220 likes | 360 Views
Jadwiga Indulska The School of Information Technology and Electrical Engineering, The University of Queensland. Extending context models for privacy in pervasive computing environments. Talk outline. Pervasive computing Challenges in privacy enforcement Modelling of context information
E N D
Jadwiga Indulska The School of Information Technology and Electrical Engineering, The University of Queensland Extending context models for privacy in pervasive computing environments
Talk outline Pervasive computing Challenges in privacy enforcement Modelling of context information Requirements for ownership definitions Capturing ownership Context schemas Privacy enforcement based on ownership Summary
Pervasive computing Relies on context information to dynamically adapt to user requirements Context information obtained from: Sensors User profiles Applications Derivation mechanisms Some types of context info can be sensitive (e.g., user location and activity) Sensitive context needs protection => privacy enforcement
Challenges in privacy enforcement Loose couplings between people and resources Often no direct link between context source and owner (e.g., camera and people captured by camera) Heterogeneous privacy requirements due to: Differences in information sensitivity Differences in user preferences Context-dependent changes in preferences Ownership may be context-dependent
Ownership of context information Issue of context ownership is largely ignored Context management systems either: provide no privacy support, or assume prior organisation of information by owner Our work addresses it directly and integrates ownership information into context models Ownership is captured at level of: Object types Fact types Situations
Modelling of context information We use a fact-based modelling approach (CML) In approach, developers define: Entity types about which context information is represented Types of context information represented(context fact types) Sources of context information Quality annotations (quality metadata about facts) Dependencies between facts Various other constraints and metadata on fact types
Example CML model Device Type Person Device [] Activity Organisation Place Profiled Sensed Temporal Uniqueness constraints canUse hasType engagedIn owns ownedBy locatedAt controlledBy []
Terminology Object type: Modelled as ellipsis in CML Class of entity described in context information (e.g., Person) Fact type: Modelled as role boxes in CML Relation on one or more object types (e.g., locatedAt) Object: Instance of Object type (e.g., the person Alice)
Situation: Describes context at higher level than facts Defined using variation of predicate logic Expresses conditions on context Evaluates to truth value (true, false, or unknown) E.g., Terminology (cont.) MeetingInProgress(room): person • locatedAt[person, room] • engagedIn[person, meeting]
Requirements for ownership definitions Context models instantiated as large fact bases => ownership must be scalable Ownership must be definable at: organisational level individual level Ownership must be context-dependent Owners of context information should have access at all times Context ownership (potentially) shared by multiple entities
Capturing ownership Ownership expressed through SQL-like context schema Our approach has clear benefits: Context can be owned by multiple entities Ownership can be context dependent Ownership supported on: Object types Fact types Situations
Ownership of object types 3 classes of ownership for objects types: First class (capable of owning) Second class (can be owned) Third class (never have owners) E.g., a person (first class) owns a laptop (second class), which has a device type (third class) Default ownership of a context fact is defined as the union of the owners of objects participating in roles
Object type classes Device Type Person Device [] Activity Organisation Place 1st Class 2nd Class 3rd Class canUse hasType engagedIn owns ownedBy locatedAt controlledBy
Ownership of fact types Can override default fact ownership by defining ownership explicitly on fact types Facts may have 0, 1 or multiple owners 0 owners: Can be accessed by anyone No privacy preferences applied 1, multiple owners: Always accessible to owners Disclosed according to preferences of all owners
Ownership of situations Situations are defined in terms of context facts and logical connectives (and, or, not, exists, forall) Evaluating ownership on each fact is expensive! Assigning ownership to entire situation is cheaper Situations can be: Unowned Owned by 1 entity Owned by multiple entities
Context schemas Loosely based on SQL Alternative textual format for modelling context Defines object types in domain Fact types defined in terms of object types Situations defined in terms of fact types Used as input for schema compiler which can be hooked up to tools for generating various outputs (e.g., model-specific helper classes for context manipulation) Can be extended with ownership information
First class objects Tagged “FIRST CLASS” e.g., FIRST CLASS Person Second class objects Tagged “SECOND CLASS” Must also be “OWNED BY” a first class object Ownership may be context-dependent, e.g., Third class Objects Tagged “THIRD CLASS” e.g, THIRD CLASS DeviceType Object type declarations SECOND CLASS Device OWNED BY SELECT person FROM Using WHERE using.device = Device
CREATE SENSED FACT TYPE locatedAt( Person person KEY, Place place ALTROLE ) OWNED BY person Fact type declarations • Fact types declared separately • Declaration includes: • Object types participating in fact type roles • Optional ownership information (default ownership is assumed if not present) • For example:
Situation declarations Example situation ownership definition: CREATE SITUATION Engaged(device)… OWNED BY SELECT person FROM owns WHERE owns.device = device UNION SELECT organisation FROM ownedBy WHERE ownedBy.device = device
Privacy enforcement based on ownership Modelling ownership is a first step towards enforcing privacy However, also require information about owners’ privacy requirements We express these requirements using our previously defined model for context-dependent preferences
Privacy enforcement based on ownership (cont.) • Privacy preferences contain: • A scope statement (listing activation conditions) • A scoring expression (oblige or prohibit) • Scope statement can contain the following variables: • Requester • Owner • Purpose • Fact type or situation • Fact type attributes OR situation variables • We are developing an access control scheme that incorporates our ownership and preference models
Summary Sensitive context information requires privacy enforcement One of the challenges is in first determining ownership of context information We support ownership declarations as an extension to context models Ownership declarations can be defined at three levels: Object level Fact type level Situation level Ownership information can be combined with context-dependent privacy preferences to provide access control for pervasive computing environments