Privacy Preservation in Context-Aware Systems - PowerPoint PPT Presentation

Slides: 56
Provided by: ebiquityU1

Transcript and Presenter's Notes

1
Privacy Preservation in Context-Aware Systems
  • By Pramod Jagtap
  • Master's Thesis Defense
  • Advisor: Dr. Anupam Joshi

2
The Wall Street Journal
3
(No Transcript)
4
What We Need!
  • Static Information
  • Aspects of Context
  • Generalization of Context
  • Temporal Restrictions
  • Requester's Context
  • Context Restrictions
5
This Thesis is About!
  • Presenting a policy-based framework to protect
    user privacy in a context-aware system based on
    the context of both owner and requester
  • Validation of the framework in a prototype system
  • Evaluation of the framework on mobile devices

6
Agenda
  • Introduction
  • Related Work and Motivation
  • System Architecture
  • Prototype Implementation
  • Results
  • Conclusion and Future Work

7
What is Context?
  • Set of environmental states and settings in
    which an application event occurs and is
    interesting to the user (Chen and Kotz, 2000)
  • Defined by a combination of relevant
    environmental properties, participants, and
    participants' activities
  • User context: user's role, location, activity,
    people nearby
  • Time context
  • Physical context
  • Computing context

8
Related Work and Background
  • The context-aware electronic tourist guide
    (Cheverst et al. 2000)
  • AnonySense (Shin et al. 2010), a privacy-aware
    architecture for collaborative pervasive
    applications that use mobile sensing
  • Project Aware Home (Kidd et al. 1999) uses an
    RBAC-based access control model
  • Context Privacy Service (CoPS) (Sacramento,
    Endler, Nascimento 2005) describes the design
    and implementation of a privacy service

9
Related Work
  • Rei is a policy language based on OWL-Lite (Kagal
    et al.)
  • Rein (Rei and N3) (Kagal and Berners-Lee 2005):
    distributed framework for describing and
    reasoning over policies in the Semantic Web
  • AIR (Kagal, Hanson, Weitzner 2008): policy
    language that provides automated justification
    support by tracking dependencies during the
    reasoning process
  • Uses a Truth Maintenance System (Doyle 1978) to
    track dependencies

10
System Architecture
  • Server side: Social Media, DB and Calendar Data
    feed a Content Aggregator (learn and share); a
    Privacy control module enforces privacy at the
    server side
  • Network connecting the server and the client
    devices
  • Client devices: each device holds its Sensor Data
    and its own Privacy control module; privacy is
    enforced over sensed data and between peer
    devices
11
Content Aggregation
12
System Architecture
  • Same architecture diagram as slide 10: server-side
    Content Aggregator over Social Media, DB and
    Calendar Data with a Privacy control module;
    client devices with Sensor Data and Privacy
    control modules; privacy enforced at the server
    side, over sensed data and between peer devices
13
Privacy Control Module
  • It deals with the resource to be protected, the
    owner of a resource and the requester who wants
    to access it
  • Aims to protect user privacy in a context-aware
    system by enforcing user privacy policies

14
Privacy Control Module - Context Ontology
15
Privacy Control Module - Context Ontology
  • It captures the user's location and surroundings,
    the presence of other people and devices, and the
    inferred activities in which they are engaged

16
Privacy Control Module - Context Ontology
  • Supports the generalization of contextual
    information
  • Location Generalization
  • Activity Generalization

17
Privacy Control Module - Context Ontology
  • Location Generalization
  • "Share my location with teachers on weekdays from
    9am-5pm"
  • The user's exact location in terms of GPS
    co-ordinates is shared
  • The user may not want to share GPS co-ordinates
    but may be fine with sharing a city-level
    location
  • "Share my building-wide location with teachers on
    weekdays from 9am-5pm"

18
Privacy Control Module - Context Ontology
  • Location Generalization
  • Our ontology uses a hierarchical model of location
    to support location generalization
  • The transitive part_of property creates the
    location hierarchy

19
Privacy Control Module - Context Ontology
  • Activity Generalization
  • "Share my activity with friends on weekends"
  • The user's current activity is shared with friends
    on weekends
  • Share a more generalized activity rather than the
    precise one
  • Confidential project meeting > Working; Date >
    Meeting
  • The user clearly needs to obfuscate certain pieces
    of activity information to protect her context
    information
  • "Share my public activity with friends on weekends"
  • Public is a visibility option
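
The two generalizations described on slides 17 to 19 can be implemented directly over the ontology's hierarchy. The following is an added example, not code from the thesis or the Platys project: it models the transitive part_of relation as a child-to-parent map, releases only the ancestor at the granularity a policy names (building-wide, city-wide), and generalizes an activity by walking up to the first ancestor whose visibility the policy allows. The place names, activity names and visibility tags are constructed for the example.

```python
"""Location and activity generalization over a Platys-style hierarchy.

Added example; not code from the thesis or the Platys project.  The transitive
part_of relation is modelled as a place -> enclosing-place map, and a policy
such as "share my building-wide location" releases only the ancestor at the
requested granularity.  Activities are generalized the same way, walking up to
the first ancestor whose visibility the policy permits.  Names are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed location hierarchy: place -> (type, enclosing place), following
# the chain on slide 22: GPS point -> room -> building -> city -> state.
LOCATIONS: Dict[str, Tuple[str, Optional[str]]] = {
    "GPS_39.253525_-76.710706": ("Point", "ITE_325"),
    "ITE_325": ("Room", "ITE"),
    "ITE": ("Building", "Baltimore"),
    "Baltimore": ("City", "Maryland"),
    "Maryland": ("State", None),
}

# Constructed activity hierarchy: activity -> (more general activity, visibility).
ACTIVITIES: Dict[str, Tuple[Optional[str], str]] = {
    "Confidential_Project_Meeting": ("Working", "Private"),
    "Listening_To_Lecture": ("Working", "Public"),
    "Working": (None, "Public"),
    "Date": ("Meeting", "Private"),
    "Meeting": (None, "SemiPublic"),
}
VISIBILITY_RANK = {"Private": 0, "SemiPublic": 1, "Public": 2}


def part_of_closure(place: str) -> List[str]:
    """Transitive closure of part_of: `place` followed by every enclosing place,
    most specific first.  Rejects unknown places and cyclic hierarchies, since a
    cycle would otherwise make generalization loop forever."""
    chain: List[str] = []
    cur: Optional[str] = place
    while cur is not None:
        if cur not in LOCATIONS:
            raise KeyError(f"unknown place {cur!r}")
        if cur in chain:
            raise ValueError(f"cycle in part_of at {cur!r}")
        chain.append(cur)
        cur = LOCATIONS[cur][1]
    return chain


def generalize_location(place: str, level: str) -> Optional[str]:
    """Return the enclosing place of type `level` ("Room", "Building", "City",
    ...), or None when the hierarchy has no such ancestor.  None means the
    policy releases nothing rather than falling back to a finer location."""
    for p in part_of_closure(place):
        if LOCATIONS[p][0] == level:
            return p
    return None


def generalize_activity(activity: str, min_visibility: str) -> Optional[str]:
    """Return the most specific activity at or above `activity` whose visibility
    is at least `min_visibility`; None when even the most general ancestor is
    too sensitive to release under the policy."""
    threshold = VISIBILITY_RANK[min_visibility]
    cur: Optional[str] = activity
    while cur is not None:
        parent, visibility = ACTIVITIES[cur]
        if VISIBILITY_RANK[visibility] >= threshold:
            return cur
        cur = parent
    return None


if __name__ == "__main__":
    gps = "GPS_39.253525_-76.710706"
    print(part_of_closure(gps))
    print(generalize_location(gps, "Building"))  # ITE
    print(generalize_location(gps, "City"))      # Baltimore
    print(generalize_activity("Confidential_Project_Meeting", "Public"))  # Working
    print(generalize_activity("Date", "Public"))  # None: Meeting is only SemiPublic
```

Returning None instead of the raw value when no ancestor satisfies the policy is the important design choice: a generalization step that fails must fail closed, otherwise a malformed hierarchy would leak the precise location or activity.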

20
Activity Generalization
21
Privacy Control Module - Knowledge About User
22
Privacy Control Module - Knowledge About User
  • Profile and context information - represented
    using N3

platys:Professor_Meeting a platys:Activity ;
    platys:is_performed_by ex:Alice ;
    platys:has_participant ex:Alice, ex:John ;
    platys:occurs_at platys:Class_LH1 ;
    platys:occurs_when "2010-11-19T14:12:42" .
platys:Class_LH1 a platys:Place ;
    platys:has_location "39.253525, -76.710706" .
platys:GPS a platys:Point ;
    platys:part_of platys:ITE_325 .
platys:ITE_325 a platys:Room ;
    platys:part_of platys:ITE .
platys:ITE a platys:Building ;
    platys:part_of platys:Baltimore .
platys:Baltimore a platys:City ;
    platys:part_of platys:Maryland .
platys:Maryland a platys:State .
ex:Alice a foaf:Person ;
    foaf:name "Alice" ;
    ex:systemUser true ;
    platys:has_role platys:Student .
23
Privacy Control Module - Knowledge About User
  • Group Information

ex:Harry a foaf:Person ;
    foaf:name "Harry" ;
    ex:memberOf ex:GroupFamily .
ex:Ron a foaf:Person ;
    foaf:name "Ron" ;
    ex:memberOf ex:GroupFriends .
ex:GroupFamily a foaf:Group ;
    foaf:name "Family" .
ex:GroupFriends a foaf:Group ;
    foaf:name "Friends" .
24
Privacy Control Module - Privacy Preferences
25
Privacy Control Module - Privacy Preferences
  • Access control rules that describe how the user
    wants to share her information, with whom, and
    under what conditions
  • Information can be profile information or context
  • Different groups of requesters
  • Conditions can be the user's or the requester's
    context
  • Represented in N3
  • User-defined and system-defined privacy policies

26
Privacy Control Module - Privacy Preferences
  • User-defined policies: specified by the user to
    protect her information
  • "Share my context with family members all the time"
  • System-defined policies
  • Can be needed for military domains or
    organizations
  • Multi-level secure systems, where the system-level
    policies must override the user-level policies
  • "Do not share the user's context if she is inside
    a military building, BuildingXYZ"

27
Policy Editor
  • To specify and edit privacy policies. The
    policies are created and stored in N3 format on
    both server and client sides in persistent memory

28
Privacy Control Module - Reasoning Engine
29
Privacy Control Module - Reasoning Engine
  • Handles the requester's queries and performs
    reasoning for access control decisions
  • Jena Semantic Web framework
  • Implements both the RDFS and OWL reasoners
  • These reasoners are used to infer additional
    facts from the existing knowledge base coupled
    with the ontology and rules

30
Reasoning Architecture
  • Platys ontology (.owl) + static user facts (.N3)
    -> OWLReasoner -> Inference Model, saved to the
    file system as RDF/XML and loaded back on later
    requests
  • Saved model + requester's context information
    (.N3) + dynamic knowledge about the user (.N3)
    -> Inference Model
  • + System rule-set (.N3) -> Generic Rule Reasoner
    -> Inference Model
  • + User-defined rule-set (.N3) -> Generic Rule
    Reasoner -> Inference Model containing the user's
    access levels and corresponding triples
31
Privacy Preservation
  • The user's personal information can be shared
    between a client device and the server or between
    two client devices
  • Privacy enforcement needs to be done on:
  • Client devices, over sensed data
  • Peer client devices
  • Server side, for contextual information

32
Privacy Enforcement between Client Devices
  • Requester: another client device
  • Can send the requester's context along with the
    request
  • Resource: owner's contextual information or
    sensor information
  • Privacy policies: defined by the owner of the
    client device

33
Sample Privacy Policies
  • Policy to share context information based on the
    user's profile and group information: Share
    detailed contextual information with family
    members all the time

[AllowFamilyRule: (?requester rdf:type ex:requester)
    (?requester ex:memberOf ?groupFamily)
    (?groupFamily foaf:name "Family")
    -> (?requester ex:contextAccess ex:userPermitted)]
34
Sample Privacy Policies
  • Policy to share context information based on the
    user's context: Share my activity with friends
    all the time except when I am attending a lecture

[ShareActivityWithFriendsRule: (?requester rdf:type ex:requester)
    (?requester ex:memberOf ?groupFriends)
    (?groupFriends foaf:name "Friends")
    (?someActivity platys:is_performed_by ex:Alice)
    notEqual(?someActivity, platys:Listening_To_Lecture)
    -> (?requester ex:activityAccessRule :policy5)
       (:policy5 ex:activityAccess ex:userPermitted)]
35
Sample Privacy Policies
  • Policy for sharing information based on a temporal
    restriction
  • "Do not share my sleeping activity with teachers
    on weekdays from 9am-9pm"
  • Policy for information sharing based on the
    requester's context
  • "Share my context with anyone attending the same
    class as me"

36
Sample Privacy Policies
  • Policies using generalization for sharing
  • "Share my activity with friends if it's public"
  • "Share my public activity with friends"
  • "Share my city-wide location with everyone"
  • System-level policies
  • "Do not share the user's context if she is inside
    BuildingXYZ"

37
Privacy Enforcement over the Sensed Data
  • Let users decide how their sensor information is
    released
  • Sample privacy policy: share GPS co-ordinates on
    weekdays from 9am-5pm only if the user is in the
    office

[ShareGPSRule: (?requester ex:requestTime ?localTime)
    (?user ex:systemUser ?true)
    (?localTime time:dayOfWeek ?day) ge(?day, 1) le(?day, 6)
    (?localTime time:hour ?hour) ge(?hour, 9) le(?hour, 17)
    (?user ex:latitude ?latitude) (?user ex:longitude ?longitude)
    equal(?latitude, ?officeLat) equal(?longitude, ?officeLong)
    -> (?requester ex:canAccessGPSCoordinates "True")]
38
Privacy Enforcement over the Sensed Data
  • Sample privacy policy: Do not allow access to
    recorded audio but allow access to accelerometer
    and WiFi AP ids on weekdays

[ShareAccelerometerRule: (?requester ex:requestTime ?localTime)
    (?localTime time:dayOfWeek ?day) ge(?day, 1) le(?day, 6)
    -> (?requester ex:canAccessAccelerometerReadings "True")
       (?requester ex:canAccessWiFiIds "True")
       (?requester ex:canAccessAudioData "False")]
39
Privacy Enforcement at Server side
  • The server has information about all the system
    users whereas a client device has information
    about its owner only
  • A request to the server should contain the
    specific userId

40
Privacy Enforcement at Server side
  • Allow location access to teachers on weekdays
    only between 9am and 6pm

[ShareActivityWithTeachersRule: (?requester ex:memberOf ?groupTeachers)
    (?groupTeachers foaf:name "Teachers")
    (?requester ex:requestTime ?localTime)
    (?localTime time:dayOfWeek ?day) ge(?day, 1) le(?day, 6)
    (?localTime time:hour ?hour) ge(?hour, 9) le(?hour, 18)
    (?user ex:systemUser ?true) equal(?user, ?userId)
    -> (?requester ex:activityAccessRule :policy6)
       (:policy6 ex:activityAccess ex:userProhibited)]
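
The reasoning pipeline of slide 30 and the sample policies of slides 33, 35, 36 and 40 can be exercised end to end without a rule engine. The following is an added example, not code from the thesis or from Jena: facts are (subject, predicate, object) triples, each rule is a Python function that derives new triples from the fact set in place of one Jena generic rule, and the system rule-set runs before the user rule-set so that a system-level verdict (slide 26) outranks any user-level one. The requester names, group memberships, request timestamps and predicate names such as platys:in_room are constructed for the example; weekdays are taken as Monday to Friday.

```python
"""Layered evaluation of context-sharing policies.

Added example; not code from the thesis or from Jena.  Facts are (s, p, o)
triples; each rule derives new triples from the fact set, standing in for one
Jena generic rule.  System rules run first, user rules second, and the final
decision lets a system-level verdict override a user-level one.  Names, facts
and request times are constructed.
"""
from datetime import datetime
from typing import Callable, Dict, List, Set, Tuple

Triple = Tuple[str, str, str]
Rule = Callable[[Set[Triple]], Set[Triple]]

SYS_PROHIBITED, SYS_PERMITTED = "ex:systemProhibited", "ex:systemPermitted"
USER_PROHIBITED, USER_PERMITTED = "ex:userProhibited", "ex:userPermitted"
# Verdict precedence: system-level outranks user-level, prohibit beats permit.
RANK = {SYS_PROHIBITED: 4, SYS_PERMITTED: 3, USER_PROHIBITED: 2, USER_PERMITTED: 1}
LECTURE = "platys:Listening_To_Lecture"


def objs(kb: Set[Triple], s: str, p: str) -> Set[str]:
    """All o with (s, p, o) in the knowledge base."""
    return {o for (s2, p2, o) in kb if s2 == s and p2 == p}


def subjs(kb: Set[Triple], p: str, o: str) -> Set[str]:
    """All s with (s, p, o) in the knowledge base."""
    return {s for (s, p2, o2) in kb if p2 == p and o2 == o}


def requesters(kb: Set[Triple]) -> Set[str]:
    return subjs(kb, "rdf:type", "ex:requester")


def owner(kb: Set[Triple]) -> str:
    (user,) = subjs(kb, "ex:systemUser", "true")  # a client device has one owner
    return user


def in_window(kb: Set[Triple], req: str, first_hour: int, last_hour: int) -> bool:
    """Temporal restriction: weekday (Mon-Fri) and first_hour <= hour < last_hour.
    ex:requestTime is an ISO 8601 literal supplied with the request."""
    (stamp,) = objs(kb, req, "ex:requestTime")
    t = datetime.fromisoformat(stamp)
    return t.isoweekday() <= 5 and first_hour <= t.hour < last_hour


# System-level rules (slides 26, 33, 36): the user cannot relax these.
def sys_no_context_in_building_xyz(kb: Set[Triple]) -> Set[Triple]:
    if "platys:BuildingXYZ" in objs(kb, owner(kb), "platys:in_building"):
        return {(r, "ex:contextAccess", SYS_PROHIBITED) for r in requesters(kb)}
    return set()


def sys_share_with_family(kb: Set[Triple]) -> Set[Triple]:
    return {(r, "ex:contextAccess", SYS_PERMITTED) for r in requesters(kb)
            if "ex:GroupFamily" in objs(kb, r, "ex:memberOf")}


# User-level rules (slides 35, 40): group plus time window; requester's own context.
def user_teachers_weekdays(kb: Set[Triple]) -> Set[Triple]:
    out: Set[Triple] = set()
    for r in requesters(kb):
        if "ex:GroupTeachers" in objs(kb, r, "ex:memberOf"):
            verdict = USER_PERMITTED if in_window(kb, r, 9, 18) else USER_PROHIBITED
            out.add((r, "ex:contextAccess", verdict))
    return out


def user_same_class(kb: Set[Triple]) -> Set[Triple]:
    u, out = owner(kb), set()
    for r in requesters(kb):
        same_room = bool(objs(kb, r, "platys:in_room") & objs(kb, u, "platys:in_room"))
        both_in_lecture = LECTURE in objs(kb, r, "platys:activity") and LECTURE in objs(kb, u, "platys:activity")
        if same_room and both_in_lecture:
            out.add((r, "ex:contextAccess", USER_PERMITTED))
    return out


def evaluate(facts: Set[Triple], system_rules: List[Rule], user_rules: List[Rule]) -> Dict[str, str]:
    """Apply both rule-sets, then reduce each requester's ex:contextAccess
    verdicts to one decision.  No verdict at all is a deny (default deny)."""
    kb = set(facts)
    for rule in system_rules:
        kb |= rule(kb)
    for rule in user_rules:
        kb |= rule(kb)
    decisions: Dict[str, str] = {}
    for r in requesters(kb):
        strongest = max(objs(kb, r, "ex:contextAccess"), key=RANK.__getitem__, default=None)
        decisions[r] = "grant" if strongest in (SYS_PERMITTED, USER_PERMITTED) else "deny"
    return decisions


def sample_facts(owner_building: str) -> Set[Triple]:
    """Constructed knowledge base: Alice in a lecture, four requesters.
    2010-11-19 is a Friday, 2010-11-20 a Saturday."""
    return {
        ("ex:Alice", "ex:systemUser", "true"), ("ex:Alice", "platys:in_building", owner_building),
        ("ex:Alice", "platys:in_room", "platys:Class_LH1"), ("ex:Alice", "platys:activity", LECTURE),
        ("ex:Ron", "rdf:type", "ex:requester"), ("ex:Ron", "ex:memberOf", "ex:GroupFamily"),
        ("ex:Ron", "ex:requestTime", "2010-11-19T14:12:42"),
        ("ex:Prof", "rdf:type", "ex:requester"), ("ex:Prof", "ex:memberOf", "ex:GroupTeachers"),
        ("ex:Prof", "ex:requestTime", "2010-11-20T14:12:42"),
        ("ex:Stranger", "rdf:type", "ex:requester"), ("ex:Stranger", "platys:in_room", "platys:Class_LH1"),
        ("ex:Stranger", "platys:activity", LECTURE), ("ex:Stranger", "ex:requestTime", "2010-11-19T14:12:42"),
        ("ex:Bob", "rdf:type", "ex:requester"), ("ex:Bob", "ex:memberOf", "ex:GroupFriends"),
        ("ex:Bob", "ex:requestTime", "2010-11-19T14:12:42"),
    }


SYSTEM_RULES: List[Rule] = [sys_no_context_in_building_xyz, sys_share_with_family]
USER_RULES: List[Rule] = [user_teachers_weekdays, user_same_class]


def decide(owner_building: str) -> Dict[str, str]:
    return evaluate(sample_facts(owner_building), SYSTEM_RULES, USER_RULES)


if __name__ == "__main__":
    print(decide("platys:ITE"))          # Ron and Stranger granted; Prof (Saturday) and Bob denied
    print(decide("platys:BuildingXYZ"))  # all denied: the system prohibition outranks everything
```

Two properties worth checking in any implementation of this scheme are visible here: a requester matched by no rule at all is denied rather than left undecided, and a system-level prohibition wins even when a system-level permit (family membership) also fires, so moving the owner into BuildingXYZ closes every channel at once.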
41
Prototype Implementation
  • Google Android phones as client devices
  • It uses sockets to establish a two-way
    communication link between the server and clients
  • Defined generic request and response formats

42
System Implementation
  • Android client and server applications' user
    interface

Screenshots: Bob's phone sending a Context Request,
Alice's phone sending the response.
43
System Evaluation
  • The goals of the evaluation were to:
  • Verify whether the system satisfies the basic
    criteria of allowing access to privileged users
    and restricting illegal users
  • Test whether the actual computing time of
    reasoning on mobile devices is acceptable
  • Perform scalability tests to determine how it
    scales with different sizes of user information,
    such as the number of users in the group list

44
System Validation
  • Designed use cases with sample user information,
    group information and privacy policies.
  • Changed the requester or the requester's context
    in each of these use cases and verified the system
    response in terms of access levels for the
    requester
  • System-level policies and user-specified policies

45
System Validation
  • System-level policies
  • Share detailed context information with family
    members
  • Share the user's building-wide location with
    teachers on weekdays only between 9 am and 6 pm
  • Share the user's citywide location with everyone
  • Do not share the user's super-private activities
    with anyone
  • User-specified policies
  • Do not share my context if I am in a meeting with
    Professor
  • Share my SemiPublic activity with friends
  • Do not share my sleeping activity with teachers
    on weekdays between 9am-9pm
  • Do not share my context when I am partying
  • Share my working activity with my family
  • Share my room-wide location with everyone in the
    same building as me
  • Share my context with anyone attending the same
    class as me

46
System Validation
  • Use case: Context access request from requester
    Ron (a family member)
  • Expected response: Grant context access by the
    system-level policy "Share detailed context
    information with family members"

47
System Validation
  • Use case: Request from requester Bob (a friend)
  • Expected response:
  • Not allowed to access the user's detailed context.
    Only SemiPublic activity and citywide location
    can be shared.
  • "Share the user's citywide location with everyone"
    (system-level policy)
  • "Share my SemiPublic activity with friends"
    (user-specified policy)

Response to a context access query.
Response to an activity access query.
Response to a location access query.
48
System Validation
  • Use case: Request from an unknown requester
  • Expected response:
  • "Share my context with anyone attending the same
    class as me"

Response to an unknown requester whose context
differs from attending the same class as the user.
Response to an unknown requester attending the same
class as the user.
49
System Performance
  • Measured reasoning time taken for the request on
    both server machine and Android device

Reasoning time (ms) and standard deviation (SD) by
number of users, on the server machine and on the
Android device:

Users   Server time (ms)   Server SD   Android time (ms)   Android SD
   10       1177             142           1128               13
   50       1246              74           1446               46
  100       1993              26           1903              118
  250       2448             184           2682              165
  500       3042             108           4233              245
 1000       3715             456          10896              393
50
System Performance
  • Reasoning time (in milliseconds) for different
    numbers of users in the owner's group list

51
Future Work
  • Extend the prototype implementation to address
    the engineering challenge of scalability
  • Carry out user studies to evaluate the utility of
    the proposed privacy control mechanisms
  • Address the issues of incorporating incentives to
    allow for even more flexibility in the definition
    of policies for context-dependent release of
    information

52
Conclusion
  • Described a policy-based framework to control
    information flow in collaborative context-aware
    geo-social networking applications
  • Showed example policies that state-of-the-art
    systems do not support
  • Our privacy mechanisms constitute a baseline that
    can be extended and incorporated by any of the
    existing social networks, including location-based
    mobile social networks

53
Dr. Anupam Joshi
Dr. Tim Finin
Dr. Yelena Yesha
Dr. Laura Zavala
Friends and Roommates
54
  • ?

55
Introduction
  • Context-aware systems consist of heterogeneous
    and dynamic sensors
  • Privacy and trust aspects are more prominent
  • Sensitive nature of context information
  • Users are sensitive about how the sensor
    information is captured and used
  • Concerns could affect the adoption and use of
    devices
  • Risk of backlash if users don't feel protected

56
Motivation
  • Need for privacy control models to control the
    information flow in collaborative context-aware
    geo-social networking applications based on the
    context of both owner and requester
  • None of the existing models allow users to
    specify the privacy preferences based on this
    information

57
Introduction
  • This environment calls for better access controls
    with finer control over the context data
  • Privacy control mechanisms that consider the
    dynamic changes in user context relative to the
    location and time
  • The user needs to be in control of the release of
    her personal information at different levels of
    granularity

58
People's Opinions about Privacy Concerns
  • According to the Westin/Harris Privacy
    Segmentation Model, the basic privacy groups are:
  • Fundamentalist: very high privacy concern
  • Pragmatist: balanced privacy attitudes
  • Unconcerned: little to no concern

Group            PAB 03 (%)   Sheehan 02 (%)
Fundamentalist       36            3
Pragmatist           53           81
Unconcerned          11           16
Table 1: Privacy classifications from PAB's reported
numbers (2003) and Sheehan's online privacy study
(2002).
59
Privacy Controls in Existing Location-sharing
Applications
  • "Location-Sharing Technologies: Privacy Risks and
    Controls" by Janice Y. Tsai et al., 2010
  • 89 applications surveyed, 63 of which are available
    on mobile phones; includes Brightkite,
    Foursquare, Google Latitude and Loopt

Category                     Yes          No           Unknown     Not applicable
Privacy policy               66.3% (59)   33.7% (30)   -           -
Privacy controls             76.4% (68)   16.9% (15)   1.12% (1)   5.62% (5)
Accessible privacy settings  16.9% (15)   75.3% (67)   2.25% (2)   5.62% (5)
60
Sample Privacy Policies
  • Policy for sharing information based on a temporal
    restriction: Do not share my sleeping activity
    with teachers on weekdays from 9am-9pm

[ShareActivityWithTeachersRule: (?requester rdf:type ex:requester)
    (?requester ex:memberOf ?groupTeachers)
    (?groupTeachers foaf:name "Teachers")
    (?requester ex:requestTime ?localTime)
    (?localTime time:dayOfWeek ?day) ge(?day, 1) le(?day, 6)
    (?localTime time:hour ?hour) ge(?hour, 9) le(?hour, 21)
    (?someActivity platys:is_performed_by ex:someUser)
    equal(?someActivity, platys:Sleeping)
    -> (?requester ex:activityAccessRule :policy6)
       (:policy6 ex:activityAccess ex:userProhibited)]
61
Sample Privacy Policies
  • Policy for information sharing based on the
    requester's context: Share my context with
    anyone attending the same class as me

[Rule7: (?requester ex:requester ?someValue)
    (?requesterActivity platys:is_performed_by ?requester)
    (?requesterActivity platys:occurs_at ?requesterPlace)
    (?requesterPlace platys:has_location ?requesterLocation)
    (?requesterLocation platys:part_of ?requesterRoom)
    (?requesterRoom rdf:type platys:Room)
    (?user ex:systemUser ?userValue)
    (?userActivity platys:is_performed_by ?user)
    (?userActivity platys:occurs_at ?userPlace)
    (?userPlace platys:has_location ?userLocation)
    (?userLocation platys:part_of ?userRoom)
    (?userRoom rdf:type platys:Room)
    equal(?requesterRoom, ?userRoom)
    equal(?requesterActivity, ?userActivity)
    equal(?userActivity, platys:Listening_To_Lecture)
    -> (?requester ex:contextAccess ex:userPermitted)]
62
Sample Privacy Policies
  • Policies using activity generalization for
    sharing
  • "Share my activity with friends if it's public"
  • "Share my public activity with friends"

[Rule4: (?requester ex:requester ?someValue)
    (?requester ex:memberOf ?groupFriends)
    (?groupFriends foaf:name "Friends")
    (?someActivity platys:is_performed_by ?someUser)
    (?someActivity platys:has_visibility ?visibility)
    equal(?visibility, platys:Public)
    -> (?requester ex:activityAccessRule :policy4)
       (:policy4 ex:activityAccess ex:userPermitted)
       (:policy4 ex:activityAccessLevel platys:Public)]

[Rule4: (?requester ex:requester ?someValue)
    (?requester ex:memberOf ?groupFriends)
    (?groupFriends foaf:name "Friends")
    -> (?requester ex:activityAccessRule :policyRule2)
       (:policyRule2 ex:activityAccess ex:userPermitted)
       (:policyRule2 ex:activityAccessLevel platys:Public)]
63
Sample Privacy Policies
  • System-level policies: Do not share the user's
    context if she is inside BuildingXYZ

[Rule6: (?requester ex:requester ?someValue)
    (?someActivity platys:is_performed_by ?requester)
    (?someActivity platys:occurs_at ?requesterPlace)
    (?requesterPlace platys:has_location ?requesterLocation)
    (?requesterLocation platys:part_of ?requesterBuilding)
    (?requesterBuilding rdf:type platys:Building)
    equal(?requesterBuilding, platys:BuildingXYZ)
    -> (?requester ex:contextAccess ex:systemProhibited)]