Protecting People Location Information

September 29, 2002

Urs Hengartner & Peter Steenkiste

Motivation

• Ubiquitous computing relies on location information.
• Location information is sensitive.
  – Location activity
• Access to it needs to be protected in location policies.
• What properties need to be controllable in policies?
• How do different environments influence policy specification?

Overview

• Location policies
• Different environments
• Prototype of secure location system
• Conclusions

User vs. Room Policies

• Two types of queries:
  – User query
    • Where is Alice?
  – Room query
    • Who is in CMU Wean Hall 8220?
• Two types of policies:
  – User policy
  – Room policy

Controllable Properties

• Granularity
  – CMU Campus vs. CMU Wean Hall 8220
  – Alice vs. someone
• Subject
  – Alice, Bob’s friends, tracking service

Controllable Properties (cont.)

• Time intervals
  – During weekdays only
• Location/Users
  – Return my location only if I’m in my office.
  – Return people in my office only if it is Alice or Bob.

Additional properties should be possible!

Transitivity

Should Bob be able to forward his access right?

– Carol: “Bob can locate me.”
– Bob: “Alice can locate Carol.”

Transitivity (cont.)

• Should access rights be transitive?
• Depends on environment.
• Location system should selectively support transitivity.
• Non-transitivity can be circumvented.
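
The forwarding question from the two Transitivity slides, as an added Python example that is not part of the original talk or its prototype. The `Grant` record, its `delegable` flag and the function names are assumptions chosen to show transitivity being supported selectively, one grant at a time.

```python
from dataclasses import dataclass

# Added illustration: the Grant record and its field names are assumptions,
# not the certificate format of the prototype described in these slides.
@dataclass(frozen=True)
class Grant:
    issuer: str      # principal who states the grant
    subject: str     # principal who receives the access right
    target: str      # person whose location may be queried
    delegable: bool  # may the subject forward the right to others?

def may_locate(grants, subject, target):
    """Return True if a chain of grants rooted at `target` reaches `subject`.

    The target is the root of every chain. A grant only counts when its
    issuer is the target or holds a delegable grant, so forwarding is
    honoured selectively, one grant at a time.
    """
    holders = {target}      # principals allowed to locate the target
    forwarders = {target}   # principals whose own grants are honoured
    changed = True
    while changed:          # fixed point, so grant order and cycles are harmless
        changed = False
        for g in grants:
            if g.target != target or g.issuer not in forwarders:
                continue
            if g.subject not in holders:
                holders.add(g.subject)
                changed = True
            if g.delegable and g.subject not in forwarders:
                forwarders.add(g.subject)
                changed = True
    return subject in holders

def slide_scenario(bob_may_forward):
    """Constructed data: Carol's and Bob's statements from the slide."""
    return [
        Grant("Carol", "Bob", "Carol", delegable=bob_may_forward),
        Grant("Bob", "Alice", "Carol", delegable=False),
    ]

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, may_locate(slide_scenario(flag), "Alice", "Carol"))
```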

Conflicting Policies

– Carol’s office: “Bob can locate people in my office”
– Alice: “Bob cannot locate me”
– Bob: “Who is in Carol’s office?”

Should Bob learn about Alice’s location?

Resolving Conflicts

• Prioritization:
  – Check user policy for user queries.
  – Check room policy for room queries.
• Intersection:
  – Check both room and user policy for any query.
• Synchronization:
  – Establish user and room policies in a synchronized way.

Best approach depends on environment.
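
The Conflicting Policies scenario evaluated under prioritization and under intersection, as an added Python example that is not part of the original talk or its prototype. The policy tables, the presence data and the function names are assumptions; synchronization concerns how policies are established rather than how a query is checked, so it is not modeled here.

```python
# Added illustration: the dictionaries below are constructed sample data and
# the function names are assumptions, not the prototype's interface.
USER_POLICY = {"Alice": set(), "Carol": {"Bob"}}   # user -> who may locate them
ROOM_POLICY = {"Carol's office": {"Bob"}}          # room -> who may list occupants
PRESENCE = {"Alice": "Carol's office", "Carol": "Carol's office"}

def user_allows(subject, user):
    return subject in USER_POLICY.get(user, set())

def room_allows(subject, room):
    return subject in ROOM_POLICY.get(room, set())

def room_query(subject, room, mode):
    """Who is in `room`? Returns the occupants `subject` may learn about."""
    if mode not in ("prioritization", "intersection"):
        raise ValueError(mode)
    if not room_allows(subject, room):
        return []
    occupants = sorted(u for u, r in PRESENCE.items() if r == room)
    if mode == "prioritization":      # room policy alone decides room queries
        return occupants
    # intersection: each occupant's user policy must also admit the subject
    return [u for u in occupants if user_allows(subject, u)]

def user_query(subject, user, mode):
    """Where is `user`? Returns the room, or None if the answer is withheld."""
    if mode not in ("prioritization", "intersection"):
        raise ValueError(mode)
    room = PRESENCE.get(user)
    if room is None or not user_allows(subject, user):
        return None                   # user policy always applies to user queries
    if mode == "intersection" and not room_allows(subject, room):
        return None                   # room policy must agree as well
    return room
```

Under prioritization Bob's user query for Alice is refused while his room query for Carol's office still lists her, which is the conflict on the previous slide; intersection closes that gap.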

Individual vs. Institutional Definition

• Different entities can define policies:
  – Individuals:
    • User policy User
    • Room policy Room “owner”
  – Institution (central authority)
• Which one depends on environment.
• Combined specification should be possible.

Environments - Military

Security based on labeling and clearances.

• Definition
  – Policies are specified by central authority.
• Transitivity
  – Policies are non-transitive.
• Conflicts
  – Both user and room policies need to be checked for any query.

Environments - Hospital

Multilateral security model.

• Definition
  – Most policies are specified by central authority.
  – Patients can give additional people access in user policy.
• Transitivity
  – Patient policies can be transitive.
• Conflicts
  – Synchronization of user and room policies is not necessary.

Environments - University

Institution cares less about security.

• Definition
  – User policies and room policies for offices are specified by individuals.
• Transitivity
  – User policies are transitive, room policies probably not.
• Conflicts
  – Have user and room policies become synchronized for lecture halls.

Prototype

• People location system for university environment.
• Multiple front ends.
• Digital certificates for expressing location policies.
  – transparent to users.
• Location system exploits
  – calendar information,
  – Finger service,
  – wireless network access points.

Status

• Emphasis on user queries
• Controllable properties
  – Subject, Granularity
  – Soon: Location, Time
• Transitivity
  – supported by back end
• Conflicts
  – configurable option
• Definition
  – by individuals

Evaluation

• Evaluation of prototype with real users (in progress).
• Questions:
  – What kind of policies are specified?
  – What features are used/requested?
  – How is location system used?

Conclusions

• Location information needs to be protected.
• Location policies should provide control over multiple properties.
• Policy-related issues are dealt with differently in different environments.
• Location policies and system thus need to be flexible.
• How should society deal with ubiquitous location information?