
15 Minutes of Privacy

R. Gill, April 8, 2011


Abstract

This paper is a casual saunter through issues of privacy, trust and security in the ubiquitous computing domain. The transition to ubiquitous environments has created a problem regarding the type of context information to monitor, with or without a user's consent. This paper presents work demonstrating that ubiquitous monitoring affects human behaviour, and that human notions of privacy are context sensitive. The paper also shows progress in transient trust mechanisms in the ubiquitous environment.

1 Introduction

15 Minutes of Privacy. On first reading this option for a review assignment, the author assumed artistic pretension in modifying such an iconic phrase from an iconic icon such as Warhol [Kaplang92a]. However, on further reflection (the mobile distributed digitally credited packets dropped, of course!), are we en route to a world in which privacy is a fantasy achievable by a few, and in the main fleeting: something that, once achieved, can disappear, rendering the person a has-been with only memories and souvenirs of a life with privacy? Or a brief experience when a person can do, think, say or act in any way they wish within the confines of their own space, without fear of redress from the dreaded multi-context and location-aware nanobot sensors liberally peppered and embedded in our house, our clothes, our cosmetics, our medicines, our food, in us! In the not too distant future, will we visit a doctor because we have a sensor virus causing congestion in our digestive tract sensor cluster? However fanciful a scenario this may seem, Weiser's [Weiser91a] vision of ubiquitous, instant and spontaneous invisible technology, coupled with progress in medical nanotechnology [Zhou05a] and miniaturisation [Ratner02a], brings 24-hour monitoring and archiving of all human behaviour and habits, even emotions [Picard02a], a step closer to practical reality. In such a potential future scenario, security and privacy, or the lack of it, shall and must be high on the agenda for discussion. This paper reviews some instances of ubiquitous technology, discusses privacy in the context of social behaviour and trust, and touches on technical aspects of security in the transient use of computers. Firstly, an extended introduction is provided to introduce the notion of privacy, habits and behaviours.

2 Privacy, Habits and Behaviour - an extended introduction


What is privacy? We often hear phrases such as "an invasion of privacy" and "in the privacy of one's own home". The dictionary [OED10a] definition of privacy is: "The state or condition of being alone, undisturbed, or free from public attention, as a matter of choice or right; seclusion; freedom from interference or intrusion." The definition supports the notion of privacy being some kind of invisible force field, in place to ward off attacks from intruders, in which there is a choice of who may penetrate and who may not. Starkly missing from the definition is the word "individual": is this implicit, or intentionally left out of the definition? If implicit, then how can an individual be fully aware of any monitoring or surveillance mechanisms that might be in place? If intentionally left out, then privacy cannot be regarded as an individual choice, but rather a choice made on our behalf. Historically, privacy has been a commodity attainable by the rich and privileged, or viewed as an eccentric behaviour that can only be indulged in if you have the money to do so. Conspiracy theorists and the powers that be simply turn a blind eye, while continuously monitoring events. When monitored behaviour becomes untenable, the veil of privacy is publicly lifted. Lifting of these veils makes for inquisitive feeding frenzies of the general public, eager to penetrate the privacy of celebrities through media coverage. What is it that makes us want to know the habits of celebrities? Is it that day-to-day habitual behaviour breaks down our feeling of unworthiness, by knowing that celebrities are really just as normal as anyone? Such divulgences of personal habits can also be positive. It was reported that Her Majesty Queen Elizabeth II of England habitually eats breakfast served from Tupperware tubs [Tweedie03a].
Rather than be shocked that the Queen of England does not eat from ornate gold-plated tableware, the public were simply warmed, knowing that, although a Queen, she is human like all of us. The story increased her once plummeting popularity, as well as the share price of Tupperware, whose brand image went from fancy plastic food containers to food containers with royal approval. Is eating from a Tupperware tub a behaviour or a habit? Both are changeable over time. That such an article was released in a reputable broadsheet was not because of Tupperware, but because the intrusion of privacy was regarded as a breach of security on a national level, and a full enquiry ensued. However, it was the Tupperware habit that consumed people's interest. Ubiquitous computing professionals, described here as UbiComers, often sidestep the thorny issue of privacy by replacing the word privacy: using "habits" instead of "personal habits", and "behaviours" instead of "personal behaviour", when reporting the latest ubiquitous working application. Ubiquitous computing technology is essentially centred around "smartifying" everyday objects, and how people interact with these objects to carry out habits and behaviour, as individuals and in groups. As with most technology, ubiquitous computing can be used for purposes other than the originally intended one. Still in its infancy, ubiquitous computing is wild with excitement about the advances being made. As yet no real incident has occurred, that we know of, in which a breach of privacy from ubiquitous computing services has led to any kind of lawsuit or court action. However, just as concerns have grown regarding privacy in social networking sites, it is just a matter of time before the same concerns are raised for ubiquitous computing on a global scale, once it becomes a mainstream technology. Social networking sites such as Facebook [Facebook11a] and global information providers such as Google [Google11a] accrue vast revenue through ownership of information, which is distilled to specification and sold on. Just as a pimp hands information on potential johns to his workers, who then "accidentally" catch the eye of the listed; in the same fashion as models draped over the petrol tank of a new Harley-Davidson at a motor show; or the tabloid newspaper editor who carefully chooses words and phrases they themselves would never use for the next day's front-page headline: they know their demographic. If this is abuse, then surely it is abuse of information rather than of privacy: information pertaining to demography rather than the individual. It is the accumulation of individual private information, then, that is the real concern. Social networking sites unknowingly furnish personal individual information to the would-be stalker, paedophile or identity thief. Will ubiquitous computing unknowingly furnish personal habits and behaviours to the would-be fundamentalist, dictator or blackmailer? One major difference between the privacy issues of online social networks and ubiquitous computing is that in ubiquitous computing the user does not need to be online, or even have an internet connection.
The sure way of not providing information online is simply not to take part: not to go online and not to provide information; we have the choice to turn off the computer, modem or mobile device. This poses a dilemma, because ubiquitous and pervasive computing is, by vision, non-intrusive, invisible and everywhere; however, to function and provide context-aware personalised services, the technology demands intrusion in the form of monitoring, surveillance and access to personal information, patterns of behaviour and habit [Jonsson06a], [Cas05a], [Lyytinen02a], [Koskela03a]. Once mainstream, ubiquitous technology will generate a terabyte mountain range of personal private information, far surpassing the granularity of detailed demographics, national censuses and social network profiles, much valued by governmental taxation departments and corporate advertising executives alike. For ubiquitous technology to reach its full potential, it requires personal individual information, and has the potential to record, track and predict, with a certain probability, an individual's habits and behaviours, in order to provide a service to the user. The issue of ownership of, and access to, this information can often be overshadowed by the white heat of ubiquitous technology. Authors such as Bell and Dourish [Bell07a] assert that ubiquitous computing is already upon us. Add to this Weiser's [Weiser91a] assertion that technology will itself become invisible, available anytime and anywhere, and cast iron, or in this case tungsten carbide, measures and guidelines for privacy and security regulating this flow of information, the lifeblood of ubiquitous computing, are necessary. Although some initiatives on guidelines for privacy in ubiquitous computing are underway [Lahlou05a], privacy issues are not taken seriously by UbiComers, who seem to regard privacy as secondary to project deliverables and design requirements [Lahlou05b]. One only needs to note the scarcity of serious literature underpinning the inequality of privacy legislation compared to advances in technical achievement in ubiquitous computing.

3 Ubiquitous surveillance and its effect on human social behaviour


Surveillance and monitoring in the ubiquitous domain differs from traditional data acquisition systems in five basic ways.

1. Scale of data collection: monitoring has a wider range of areas and objects that can be monitored, such as houses, offices, fridges, humans, ovens, almost anything that can carry or have an embedded networked sensor.
2. Manner of collection: we are unaware that monitoring is taking place.
3. Type of data collected: anything that can be transcribed into a digital signature can be collected accurately, from location, movement and environmental changes, even emotion.
4. Motivation to collect data: all and any data in digital form is analysable and considered valuable.
5. Accessibility of data: ubiquitous surveillance demands collection of large volumes of data to provide context-aware services to users.

Providing the surveyed user with privacy options that limit any of the five points listed above only fuels the conflict between the principles of protecting privacy and the main thrust of ubiquitous computing. On the one hand, ubiquitous computing requires access to any and all collectable data in order to provide context-aware services; on the other hand, it is practically difficult to inform the user of what data is being collected (as this is dynamic), and doing so fundamentally goes against the ubiquitous mantra of being invisible and unobtrusive in everyday behaviour. The work of Jonsson [Jonsson06a] argues that by embedding surveillance technology in the physical environment, the technology and cues of surveillance become literally and virtually concealed from the user. Realistically, the user is or should be aware that surveillance is ongoing, and the only realistic attitude of human beings living in such environments is to assume that any activity or inactivity is being monitored, analysed, transferred, stored and maybe used in any context in the future [Lyytinen02a].
By doing so, direct reminders of surveillance are embedded together with the technology, creating an embedded panopticon. Here the panopticon is used as a metaphor for surveillance, because the environmental description is comparable to a panoptic society [Koskela03a]. Originally a design to elicit self-control in prisoners, the panopticon was an architectural design for a circular prison complex, in which all prison cell doors (with bars) faced a central observation tower. The prisoners did not know exactly when they were being watched or who was watching them, so they assumed they were being watched all the time. The omnipresence of the central observation tower reminded prisoners of the possibility of being watched at any time. The panoptic effect enforced a self-control over prisoners' visible behaviour. In the context of ubiquitous computing monitoring, applying the panoptic metaphor for surveillance is not straightforward, because there is no omnipresent central reminder that monitoring is taking place. Behaviour under ubiquitous panoptic monitoring also differs: in the original prison environment, resistance by the monitored was replaced by an accepting resolve, whereas in a ubiquitous computing environment resistance behaviour takes place. Such resistance takes the form of the monitored tampering with the monitoring infrastructure to determine when monitoring takes place, instead of accepting constant monitoring as a collective group. Comparisons between a group of incarcerated prisoners whom society does not trust and humans free to roam and act as they wish have obvious differences. However, the panopticon has been shown to be a powerful influence on human behaviour and, to a certain extent, on self-control over human behaviour, incarcerated or not. Ubiquitous monitoring of user location and location context awareness is high on the ubiquitous agenda, because it is no longer driven by the user carrying a mobile device, but by the ubiquitous embedded environment the user finds themselves in. A seminal work on location awareness by Adlesee [Adlesee01a] is typical of the kind of ubiquitous monitoring system currently implemented, but goes further to model real-world environments, metaphorically presenting the application as a personal assistant and diary. Adlesee [Adlesee01a] introduces the notion of a sentient infrastructure that models a real indoor environment in real time, based on sensor information about user location and personal preferences.
Moreover, the modelled environment personalises devices and applications within the real environment, thereby customising each device and application. Sentient computing is described as a method of managing mobile devices to suit the context of use; such management includes configuring devices to user needs. The sentient system updates software objects based on information received about what state and location the real-world object is in. Sensors emit an ultrasonic pulse to fixed-location receivers in the environment; the location is calculated by triangulation of time of flight. Sensor location is determined by synchronising sensors in a wireless cellular network; receivers are reset by base stations, which communicate with sensors over wireless and reset receivers over fixed wire within the real infrastructure. The system uses 200 sensors, 3 wireless cells and 750 receivers. 95% of sensor locations are accurate to within 3 cm, each base station can address 3 sensors simultaneously, and each radio cell supports 150 updates per second. This kind of accuracy was a major step in these kinds of location-aware systems, far more accurate than previous badge-based systems [Want02a]. Base stations run scheduling algorithms for sensors to reduce power consumption in times of non-scheduled use; in so doing, the expected quality of service for each sensor varies. When the sensor is actively in use by the user, by pressing a button, an Over the Air (OTA) message to the base stations automatically starts the location procedure. The OTA message contains the sensor's Unique Identifier (UID), and while within the base station's vicinity, a sensor uses a temporary ID provided by the base station. When the sensor is out of the base station's vicinity, the local ID is retrieved by the base station. This limits the number of sensors using the base station concurrently, and reduces addressing messages, and so power consumption. Further power savings are introduced when the sensor is fixed to a stationary device: here the location procedure is limited and the sensor is placed in sleep mode until movement is detected. The work purports that such power-saving features allow a battery lifetime of up to 24 months. The sentient system was powerful enough to extract enough context-aware information to create a real-time virtual world of people, objects and their juxtaposition and orientation. The sentient project took place within the context of a controlled work environment; all locations were confined to the workplace. If any of the participants were to be asked where they were by someone outside of the project, no doubt the answer would have been "I'm at work". Sharing this information does not compromise any issues of privacy, unless of course the person is not supposed to be at work. Otherwise, we assume most workers would not have privacy issues in sharing the fact that they are at work, during working hours. A ubiquitous environment is not confined to the workplace; in fact the vision is that it is not confined to any location at all. A study by Anthony and Kotz [Anthony07a] examined the willingness of 25 undergraduate students to share their current real-time location over a period of seven consecutive days, to see if a change in location affects their privacy preferences with the social context of the real-time location. Each day, the participants were paged at random time intervals (the minimum interval between pages was 45 minutes), up to a maximum of seven pages per day. At each page the participant filled in a questionnaire with regard to their current real-time location and their current activities.
Questions revolved around the preference for what type of information the participant would use to share and communicate their current location, for example GPS coordinates, or a house or building name or number. Following on from that question, each participant had three categories of requestors: anyone who requested the information; anyone who had sent an email to the participant; and anyone from a list of individuals the participant had previously made themselves. Throughout the paging period, participant online usage was also monitored. The results of the study underpinned the notion that social context is an important aspect of location, and that factors such as what they are doing and who they are with, in combination, define a place/location for an individual. The participants were more willing to share their current location when they were at home or in the college library than when they were in a public place or at a friend's house, and were more willing to share with their own listed requestors than with the emailed group or the anyone group. While the latter point was expected, the greater unwillingness to divulge location when out with friends than when at home or in the college library is contrary to previous research in the area [Consolvo05a]. Other than location, current activity and who the participants were with also played a major role in willingness to share. The participants emerged as three types of privacy sharers, each type with their own consistent pattern of sharing. The three types were labelled as consistent-private (CP), consistent-share-with-friends (CSWF) and variable-privacy (VP). The main findings of the study conclude that privacy is both a dynamic social process and something dichotomous and state-like, similar to the CP and VP privacy sharer type behaviour.
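The sentient computing system described earlier in this section locates a tag by timing an ultrasonic pulse to fixed receivers. The following is an added worked example of that step, written for this review and not taken from the paper or from the sentient computing project: a time-of-flight multilateration that converts the flight times into distances, solves for the tag position by least squares, and reports a residual so that an inconsistent reading (an echo off a wall, a receiver clock slip) is visible rather than silently absorbed. The receiver layout, the speed of sound and the sample tag position are constructed assumptions; the function names `simulate_tof` and `locate` are hypothetical.

```python
"""Ultrasonic time-of-flight location, as an added illustration of the
sentient computing system's location step.  Not code from the original
paper or from the sentient computing project: the receiver layout, the
speed of sound and the sample readings are constructed assumptions."""
import math

SPEED_OF_SOUND = 343.0  # m/s in air at roughly 20 C; assumed constant

# Constructed receiver layout: five ceiling receivers at known fixed
# positions (metres).  They are deliberately not all at the same height;
# with every receiver coplanar the tag's height cannot be resolved.
RECEIVERS = [
    (0.0, 0.0, 3.0),
    (6.0, 0.0, 3.0),
    (0.0, 6.0, 3.0),
    (6.0, 6.0, 2.5),
    (3.0, 3.0, 3.2),
]


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def simulate_tof(position, receivers=RECEIVERS):
    """Time of flight (seconds) a pulse from `position` takes to reach each
    receiver.  Used only to construct readings for the demonstration."""
    return [_dist(position, r) / SPEED_OF_SOUND for r in receivers]


def _solve3(a, b):
    """Solve the 3x3 linear system a.x = b by Gaussian elimination with
    partial pivoting.  Raises ValueError if the receiver geometry is
    degenerate (singular system)."""
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    n = 3
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("degenerate receiver geometry")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        s = m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))
        x[r] = s / m[r][r]
    return x


def locate(tofs, receivers=RECEIVERS):
    """Estimate the tag position from one time-of-flight reading per
    receiver.  Returns (position, rms_residual_metres).

    Each reading gives a sphere |p - r_i| = d_i.  Subtracting the first
    sphere equation from the others removes the quadratic term and leaves
    a linear system in p, solved in the least-squares sense through the
    normal equations.  The residual compares the fitted position with the
    raw distances, so a bad reading shows up as a large value."""
    if len(tofs) != len(receivers) or len(receivers) < 4:
        raise ValueError("need at least four receivers with one reading each")
    d = [t * SPEED_OF_SOUND for t in tofs]
    r0, d0 = receivers[0], d[0]
    rows, rhs = [], []
    for ri, di in zip(receivers[1:], d[1:]):
        rows.append([2 * (ri[k] - r0[k]) for k in range(3)])
        rhs.append(d0 ** 2 - di ** 2 + sum(v * v for v in ri) - sum(v * v for v in r0))
    # Normal equations: (A^T A) p = A^T b
    ata = [[sum(row[i] * row[j] for row in rows) for j in range(3)] for i in range(3)]
    atb = [sum(row[i] * b for row, b in zip(rows, rhs)) for i in range(3)]
    p = _solve3(ata, atb)
    residual = math.sqrt(sum((_dist(p, ri) - di) ** 2 for ri, di in zip(receivers, d)) / len(d))
    return tuple(p), residual


if __name__ == "__main__":
    truth = (2.0, 3.0, 1.5)  # constructed tag position
    pos, res = locate(simulate_tof(truth))
    print("estimate", [round(v, 3) for v in pos], "residual (m)", round(res, 4))
```

The residual is the practical part: with clean readings it is effectively zero, and a single reading corrupted by a reflection pushes it well above the few-centimetre accuracy the paper quotes, which is the signal a system of this kind needs before it trusts a position update. Note that the design requires receivers that are not all at one height; the example raises an error rather than returning a meaningless estimate when the geometry is degenerate.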

4 In silicon we trust

Trust plays a vital role in relationships; providing personal information of any kind is a transaction based on trust in some form. The interaction between man and machine in the age of information technology has formed an unconscious, insidious trust that makes us divulge personal information to a machine far more readily than we would to another human being. We are more comfortable punching our credit card numbers into a hand-held device in a restaurant or shopping arcade than allowing a human being to write them down and pass them on to a bank. Questioning the integrity of the human is acceptable; however, it is quite normal behaviour not to question the integrity or security of the machine itself. If the human were indeed interested in your credit card details, they would simply present a false, rogue machine that records your details, confident that the machine will be trusted to be secure. A well-researched vision of a potential ubiquitous computing future is presented by the movie Minority Report [Spielberg02a], in which trust is based on identification of a human through retinal scanning, both in public and private environments. In public environments such as a shopping arcade, intelligent advertising screens identify and interact with humans to provide context-aware personalised information designed to make us buy consumer goods. In the film, resistance to panoptic monitoring is demonstrated by the lead character, who circumvents the monitoring system to change his identity; comically, the ubiquitous panoptic monitoring system displays a flaw in being fooled into identifying an obvious western male human as a far eastern male human, something that a human monitoring system would most likely query. In the private environment, a more sinister and highly intrusive identification method is employed.
A gang of mechanical, intelligent, networked robots (called spiders) act as law enforcement agents, authorised to access all areas of private dwellings and perform retinal scans of any and all humans therein. The humans being scanned by the spiders exhibit a complete resolve to high-impact intrusive monitoring, perhaps identifying the spiders with authority, or perhaps simply indoctrinated over time into forgoing any right to privacy; the film does not make clear which, and it is left to the viewer to ponder. Alternatively, one could argue that the panoptic subterfuge has indoctrinated the human perception of the spider robot retinal scan as an unconscious event, without memory: effectively pushing the experience of retinal scanning so deep into the subconscious that it becomes a non-event, cloaking the spiders for what they represent. Cloaking to such an extent that the spiders and the technology behind them become invisible. Allowing agents to make trust judgement decisions on our behalf is peculiar to ubiquitous computing, because of the rate of trust judgements required for ubiquitous computing to monitor large volumes of diverse contextual data at any one time [Sillence08a]. This does not suggest that humans are comfortable with not being in the trust judgement process at all. The work of Roussos [Roussos04a] studied a ubiquitous e-commerce environment and found that an end user is more comfortable using the system if they feel they can anonymously intervene. Anonymity (the cloaking of identity),

5 Security or Secure Entity

In traditional distributed systems, the notion of trust between entities such as humans and machines is fundamental to inter-domain authentication protocols. The work of Yahalom [Yahalom93a] analysed and compared trust relationships between entities in known authentication protocols in distributed systems. The entity itself was not important, but rather the nature of the operations that the entity attempts or performs. A secure system is deemed to be one in which control is exercised over which entity can perform which operation. Before trust is established between entities, either local or inter-domain, and operations carried out, certain criteria must be satisfied. Typical criteria to be satisfied are unique identification, unique but common message manipulation, and unique acknowledgements between entities. Normally, such criteria are resolved using cryptographic software, electronic signatures and secure certificates on authentication servers. To establish trust on a traditional distributed system between entities, then, an existing trusted entity is required to begin with. In a pervasive and ubiquitous computing environment, in which use of an entity such as a desktop computer is transient, a user has no idea whether the entity is corrupt or untrustworthy. Internet Suspend/Resume (ISR) [Satyanaranyanan07a] is a mobile computing model based on the concept of a user never having to save any files or profiles on any entity's hard drive; instead, all the user's files, applications, desktop settings etc. are located on a safe server somewhere, and downloaded onto an entity as a virtual drive whenever the user requires. Once finished, the updated virtual PC state transports the changes back to the safe server. The virtual desktop is not closed down, simply suspended and restored to the last checkpoint when required.
To resolve the problem of quickly establishing trust on an unknown shared entity as a transient user, a tool called Trust Sniffer [Satyanaranyanan07b] incrementally establishes trust with the entity. The concept behind Trust Sniffer is that a user carries around their own mini operating system on a memory stick. With use of ISR in mind, when connected to a PC entity the Trust Sniffer only validates (establishes trust with) the software on the entity that the user requires to carry out an operation. The Trust Sniffer uses its own mini Linux kernel that boots completely separately from the PC entity's OS. On system boot, a trust extender kernel module uses the Integrity Measurement Architecture (IMA) for Linux to take SHA-1 (sha1sum) hash measurements of any executable code, and checks the IMA measurements against trusted IMA aggregated measurements stored in its Trusted Platform Module. If the IMA measurements of executable code and the TPM measurement list mismatch, the user is notified by a trust alerter. Here any untrusted code is detected before it can be loaded. The Trust Sniffer gradually trust-validates each component of the PC entity's boot OS, before the PC entity OS is allowed to fully boot. During this process of establishing a root of trust, Trust Sniffer loads the validated IMA measurement list onto the PC entity OS, which the PC entity then uses to validate other code. Once root trust is established, it can be extended to PC entity applications, or simply used to interact with the user's ISR virtual machine. In effect, Trust Sniffer is a local manual technique to resolve the initial trust criteria without the need to trust an untrusted entity to start the trust validation process, prior to inter-domain communication between the PC entity and ISR.
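The measure-then-compare step described above (hash each executable before it loads, check it against a trusted list, and fold the list into a TPM aggregate) is shown below as an added example written for this review. It is not Trust Sniffer's code and not the Linux IMA implementation; it models the idea in plain Python. The sample "binaries", the path names, the zero-initialised 20-byte register standing in for a TPM 1.2 PCR, and the function names (`measure`, `aggregate`, `check`, `verify_boot`) are all constructed assumptions. The extend rule PCR' = SHA1(PCR || measurement) is the general TPM 1.2 extend operation; the exact log template IMA uses is not reproduced here.

```python
"""Measurement-list verification in the style of the Trust Sniffer step:
hash every executable before it is allowed to load, compare against a
trusted list carried on the user's own medium, and fold the measurements
into a PCR-style aggregate.  Added illustration, not Trust Sniffer or
Linux IMA code; the log layout, the zero-initialised PCR and the sample
'binaries' are constructed assumptions."""
import hashlib

# Constructed stand-ins for executables on the PC entity's boot path,
# keyed by path, in load order.  A real measurer reads file contents.
GOOD_BOOT_IMAGE = {
    "/sbin/init":   b"ELF\x7f constructed init binary v1",
    "/bin/sh":      b"ELF\x7f constructed shell binary v1",
    "/usr/bin/isr": b"ELF\x7f constructed ISR client v1",
}

# Assumed initial register value: a SHA-1 sized PCR that starts at all
# zeros, as a freshly reset TPM 1.2 PCR does.
PCR_INITIAL = b"\x00" * 20


def measure(boot_image):
    """Produce the measurement list: (path, sha1 hex) in load order.
    Order matters, because the aggregate below is order dependent."""
    return [(path, hashlib.sha1(data).hexdigest()) for path, data in boot_image.items()]


def extend(pcr, measurement_hex):
    """One PCR extend step: PCR' = SHA1(PCR || measurement)."""
    return hashlib.sha1(pcr + bytes.fromhex(measurement_hex)).digest()


def aggregate(measurements):
    """Fold the whole measurement list into a single PCR value (hex)."""
    pcr = PCR_INITIAL
    for _, h in measurements:
        pcr = extend(pcr, h)
    return pcr.hex()


def check(measurements, trusted):
    """Return the paths whose measurement is not in the trusted list.
    `trusted` maps path -> set of acceptable sha1 hex digests.  A path
    with no trusted entry at all is reported too: unknown code is
    untrusted code.  An empty result means every component is trusted."""
    return [path for path, h in measurements if h not in trusted.get(path, set())]


def trusted_from(boot_image):
    """Build the trusted list from a known-good image (the reference the
    memory stick would carry)."""
    return {path: {h} for path, h in measure(boot_image)}


def verify_boot(boot_image, trusted, expected_aggregate):
    """Full check: per-file alerts plus whole-list aggregate comparison.
    The aggregate catches reordering of otherwise-trusted components,
    which per-file checks alone do not see."""
    m = measure(boot_image)
    return check(m, trusted), aggregate(m) == expected_aggregate


if __name__ == "__main__":
    trusted = trusted_from(GOOD_BOOT_IMAGE)
    expected = aggregate(measure(GOOD_BOOT_IMAGE))
    tampered = dict(GOOD_BOOT_IMAGE, **{"/bin/sh": b"ELF\x7f constructed shell binary v1 + patch"})
    print(verify_boot(GOOD_BOOT_IMAGE, trusted, expected))  # ([], True)
    print(verify_boot(tampered, trusted, expected))          # (['/bin/sh'], False)
```

Two properties of the design are worth noting. The per-file check gives the trust alerter something actionable (which component failed), while the aggregate gives a single value that can be compared against a sealed reference and that changes if any component is altered, added, or loaded in a different order. Keeping the trusted list on the user's own medium, as Trust Sniffer does, is what lets this run before any code from the unknown PC entity is trusted.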

6 Conclusion

The gathering and monitoring of contextual sensor information is an intrinsic part of ubiquitous computing. The technical challenges of acquiring and gaining access to such detailed information as location, juxtaposition, habits, behaviours and emotions are all but addressed. In addressing these challenges, ubiquitous computing has inadvertently created a fledgling panoptic-esque society, in which ubiquitous panoptic monitoring affects human behaviour. Ubiquitous computing poses unique challenges in addressing issues of security, user privacy and access to contextual user information. The single challenge which eludes UbiComers is to find a balance between unobtrusive services and services that make trust and privacy decisions on behalf of the user.

References
[Adlesee01a] M. Adlesee, R. Curwen, S. Hodges, P. Steggles, A. Ward, A. Hopper, Implementing a Sentient Computing System, In Computer, vol 34, No 8, pp. 50-56, August 200
[Anthony07a] D. Anthony, D. Kotz, T. Henderson, Privacy in Location-Aware Computing Environments, In IEEE Pervasive Computing, vol 6, Issue 4, pp. 64-72, 2003
[Bell07a] G. Bell, P. Dourish, Yesterday's tomorrows: notes on ubiquitous computing's dominant vision, In Journal of Personal and Ubiquitous Computing, vol 11, Issue 2, January 2007
[Cas05a] J. Cas, Privacy in pervasive computing environments: A contradiction in terms, In IEEE Technology and Society Magazine, pp. 24-33, 2005
[Consolvo05a] S. Consolvo, Location Disclosure to Social Relations: Why, When and What People Want to Share, In Proceedings of the SIGCHI Conference on Human Factors, ACM Press, pp. 81-90, 2005
[Facebook11a] Facebook.com, 2011
[Google11a] Google.com, 201
[Jonsson06a] K. Jonsson, The Embedded Panopticon: Visibility Issues of Remote Diagnostics Surveillance, In Scandinavian Journal of Information Systems, vol 18, Issue 2, pp. 7-28, 2006
[Kaplang92a] J. Kaplang, Warhol photo exhibition, Stockholm, 1968, In Bartlett's Familiar Quotations, 16th Edition, p. 758, 1992
[Koskela03a] H. Koskela, Cam Era: The contemporary urban Panopticon, In Surveillance and Society, vol 1, Issue 3, pp. 292-313, 2003
[Lahlou05a] S. Lahlou, F. Jegou, European Disappearing Computer Privacy Design Guidelines V1.0, Ambient Agoras Report D15.4, The Disappearing Computer Initiative, October 2003
[Lahlou05b] S. Lahlou, M. Langheinrich, C. Rocker, Privacy and Trust Issues with Invisible Computers, In Communications of the ACM, vol 48, No 3, pp. 37-42, March 2002
[Lyytinen02a] K. Lyytinen, Issues and challenges in ubiquitous computing, In Communications of the ACM, vol 45, No 12, pp. 63-65, 2002
[OED10a] The Oxford English Dictionary, Oxford University Press, 2010
[Picard02a] R.W. Picard, J. Klein, Computers that recognise and respond to user emotion: theoretical and practical implications, In Interacting with Computers, Elsevier, pp. 141-169, February 2002
[Ratner02a] M. Ratner, D. Ratner, Nanotechnology: a gentle introduction to the next big idea, Prentice Hall Press, ISBN 0-13-1014005, 2002
[Roussos04a] G. Roussos, T. Moussouri, Consumer perceptions of privacy, security and trust in ubiquitous commerce, In Personal and Ubiquitous Computing, vol 8, No 6, pp. 416-429, 2004
[Satyanaranyanan07a] M. Satyanaranyanan, Pervasive Personal Computing in an Internet Suspend/Resume System, In IEEE Internet Computing, vol 11, No 2, pp. 16-25, 2007
[Satyanaranyanan07b] M. Satyanaranyanan, Rapid Trust Establishment for Pervasive Personal Computing, In IEEE Computer Society, vol 6, No 4, pp. 24-30, 2007
[Sillence08a] E. Sillence, P. Briggs, Ubiquitous Computing: Trust Issues for a Healthy Society, In Social Science Computer Review, vol 26, No 1, pp. 6-12, February 2008
[Spielberg02a] S. Spielberg, Minority Report, A Steven Spielberg Film, 2002
[Tweedie03a] M. Tweedie, Footman exposes Tupperware secret of the Queen's table, The Telegraph Newspaper, England, 20th November 2003
[Want02a] R. Want, The Active Badge Location System, In ACM Transactions on Information Systems, pp. 91-102, 1992
[Weiser91a] M. Weiser, The Computer for the 21st Century, In Scientific American, September 1991
[Yahalom93a] R. Yahalom, B. Klein, T. Beth, Trust Relationships in Secure Systems - A Distributed Authentication Perspective, In Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 150-164, 1993
[Zhou05a] T. Zhou, L. Chen, K. Aihara, Molecular Communication through Stochastic Synchronization Induced by Extracellular Fluctuations, In Physical Review Letters, vol 95, Issue 17, 2005

