
Page 1: Privacy in Ubiquitous Systems - ETH Z · Microsoft PowerPoint - Sony.ppt Author: langhein Created Date: 3/15/2002 10:54:41 AM

Slide 1

Sony, January 2002

Privacy in Ubiquitous Systems

Marc Langheinrich, ETH Zurich, Switzerland

www.inf.ethz.ch/~langhein

Section: Privacy by Design


Slide 2

About the ETH Zurich

Swiss Federal Institute of Technology (ETH)
– Founded 1854
– 330 Professors (40% non-Swiss)
– 12,000 Students (Computer Science: ~900)

Department of Computer Science
– 23 Professors, ~120 PhD Students
– Prof. Em. Niklaus Wirth (Pascal, Modula)

Zurich, Switzerland
– Population: some 350,000 (all of Switzerland: 7.5 million)
– Only 1 hour to the Alps!

Section: Introduction


Slide 3

The Distributed Systems Group

Established 1999
– Prof. Friedemann Mattern (TH Darmstadt)
– 12 PhD Students

Infrastructure for Ubiquitous Computing
– Services Description & Discovery
– Communications
– Location
– Reliability, Security, Privacy



Slide 4

Projects & Partners

Swiss National Fund (“Terminodes”)
– Infrastructureless communications

European Union (partners from UK, DE, FI, …)
– “Smart-Its” (sensor networks)
– Ubicomp in health sector, application pending

Ladenburg Symposium (Daimler Foundation)
– Ubicomp in the social sciences, law

M-Lab (together with Univ. St. Gallen, MIT)
– Ubicomp in business (supply chain management)

“ETH World”
– The future (virtual) campus of the ETH



Slide 5

Contents

Privacy primer – Does privacy matter?
Privacy in ubiquitous systems – What’s so different about it?
Challenges – Issues to address in ubicomp systems
Privacy-aware infrastructures – A first attempt



Slide 6

Just a Modern Fad?

“All this secrecy is making life harder, more expensive, dangerous...” – Peter Cochrane, former head of BT Research

“You have zero privacy anyway” – Scott McNealy, CEO Sun Microsystems

“By 2010, privacy will become a meaningless concept in western society” – Gartner Report, 2000

Section: 1. Privacy Primer


Slide 7

Privacy – a Human Need?

– References in the Bible
– Justice of the Peace Act (England 1361): provides for arrest of Peeping Toms and eavesdroppers

Privacy is a human right
– Universal Declaration of Human Rights, Article 12 (1948)
– European Convention on Human Rights, Article 8 (1970)



Slide 8

Legal Realities Today

Legislation varies around the world
– Sectoral & self-regulation approach in US, Japan
– Comprehensive laws for government and industry in Europe, Canada, Australia, Hong Kong

EU Directive 95/46/EC
– Limits data collection
– Requires comprehensive disclosures
– Prohibits data export to “unsafe” countries
• Prompted legislative updates worldwide



Slide 9

Contents

Privacy primer – Does privacy matter?
Privacy in ubiquitous systems – What’s so different about it?
Challenges – Issues to address in ubicomp systems
Privacy-aware infrastructures – A first attempt

Section: 2. Privacy in Ubicomp


Slide 10

Aspects of Privacy

Anonymity – Authentication & Routing
Security – Encryption & Communication Hiding
Transparency & Control – Trust-Labels, Signatures, Protocols (P3P)

How much of this works in ubicomp?



Slide 11

Unlimited Coverage

The Web: covers our digital life
– Shopping, chatting, news reading

Ubicomp: real-world deployment!
– Home, School, Office, Public Spaces, ...


Covers all of our life, comprehensively!
– Day in, day out – from cradle to grave

No switch to turn it off?
– Constant, seamless surveillance possible


Slide 12

Loss of Awareness

Surveillance and data collection today
– Stores, credit card applications, sweepstakes

Ubicomp: invisible computing
– Computers disappear into the environment


When am I giving out data?
– Fingerprint could be taken without notice

When am I under surveillance?
– Life recorders, room computers, smart cups


Slide 13

New Types of Data

Last 50 years of data collection
– Identity, contact info, preferences, …

Ubicomp: advanced sensors
– New data (location, health, habits, …)
– More detailed & precise (24/7)


Does the system know more than I?
– Body sensors detect moods
– Nervous? Floor & seat sensors, eye tracker


Slide 14

More Data, More Knowledge

Traditional data, traditional use
– Compiling mailing lists, predicting trends, …

Ubicomp: smartness through context
– Context is distilled sensory information


Encourages increased data collection
– More data means more, better context

Innocuous data can lead to new knowledge
– Data mining: more than the sum of its parts


Slide 15

Contents

Privacy primer – Does privacy matter?
Privacy in ubiquitous systems – What’s so different about it?
Challenges – Issues to address in ubicomp systems
Privacy-aware infrastructures – A first attempt

Section: 3. Challenges


Slide 16

1. Notice

No hidden data collection!
– Legal requirement in many countries

Established means: privacy policies
– Who, what, why, how long, etc.


How to publish policies in Ubicomp?
– Periodic broadcasts
– Privacy service?

Too many devices?
– Countless announcements an annoyance


Slide 17

2. Choice & Consent

Laws require explicit consent by user
– Usually a signature or pressing a button

True consent requires true choice
– More than “take it or leave it”


How to ask without a screen?
– Designing UIs for embedded systems, or
– Finding means of delegation (is this legal?)

Providing conditional services
– Can there be levels of location tracking?


Slide 18

3. Anonymity, Pseudonymity

Anonymous data comes cheap
– No consent, security, access needed

Pseudonyms allow for customization
– User can discard at any time


Sometimes one cannot hide!
– No anonymizing cameras & microphones

Real-world data is hard to anonymize
– Even pseudonyms can reveal true identity


Slide 19

4. Meeting Expectations

Ubicomp: invisibly augments the real world

Old habits adapt slowly (if ever)
– People expect solitude to mean privacy
– Strangers usually don’t know me


No spying, please (Proximity)
– Devices only record if owner is present

Rumors should not spread (Locality)
– Local information stays local
– Walls and flower-pots can talk (but won’t do so over the phone)


Slide 20

5. Security

No one-size-fits-all solutions
– High security for back-end storage
– Low security for low-power sensors

Real world has complex, situation-dependent security requirements
– Free access to medical data in emergency situations


Context-specific security?
– Depending on device battery status
– Depending on types of data, transmission
– Depending on locality, situation


Slide 21

6. Access & Recourse

Identifiable data must be accessible
– Users can review, change, sometimes delete

Collectors must be accountable
– Privacy-aware storage technology?


Ubicomp applications like lots of data
– Increased need for accounting and access

Carefully consider what is relevant
– How much data do I really need?


Slide 22

Contents

Privacy primer – Does privacy matter?
Privacy in ubiquitous systems – What’s so different about it?
Challenges – Issues to address in ubicomp systems
Privacy-aware infrastructures – A first attempt

Section: 4. Privacy Infrastructures


Slide 23

Privacy Infrastructures

[Architecture diagram; labels recovered from the slide: The Internet; Privacy Beacon; PA (Privacy Assistant); Devices; Printer Counterpart, Camera Counterpart, PA Counterpart; Privacy Policy with Accept / Decline]

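The beacon-to-assistant policy exchange sketched in the architecture slide, with the notice fields from slide 16 (who, what, why, how long) matched against the user's own preferences, as an added Python example that is not part of the original slides or of the ETH project's code. The one-JSON-line-per-device message format, the `Preferences` fields and the sample camera and printer policies are constructed assumptions.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Preferences:
    """User rules held by the Privacy Assistant (a simplified, APPEL-like rule set; assumed)."""
    blocked_data: frozenset        # data elements the user never wants collected
    allowed_purposes: frozenset    # purposes the user is willing to accept
    max_retention_days: int        # longest retention the user tolerates


def beacon_broadcast(policies):
    """Privacy Beacon side: announce one policy per device as a JSON line (constructed format)."""
    return "\n".join(json.dumps(p) for p in policies)


def evaluate(policy, prefs):
    """PA side: compare one announced policy (who/what/why/how long) with the preferences.

    Returns ('accept', []) or ('decline', [reasons...]); every failed rule is reported,
    so the user sees all grounds for the decline rather than only the first one."""
    reasons = []
    blocked = sorted(set(policy["data"]) & prefs.blocked_data)
    if blocked:
        reasons.append("collects blocked data: " + ", ".join(blocked))
    if policy["purpose"] not in prefs.allowed_purposes:
        reasons.append("purpose not allowed: " + policy["purpose"])
    if policy["retention_days"] > prefs.max_retention_days:
        reasons.append(f"retention {policy['retention_days']}d exceeds {prefs.max_retention_days}d")
    return ("accept" if not reasons else "decline", reasons)


def assistant_receive(broadcast, prefs):
    """PA side: parse the beacon's announcements and return {device: (decision, reasons)}."""
    decisions = {}
    for line in broadcast.splitlines():
        policy = json.loads(line)
        decisions[policy["device"]] = evaluate(policy, prefs)
    return decisions


# Constructed sample: two devices in a room announce their collection policies.
SAMPLE_POLICIES = [
    {"device": "camera", "data": ["image", "location"], "purpose": "security", "retention_days": 30},
    {"device": "printer", "data": ["print_job"], "purpose": "service", "retention_days": 1},
]
SAMPLE_PREFS = Preferences(frozenset({"location"}), frozenset({"service", "security"}), 7)

if __name__ == "__main__":
    for device, (decision, why) in assistant_receive(beacon_broadcast(SAMPLE_POLICIES), SAMPLE_PREFS).items():
        print(device, decision, why)
```

With the sample input the printer is accepted and the camera declined on two grounds (blocked location data and 30-day retention), which is the per-device accept/decline the diagram labels.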


Slide 24

Privacy Infrastructures

Project Status
– Started Aug 2001
– Currently implementing initial components

Challenges
– Policy broadcasts, privacy services, user interface, data management, ...

Goals
– Operational prototype for trying out new concepts



Slide 25

Privacy Infrastructures

Current activities
– Backend storage (privacy-aware database)
– Policy/data exchange protocol and management (application server)
– Preferences editor (APPEL)
– Development tools (testing & verification)

Next steps
– Low-level protocols (anonymity, power efficiency, …)
– Privacy assistant design (handheld)



Slide 26

The Take Home Message

Many questions, few answers
– Technology, laws still to evolve

Ubicomp adds a new quality to privacy
– Invisible, real-world coverage, comprehensive collection, inconspicuous

Ubicomp (privacy) challenges
– User interface (notice, choice, consent)
– Protocols (anonymity, security, access)
– Social acceptance (user expectations)

Section: Summary & Conclusions


Slide 27

Call for papers: ETH Zurich & IBM Research, www.pervasive2002.org

Topics
– System architectures and platforms for pervasive computing
– Mobile, wireless, and wearable technologies
– Emerging applications and mobile business issues
– Scenarios for information appliances
– Content distribution and delivery
– User interfaces for invisible and embedded computing
– Context awareness
– Security and privacy issues

Paper submissions due February 22, 2002