Personalization in privacy-aware highly dynamic systems Evica Ilieva Supervisor: Gerrit Kahl

Page 1: Personalization in privacy-aware highly dynamic systemsmfeld/PUX12/Slides_Ilieva.pdf · 2012-06-27 · References [1] Raub, D. and Steinwandt, R. An algebra for enterprise privacy

Personalization in privacy-aware highly dynamic systems Evica Ilieva

Supervisor: Gerrit Kahl

Page 2

Zite – Personalized Magazine

Page 3

Personalization on the Internet

Page 4

Personalization Pyramid

Page 5

Page 6

Outline

• Motivation

• HDS in stationary retailing

• Personalization improvement

• Risks of personalization

• Privacy improvement in HDS

• Related Work

• Conclusion

Page 7

What is HDS?

• Highly dynamic system – HDS

• Collection of nodes

• heterogeneous

• decentralized

• Components

• enter and leave the system spontaneously

• autonomous in their actions

Page 8

HDS in Stationary Retailing

• Benefits

• Electronic one-to-one communication

• Collection of context data

• Effectively and cheaply

• Improve customer satisfaction

Page 9

Future Retail

Page 10

Future Retail and Personalization Pyramid

Figure labels (diagram): Suggestion based on previous purchases; Warnings to allergy sufferers; Optimization of the route through the store; Special offers; Purchasing suggestion; Controlling expenditure; Position in the market; Information about product; Personalized automatic checkouts

Page 11

Outline

• Motivation

• HDS in stationary retailing

• Personalization improvement

• Risks of personalization

• Privacy improvement in HDS

• Related Work

• Conclusion

Page 12

Data Collection in HDS

Extensive data collection

Unobservable data collection

Page 13

Data Collection in HDS

• Data is increasingly collected

• Without any indication

• Without any predefined purpose

• Collected data are persistent

• Different devices record events simultaneously

• Multiple events are registered simultaneously

• Undermines the users’ desire to control personal data

Page 14

Risk of Personalization

• RFID-tagged articles

• Video surveillance

• Customer loyalty cards

• Embedded RFID tags

Stopped the RFID-based surveillance

Dropped the use of RFID tags in cards

Page 15

According to a survey of more than 1,000 U.S. customers, two-thirds identified the likelihood that RFID would lead to their data being shared with third parties as a major concern.

Customers' concerns regarding RFID and privacy

Page 16

Privacy and Transparency

Page 17

Privacy problems in HDS

• increasing complexity of modeling the system

• hinders the proof of its behavior

• assignment of a formulated privacy policy to personal data is impossible

Page 18

Outline

• Motivation

• HDS in stationary retailing

• Personalization improvement

• Risks of personalization

• Privacy improvement in HDS

• Related Work

• Conclusion

Page 19

Transparency in HDS

Technology for detection

Enforceable privacy contracts

Page 20

Privacy evidence creation

Overview diagram: Policies; Evidence Creation; Privacy Evidence; Log View; Secure Logging

Page 21

Policies

• P3P – the Platform for Privacy Preferences

• XML specifications

• what kind of data is to be stored

• how data is to be used

• its permanence and visibility

• Cannot express

• composed privacy policies

• policies involving

• multiple departments

• hierarchical departments

Page 22

Novel Algebraic Privacy Specification (NAPS) [1]

• Offers conjunction

• Offers composition

• Scoping operators

• Exhibits desirable algebraic properties

• Allows a distributed evaluation of composed policies

Page 23

Privacy evidence creation

Overview diagram: Policies; Evidence Creation; Privacy Evidence; Log View; Secure Logging

Page 24

Authenticity of log data

Confidentiality

Integrity

Uniqueness

• Standard logging mechanisms fail

• Secure logging is required

Page 25

Secure Logging Realization [2][3]

Page 26

Privacy evidence creation

Overview diagram: Policies; Evidence Creation; Privacy Evidence; Log View; Secure Logging

Page 27

Log Views

• Compilations of log entries encompassing all data collected about a user

• In a P3P/EPAL setting

• Log View is a query on log file

• In HDS

• large variety of events

• recorded as isolated pieces of information

• follow unspecified, unforeseen, and chaotic patterns
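The secure-logging requirements of Page 24 (authenticity, confidentiality, integrity, uniqueness; realized per [2][3]) and the log view of Page 27 (a query over the log file) in one added example that is not part of the slides nor the cited schemes: a simplified forward-secure audit log in the style of Schneier and Kelsey, where each entry is encrypted under a per-entry key, hash-chained to its predecessor and MACed under an evolving key A_j that the logger discards after use, so an auditor holding A_0 can verify and decrypt the whole log, and the log view is a filter over the recovered entries. The key schedule, the SHAKE-based toy cipher and the retail events are constructed assumptions for this illustration.

```python
import hashlib, hmac, json

def evolve(key: bytes) -> bytes:
    # A_{j+1} = H("evolve" || A_j); the logger discards A_j afterwards, so a
    # later compromise of the logging node cannot forge or re-MAC old entries.
    return hashlib.sha256(b"evolve|" + key).digest()

class SecureLog:
    def __init__(self, a0: bytes):
        self.key, self.prev, self.entries = a0, b"\x00" * 32, []

    def append(self, event: dict) -> None:
        data = json.dumps(event, sort_keys=True).encode()
        ks = hashlib.shake_256(b"enc|" + self.key).digest(len(data))  # toy per-entry keystream (confidentiality)
        ct = bytes(p ^ k for p, k in zip(data, ks))
        link = hashlib.sha256(self.prev + ct).digest()              # hash chain (integrity, uniqueness, order)
        tag = hmac.new(self.key, link, hashlib.sha256).digest()     # MAC under A_j (authenticity)
        self.entries.append((ct, link, tag))
        self.prev, self.key = link, evolve(self.key)                # forward security: A_j is gone

def verify_and_decrypt(entries, a0: bytes):
    # The auditor (e.g. a privacy authority) holds A_0 and replays the key schedule.
    key, prev, events = a0, b"\x00" * 32, []
    for ct, link, tag in entries:
        expect_tag = hmac.new(key, link, hashlib.sha256).digest()
        if link != hashlib.sha256(prev + ct).digest() or not hmac.compare_digest(tag, expect_tag):
            return False, events            # modified, reordered or truncated-then-extended log detected
        ks = hashlib.shake_256(b"enc|" + key).digest(len(ct))
        events.append(json.loads(bytes(c ^ k for c, k in zip(ct, ks))))
        prev, key = link, evolve(key)
    return True, events

def log_view(events, user_id: str):
    # Log view: the query that compiles every entry collected about one user.
    return [e for e in events if e.get("user") == user_id]

def demo():
    a0 = hashlib.sha256(b"constructed initial secret A0").digest()        # constructed sample key
    log = SecureLog(a0)
    for ev in [{"user": "c42", "node": "rfid-gate-1", "event": "enter"},  # constructed retail events
               {"user": "c17", "node": "shelf-cam-3", "event": "dwell"},
               {"user": "c42", "node": "checkout-2", "event": "pay", "amount": 12.5}]:
        log.append(ev)
    ok, events = verify_and_decrypt(log.entries, a0)
    ct, link, tag = log.entries[1]                     # flip one ciphertext bit after the fact
    tampered = log.entries[:1] + [(ct[:-1] + bytes([ct[-1] ^ 1]), link, tag)] + log.entries[2:]
    return ok, len(log_view(events, "c42")), verify_and_decrypt(tampered, a0)[0]
```

Deleting the last entries still passes this check, which is why [2] additionally closes the log with a final authenticated entry.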

Page 28

Techniques

• Guessing particular situations

• Measuring their plausibility against known facts

• Extensive data mining

• Results

• can doubtlessly be associated with the corresponding customer

• probabilistic estimation

• Completeness of evidence generated - unresolved issue

Page 29

Outline

• Motivation

• HDS in stationary retailing

• Personalization improvement

• Risks of personalization

• Privacy improvement in HDS

• Related Work

• Conclusion

Page 30

Privacy Evidence Workflow [4]

Workflow diagram with the elements: Dynamic System; (1) PA; Log File; (2) Log View; (3) Client; (4) Audit; (5) Privacy Evidence

Page 31

Privacy Evidence Creation [4]

• Policy Language

• access and collection acts

• provisions and obligations

• Secure Logging

• Similar to the previously shown proposal

• LogViews

• Answer to question

• Which? Who? How?

• Automated Audits

• Violations of rules are shown to the user

• How rules are violated

• Tests within an airport

Page 32

Outline

• Motivation

• HDS in stationary retailing

• Personalization improvement

• Risks of personalization

• Privacy improvement in HDS

• Related Work

• Conclusion

Page 33

Conclusion

• HDS enable several novel ways to increase personalization

• Extensive data collection is necessary

• Raises privacy concerns

• Transparency - reasonable way to maintain privacy

• An initial step – concept of privacy evidence

Page 34

Conclusion

Page 35

Summary

Page 36

Page 37

References

[1] Raub, D. and Steinwandt, R. An algebra for enterprise privacy policies closed under composition and conjunction. In G. Müller, Ed. ETRICS 2006, Lecture Notes in Computer Science 3995, Springer-Verlag, 2006.

[2] Schneier, B. and Kelsey, J. Security audit logs to support computer forensics. ACM Transactions on Information and System Security 2, 2 (May 1999), 159–176.

[3] Accorsi, R. On the relationship of privacy and secure remote logging in dynamic systems. In S. Fischer-Hübner et al., Eds., Proceedings of the IFIP International Federation for Information Processing, Volume 201, Security and Privacy in Dynamic Environments, Springer-Verlag, 2006, pp. 329–338.

[4] Accorsi, R. Automated Privacy Audits to Complement the Notion of Control for Identity Management.