© 2010-2011-2012 Daniel P. Siewiorek
Mobile Computing
Slide 1: Security and Privacy
Dan Siewiorek
June 2012
Slide 2: Outline
Overview
Privacy
Access/Security
Trust
Slide 3: Security and Privacy
Privacy/Location
» Pseudonyms [Beresford]
» Spatial/Temporal Cloaking [Gruteser]
» Rule Based [Myles]
Access/Security
» Transient Authentication [Corner]
» RFID [Kriplean]
» Photographic [Pering]
» Monitoring [Bahl]
» Keypad [Geambasu]
Trust
» Public Kiosks [Garriss]
» Trust-Sniffer [Surie]
Slide 4: Outline
Overview
Privacy
Access/Security
Trust
Slide 5: Blueroof Model Smart Cottage
Slide 6: Cottage Sensor Network
[Floor plan with 18 numbered sensor locations]
Discrete: stove & oven on/off; washer and dryer on/off; refrigerator & freezer door; kitchen cabinets & drawers; shower, faucet running; commode filling; toothbrush on/off; sofa, chair occupied; bed occupied; TV on/off; phone in use; interior motion; front door, back door; closet doors
Other: IP cameras; medication drawer
Slide 7: Smart Homes and Communities
McKeesport Independence Zone (McKIZ): move the paradigm of an aware and assistive home to an aware and assistive community
Blueroof Independence Module (BIM)
Slide 8: Privacy Attitudes: National Web Survey
Scott R. Beach, Kate Seelman, Richard Schulz, Bruce Barron, Julie S. Downs, Laurel P. Mecca, Judith T. Matthews
Slide 9: Overview
National web-based survey
» Online survey panel maintained by Survey Sampling International (SSI, Inc.)
» Non-probability sample, but demographically and geographically diverse
» Targeted middle-aged and older adults with and without disability – potential users of QoLT (N=1610)
Reference: Beach et al. (2009). Disability, Age, and Informational Privacy Attitudes in Quality of Life Technology Applications: Results from a National Web Survey. Transactions on Accessible Computing (TACCESS), Special Issue on Aging and Information Technologies.
Slide 10: Background
Privacy concerns may affect public acceptance of monitoring technology, depending on:
Type of behavior
» Vital signs, moving about the home, taking medication, cognitive ability, driving, toileting
Recipient of the data
» You, family, doctor, researchers, insurance company, government
Method of data collection/recording and sharing
» Video with sound, video without sound, sensor
Slide 11: Privacy Results: Type by Recipient
Insurance companies and government least acceptable as recipient
Driving information sensitive outside family contexts
[Chart: acceptability rating (1-10) by recipient (You, Family, Doctor, Research, Insurance, Govt) for each information type (Vital, Move about, Meds, Cog Ab, Drive, Toilet)]
Slide 12: Privacy Results: Method by Recipient
Video and video with sound less acceptable than sensors
Some types of information (e.g., toileting) may be totally out of bounds for visual access
[Chart: acceptability rating (1-10) by method (Video with sound, Video without sound, Sensor) for each information type (Vital, Move about, Meds, Cog Ab, Drive, Toilet)]
Slide 13: Acceptability of Sharing/Recording Health Information by Disability Level and Age
[Chart: acceptability rating (4-8 shown) for Non-disabled, IADL only, and ADL + IADL groups, by age 45-64 and 65+]
Controlling for gender, education, race, general technology attitudes, and assistive device use
Slide 14: Acceptability of Sharing/Recording Health Information by Disability Level and Internet Use: Web Survey Replication
[Chart: acceptability rating (4-8 shown) for Non-disabled and Disabled groups, by internet user vs. no internet use]
Slide 15: Summary / Conclusions
Disabled individuals are more accepting of sharing / recording health information than non-disabled (replicated with computer users vs. not)
Dose response effect: ADL > IADL > Non-disabled
Found among both boomers (45-64) and older adults (65+)
Suggests trade-offs of privacy for enhanced function
Slide 16: Background
Explored trade-offs between:
» Reduced Privacy vs. Independence
» Reduced Privacy vs. Functional Benefits
» System Demands vs. Functional Benefits
» Loss of Social Interaction vs. Functional Benefits
Slide 17: Overview
Mail survey of local gerontology research registry members
Includes primarily older adults with and without disability – potential users of QoLT (N=350)
40% response rate (350/882)
64% female; 95% age 60 or older; 23% high school or less, 42% college grads; 64% internet users, 36% non-users; 40% report activity limitations
Slide 18: Acceptance of Differing Levels of Home Monitoring and Target Recipients to PREVENT GOING TO A NURSING HOME
Slide 19: Acceptance of Varying LEVELS OF HOME MONITORING with Technology Providing Varying Types of Assistance
Slide 20: Acceptance of REDUCED EFFICIENCY RELATIVE TO HUMAN with Technology Providing Varying Levels of Assistance
Slide 21: Acceptance of Varying TRAINING REQUIREMENTS with Technology Providing Varying Levels of Assistance
Slide 22: Acceptance of Varying DAILY MAINTENANCE REQUIREMENTS with Technology Providing Varying Levels of Assistance
Slide 23: Summary / Conclusions
Respondents less accepting of video monitoring – especially when done in the bedroom and bathroom – than sensors; and of sharing information with insurance companies, even if they would prevent loss of independence
Respondents generally rejected technology that limited social interaction and required intense training to learn how to use, regardless of the type of assistance provided by the technology
Slide 24: Summary / Conclusions
Tipping point for acceptance of time to perform task: twice as long as human attendant (30 % drop in acceptability)
Tipping point for acceptance of time for daily maintenance: 1 hour (40 % drop in acceptability)
Results provide initial evidence for the implicit trade-offs that users make when deciding whether to adopt QoLT, which have important implications for design
Slide 25: Privacy
Centralized Service
» Policy Based Contracts
» Spatial/Temporal Cloaking – resolution of location information in space/time (k-anonymous)
» Pseudonyms – mixing zone
Distributed Service
» Abstractions
Slide 26: Location Service Architecture Alternatives
Slide 27: “Sometimes Less is More”: Multi-Perspective Exploration of Disclosure Abstractions in Location-Aware Social Apps
Karen P. Tang
Slide 28: Privacy Risks = Adoption Barrier
Location is now easier to sense, share & access; privacy risks lead to an adoption barrier [hong, ‘03]
Risks range from day-to-day to extreme:
» within your social network: over-protection, over-monitoring; embarrassment, reputation loss
» government: civil liberties
» stalkers: well-being, safety
» businesses: spam, data mining
Slide 29: Problem: Privacy vs. Utility Tradeoff
Slide 30: Problem: Privacy vs. Utility Tradeoff
Spectrum from “share nothing & no social benefits” to “share precise location (GPS) & max social benefits”
Slide 31: Solution: Privacy vs. Utility Scaffolding
Same spectrum, from “share nothing & no social benefits” to “share precise location (GPS) & max social benefits”
Use location abstractions to scaffold privacy concerns between the two extremes
Slide 32: Types of Location Abstractions
Location information → abstraction type (listed from most to least specific):
(40.444507, -79.948530) → (specific) geographic
417 S. Craig St, Pittsburgh, PA 15213 → (specific) geographic
Starbucks → (specific) semantic
My favorite coffee shop → semantic
Coffee shop → (general) semantic
Oakland, Pittsburgh, PA → (general) geographic
Pittsburgh, PA → (general) geographic
Pennsylvania → (general) geographic
USA → (general) geographic
[no information]
Slide 33: Why Use Location Abstractions?
Useful properties of abstractions
» supports plausible deniability [lederer, ‘03; hong, ‘04]
» provides degrees of privacy [hong, ‘05; solove, ‘08]
» mimics conversational dialogue [weilenmann, ‘03]
Slide 34: Spectrum of Location Sharing Applications
push-based sharing – user or event driven (“I’m here now”)
pull-based sharing – request-driven (“where is Alice now?”)
synchronous vs. asynchronous
sharing current location vs. sharing past locations
Slide 35: Past Research Examples of LSAs
Timeline (1992–2009):
1992 – active badge [want ’92]
2001 – connexus [tang ’01]
2003 – activecampus [griswold ’03]
2004 – lemming [hong ’04], watchme [marmasse ’04]
2005 – esm study [consolvo ’05], reno [smith ’05], contextcontacts [raento ’05]
2007 – whereabouts [brown ’07]
2008 – connecto [barkhuus ’08]
2009 – locaccino [sadeh ’09]
Slide 36: Past Research Examples of LSAs
(Same timeline as slide 35, with a highlighted quote)
“Groups of people who regularly wanted to hold meetings could find each other easily with very little notice.”
Slide 37: Past Research Examples of LSAs
(Same timeline as slide 35, with a highlighted quote)
“Given mobile users’ fragmented attention, the time it takes to make a phone call must remain extremely short… These [context] cues [which include location] should facilitate decisions about whether to call, and if so, which communication channel to use.”
Slide 38: Past Research Examples of LSAs
(Same timeline as slide 35, with a highlighted quote)
“Phoebe wonders what she and her husband, Ross, will do for the evening, so she sends a location query to Ross. While he is waiting at the bus stop near his office, Ross sends a location update to Phoebe. Phoebe receives the message at home, eagerly anticipating Ross’ arrival home. When Ross gets off the bus, a location update is sent to Phoebe and she knows that he’s only 10 minutes away. She sets out dinner just in time for her husband’s arrival.”
Slide 39: Common Themes for Location Sharing
Often driven by functional purposes
» coordination
» collaboration
» interruptibility
» event planning
Slide 40: Industry Trends for Information Sharing
Online social networks (OSNs)
» diverse networks, lots of weak links [wellman ‘01]
» very large networks [donath ‘04]
Sharing is often not because one needs to share, but because one wants to share
Driven by a social reason for sharing
Slide 41: Commercial Examples of LSAs
Mostly aimed at social-driven sharing
[Timeline 2005–2010 of commercial products]
Slide 42: Commercial Examples of LSAs
Mostly aimed at social-driven sharing
[Timeline 2005–2010 of commercial products, with highlighted quotes]
“‘I'm just down the street!’ Never miss another chance to connect when you happen to be at the same place at the same time.” [facebook places]
“Find out who’s around, what to do, and where to go. Introducing… the new Loopt so you can always stay connected…” [loopt]
“Share your location and stay connected with your friends.” [plazes]
Slide 43: Framework for Location Sharing
Slide 44: Pseudonyms [Beresford]
Register for a location-specific callback, but the application is untrusted
» Anonymity Set – set of all possible subjects who might cause an action
» Application Zone – where the user has registered for a callback
» Mix Zone – spatial region where none of the users has registered any application callback
User changes pseudonym in the mix zone
» An application seeing a user emerge from the mix zone cannot distinguish that user from the other users who were in the mix zone
Slide 45: Spatial and Temporal Cloaking [Gruteser]
Anonymous use of location-based services
Adjusts the resolution of location information in space/time to the anonymity constraints of location service users within an area
K-anonymous – indistinguishable from at least k-1 others
Adaptive Interval Cloaking
» Sub-divide the area around the subject until the number of subjects in the area falls below Kmin
Slide 46: Location-Based Applications [Myles]
Machine-readable privacy policies and user preferences to automate privacy management
Rule Based
» Organization
» Service
» Time
» Location
» Request Type
» Context
Slide 47: Policy rule base for a general-purpose validator describing Sally’s preferences [Myles]
[Figure: rule table with entries for employer, restaurant, fun time, taxi, find friend]
Slide 48: Outline
Overview
Privacy
Access/Security
Trust
Slide 49: Security and Privacy
Privacy/Location
» Pseudonyms [Beresford]
» Spatial/Temporal Cloaking [Gruteser]
» Rule Based [Myles]
Access/Security
» Transient Authentication [Corner]
» RFID [Kriplean]
» Photographic [Pering]
» Monitoring [Bahl]
» Keypad [Geambasu]
Trust
» Public Kiosks [Garriss]
» Trust-Sniffer [Surie]
Slide 50: Security Attacks
Attack Type | Description | Defense
Eavesdropping | Passively listen | Encryption
Replay | Capture and rebroadcast | Detection, isolation
Denial of Service | Overload service with repeated requests | Detection, isolation
Phishing | Lure unsuspecting clients to reveal personal information | Education
Malicious Software | Keystroke logger, rogue virtual machine | Detection, isolation
Rogue Wireless Access Point | Plug unauthorized access point into network | Detection, isolation
Slide 51: Dense Arrays of Inexpensive Radios [Bahl]
Add wireless to desktop machines
Look for rogue access points bridging to the wired network
Detect variations of denial-of-service attacks
» Disassociation/Deauthentication messages
» Messages with large duration values in header
Slide 52: Dense Arrays of Inexpensive Radios [Bahl]
Passive – listen for beacons
Active – probe, wait for responses
Tests
» Association – AirMonitor associates, pings wired network
» Source/Destination address – check if suspect address is on the corporate network
» Replay frames from suspect, look for duplication
» DHCP signature – format of known models on network
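The two denial-of-service indicators from slide 51, deauthentication/disassociation floods and frames carrying oversized duration values, expressed as detection logic that an AirMonitor could run over captured management frames. This is an added example, not DAIR's code; the frame dictionaries, MAC addresses and thresholds (ten deauth frames per second, a 5000 µs duration ceiling) are constructed for the illustration.

```python
from collections import defaultdict, deque

DEAUTH_TYPES = {"deauth", "disassoc"}


def detect_deauth_flood(frames, window_s=1.0, max_per_window=10):
    """Flag a source MAC that emits more than max_per_window deauth/disassoc
    frames within any window_s-second sliding window.  Frames must be ordered
    by capture time `t`.  A real AP sends these rarely; a flood of them knocks
    every client off the network, which is the DoS variant slide 51 names."""
    recent = defaultdict(deque)
    flagged = set()
    for f in frames:
        if f["subtype"] not in DEAUTH_TYPES:
            continue
        q = recent[f["src"]]
        q.append(f["t"])
        while q and f["t"] - q[0] > window_s:   # drop frames older than the window
            q.popleft()
        if len(q) > max_per_window:
            flagged.add(f["src"])
    return sorted(flagged)


def detect_large_duration(frames, max_duration_us=5000):
    """Flag frames whose Duration/ID (NAV) field is implausibly large.  The field
    is 15 bits, so legitimate values never exceed 32767 us, and ordinary frames
    reserve the medium for far less than the constructed threshold used here;
    a frame that reserves it for tens of milliseconds silences other stations."""
    return [f for f in frames if f.get("duration", 0) > max_duration_us]


def build_sample_frames():
    """Constructed capture: one radio floods deauth frames, the genuine AP sends
    two widely spaced disassociations, and one data frame claims 30 ms of air."""
    frames = []
    for i in range(12):
        frames.append({"t": 10.0 + i * 0.04, "subtype": "deauth",
                       "src": "02:00:00:00:00:aa", "duration": 314})
    frames.append({"t": 10.1, "subtype": "disassoc",
                   "src": "02:00:00:00:00:01", "duration": 314})
    frames.append({"t": 20.0, "subtype": "disassoc",
                   "src": "02:00:00:00:00:01", "duration": 314})
    frames.append({"t": 10.3, "subtype": "data",
                   "src": "02:00:00:00:00:bb", "duration": 30000})
    return sorted(frames, key=lambda f: f["t"])


if __name__ == "__main__":
    capture = build_sample_frames()
    print("deauth flood sources:", detect_deauth_flood(capture))
    print("oversized NAV frames:", [f["src"] for f in detect_large_duration(capture)])
```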
Slide 53: Transient Authentication [Corner]
Continuously authenticate the user’s presence over short-range wireless
» When the user departs, user processes are suspended and in-memory pages encrypted
» When the user returns, pages are decrypted and processes restarted
RSA Encryption
» Public and private keys. Data encrypted with the public key; only the private key can decrypt
» Private key can be used to sign messages – anyone can verify using the public key
Slide 54: RFID [Kriplean]
RFID Ecosystem collects data and stores on centralized server
Physical Access Control (PAC) protects privacy by constraining the data a user can obtain to those events that occurred when and where they were physically present
Slide 55: Photographic Authentication [Pering]
Authentication through untrusted public internet to withstand replay attacks
User identifies their own photos
» Works with a home server that has the user’s photographs and account information
Slide 56: Keypad: Auditing File System [Geambasu]
Encryption plus remote key storage
Audit server involved with every protected file access
Alert the audit server after theft so it refuses to return a particular file’s key
Audit server logs, so it knows which files were attempted to be accessed
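The Keypad idea modelled end to end, as an added example that is not Keypad's own code: per-file keys live only on the audit server, every key request is logged, and after a theft report the server refuses keys, leaving the owner a record of which files the thief tried to open. The `AuditServer`/`KeypadClient` classes and device and file names are constructed, and the XOR keystream stands in for a real authenticated cipher.

```python
import hashlib
import secrets


def _keystream_xor(key, data):
    """Placeholder cipher for the example (constructed): XOR with a SHA-256
    counter keystream.  A deployment would use an authenticated cipher; here it
    only shows the ciphertext is useless without the key the server holds."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


class AuditServer:
    """Remote key store.  Every key request is logged; once a device is
    reported stolen its keys are refused and the log shows attempted files."""
    def __init__(self):
        self._keys, self.log, self.stolen = {}, [], set()

    def register(self, device, file_id):
        key = secrets.token_bytes(32)
        self._keys[(device, file_id)] = key
        return key

    def request_key(self, device, file_id, now):
        granted = device not in self.stolen
        self.log.append({"device": device, "file": file_id, "t": now, "granted": granted})
        return self._keys.get((device, file_id)) if granted else None

    def report_theft(self, device):
        self.stolen.add(device)

    def attempted_files(self, device):
        """Files a device asked for after it was reported stolen."""
        return sorted({e["file"] for e in self.log
                       if e["device"] == device and not e["granted"]})


class KeypadClient:
    def __init__(self, device, server):
        self.device, self.server, self.store = device, server, {}

    def write(self, file_id, plaintext):
        key = self.server.register(self.device, file_id)
        self.store[file_id] = _keystream_xor(key, plaintext)  # key is not kept locally

    def read(self, file_id, now):
        key = self.server.request_key(self.device, file_id, now)
        if key is None:
            raise PermissionError(f"audit server refused key for {file_id}")
        return _keystream_xor(key, self.store[file_id])


def demo():
    """Constructed scenario: normal read, theft report, refused read, audit trail."""
    server, laptop = AuditServer(), None
    laptop = KeypadClient("laptop-1", server)
    laptop.write("notes.txt", b"quarterly numbers")
    before = laptop.read("notes.txt", now=1.0)
    server.report_theft("laptop-1")
    try:
        laptop.read("notes.txt", now=2.0)
        refused = False
    except PermissionError:
        refused = True
    return before, refused, server.attempted_files("laptop-1")
```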
Slide 57: Outline
Overview
Privacy
Access/Security
Trust
Slide 58: Security and Privacy
Privacy/Location
» Pseudonyms [Beresford]
» Spatial/Temporal Cloaking [Gruteser]
» Rule Based [Myles]
Access/Security
» Transient Authentication [Corner]
» RFID [Kriplean]
» Photographic [Pering]
» Monitoring [Bahl]
» Keypad [Geambasu]
Trust
» Public Kiosks [Garriss]
» Trust-Sniffer [Surie]
Slide 59: Public Kiosks [Garriss]
Personal device to establish trust in a public computing Kiosk
Determines identity and integrity of all software on the Kiosk
Slide 60: Rapid Trust Establishment [Surie]
Use with ISR
Fetches the execution environment from a trusted server over an encrypted channel
Only have to verify the integrity of a small core of local ISR and Linux software
Trust initiator device – examines the local disk to verify it is safe for a normal boot
Trust extender – kernel module
Trust alerter – user-space notifier application