Location-Based Services in the Privacy Matrix

Carl A. Gunter - Engineering
Susan Wachter - Business
Polk Wagner - Law
University of Pennsylvania

The Privacy Matrix
- Dimensions: Access, Collection, Use.
- Example: observation of your walk down the street.

Points about the Privacy Matrix
- Thinking about privacy for LBS will be incomplete without understanding each dimension of the privacy matrix.
- Legal or regulatory efforts that fail to account for the complexities of the matrix will be suboptimal.
- Complexities inherent in the matrix forecast significant problems in resolving issues.
- Understanding LBS in the privacy matrix suggests the role that technology itself plays in privacy.

A Technical Study of Privacy for LBS
- The privacy matrix argues that privacy is not only access control and confidentiality.
- This research: we aim to augment traditional access control ideas with privacy concepts and promote an architecture for deployment.
  - Formalism: privacy systems
  - Architecture: Personal Digital Rights Management (PDRM)
  - Case study: Location Based Services (LBS)
- Carl A. Gunter, Michael May, Stuart Stubblebine: www.cis.upenn.edu/gunter/dist/GunterMS04.pdf

Related Work
- Protection Systems: Graham and Denning, 1972; Lampson, 1974; Harrison, Ruzzo, Ullman, 1976.
- Digital Rights Management: Open Digital Rights Language (ODRL); eXtensible Rights Management Language (XrML) [ContentGuard].

Related Work, cont.
- Privacy Specification Languages: Platform for Privacy Preferences (P3P) [W3C]; A P3P Preference Exchange Language (APPEL) [W3C]; Enterprise Privacy Authorization Language (EPAL) [IBM].
- Geographic Privacy: Geopriv workgroup [IETF]; Snekkenes, 2001.

Location Based Services
- Services based on the location of a principal: maps, activities, emergency response, law enforcement, inventory control, geo-fencing, demographic data collection, and so on.
- Technical drivers: cell phones, GPS and telematics, RFID tags, DHCP and 802.11.
- Growing field: estimated at $4 billion in the U.S. and $30 billion worldwide by the end of 2004.
- Rules for archiving, redistribution, and usage must be addressed at individual and group levels.

LBS Scenarios
- Subjects: individuals concerned about privacy.
- Holders: principals willing and able to collect location information about subjects. Examples: CellTrek, Autorealm, Canada On Line, Spartan Chemicals.
- Subscribers: providers of LBS. Examples: Friendsintown.com, Market Models, What's Here!, Travel Archive.

Privacy Fundamentals
- Transfer: What is the right of a principal p to transfer an object x to a principal q where x is about a subject r?
- Action: What is the right of a principal p to carry out an action that affects the privacy of a principal q?
- Creation: Which principals p are allowed to create objects x whose subject is q?
- Right Establishment: How are rights established for a principal p?

Fundamentals Illustrated
[Figure showing Right Establishment, Creation, Action and Transfer.]

Limitations of Existing Access Control Matrix Solutions
- No explicit representation of the idea that an object is private data about a given subject.
- Only a limited analysis of the rights that exist between principals (as opposed to the rights between principals and objects).
- No explicit representation of the way in which the objects are transferred (distributed) between the principals.
- Concept of delegation is too limited.
- No explicit representation for the idea that information transfers and actions are collaborations between principals.
- No concept of the transfer of an object after a privacy-enforcing transformation.

Notation
Assume we are given the following:
- Objects x, y, z ∈ O
- Principals p, q, r ∈ P
- Actions a, b, c ∈ A
- Time t
- Each object x has a subject subj(x) that the object is "about" and a creation time ct(x) when it was made.
- Null object ⊥_O and null principal ⊥_P.

Privacy System
A privacy system is a tuple <S, T, U, V, W> where:
- S is a set of rights; ⊥_S ∈ S is a distinguished null right.
- T: S × S × O → O is a publish/subscribe rights function.
- U ⊆ S × A is an action rights relation.
- V ⊆ S × O is a creation rights relation.
- W ⊆ S × S × S × R is a right establishment relation.

Architecture: Personal Digital Rights Management (PDRM)
- Turn Digital Rights Management on its head: users manage permissions on their data through rules and enforcement mechanisms.
- Those who the data is about can manage how it is used.
- Use existing languages and software for DRM.
- If DRM can be used to specify that a movie can be watched only a specific number of times, PDRM can be used to specify that personal information can only be used in a certain way a particular number of times.

Case Study: AdLoc
- The AdLoc system allows for permission-based advertising based on geo-location information.
- It allows PDA users to discover their geo-location and send it to a central database where it can be accessed only with a digital license.
- Architectural elements: GeoLocation Service (GLS); GeoInformation Service (GIS); AdLoc PDA Application; AdLoc Merchant Application.

Pieces of the LBS Puzzle and Ties to Formal System
[Figure mapping system pieces (User Device, Location Server, Content Server, Merchant/Tracking Company, Government) to the formal roles Subject, Holder and Subscribers.]

Discovering Location
[Figure: Holder, Private Data, Subject.]

Collecting Data
[Figure: Subject, Policy Database, Holder, Subscriber.]

Collecting a License
[Figure: Approval, Granted Rights.]

Action: Sending an Ad
[Figure: the action as approved by the license.]

Sample license allowing retention, limited redistribution, and sending

<?xml version="1.0" encoding="utf-8" ?>
<core:licenseGroup xmlns:core="http://www.xrml.org/schema/2001/11/xrml2core"
    xmlns:cx="http://www.xrml.org/schema/2001/11/xrml2cx"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
    xmlns:sx="http://www.xrml.org/schema/2001/11/xrml2sx"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:priv="http://www.pdrm.org/XrMLPrivacy"
    xmlns:p3p="http://www.w3.org/2002/01/P3Pv1"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xsi:schemaLocation="http://www.xrml.org/schema/2001/11/xrml2cx ../schemas/xrml2cx.xsd">
  <core:license licenseId="http://www.pdrm.org/examples/2003/SendAnyAd">
    <core:inventory>
      <!-- Device with ad -->
      <priv:mobile licensePartId="mobiledevice">
        <priv:locator>
          <priv:id>[email protected]</priv:id>
        </priv:locator>
      </priv:mobile>
    </core:inventory>
    <!-- The person allowing the company to track him/her -->
    <core:issuer>
      <sx:commonName>John Doe</sx:commonName>
    </core:issuer>
    <!-- The period for which the company may track the user. -->
    <core:validityInterval licensePartId="trackingPeriod">
      <core:notBefore>2004-05-20T19:28:00</core:notBefore>
      <core:notAfter>2004-07-29T19:28:00</core:notAfter>
    </core:validityInterval>
    <!-- Grants Company the right to track the user through the permission period. -->
    <core:grantGroup>
      <core:grant>
        <!-- The company that is tracking us' specific key. -->
        <core:keyHolder>
          <core:info>
            <dsig:KeyValue>
              <dsig:RSAKeyValue>
                <dsig:Modulus>...</dsig:Modulus>
                <dsig:Exponent>...</dsig:Exponent>
              </dsig:RSAKeyValue>
            </dsig:KeyValue>
          </core:info>
        </core:keyHolder>
        <sx:x509SubjectName>CN=The Mobile Ad Company</sx:x509SubjectName>
        <!-- The rights that we are giving -->
        <priv:sendanyad/>
        <!-- The mobile device from the inventory -->
        <priv:mobile licensePartIdRef="mobiledevice"/>
        <priv:PrivacyPolicy>
          <p3p:STATEMENT>
            <p3p:CONSEQUENCE>
              We collect your location information for development purposes and for tracking your individual movement habits
            </p3p:CONSEQUENCE>
            <!-- Why we use it -->
            <p3p:PURPOSE>
              <p3p:develop/>
              <p3p:individual-analysis/>
              <p3p:individual-decision/>
              <p3p:current/>
            </p3p:PURPOSE>
            <!-- Disclosure -->
            <p3p:ACCESS>
              <p3p:all/>
            </p3p:ACCESS>
            <!-- Disputes -->
            <p3p:DISPUTES-GROUP>
              <p3p:DISPUTES resolution-type="service" short-description="Customer service will remedy your complaints.">
                <p3p:REMEDIES>
                  <p3p:correct/>
                </p3p:REMEDIES>
              </p3p:DISPUTES>
            </p3p:DISPUTES-GROUP>
            <!-- Who else can get this data -->
            <p3p:RECIPIENT>
              <p3p:ours/>
            </p3p:RECIPIENT>
            <!-- How long do we hold onto the data for -->
            <p3p:RETENTION>
              <p3p:legal-requirement/>
            </p3p:RETENTION>
          </p3p:STATEMENT>
        </priv:PrivacyPolicy>
      </core:grant>
    </core:grantGroup>
  </core:license>
</core:licenseGroup>

References
- XrML: http://www.xrml.org
- P3P: http://www.w3.org/P3P/
- EPAL: http://www.zurich.ibm.com/security/enterpriseprivacy/epal/
- GeoPriv: http://www.ietf.org/html.charters/geopriv-charter.html

Conclusions
- The privacy matrix provides a useful framework for discussing privacy in general and LBS in particular.
- Privacy systems provide an analog of access control matrices with an emphasis on privacy rights.
- PDRM provides an architectural strategy for privacy negotiations.
- Location Based Services raise interesting privacy challenges that can be addressed with privacy systems and PDRM.
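As an added example that is not part of the slides or the GunterMS04 paper, one concrete instantiation of the privacy system <S, T, U, V, W> from the Privacy System slide, specialised to the AdLoc scenario (subject, holder, subscriber). The right names (owner, sendanyad, coarse), the coarsening transform inside T, the per-principal rights matrix and the simplification of W to triples are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

NULL = "null"                                  # the distinguished null right
# Rights between principals: rights[(p, r)] is p's right with respect to subject r.
# Constructed sample: John owns data about himself and has licensed the ad
# company "sendanyad"; any principal absent from the matrix holds the null right.
rights = {("john", "john"): "owner", ("adco", "john"): "sendanyad"}

def right_of(p, subject):
    return rights.get((p, subject), NULL)

@dataclass(frozen=True)
class Location:                                # object x with subj(x), ct(x), position
    subject: str
    created_at: int
    lat: float
    lon: float

def T(pub, sub, x):
    """Publish/subscribe rights function T: S x S x O -> O: what the subscriber
    receives after any privacy-enforcing transformation; None is the null object."""
    if x is None or pub == NULL:
        return None                            # publisher holds no right: nothing flows
    if sub in ("owner", "sendanyad"):          # licensed holder: exact location
        return x
    if sub == "coarse":                        # limited redistribution: coarsened to 0.1 degree
        return replace(x, lat=round(x.lat, 1), lon=round(x.lon, 1))
    return None                                # subscriber holds no right

U = {("sendanyad", "send_ad")}                 # action rights relation U ⊆ S x A
V = {"owner"}                                  # creation rights V ⊆ S x O, read as the rights allowed to create objects about a subject
W = {("owner", NULL, "sendanyad"),             # right establishment W, simplified to triples
     ("owner", NULL, "coarse")}                # (issuer right, holder's current right, new right)

def transfer(p, q, x):                         # Transfer: what q gets when p passes x to q
    return T(right_of(p, x.subject), right_of(q, x.subject), x)

def may_act(p, action, subject):               # Action: may p act on subject's privacy?
    return (right_of(p, subject), action) in U

def may_create(p, x):                          # Creation: may p create x about subj(x)?
    return right_of(p, x.subject) in V

def establish(issuer, holder, subject, wanted):
    """Right establishment: issuer raises holder to `wanted` over subject if W allows."""
    if (right_of(issuer, subject), right_of(holder, subject), wanted) in W:
        rights[(holder, subject)] = wanted
        return True
    return False
```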
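As an added example, not AdLoc's own code, a check a holder could run on a license of the form shown above before carrying out the "sending an ad" action: it accepts only if some grant names the acting principal, the requested right, a device resolved through the inventory, and a validity interval that contains the time of the action. The embedded license is a constructed, abbreviated copy of the slide's sample with the P3P statement omitted, and the device id is a placeholder.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"core": "http://www.xrml.org/schema/2001/11/xrml2core",
      "priv": "http://www.pdrm.org/XrMLPrivacy",
      "sx": "http://www.xrml.org/schema/2001/11/xrml2sx"}

# Constructed, abbreviated copy of the slide's SendAnyAd licence (P3P statement
# omitted); the device id is a placeholder since the slide's value is redacted.
LICENSE = """<?xml version="1.0" encoding="utf-8"?>
<core:licenseGroup xmlns:core="http://www.xrml.org/schema/2001/11/xrml2core"
    xmlns:priv="http://www.pdrm.org/XrMLPrivacy" xmlns:sx="http://www.xrml.org/schema/2001/11/xrml2sx">
  <core:license licenseId="http://www.pdrm.org/examples/2003/SendAnyAd">
    <core:inventory><priv:mobile licensePartId="mobiledevice">
      <priv:locator><priv:id>user@example.com</priv:id></priv:locator>
    </priv:mobile></core:inventory>
    <core:issuer><sx:commonName>John Doe</sx:commonName></core:issuer>
    <core:grantGroup><core:grant>
      <sx:x509SubjectName>CN=The Mobile Ad Company</sx:x509SubjectName>
      <priv:sendanyad/>
      <priv:mobile licensePartIdRef="mobiledevice"/>
      <core:validityInterval licensePartId="trackingPeriod">
        <core:notBefore>2004-05-20T19:28:00</core:notBefore>
        <core:notAfter>2004-07-29T19:28:00</core:notAfter>
      </core:validityInterval>
    </core:grant></core:grantGroup>
  </core:license>
</core:licenseGroup>"""

def action_approved(license_xml, holder_cn, device_id, right, when_iso):
    """True only if a grant names this holder, right and device and its
    validity interval contains the time of the action."""
    when = datetime.fromisoformat(when_iso)
    root = ET.fromstring(license_xml)
    # inventory: licensePartId -> device id, used to resolve each grant's IdRef
    devices = {m.get("licensePartId"): m.findtext("priv:locator/priv:id", namespaces=NS)
               for m in root.iterfind(".//core:inventory/priv:mobile", NS)}
    for grant in root.iterfind(".//core:grant", NS):
        if grant.findtext("sx:x509SubjectName", namespaces=NS) != holder_cn:
            continue  # grant is to another principal
        if grant.find("priv:" + right, NS) is None:
            continue  # this right is not in the grant
        dev = grant.find("priv:mobile", NS)
        if dev is None or devices.get(dev.get("licensePartIdRef")) != device_id:
            continue  # grant covers another device
        nb = grant.findtext("core:validityInterval/core:notBefore", namespaces=NS)
        na = grant.findtext("core:validityInterval/core:notAfter", namespaces=NS)
        if nb and na and datetime.fromisoformat(nb) <= when <= datetime.fromisoformat(na):
            return True
    return False
```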