Personal Privacy in Ubiquitous Computing
Marc Langheinrich, Institute for Pervasive Computing, ETH Zurich, Switzerland
Approaches to Ubicomp Privacy
Disappearing Computer Troubadour Project (10/02 - 05/03)
- Promote Absence of Protection as User Empowerment
  "It's maybe about letting them find their own ways of cheating"
- Make it Someone Else's Problem
  "For [my colleague] it is more appropriate to think about [security and privacy] issues. It's not really the case in my case"
- Insist that "Good Security" will Fix It
  "All you need is really good firewalls"
- Conclude it is Incompatible with Ubiquitous Computing
  "I think you can't think of privacy... it's impossible, because if I do it, I have troubles with finding [a] Ubicomp future"
11/29/2007 Personal Privacy in Ubiquitous Computing 2
Today's Topics
- What is Privacy and Why Should We Want It?
- How do Future Smart Environments Challenge Existing Solutions?
- How Less Security Can (Sometimes) Increase Privacy
  Results of ETH/Hitachi-SDL cooperation 2006
What is Privacy?
- "The right to be let alone."
  Louis D. Brandeis, 1890 (Harvard Law Review)
  (Louis D. Brandeis, 1856-1941)
- "The desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitude and their behavior to others."
  Alan Westin ("Privacy And Freedom", 1967)
  (Alan Westin, Prof. Emeritus, Columbia University)
Why Privacy?
Reasons for Privacy
- Free from Nuisance
- Intimacy
- Free to Decide for Oneself
By Another Name...
- Data Protection
- Informational Self-Determination
Privacy isn't just about keeping secrets – data exchange and transparency are key issues!
"But I've Got Nothing to Hide!"
Do you?
Arson Near Youth House Niederwangen
- At scene of crime: Migros tools
- Court ordered disclosure of all 133 consumers who bought items on their supermarket loyalty card (8/2004)
- (Arsonist not yet found)
"Give me six lines written by the most honorable of men, and I will find an excuse in them to hang him"
Armand Jean du Plessis, 1585-1642 (a.k.a. Cardinal de Richelieu)
Ubicomp Privacy Implications
Data Collection
- Scale (everywhere, anytime)
- Manner (inconspicuous, invisible)
- Motivation (context!)
Data Types
- Observational instead of factual data
Data Access
- "The Internet of Things"
How do we achieve privacy?
Privacy – Not Just a Recent Fad
Justices Of The Peace Act (England, 1361)
- Sentences for Eavesdropping and Peeping Toms
"The poorest man may in his cottage bid defiance to all the force of the crown. It may be frail; its roof may shake; … but the king of England cannot enter; all his forces dare not cross the threshold of the ruined tenement"
William Pitt the Elder (1708-1778)
First Data Protection Law in the World in Hesse, 1970
The Fair Information Principles (FIP)
Drawn up by the OECD, 1980 ("Organisation for Economic Cooperation and Development")
- Voluntary guidelines for member states
- Goal: ease transborder flow of goods (and information!)
Five Principles (simplified)
1. Openness
2. Data access and control
3. Data security
4. Collection Limitation
5. Data subject's consent
Core principles of most modern privacy laws
Implication: Technical solutions must support FIP
1. Challenge: Openness
No Hidden Data Collection!
- Legal requirement in many countries
Established Means: Privacy Policies
- Who, what, why, how long, etc. ...
How to Publish Policies in Smart Environments?
- Is a poster enough? A paragraph of fine print?
Too Many Transactions?
- Countless announcements are an annoyance
2. Challenge: Access & Control
Identifiable Data Must be Accessible
- Users can review, change, sometimes delete
Collectors Must be Accountable
- Privacy-aware storage technology
When Does Sensor Data Become Identifiable?
- Even anonymized data can identify people (AOL case)
Who to Ask? How to Verify? How to Display?
- Who was reading me when? Is this really my trace?
3. Challenge: Data Security
Traditional Approach: Centralistic Authentication
- Powerful centralized system with known user list
- Plan for worst case scenario (powerful attacker)
Numerous, Spontaneous Interactions
- How do I know who I communicate with, who to trust?
- How much extra time does "being secure" take?
Complex Real-World Situations
- Access to my medical data in case of emergency?
Context-Dependent Security?
- Based on battery power, data type, location, situation
4. Challenge: Data Minimization
Only collect as much information as needed
- No in-advance data collection for future uses
Best: use anonymous/pseudonymous data
- No consent, security, access needed
How much data is needed for becoming "smart"?
- No useless data in smart environments (context!)
Sometimes one cannot hide!
- Sensor data (biometrics) hard to anonymize
5. Challenge: Consent
Participation Requires Explicit Consent
- Usually a signature or pressing a button
True Consent Requires True Choice
- More than "take it or leave it", needs alternatives
How to Ask "On The Fly"?
- The mobile phone as a background agent (legal issues?)
Consenting to What?
- Do I understand the implications?
- Do I have options?
Ubicomp Challenges to Security & Privacy
1. How to inform subjects about data collections?
2. How to provide access to stored data?
3. How to ensure confidentiality, integrity, and authenticity (w/o alienating user)?
4. How to minimize data collection?
5. How to obtain consent from data subjects?
Public Concern over Unauthorized RFID Access
Unauthorized RFID Access – Implications
[Figure: original "RFID-Man" artwork (c) 2006 Ari Juels, RSA Laboratories: a person whose tagged belongings answer any reader with their details: passport (name, nationality, visa), wig (model, material), underwear (manufacturer, times washed), wallet (contents: 370 Euro), medication (manufacturer, package size), disability card number]
Our focus: Consumer items
Killing Consumer Item RFID Tags
"Dead Tags Tell No Tales"
- Permanently deactivate tag at checkout
Hard Kill
- Cut tag antenna or "fry" circuit
Soft Kill
- Needs password to prevent unauthorized killing
- (figure: Metro RFID De-Activator)
Both Approaches Require Consumer Action
- Also voids any post-sales benefits (returns, services, …)
Alternative: Securing RFID Access
General Principle: Lock/Unlock ID With Password
- Tag only replies if correct password/secret is sent
Requires RFID-Owner to Know Secret
- Password must be transferred at checkout (where to?)
Requires Owner to Know Which Secret to Use
- Chicken And Egg Problem: If you don't know what tag it is, how do you know what password to use?
What about small businesses?
- Deactivation terminals? Password management?
Goal: Protecting RFID Readout Without Consumer Effort
Shamir Tags [Lan2007a]
An Example for Zero-Management Privacy Protection
Default: Tags Take Long Time To Read Out
- Complicates Tracking & Unauthorized Identification
- Bitwise release, short range (e.g., one random bit/sec)
- Intermediate results meaningless, since encrypted
- Decryption requires all bits being read
But: Known Tags Can be Directly Identified
- Allows owner to use tags without apparent restrictions
- Initial partial release of bits enough for instant identification from a limited set of known tags
[Lan2007a] Marc Langheinrich, Remo Marti: "Practical Minimalist Cryptography for RFID Privacy." IEEE Systems Journal, Special Issue on RFID Technology, 1(1), December 2007.
Secret Shares (Shamir 1979)
- A polynomial of degree n can be described using at least n+1 points
- (figure: points P1, P2, P3 on a polynomial)
[Figure: Shamir tag construction]
- Secret s: the 96-bit EPC code (011010111…1101)
- Split into three 106-bit Shamir shares, each a 10-bit x-value followed by a 96-bit y-value (111000011…101101, 101101101…110111, 101010011…101101)
- Shamir tag: the three shares concatenated, 318 bits (111000011101010001010111010101101010100…1010101110101)
[Figure: Bit Disclosure Over Time]
- Initial reply: 16 bits, enough for instant identification of known items
- Then +1 bit at a time
- Unknown tags will eventually be identified
Preventing Tracking
[Figure: Tag 1, Tag 2, Tag 3 and Readouts 1-3; each readout shows a different substring of the original tag bits]
- Subsequent readouts receive only a substring of bits
- Insufficient data to track a tag repeatedly
- E.g., in a tag population of 10^9, over 3 million tags have 5 bits in common
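The Shamir tag mechanics of the preceding slides (shares derived from a 96-bit EPC, bitwise release, instant identification from the owner's small set of known tags versus the tracking limit of a partial readout), as an added Python example that is not code from the talk or from [Lan2007a]. The field prime 2^107-1, the random bit order and the sample tag populations are assumptions.

```python
import random

# Added example, not code from the talk or from [Lan2007a]. Assumptions: the slides
# show 10-bit x / 96-bit y shares; here arithmetic is done modulo the Mersenne prime
# 2^107-1 (large enough for a 96-bit EPC), so y-values are 107 bits and a 3-share tag
# is 3*(10+107) = 351 bits. Bits are released in an assumed random order, with position.
P = 2**107 - 1
X_BITS, Y_BITS, SHARES = 10, 107, 3        # 3 shares => degree-2 polynomial, threshold 3
SHARE_BITS = X_BITS + Y_BITS

def make_shares(secret, k=SHARES, rng=random):
    """Split a 96-bit EPC into k points on a random degree-(k-1) polynomial over GF(P)."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(k - 1)]
    xs = rng.sample(range(1, 2**X_BITS), k)           # distinct non-zero 10-bit x-values
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P) for x in xs]

def recover_secret(shares):
    """Lagrange interpolation at x=0; correct only once all k shares are known."""
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    return s

def tag_bits(shares):
    """Bit string stored on the Shamir tag: each share as its x-value then its y-value."""
    return "".join(f"{x:0{X_BITS}b}{y:0{Y_BITS}b}" for x, y in shares)

def parse_tag(bits):
    """Inverse of tag_bits: split the tag bit string back into (x, y) shares."""
    chunks = [bits[i:i + SHARE_BITS] for i in range(0, len(bits), SHARE_BITS)]
    return [(int(c[:X_BITS], 2), int(c[X_BITS:], 2)) for c in chunks]

def release(bits, n, rng=random):
    """Bitwise release: the tag reveals n (position, bit) pairs at random positions."""
    return [(i, bits[i]) for i in rng.sample(range(len(bits)), n)]

def candidates(known, released):
    """Known tags consistent with the released bits. One hit = instant identification
    from the owner's small set; many hits = a partial readout cannot single out a tag."""
    return [name for name, b in known.items() if all(b[i] == v for i, v in released)]

def demo(seed=2007, owner_tags=40, crowd_tags=5000):
    """Owner vs. tracker: which tag the owner's reader sees after 16 bits, and how many
    tags of a large population a tracker still cannot tell apart after 5 bits."""
    rng = random.Random(seed)
    my_tag = tag_bits(make_shares(rng.getrandbits(96), rng=rng))
    mine = {f"item{i}": tag_bits(make_shares(rng.getrandbits(96), rng=rng)) for i in range(owner_tags)}
    crowd = {f"tag{i}": tag_bits(make_shares(rng.getrandbits(96), rng=rng)) for i in range(crowd_tags)}
    mine["jacket"] = crowd["jacket"] = my_tag
    owner_sees = candidates(mine, release(my_tag, 16, rng))
    tracker_sees = len(candidates(crowd, release(my_tag, 5, rng)))
    return owner_sees, tracker_sees

if __name__ == "__main__":
    print(demo())
```

Dropping one share and interpolating the remaining two yields a value unrelated to the EPC, which is why intermediate readouts are meaningless until the last bit arrives.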
More Privacy Through Less Security?
Shamir Tags Require No Consumer Effort
- Delay upon first use, but no passwords to manage!
- Not useful for "important" items (passports, e-money)
- Does not alleviate user concerns (tags remain active)
Building Block for Comprehensive Solution
- Strong crypto for passports, drug-authenticity, …
- Clipping/killing for concerned consumers
- Unconcerned consumers get basic protection "for free"
Shamir tag challenge [Lan2007b]
Range vs. readability
- If read range is too long, easy to read long enough
- Ideal: very short range to force very close readout
But where is the tag located?
- Short range: tag hard to find
[Lan2007b] Marc Langheinrich, Remo Marti: "RFID Privacy Using Spatially Distributed Shared Secrets." Proc. of UCS 2007, Tokyo, Japan, November 26-28, 2007.
Goal: make finding the (short range) tag easy
Idea: spread the Shamir shares across the item
- E.g., woven into the garment
- No single locus of information
- "Super-distributed RFID tag infrastructures" [Bohn & Mattern 2004]
Sweep reader across surface
- Effort varies with spatial distribution, # of different Shamir shares, Shamir threshold (shares needed)
Multi-item identification
Problem: multiple overlapping polynomials
- Unable to differentiate Shamir shares from different items!
- (figure: shares of Item 1 and Item 2 read together; for each share, "Item?")
Separating Shamir polynomials
- Use prefix? Makes tags trivial to track!
- Idea: cluster Shamir shares to keep items apart
- Allows separation if enough shares have been read
- (figure: Lagrange interpolation of each separated item's polynomial)
Cluster methods for Shamir shares
Grid-based
- Choose random grid dimensions and origin
- Select grid subset & use points
- To detect: Subtractive Clustering Algorithm [Chiu'94]
- Collisions: Detect larger clusters
Line-based
- Choose "random" slope, origin
- Use points within known width
- To detect: begin with random point and find line (8 directions)
- Repeat until all points assigned
- Collisions: Line crossings
Evaluation
- Unauthorized readout? Instant identification? Traceability of bitwise released Shamir shares?
  See [Lan2007a] for details on both
- Here: how well does item discrimination work?
- And: how does clustering affect traceability?
Detection rates (item discrimination)
Using simulator, we ran 100 iterations of:
- Generate 1-10 items with 400-800 tags each (Shamir threshold of 40-80% of tags)
- Read 80-100% of all tags
- Run clustering algorithm & note identification rates
Detection rates (simulation, 1-10 items)
[Chart: detection rate (86% to 100%) vs. percentage of Shamir shares read (80%, 90%, 100%), grid-based vs. line-based method]
Detection rates (simulation, 1-20 items)
[Chart: detection rate (86% to 100%) vs. percentage of Shamir shares read (80%, 90%, 100%), grid-based vs. line-based method]
Traceability (qualitative)
- "Short" readouts do not make clusters visible
- Example below: ~45 shares, 15 items, ~800 shares each
- Large "p x n" space facilitates grid-based tracing
- The "emptier" the space, the easier the grid is to spot
- Line-based method more robust
Summing Up!
Take Home Message(s)
Privacy is more than just "good security"
- It's about sharing and control
Smart environments pose new challenges
- Novel data types, increased # of incidents, implicit interactions
Security and privacy must be usable to be useful!
- Almost never primary goals, get easily "in the way"
- Goal: security/privacy mechanisms that "just work"
- Shamir Tags: protection from unauthorized readouts
SPMU'08: Security & Privacy Issues in Mobile Phone Use
- Secure payment/ticketing and authentication systems
- Usability issues in mobile phone security/privacy
- Public perception, legal, and social issues
- Digital rights management on mobile phones
- Options for using mobile phones in law enforcement
See: www.vs.inf.ethz.ch/events/spmu08/
Organized by:
- Rene Mayrhofer (Lancaster University, UK)
- Marc Langheinrich (ETH Zurich, Switzerland)
- Alexander De Luca (LMU Munich, Germany)