Location-Based Services in the
Privacy Matrix
Carl A. Gunter - Engineering
Susan Wachter - Business
Polk Wagner – Law
University of Pennsylvania
The Privacy Matrix
Access
Collection
Use
Example: observation of your walk down the street.
Points about the Privacy Matrix




Thinking about privacy for LBS will be
incomplete without understanding each
dimension of the privacy matrix.
Legal or regulatory efforts that fail to account for
the complexities of the matrix will be
suboptimal.
Complexities inherent in the matrix forecast
significant problems in resolving issues.
Understanding LBS in the privacy matrix
suggests the role that technology itself plays in
privacy.
A Technical Study of Privacy for LBS





The privacy matrix argues that privacy is not
only access control and confidentiality.
This research: we aim to augment traditional
access control ideas with privacy concepts and
promote an architecture for deployment
Formalism: privacy systems
Architecture: Personal Digital Rights
Management (PDRM)
Case study: Location Based Services (LBS)
www.cis.upenn.edu/gunter/dist/GunterMS04.pdf
Carl A. Gunter, Michael May, Stuart Stubblebine
Related Work

Protection Systems




Graham and Denning, 1972
Lampson, 1974
Harrison, Ruzzo, Ullman, 1976
Digital Rights Management


Open Digital Rights Language (ODRL)
eXtensible Rights Management Language
(XrML) [ContentGuard]
Related Work, cont.

Privacy Specification Languages




Platform for Privacy Preferences (P3P) [W3C]
A P3P Preference Exchange Language
(APPEL) [W3C]
Enterprise Privacy Authorization Language
(EPAL) [IBM]
Geographic Privacy


Geopriv workgroup [IETF]
Snekkenes, 2001
Location Based Services




Services based on the location of a principal:
maps, activities, emergency response, law
enforcement, inventory control, geo-fencing,
demographic data collection, and so on.
Technical drivers: cell phones, GPS and
telematics, RFID tags, DHCP and 802.11.
Growing field: estimated at $4 billion in the U.S.
and $30 billion worldwide by the end of 2004.
Rules for archiving, redistribution, and usage
must be addressed at individual and group
levels.
LBS Scenarios

Subjects: individuals concerned about privacy.
Holders: principals willing and able to collect location information about subjects.
Example holders: CellTrek, Autorealm, Canada On Line, Spartan Chemicals.
Subscribers: providers of LBS.
Example subscribers: Friendsintown.com, Market Models, What's Here!, Travel Archive.
Privacy Fundamentals




Transfer: What is the right of a principal p to
transfer an object x to a principal q where x is
about a subject r?
Action: What is the right of a principal p to carry
out an action that affects the privacy of a
principal q?
Creation: Which principals p are allowed to
create objects x whose subject is q?
Right Establishment: How are rights established
for a principal p?
Fundamentals Illustrated

[Figure: the four fundamentals illustrated as steps: Right Establishment, Creation, Action, Transfer]
Limitations of Existing Access Control Matrix Solutions

No explicit representation of the idea that an object is private data about a given subject.
Only a limited analysis of the rights that exist between principals (as opposed to the rights between principals and objects).
No explicit representation of the way in which objects are transferred (distributed) between principals.
The concept of delegation is too limited.
No explicit representation of the idea that information transfers and actions are collaborations between principals.
No concept of the transfer of an object after a privacy-enforcing transformation.
Notation

Assume we are given the following:
Objects x, y, z ∈ O
Principals p, q, r ∈ P
Actions a, b, c ∈ A
Time t
Each object x has a subject subj(x) that the object is "about" and a creation time ct(x) when it was made.
Null object ⊥_O and null principal ⊥_P
Privacy System

A privacy system is a tuple <S, T, U, V, W>:
S is a set of rights
⊥_S ∈ S is a distinguished null right
T: S × S × O → O is a publish/subscribe rights function
U ⊆ S × A is an action rights relation
V ⊆ S × O is a creation rights relation
W ⊆ S × S × S × ℝ is a right establishment relation
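The following is an added example, not code from the slides or from the Gunter, May and Stubblebine paper: a toy privacy system <S, T, U, V, W> written in Python, with the four fundamentals (transfer, action, creation, right establishment) from the "Privacy Fundamentals" slide evaluated against it. Rights are strings, the principals (alice, CellTrek, Friendsintown.com, Market Models) and their initial rights are a constructed scenario, and the relations U, V and W are modelled as sets or predicates; the semantics given to W (the data's owner may enrol a subscriber during a fixed window) is an assumption made for this toy. The point worth seeing is T: a subscriber with the "city" right does not get refused, it gets a privacy-enforcing transformation of the object, which is exactly what the access control matrix has no way to express.

```python
"""Toy privacy system <S, T, U, V, W> over location records (added example)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional


# --- Objects O: a location fix is "about" a subject and has a creation time.
@dataclass(frozen=True)
class Loc:
    subj: str           # subj(x): who the record is about
    ct: float           # ct(x): creation time (constructed units: days)
    lat: float
    lon: float
    precision_m: float  # how coarse the fix is, in metres


NULL_OBJ: Optional[Loc] = None   # the null object, "nothing is delivered"
NULL_RIGHT = "none"              # the null right

# --- S: the set of rights used in this toy.
S = {NULL_RIGHT, "owner", "holder", "exact", "city", "advertise"}

# Constructed scenario: principal -> current right, for a single subject "alice".
rights: Dict[str, str] = {
    "alice": "owner",             # subject r: the data is about her
    "CellTrek": "holder",         # holder p: collects alice's fixes
    "Friendsintown.com": "city",  # subscriber q: entitled to a coarsened view
    "Market Models": NULL_RIGHT,  # subscriber with no right established yet
}


# T: S x S x O -> O.  The holder's right and the subscriber's right decide what
# object (if any) the subscriber receives.  "city" does not refuse: it applies a
# privacy-enforcing transformation (rounding to ~0.1 degree, roughly 10 km).
def T(s_holder: str, s_sub: str, x: Optional[Loc]) -> Optional[Loc]:
    if x is NULL_OBJ or s_holder != "holder":
        return NULL_OBJ
    if s_sub == "exact":
        return x
    if s_sub == "city":
        return replace(x, lat=round(x.lat, 1), lon=round(x.lon, 1), precision_m=10_000.0)
    return NULL_OBJ


# U ⊆ S x A: which rights permit which actions.
U = {("advertise", "send_ad"), ("holder", "store"), ("owner", "revoke")}


# V ⊆ S x O, written as a predicate: only a holder may create a location record.
def V(s: str, x: Loc) -> bool:
    return s == "holder"


# W ⊆ S x S x S x R, written as a predicate (assumed semantics for this toy):
# a principal holding s_granter may move a principal from s_before to s_after at
# time t.  Here only the data's owner may enrol a subscriber, and only inside the
# window [T0, T1], mirroring a license validity interval.
T0, T1 = 0.0, 70.0   # constructed window, in days


def W(s_granter: str, s_before: str, s_after: str, t: float) -> bool:
    return (s_granter == "owner" and s_before == NULL_RIGHT
            and s_after in {"city", "advertise"} and T0 <= t <= T1)


# --- The four fundamentals, evaluated against the current rights table.
def transfer(p: str, q: str, x: Loc) -> Optional[Loc]:
    """Transfer: what may holder p hand to subscriber q about subj(x)?"""
    return T(rights[p], rights[q], x)


def act(p: str, a: str) -> bool:
    """Action: may principal p carry out action a?"""
    return (rights[p], a) in U


def create(p: str, x: Loc) -> bool:
    """Creation: may principal p create object x?"""
    return V(rights[p], x)


def establish(granter: str, grantee: str, new_right: str, t: float) -> bool:
    """Right establishment: granter tries to give grantee new_right at time t."""
    if W(rights[granter], rights[grantee], new_right, t):
        rights[grantee] = new_right
        return True
    return False


if __name__ == "__main__":
    fix = Loc("alice", 12.5, 39.9526, -75.1652, 5.0)   # constructed GPS fix
    print(transfer("CellTrek", "Friendsintown.com", fix))  # coarsened, ~10 km
    print(transfer("CellTrek", "Market Models", fix))      # None: no right yet
    print(establish("alice", "Market Models", "advertise", 10.0),
          act("Market Models", "send_ad"))                 # True True
```

Note that a non-holder publishing (say Friendsintown.com re-sending what it received) yields the null object regardless of the recipient's right, and that enrolling Market Models at t = 99 fails because W is time-indexed; those two checks are where this differs from a plain access matrix lookup.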
Architecture: Personal Digital Rights Management (PDRM)

Turn Digital Rights Management on its head:
Users manage permissions on their data through rules and enforcement mechanisms.
Those who the data is about can manage how it is used.
Use existing languages and software for DRM.
If DRM can be used to specify that a movie can be watched only a specific number of times, PDRM can be used to specify that personal information can only be used in a certain way a particular number of times.
Case Study: AdLoc



AdLoc system allows for permission-based
advertising based on geo-location information
Allows PDA users to discover their geo-location
and send it to a central database where it can
be accessed only with a digital license
Architectural elements




GeoLocation Service (GLS)
GeoInformation Service (GIS)
AdLoc PDA Application
AdLoc Merchant Application
Pieces of the LBS Puzzle and Ties to Formal System

User Device: Subject
Location Server: Holder
Content Server, Merchant/Tracking Company, Government: Subscribers

[Figure: the AdLoc flow in four panels]
Discovering Location: Holder, Private Data, Subject
Collecting Data: Subject, Policy Database, Holder, Subscriber
Collecting a License: Approval Granted, Rights
Action – Sending an Ad: Action as approved by license
Sample license allowing retention, limited redistribution, and sending

<?xml version="1.0" encoding="utf-8" ?>
<core:licenseGroup
  xmlns:core="http://www.xrml.org/schema/2001/11/xrml2core"
  xmlns:cx="http://www.xrml.org/schema/2001/11/xrml2cx"
  xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
  xmlns:sx="http://www.xrml.org/schema/2001/11/xrml2sx"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:priv="http://www.pdrm.org/XrMLPrivacy"
  xmlns:p3p="http://www.w3.org/2002/01/P3Pv1"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xsi:schemaLocation="http://www.xrml.org/schema/2001/11/xrml2cx ../schemas/xrml2cx.xsd">
  <core:license licenseId="http://www.pdrm.org/examples/2003/SendAnyAd">
    <core:inventory>
      <!-- Device with ad -->
      <priv:mobile licensePartId="mobiledevice">
        <priv:locator>
          <priv:id>[email protected]</priv:id>
        </priv:locator>
      </priv:mobile>
    </core:inventory>
    <!-- The person allowing the company to track him/her -->
    <core:issuer>
      <sx:commonName>John Doe</sx:commonName>
    </core:issuer>
    <!-- The period for which the company may track the user. -->
    <core:validityInterval licensePartId="trackingPeriod">
      <core:notBefore>2004-05-20T19:28:00</core:notBefore>
      <core:notAfter>2004-07-29T19:28:00</core:notAfter>
    </core:validityInterval>
    <!-- Grants Company the right to track the user through the permission period. -->
    <core:grantGroup>
      <core:grant>
        <!-- The company that is tracking us' specific key. -->
        <core:keyHolder>
          <core:info>
            <dsig:KeyValue>
              <dsig:RSAKeyValue>
                <dsig:Modulus>...</dsig:Modulus>
                <dsig:Exponent>...</dsig:Exponent>
              </dsig:RSAKeyValue>
            </dsig:KeyValue>
          </core:info>
        </core:keyHolder>
        <sx:x509SubjectName>CN=The Mobile Ad Company</sx:x509SubjectName>
        <!-- The rights that we are giving -->
        <priv:sendanyad/>
        <!-- The mobile device from the inventory -->
        <priv:mobile licensePartIdRef="mobiledevice"/>
        <priv:PrivacyPolicy>
          <p3p:STATEMENT>
            <p3p:CONSEQUENCE>
              We collect your location information for development
              purposes and for tracking your individual movement habits.
            </p3p:CONSEQUENCE>
            <!-- Why we use it -->
            <p3p:PURPOSE>
              <p3p:develop/>
              <p3p:individual-analysis/>
              <p3p:individual-decision/>
              <p3p:current/>
            </p3p:PURPOSE>
            <!-- Disclosure -->
            <p3p:ACCESS>
              <p3p:all/>
            </p3p:ACCESS>
            <!-- Disputes -->
            <p3p:DISPUTES-GROUP>
              <p3p:DISPUTES
                resolution-type="service"
                short-description="Customer service will remedy your complaints.">
                <p3p:REMEDIES>
                  <p3p:correct/>
                </p3p:REMEDIES>
              </p3p:DISPUTES>
            </p3p:DISPUTES-GROUP>
            <!-- Who else can get this data -->
            <p3p:RECIPIENT>
              <p3p:ours/>
            </p3p:RECIPIENT>
            <!-- How long do we hold onto the data for -->
            <p3p:RETENTION>
              <p3p:legal-requirement/>
            </p3p:RETENTION>
          </p3p:STATEMENT>
        </priv:PrivacyPolicy>
      </core:grant>
    </core:grantGroup>
  </core:license>
</core:licenseGroup>
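The "Collecting a License" and "Action as approved by license" steps of the AdLoc flow need a check on the merchant side before any ad goes out. The following is an added example, not AdLoc's own code: a Python checker that reads a trimmed, constructed copy of the SendAnyAd license above (the dsig keyHolder, the namespace declarations that the check does not need and the CONSEQUENCE/PURPOSE/ACCESS/DISPUTES parts are omitted, and the device id `pda42@example.com` is made up) and decides whether a given requester may send an ad to a given device at a given time. It matches the requester against the grant's x509SubjectName only; verifying the issuer's signature on the license and the requester's possession of the keyHolder's RSA key is assumed to happen elsewhere, and without it the subject name is just a string anyone can claim.

```python
"""Check an AdLoc-style XrML/P3P license before sending an ad (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "core": "http://www.xrml.org/schema/2001/11/xrml2core",
    "sx": "http://www.xrml.org/schema/2001/11/xrml2sx",
    "priv": "http://www.pdrm.org/XrMLPrivacy",
    "p3p": "http://www.w3.org/2002/01/P3Pv1",
}

# Constructed: a trimmed copy of the page's SendAnyAd license with a made-up device id.
LICENSE_XML = """
<core:licenseGroup
  xmlns:core="http://www.xrml.org/schema/2001/11/xrml2core"
  xmlns:sx="http://www.xrml.org/schema/2001/11/xrml2sx"
  xmlns:priv="http://www.pdrm.org/XrMLPrivacy"
  xmlns:p3p="http://www.w3.org/2002/01/P3Pv1">
  <core:license licenseId="http://www.pdrm.org/examples/2003/SendAnyAd">
    <core:inventory>
      <priv:mobile licensePartId="mobiledevice">
        <priv:locator><priv:id>pda42@example.com</priv:id></priv:locator>
      </priv:mobile>
    </core:inventory>
    <core:issuer><sx:commonName>John Doe</sx:commonName></core:issuer>
    <core:validityInterval licensePartId="trackingPeriod">
      <core:notBefore>2004-05-20T19:28:00</core:notBefore>
      <core:notAfter>2004-07-29T19:28:00</core:notAfter>
    </core:validityInterval>
    <core:grantGroup>
      <core:grant>
        <sx:x509SubjectName>CN=The Mobile Ad Company</sx:x509SubjectName>
        <priv:sendanyad/>
        <priv:mobile licensePartIdRef="mobiledevice"/>
        <priv:PrivacyPolicy>
          <p3p:STATEMENT>
            <p3p:RECIPIENT><p3p:ours/></p3p:RECIPIENT>
            <p3p:RETENTION><p3p:legal-requirement/></p3p:RETENTION>
          </p3p:STATEMENT>
        </priv:PrivacyPolicy>
      </core:grant>
    </core:grantGroup>
  </core:license>
</core:licenseGroup>
"""


def local(tag: str) -> str:
    """Strip the namespace from an element tag: '{ns}ours' -> 'ours'."""
    return tag.rsplit("}", 1)[-1]


def check_send_ad(license_xml: str, requester_cn: str, device_id: str, when: datetime):
    """Decide whether requester_cn may send an ad to device_id at time `when`.

    Returns (allowed, reason, policy); policy records the P3P RECIPIENT and
    RETENTION terms the subscriber is bound by.  Assumption: the license's
    signature and the grant's keyHolder have already been verified, so the
    x509SubjectName can be trusted.  Without that step this check is moot.
    """
    lic = ET.fromstring(license_xml).find("core:license", NS)
    if lic is None:
        return False, "no license element", {}
    # 1. The whole license is void outside its validity interval.
    vi = lic.find("core:validityInterval", NS)
    if vi is not None:
        not_before = datetime.fromisoformat(vi.findtext("core:notBefore", namespaces=NS))
        not_after = datetime.fromisoformat(vi.findtext("core:notAfter", namespaces=NS))
        if not (not_before <= when <= not_after):
            return False, "outside validity interval", {}
    # 2. Resolve inventory part ids to the device ids they name.
    devices = {m.get("licensePartId"): m.findtext("priv:locator/priv:id", namespaces=NS)
               for m in lic.findall("core:inventory/priv:mobile", NS)}
    # 3. Find a grant naming this requester, this right and this device.
    for grant in lic.findall("core:grantGroup/core:grant", NS):
        if grant.findtext("sx:x509SubjectName", namespaces=NS) != requester_cn:
            continue
        if grant.find("priv:sendanyad", NS) is None:
            continue
        ref = grant.find("priv:mobile", NS)
        if ref is None or devices.get(ref.get("licensePartIdRef")) != device_id:
            continue
        stmt = grant.find("priv:PrivacyPolicy/p3p:STATEMENT", NS)
        policy = {} if stmt is None else {
            "recipients": [local(e.tag) for e in stmt.findall("p3p:RECIPIENT/*", NS)],
            "retention": [local(e.tag) for e in stmt.findall("p3p:RETENTION/*", NS)],
        }
        return True, "grant matched", policy
    return False, "no matching grant", {}


if __name__ == "__main__":
    print(check_send_ad(LICENSE_XML, "CN=The Mobile Ad Company", "pda42@example.com",
                        datetime(2004, 6, 15, 9, 0)))
    print(check_send_ad(LICENSE_XML, "CN=The Mobile Ad Company", "pda42@example.com",
                        datetime(2004, 8, 1)))
```

The returned policy is what makes this "limited redistribution": a RECIPIENT of `ours` alone means the merchant may not pass the location on to anyone else, and RETENTION `legal-requirement` bounds how long it may keep it, so the same check is the place to gate a redistribution request, not only the ad.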
References

XrML: http://www.xrml.org
P3P: http://www.w3.org/P3P/
EPAL: http://www.zurich.ibm.com/security/enterpriseprivacy/epal/
GeoPriv: http://www.ietf.org/html.charters/geopriv-charter.html
Conclusions




The privacy matrix provides a useful framework for
discussing privacy in general and LBS in particular.
Privacy systems provide an analog of access control
matrices with an emphasis on privacy rights.
PDRM provides an architectural strategy for privacy
negotiations.
Location Based Services raise interesting privacy
challenges that can be addressed with privacy systems
and PDRM.