
Privacy Sensitive Location Information Systems in Smart Buildings

Privacy Sensitive Location Information Systems in Smart Buildings. Jodie P. Boyer, Kaijun Tan, Carl A. Gunter Midwest Security Workshop, 2006 In the proceedings of Security in Pervasive Computing, York, UK 2006. Motivating Scenario. Face to face meetings are important in many work scenarios


Presentation Transcript


  1. Privacy Sensitive Location Information Systems in Smart Buildings • Jodie P. Boyer, Kaijun Tan, Carl A. Gunter • Midwest Security Workshop, 2006 • In the proceedings of Security in Pervasive Computing, York, UK 2006

  2. Motivating Scenario • Face to face meetings are important in many work scenarios • Much time can be wasted looking around the office for people • How could we facilitate this? • Many solutions • Add an expensive location tracking system • Make use of the information your smart building already gathers

  3. Smart Buildings • Many new buildings are being built with complex building automation systems • Sensors and control systems create rich information streams • Access to these streams is restricted • This information could be useful to building users as well as administrators

  4. Location Information Systems • Allows building users to gain and control information about tracked users and objects in a building • Works by aggregating BAS information, together with other sources of raw data

  5. Case Study: The Siebel Center • Andover Continuum BAS • Uses electronic door locks and occupancy sensors • Case study for a Location Information System

  6. Janus’s Map • A prototype LIS for the Siebel Center • Uses e-locks and occupancy sensors for location estimation • Privacy is enforced using user specified rules

  7. Architecture for Janus’s Map • [Architecture diagram. Components: Rule Database, Door Rights List, Door Access Database, Access Control Module, Location Service, Data Aggregator, Data Cleaner, Occupancy Sensor System. Labels: Rules, Owners, Alice’s door accesses, Alice?, Alice’s Location For Bob, Aggregated Data, Internet, Room Occ.]

  8. Rules in Janus’s Map • 3 Parts • Targets • Data Access • Visibility • Example: • Target: Bob, Carol • Number of past entries: 5 • Event types: ValidAccess, DoorAjar, OccupancySensorTrue • Event time: Between 9am and 5pm • Rooms: All • Granularity: Floor

  9. An Example: System Events • Who owns these events? • What happens when Bob searches for Alice?

  10. An Example: Enforcing Privacy • Alice “owns” her events and has to allow Bob access to them to find her • She allows him access to events that happened after 9am and of type ValidAccess, DoorAjar and OccupancySensorTrue • After the filtering policy is applied:

  11. An Example: Event deduction • We can deduce that Alice is probably in SC4309

  12. An Example: Granularity • Alice may wish to prevent Bob from knowing too much about her exact location • Alice can specify a granularity to which Bob can find her, in this case: floor • Bob is finally returned that Alice was on the 4th floor at 10:01

  13. How to Build an LIS • Define an ownership model • Determine the environment events of interest and how to deduce them • Develop a model for privacy-information sharing for events

  14. Ownership Model • $U$, set of users • $L$, set of locations • $S$, set of system events • $T$, a set of values with a linear ordering, signifying time • $\mathrm{time} : S \to T$ which determines the time of an event • $\mathrm{user} : S \to U \cup \{\}$ which determines the users associated with an event • $\mathrm{loc} : S \to L$ which determines the location in which an event occurred • $o : L \to 2^U$ which determines the owner of a location •  : $S \to 2^U$ which determines the owner of an event

  15. Janus’s Map: Ownership • Events • Defined as a tuple $(U \cup \{\}) \times L \times T \times$  •  is a set of event types • $\mathrm{type} : S \to$  returns the type of an event • $o$ is a static policy that maps room ownership •  assigns ownership of an event $s$ first to the user(s) and then to $o(\mathrm{loc}(s))$

  16. Environmental Events • An aggregate event • Deduced from a set of system events • $E$ is the set of environment events in an LIS • $\mathrm{induce} : 2^S \to 2^E$ determines the set of environment events that can be deduced from a set of system events • Applies a set of deduction rules of the following form:

  17. Janus’s Map: Environment Events • The main goal of Janus’s Map is to determine location information about users in the building • $E$ is defined as a set of tuples $U \times L \times T \times P$ • $P = \{\mathrm{In}, \mathrm{Near}\}$ defines a user’s proximity to a location

  18. Privacy Policy • System events are protected to protect users’ privacy • We define 2 indexed families of functions: • $\mathrm{filter} : U \times U \to (2^S \to 2^S)$ • $\mathrm{mask} : U \times U \to (2^E \to 2^E)$ • Users are able to define 2 functions that establish their privacy policy • $\mathrm{filter}_{uv} : 2^S \to 2^S$ • $\mathrm{mask}_{uv} : 2^E \to 2^E$

  19. Janus’s Map: Privacy Policy • Locations in Siebel Center • $G = \{\mathrm{floor}, \mathrm{wing}, \mathrm{room}\}$, the set of location granularities • $L_{\mathrm{floor}}$ $L$, $L_{\mathrm{wing}}$ $L$, $L_{\mathrm{room}}$ $L$ • Locations are defined as a tuple: $L_{\mathrm{floor}} \times (L_{\mathrm{wing}} \cup \{\}) \times (L_{\mathrm{room}} \cup \{\})$ • Users define rules from which the functions $\mathrm{filter}_{uv}$ and $\mathrm{mask}_{uv}$ are derived • System events are filtered based on time, date, event type, and location • Environment events are masked to hide detailed location information

  20. Formal Definition • A Location Information System (LIS), L, between an ownership model and set, $E$, of environment events consists of three functions: • $\mathrm{filter} : U \times U \to (2^S \to 2^S)$ • $\mathrm{mask} : U \times U \to (2^E \to 2^E)$ • $\mathrm{induce} : 2^S \to 2^E$

  21. Reveal • We also define a family of functions $\mathrm{reveal} : U \times U \to (2^S \to 2^E)$ which performs a lookup of environment events in an LIS • $\mathrm{reveal}_{uv}$ is the function that $v$ calls when he wishes to learn something about $u$

  22. Conclusion • Developed a location system for smart buildings • Doesn’t require specialized equipment • Privacy sensitive • Generalized the scheme to work on any building • Future Work • Integrating more systems to improve accuracy • Policy conflicts • Policy management schemes

  23. Questions?

  24. Raw Data Sources • Door Lock System • Occupancy Sensors • Network Jack Activity • Application Software, such as AIM • Video Surveillance • Wireless Network • GPS • RFID Tags • Telephone
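
The walk-through on slides 9 to 12, expressed with the filter, induce, mask and reveal functions of slides 18 to 21, as an added Python sketch (not code from the presentation or from Janus's Map). Assumptions: reveal is composed as mask after induce after filter, following the order of the walk-through; the deduction rule, the room-naming convention, the date, the rule field names and all sample events are constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime, time
# System event s = (user or None, room, time, type); Rule fields follow slide 8.
SysEvent = namedtuple("SysEvent", "user room when kind")
Rule = namedtuple("Rule", "targets kinds start end last_n granularity")
ROOM_OWNERS = {"SC4309": {"alice"}}      # constructed room-ownership policy o

def owners(e):
    # Ownership goes to the event's user first, then to the room's owner(s).
    return {e.user} if e.user else ROOM_OWNERS.get(e.room, set())

def filter_uv(rule, u, v, events):
    if v not in rule.targets:
        return []                        # default deny: v sees none of u's events
    ok = [e for e in events if u in owners(e) and e.kind in rule.kinds
          and rule.start <= e.when.time() <= rule.end]
    return sorted(ok, key=lambda e: e.when)[-rule.last_n:]

def induce(u, events):
    # Assumed deduction rule: ValidAccess puts u Near a room; a later
    # OccupancySensorTrue in that same room puts u In it.
    env, entered = [], set()
    for e in sorted(events, key=lambda e: e.when):
        if e.kind == "ValidAccess":
            entered.add(e.room)
            env.append((u, e.room, e.when, "Near"))
        elif e.kind == "OccupancySensorTrue" and e.room in entered:
            env.append((u, e.room, e.when, "In"))
    return env

def mask_uv(rule, env):
    # Assumed room naming: the digit after "SC" is the floor.
    floor = rule.granularity == "floor"
    return [(u, "floor " + r[2] if floor else r, t, p) for u, r, t, p in env]

def reveal_uv(rule, u, v, events):
    return mask_uv(rule, induce(u, filter_uv(rule, u, v, events)))

def at(hhmm):                            # constructed date for the sample log
    return datetime.strptime("2006-04-18 " + hhmm, "%Y-%m-%d %H:%M")

EVENTS = [                               # constructed sample system events
    SysEvent("alice", "SC4105", at("08:40"), "ValidAccess"),
    SysEvent("alice", "SC4309", at("10:00"), "ValidAccess"),
    SysEvent(None,    "SC4309", at("10:01"), "OccupancySensorTrue"),
    SysEvent("carol", "SC3120", at("10:05"), "ValidAccess"),
]
ALICE_RULE = Rule(frozenset({"bob"}), frozenset({"ValidAccess", "DoorAjar",
                  "OccupancySensorTrue"}), time(9), time(17), 5, "floor")
```

Calling `reveal_uv(ALICE_RULE, "alice", "bob", EVENTS)` drops the 08:40 access and Carol's event before any deduction runs, so the coarsened result is built only from events Alice chose to share.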
