- 1. Ubiquitous Computing: Privacy Issues Hongseok Kim November 19, 2003 SI 668
2. Overview • Basics of Ubiquitous Computing • Context Awareness • Privacy Issues • Policy Principles and Guidelines 3. Ubiquitous Computing Vision • Mark Weiser (1952~1999), XEROX PARC – Coined the term, “ubiquitous computing”, in 1988 – Seminal Article: “The Computer for the 21st Century,” Scientific American (Sep. 1991) “The most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it.” 4. Inverted Paradigm • “Computer in the world (embodied virtuality)” instead of “World in the computer (virtual reality)” • Small, lightweight, and cheap processors embedded in everyday objects 5. Smart Objects • Enrich real world objects with information processing capabilities – Embedded Processors and Memory can remember pertinent events! – Wireless Communications communicate with their environment – Sensors responsive context-sensitive or context-aware behavior 6. Context Awareness • Context awareness – A ubiquitous computing system must be cognizant of its user’s state and surroundings, and must modify its behavior according to the cognizance. • A user’s context can be: – Physical location – Physiological state (e.g., body temperature and heart rate) – Emotional state (e.g., angry, distraught, and calm) – Personal history – Daily behavioral patterns 7. An Example of a Smart Object • MediaCup@TecO – augmented with sensing, processing and communication capabilities (integrated in the cup's bottom), to collect and communicate general context information in a given environment 8. Networked with Other Smart Objects ANOTHER BEER, PLEASE, HAL… I’M SORRY, DAVE. I CAN’T DO THAT. THE BATHROOM SCALE AND THE HALL MIRROR ARE REPORTING DISTURBING FLAB ANOMALIES. 9. Smart Clothing • Conductive textiles and inks – Print electrically active patterns directly onto fabrics • Sensors based on fabric – e.g., monitor pulse, blood pressure, body temperature • Invisible collar microphones and Integrated small cameras • Youth clothing – Game console on the sleeves? – Integrated GPS-driven locators Privacy Issues? 10. Context Awareness Revisited • Xerox Parc’s automatic phone-call routing experiment • A federal office described in Neal Stephenson’s “Snow Crash” 11. Privacy Implications of UbiComp • What is it that makes ubiquitous computing any different from other computer science domains with respect to privacy? • Why should scientists and engineers in this particular domain be any more concerned with such vague notions of liberty, freedom, and privacy? 12. Privacy Implications, cont’d. • Ubiquitous devices are ideally suited for covert operation and illegal surveillance. • Information provided by many sensors to acquire knowledge about the context; these sensors can be invisible to users. • The sensors, gathering information about people without being noticed, can be a threat to privacy. 13. Privacy Challenges (1) • Privacy is already a concern with the WWW • Much more dramatic in a ubiquitous computing environment – Unlimited coverage (sensors everywhere) – Loss of awareness (invisible computing) – New types of data (location, health, habits, …) – More knowledge though context – Anonymity hard to achieve – Difficulty in explicit notice or consent by user 14. Privacy Challenges (2) • Privacy is greatly complicated by ubiquitous computing. – Mechanisms such as location tracking, smart spaces, and use of surrogates monitor user actions on an almost continuous basis. – As a user becomes more dependent on a ubiquitous computing system, the system becomes more knowledgeable about that user’s movements, behavior patterns and habits. 15. Six Guiding Principles • Marc Langheinrich, “Privacy by Design: Principles of Privacy-Aware Ubiquitous Systems,” in the proceedings of Ubicomp 2001. – Notice – Choice and Consent – Anonymity and Pseudonymity – Proximity and Locality – Adequate Security – Access and Recourse 16. Notice (Openness) • The subject whose information is collected must be notified. • Environment where it is often difficult for data subjects to realize that data collection is actually taking place • Necessary to have not only mechanisms to declare collection practices (i.e., privacy policies), but also efficient ways to communicate these to the user (i.e., policy announcement). 17. Choice and Consent • It is necessary to get explicit consent of the subject by means of digital or handwriting signature. • How can we offer customers many choices of security and get their consent? • In order to give users a true choice, we need to provide a selection mechanism (i.e., privacy agreements) so that users can indicate which services they prefer. 18. Anonymity and Pseudonymity • An important option when offering clients a number of choices. – But, it is not easy to get anonymity in ubiquitous environment because sensors will easily disclose the real identity. • Pseudonymity is an alternative that allows for a more fine grained control of anonymity in ubiquitous environments. 19. Proximity and Locality • A user can benefit from information gathered only within a particular area. Information value decreases when distance increases. • The system should support mechanisms to encode and use locality information for collected data that can enforce access restrictions based on the location of the person wanting to use the data. 20. Adequate Security • It is not necessary to increase the security level to an extent when it is not worth the intrusion. • We need to employ robust security features only in situations with highly sensitive data transfer – financial transactions – transfer of medical information 21. Access and Recourse • Needs to provide a way for users to access their personal information in a simple way through standardized interfaces (i.e., data access). • Users should be informed about the usage of their data once it is stored, similar to call-lists that are often part of monthly phone bills (i.e., usage logs). 22. Privacy in Ubiquitous Computing • Privacy is possible in ubiquitous computing environment. – Let people know about collections – Let people query, update, delete their own data – Let people know about each usage • Solutions need not be perfect to be useful – Trusting fair information practices – Trusting collectors to keep their promises – Trusting the legal system 23. Conclusions • We are not trying to achieve total security, let alone total privacy! • What should be within our reach is achieving a good balance of convenience and control when interacting with ubiquitous, invisible devices and infrastructures. • We can begin by designing ubiquitous systems for privacy in the initial stages, not after implementation.