Scalable, Secure, Mobile Computing with Location Information

MIKE SPREITZER AND MARVIN THEIMER

Location information is important to mobile computer users for a variety of reasons [2-5]. While keeping track of and making available location information about "public" things--such as printers and restaurants--is both acceptable and desirable, the same does not necessarily apply to people. We consider unrestricted access to a person's location data to be an unacceptable invasion of privacy; to us privacy means that personal information remains known only to that person unless he or she explicitly hands it out to someone else.

We also want an architecture that is scalable to a global scale, implying that it must cope with a great multiplicity of heterogeneous administrative domains. Consequently, authenticity of persons, system services, and location information itself becomes an issue.

In a system that covers only one friendly administrative domain, security may be accomplished by something as simple as a centralized location database with access controls. Unfortunately, this simple approach will not scale to a system that must span multiple administrative domains. An interesting alternative is to be more "user centric": private information (including location) about any given user is kept only by that user's trusted "user agent," and each user's dealings with other users and with foreign system services are moderated by some means of evaluating how "trustworthy" the user deems them to be.

There are two familiar problems in system security: ensuring the accuracy of information and identities, and establishing secret communications. Our requirements stress new aspects of these problems. Authenticating the location information supplied to a user agent is difficult because today's sensor systems typically only detect things such as active badges that can be removed from the mobile objects they represent. Unless society forces the use of nonremovable "tags" (which we consider undesirable), this problem implies that applications must be prepared to deal with the attendant uncertainties of the location information they use.

Because of the potential size and heterogeneity of the system, it is not always possible to keep an explicit list of principals known or deemed trustworthy. There must be some mechanism for establishing the trustworthiness or accountability of heretofore unencountered principals--be they persons, devices, or programs.

Establishing secret communications has traditionally focused on safeguarding the contents of a message. We must also safeguard the contents of the envelope of a message, since that may contain addressing information from which location can be determined. Preventing information from being leaked in this fashion requires the use of anonymous identities and intermediate "laundering agents" to allow sources and destinations to be decoupled from each other [1].

Even when individual communications packets do not allow determination of someone's location, an attacker who can observe all the communications in the system may be able to employ traffic analysis techniques to deduce it anyway. Traffic analysis can be performed on communications both when they cross traditional "wired" networks and when they are being conveyed by (multicelled) wireless media.

Exactly how much information an attacker can derive from traffic analysis depends on how much traffic is analyzed, how much users are willing to restrict their behavior, and how much users are willing to pay for techniques that make traffic analysis harder. An exploration of this region is beyond the scope of this article.

Instead, we will mention users' ability to selectively disable transmissions. This allows them to enable traffic analysis only when they are in a friendly environment or when they do not care if someone finds out their location. Note that if information destined for a user is broadcast in a fixed pattern that does not depend on the user's location, absolutely no information about that user's location is revealed. Hence, safe one-way communication may be possible even in a less-than-friendly environment. Alternatively, if the information destined for a user is broadcast to large areas that follow the user, the user's location is only coarsely revealed--and this is sometimes acceptable.

In summary, privacy is not easy to provide in an absolute sense. The security model a user is willing to adopt says something about how much trust the user is willing to place in various pieces of infrastructure. Some administrative domains will be more trustworthy than others, both in an absolute sense and in the opinion of a particular user. The choice of model also involves an estimation of how far an attacker would be willing to go to violate security. It also depends on whether the user thinks the model will be broken infrequently enough that the user is willing to suffer an attendant, limited privacy loss.

We believe the challenge is to design an architecture that offers both implementers and users a choice concerning how much "privacy enforcement" must be paid for in any given administrative domain. The resulting heterogeneous system will allow users to operate in a moded fashion, in which location-based applications may be freely usable in friendly environments but may have to be eschewed in others.

We conclude by observing that while technical means may give people the ability to control revelation of private information, that is not enough to assure privacy: a person must also have the freedom (legal, economic, and social) to exercise that control. If an employer seems to give good performance reviews only to people who reveal their location indiscriminately, or if society begins to expect that everyone will make their location publicly known, then there is still a privacy problem.

References
1. Chaum, D.L. Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 24, 2 (Feb. 1981), 84-88.
2. Fishman, N. and Mazer, M.S. Experience in deploying an active badge system. In Proceedings of the IEEE Globecom Workshop on Networking of Personal Communications Applications. IEEE, New York, 1992.
3. Want, R. and Hopper, A. Active badges and personal interactive computing objects. IEEE Trans. Consum. Electron. 38, 1 (Feb. 1992).
4. Want, R., Hopper, A., Falcao, V. and Gibbons, J. The active badge location system. ACM Trans. Inf. Syst. 10, 1 (Jan. 1992).
5. Weiser, M. The computer for the twenty-first century. Sci. Am. (Sept. 1992), 94-104.

CR Categories and Subject Descriptors: C.2.0 [Computer-Communication Networks]: General; D.4.6 [Operating Systems]: Security and Protection; D.4.7 [Operating Systems]: Organization and Design--distributed systems
General Terms: Security
Additional Key Words and Phrases: Location information, mobile computing, privacy, scalability

About the Authors: MICHAEL SPREITZER is a member of the research staff at Xerox Palo Alto Research Center. MARVIN THEIMER is a member of the research staff at Xerox Palo Alto Research Center.
Authors' Present Address: Xerox PARC, 3333 Coyote Hill Rd., Palo Alto, CA 94304; email: [email protected] and [email protected]

Communications of the ACM, July 1993/Vol. 36, No. 7, page 27
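The article's delivery-pattern argument (paging only the user's cell, broadcasting to an area that follows the user, or broadcasting in a location-independent fixed pattern) quantified as an added example; this is not code from the article. It assumes a constructed eight-cell system with a uniform prior over the user's cell and an observer who sees only which cells carry the user's inbound traffic, and it measures what that observer learns as mutual information in bits; the cell count, region size and function names are assumptions.

```python
from collections import Counter
from math import log2

# Constructed model (assumption, not from the article): N cells, the user is
# equally likely to be in any of them, and a network-level observer sees only
# which cells carry a transmission destined for the user (the envelope).
N_CELLS = 8


def page_user_cell(loc, n=N_CELLS):
    """Deliver only to the user's own cell: the envelope pins down the cell."""
    return frozenset([loc])


def page_region(loc, n=N_CELLS, region=4):
    """Deliver to a fixed-size region that follows the user: coarse location."""
    start = (loc // region) * region
    return frozenset(range(start, min(start + region, n)))


def page_fixed_pattern(loc, n=N_CELLS):
    """Flood every cell regardless of the user's location: constant pattern."""
    return frozenset(range(n))


def leakage_bits(strategy, n=N_CELLS):
    """Mutual information I(location; observed pattern), in bits, uniform prior.

    The pattern is a deterministic function of location, so H(pattern | loc) = 0
    and I = H(pattern), computed from how often each distinct pattern occurs.
    """
    counts = Counter(strategy(loc, n) for loc in range(n))
    return sum(-(c / n) * log2(c / n) for c in counts.values())


def anonymity_set(strategy, observed, n=N_CELLS):
    """Cells the observer cannot rule out after seeing one delivery pattern."""
    return sorted(loc for loc in range(n) if strategy(loc, n) == observed)


if __name__ == "__main__":
    for name, s in [("per-cell", page_user_cell), ("region", page_region),
                    ("fixed", page_fixed_pattern)]:
        print(f"{name:9s} leaks {leakage_bits(s):.2f} of {log2(N_CELLS):.2f} bits;"
              f" cells consistent with a user in cell 5: {anonymity_set(s, s(5))}")
```

A user who also disables their own transmissions in an unfriendly domain keeps the fixed-pattern downlink as the only observable, which is why the article calls that case safe one-way communication.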
