Personal Privacy & The Virtual Residence

Marc Langheinrich, ETH Zurich, Switzerland
http://www.inf.ethz.ch/~langhein/

IPTS Sevilla, Spain, April 11, 2003. Transcript of the 39 slides.

Slide 1: Personal Privacy & The Virtual Residence

Slide 2: Topic: Privacy in Ubicomp

- Background: Concepts & Definitions
  - Virtual worlds vs. embedded computing
  - Privacy & personal borders
- Analysis: Current Status & Evolution
  - How does Ubicomp change the picture?
  - Applicability of existing solutions
- Outlook: The Virtual Residence
  - A Ubicomp perspective

Slide 3: Not Virtual Reality…

Virtual Reality paradigm: use PC hardware to simulate the real world.

Slide 4: But Virtual Computer!

Slide 5: Embedded Computing

Real-world objects can process and communicate information!

- Functional aspect
  - Embedded processors
  - Wireless communication
  - Sensors
- Perceptual aspects
  - Grounded in real-world experience
  - Communication & computation hidden!

Slide 6: Cyberspace vs. Ubicomp

- Cyberspace
  - World appears to be hidden in data (e.g., a set of VR glasses "peeks" into the PC)
- Ubicomp
  - Data appears to be hidden in real-world objects (e.g., a pen has memory)
  - No virtual location, but real-world location!
  - Virtual concepts not part of the user experience

Slide 7: What Is Privacy?

- "The desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitude and their behavior to others."
  - Alan Westin, 1967 ("Privacy and Freedom")

Slide 8: What Is Privacy?

- "The desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitude and their behavior to others."
  - Alan Westin, 1967 ("Privacy and Freedom")

Data self-determination: being in control of personal information flow.

Slide 9: Functional Definition

- Privacy-invasive effects of surveillance and data collection are due to the crossing of personal borders
  - Prof. Gary T. Marx, MIT
- Privacy boundaries
  - Natural
  - Social
  - Spatial / temporal
  - Transitory

Slide 10: Privacy Boundaries

- Natural
  - Physical limitations (doors, sealed letters)
- Social
  - Group confidentiality (doctors, colleagues)
- Spatial / temporal
  - Family vs. work, adolescence vs. midlife
- Transitory
  - Fleeting moments, unreflected utterances

Slide 11: Examples: Border Crossings

- Smart appliances
  - "Spy" on you in your own home (natural borders)
- Family intercom
  - Grandma knows when you're home (social borders)
- Consumer profiles
  - Span time & space (spatial/temporal borders)
- "Memory amplifier"
  - Records careless utterances (transitory borders)

Privacy litmus test: What borders can be crossed?

Slide 12: Topic: Privacy in Ubicomp

- Background: Concepts & Definitions
  - Virtual worlds vs. embedded computing
  - Privacy borders
- Analysis: Current Status & Evolution
  - How does Ubicomp change the picture?
  - Applicability of existing solutions
- Outlook: The Virtual Residence
  - A Ubicomp perspective

Slide 13: Collection Parameters

1. Scale – To what extent is my life visible to others?
2. Manner – How obviously is data collected?
3. Type – What type of data is recorded?
4. Motivation – What are the driving factors?
5. Accessibility – How does one find anything in this data?

Slide 14: 1. Collection Scale

- Before: public appearances
  - Physically separated in space and time
- Today: online time
  - Preferences & problems (online shopping)
  - Interests & hobbies (chat, news)
  - Location & address (online tracking)
- Tomorrow: the rest
  - Home, school, office, public spaces, ...
  - No switch to turn it off?

Slide 15: 2. Collection Manner

- Before: reasonable expectations
  - You see me – I see you
- Today: visible boundaries
  - Online, real-world electronic transactions
- Tomorrow: invisible interactions
  - Interacting with a digital service?
    - Life recorders, room computers, smart coffee cups
  - No blinking "recording now" LED?

Slide 16: 3. Collection Types

- Before: eyes & ears
- Today: electrical and digital surveillance tools
- Tomorrow: better sensors
  - More detailed & precise data
  - Cheaper, smaller, self-powered (ubiquitous!)
- Do I know myself best?
  - Body sensors detect stress, anger, sadness
  - Health sensors alert the physician
  - Nervous? Floor & seat sensors, eye tracker

Slide 17: 4. Collection Motivation

- Before: collecting out-of-the-ordinary events
- Today: collecting routine events
- Tomorrow: smartness through pattern prediction
  - More data = more patterns = smarter
  - Context is everything, everything is context
- Worthless information? Data mining!
  - Typing speed (dedicated?), shower habits (having an affair?), chocolate consumption (depressed?)

Slide 18: 5. Collection Accessibility

- Before: natural separations
  - Manual interrogations, word of mouth
- Today: online access
  - Search is cheap
  - Database federations
- Tomorrow: cooperating objects?
  - Standardized semantics
  - What is my artifact telling yours?
  - How well can I search your memory?

Slide 19: Control Parameters

1. Transfer Selection – How can I be aware of data transfers?
2. Recipient Selection – How do I choose whom to send data to? Implies secondary parameters (e.g., retention, security)
3. Data Selection – How do I control what data to give out?
4. Purpose Selection – How do I know what the data is needed for?
5. Status Information – Who knows what about me?

Slide 20: Fair Information Principles

- Organisation for Economic Co-operation and Development (OECD), 1980
- Voluntary guidelines for members to ease the international flow of information (simplified):
  1. Notice & disclosure
  2. Choice & consent
  3. Anonymity & pseudonymity
  4. Data security
  5. Access & recourse
  6. Meeting expectations

Slide 21: 1. Notice and Disclosure

- No hidden data collection!
  - Legal requirement in many countries
- Established means: privacy policies
  - Who, what, why, how long, etc. ...
- How to publish policies in Ubicomp?
  - Periodic broadcasts
  - Privacy service?
- Too many devices?
  - Countless announcements are an annoyance

Related: P3P (Platform for Privacy Preferences)

Slide 22: 2. Choice & Consent

- Participation requires explicit consent
  - Usually a signature or pressing a button
- True consent requires true choice
  - More than "take it or leave it"
- How to ask without a screen?
  - Designing UIs for embedded systems, or
  - Finding means of delegation (is this legal?)
- Providing conditional services
  - Can there be levels of location tracking?

Slide 23: 3. Anonymity, Pseudonymity

- Anonymous data comes cheap
  - No consent, security, or access needed
- Pseudonyms allow for customization
  - User can discard them at any time
- Sometimes one cannot hide!
  - No anonymizing cameras & microphones
- Real-world data is hard to anonymize
  - Even pseudonyms can reveal true identity

Slide 24: 4. Security

- No one-size-fits-all solutions
  - High security for back-end storage
  - Low security for low-power sensors
- The real world has complex, situation-dependent security requirements
  - Free access to medical data in emergency situations
- Context-specific security?
  - Depending on device battery status
  - Depending on types of data, transmission
  - Depending on locality, situation

Slide 25: 5. Access & Recourse

- Identifiable data must be accessible
  - Users can review, change, sometimes delete
- Collectors must be accountable
  - Privacy-aware storage technology?
- Ubicomp applications like lots of data
  - Increased need for accounting and access
- Carefully consider what is relevant
  - How much data do I really need?

Slide 26: 6. Meeting Expectations

- Ubicomp invisibly augments the real world
- Old habits adapt slowly (if ever)
  - People expect solitude to mean privacy
  - Strangers usually don't know me
- No spying, please (Proximity)
  - Devices only record if the owner is present
- Rumors should not spread (Locality)
  - Local information stays local
  - Walls and flower pots can talk (but won't do so over the phone)
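The two rules on this slide, proximity (record only while the owner is present) and locality (local information stays local), can be enforced mechanically at the point where a device stores and hands out data. The following is an added illustration written for this transcript, not code from the talk; the Event fields, the zone names and the sample events are constructed:

```python
"""Proximity and locality rules for a smart-room recorder.

Added illustration (not code from the talk) of the two "Meeting Expectations"
rules: devices only record while their owner is present, and local information
stays local. Event fields, zone names and sample events are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    device: str           # sensor that produced the data
    owner_present: bool   # was the device's owner in the room at the time?
    payload: str          # what was observed


@dataclass
class RoomRecorder:
    """Recorder for one physical room (its 'locality')."""
    zone: str
    stored: list = field(default_factory=list)
    dropped: list = field(default_factory=list)   # (event, reason) audit trail

    def record(self, ev: Event) -> bool:
        """Proximity rule: no owner in the room, nothing gets recorded."""
        if not ev.owner_present:
            self.dropped.append((ev, "owner absent"))
            return False
        self.stored.append(ev)
        return True

    def query(self, requester_zone: str) -> list:
        """Locality rule: only a requester in the same room gets the data.

        A remote requester ("over the phone") receives nothing, not even a
        hint of how much was recorded.
        """
        if requester_zone != self.zone:
            return []
        return [ev.payload for ev in self.stored]


# Constructed sample events for a kitchen whose owner steps out part-way through.
SAMPLE_EVENTS = [
    Event("coffee-cup", True, "cup lifted 07:58"),
    Event("floor-sensor", True, "two people at table"),
    Event("floor-sensor", False, "one person at table"),   # owner has left
    Event("coffee-cup", False, "cup refilled 08:20"),
]


def run_kitchen(events=SAMPLE_EVENTS) -> dict:
    """Apply both rules and report what a local and a remote requester see."""
    rec = RoomRecorder("kitchen")
    for ev in events:
        rec.record(ev)
    return {
        "kept": len(rec.stored),
        "dropped": [reason for _, reason in rec.dropped],
        "seen_locally": rec.query("kitchen"),
        "seen_remotely": rec.query("phone-line"),
    }


if __name__ == "__main__":
    for key, value in run_kitchen().items():
        print(f"{key}: {value}")
```

The audit trail of dropped events is deliberate: a recorder that silently discards data gives its owner no way to confirm the proximity rule is actually being applied, whereas a count of "owner absent" drops can be checked against the owner's own recollection of the day.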

Slide 27: Privacy Toolbox Summary

- Requirements
  - When, who, what, why?
- Tools
  - When: Notice
  - Why: Choice
  - What: Anonymity
  - Who: Security
  - Status: Access
- Ethical guidance
  - Meeting expectations

Slide 28: Existing Privacy Tools

- Technical
  - Encryption & authentication
  - Anonymity & pseudonymity
  - Transparency & trust
- Legal
  - Laws and regulation
- Social
  - Ethics & social norms

Optional: P3P
Optional: US/EU privacy laws

Slide 29: A Privacy Awareness System

(Diagram; only its labels survive: Privacy Beacons, Privacy Proxies, Privacy DB, and a Privacy Policy with the choices Accept / Decline.)
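The diagram's three components line up with the principles from slides 21, 22 and 25: beacons give notice by announcing a policy, a proxy exercises choice on the user's behalf, and a database that stores data only under an accepted policy can offer retention, review and deletion. The simulation below is an added illustration written for this transcript, not the talk's own software; the policy and preference fields, the beacon names and the sample values are all assumptions:

```python
"""Privacy Awareness System, simulated end to end.

Added illustration, not the talk's own software: Privacy Beacons announce
policies (notice), a Privacy Proxy accepts or declines them (consent), and a
Privacy DB stores data only under accepted policies and honours retention,
review and deletion (access & recourse). Field names, beacon names and
sample values are constructed for this example.
"""
from collections import namedtuple
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2003, 4, 11)   # constructed reference day for the simulation


@dataclass(frozen=True)
class Policy:
    """What a beacon announces: who collects what, why, and for how long."""
    collector: str
    data: frozenset        # kinds of data collected, e.g. {"location"}
    purpose: str
    retention_days: int


@dataclass(frozen=True)
class Preferences:
    """What the user's proxy is willing to consent to on the user's behalf."""
    allowed_purposes: frozenset
    refused_data: frozenset
    max_retention_days: int


def decide(policy: Policy, prefs: Preferences) -> tuple:
    """Privacy Proxy: accept or decline an announced policy, with a reason."""
    if policy.purpose not in prefs.allowed_purposes:
        return False, f"purpose '{policy.purpose}' not allowed"
    refused = policy.data & prefs.refused_data
    if refused:
        return False, "refused data: " + ", ".join(sorted(refused))
    if policy.retention_days > prefs.max_retention_days:
        return False, f"retention {policy.retention_days}d over limit"
    return True, "accepted"


Record = namedtuple("Record", "subject kind value policy collected")


class PrivacyDB:
    """Stores data only under an accepted policy; enforces retention and
    gives the data subject review and deletion rights."""

    def __init__(self):
        self.consents = {}   # (subject, collector) -> accepted Policy
        self.records = []

    def consent(self, subject, policy):
        self.consents[(subject, policy.collector)] = policy

    def store(self, subject, collector, kind, value, today) -> bool:
        policy = self.consents.get((subject, collector))
        if policy is None or kind not in policy.data:
            return False       # no consent, or data kind not covered by it
        self.records.append(Record(subject, kind, value, policy, today))
        return True

    def expire(self, today) -> int:
        """Retention: drop records older than their own policy allows."""
        keep = [r for r in self.records
                if today - r.collected < timedelta(days=r.policy.retention_days)]
        removed, self.records = len(self.records) - len(keep), keep
        return removed

    def review(self, subject) -> list:
        """Access: what is held about the subject, by whom, and why."""
        return [(r.kind, r.policy.collector, r.policy.purpose)
                for r in self.records if r.subject == subject]

    def delete(self, subject) -> int:
        """Recourse: everything about the subject is removed."""
        keep = [r for r in self.records if r.subject != subject]
        removed, self.records = len(self.records) - len(keep), keep
        return removed


# Constructed beacon announcements and one (constructed) user's preferences.
BEACONS = [
    Policy("cafeteria-cam", frozenset({"video"}), "security", 7),
    Policy("meeting-room", frozenset({"location", "presence"}), "room-booking", 1),
    Policy("office-tracker", frozenset({"location"}), "marketing", 365),
]
PREFS = Preferences(frozenset({"security", "room-booking"}), frozenset({"video"}), 30)


def simulate(today=TODAY) -> dict:
    """Walk user 'alice' past the beacons, collect data, age it, review it."""
    db, decisions = PrivacyDB(), {}
    for policy in BEACONS:
        ok, why = decide(policy, PREFS)
        decisions[policy.collector] = why
        if ok:
            db.consent("alice", policy)
    stored = [
        db.store("alice", "meeting-room", "location", "room 3", today),
        db.store("alice", "meeting-room", "video", "frame", today),      # kind not covered
        db.store("alice", "office-tracker", "location", "desk 12", today),  # declined
    ]
    held_before = db.review("alice")
    expired = db.expire(today + timedelta(days=2))    # 1-day retention has run out
    return {"decisions": decisions, "stored": stored, "held_before": held_before,
            "expired": expired, "held_after": db.review("alice")}
```

Two design points carry the slide's argument. The database keys consent on (subject, collector) and refuses any data kind the accepted policy did not list, so a collector cannot widen its collection after the fact without a new announcement; and every record carries its policy, so retention is enforced per record from what was promised rather than by a global setting.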

Slide 30: Topic: Privacy in Ubicomp

- Background: Concepts & Definitions
  - Virtual worlds vs. embedded computing
  - Privacy borders
- Analysis: Current Status & Evolution
  - How does Ubicomp change the picture?
  - Applicability of existing solutions
- Outlook: The Virtual Residence
  - A Ubicomp perspective

Slide 31: The Virtual Residence

- Creates online private space
  - Explicitly on the Internet (homepages, …)
  - Implicitly through ambient intelligence at home, work, school…
- Provides conceptual guidelines
  - Future laws
  - Economy
  - System architecture
  - Social norms (e.g., identity management)

Slide 32: Offline/Online Private Space

- Localization of actions, events
  - Web today: initiation location irrelevant
  - Ubicomp tomorrow: actions tied to real-world events
- Ubicomp: online space directly mapped from offline space!

(Diagram: Real World vs. Virtual World, "Web today" vs. "Ubicomp tomorrow", with the activities shopping, searching, chatting.)

Slide 33: Conceptual Guidelines

- Concept reuse
  - Web today: virtual space takes shape through real-world analogies
  - Ubicomp tomorrow: preserve physical space through 1:1 mappings

(Diagram: Real World vs. Virtual World, "Web today" vs. "Ubicomp tomorrow", with the activities shopping, searching, chatting.)

Slide 34

(Diagram only; its labels: Real World, Online World, Ubicomp; Concept Reuse, Adoption, Recreation, Preservation.)

Slide 35: Example: Identity

- Real world
  - I am myself
  - Implicit identity
- Virtual world
  - I can be anything
  - Explicit identity (management)
- Ubicomp
  - Needs to map real-world experience!
  - Identity management?
  - Anonymity, credentials management!

Slide 36: Anonymity Management

- Real-life anonymity with digital services
  - Online interactions: virtual characters, need strong authentication
  - Real-world, digital interactions: grounded in time & space!
- Anonymous authentication in time & space
  - Not "who?" but "where & when? here & now!"
- Data minimization principle
  - First step towards technical support?
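The data minimization principle on this slide can be made concrete as a purpose-bound filter: the same raw sensor observation is reduced to the fields each stated purpose actually needs before anything is stored, in the spirit of "not who? but where & when?". The following is an added illustration written for this transcript, not code from the talk; the raw record format, the purposes, the pseudonym construction and the sample observations are constructed, and the slide's anonymous-authentication scheme is not implemented here:

```python
"""Data minimization for a presence-based service.

Added illustration (not code from the talk) of the Data Minimization
Principle: a raw observation is reduced to what each stated purpose needs
before storage. Record format, purposes and sample data are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RawObservation:
    identity: str          # who the badge reader recognised
    room: str
    lat: float             # precise position from the reader's own GPS fix
    lon: float
    at: datetime


# Purpose -> fields the service is allowed to keep (constructed policy table).
PURPOSE_FIELDS = {
    "room-occupancy": ("room", "slot"),               # "someone was here, roughly when"
    "energy-billing": ("pseudonym", "room", "slot"),  # per person, but not identifying
    "security-audit": ("identity", "room", "at"),     # full detail, exceptional purpose
}


def time_slot(at: datetime, minutes: int = 15) -> str:
    """Coarsen a timestamp to the start of its slot (generalisation)."""
    floored = at - timedelta(minutes=at.minute % minutes,
                             seconds=at.second, microseconds=at.microsecond)
    return floored.strftime("%Y-%m-%d %H:%M")


def pseudonym(identity: str, salt: bytes) -> str:
    """Salted hash pseudonym: stable within one period, discardable with the salt."""
    return hashlib.sha256(salt + identity.encode()).hexdigest()[:12]


def minimize(obs: RawObservation, purpose: str,
             salt: bytes = b"constructed-period-salt") -> dict:
    """Keep only the fields the stated purpose needs; the rest is never stored."""
    available = {
        "identity": obs.identity,
        "pseudonym": pseudonym(obs.identity, salt),
        "room": obs.room,
        "slot": time_slot(obs.at),
        "at": obs.at.isoformat(timespec="seconds"),
        # lat/lon are needed by no listed purpose, so they are never kept
    }
    fields = PURPOSE_FIELDS[purpose]   # unknown purpose -> KeyError: refuse, don't guess
    return {k: available[k] for k in fields}


def occupancy(records) -> dict:
    """Answer the room-occupancy question from minimized records alone."""
    counts = {}
    for r in records:
        key = (r["room"], r["slot"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample observations from badge readers in two rooms.
SAMPLE = [
    RawObservation("alice", "3", 47.3769, 8.5417, datetime(2003, 4, 11, 14, 2, 30)),
    RawObservation("bob", "3", 47.3769, 8.5417, datetime(2003, 4, 11, 14, 9, 5)),
    RawObservation("carol", "5", 47.3771, 8.5419, datetime(2003, 4, 11, 14, 20, 0)),
]


if __name__ == "__main__":
    print(occupancy([minimize(o, "room-occupancy") for o in SAMPLE]))
```

The occupancy question is fully answerable from records that contain no identity, no precise position and no exact time, which is the point of the principle. The pseudonym variant carries the caveat from slide 23: a salted hash is only as unlinkable as the salt is secret and short-lived, and a per-person stream of (room, slot) pairs can itself re-identify someone with a distinctive routine, so billing records should be kept no longer than the billing period they serve.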

Slide 37: Summary: Privacy in Ubicomp

- Acceptability goal:
  - Expect smart things to behave like normal ones (when it comes to privacy)
- That means:
  - No border crossings (physical, spatial/temporal, social, ephemeral/transitory)
- Requires:
  - Strong data-to-object/location/owner ties
  - Intuitive data (identity) management
  - Virtual residence = real residence (strong ties)

Slide 38: Recommended Reading

- David Brin: The Transparent Society. Perseus Publishing, 1999
- Lawrence Lessig: Code and Other Laws of Cyberspace. Basic Books, 2000
- Simson Garfinkel: Database Nation – The Death of Privacy in the 21st Century. O'Reilly, 2001

Slide 39: More Books

- Frank Stajano: Security for Ubiquitous Computing
- Marc Rotenberg: The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments
- EPIC: Privacy & Human Rights