Personal Privacy Assistants for RFID Users

1
Personal Privacy Assistants for RFID Users

• Shinichi Konomi
• University of Colorado, Boulder
• konomi_at_cs.colorado.edu

2
RFID why important?
People Things
Network
RFID
3
Privacy problems
Network
People Things
4
Existing approaches

• Killing tags
• Faraday cage
• Active jamming
• Sophisticated tags
• Blocker tags
• Local computation
• Information management
• Social regulation

Mostly technologies for isolation
People Things
Network
5
What is privacy?

• Traditional view
• the right to be left alone
• Alternative view (Altman, 1975 Palen and
  Dourish, 2003)
• selective control of access to the self (or to
  ones group)

6
Towards a new class of privacy-enhancing
technologies
Network
People Things
Privacy problems
control
Network
Network
People Things
People Things
B. Technologies for boundary control
A. Technologies for isolation
7
Breakdown of privacy regulation

• Consumers activities are interleaved with scans
• Invisible scans
• Unintentional scans
• Scans announce relationships among people and
  things
• Scans trigger chains of incoming and outgoing
  information flows

Smart Shelf (Auto-ID Center, 2002)
Whos monitoring what?
Can I convey information to others?
8
Reflexive interpretations of actions

• Understanding and anticipating how ones actions
  and information appear to others
• Important for assessing the efficacy of
  withholding and disclosing information
• Technology support for reflexive interpretations
• Self-traceability of how ones actions and
  information are exposed to others over time (c.f.
  reflexive CSCW)

How am I presenting myself to others?
9
Traceability and identity

• Companies building better brand identities by
  making food traceability information (private
  information) available to consumers
• In contrast, consumers using supermarket loyalty
  cards generally dont have such a sense of
  control about their identities

10
Designing for privacy the feedback-control
approach

• Designing for privacy in multimedia, ubiquitous
  computing environments (Bellotti and Sellen,
  1993)
• Key issue appropriate feedback and control

Capture
Existence of database records, Stored?,
Copied?, Integrated? Where? How?
Existence of tags/readers, Occurrences of scans,
Who?, What?, When?
Construction
Removing tags, Which readers?, Anonymity and
pseudonymity
Modifying database records, Restricting
operations, Permissions, Supervision
When and who accessed my information on RFID
tags, readers, and database records
Accessibility
Purposes
Why? Privacy policies, Inferred purposes
Social control with technological support
(e.g., something like P3P)
Access control, Authentication, Encryption
11
Other dimensions of design space
Support mechanisms
Process
Practice
Optimistic
Pessimistic
Protection by disclosureStill asleep dont
disturb
Privacy policies
hypocrisy ?
Reciprocal disclosure if I see you, you see me
Interactive
Feedback leads to information overload
Cost
Defaultsetting
Context-aware user interfaces
Cultural context
Ambient media
Activities
Contextualfactor
Many users dont changedefault settings
Control introduces additional tasks
Places
Privacy critics and agents
Social context
Personalization
Context-aware reuse
12
Contributions and limitations of the
feedback-control approach

• Contributions
• Allows for dynamic, moment-by-moment assessment
  and control
• Limitations
• More RFID tags in the world, more cost for
  privacy regulation

RFID tags in the world
Cognitive resources of humans
2004
? Important challenge usable and useful
mechanisms for feedback control
13
Privacy critics for RFID

• Privacy critics for using RFID
• A type of intelligent agent that helps users
  manage complex privacy control by providing
  feedback and suggestions as user go about their
  ordinary tasks
• Computer-based critics first proposed by Fischer
  et al. (1990)
• Privacy critics for web browsing proposed by
  Ackerman and Cranor (1999)
• Critics give suggestions from different
  perspectives
• Capture critics
• Construction critics
• Accessibility critics
• Purposes critics
• Reflexivity critics

14
Personal privacy assistants (PPA)

• A mobile appliance to view and control all
  incoming and outgoing information about me

control
PPA
Network
People Things
Privacy boundary
Desirable hardware platforms - Wireless PDAs,
Mobile phones, or Smart wristwatches with
integrated RFID readers - R/W RFID tags w/
cryptography communication range 2-3m
According to XXX, disclosure of this scan leads
to severe privacy risks such as...
Beep!
(Conceptual illustration)
15
PPA Software architecture
Mobile User Interface
Critics (capture, construction, accessibility,
purposes, reflexivity)
Contextual Information Management
Disclosure granularity
Semantics of scans
Personal Database
Privacy transactions
Reflexive datastore
Personal Area Networking
Personal firewall
Cryptography
Use of intermediary agent/agency
16
Integrating PPA into practices

• these different behaviors (? mechanisms for
  regulating privacy boundaries) operate as a
  unified system, amplifying, substituting, and
  complementing one another (Altman, 1975)
• Genres of disclosure (Palen and Dourish, 2003)
• Socially constructed patterns of privacy
  management
• Expectations around representations
• Integration into social practices

17
Conclusions and future work

• Dynamic boundary control rather than isolation
• Requirements and architecture of personal privacy
  assistants (PPA)
• Feedback and control
• Privacy critics
• Still an early stage of research