User-Controllable Security and Privacy for Pervasive Computing
http://www.cs.cmu.edu/~sadeh/user_controllable_security_and_privacy.htm
© Ian Fette 2007, All Rights Reserved

Jason Cornwell, Ian Fette, Gary Hsieh, Madhu Prabaker, Jinghai Rao, Karen Tang, Kami Vaniea, Lujo Bauer, Lorrie Cranor, Jason Hong, Bruce McLaren, Mike Reiter, Norman Sadeh

February 26, 2007
[email protected]

User-Controllable Security and Privacy for Pervasive Computing, at HotMobile 2007



• School of Computer Science •© Ian C. Fette 2007, All Rights Reserved • http://www.ianfette.com/ 2

What’s wrong?


Even worse…


The Problem

• Mobile devices are becoming integrated into everyday life
  – Mobile communications
  – Sharing location information with others
  – Remote access to home
  – Mobile e-commerce
• Managing security and privacy policies is hard
  – Preferences hard to articulate
  – Policies hard to specify
  – Limited input and output
• Leads to new sources of vulnerability and frustration


The Objective

• Objective
  – Develop and validate techniques to empower end-users to manage their policies
  – Evaluate tradeoffs between expressiveness, tolerance for errors, burden on users and overall user acceptance
  – Understand how much we can realistically hope to delegate to users – business and policy implications
• Large multi-disciplinary team and project
  – Six faculty, 1.5 postdocs, 10 graduate students
  – Roughly 1.5 years into project


Overview

• Motivation
• Domains we’re investigating
  – Contextual Instant Messaging
  – Access Control of Resources with Grey
  – People Finder
• Problems we’re looking at
  – Prior studies in lab
    · Difficulty of specifying preferences
    · Ability to learn preferences
  – Current work
    · Field deployment and study
    · More comprehensive rule specification mechanism
• Conclusions


Contextual Instant Messaging

• Facilitate coordination and communication by letting people request contextual information via IM
  – Interruptibility (via SUBTLE toolkit)
  – Location (via Place Lab wifi positioning)
  – Active window
• Developed a custom client and robot on top of AIM
  – Client (Trillian plugin) captures and sends context to robot
  – People can query the imbuddy411 robot for info, e.g. “howbusyis username”
  – Robot also contains privacy rules governing disclosure


Contextual Instant Messaging (2)


Access Control of Resources with Grey

• Distributed smartphone-based access control system
  – physical resources like office doors, computers, and coke machines
  – electronic ones like computer accounts and electronic files
  – currently only physical doors
• Proofs assembled from credentials
  – No central access control list
  – End-users can create flexible policies


People Finder

• Allow users to request each others’ location
  – Useful for meeting up
  – Checking up on someone
• Involves…
  – Eliciting users’ privacy preferences
  – Allowing users to audit the incoming request history
  – Attempting to learn users’ preferences automatically
  – Making “smart” suggestions to users for how to fix problems
  – … and lots of behind-the-scenes work


People Finder (2)

• Problems we’re investigating:
  – How to allow users to specify rules
  – What to include in rules
    · Time
    · Date
    · Person / Group
    · Location
    · Calendar activities
    · Anything else…
  – As an example, how to specify locations in rules?
    · Minimum bounding rectangles?
    · Labeled spaces
    · … or more complex ontologies (“in a bar”, “at home”, “at a colleague’s house”…)
  – …yet more expressiveness may not necessarily increase users’ sense of control and satisfaction.


People Finder (3): Current System


People Finder (4)

• Results so far (lab study)
  – Users take a long time to specify rules
  – Users take a long time to revise rules

[Chart: Rule Creation Time and Rule Revision Time (sec) per user]

                    Mean (sec)   Standard Deviation (sec)
Rule Creation         321.53        206.10
Rule Maintenance      101.15        110.02
Total                 422.69        213.48


People Finder (5)

• … and yet, even after spending all this time, users are still unable to craft policies that completely express their intent…
• …but there’s hope, as we seem to be able to do a good job at learning preferences based on audit history

[Chart: per-user results for Original Rules, Modified Rules (in-study), Modified Rules (post-study) and Case-Based Reasoner]

[Chart: % Correct Disclosures – Original Rules 61, Modified Rules (in-study) 67, Modified Rules (post-study) 72, Case-Based Reasoner 82]


People Finder (6): Current Work

• Field deployment and study
  – Giving out cell phones to users
  – Observing the rule-creation behavior
  – Analyzing accuracy of rules, and attempting to use machine learning to do better than the users’ own rules
• More comprehensive rule specification mechanism
  – Allow users to create hierarchical groups
  – Allow location to be a part of rule specification


People Finder (7): Current System


People Finder (8)


People Finder (9)


People Finder (10): Future Work

• Better visualization of policies
• Better explanation of options to correct policies
• Utilization of additional semantic information
  – Calendaring
  – Directory services
  – Location services


USABLE POLICY AUTHORING: A PEOPLE FINDER EXAMPLE

Steps over time: Policy Creation → Policy Enforcement → Policy Auditing & Refinement

Scenario illustration
• Policy Creation – Jane: “My colleagues can see my location on weekdays between 8am and 5pm”
• Policy Enforcement – Bob: “Jane and Eric are late for our meeting. Show me where they are!” → Bob’s phone: “Jane is in Oakland but I can’t access Eric’s location”
• Policy Auditing & Refinement – Eric: “Why couldn’t Bob see where I was?” → “Bob is a colleague. So far only your friends can see where you are” → Eric: “What if my colleagues could see my location too?” → “In the past you denied access to your colleague Steve” → Eric: “OK, make it just my superiors”

New technology
• Policy Creation – Policy Visualization
• Policy Enforcement – Policy Enforcing Engines
• Policy Auditing & Refinement – Explanation Dialog; Learning from the past
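The three phases of this scenario, and the rule contents listed under People Finder (2), as an added Python example (not the project's People Finder code): group-and-time-window rules, audited enforcement, the denial explanation, a check of a proposed rule against past agreed-upon denials, and the study's “% correct disclosures” metric. The group memberships, rule shape and sample timestamps are constructed assumptions; the slides do not give the real data model.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample data mirroring the slide's scenario; the real People Finder data model is not on the slide.
GROUPS = {"friends": {"Jane"}, "colleagues": {"Bob", "Steve", "Eric"}, "superiors": {"Eric"}}
MONDAY = datetime(2007, 2, 26, 14)   # a weekday afternoon request
SATURDAY = datetime(2007, 3, 3, 12)  # a weekend request

@dataclass(frozen=True)
class Rule:
    """Disclosure rule: members of `group` may see my location on the given days and hours."""
    group: str
    weekdays_only: bool = False
    start_hour: int = 0   # inclusive
    end_hour: int = 24    # exclusive

    def allows(self, requester: str, when: datetime) -> bool:
        in_group = requester in GROUPS.get(self.group, set())
        on_day = not self.weekdays_only or when.weekday() < 5
        return in_group and on_day and self.start_hour <= when.hour < self.end_hour

@dataclass
class PeopleFinder:
    rules: list
    audit: list = field(default_factory=list)  # (requester, when, disclosed, owner_agreed)

    def decide(self, requester, when, owner_agreed=True):
        """Enforcement: deny unless a rule allows; log the request and the owner's later audit verdict."""
        disclosed = any(r.allows(requester, when) for r in self.rules)
        self.audit.append((requester, when, disclosed, owner_agreed))
        return disclosed

    def explain_denial(self, requester):
        """Explanation dialog: the requester's groups against the groups the current rules cover."""
        theirs = ", ".join(sorted(g for g, m in GROUPS.items() if requester in m))
        mine = ", ".join(sorted({r.group for r in self.rules}))
        return f"{requester} is in {theirs}. So far only {mine} can see where you are"

    def conflicts(self, proposed):
        """Learning from the past: denials the owner agreed with that `proposed` would reverse."""
        return sorted({req for req, when, disc, ok in self.audit
                       if not disc and ok and proposed.allows(req, when)})

    def accuracy(self, intended):
        """% correct disclosures: cases where the rules agree with the owner's stated intent."""
        hits = sum(any(r.allows(req, when) for r in self.rules) == want
                   for (req, when), want in intended.items())
        return round(100 * hits / len(intended), 1)
```

Starting from `PeopleFinder([Rule("friends")])`, a denied request from Bob yields the slide's explanation, and `conflicts(Rule("colleagues", True, 8, 17))` surfaces Steve when his earlier denial was confirmed in the audit log.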


Conclusions

• Traditional security paradigms do not directly translate to mobile and pervasive computing
• Users are responsible for an increasing number of policies, and need help to express their desires
• Machine learning can be a part of helping users craft better policies
• Explanation technologies will be key to helping users understand problems and their solutions
• There is a tradeoff between expressiveness of policies and both the ability of users to create these policies and the accuracy of the created policies, which must be further explored
• Better interfaces, combined with learning and explanation support, may alter the expressiveness / cost / accuracy tradeoff


Acknowledgements

Thanks to the members of the team: Jason Cornwell, Ian Fette, Gary Hsieh, Madhu Prabaker, Jinghai Rao, Karen Tang, Kami Vaniea, Lujo Bauer, Lorrie Cranor, Jason Hong, Bruce McLaren, Mike Reiter, Norman Sadeh*

*my advisor

Special thanks to Jason Hong and Norman Sadeh for sharing some of their slides

… and to our sponsors. This work is supported by NSF Cyber Trust grant CNS-0627513, NSF grant CNS-0433540, and ARO research grant DAAD19-02-1-0389 to Carnegie Mellon University's CyLab.

Contact: Ian Fette or Norman Sadeh (icf,sadeh)@cs.cmu.edu

Carnegie Mellon University, School of Computer Science

5000 Forbes Ave, Pittsburgh PA 15213