563.6 Monitoring and Surveillance Presented by: Carl A. Gunter University of Illinois Spring 2006
The Privacy Matrix Access Collection Use Example: observation of your walk down the street. Gunter Wachter Wagner 04
Three Case Studies • AdLoc: Location-Based Advertising • Janus’s Map: Location Information Systems (LISs) based on Building Automation Systems (BASs) • Assisted Living: monitoring health information from devices in homes
Case Study: AdLoc • AdLoc system allows for permission-based advertising based on geo-location information • Allows PDA users to discover their geo-location and send it to a central database where it can be accessed only with a digital license • Architectural elements • GeoLocation Service (GLS) • GeoInformation Service (GIS) • AdLoc PDA Application • AdLoc Merchant Application Gunter May Stubblebine 04
Location Based Services • Services based on the location of a principal: maps, activities, emergency response, law enforcement, inventory control, geo-fencing, demographic data collection, and so on. • Technical drivers: cell phones, GPS and telematics, RFID tags, DHCP and 802.11. • Growing field: estimated at $4 billion in the U.S. and $30 billion worldwide by the end of 2004. • Rules for archiving, redistribution, and usage must be addressed at individual and group levels.
Three Types of Participants (diagram): Subject, Holder, Subscribers. Nodes shown: User Device, Location Server, Content Server, Merchant/Tracking Company, Government.
Discovering Location (diagram): Subject, Holder, Private Data
Collecting Data (diagram): Subject, Holder, Subscriber, Policy Database
Collecting a License (diagram): Approval, Granted Rights
Action – Sending an Ad (diagram): action as approved by license
Sample License
<?xml version="1.0" encoding="utf-8" ?>
<core:licenseGroup xmlns:core="http://www.xrml.org/schema/2001/11/xrml2core"
    xmlns:cx="http://www.xrml.org/schema/2001/11/xrml2cx"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
    xmlns:sx="http://www.xrml.org/schema/2001/11/xrml2sx"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:priv="http://www.pdrm.org/XrMLPrivacy"
    xmlns:p3p="http://www.w3.org/2002/01/P3Pv1"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xsi:schemaLocation="http://www.xrml.org/schema/2001/11/xrml2cx ../schemas/xrml2cx.xsd">
  <core:license licenseId="http://www.pdrm.org/examples/2003/SendAnyAd">
    <core:inventory>
      <!-- Device with ad -->
      <priv:mobile licensePartId="mobiledevice">
        <priv:locator>
          <priv:id>2155555050@MobileISP.com</priv:id>
        </priv:locator>
      </priv:mobile>
    </core:inventory>
    <core:grantGroup>
      <!-- The company that is tracking us' specific key. -->
      <core:keyHolder>
        <core:info>
          <dsig:KeyValue>
            <dsig:RSAKeyValue>
              <dsig:Modulus>...</dsig:Modulus>
              <dsig:Exponent>...</dsig:Exponent>
            </dsig:RSAKeyValue>
          </dsig:KeyValue>
        </core:info>
      </core:keyHolder>
      <sx:x509SubjectName>CN=The Mobile Ad Company</sx:x509SubjectName>
      <!-- Grants Company the right to track the user through the permission period. -->
      <core:grant>
        <priv:PrivacyPolicy>
          <!-- Disclosure -->
          <p3p:ACCESS>
            <p3p:all/>
          </p3p:ACCESS>
          <!-- Disputes -->
          <p3p:DISPUTES-GROUP>
            <p3p:DISPUTES resolution-type="service" short-description="Customer service will remedy your complaints.">
              <p3p:REMEDIES>
                <p3p:correct/>
              </p3p:REMEDIES>
            </p3p:DISPUTES>
          </p3p:DISPUTES-GROUP>
          <p3p:STATEMENT>
            <p3p:CONSEQUENCE>
              We collect your location information for development purposes and for tracking your individual movement habits.
            </p3p:CONSEQUENCE>
            <!-- Why we use it -->
            <p3p:PURPOSE>
              <p3p:develop/>
              <p3p:individual-analysis/>
              <p3p:individual-decision/>
              <p3p:current/>
            </p3p:PURPOSE>
            <!-- Who else can get this data -->
            <p3p:RECIPIENT>
              <p3p:ours/>
            </p3p:RECIPIENT>
            <!-- How long do we hold onto the data for -->
            <p3p:RETENTION>
              <p3p:legal-requirement/>
            </p3p:RETENTION>
          </p3p:STATEMENT>
        </priv:PrivacyPolicy>
        <!-- The mobile device from the inventory -->
        <priv:mobile licensePartIdRef="mobiledevice"/>
        <!-- The rights that we are giving -->
        <priv:sendanyad/>
        <!-- The period for which the company may track the user. -->
        <core:validityInterval licensePartId="trackingPeriod">
          <core:notBefore>2004-05-20T19:28:00</core:notBefore>
          <core:notAfter>2004-07-29T19:28:00</core:notAfter>
        </core:validityInterval>
      </core:grant>
    </core:grantGroup>
    <!-- The person allowing the company to track him/her -->
    <core:issuer>
      <sx:commonName>John Doe</sx:commonName>
    </core:issuer>
  </core:license>
</core:licenseGroup>
Case Study: Janus’s Map • Smart buildings collect data on users through the building automation system (BAS) • BAS data protected because of privacy concerns • BAS data could be used to aid building users Boyer Tan Gunter 06
Location Information System • Allows building users to gain and control information about tracked users and objects in a building • Works by aggregating BAS information, together with other sources of raw data
Raw Data Sources • Door Lock System • Occupancy Sensors • Network Jack Activity • Application Software, such as AIM • Video Surveillance • Wireless Network • GPS • RFID Tags • Telephone
The Siebel Center • Andover Continuum BAS • Uses electronic door locks and occupancy sensors • Case study for a Location Information System
How to Build an LIS • Define an Ownership Model • Determine the environment events of interest and how to deduce them • Develop a model for privacy-information sharing for events
Ownership Model • U, the set of users • L, the set of locations • S, the set of system events • T, a set of values with a linear ordering, signifying time • time : S → T, which determines the time of an event • user : S → U ∪ {}, which determines the user associated with an event, if any • loc : S → L, which determines the location in which an event occurred • o : L → 2^U, which determines the owners of a location • the event-ownership function : S → 2^U, which determines the owners of an event
Environmental Events • An aggregate event • Deduced from a set of system events • E is the set of environment events in an LIS • induce : 2^S → 2^E determines the set of environment events that can be deduced from a set of system events • Applies a set of deduction rules of the following form:
Privacy Policy • System events are protected to protect the user’s privacy • We define two indexed families of functions: • filter : U × U → (2^S → 2^S) • mask : U × U → (2^E → 2^E) • Each user u defines, for each user v, the two functions that establish u's privacy policy toward v: • filter_uv : 2^S → 2^S • mask_uv : 2^E → 2^E
Formal Definition of LIS • A Location Information System, L, between an ownership model and a set, E, of environment events consists of three functions: • filter : U × U → (2^S → 2^S) • mask : U × U → (2^E → 2^E) • induce : 2^S → 2^E
Reveal • We also define a family of functions reveal : U × U → (2^S → 2^E) which performs a lookup of environment events in an LIS • reveal_uv is the function that v calls when v wishes to learn something about u
Janus’s Map: Ownership • Locations in Siebel Center • G = {floor, wing, room}, the set of location granularities • L_floor ⊆ L, L_wing ⊆ L, L_room ⊆ L • Locations are defined as tuples in L_floor × (L_wing ∪ {}) × (L_room ∪ {}) • Events • Defined as tuples in (U ∪ {}) × L × T × the set of event types • type : S → the set of event types returns the type of an event
Janus’s Map: Ownership (cont’d) • o is a static policy that maps room ownership • The event-ownership function assigns ownership of an event s first to its user(s) and otherwise to o(loc(s))
Janus’s Map: Environment Events • The main goal of Janus’s Map is to determine location information about users in the building • E is defined as a set of tuples in U × L × T × P • P = {In, Near} defines a user’s proximity to a location
Janus’s Map: Privacy Policy • Users define rules from which the functions filteruv and maskuv are derived • System events are filtered based on time, date, event type, and location • Environment events are masked to hide detailed location information
An Example: System Events What happens when Bob searches for Alice?
An Example: Filtering Events • Alice’s filtering policy for Bob: events must: • Occur on any day between 08:00 and 17:00 • Be of type ValidAccess, DoorAjar, or OccupancySensorTrue • After the filtering policy is applied:
An Example: Event Deduction • Rule: if a ValidAccess event is followed by a DoorAjar event and then an OccupancySensorTrue event, all in the same location, we can deduce that the user who performed the ValidAccess was in the room at the time of the OccupancySensorTrue event, and was near the room at the time of the ValidAccess event. • We can deduce: • (Alice, SC4309, 1/1/2006 10:01, Near) • (Alice, SC4309, 1/1/2006 10:03, In)
An Example: Masking • Alice’s Masking policy for Bob: • Bob can only know what floor Alice is on, not the room • Bob is finally returned: • (Alice, SC4, 1/1/2006 10:01, Near) • (Alice, SC4, 1/1/2006 10:03, In)
Architecture for Janus’s Map (diagram). Components: Rule Database (Rules, Owners), Door Rights List, Door Access Database, Access Control Module, Location Service, Data Aggregator, Data Cleaner, Occupancy Sensor System, Internet. Labelled flows: Alice’s door accesses, Room Occ., Aggregated Data, “Alice?”, Alice’s Location For Bob.
Rules in Janus’s Map • 3 Parts • Targets • Data Access • Visibility • Example: • Target: Bob, Carol • Number of past entries: 5 • Event types: Valid Access only • Event time: Between 8am and 5pm • Event date: From Jan. 1, 2006 to Jan 1, 2007 • Event days: Monday - Friday • Rooms: All • Visible fields: Event Type, Event Time, Room • Granularity: Wing
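The pipeline that Bob's search for Alice runs through, from raw system events to the masked tuples he is returned, as an added Python example (not the Janus's Map implementation). It models the ownership functions, a per-(u, v) rule carrying the fields listed under "Rules in Janus's Map" (past entries, event types, time, date range, days, granularity), the deduction rule from the event-deduction slide, and reveal_uv as mask_uv applied after induce applied after filter_uv. The events, Alice's rule for Bob, the room owner table and the encoding of locations as (floor, wing, room) tuples are all constructed for the example; a (u, v) pair without a rule yields nothing, which is this example's default-deny choice rather than something the slides state.

```python
"""Janus's Map-style LIS: reveal_uv = mask_uv after induce after filter_uv.
Added example, not the Janus's Map code; every event, rule and owner below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Dict, List, Optional, Set, Tuple

Loc = Tuple[str, Optional[str], Optional[str]]   # (floor, wing, room); None = not specified

@dataclass(frozen=True)
class SysEvent:              # an element of S
    user: Optional[str]      # user(s); None when the sensor cannot attribute the event
    loc: Loc                 # loc(s)
    t: datetime              # time(s)
    typ: str                 # type(s)

@dataclass(frozen=True)
class EnvEvent:              # an element of E = U x L x T x P
    user: str
    loc: Loc
    t: datetime
    prox: str                # "In" or "Near"

ROOM_OWNERS: Dict[Loc, Set[str]] = {("SC4", None, "SC4309"): {"Alice"}}   # o : L -> 2^U (constructed)

def owners(s: SysEvent) -> Set[str]:
    """Event ownership: the event's user if known, otherwise o(loc(s))."""
    return {s.user} if s.user is not None else ROOM_OWNERS.get(s.loc, set())

# Alice's rule for target Bob (constructed). A (u, v) pair with no rule reveals nothing.
RULES = {
    ("Alice", "Bob"): {
        "max_entries": 5,                                   # number of past entries
        "types": {"ValidAccess", "DoorAjar", "OccupancySensorTrue"},
        "time": (time(8, 0), time(17, 0)),                  # event time window
        "dates": (date(2006, 1, 1), date(2007, 1, 1)),      # event date range
        "days": None,                                       # None = any day; else set of 0..6 (Mon..Sun)
        "granularity": "floor",                             # visible location granularity
    },
}

def filter_uv(u: str, v: str, events: Set[SysEvent]) -> Set[SysEvent]:
    """filter_uv : 2^S -> 2^S. Keeps u's own events that u's rule for v allows, newest first."""
    rule = RULES.get((u, v))
    if rule is None:
        return set()
    (lo, hi), (d0, d1) = rule["time"], rule["dates"]
    kept = [s for s in events
            if u in owners(s) and s.typ in rule["types"]
            and lo <= s.t.time() <= hi and d0 <= s.t.date() <= d1
            and (rule["days"] is None or s.t.weekday() in rule["days"])]
    kept.sort(key=lambda s: s.t, reverse=True)
    return set(kept[:rule["max_entries"]])

def induce(events: Set[SysEvent]) -> Set[EnvEvent]:
    """induce : 2^S -> 2^E. ValidAccess, DoorAjar, OccupancySensorTrue in sequence at one
    location => the ValidAccess user was Near at the access time and In at the sensor time."""
    by_loc = defaultdict(list)
    for s in events:
        by_loc[s.loc].append(s)
    out: Set[EnvEvent] = set()
    for loc, evs in by_loc.items():
        evs.sort(key=lambda s: s.t)
        for a, b, c in zip(evs, evs[1:], evs[2:]):
            if (a.typ, b.typ, c.typ) == ("ValidAccess", "DoorAjar", "OccupancySensorTrue") and a.user:
                out.add(EnvEvent(a.user, loc, a.t, "Near"))
                out.add(EnvEvent(a.user, loc, c.t, "In"))
    return out

def mask_uv(u: str, v: str, events: Set[EnvEvent]) -> Set[EnvEvent]:
    """mask_uv : 2^E -> 2^E. Coarsens the location to the granularity u allows v."""
    rule = RULES.get((u, v))
    if rule is None:
        return set()
    keep = {"floor": 1, "wing": 2, "room": 3}[rule["granularity"]]
    return {EnvEvent(e.user, e.loc[:keep] + (None,) * (3 - keep), e.t, e.prox) for e in events}

def reveal(u: str, v: str, system_events: Set[SysEvent]) -> List[EnvEvent]:
    """reveal_uv: what v learns when searching for u, in time order."""
    return sorted(mask_uv(u, v, induce(filter_uv(u, v, system_events))), key=lambda e: e.t)

def fmt(e: EnvEvent) -> Tuple[str, str, str, str]:
    """Render as the slide's (user, location, time, proximity) tuple."""
    label = next(x for x in reversed(e.loc) if x is not None)
    return (e.user, label, e.t.strftime("%Y-%m-%d %H:%M"), e.prox)

R = ("SC4", None, "SC4309")
SAMPLE_EVENTS = {                                                        # constructed system events
    SysEvent("Alice", R, datetime(2006, 1, 1, 9, 55), "InvalidAccess"),  # type not shared with Bob
    SysEvent("Alice", R, datetime(2006, 1, 1, 10, 1), "ValidAccess"),
    SysEvent(None, R, datetime(2006, 1, 1, 10, 2), "DoorAjar"),
    SysEvent(None, R, datetime(2006, 1, 1, 10, 3), "OccupancySensorTrue"),
    SysEvent("Alice", R, datetime(2006, 1, 1, 19, 0), "ValidAccess"),    # outside 08:00-17:00
    SysEvent(None, R, datetime(2006, 1, 1, 19, 1), "DoorAjar"),
    SysEvent(None, R, datetime(2006, 1, 1, 19, 2), "OccupancySensorTrue"),
}

if __name__ == "__main__":
    print([fmt(e) for e in reveal("Alice", "Bob", SAMPLE_EVENTS)])
```

Running it prints the two tuples from the masking slide, `("Alice", "SC4", "2006-01-01 10:01", "Near")` and `("Alice", "SC4", "2006-01-01 10:03", "In")`: the InvalidAccess event and the evening visit are dropped by filter_uv, the room is coarsened to the floor by mask_uv. Calling `induce(SAMPLE_EVENTS)` directly, without the filter, also deduces the 19:00 visit, which is exactly what Alice's policy keeps from Bob.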
Digital Rights Management Problem • Bob can keep track of long term data on Alice by aggregating the data himself • Similar to the problem of copying digital media • Alice has no control over what Bob does once he has her data. • An LIS should be designed to make it difficult for Bob to use Alice’s data in inappropriate ways
Case Study: Assisted Living • The number of elderly people is growing • Many elderly people who live alone have special medical needs • Many people have chronic diseases • The medical treatments of chronic diseases need periodic monitoring of patients' condition. • Health monitoring system • captures patients’ status information automatically • delivers it to physicians periodically Shin Gunter 06
Issues • Security • Privacy information must be protected during transmissions • Devices should be authenticated to use home-network resources • Reliability • Health information should be delivered correctly • Usability • Ease of use is important for elderly people • Interoperability • Heterogeneous and distributed devices should be integrated
Architecture (diagram) • Drop-Box architecture: Medical Devices, Monitoring Service, Clinician Service • Home-Network Protection: USB token-based approach, addressing Security (Availability) and Usability • Web service-based approach, using the web service standards SOAP, WS-Security, WS-Reliability, addressing Security (End-to-End Confidentiality and Integrity), Reliability and Interoperability
Drop-Box Architecture (diagram): Medical Device → Monitoring Service (Store & Forward) → Clinician; messages shown: Enc[Health status], Enc[Reminder]
Security • WS-Security • OASIS Standard v1.0 (2004) • Provides end-to-end message-level security • It is possible to encrypt an element of a message • Double Encryption of SOAP Messages • Step 1: Encrypt medical information using an end-to-end key (patient–doctor key) • Step 2: Encrypt the whole message using a transmission key (patient–monitoring server key) Diagram: two SOAP Envelopes, each with a SOAP Body containing SOAP Element: [Routing Information] and SOAP Element: [Medical Information]
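The two encryption steps above, as an added Python example (not the testbed's WSS4J/Axis code). The cipher is a stand-in for WS-Security's XML Encryption and Signature: a toy HMAC-SHA256 keystream with encrypt-then-MAC, built from the standard library only, so that the layering can be run offline. The monitoring-service function shows why message-level security matters in a store-and-forward design: it can remove the transport layer and read the routing element, but the medical element it stores remains ciphertext under the patient–doctor key it does not hold. Keys, party names, the JSON stand-in for the SOAP body and the blood-sugar value are constructed.

```python
"""Double encryption of a drop-box message: step 1 seals the medical element under the
end-to-end patient-doctor key, step 2 seals the whole body under the transmission key.
Added example, not testbed code. The cipher is a toy stand-in for WS-Security (HMAC-SHA256
keystream in counter mode, encrypt-then-MAC); keys and messages are constructed values."""
import hashlib
import hmac
import json
import os
from typing import Tuple

NONCE_LEN, TAG_LEN = 16, 32

def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one shared secret."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a wrong key or a modified byte fails before anything is decrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def can_open(key: bytes, blob: bytes) -> bool:
    """True only if `key` both authenticates and decrypts `blob`."""
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False

# --- the three parties of the drop-box architecture (body modelled as JSON, not SOAP XML) ---

def patient_send(e2e_key: bytes, tx_key: bytes, routing: dict, medical: dict) -> bytes:
    """Step 1, then step 2: medical element sealed end-to-end, whole body sealed for transport."""
    inner = seal(e2e_key, json.dumps(medical).encode())
    body = {"routing": routing, "medical": inner.hex()}
    return seal(tx_key, json.dumps(body).encode())

def monitoring_store_and_forward(tx_key: bytes, wire: bytes) -> Tuple[dict, bytes]:
    """The monitoring service strips the transport layer and can route on the routing element,
    but the medical element it stores and forwards is still ciphertext under the e2e key."""
    body = json.loads(unseal(tx_key, wire))
    return body["routing"], bytes.fromhex(body["medical"])

def clinician_receive(e2e_key: bytes, inner: bytes) -> dict:
    """The clinician holds the patient-doctor key and recovers the medical element."""
    return json.loads(unseal(e2e_key, inner))

if __name__ == "__main__":
    E2E_KEY, TX_KEY = b"alice<->dr.brown (constructed)", b"alice<->monitoring (constructed)"
    wire = patient_send(E2E_KEY, TX_KEY, {"from": "Alice", "to": "Dr. Brown"}, {"BloodSugarRate": 135})
    routing, blob = monitoring_store_and_forward(TX_KEY, wire)
    print(routing, "| server can read medical element:", can_open(TX_KEY, blob))
    print(clinician_receive(E2E_KEY, blob))
```

The two prints show the monitoring service's view, `{'from': 'Alice', 'to': 'Dr. Brown'} | server can read medical element: False`, and the clinician's, `{'BloodSugarRate': 135}`. Because the tag is checked before decryption, a single flipped byte in the stored medical element is rejected by the clinician rather than decrypted to garbage; that is the integrity half of the slide's "End-to-End Confidentiality and Integrity".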
Reliability • WS-Reliability • OASIS Standard V1.1 (2004)
Home-Network Protection • Home-network resources should be protected • Availability: access control to the home network router • Confidentiality, Integrity: WPA (Wi-Fi Protected Access 2) - Personal • WPA-Personal (or WPA-PSK) does not require an authentication server (cf. WPA-Enterprise) • Almost all OSs (Windows, Linux, Mac) and wireless AP products support WPA-Personal
Tools for Secret Sharing • Possible devices to create location-limited channels • Passive USB storage tokens • Infrared channels • Audio channels • Camera phones and 2D barcodes Balfanz Durfee Grinter Smetters Stewart 05; McCune Perrig Reiter 05
Functionalities (diagram): Home Network Protection & Usability; Reliability; End-to-End Secure Communication; Interoperability
Architecture • Drop Box and AMY (Auth. Manager for You) Diagram: User: Alice, Clinician: Dr. Brown; a SOAP message travels from Alice via AMY and the Drop-Box to Dr. Brown, shown as From: Alice To: Dr. Brown [BloodSugarRate: 135] at the user, From: Alice To: Dr. Brown [************************] at the Drop-Box, and From: Alice To: Dr. Brown [BloodSugarRate: 135] at the clinician
Testbed Implementation Environment • Java 2 SE 5.0 • Apache Axis (SOAP) • Apache WSS4J (WS-Security) • Apache Sandesha (WS-Reliability) • Linux server, Windows clients • WPA wireless network environment of Siebel Center Diagram: Windows (Notebook), Desktop (Linux), Windows (Notebook)
Conclusions • There will be increasing opportunities for monitoring and surveillance • There will be increasing use of monitoring and surveillance • Techniques to control these techniques so that they best serve stakeholders will be a pivotal concern