LOCATION PRIVACY
Marc Langheinrich, University of Lugano (USI), Switzerland
[Map: Zurich (2.5h), Milano (1h), Genoa (2.5h)]
Securing a Mobile Phone
Can We Have it Both Ways?
• Safe
• Secure
• Privacy-friendly
• Usable
• Useful
• Used
WHAT IS PRIVACY?
Facets of Privacy
Hard To Define
“Privacy is a value so complex, so entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that I sometimes despair whether it can be usefully addressed at all.”
– Robert C. Post, Three Concepts of Privacy, 89 Georgetown Law Journal 2087 (2001)
[Photo: Prof. Robert C. Post, Yale Law School]
Original slide from Lorrie Cranor: “8-533 / 8-733 / 19-608 / 95-818: Privacy Policy, Law, and Technology”, Fall 2008, CMU
Hard To Analyze
“... The notion of privacy is fraught with multiple meanings, interpretations, and value judgments. … Nearly every thread of analysis leads to other questions and issues that also cry out for additional analysis—one might even regard the subject as fractal, where each level of analysis requires another equally complex level of analysis to explore the issues that the previous level raises.”
– James Waldo et al., Engaging Privacy and Information Technology in a Digital Age. National Academies Press, 2008
A Privacy Definition
• “The right to be let alone.”
– Warren and Brandeis, 1890 (Harvard Law Review)
• “Numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the housetops’”
Image source: http://historyofprivacy.net/RPIntro3-2009.htm
Technological Revolution, 1888
[Photo: George Eastman, 1854-1932]
Image Source: Wikipedia; Encyclopedia Britannica (Student Edition)
The Location Revolution, 2009
[Product images: Nokia N97, Infineon XPOSYS GPS, Rakon GPS, TomTom, iPhone, Hitachi Clarion, Trackstick 2]
Facets of Privacy SOLITUDE
Information Privacy
• “The desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitude and their behavior to others.”
– Alan Westin, 1967, Privacy And Freedom, Atheneum
[Photo: Dr. Alan F. Westin]
Facets of Privacy CONTROL
Privacy Regulation Theory
• Privacy as Accessibility Optimization: Inputs and Outputs
– Not monotonic: “More” is not always “better”
– Spectrum: “Openness” / “Closedness”
– Privacy levels: isolation > desired > crowding
• Dynamic Boundary Negotiation Process
– Neither static nor rule-based
– Privacy as a social interaction process
– Cultural, territorial, verbal mechanisms
[Photo: Irwin Altman, University of Utah]
See, e.g., L. Palen, P. Dourish: “Unpacking ‘privacy’ for a networked world.” Proceedings of CHI 2003, pp. 129-136.
Facets of Privacy INTIMACY
Privacy – More Than Secrecy!
[Diagram: Privacy surrounded by related notions – Secrecy, Safety, Solitude, Anonymity, Control, Freedom, Intimacy, Dignity]
WHY LOCATION PRIVACY?
“Location” Privacy? What’s so special about “location” that it is worth inventing a special category for it?
Location Privacy
Useful Definition?! Think Altman!
• “… the ability to prevent other parties from learning one’s current or past location.” (Beresford and Stajano, 2003)
[Photos: Alastair Beresford, Frank Stajano, Cambridge Univ.]
• “It’s not about where you are ... It’s where you have been!”
– Gary Gale, Head of UK Engineering for Yahoo! Geo Technologies
[Photo: Gary Gale, Yahoo! UK]
Motivating Disclosure
• Why Share Your Location?
– By-product of positioning technology (e.g., cell towers, WiFi, ...)
– Required to use service (local recommendations, automated payment for toll roads, ...)
– Social benefits (let friends and family know where I am, finding new friends, ...)
• Why NOT to Share Your Location?
– Location profiles reveal/imply activities, interests, identity
Location Implications
• Places I Go
– Where I Live / Work
– Who I Am (Name)
– Hobbies/Interests/Memberships
• People I Meet
– My Social Network
• Profiling, e.g.,
– ZIP-Code: implies income, ethnicity, family size
Implications: Profiles
• Allow Inferences About You
– May or may not be true!
• May Categorize You
– High spender, music aficionado, credit risk
• May Offer Or Deny Services
– Rebates, different prices, privileged access
• “Social Sorting” (Lyon, 2003)
– Opaque decisions “channel” life choices
Image Sources: http://www.jimmyjanesays.com/sketchblog/paperdollmask_large.jpg http://www.queensjournal.ca/story/2008-03-14/supplement/keeping-tabs-personal-data/
www.nytimes.com/1992/09/12/technology/orwellian-dream-come-true-a-badge-that-pinpoints-you.html
Proxy-Based Location Privacy
[Diagram: Active Badge System (1992). A Service asks “Where’s Bob?” through the Query Interface; the badge infrastructure only ever sees Location Updates for the pseudonym 7829. Bob’s User Agent knows that 7829 is Bob, issues the Location Query for 7829 on his behalf and decides what the Service gets to learn.]
Mike Spreitzer and Marvin Theimer. Providing location information in a ubiquitous computing environment. In Proc. of the 14th ACM Symp. on Operating Systems Principles (SOSP ’93), pp. 270–283. ACM Press, 1993.
Location Triangle: Who – Where – When
What To Protect Against
• Protect against unwanted/accidental disclosure (friend finder services/Latitude)
– Immediate disclosure vs. later “lookups”
• Protect against monitoring (nosy employer)
– Monitoring breaks, work efficiency
• Protect against commercial profiling
– Exerting subtle influence over decisions
• Against law enforcement
– If you’ve got nothing to hide, you’ve got nothing to fear?
Do People Care?
Danezis, George; Lewis, Stephen; Anderson, Ross: How Much is Location Privacy Worth? Fourth Workshop on the Economics of Information Security, Harvard University (2005)
End-User Attitudes Towards LBS
• Clear value proposition
• Simple and appropriate control and feedback
• Plausible deniability
• Limited retention of data
• Decentralized control
• Special exceptions for emergencies
[Photo: Jason Hong, CMU]
Jason Hong: An Architecture for Privacy-Sensitive Ubiquitous Computing. PhD Thesis, Univ. of California Berkeley, 2005. Available at www.cs.cmu.edu/~jasonh/publications/jihdiss.pdf
LOCATION PRIVACY TECHNOLOGY
Location Privacy Technology
• Transparency Tools
– Privacy Policies
– Rule-based access control
• Opacity Tools
– Anonymization (“k-anonymity”)
– Obfuscation
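To make the “k-anonymity” bullet concrete, here is an added example (not code from the slides or from any project they cite) of spatial cloaking in the style introduced by Gruteser and Grunwald at MobiSys 2003: instead of the exact position, the service receives the smallest quadtree cell that still contains at least k users. The trusted anonymizer that knows all positions, the service area, and the user coordinates are all assumptions constructed for this example.

```python
# Constructed snapshot of user positions known to a trusted anonymizer (assumed component),
# in metres on a 1024 m x 1024 m service area; all coordinates are made up.
OTHER_USERS = [(120.0, 130.0), (50.0, 60.0), (600.0, 700.0), (900.0, 900.0)]
REGION = (0.0, 0.0, 1024.0, 1024.0)   # (x0, y0, x1, y1); upper edges are exclusive


def in_cell(point, cell):
    x0, y0, x1, y1 = cell
    return x0 <= point[0] < x1 and y0 <= point[1] < y1


def count_in(points, cell):
    return sum(1 for p in points if in_cell(p, cell))


def cloak(user, others, k, region=REGION, min_size=1.0):
    """Return the smallest quadtree cell that contains `user` and at least k users in total.

    Descend from the whole region into the quadrant holding the user for as long as that
    quadrant still holds k users; stop one level above the first quadrant that does not.
    Returns None if even the whole region holds fewer than k users (k-anonymity impossible).
    """
    points = [user] + list(others)
    if count_in(points, region) < k:
        return None
    cell = region
    while True:
        x0, y0, x1, y1 = cell
        half_w, half_h = (x1 - x0) / 2, (y1 - y0) / 2
        if half_w < min_size or half_h < min_size:
            return cell                      # do not cloak below the minimum cell size
        cx0 = x0 if user[0] < x0 + half_w else x0 + half_w
        cy0 = y0 if user[1] < y0 + half_h else y0 + half_h
        child = (cx0, cy0, cx0 + half_w, cy0 + half_h)
        if count_in(points, child) < k:
            return cell                      # shrinking further would break k-anonymity
        cell = child


def area(cell):
    x0, y0, x1, y1 = cell
    return (x1 - x0) * (y1 - y0)


if __name__ == "__main__":
    me = (100.0, 100.0)
    for k in (2, 3, 6):
        box = cloak(me, OTHER_USERS, k)
        print(f"k={k}: {box}" + (f" ({area(box):.0f} m^2)" if box else " (not satisfiable)"))
```

The trade-off the slide’s taxonomy hints at is visible in the output: a larger k yields a larger, less useful cell, and in a sparsely populated area the request cannot be served at all, which is itself something a service has to handle without leaking why.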
TRANSPARENCY TOOLS
GEOPRIV
• “A suite of protocols that allow applications to represent and transmit geographic and civic location information about resources and entities, and to allow users to express policies on how these representations are exposed and used”
http://tools.ietf.org/wg/geopriv/
• GEOPRIV Model
– Defines how services should use location
– Includes privacy controls (Rule Holder)
– Location is published to Location Server
– Location is used by Location Recipient
• Defines XML Formats
– Location Objects (GML)
– Preference Rules
GEOPRIV Model
[Diagram: a Device at the Target acts as Location Generator and publishes location to the Location Server; the Rule Maker supplies rules to the Rule Holder, and the Location Server applies them before passing location on to the Location Recipients]
Dawson, Martin; James Winterbottom, Martin Thomson (2006-11-13). IP Location. McGraw-Hill. ISBN 0-07-226377-6.
GEOPRIV Example [Restaurant Finder]
[Diagram: Bob (Target) with his GPS-enabled phone (Device, Location Generator) on one side, the Restaurant Finder (Location Recipient) on the other, and the Rule Maker, Rule Holder and Location Server in between. Location Object: “Bob is at 43.5723 S, 153.21760 E”]
Dawson, Martin; James Winterbottom, Martin Thomson (2006-11-13). IP Location. McGraw-Hill. ISBN 0-07-226377-6.
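The following is an added example, not code from the slides or from the GEOPRIV working group, of what the Location Server in the Restaurant Finder scenario does with the Rule Holder’s rules. The rule set’s conditions follow the layout of the IETF common-policy format (RFC 4745: `ruleset`, `rule`, `conditions`, `identity`, `validity`); the `granularity` transformation and its namespace `urn:example:location-policy`, the SIP identities, the city name and the timestamps are all constructed for this example. The Location Object uses the coordinates from the slide.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

CP = "{urn:ietf:params:xml:ns:common-policy}"   # RFC 4745 common-policy namespace
EX = "{urn:example:location-policy}"            # assumed namespace for this example's transformation
LEVELS = ["none", "city", "full"]               # granularities, least to most permissive

# Constructed rule set held by the Rule Holder: Alice may see Bob's exact position,
# the Restaurant Finder only gets the city, and only while the rule is valid (2009).
RULESET = """<?xml version="1.0" encoding="UTF-8"?>
<cp:ruleset xmlns:cp="urn:ietf:params:xml:ns:common-policy"
            xmlns:ex="urn:example:location-policy">
  <cp:rule id="alice-full">
    <cp:conditions>
      <cp:identity><cp:one id="sip:alice@example.com"/></cp:identity>
    </cp:conditions>
    <cp:actions/>
    <cp:transformations><ex:granularity>full</ex:granularity></cp:transformations>
  </cp:rule>
  <cp:rule id="finder-city-2009">
    <cp:conditions>
      <cp:identity><cp:one id="sip:finder@restaurants.example.net"/></cp:identity>
      <cp:validity>
        <cp:from>2009-01-01T00:00:00Z</cp:from>
        <cp:until>2009-12-31T23:59:59Z</cp:until>
      </cp:validity>
    </cp:conditions>
    <cp:actions/>
    <cp:transformations><ex:granularity>city</ex:granularity></cp:transformations>
  </cp:rule>
</cp:ruleset>
"""

# Constructed Location Object for the Target: the slide's coordinates plus an assumed city.
BOB_LOCATION = {"lat": -43.5723, "lon": 153.21760, "city": "Exampleville"}


def parse_ts(text):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the rule set as UTC."""
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_rules(xml_text):
    """Extract identity and validity conditions and the granularity transformation of each rule."""
    rules = []
    for rule in ET.fromstring(xml_text).findall(CP + "rule"):
        conditions = rule.find(CP + "conditions")
        identities = [one.get("id") for one in conditions.iter(CP + "one")]
        validity = None
        v = conditions.find(CP + "validity")
        if v is not None:
            validity = (parse_ts(v.findtext(CP + "from")), parse_ts(v.findtext(CP + "until")))
        granularity = rule.findtext(CP + "transformations/" + EX + "granularity", default="none")
        rules.append({"id": rule.get("id"), "identities": identities,
                      "validity": validity, "granularity": granularity})
    return rules


def decide(rules, recipient, now):
    """Location Server decision: the most permissive granularity among all matching rules;
    'none' (deny) if no rule matches, which is also the common-policy default."""
    best = "none"
    for rule in rules:
        if recipient not in rule["identities"]:
            continue
        if rule["validity"] is not None:
            start, end = rule["validity"]
            if not (start <= now <= end):
                continue
        if LEVELS.index(rule["granularity"]) > LEVELS.index(best):
            best = rule["granularity"]
    return best


def decision_for(recipient, iso_ts):
    """Convenience wrapper: decide for a recipient at a given 'YYYY-MM-DDTHH:MM:SSZ' time."""
    return decide(parse_rules(RULESET), recipient, parse_ts(iso_ts))


def release(location, granularity):
    """Apply the transformation before the Location Object leaves the Location Server."""
    if granularity == "full":
        return dict(location)
    if granularity == "city":
        return {"city": location["city"]}
    return None


if __name__ == "__main__":
    for recipient in ("sip:alice@example.com", "sip:finder@restaurants.example.net",
                      "sip:stranger@example.org"):
        g = decision_for(recipient, "2009-06-01T12:00:00Z")
        print(recipient, "->", g, release(BOB_LOCATION, g))
```

Note that the decision is made at the Location Server, never at the Location Recipient: the Restaurant Finder is handed a Location Object that already contains nothing finer than a city, so it cannot ignore the rule, and an expired or unknown recipient gets nothing rather than a more precise fallback.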
Location Privacy User Interfaces (UIs)
Lederer, Hong, Dey, Landay: Personal Privacy through Understanding and Action: Five Pitfalls for Designers. Personal and Ubiquitous Computing, Vol. 8, No. 6, Nov. 2004, pp. 440-454
Example: Confab/Lemming
• Configuration during use
• Built-in Plausible Deniability
Hong, J. I. and Landay, J. A. 2004. An architecture for privacy-sensitive ubiquitous computing. In Proc. 2nd Intl. Conf. on Mobile Systems, Applications, and Services (MobiSys ’04). ACM, pp. 177-189
Support for Continuous Services
Example UI: Google Latitude
• Reciprocal sharing with individual contacts
• Individual adjustments (hide, or only city level)
• Global (temporal) adjustments
– Manual override
– Disable
OPACITY TOOLS
Location Anonymity [Naïve Approach]
• Use random IDs that change periodically
– Trivial to trace
Plan B: Strong Pseudonyms [Won’t work either]
Why Pseudonyms Don’t Work
• Observation Identification (OI) Attack
– Correlate single identifiable observation with location pseudonym
– ATM use @ location -> Name for pseudonym
Observation Identification Attack
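The two claims on these slides, that periodically changing random IDs are trivial to trace and that a single identifiable observation then names the whole pseudonym chain, can be checked on paper before a scheme is deployed. The following added example (not code from the slides or from any cited work) is such a check: it simulates three constructed walking tracks reporting under fresh random IDs every period, links the reports purely by spatial continuity, scores the result against ground truth that only the simulation has, and finally applies one constructed “ATM withdrawal” observation. Track shapes, the reporting period, the speed bound and the observation are all assumptions.

```python
import math
import random

# Constructed ground truth: three people walking in straight lines, one report per period.
# The "owner" field exists only to score the result; an outside observer never sees it.
TRACKS = [
    [(5.0 * t, 0.0) for t in range(6)],          # owner 0: eastwards along y = 0
    [(200.0, 5.0 * t) for t in range(6)],        # owner 1: northwards at x = 200
    [(0.0, 200.0 + 5.0 * t) for t in range(6)],  # owner 2: northwards at x = 0
]


def simulate(tracks, seed=1):
    """Emit location reports under the naive scheme: a fresh random ID for every report."""
    rng = random.Random(seed)
    return [{"t": t, "x": x, "y": y, "id": rng.getrandbits(32), "owner": owner}
            for owner, track in enumerate(tracks) for t, (x, y) in enumerate(track)]


def dist(a, b):
    return math.hypot(a["x"] - b["x"], a["y"] - b["y"])


def link(reports, max_step):
    """Chain reports across consecutive periods by spatial continuity only: each chain is
    extended with the nearest unclaimed report of the next period, provided it lies within
    max_step (the farthest a person can plausibly move in one period)."""
    by_t = {}
    for r in reports:
        by_t.setdefault(r["t"], []).append(r)
    periods = sorted(by_t)
    chains = [[r] for r in by_t[periods[0]]]
    for t in periods[1:]:
        unclaimed = list(by_t[t])
        for chain in chains:
            last = chain[-1]
            if last["t"] != t - 1 or not unclaimed:
                continue
            nearest = min(unclaimed, key=lambda r: dist(last, r))
            if dist(last, nearest) <= max_step:
                chain.append(nearest)
                unclaimed.remove(nearest)
        chains.extend([r] for r in unclaimed)   # unmatched reports start new chains
    return chains


def linkage_accuracy(chains):
    """Fraction of chain links that join two reports of the same person (needs ground truth)."""
    links = [(a["owner"] == b["owner"]) for c in chains for a, b in zip(c, c[1:])]
    return sum(links) / len(links) if links else 0.0


def identify(chains, observation):
    """Observation identification as on the slide: one identifiable event (here a constructed
    ATM withdrawal at a known place and time) names every pseudonym in the chain passing there."""
    for chain in chains:
        if any(r["t"] == observation["t"] and dist(r, observation) <= observation["radius"]
               for r in chain):
            return {"name": observation["name"], "pseudonyms": [r["id"] for r in chain]}
    return None


if __name__ == "__main__":
    reports = simulate(TRACKS)
    chains = link(reports, max_step=10.0)
    print(f"{len(chains)} chains recovered, link accuracy {linkage_accuracy(chains):.0%}")
    atm = {"t": 3, "x": 15.0, "y": 0.0, "radius": 2.0, "name": "Bob (ATM withdrawal)"}
    print(identify(chains, atm))
```

With well-separated tracks the linkage is perfect, which is the “trivial to trace” point: a new ID per report hides nothing when consecutive reports are a few metres apart while other people are hundreds of metres away. The same function is the right tool for evaluating a proposed mitigation, such as coarser positions or a longer reporting interval, because linkage accuracy drops as reports from different people become spatially indistinguishable.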