Privacy-Aware Design for Physical Infrastructure
Prof. Stephen Wicker, Cornell University

Sensor Networks for Infrastructure Protection
• Protecting Infrastructure
• Opportunities for embedding sensor networks
  • Power Grid/SCADA
  • Transportation
  • Water and Fuel
  • Driven by development of supporting technology for randomly distributed, wireless sensors
  • Buildings
    • Combine surveillance with energy control
    • Integrate into building materials
  • Open Spaces (parks, plazas, etc.)
    • Combine surveillance with environmental monitoring
    • Line-of-sight surveillance technologies

Privacy Issues
• Sensor networks collect data. Privacy issues follow.
• Standard Problems: Data Security and Integrity
  • Protection against hackers, etc.
• Evolving Problem: Data Presence
  • We need protection against those who collect the data.
    • Cellular Service Providers
    • ISPs
    • …

A Moral Hazard: The Market for Information
• The goal of information collection is discrimination
  • Oscar Gandy, The Panoptic Sort
• Highly-focused marketing strategies make money
  • Telemarketing was a $662 billion a year industry in 2003

The Impact of Pervasive Surveillance
• Big Brother Syndrome: passive behavior in response to surveillance (epistemic impact)
• Kafka Syndrome: an extreme imbalance between the individual and private and public bureaucracies

“A new mode of obtaining power of mind over mind, in a quantity hitherto without example.” (Jeremy Bentham, The Panopticon Writings)

“Hence the major effect of the Panopticon: to induce in the inmate a state of conscious and permanent visibility that assures the automatic functioning of power.” (Michel Foucault, Discipline and Punish)

Mitigation: Electronic Communications Privacy Act of 1986
• Amendment to Title III of the Omnibus Crime Control Bill (1968 Wiretap Statute)
• Title I: Electronic Communications in Transit
  • Content of communication
  • Strictest standards for warrants
• Title II: Stored Electronic Communication
  • Weaker standards
  • Where does e-mail fit in?
• Title III: Pen Register/Trap and Trace Devices
  • Context of communication
  • Information obtained must be relevant and material to an ongoing investigation
  • Weakened by PATRIOT Act “National Security Letters”

Obtaining Cellular Records
• Prior to 2005, law enforcement agencies were routinely granted access to location data without judicial oversight
  • “Relevant and material” is pretty weak…
• August 2005: Federal District Court in NY turns down a request for cellular data
  • Required evidence of probable cause.
• Undeniable good can be done
  • Thief stole a woman’s car with phone and child inside. Location data used to find and stop the car within 30 minutes
  • Uncountable E911 calls
• But…
  • People should have a choice
  • The presence of the data remains a threat.
    • Money too attractive
    • Potential for governmental abuse too great

A General Solution: Privacy-Aware Design
• Design systems so as to minimize the privacy threat.
• Such design practices are a moral obligation given the potential harm to the individual.
• Argument for another day:
  • Kantian emphasis on the individual vs. Benthamite stress on the greatest good for the greatest number.

Privacy-Aware Design Practices
• Provide full disclosure of data collection
• Require consent to data collection
• Minimize collection of personal data
• Minimize identification of data with individuals
• Minimize and secure retained data
• Analogous to the 1973 U.S. Fair Information Practices and the 1980 OECD Guidelines.

Provide Full Disclosure of Data Collection
• Description requirement
• Enforceability requirement
  • FTC: privacy statements
• Irrevocability requirement
• Intelligibility requirement

Require Consent to Data Collection
• Acknowledgement requirement
• Opt-in requirement
  • See U.S. West v. Federal Communications Commission (182 F.3d 1224, 10th Cir. 1999)

Minimize Collection of Personal Data (1)
• Establish a functional requirement for collection
  • Match data to the mission
    • Type, resolution
  • Collection must be necessary to the functionality of the communication system
    • Not just an easier or cost-effective alternative
  • Collection of data for “testing” is a grey area

Minimize Collection of Personal Data (2)
• Distributed processing requirement
  • Process data as close to the source as possible
  • Functional/destructive processing
  • Aggregation prior to centralized collection
  • Limits potential for re-use and hacking

Technical Problem!
• Demand-response without centralized data collection
  • Develop an architecture that supports demand-response without collecting fine-grained power consumption data.
  • Secure local processing loop

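One architecture that answers the two slides above (aggregation before centralized collection, and demand-response without per-household consumption curves), written here as an added example and not taken from the talk: every meter keeps its interval readings locally and reports a value masked with pairwise one-time pads; the pads cancel in the utility's sum, so only the feeder total per interval leaves the neighborhood. The Meter class, the pairwise_seeds key setup and MODULUS are constructed for the demonstration.

```python
"""Demand-response input without collecting per-household curves.

Each meter keeps its fine-grained readings locally and sends one masked value
per interval; pairwise one-time pads cancel in the sum, so the utility learns
the feeder total per interval and nothing about any single household.
Added example: 'Meter', 'pairwise_seeds' and 'aggregate' are illustrative names."""
import hashlib
import hmac
import secrets

MODULUS = 2 ** 64  # arithmetic is mod 2^64; Wh readings are far below this


def _pad(seed: bytes, interval: int, lo: int, hi: int) -> int:
    """One-time mask shared by the meter pair (lo, hi) for a given interval."""
    tag = hmac.new(seed, f"{interval}:{lo}:{hi}".encode(), hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "big")


class Meter:
    def __init__(self, idx: int, readings: list, seeds: dict):
        self.idx = idx
        self._readings = readings  # fine-grained data: never transmitted
        self._seeds = seeds        # peer index -> pairwise seed (constructed setup)

    def masked_report(self, interval: int) -> int:
        """Local processing loop: mask the reading before anything leaves the meter."""
        value = self._readings[interval]
        for peer, seed in self._seeds.items():
            pad = _pad(seed, interval, min(self.idx, peer), max(self.idx, peer))
            value += pad if self.idx < peer else -pad  # lower index adds, higher subtracts
        return value % MODULUS


def pairwise_seeds(n: int) -> list:
    """Constructed key setup: one random seed per unordered pair of meters."""
    seeds = [dict() for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            seeds[i][j] = seeds[j][i] = secrets.token_bytes(32)
    return seeds


def aggregate(reports: list) -> int:
    """Utility side: sum the masked reports; the pads cancel and the total remains."""
    return sum(reports) % MODULUS


def feeder_total(readings_by_meter: list, interval: int) -> int:
    """End-to-end run for one interval over constructed readings (Wh)."""
    seeds = pairwise_seeds(len(readings_by_meter))
    meters = [Meter(i, r, seeds[i]) for i, r in enumerate(readings_by_meter)]
    return aggregate([m.masked_report(interval) for m in meters])
```

A meter that fails to report leaves its pads uncancelled, so deployed schemes need a recovery step, and the utility colluding with all of one meter's peers would expose that meter's reading.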
Minimize Identification with Individuals
Does the technology require association of data with the individual or with his/her equipment?
• Non-Attribution Requirement
  • Track equipment, not the user
• Separate Storage Requirement
  • Authentication/billing records should be separate from “functional” records.
  • Isolation of records should be cryptographically secure.

Technical Problem!
• Private use of a public service
  • Assume a pool of valid users.
  • How does a user show that they are in the pool without identifying themselves?
  • Cryptographic primitives?

Minimize and Secure Data Retention
• Functional Requirement for Retention
  • Retention should be directly connected to functionality
  • Otherwise, opt-in required (at a minimum)
• Basic Security Requirement
  • Inadvertent disclosure should be difficult to impossible.
• Non-Reusability Requirement
  • Use of data in an undisclosed manner is difficult to impossible

Example: Privacy-Aware Cellular Registration
• What is required for registration?
  • HLR/home MSC needs to know how to route incoming calls
  • VLR/gateway MSC needs to authenticate the user
• MS Registration: data-minimal solution
  • Token identifies the MS’s associated HLR
  • Provide sufficient info to the HLR for authentication
    • Public-key encrypted ID
    • Zero-knowledge proof
• HLR Operation
  • Return authentication to VLR/GMSC
  • Associate current GMSC and registration number with the user’s phone number
    • No way around this: needed for incoming calls
  • No need for further location resolution
  • No need for long-term retention after the user moves on.

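One cryptographic primitive that answers the “private use of a public service” question two slides up, and fills in the zero-knowledge option of the MS registration step: a 1-out-of-n Schnorr OR-proof (Cramer, Damgård and Schoenmakers), made non-interactive with Fiat-Shamir. This is an added example, not material from the talk: the verifier holds the pool of public keys and learns only that some pool member produced the proof, and the group constants P, Q and G are constructed toy parameters used here so the arithmetic is readable.

```python
"""Proving membership in a pool of valid users without saying which one:
a 1-out-of-n Schnorr OR-proof, non-interactive via Fiat-Shamir.
Added example with a demo-sized group; see the comment on P, Q, G."""
import hashlib
import secrets

# Constructed toy group: safe prime P = 2Q + 1, G generates the order-Q subgroup.
# Real deployments use a standard group of 2048+ bits or an elliptic curve.
P, Q = 2039, 1019
G = 4  # 4 = 2^2 is a quadratic residue mod P, hence has order Q


def keygen():
    """Each valid user holds x; the pool publishes y = G^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge(pubkeys, commits):
    h = hashlib.sha256(repr((pubkeys, commits)).encode()).digest()
    return int.from_bytes(h, "big") % Q


def prove_membership(pubkeys, j, x_j):
    """Prover knows x_j with G^x_j == pubkeys[j]; the proof hides j."""
    n = len(pubkeys)
    a, c, s = [0] * n, [0] * n, [0] * n
    for i in range(n):
        if i != j:
            # Simulated transcripts: pick challenge and response, back out a commitment.
            c[i], s[i] = secrets.randbelow(Q), secrets.randbelow(Q)
            a[i] = pow(G, s[i], P) * pow(pubkeys[i], Q - c[i], P) % P
    r = secrets.randbelow(Q)
    a[j] = pow(G, r, P)                             # the one honest commitment
    c[j] = (_challenge(pubkeys, a) - sum(c)) % Q    # all challenges must sum to the hash
    s[j] = (r + c[j] * x_j) % Q
    return a, c, s


def verify_membership(pubkeys, proof):
    """Verifier (HLR or VLR, whichever holds the pool) learns only 'some member'."""
    a, c, s = proof
    if len(a) != len(pubkeys) or sum(c) % Q != _challenge(pubkeys, a):
        return False
    return all(pow(G, s[i], P) == a[i] * pow(y, c[i], P) % P
               for i, y in enumerate(pubkeys))
```

Every (a_i, c_i, s_i) triple is distributed identically whether real or simulated, which is what keeps the prover's index j hidden from the verifier.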
Conclusion
• Sensor networks offer a powerful means for securing and monitoring critical infrastructure.
• Data collection creates a clear problem for the individual and the collecting authority.
  • Seemingly impersonal data can still be a problem.
  • Particular issue in the EU, where extensive regulations protect the individual against corporate abuse.
• Privacy-aware design rules provide an important tool as sensors are deployed to protect critical infrastructure.