Personal Privacy in Ubiquitous Computing - PowerPoint PPT Presentation


  1. Personal Privacy in Ubiquitous Computing
     Marc Langheinrich, Institute for Pervasive Computing, ETH Zurich, Switzerland

  2. Approaches to Ubicomp Privacy
     Disappearing Computer Troubadour Project (10/02 - 05/03)
     - Promote Absence of Protection as User Empowerment
       "It's maybe about letting them find their own ways of cheating"
     - Make it Someone Else's Problem
       "For [my colleague] it is more appropriate to think about [security and privacy] issues. It's not really the case in my case"
     - Insist that "Good Security" will Fix It
       "All you need is really good firewalls"
     - Conclude it is Incompatible with Ubiquitous Computing
       "I think you can't think of privacy... it's impossible, because if I do it, I have troubles with finding [a] Ubicomp future"
     11/29/2007 Personal Privacy in Ubiquitous Computing 2

  3. Today's Topics
     - What is Privacy and Why Should We Want It?
     - How do Future Smart Environments Challenge Existing Solutions?
     - How Less Security Can (Sometimes) Increase Privacy
     - Results of ETH/Hitachi-SDL cooperation 2006

  4. What is Privacy?
     - "The right to be let alone."
       Louis D. Brandeis (1856-1941), 1890 (Harvard Law Review)
     - "The desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitude and their behavior to others."
       Alan Westin ("Privacy And Freedom", 1967), Prof. Emeritus, Columbia University

  5. Why Privacy?
     - Reasons for Privacy
       - Free from Nuisance
       - Intimacy
       - Free to Decide for Oneself
     - By Another Name...
       - Data Protection
       - Informational Self-Determination
     Privacy isn't just about keeping secrets: data exchange and transparency are key issues!

  6. "But I've Got Nothing to Hide!" Do you?
     - Arson Near Youth House Niederwangen
       - At scene of crime: Migros tools
       - Court ordered disclosure of all 133 consumers who bought items on their supermarket loyalty card (8/2004)
       - (Arsonist not yet found)
     - "Give me six lines written by the most honorable of men, and I will find an excuse in them to hang him"
       Armand Jean du Plessis, 1585-1642 (a.k.a. Cardinal de Richelieu)

  7. Ubicomp Privacy Implications
     - Data Collection
       - Scale (everywhere, anytime)
       - Manner (inconspicuous, invisible)
       - Motivation (context!)
     - Data Types
       - Observational instead of factual data
     - Data Access
       - "The Internet of Things"

  8. How do we achieve privacy?

  9. Privacy – Not Just a Recent Fad
     - Justices Of The Peace Act (England, 1361)
       - Sentences for Eavesdropping and Peeping Toms
     - "The poorest man may in his cottage bid defiance to all the force of the crown. It may be frail; its roof may shake; ... but the king of England cannot enter; all his forces dare not cross the threshold of the ruined tenement"
       William Pitt the Elder (1708-1778)
     - First Data Protection Law in the World in Hesse, 1970

  10. The Fair Information Principles (FIP)
     - Drawn up by the OECD, 1980
       - "Organisation for Economic Cooperation and Development"
       - Voluntary guidelines for member states
       - Goal: ease transborder flow of goods (and information!)
     - Five Principles (simplified)
       1. Openness
       2. Data access and control
       3. Data security
       4. Collection Limitation
       5. Data subject's consent
     - Core principles of most modern privacy laws
     - Implication: Technical solutions must support FIP

  11. 1. Challenge: Openness
     - No Hidden Data Collection!
       - Legal requirement in many countries
     - Established Means: Privacy Policies
       - Who, what, why, how long, etc.
     - How to Publish Policies in Smart Environments?
       - Is a poster enough? A paragraph of fine print?
     - Too Many Transactions?
       - Countless announcements an annoyance

  12. 2. Challenge: Access & Control
     - Identifiable Data Must be Accessible
       - Users can review, change, sometimes delete
     - Collectors Must be Accountable
       - Privacy-aware storage technology
     - When Does Sensor Data Become Identifiable?
       - Even anonymized data can identify people (AOL case)
     - Who to Ask? How to Verify? How to Display?
       - Who was reading me when? Is this really my trace?

  13. 3. Challenge: Data Security
     - Traditional Approach: Centralistic Authentication
       - Powerful centralized system with known user list
       - Plan for worst case scenario (powerful attacker)
     - Numerous, Spontaneous Interactions
       - How do I know who I communicate with, who to trust?
       - How much extra time does "being secure" take?
     - Complex Real-World Situations
       - Access to my medical data in case of emergency?
     - Context-Dependent Security?
       - Based on battery power, data type, location, situation

  14. 4. Challenge: Data Minimization
     - Only collect as much information as needed
       - No in-advance data collection for future uses
     - Best: use anonymous/pseudonymous data
       - No consent, security, access needed
     - How much data is needed for becoming "smart"?
       - No useless data in smart environments (context!)
     - Sometimes one cannot hide!
       - Sensor data (biometrics) hard to anonymize

  15. 5. Challenge: Consent
     - Participation Requires Explicit Consent
       - Usually a signature or pressing a button
     - True Consent Requires True Choice
       - More than "take it or leave it", needs alternatives
     - How to Ask "On The Fly"?
       - The mobile phone as a background agent (legal issues?)
     - Consenting to What?
       - Do I understand the implications?
       - Do I have options?

  16. Ubicomp Challenges to Security & Privacy
     1. How to inform subjects about data collections?
     2. How to provide access to stored data?
     3. How to ensure confidentiality, integrity, and authenticity (w/o alienating user)?
     4. How to minimize data collection?
     5. How to obtain consent from data subjects?

  17. Public Concern over Unauthorized RFID Access

  18. Unauthorized RFID Access – Implications
     [Figure: the original "RFID-Man" artwork, (c) 2006 Ari Juels, RSA Laboratories, showing what an unauthorized reader could learn from a person's tagged items: Passport (Name: John Doe, Nationality: USA, Visa for: Israel); Wig (Model #2342, Material: Polyester); Tiger Tanga (Manufacturer: Woolworth, Washed: 736); Viagra (Manufacturer: Pfitzer, Extra Large Package); Wallet (Contents: 370 Euro); Disability Card: #2845]
     Our focus: Consumer items

  19. Killing Consumer Item RFID Tags
     - "Dead Tags Tell No Tales"
       - Permanently deactivate tag at checkout
     - Hard Kill
       - Cut tag antenna or "fry" circuit
     - Soft Kill (illustration: Metro RFID De-Activator)
       - Needs password to prevent unauthorized killing
     - Both Approaches Require Consumer Action
       - Also voids any post-sales benefits (returns, services, ...)
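The following is an added illustration, not code from the slides or from any RFID vendor. It models the "soft kill" idea on slide 19 as a toy tag object: the tag only executes a kill when the reader presents the correct kill password, a kill with a zero password is refused, and once killed the tag stops answering reads (which is why the slide notes that post-sales benefits such as returns are lost). The 32-bit password width and the zero-password rule are modelled on EPC Gen2 conventions and are assumptions of this example; the EPC string and the password values are constructed sample data.

```python
"""Toy model of a password-protected ("soft kill") RFID tag.

Assumptions of this added example (not stated on the slides):
  - a 32-bit kill password, as in EPC Gen2 tags
  - a tag whose kill password is zero cannot be killed at all
"""
from dataclasses import dataclass
import hmac

KILL_PASSWORD_BITS = 32
KILL_PASSWORD_MASK = (1 << KILL_PASSWORD_BITS) - 1


@dataclass
class Tag:
    epc: str                 # product identifier the tag answers with while alive
    kill_password: int       # secret written at manufacture, known to the retailer
    killed: bool = False
    failed_kills: int = 0    # a monitoring counter: repeated failures are a signal worth logging

    def inventory(self):
        """A reader's normal query: a live tag returns its EPC, a killed tag stays silent."""
        return None if self.killed else self.epc

    def kill(self, password: int) -> bool:
        """Execute the kill only when the presented password matches; report success."""
        if self.killed:
            return False                       # already dead, nothing to do
        if self.kill_password == 0:
            return False                       # zero password: kill disabled (assumed Gen2 rule)
        presented = (password & KILL_PASSWORD_MASK).to_bytes(4, "big")
        expected = (self.kill_password & KILL_PASSWORD_MASK).to_bytes(4, "big")
        # constant-time compare so timing does not leak which bytes matched
        if hmac.compare_digest(presented, expected):
            self.killed = True
            return True
        self.failed_kills += 1
        return False


def simulate_checkout(epc="urn:epc:id:sgtin:0614141.107346.2017",   # constructed sample EPC
                      kill_pw=0x1A2B3C4D,                           # constructed sample secret
                      wrong_pw=0x00000001):
    """Walk a tag through its life: readable on the shelf, an unauthorized kill attempt,
    then the retailer's deactivator at checkout, then a read attempt afterwards."""
    tag = Tag(epc=epc, kill_password=kill_pw)
    results = {}
    results["readable_before"] = tag.inventory() == epc
    results["unauthorized_kill"] = tag.kill(wrong_pw)   # a reader without the secret
    results["authorized_kill"] = tag.kill(kill_pw)      # the point-of-sale de-activator
    results["readable_after"] = tag.inventory() is not None
    results["second_kill"] = tag.kill(kill_pw)          # a dead tag ignores further kills
    results["failed_attempts"] = tag.failed_kills
    return results


def kill_disabled_tag():
    """A tag shipped with a zero kill password cannot be deactivated even with 'the right' value."""
    return Tag(epc="constructed-epc", kill_password=0).kill(0)


if __name__ == "__main__":
    for key, value in simulate_checkout().items():
        print(f"{key:>18}: {value}")
    print(f"{'zero-pw kill':>18}: {kill_disabled_tag()}")
```

The `failed_kills` counter is the defender's side of the same mechanism: a reader that repeatedly presents wrong passwords is exactly the event a store's RFID infrastructure should log and alert on, while the constant-time comparison keeps the password check itself from leaking information through response timing.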
