Protecting People Location Information
September 29, 2002
Urs Hengartner & Peter Steenkiste
2
Motivation
• Ubiquitous computing relies on location information.
• Location information is sensitive.
  – Location reveals activity.
• Access to it needs to be protected by location policies.
• What properties need to be controllable in policies?
• How do different environments influence policy specification?
3
Overview
• Location policies
• Different environments
• Prototype of a secure location system
• Conclusions
4
User vs. Room Policies
• Two types of queries:
  – User query
    • Where is Alice?
  – Room query
    • Who is in CMU Wean Hall 8220?
• Two types of policies:
  – User policy
  – Room policy
5
Controllable Properties
• Granularity
  – CMU Campus vs. CMU Wean Hall 8220
  – Alice vs. someone
• Subject
  – Alice, Bob's friends, tracking service
6
Controllable Properties (cont.)
• Time intervals
  – During weekdays only
• Location/Users
  – Return my location only if I'm in my office.
  – Return people in my office only if it is Alice or Bob.
Additional properties should be possible!
7
Transitivity
Should Bob be able to forward his access right?
[Figure: Carol's user policy states "Bob can locate me." Bob forwards this right to Alice: "Alice can locate Carol."]
8
Transitivity (cont.)
• Should access rights be transitive?
• Depends on environment.
• Location system should selectively support transitivity.
• Non-transitivity can be circumvented (a grantee can always run the query himself and relay the answer out of band).
9
Conflicting Policies
[Figure: Carol's room policy for Carol's office states "Bob can locate people in my office." Alice's user policy states "Bob cannot locate me." Alice is in Carol's office, and Bob asks "Who is in Carol's office?"]
Should Bob learn about Alice's location?
10
Resolving Conflicts
• Prioritization:
  – Check user policy for user queries.
  – Check room policy for room queries.
• Intersection:
  – Check both room and user policy for any query.
• Synchronization:
  – Establish user and room policies in a synchronized way.
Best approach depends on environment.
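The following is an added example that is not part of the original talk or the authors' prototype: a toy location-policy checker that models the user and room policies above, the forwarded (transitive) access rights of the Transitivity slides, and the prioritization, intersection and synchronization approaches of this slide. The names, the sample world (Alice sitting in Carol's office), the `Policy` representation and the delegation map are all assumptions made for illustration.

```python
"""Added example (not from the original slides): a toy location-policy
checker for user vs. room policies, transitive (forwarded) access rights,
and the prioritization / intersection / synchronization approaches to
conflicting policies. Names and the sample world are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Policy:
    """Who may learn location information about a user (user policy)
    or about a room (room policy)."""
    allowed: Set[str]                      # subjects granted access directly
    transitive: bool = False               # may grantees forward their right?
    delegations: Dict[str, Set[str]] = field(default_factory=dict)  # grantor -> grantees


def has_right(policy: Policy, subject: str) -> bool:
    """True if `subject` holds a right directly, or (for a transitive policy)
    via a chain of delegations starting at a directly allowed subject."""
    if subject in policy.allowed:
        return True
    if not policy.transitive:
        return False                        # forwarded rights are simply ignored
    frontier, seen = list(policy.allowed), set(policy.allowed)
    while frontier:                         # graph walk over delegations, cycle-safe
        holder = frontier.pop()
        for grantee in policy.delegations.get(holder, set()):
            if grantee == subject:
                return True
            if grantee not in seen:
                seen.add(grantee)
                frontier.append(grantee)
    return False


# Constructed sample world (hypothetical): Alice is sitting in Carol's office.
LOCATIONS: Dict[str, str] = {
    "Alice": "Carol's office",
    "Carol": "Carol's office",
    "Dave": "Wean Hall 8220",
}
USER_POLICIES: Dict[str, Policy] = {
    "Alice": Policy(allowed={"Dave"}),                       # Bob cannot locate Alice
    # Carol lets Bob locate her and allows forwarding; Bob has forwarded to Alice.
    "Carol": Policy(allowed={"Bob"}, transitive=True, delegations={"Bob": {"Alice"}}),
    "Dave": Policy(allowed=set()),
}
ROOM_POLICIES: Dict[str, Policy] = {
    "Carol's office": Policy(allowed={"Bob"}),               # Bob can locate people in Carol's office
    "Wean Hall 8220": Policy(allowed={"Alice", "Bob"}),
}


def user_query(requester: str, target: str, mode: str) -> Optional[str]:
    """'Where is target?' Returns the room, or None if policy denies it."""
    room = LOCATIONS.get(target)
    if room is None:
        return None
    ok_user = has_right(USER_POLICIES[target], requester)
    if mode == "prioritization":            # user queries consult the user policy only
        return room if ok_user else None
    if mode == "intersection":              # both the user and the room policy must agree
        return room if ok_user and has_right(ROOM_POLICIES[room], requester) else None
    raise ValueError(f"unknown conflict-resolution mode: {mode}")


def room_query(requester: str, room: str, mode: str) -> Set[str]:
    """'Who is in room?' Returns the occupants the requester may see."""
    if not has_right(ROOM_POLICIES[room], requester):
        return set()
    occupants = {u for u, r in LOCATIONS.items() if r == room}
    if mode == "prioritization":            # room queries consult the room policy only,
        return occupants                    # so Alice is revealed despite her user policy
    if mode == "intersection":
        return {u for u in occupants if has_right(USER_POLICIES[u], requester)}
    raise ValueError(f"unknown conflict-resolution mode: {mode}")


def unsynchronized(room: str, subject: str) -> Set[str]:
    """Synchronization check: occupants of `room` whose own user policy denies
    `subject` although the room policy grants it. A non-empty result is a
    conflict the owner or administrator should resolve when setting policies."""
    if not has_right(ROOM_POLICIES[room], subject):
        return set()
    return {u for u, r in LOCATIONS.items()
            if r == room and not has_right(USER_POLICIES[u], subject)}


if __name__ == "__main__":
    print(user_query("Bob", "Alice", "prioritization"))           # None
    print(room_query("Bob", "Carol's office", "prioritization"))  # {'Alice', 'Carol'}: Alice leaks
    print(room_query("Bob", "Carol's office", "intersection"))    # {'Carol'}
    print(user_query("Alice", "Carol", "prioritization"))         # Carol's office (via Bob's forwarding)
    print(unsynchronized("Carol's office", "Bob"))                # {'Alice'}
```

The two runtime modes show the trade-off the slide names: prioritization answers each query from one policy and therefore lets a room query disclose Alice, while intersection is stricter and also blocks legitimate user queries when the room owner's policy does not list the requester. `unsynchronized` is the check a synchronization approach would run at policy-definition time rather than at query time.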
11
Individual vs. Institutional Definition
• Different entities can define policies:
  – Individuals:
    • User policy: the user
    • Room policy: the room "owner"
  – Institution (central authority)
• Which one depends on environment.
• Combined specification should be possible.
12
Environments - Military
Security based on labeling and clearances.
• Definition
  – Policies are specified by central authority.
• Transitivity
  – Policies are non-transitive.
• Conflicts
  – Both user and room policies need to be checked for any query.
13
Environments - Hospital
Multilateral security model.
• Definition
  – Most policies are specified by central authority.
  – Patients can give additional people access in their user policy.
• Transitivity
  – Patient policies can be transitive.
• Conflicts
  – Synchronization of user and room policies is not necessary.
14
Environments - University
Institution cares less about security.
• Definition
  – User policies and room policies for offices are specified by individuals.
• Transitivity
  – User policies are transitive, room policies probably not.
• Conflicts
  – User and room policies should be synchronized for lecture halls.
15
Prototype
• People location system for a university environment.
• Multiple front ends.
• Digital certificates for expressing location policies.
  – Transparent to users.
• Location system exploits
  – calendar information,
  – Finger service,
  – wireless network access points.
16
Status
• Emphasis on user queries
• Controllable properties
  – Subject, Granularity
  – Soon: Location, Time
• Transitivity
  – Supported by back end
• Conflicts
  – Configurable option
• Definition
  – By individuals
17
Evaluation
• Evaluation of prototype with real users (in progress).
• Questions:
  – What kind of policies are specified?
  – What features are used/requested?
  – How is the location system used?
18
Conclusions
• Location information needs to be protected.
• Location policies should provide control over multiple properties.
• Policy-related issues are dealt with differently in different environments.
• Location policies and the location system thus need to be flexible.
• How should society deal with ubiquitous location information?