1 / 18

Privacy-Aware Design for Physical Infrastructure

Privacy-Aware Design for Physical Infrastructure. Prof. Stephen Wicker Cornell University. Sensor Networks for Infrastructure Protection. Protecting Infrastructure Opportunities for embedding sensor networks Power Grid/SCADA Transportation Water and Fuel

delta
Download Presentation

Privacy-Aware Design for Physical Infrastructure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy-Aware Design for Physical Infrastructure Prof. Stephen Wicker Cornell University

  2. Sensor Networks for Infrastructure Protection • Protecting Infrastructure • Opportunities for embedding sensor networks • Power Grid/SCADA • Transportation • Water and Fuel • Driven by development of supporting technology for randomly distributed, wireless sensors • Buildings • Combine surveillance with energy control • Integrate into building materials • Open Spaces (parks, plazas, etc.) • Combine surveillance with environmental monitoring • Line-of-sight surveillance technologies

  3. Privacy Issues • Sensor networks collect data. Privacy issues follow. • Standard Problems: Data Security and Integrity • Protection against hackers, etc. • Evolving Problem: Data Presence • We need protection against those who collect the data. • Cellular Service Providers • ISPs • …

  4. A Moral Hazard:The Market for Information • The goal of information collection is discrimination • Oscar Gandy, The Panoptic Sort • Highly-focused marketing strategies make money • Telemarketing is a $662 billion a year industry in 2003

  5. The Impact of Pervasive Surveillance • Big Brother Syndrome – passive behavior in response to surveillance (epistemic impact) • Kafka Syndrome - an extreme imbalance between the individual and private and public bureaucracies “A new mode of obtaining power of mind over mind, in a quantity hitherto without example.”  Jeremy Bentham, The Panopticon Writings “Hence the major effect of the Panopticon: to induce in the inmate a state of conscious and permanent visibility that assures the automatic functioning of power. ”  Michel Foucault, Discipline and Punish

  6. Mitigation: Electronic Communications Privacy Act of 1986 • Amendment to Title III of Omnibus Crime Control Bill (1968 Wire Tap Statute) • Title I: Electronic Communications in Transit • Content of communication • Strictest standards for warrants • Title II: Stored Electronic Communication • Weaker standards • Where does e-mail fit in? • Title III: Pen Register/Trap and Trace Devices • Context of communication • Information obtained must be relevant and material to an ongoing investigation • Weakened by PATRIOT Act “National Security Letters”

  7. Obtaining Cellular Records • Prior to 2005, law enforcement agencies routinely granted access to location data without judicial oversight • “Relevant and material” is pretty weak… • August 2005 – Federal District Court in NY turns down request for cellular data • Required evidence of probable cause. • Undeniable good can be done • Thief stole a woman’s car with phone and child inside. Location data used to find and stop car within 30 minutes • Uncountable E911 calls • But… • People should have a choice • The presence of the data remains a threat. • Money too attractive • Potential for governmental abuse too great

  8. A General Solution:Privacy-Aware Design • Design systems so as to minimize privacy threat. • Such design practices are a moral obligation given the potential harm to the individual. • Argument for another day: • Kantian emphasis on individual vs. Benthamite stress on greatest good for the greatest number.

  9. Privacy-Aware Design Practices • Provide full disclosure of data collection • Require consent to data collection • Minimize collection of personal data • Minimize identification of data with individuals • Minimize and secure retained data. • Analogous to 1973 U.S. Fair Information Practices and 1980 OECD Guidelines.

  10. Provide Full Disclosure of Data Collection • Description requirement • Enforceability requirement • FTC – privacy statements • Irrevocability requirement • Intelligibility requirement • Require Consent to Data Collection • Acknowledgement requirement • Opt-in requirement • See U. S. West v. Federal Communications Commission (182 F. 3d 1224, 10th Circuit 1999)

  11. Minimize Collection of Personal Data (1) • Establish functional requirement for collection • Match data to the mission • Type, resolution • Collection must be necessary to the functionality of the communication system • Not just an easier or cost-effective alternative • Collection of data for “testing” is a grey area

  12. Minimize Collection of Personal Data (2) • Distributed processing requirement • Process data as close to the source as possible • Functional/destructive processing • Aggregation prior to centralized collection • Limits potential for re-use and hacking

  13. Technical Problem! • Demand-Response without centralized data collection • Develop architecture that supports demand-response without collecting fine-grained power consumption data. • Secure local processing loop

  14. Minimize Identification with Individuals Does the technology require association of data with individual or with his/her equipment? • Non-Attribution Requirement • Track equipment, not the user • Separate Storage Requirement • Authentication/billing records should be separate from “functional” records. • Isolation of records should be cryptographically secure.

  15. Technical Problem! • Private use of public service. • Assume a pool of valid users. • How does a user show that they are in the pool without identifying his or herself? • Cryptographic primitives?

  16. Minimize and Secure Data Retention • Functional Requirement for Retention • Retention should be directly connected to functionality • Otherwise, opt-in required (at a minimum) • Basic Security Requirement • Inadvertent disclosure should be difficult to impossible. • Non-Reusability Requirement • Use of data in an undisclosed manner is difficult to impossible

  17. Example: Privacy-Aware Cellular Registration • What is required for registration? • HLR/home MSC needs to know how to route incoming calls • VLR/gateway MSC needs to authenticate user • MS Registration - Data minimal solution • Token identifies MS’s associated HLR • Provide sufficient info to HLR for authentication • Public-key encrypted ID • Zero-knowledge proof • HLR Operation • Return authentication to VLR/GMSC • Associate current GMSC and registration number with user phone number • No way around this – needed for incoming calls • No need for further location resolution • No need for long-term retention after user moves on.

  18. Conclusion • Sensor networks offer a powerful means for securing and monitoring critical infrastructure. • Data collection creates a clear problem for the individual and the collecting authority. • Seemingly impersonal data can still be a problem. • Particular issue in the EU, where extensive regulations protect the individual against corporate abuse. • Privacy-aware design rules provide an important tool as sensors are deployed to protect critical infrastructure.

More Related