Sony, January 2002
Privacy in Ubiquitous Systems
Marc Langheinrich, ETH Zurich, Switzerland
www.inf.ethz.ch/~langhein
Section: Privacy by Design
3/15/2002
Section: Introduction
Slide 2: About the ETH Zurich
Swiss Federal Institute of Technology (ETH)
– Founded 1854
– 330 Professors (40% non-Swiss)
– 12,000 Students (Computer Science: ~900)
Department of Computer Science
– 23 Professors, ~120 PhD Students
– Prof. Em. Niklaus Wirth (Pascal, Modula)
Zurich, Switzerland
– Population: some 350,000 (All of Switzerland: 7.5 Million)
– Only 1 hour to the Alps!
Slide 3: The Distributed Systems Group
Established 1999
– Prof. Friedemann Mattern (TH Darmstadt)
– 12 PhD Students
Infrastructure for Ubiquitous Computing
– Services Description & Discovery
– Communications
– Location
– Reliability, Security, Privacy
Slide 4: Projects & Partners
Swiss National Fund (“Terminodes”)
– Infrastructureless communications
European Union (partners from UK, DE, FI, …)
– “Smart-Its” (sensor networks)
– Ubicomp in health sector, application pending
Ladenburg Symposium (Daimler Foundation)
– Ubicomp in the social sciences, law
M-Lab (together with Univ. St. Gallen, MIT)
– Ubicomp in business (supply chain management)
“ETH World”
– The future (virtual) campus of the ETH
Slide 5: Contents
Privacy primer
– Does privacy matter?
Privacy in ubiquitous systems
– What’s so different about it?
Challenges
– Issues to address in ubicomp systems
Privacy-aware infrastructures
– A first attempt
Section: 1. Privacy Primer
Slide 6: Just a Modern Fad?
“All this secrecy is making life harder, more expensive, dangerous...” – Peter Cochrane, former head of BT Research
“You have zero privacy anyway” – Scott McNealy, CEO Sun Microsystems
“By 2010, privacy will become a meaningless concept in western society” – Gartner Report, 2000
Slide 7: Privacy – a Human Need?
References in the Bible
Justices of the Peace Act (England 1361)
– Provides for arrest of Peeping Toms and eavesdroppers
Privacy is a human right
– Universal Declaration of Human Rights, article 12 (1948)
– European Convention on Human Rights, article 8 (1970)
Slide 8: Legal Realities Today
Legislation varies around the world
– Sectoral & self-regulation approach in US, Japan
– Comprehensive laws for government and industry in Europe, Canada, Australia, Hong Kong
EU Directive 95/46/EC
– Limits data collection
– Requires comprehensive disclosures
– Prohibits data export to “unsafe” countries
  • Prompted legislative updates worldwide
Section: 2. Privacy in Ubicomp
Slide 9: Contents (agenda repeated; see Slide 5)
Slide 10: Aspects of Privacy
Anonymity
– Authentication & Routing
Security
– Encryption & Communication Hiding
Transparency & Control
– Trust-Labels, Signatures, Protocols (P3P)
How much of this works in ubicomp?
Slide 11: Unlimited Coverage
The Web: covers our digital life
– Shopping, chatting, news reading
Ubicomp: real-world deployment!
– Home, School, Office, Public Spaces, ...
Covers all of our life, comprehensively!
– Day in, day out – from cradle to grave
No switch to turn it off?
– Constant, seamless surveillance possible
Slide 12: Loss of Awareness
Surveillance and data collection today
– Stores, credit card applications, sweepstakes
Ubicomp: invisible computing
– Computers disappear into the environment
When am I giving out data?
– Fingerprint could be taken without notice
When am I under surveillance?
– Life recorders, room computers, smart cups
Slide 13: New Types of Data
Last 50 years of data collection
– Identity, contact info, preferences, …
Ubicomp: advanced sensors
– New data (location, health, habits, …)
– More detailed & precise (24/7)
Does the system know more than I?
– Body sensors detect moods
– Nervous? Floor & seat sensors, eye tracker
Slide 14: More Data, More Knowledge
Traditional data, traditional use
– Compiling mailing lists, predicting trends, …
Ubicomp: smartness through context
– Context is distilled sensory information
Encourages increased data collection
– More data means more, better context
Innocuous data can lead to new knowledge
– Data mining: more than the sum of its parts
Section: 3. Challenges
Slide 15: Contents (agenda repeated; see Slide 5)
Slide 16: 1. Notice
No hidden data collection!
– Legal requirement in many countries
Established means: privacy policies
– Who, what, why, how long, etc. ...
How to publish policies in Ubicomp?
– Periodic broadcasts
– Privacy service?
Too many devices?
– Countless announcements an annoyance
Slide 17: 2. Choice & Consent
Laws require explicit consent by user
– Usually a signature or pressing a button
True consent requires true choice
– More than “take it or leave it”
How to ask without a screen?
– Designing UIs for embedded systems, or
– Finding means of delegation (is this legal?)
Providing conditional services
– Can there be levels of location tracking?
Slide 18: 3. Anonymity, Pseudonymity
Anonymous data comes cheap
– No consent, security, access needed
Pseudonyms allow for customization
– User can discard at any time
Sometimes one cannot hide!
– No anonymizing cameras & microphones
Real-world data hard to anonymize
– Even pseudonyms can reveal true identity
Slide 19: 4. Meeting Expectations
Ubicomp: invisibly augments the real world
Old habits adapt slowly (if ever)
– People expect solitude to mean privacy
– Strangers usually don’t know me
No spying, please (Proximity)
– Devices only record if owner is present
Rumors should not spread (Locality)
– Local information stays local
– Walls and flower pots can talk (but won’t do so over the phone)
Slide 20: 5. Security
No one-size-fits-all solutions
– High security for back-end storage
– Low security for low-power sensors
Real world has complex situation-dependent security requirements
– Free access to medical data in emergency situations
Context-specific security?
– Depending on device battery status
– Depending on types of data, transmission
– Depending on locality, situation
Slide 21: 6. Access & Recourse
Identifiable data must be accessible
– Users can review, change, sometimes delete
Collectors must be accountable
– Privacy-aware storage technology?
Ubicomp applications like lots of data
– Increased need for accounting and access
Carefully consider what is relevant
– How much data do I really need?
Section: 4. Privacy Infrastructures
Slide 22: Contents (agenda repeated; see Slide 5)
Slide 23: Privacy Infrastructures (architecture diagram)
Components shown in the diagram:
– The Internet
– PA (Privacy Assistant) and its PA Counterpart
– Privacy Beacon
– Devices: Printer Counterpart, Camera Counterpart
– Privacy Policy: Accept / Decline
Slide 24: Privacy Infrastructures
Project Status
– Started Aug 2001
– Currently implementing initial components
Challenges
– Policy broadcasts, privacy services, user interface, data management, ...
Goals
– Operational prototype for trying out new concepts
Slide 25: Privacy Infrastructures
Current activities
– Backend storage (privacy-aware database)
– Policy/data exchange protocol and management (application server)
– Preferences editor (APPEL)
– Development tools (testing & verification)
Next steps
– Low-level protocols (anonymity, power efficiency, …)
– Privacy assistant design (handheld)
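The notice and consent challenges (Slides 16 and 17) and the beacon/assistant design (Slides 23 to 25), as an added example that is not the project's own code: a Privacy Assistant parses a Privacy Beacon announcement (who, what, why, how long) and accepts or declines it against the user's stored preferences, declining by default when the notice is incomplete. The field names, the preference rule format and the sample devices are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Policy:
    """What a Privacy Beacon announces: who collects, what, why, how long (field names assumed)."""
    who: str
    what: frozenset
    why: frozenset
    retention_days: int

@dataclass
class Preferences:
    """User-side rules held by the Privacy Assistant (a simplified, APPEL-like preference set)."""
    allowed_purposes: dict    # data category -> set of purposes the user accepts
    max_retention_days: dict  # data category -> longest retention the user accepts
    blocked_collectors: set = field(default_factory=set)

REQUIRED = ("who", "what", "why", "retention_days")

def parse_announcement(msg):
    """Beacon announcement (dict) -> Policy, or None when the notice is incomplete."""
    if any(k not in msg for k in REQUIRED):
        return None
    return Policy(msg["who"], frozenset(msg["what"]), frozenset(msg["why"]), int(msg["retention_days"]))

def decide(policy, prefs):
    """Return ('accept', []) or ('decline', reasons); any mismatch or missing notice declines."""
    if policy is None:
        return "decline", ["incomplete notice: no hidden data collection accepted"]
    reasons = []
    if policy.who in prefs.blocked_collectors:
        reasons.append(f"collector {policy.who} is blocked")
    for cat in sorted(policy.what):
        bad = policy.why - prefs.allowed_purposes.get(cat, set())   # purposes not consented to
        if bad:
            reasons.append(f"{cat}: purpose(s) {sorted(bad)} not allowed")
        limit = prefs.max_retention_days.get(cat, 0)                # unknown category: keep nothing
        if policy.retention_days > limit:
            reasons.append(f"{cat}: retention {policy.retention_days}d exceeds {limit}d")
    return ("accept", []) if not reasons else ("decline", reasons)

# Constructed sample data (not from the slides): one user's preferences and three announcements.
PREFS = Preferences(allowed_purposes={"location": {"room-booking"}, "print-jobs": {"billing"}},
                    max_retention_days={"location": 1, "print-jobs": 30})
CAMERA = {"who": "room-camera", "what": ["location", "video"], "why": ["room-booking"], "retention_days": 1}
PRINTER = {"who": "printer-3", "what": ["print-jobs"], "why": ["billing"], "retention_days": 30}
HIDDEN = {"who": "unknown-sensor", "what": ["location"]}   # announces no purpose or retention

if __name__ == "__main__":
    for name, msg in (("camera", CAMERA), ("printer", PRINTER), ("hidden", HIDDEN)):
        print(name, decide(parse_announcement(msg), PREFS))
```

The camera is declined only because of the video category it did not get consent for; a beacon that announces location alone with the same purpose and retention would be accepted.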
Section: Summary & Conclusions
Slide 26: The Take Home Message
Many questions, few answers
– Technology, laws still to evolve
Ubicomp adds a new quality to privacy
– Invisible, real-world coverage, comprehensive collection, inconspicuous
Ubicomp (privacy) challenges
– User interface (notice, choice, consent)
– Protocols (anonymity, security, access)
– Social acceptance (user expectations)
Slide 27: Conference announcement (www.pervasive2002.org)
ETH Zurich & IBM Research, www.pervasive2002.org
Topics:
– System architectures and platforms for pervasive computing
– Mobile, wireless, and wearable technologies
– Emerging applications and mobile business issues
– Scenarios for information appliances
– Content distribution and delivery
– User interfaces for invisible and embedded computing
– Context awareness
– Security and privacy issues
Paper submissions due February 22, 2002