRUSTe Watchdog: an alternative dispute resolution mechanism that allows you to submit any privacy violation by an accredited site directly to TRUSTe via the Web.
Conclusion of E-Commerce Privacy
Users nowadays have strong opinions regarding privacy online; they tend to make their own assumptions about data collection, and the results turn out to be quite unfavorable.
It is vital to have more concrete and reliable data regarding E-Commerce and privacy technologies in order to improve and win over users' trust and expectations.
Privacy in Ubicomp Environment
Principle of Minimum Asymmetry
Anonymization and Pseudonymization
P3P
PawS
Wearable
Other Mechanisms
Principle of Asymmetry
Negative externalities are often much harder to overcome in environments with significant asymmetry in both information and power between different parties.
Principle of Minimum Asymmetry:
Decreasing the flow of information from data owners to data collectors and users
Increasing the flow of information from data collectors and users back to data owners
Principle of Minimum Asymmetry
Approximate Information Flow
Information Spaces: storage perspective
Data Lifecycle: dataflow perspective
Themes for minimizing asymmetry: end-user perspective
Information Spaces
Boundaries: physical, social, activity-based
Properties: lifetime, accuracy, confidence
Operations: addition/deletion/update, authorization/revocation, promotion/demotion, composition/decomposition, fusion/inference
Data Lifecycle
Collection
Access
Second Use
Themes for Minimizing Asymmetry
Prevention
Avoidance
Detection
Design Space
Anonymization and Pseudonymization
Anonymity precludes association of data or a transaction with a particular person.
However, services which require the presence of users are not possible with anonymity; in that case, pseudonymity is required.
With user-selected pseudonyms, users can interact with the environment in an anonymous way by having a pseudo-identity.
Nevertheless, pseudonymity can be compromised at times, as the user is physically present and can be identified.
P3P
A framework for standardized, machine-readable privacy policies.
Relieves the time-consuming process of reading a policy.
A P3P-enabled web browser can decide what to do by comparing this policy with the user's stored preferences.
Delivered as an XML file, or referenced in the HTTP header.
An Example P3P FileAn Example P3P File
Main Content of a Policy
Which information the server stores:
  which kind of information is collected (identifying or not);
  which particular information is collected (IP number, email address, name, etc.).
Use of the collected information:
  how this information is used (for regular navigation, tracking, personalization, telemarketing, etc.);
  who will receive this information (only the current company, third party, etc.).
Permanence and visibility:
  how long information is stored;
  whether and how the user can access the stored information (read-only, opt-in, opt-out).
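Added example, not from the slides and not taken from any P3P implementation: the comparison a P3P-enabled browser makes, written in Python over a constructed policy that uses the P3P 1.0 vocabulary (PURPOSE, RECIPIENT, RETENTION, DATA-GROUP under each STATEMENT, which is where the policy content listed above lives). The site, the policy and the preference set USER_PREFS are made up for the demonstration; treating every "#user." data reference as identifying is a simplification of this example, not a rule of the specification.

```python
import xml.etree.ElementTree as ET

# Constructed example: evaluate a P3P 1.0 policy against a user's stored preferences.

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed policy: one statement about clickstream data kept for the site's own use,
# one that hands name and phone number to other recipients for telemarketing, indefinitely.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="shop" discuri="http://www.example.com/privacy.html">
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <PURPOSE><current/><admin/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE><telemarketing required="opt-out"/></PURPOSE>
      <RECIPIENT><other-recipient/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP><DATA ref="#user.name"/><DATA ref="#user.home-info.telecom.telephone"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>"""

# The user's stored preferences (constructed): practices the browser should refuse.
USER_PREFS = {
    "forbidden_purposes": {"telemarketing", "other-purpose"},
    "forbidden_recipients": {"other-recipient", "unrelated", "public"},
    "forbidden_retention_for_identified": {"indefinitely"},
}

def local(tag):
    return tag[len(P3P_NS):] if tag.startswith(P3P_NS) else tag

def children(elem, name):
    """Local names of the elements inside the first <name> child (empty set if absent)."""
    group = elem.find(P3P_NS + name)
    return {local(c.tag) for c in group} if group is not None else set()

def statements(policy_xml):
    """Yield one dict per STATEMENT with its purposes, recipients, retention and data refs."""
    root = ET.fromstring(policy_xml)
    for st in root.iter(P3P_NS + "STATEMENT"):
        refs = {d.get("ref", "") for d in st.iter(P3P_NS + "DATA")}
        yield {
            "purposes": children(st, "PURPOSE"),
            "recipients": children(st, "RECIPIENT"),
            "retention": children(st, "RETENTION"),
            "data": refs,
            # Assumption of this example: user.* data identifies the person.
            "identifying": any(r.startswith("#user.") for r in refs),
        }

def evaluate(policy_xml, prefs):
    """Return a list of (statement_index, reason) conflicts between the policy and prefs."""
    conflicts = []
    for i, st in enumerate(statements(policy_xml), 1):
        for p in sorted(st["purposes"] & prefs["forbidden_purposes"]):
            conflicts.append((i, f"purpose {p}"))
        for r in sorted(st["recipients"] & prefs["forbidden_recipients"]):
            conflicts.append((i, f"recipient {r}"))
        if st["identifying"]:
            for r in sorted(st["retention"] & prefs["forbidden_retention_for_identified"]):
                conflicts.append((i, f"retention {r} of identifying data"))
    return conflicts

def decide(policy_xml, prefs):
    """What the user agent does with the site's cookies/forms: 'allow' or 'block'."""
    return "block" if evaluate(policy_xml, prefs) else "allow"

if __name__ == "__main__":
    for conflict in evaluate(SAMPLE_POLICY, USER_PREFS):
        print(conflict)
    print(decide(SAMPLE_POLICY, USER_PREFS))
```

The evaluator ignores the required="opt-out" attribute and flags the purpose regardless; a fuller agent would offer the opt-out to the user. The decision rests entirely on what the site declares, which is the point of the summary slide that P3P is not an enforcement mechanism.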
Privacy Awareness System (PawS)
Based on Fair Information Practices. Mainly focuses on four principles:
Notice: policy announcement mechanisms
Choice and consent: machine-readable policies
Proximity and locality: access restriction based on location
Access and recourse: privacy proxies / privacy-aware databases
Overview of PawS
Wearable
Instead of putting sensors and cameras in the room, put them on the person.
Suited to providing privacy and personalization.
Has trouble with localized information, localized control and resource management.
Other Approaches
Location privacy policy: the individual should be able to adjust the accuracy of his location, identity, time and speed, and therefore have the power to enforce the need-to-know principle.
Privacy Mirror: provides feedback to end users, showing them what information is being collected, and what information has been accessed and by whom.
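Added example, not from the slides or from any cited system: a location service applying a per-recipient policy, in Python, that lowers the accuracy of location, identity, time and speed before release, as the location privacy policy above describes; the keyed pseudonym it substitutes for the identity is also the kind of pseudo-identity the earlier Anonymization and Pseudonymization slide refers to. The Reading and Policy types, the two recipient policies, the coordinates and the secret are all constructed.

```python
import hashlib
import hmac
import math
from dataclasses import dataclass, replace
from typing import Optional

# Constructed example: need-to-know release of a location reading.

M_PER_DEG_LAT = 111_320.0  # metres per degree of latitude (flat-earth approximation)

@dataclass(frozen=True)
class Reading:
    user: str
    lat: float
    lon: float
    ts: int            # seconds since the epoch
    speed: Optional[float]  # metres per second

@dataclass(frozen=True)
class Policy:
    grid_m: float            # snap position to cells this wide (0 = exact)
    time_bucket_s: int       # snap time to buckets this long (0 = exact)
    speed_step: Optional[float]  # round speed down to this step (0 = exact, None = withhold)
    reveal_identity: bool    # False = replace the user name with a keyed pseudonym

def snap_down(value, step):
    return value if step == 0 else math.floor(value / step) * step

def pseudonym(user, secret):
    """Stable per-user pseudonym; only the holder of secret can link it back to the user."""
    return hmac.new(secret, user.encode(), hashlib.sha256).hexdigest()[:16]

def coarsen(reading, policy, secret):
    """Return the reading as the recipient is allowed to see it under policy."""
    lat_step = policy.grid_m / M_PER_DEG_LAT
    # Longitude degrees shrink with latitude, so scale the step to keep the cell grid_m wide.
    lon_step = policy.grid_m / (M_PER_DEG_LAT * max(math.cos(math.radians(reading.lat)), 1e-9))
    return replace(
        reading,
        user=reading.user if policy.reveal_identity else pseudonym(reading.user, secret),
        lat=snap_down(reading.lat, lat_step),
        lon=snap_down(reading.lon, lon_step),
        ts=int(snap_down(reading.ts, policy.time_bucket_s)),
        speed=None if policy.speed_step is None else snap_down(reading.speed, policy.speed_step),
    )

# Constructed policies for two recipients of Alice's location (cf. Bob and Carol in the scenario).
FRIEND = Policy(grid_m=0, time_bucket_s=0, speed_step=0, reveal_identity=True)
ADVERTISER = Policy(grid_m=1000, time_bucket_s=3600, speed_step=None, reveal_identity=False)

if __name__ == "__main__":
    secret = b"constructed-service-secret"
    alice = Reading("alice", 40.7128, -74.0060, 1_700_000_123, 1.4)
    print(coarsen(alice, FRIEND, secret))       # exact reading, real name
    print(coarsen(alice, ADVERTISER, secret))   # 1 km cell, 1 h bucket, no speed, pseudonym
```

Snapping rather than adding noise makes the released cell boundaries fixed, so repeated queries cannot be averaged back to the true position; the pseudonym stays constant across releases, which is what lets the recipient offer a service to a returning user and is also why, as the pseudonymization slide warns, physical presence can still re-identify it.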
Policy-Based Privacy
Personal Privacy Policies
Policies defined
Personal privacy policy defined
Proposed personal privacy model
Personal Privacy Policy Model
Personal Privacy Policy Content
Model Code for the Protection of Personal Information
Privacy risk analysis questions
Model Code for the Protection of Personal Information: 10 Principles
Accountability
Identifying Purpose
Consent
Limiting Collection
Limiting Use, Disclosure, Retention
Accuracy
Safeguards
Openness
Individual Access
Challenging Compliance
Personal Privacy Policy Sample
Usage Control Policies
Usage control policy defined
Usage control policy goal
Usage Control Policy Concept
Usage Control Policy Components
Requirements
Obligations: controllable, observable
Compensation Actions
Usage Control Policy Components
High-level policies
Low-level policies
Usage Control Policy Process
Privacy Policy Discussion
Personal Privacy Policy
+
Usage Control Policy
+
Technological Solutions
=
Enhanced Privacy in UBICOMP
Trust and Reputation Based Control
People use trust and reputation to manage their privacy.
Not all people are untrustworthy: some have a higher reputation, and there are people we trust more and to whom we are willing to give more private information.
Trust networks and a reputation system help users manage how, when, and where they share their personal information.
Advantages
Policy-based mechanisms such as P3P and PawS assume that the user maintains only one privacy policy and that this policy applies to all entities.
Trust- and reputation-based control has two advantages over that: adaptivity and flexibility.
Conclusion
Fair Information Practices should serve as guidelines for designing a ubicomp system.
Internet vulnerabilities should also be considered.
Minimizing asymmetry.
Machine-readable policies.
Trust- and reputation-based system for information sharing.
Questions?