Privacy Rights Management for Mobile Applications

A. K. Bandara, B. A. Nuseibeh, B. A. Price, Y. Rogers
Centre for Research in Computing, The Open University, Milton Keynes, MK7 6AA, UK
{a.k.bandara, b.nuseibeh, b.a.price, y.rogers}@open.ac.uk

N. Dulay, E. C. Lupu, A. Russo, M. Sloman
Department of Computing, Imperial College London, London, SW7 2AZ, UK
{n.dulay, e.c.lupu, a.russo, m.sloman}@imperial.ac.uk

A. N. Joinson
School of Management, University of Bath, Bath, BA2 7AY, UK
a.n.joinson@bath.ac.uk
1. INTRODUCTION

With mobile telephony and GPS devices becoming ubiquitous, there are many tracking and monitoring devices being developed that have a range of potential applications, from supporting mobile learning to remote health monitoring of the elderly and chronically ill. However, do users actually understand how much of their personal information is being shared with others? In general, there will be a trade-off between the usefulness of disclosing private information and the risk of it being misused. In this position paper, we describe the Privacy Rights Management for Mobile Applications (PRiMMA) project, where we are investigating techniques for protecting the private information typically generated by ubiquitous computing applications from malicious or accidental misuse. Consider the following scenario:

"Alice and Bob's son Charles is involved in many after-school activities. Concerned for his safety whilst travelling to and from these activities, Charles' parents buy him a new mobile phone that has a GPS tracking feature together with a Privacy Manager (PM) tool. To prevent Charles from unintentionally disclosing his location to others, Bob configures the PM with a policy that states that only Alice and Bob can read Charles' location information. One day Charles needs a lift home and uses a taxi firm, 'zCar', that allows customers to send SMS requests containing their location. However, when Charles tries to send a pick-up request, his PM informs him that this would violate his location privacy policy. Charles chooses to override his policy and soon a taxi arrives to take him home. The next time Charles needs a lift, he uses another firm offering the same service, 'qCab', and is again forced to override his policy. Over time, Charles' PM learns this behaviour and suggests a new policy that will disclose his location to taxi firms whenever he requests a pick-up."

This scenario illustrates the need for explicit privacy rights in mobile computing interactions, and the importance of being able to detect and resolve inconsistencies between user privacy policies and the information required to provide particular functionalities. It also raises the need to be able to analyse a collection of user privacy policies before making a decision to disclose private information. There is, in addition, a need for automated learning of privacy policies in order to minimise the overhead of requiring user intervention whenever there is an inconsistency between policies, or between an information request and privacy policies.

We are investigating privacy requirements across the general population for a specific set of ubiquitous computing technologies, and will produce a reusable framework with demonstrator applications, based on the above scenarios, evaluated with participants across a wide population demographic. We aim to develop a Privacy Rights Management (PRM) framework that will enable users to specify and manage the privacy of personal context information generated by a pervasive system [1]. This framework will integrate users' privacy policies with their personal information to control how that information is used. This is analogous to Digital Rights Management (DRM), which uses software solutions to protect digital information against copyright infringement and often incorporates information such as 'digital watermarks' in the data being protected, or encapsulates the data such that it is self-protecting [8]. Our work will identify how people perceive privacy in ubiquitous systems and how they would like to control it, and will provide tools that enable them to manage the privacy of the information they generate. To this end, we will recruit a large cohort of over 1000 Open University (OU) students with a broad range of ages and backgrounds for identifying requirements, and a smaller group of over 100 to evaluate the tools for privacy management prototyped in the project. We will focus on two types of ubiquitous computing privacy risk: the unidirectional risk, such as where a student is being monitored by his tutor, and the bi-directional risk, where peers (e.g., students, friends, colleagues, spouses) are implicitly or explicitly exchanging context information. We will implement a PRM system that allows users to specify privacy preferences, helps them visualize those preferences, learns from the user's behaviour what their likely preferences are, and enforces privacy policies. We will develop simple interfaces that allow users to specify and understand what is being revealed about them. By providing an analysis and learning system within the framework, we believe that we can produce a usable system that does not burden users with complex privacy rule sets.

2. RESEARCH ISSUES & OBJECTIVES

The overall objective of the project is to determine how users perceive privacy issues related to the information they will generate in pervasive systems, and to develop a Privacy Rights Management (PRM) System that enables them to specify privacy controls which will be enforced by the system. Interface evaluation, especially for novel interfaces, typically involves small numbers of users (usually computer science or psychology undergraduates) who have been trained on the experimenter's equipment and perform a lab-based or other brief evaluation. Our work will move the evaluation of novel interfaces to the next level by allowing many more users from the general population to use their own equipment (mobile phones) to perform real-world tasks over a period of weeks. The research issues and questions related to the above objectives include:
- Determining how users perceive the privacy of information they generate. Who will they share it with? What sort of controls do they want over the information?

- What is the granularity of context information that users are willing to divulge in the different contexts of work, learning, and play?

- What mechanisms are needed to automate the control of privacy, and how should these be distributed between mobile devices and the infrastructure?

- Can we predict the privacy requirements of a range of users from monitored information, and how do these change over time?

- Can we detect and resolve inconsistencies in users' privacy requirements?

3. APPROACH

We propose to develop four distinct components to address the problem of privacy control in ubiquitous computing: both large- and small-screen user interfaces for privacy management; information models for context data and privacy policies; privacy policy languages and enforcement mechanisms; and learning and analysis techniques for automating the specification, derivation and validation of privacy policies. A high-level architecture diagram of our proposed framework, illustrating how these components would interact, is shown in Figure 1.

Figure 1: High-level PRM Architecture

A key output of this project will be an implementation of this PRM framework, including demonstrator applications together with a comprehensive evaluation with >100 participants across a wide demographic. Before starting detailed design and implementation of the components shown, we will conduct a large-scale requirements gathering exercise involving over 1000 people to elicit initial privacy requirements for ubiquitous computing. These requirements will guide the interaction/interface design, which will produce a reusable privacy user interface for both handheld devices and visualization on large-screen devices. The requirements will also guide the development of models for the context and policy information used by the privacy management framework, and will provide input to the design of a specialised privacy policy. Our framework will include a privacy manager agent which is able to interpret and enforce the policies deployed on the user devices. We will also evaluate what functionality can be incorporated on portable devices and what needs to be offloaded to more powerful computers. For example, can policies be learned in real time or only as an offloaded background activity; can detailed analysis results be shown on a mobile display; etc.? Finally, although not shown explicitly in the architecture diagram, we will also implement requirements monitoring mechanisms for evaluating how users' stated requirements change in ubiquitous computing environments once applications are in use.

4. RELATED WORK

Hong and Landay [3] identify a number of privacy requirements for end users, including simple and appropriate control and feedback. They address this concern in their Confab architecture by adding digitally signed privacy tags, carrying retention and use policies, to shared data items. This approach corresponds to the European data protection model of data being licensed for a specific purpose and no other. The idea of combining data with metadata in Confab is the starting point for the DRM-style PRM that we propose. Other DRM-style approaches include that of Gunter et al. [4], who combined a method using a formal access control matrix with Personal DRM (PDRM). Their PDRM system combines the features of P3P with the eXtensible rights Markup Language (XrML) [5] to create digitally signed contracts licensing the use of personal data for specific purposes and for fixed periods of time. Our approach extends this idea to incorporate actual user requirements, context awareness, and a practically tested user interface. Despite these results, the problems of privacy control in mobile or ubiquitous computing remain largely unaddressed.

5. ACKNOWLEDGEMENTS

This work is funded by the UK EPSRC (Grant # EP/F024037/1) and is supported by IBM Research as part of their Open Collaborative Research (OCR) initiative. We are grateful to our OCR partners, Jorge Lobo (IBM), John Karat (IBM), Lorrie Cranor (CMU) and Elisa Bertino (Purdue), for their input into this work.

6. REFERENCES

[1] Fahrmair, M., W. Sitou, and B. Spanfelner. Security and privacy rights management for mobile and ubiquitous computing. In Workshop on UbiComp Privacy: Privacy in Context at UbiComp'05. 2005. Tokyo, Japan.

[2] Lessig, L. The Architecture of Privacy. In Taiwan Net'98. 1998. Taipei, Taiwan.

[3] Hong, J.I. and J.A. Landay. An Architecture for Privacy-Sensitive Ubiquitous Computing. In Proceedings of the 2nd Int. Conf. on Mobile Systems, Applications, and Services. 2004. Boston, MA, USA.

[4] Gunter, C.A., M.J. May, and S.G. Stubblebine. A Formal Privacy System and its Application to Location Based Services. In Workshop on Privacy Enhancing Technologies. 2004. Toronto, Canada.

[5] ContentGuard.com. XrML Version 2.0. 2005.
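As an added illustration of the Charles scenario from Section 1 (example code written for this page, not the PRiMMA project's own design), the toy Privacy Manager below denies a disclosure request that conflicts with the user's policy, records the user's overrides, and after repeated overrides of the same kind suggests a purpose-bound policy that the user can accept. The requester `category` attribute, the override threshold and the default-deny rule are assumptions not stated in the paper.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Policy:
    data_type: str                        # e.g. "location"
    allowed_readers: frozenset            # identities or requester categories
    purposes: Optional[frozenset] = None  # None = any purpose
    def permits(self, req):
        return bool(self.data_type == req.data_type
                    and {req.requester, req.category} & self.allowed_readers
                    and (self.purposes is None or req.purpose in self.purposes))

@dataclass(frozen=True)
class Request:
    requester: str   # e.g. "zCar"
    category: str    # e.g. "taxi_firm" (assumed attribute of the requester)
    data_type: str   # data the service needs in order to work
    purpose: str     # e.g. "pickup"

@dataclass
class PrivacyManager:
    policies: list
    overrides: Counter = field(default_factory=Counter)
    suggestions: list = field(default_factory=list)
    threshold: int = 2   # same-kind overrides before a new policy is suggested (assumed)

    def decide(self, req, override=False):
        # Default deny: disclose only if some policy permits this reader for this purpose.
        if any(p.permits(req) for p in self.policies):
            return "disclose"
        if not override:
            return "deny"          # policy conflicts with what the service requires
        key = (req.category, req.data_type, req.purpose)
        self.overrides[key] += 1   # learn from repeated overrides of the same kind
        if self.overrides[key] == self.threshold:
            self.suggestions.append(Policy(req.data_type, frozenset({req.category}), frozenset({req.purpose})))
        return "override"

def run_scenario():
    pm = PrivacyManager([Policy("location", frozenset({"Alice", "Bob"}))])
    zcar = Request("zCar", "taxi_firm", "location", "pickup")
    qcab = Request("qCab", "taxi_firm", "location", "pickup")
    trace = [pm.decide(zcar), pm.decide(zcar, override=True), pm.decide(qcab, override=True)]
    suggested = pm.suggestions[0]            # PM proposes: taxi firms may read location for pick-ups
    pm.policies.append(pm.suggestions.pop(0))  # user accepts the proposed policy
    trace.append(pm.decide(Request("aTaxi", "taxi_firm", "location", "pickup")))
    trace.append(pm.decide(Request("aTaxi", "taxi_firm", "location", "marketing")))
    return trace, suggested
```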