IPTS Sevilla, Spain
Personal Privacy & The Virtual Residence
Marc Langheinrich, ETH Zurich, Switzerland
http://www.inf.ethz.ch/~langhein/
April 11, 2003
Slide 2
Topic: Privacy in Ubicomp
• Background: Concepts & Definitions
  – Virtual worlds vs. embedded computing
  – Privacy & personal borders
• Analysis: Current Status & Evolution
  – How does Ubicomp change the picture?
  – Applicability of existing solutions
• Outlook: The Virtual Residence
  – A Ubicomp perspective
Slide 3
Not Virtual Reality…
Virtual Reality paradigm: use PC hardware to simulate the real world.
Slide 4
But Virtual Computer!
Slide 5
Embedded Computing
Real-world objects can process and communicate information!
• Functional aspect
  – Embedded processors
  – Wireless communication
  – Sensors
• Perceptual aspects
  – Grounded in real-world experience
  – Communication & computation hidden
Slide 6
Cyberspace vs. Ubicomp
• Cyberspace
  – The world appears to be hidden in data (e.g., a set of VR glasses „peeks“ into the PC)
• Ubicomp
  – Data appears to be hidden in real-world objects (e.g., a pen has memory)
  – No virtual location, but real-world location!
  – Virtual concepts are not part of the user experience
Slide 7
What Is Privacy?
• „The desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitude and their behavior to others.“
  – Alan Westin, 1967 („Privacy And Freedom“)
Slide 8
What Is Privacy?
• Data self-determination: being in control of the personal information flow
Slide 9
Functional Definition
• Privacy-invasive effects of surveillance and data collection stem from the crossing of personal borders
  – Prof. Gary T. Marx, MIT
• Privacy boundaries
  – Natural
  – Social
  – Spatial / temporal
  – Transitory
Slide 10
Privacy Boundaries
• Natural
  – Physical limitations (doors, sealed letters)
• Social
  – Group confidentiality (doctors, colleagues)
• Spatial / temporal
  – Family vs. work, adolescence vs. midlife
• Transitory
  – Fleeting moments, unreflected utterances
Slide 11
Examples: Border Crossings
• Smart appliances
  – “Spy” on you in your own home (natural borders)
• Family intercom
  – Grandma knows when you’re home (social borders)
• Consumer profiles
  – Span time & space (spatial/temporal borders)
• “Memory amplifier”
  – Records careless utterances (transitory borders)
Privacy litmus test: which borders can be crossed?
Slide 12
Topic: Privacy in Ubicomp
• Background: Concepts & Definitions
  – Virtual worlds vs. embedded computing
  – Privacy borders
• Analysis: Current Status & Evolution
  – How does Ubicomp change the picture?
  – Applicability of existing solutions
• Outlook: The Virtual Residence
  – A Ubicomp perspective
Slide 13
Collection Parameters
1. Scale – To what extent is my life visible to others?
2. Manner – How obviously is data collected?
3. Type – What type of data is recorded?
4. Motivation – What are the driving factors?
5. Accessibility – How does one find anything in this data?
Slide 14
1. Collection Scale
• Before: public appearances
  – Physically separated in space and time
• Today: online time
  – Preferences & problems (online shopping)
  – Interests & hobbies (chat, news)
  – Location & address (online tracking)
• Tomorrow: the rest
  – Home, school, office, public spaces, ...
  – No switch to turn it off?
Slide 15
2. Collection Manner
• Before: reasonable expectations
  – You see me – I see you
• Today: visible boundaries
  – Online, real-world electronic transactions
• Tomorrow: invisible interactions
  – Interacting with a digital service?
    • Life recorders, room computers, smart coffee cups
  – No blinking „recording now“ LED?
Slide 16
3. Collection Types
• Before: eyes & ears
• Today: electrical and digital surveillance tools
• Tomorrow: better sensors
  – More detailed & precise data
  – Cheaper, smaller, self-powered (ubiquitous!)
• Do I know myself best?
  – Body sensors detect stress, anger, sadness
  – Health sensors alert the physician
  – Nervous? Floor & seat sensors, eye tracker
Slide 17
4. Collection Motivation
• Before: collecting out-of-the-ordinary events
• Today: collecting routine events
• Tomorrow: smartness through pattern prediction
  – More data = more patterns = smarter
  – Context is everything, everything is context
• Worthless information? Data mining!
  – Typing speed (dedicated?), shower habits (having an affair?), chocolate consumption (depressed?)
Slide 18
5. Collection Accessibility
• Before: natural separations
  – Manual interrogations, word of mouth
• Today: online access
  – Search is cheap
  – Database federations
• Tomorrow: cooperating objects?
  – Standardized semantics
  – What is my artifact telling yours?
  – How well can I search your memory?
Slide 19
Control Parameters
1. Transfer selection – How can I be aware of data transfers?
2. Recipient selection – How do I choose whom to send data to? Implies secondary parameters (e.g., retention, security)
3. Data selection – How do I control what data to give out?
4. Purpose selection – How do I know what the data is needed for?
5. Status information – Who knows what about me?
Slide 20
Fair Information Principles
• Organisation for Economic Co-operation and Development (OECD), 1980
• Voluntary guidelines for OECD members to ease the international flow of information (simplified here to six items; the OECD text itself lists eight principles):
  1. Notice & disclosure
  2. Choice & consent
  3. Anonymity & pseudonymity
  4. Data security
  5. Access & recourse
  6. Meeting expectations
Slide 21
1. Notice And Disclosure
• No hidden data collection!
  – Legal requirement in many countries
• Established means: privacy policies
  – Who, what, why, how long, etc. ...
• How to publish policies in Ubicomp?
  – Periodic broadcasts
  – Privacy service?
• Too many devices?
  – Countless announcements are an annoyance
P3P
Slide 22
2. Choice & Consent
• Participation requires explicit consent
  – Usually a signature or pressing a button
• True consent requires true choice
  – More than „take it or leave it“
• How to ask without a screen?
  – Designing UIs for embedded systems, or
  – Finding means of delegation (is this legal?)
• Providing conditional services
  – Can there be levels of location tracking?
Slide 23
3. Anonymity, Pseudonymity
• Anonymous data comes cheap
  – No consent, security, access needed
• Pseudonyms allow for customization
  – The user can discard them at any time
• Sometimes one cannot hide!
  – No anonymizing cameras & microphones
• Real-world data is hard to anonymize
  – Even pseudonyms can reveal the true identity
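An added illustration of the last two bullets (example code written for this transcript, not part of the original slides): a user mints one pseudonym per day from a secret held on their own device, so a sensor log keyed by pseudonym cannot be linked across days; yet the real-world data recorded under each pseudonym (where its bearer is seen at night) identifies the person anyway. The secret, the sensor log, the "night cell = home" heuristic and the resident directory are all constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter, defaultdict

# Assumption: a secret that never leaves the user's own device (constructed value).
USER_SECRET = b"example-device-secret"

# Assumption: the smart building already keeps a directory of who lives where,
# for unrelated purposes (constructed data).
CELL_RESIDENTS = {"cell-A": "Alice", "cell-C": "Bob"}

NIGHT_HOURS = set(range(22, 24)) | set(range(0, 6))


def pseudonym(secret: bytes, epoch: int) -> str:
    """Pseudonym for one epoch (here: one day), derived with HMAC-SHA256.

    Each epoch yields a fresh value, and without `secret` nobody can link
    epoch 3's value to epoch 4's: the user discards a pseudonym simply by
    moving to the next epoch.
    """
    tag = hmac.new(secret, f"epoch:{epoch}".encode(), hashlib.sha256).digest()
    return tag[:8].hex()


def constructed_log(secret: bytes, days: int = 3):
    """Constructed location-sensor log of (pseudonym, day, hour, cell).

    The sensors never see a name, only the rotating pseudonym.
    """
    daily_pattern = [(1, "cell-A"), (9, "cell-B"), (14, "cell-B"), (23, "cell-A")]
    return [(pseudonym(secret, day), day, hour, cell)
            for day in range(days) for hour, cell in daily_pattern]


def infer_home(log):
    """Heuristic (an assumption for this illustration): the cell in which a
    pseudonym is seen most often at night is its home."""
    night_cells = defaultdict(Counter)
    for pseud, _day, hour, cell in log:
        if hour in NIGHT_HOURS:
            night_cells[pseud][cell] += 1
    return {p: cells.most_common(1)[0][0] for p, cells in night_cells.items()}


def reidentify(log, residents=CELL_RESIDENTS):
    """Link every pseudonym to a person through its inferred home cell.

    This is the slide's point: the pseudonym hid the name, but the real-world
    data attached to it (where its bearer sleeps) did not. Rotating the
    pseudonym daily does not help, because each day's value is re-identified
    on its own.
    """
    return {p: residents.get(home) for p, home in infer_home(log).items()}


if __name__ == "__main__":
    log = constructed_log(USER_SECRET)
    print([pseudonym(USER_SECRET, d) for d in range(3)])  # three unlinkable values ...
    print(reidentify(log))                                # ... each mapped to "Alice"
```

The rotation is doing exactly what the slide promises (the three pseudonyms are unlinkable without the secret); the failure is that the attribute data, not the identifier, carries the identity.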
Slide 24
4. Security
• No one-size-fits-all solutions
  – High security for back-end storage
  – Low security for low-power sensors
• The real world has complex, situation-dependent security requirements
  – Free access to medical data in emergency situations
• Context-specific security?
  – Depending on device battery status
  – Depending on types of data, transmission
  – Depending on locality, situation
Slide 25
5. Access & Recourse
• Identifiable data must be accessible
  – Users can review, change, sometimes delete
• Collectors must be accountable
  – Privacy-aware storage technology?
• Ubicomp applications like lots of data
  – Increased need for accounting and access
• Carefully consider what is relevant
  – How much data do I really need?
Slide 26
6. Meeting Expectations
• Ubicomp invisibly augments the real world
• Old habits adapt slowly (if ever)
  – People expect solitude to mean privacy
  – Strangers usually don’t know me
• No spying, please (proximity)
  – Devices only record if the owner is present
• Rumors should not spread (locality)
  – Local information stays local
  – Walls and flower pots can talk (but won‘t do so over the phone)
Slide 27
Privacy Toolbox Summary
• Requirements
  – When, who, what, why?
• Tools
  – When: Notice
  – Why: Choice
  – What: Anonymity
  – Who: Security
  – Status: Access
• Ethical guidance
  – Meeting expectations
Slide 28
Existing Privacy Tools
• Technical
  – Encryption & authentication
  – Anonymity & pseudonymity
  – Transparency & trust
• Legal
  – Laws and regulation
• Social
  – Ethics & social norms
Optional: P3P
Optional: US/EU Privacy Laws
Slide 29
A Privacy Awareness System
[Figure: architecture overview with Privacy Beacons announcing a privacy policy, Privacy Proxies answering Accept / Decline, and a Privacy DB]
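The flow the figure sketches, as an added example for this transcript (it is not the system's own code): a beacon announces a policy (who, what, why, how long, shared with whom), the user's privacy proxy checks it against standing preferences and answers accept or decline, and accepted collection is logged in a privacy-aware database that keeps the policy next to the data so retention can be enforced and the user can ask "who knows what about me?". The checks map onto the control parameters of slide 19 (transfer, recipient, data, purpose selection, status information) and the access-and-recourse principle. The policy fields, preference rules, matching logic and the two announcements are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Policy:
    """What a privacy beacon announces for one service (assumed field set)."""
    service: str                          # who collects
    data_types: frozenset                 # what is collected
    purposes: frozenset                   # why
    retention_days: int                   # how long
    shared_with: frozenset = frozenset()  # onward recipients, if any


@dataclass(frozen=True)
class Preferences:
    """The user's standing rules, held by their privacy proxy (assumed fields)."""
    allowed_data: frozenset
    allowed_purposes: frozenset
    max_retention_days: int
    blocked_recipients: frozenset = frozenset()


def evaluate(policy: Policy, prefs: Preferences) -> Tuple[bool, List[str]]:
    """Proxy decision: accept only if data, purpose, retention and recipients all pass."""
    reasons: List[str] = []
    undisclosed = policy.data_types - prefs.allowed_data
    if undisclosed:
        reasons.append(f"data not released: {sorted(undisclosed)}")
    bad_purposes = policy.purposes - prefs.allowed_purposes
    if bad_purposes:
        reasons.append(f"purpose not accepted: {sorted(bad_purposes)}")
    if policy.retention_days > prefs.max_retention_days:
        reasons.append(f"retention {policy.retention_days}d exceeds {prefs.max_retention_days}d")
    blocked = policy.shared_with & prefs.blocked_recipients
    if blocked:
        reasons.append(f"shares with blocked recipient: {sorted(blocked)}")
    return (not reasons, reasons)


@dataclass
class Record:
    subject: str
    policy: Policy
    data: Dict[str, object]
    collected_day: int


class PrivacyDB:
    """Privacy-aware storage: every record carries the policy it was collected under."""

    def __init__(self) -> None:
        self.records: List[Record] = []

    def store(self, subject: str, policy: Policy, data: Dict[str, object], day: int) -> None:
        # Data selection is enforced at storage time too: only announced types get in.
        kept = {k: v for k, v in data.items() if k in policy.data_types}
        self.records.append(Record(subject, policy, kept, day))

    def status(self, subject: str) -> Dict[str, Set[str]]:
        """Status information: which service holds which data types about `subject`."""
        out: Dict[str, Set[str]] = {}
        for r in self.records:
            if r.subject == subject:
                out.setdefault(r.policy.service, set()).update(r.data)
        return out

    def purge_expired(self, today: int) -> int:
        """Delete records whose announced retention has elapsed; return how many."""
        before = len(self.records)
        self.records = [r for r in self.records
                        if today - r.collected_day < r.policy.retention_days]
        return before - len(self.records)


def handle_announcement(policy: Policy, prefs: Preferences, db: PrivacyDB,
                        subject: str, data: Dict[str, object], today: int) -> Tuple[bool, List[str]]:
    """One beacon announcement as seen by the proxy: the user is made aware of the
    transfer, the policy is checked, and only an accepted transfer reaches the DB."""
    ok, reasons = evaluate(policy, prefs)
    if ok:
        db.store(subject, policy, data, today)
    return ok, reasons


# Constructed announcements from two beacons in the same room, and one user's preferences.
CUP_POLICY = Policy("smart-cup", frozenset({"cup-weight"}), frozenset({"billing"}), 30)
CAMERA_POLICY = Policy("room-camera", frozenset({"video"}), frozenset({"security"}), 365,
                       shared_with=frozenset({"building-ops"}))
USER_PREFS = Preferences(allowed_data=frozenset({"cup-weight", "presence"}),
                         allowed_purposes=frozenset({"billing", "presence"}),
                         max_retention_days=90)


def demo():
    db = PrivacyDB()
    cup = handle_announcement(CUP_POLICY, USER_PREFS, db, "alice",
                              {"cup-weight": 210, "presence": True}, today=0)
    cam = handle_announcement(CAMERA_POLICY, USER_PREFS, db, "alice",
                              {"video": b"constructed-frame-bytes"}, today=0)
    return cup, cam, db


if __name__ == "__main__":
    cup, cam, db = demo()
    print("cup:", cup)                      # (True, [])
    print("camera:", cam)                   # (False, [three reasons])
    print("status:", db.status("alice"))    # {'smart-cup': {'cup-weight'}}
    print("purged:", db.purge_expired(30))  # 1
```

The camera announcement is declined on three independent grounds (data type, purpose, retention), and the cup's extra "presence" reading never reaches storage because it was not announced; both outcomes are what a proxy has to produce without a screen in front of the user, which is the point of slide 22.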
Slide 30
Topic: Privacy in Ubicomp
• Background: Concepts & Definitions
  – Virtual worlds vs. embedded computing
  – Privacy borders
• Analysis: Current Status & Evolution
  – How does Ubicomp change the picture?
  – Applicability of existing solutions
• Outlook: The Virtual Residence
  – A Ubicomp perspective
Slide 31
The Virtual Residence
• Creates an online private space
  – Explicitly on the Internet (homepages, …)
  – Implicitly through ambient intelligence at home, work, school…
• Provides conceptual guidelines
  – Future laws
  – Economy
  – System architecture
  – Social norms (e.g., identity management)
Slide 32
Offline/Online Private Space
• Localization of actions, events
  – Web today: initiation location irrelevant
  – Ubicomp tomorrow: actions tied to real-world events
• Ubicomp: online space is a direct mapping from offline space!
[Figure: Real World vs. Virtual World, Web today vs. Ubicomp tomorrow, with shopping, searching and chatting as example activities]
Slide 33
Conceptual Guidelines
• Concept reuse
  – Web today: virtual space takes shape through real-world analogies
  – Ubicomp tomorrow: preserve physical space through 1:1 mappings
[Figure: same Real World / Virtual World diagram as on the previous slide, with shopping, searching and chatting as example activities]
Slide 34
[Figure: Concept Reuse between Real World, Online World and Ubicomp; labelled transitions: Adoption, Recreation, Preservation]
Slide 35
Example: Identity
• Real world
  – I am myself
  – Implicit identity
• Virtual world
  – I can be anything
  – Explicit identity (management)
• Ubicomp
  – Needs to map real-world experience!
  – Identity management?
  – Anonymity, credential management!
Slide 36
Anonymity Management
• Real-life anonymity with digital services
  – Online interactions: virtual characters, need strong authentication
  – Real-world digital interactions: grounded in time & space!
• Anonymous authentication in time & space
  – Not “who?” but “where & when? here & now!”
• Data minimization principle
  – First step towards technical support?
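An added sketch of "not who, but where & when" (example code for this transcript, not from the original talk): the room's beacon periodically emits a keyed token over (location, time window) that only someone within range can pick up, and a service accepts that token as proof of "here & now" without learning who presented it, so the token carries the minimum data the service actually needs. Assumptions: beacon and service share a symmetric key, the beacon's channel is short-range, a window is five minutes wide, and freshness is modelled only by the window check (a deployment would also need replay handling within a window and key management).

```python
import hashlib
import hmac
from typing import Dict

WINDOW_SECONDS = 300  # assumption: one token per 5-minute window


def window_index(unix_time: int, width: int = WINDOW_SECONDS) -> int:
    """Coarsen time into windows; the token binds to a window, not an instant."""
    return unix_time // width


def issue_token(beacon_key: bytes, location: str, now: int) -> Dict[str, object]:
    """Beacon side: a MAC over (location, window) and nothing else.

    There is no subject identifier anywhere in the token: everyone within
    range of the beacon during this window receives the same value.
    """
    window = window_index(now)
    msg = f"{location}|{window}".encode()
    tag = hmac.new(beacon_key, msg, hashlib.sha256).hexdigest()
    return {"location": location, "window": window, "tag": tag}


def verify_presence(beacon_key: bytes, token: Dict[str, object],
                    expected_location: str, now: int, slack: int = 1) -> bool:
    """Service side: accept iff the token is for the expected room and for the
    current window (or an adjacent one, to absorb clock skew).

    The verifier learns "someone who is in `expected_location` now", not who.
    """
    if token.get("location") != expected_location:
        return False  # wrong "where"
    if abs(int(token["window"]) - window_index(now)) > slack:
        return False  # stale or far-future token: wrong "when"
    msg = f"{token['location']}|{token['window']}".encode()
    expected = hmac.new(beacon_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(token["tag"]))


if __name__ == "__main__":
    key = b"room-42-beacon-key"  # assumption: shared by the beacon and the service
    token = issue_token(key, "room-42", 1_000_000)
    print(verify_presence(key, token, "room-42", 1_000_060))  # True: here & now
    print(verify_presence(key, token, "room-43", 1_000_060))  # False: wrong "where"
    print(verify_presence(key, token, "room-42", 1_003_600))  # False: wrong "when"
```

Nothing in the token distinguishes two people who stood in the same room in the same window, which is the data-minimization property the slide asks for; it is also why a service that wants per-person accountability cannot get it from this token alone.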
Slide 37
Summary: Privacy in Ubicomp
• Acceptability goal:
  – Expect smart things to behave like normal ones (when it comes to privacy)
• That means:
  – No border crossings (physical, spatial/temporal, social, ephemeral/transitory)
• Requires:
  – Strong data to object/location/owner ties
  – Intuitive data (identity) management
  – Virtual residence = real residence (strong ties)
Slide 38
Recommended Reading
• David Brin: The Transparent Society. Perseus Publishing, 1999
• Lawrence Lessig: Code and Other Laws of Cyberspace. Basic Books, 2000
• Simson Garfinkel: Database Nation – The Death of Privacy in the 21st Century. O’Reilly, 2001
Slide 39
More Books
• Frank Stajano: Security for Ubiquitous Computing
• Marc Rotenberg: The Privacy Law Sourcebook 2001: United States Law, International Law, and Recent Developments
• EPIC: Privacy & Human Rights