Privacy in Mobile and Pervasive Computing

How can future mobile and pervasive computing systems properly take personal privacy concerns and needs into account? How can we ensure that a world full of mobile and pervasive computing will not turn into a dystopian future of mass surveillance? These are hard questions with no simple answers. In this chapter, we discuss key approaches and challenges for respecting and supporting privacy in mobile and pervasive computing. However, none of these approaches alone will “fix” all privacy problems. The previous chapters showed that privacy is a complex topic and protecting privacy in socio-technical systems is a complex challenge. There is no simple technical solution that can fully address all privacy concerns. Nor can technology do so by itself: laws and social norms influence what data practices are deemed acceptable and what should be prevented. Yet, laws and social norms in turn need to be supported by technology, so that they can be implemented in practice. Understanding how mobile and pervasive computing works on a technical level is essential for being able to shape the legal and political privacy discourse, just as it is essential to understand, say, behavioral economics in order to understand decision-making practices of individuals.

Privacy in Mobile and Pervasive Computing

Research groups in both academia and industry have developed prototype systems to demonstrate the benefits of pervasive computing in various application domains. Unfortunately, many first-generation pervasive computing systems lack the ability to evolve as new technologies emerge or as an application domain matures. To address this limitation, the University of Florida's Mobile and Pervasive Computing Laboratory is developing programmable pervasive spaces in which a smart space exists as both a runtime environment and a software library. Service discovery and gateway protocols automatically integrate system components using generic middleware that maintains a service definition for each sensor and actuator in the space. The Gator Tech Smart House in Gainesville, Florida, is the culmination of more than five years of research in pervasive and mobile computing. The project's goal is to create assistive environments such as homes that can sense themselves and their residents and enact mappings between the physical world and remote monitoring and intervention services.

The advent of mobile computing and sensing technologies, in conjunction with omni-present and high-speed mobile networks, allow nowadays the capture of human mobility data at an extremely high fidelity. Modern mobile computing services not only have the capacity to store spatio-temporal mobile data, these nowadays also have the capability to process incoming data in near-real time. As a result, we have a better chance to develop effective strategies and build intelligent systems that play critical roles in areas like public health, traffic engineering, urban planning and economic forecasting. On the other hand, detailed movement data often poses a threat to the privacy and security of users and companies, given that mobile devices are associated with real human custodians. One fundamental question is whether human mobility computing and privacy can co-exist under the same roof, given different cultural, religious, legal, technological and socio-economic backgrounds of societies. This panel will explore how the academia and industry are tackling human mobility computing and privacy challenges at a global scale. It will also identify and debate the key challenges and opportunities, in terms of applications, queries, architectures, to which the mobile data management community should contribute.

Introduction The field of ubiquitous computing was inspired by Mark Weiser's vision of computing artifacts that disappear. "They weave themselves into the fabric of everyday life until they are indistinguishable from it." Although Weiser cautioned that achieving the vision of ubiquitous computing would require a new way of thinking about computers, that takes into account the natural human environment, to date no one has articulated this new way of thinking. Here, we address this gap, making the argument that ubiquitous computing artifacts need to be physically and cognitively available. We show what this means in practice, translating our conceptual findings into principles for design. Examples and a specific application scenario show how ubiquitous computing that depends on these principles is both physically and cognitively available, seamlessly supporting living. The term 'ubiquitous computing' has been used broadly to include pervasive or context-aware computing, anytime-anywhere computing (access to the same information everywhere) and even mobile computing. Work on this 'ubiquitous computing' has been largely application driven, reporting on technical developments and new applications for RF(Radio Frequency) ID technologies, smart phones, active sensors, and wearable computing. The risk is that in focusing on the technical capabilities, the end result is a host of advanced applications that bear little resemblance to Weiser's original vision. This is a classic case of not seeing the forest for the trees. In this article, we want to take a walk in the forest, that is, to suggest a new way of thinking about how computing artifacts can assist us in living. In doing this, we draw on German philosopher Martin Heidegger's analysis of the need for equipment to be 'available.' While several influential studies in human-computer interaction (HCI) have also drawn on Heidegger and the concept of availability, these studies have focused on physical availability. While going some way to identifying and addressing the problems that Weiser identified with traditional computing, they have not gone far enough. Delving deeper into Heidegger's analysis, we can explain why artifacts designed using the traditional model of computing tend to get in the way of what we want to do. This leads us to refine the concept of physical availability and identify the need for computing artifacts to also be cognitively available. We will first draw on Heidegger to explain why it is that computing artifacts designed according to the traditional model are often a hindrance rather than a help. The traditional conception of how we use computing is based on a particular understanding of human action, which we have referred to elsewhere as the deliberative theory of action. According to this deliberative theory of action, humans reflect on the world before acting. Traditionally computing artifacts are designed to assist us through providing a representation of the world which we can reflect on before action. In other words, the traditional computing artifact requires us to move away from acting in the world to 'use' the computer. In the case of the desktop computer, there is an obvious physical move away from acting in the world to 'using' the computer. Mobile technology can bring the computer to the person in the form of laptops, handhelds and so on. However, as Figure 1 illustrates, mobility, in and of itself, does nothing to remove the dichotomy between reflecting on the world and acting in the world. We consider that Heidegger's account of how we act in the world is a truer account of everyday activity than the deliberative theory of action implicit in Figure 1. According to Heidegger's situated theory of action, we are already thrown into the world, continually responding to the situations we encounter. This means that in everyday activity we seldom achieve the level of detachment that allows us to make reflective decisions before we act. Suchman implicitly draws on Heidegger to argue that, because we are absorbed in coping with the present, we do not have time to form a mental model about how to use technology. This analysis has strongly influenced HCI; however, it does not fully address the problems with the traditional model of computing. In order to articulate a model of computing appropriate for the task of achieving Weiser's vision of ubiquitous computing, we must probe further into the situated nature of action and draw explicitly on Heidegger's characterization of equipment that is available. (The original term 'zuhandenheit' is sometimes translated as ready to hand.) Heidegger describes as available that equipment which helps us to deal with the present without interrupting the flow of absorbed coping. Equipment that is available disappears from our awareness. It is only when the equipment doesn't work as expected that it is noticed. Heidegger gives the example of a hammer that is too heavy for the task of nailing a piece of wood. In this case, the user's attention is drawn away from the task and to the hammer itself; in particular, to the fact that the hammer is too heavy. Because the hammer is no longer available, the user has to find another hammer or find some unfamiliar way of using this heavy hammer before they can proceed with the task of nailing a piece of wood. Whether equipment is available or not depends on a combination of the design and location of the equipment, the user's familiarity with it and what they want to use it for; in other words, the term "available" describes a relationship between the equipment, the user and the task. Although availability requires physical proximity to the user, it is much more than this. Equipment that is available as we use it allows us to focus on what we want to do. This is in contrast to equipment that gets in the way of what we want to do, so that we have to deal with the equipment first. When the activity involves the need to know about something, for example, knowing what to do next, then a new aspect of availability is involved. Whereas physical availability depends on a combination of the physical design and location of the equipment, the user's familiarity with it and what they want to use it for, cognitive availability depends also on the amount of interpretation required to use the equipment. This is trivial in the case of a hammer, but not so in the case of computing artifacts. In order for computing artifacts to support our focus on what we want to do, they need to be both physically available and cognitively available. As the following discussion shows, those within HCI have recognized that the level of availability of the traditional computer is a problem that needs to be addressed. However, because no distinction has been made between physical and cognitive availability, the proposed solutions do not adequately address the issue of designing to improve cognitive availability. Both Weiser and Norman have criticized the design of the traditional computer as getting in the way of acting in the world. Weiser says that the traditional computer "fails to get out of the way of work… Rather than being a tool through which we work, and so which disappears from our awareness, the computer too often remains the focus of attention." As Norman comments in his book The Invisible Computer , 'I don't want to use a computer, I want to accomplish something.' Norman's focus, and that of HCI in general, is on physical availability and how the physical availability of artifacts can be increased through exploiting physical affordances in the design of the computing artefact. Exploiting physical affordances goes some way to increasing cognitive availability, but it does not go far enough. Furthermore, approaches under the rubric of 'ubiquitous computing' have generally also failed to address the issue of improving cognitive availability. For example, 'anytime anywhere' computing is a literal translation of ubiquitous computing, emphasizing access to the same information everywhere, whether by computers located everywhere or users carrying a mobile device. It is basically the traditional model of computing on a grand scale. Lyytinen and Yoo consider that the problem with anytime, anywhere computing is that the computing model does not update as we move location. In their work on pervasive computing, they suggest that the way to make the computer invisible is for the computer to automatically update its model of the world from information it obtains from the environment in which it is embedded. However, although this overcomes the need for unnecessary data entry, it still does nothing to increase cognitive availability. A computing artifact is still not available if we have to turn our attention away from what we are doing to using the computing artifact. In particular, having to interpret a model of the world is disruptive to the flow of situated action. It takes the user's attention away from what they are doing to a model

Pervasive human-centric computing, the emerging next-generation computing, focuses on humans rather than machines. Pervasive computing's goal of "all the time, everywhere" access replaces today's mobile and distributed computing's goal of "anytime, anywhere" access. Pervasive computing requires cross-disciplinary collaborations among experts in fields such as intelligent systems, agent technologies, autonomic computing, security and privacy, human factors engineering and ergonomics, human factors psychology, augmented reality computing, wearable computing, wireless and mobile computing, location-and context-aware computing, sensor computing, device technology, and social sciences. Thus, it is crucial to reform software engineering education in order to well prepare software engineers for the new challenges and opportunities presented by pervasive human-centric computing. This paper presents and discusses our project results and the lessons learned about the software engineering education reform

This tutorial presents the definition, the models and the techniques of location privacy from the data privacy perspective. By reviewing and revising the state of art research in data privacy area, the presenter describes the essential concepts, the alternative models, and the suite of techniques for providing location privacy in mobile and ubiquitous data management systems. The tutorial consists of two main components. First, we will introduce location privacy threats and give an overview of the state of art research in data privacy and analyze the applicability of the existing data privacy techniques to location privacy problems. Second, we will present the various location privacy models and techniques effective in either the privacy policy based framework or the location anonymization based framework. The discussion will address a number of important issues in both data privacy and location privacy research, including the location utility and location privacy trade-offs, the need for a careful combination of policy- based location privacy mechanisms and location anonymization based privacy schemes, as well as the set of safeguards for secure transmission, use and storage of location information, reducing the risks of unauthorized disclosure of location information. The tutorial is designed to be self-contained, and gives the essential background for anyone interested in learning about the concept and models of location privacy, and the principles and techniques for design and development of a secure and customizable architecture for privacy-preserving mobile data management in mobile and pervasive information systems. This tutorial is accessible to data management administrators, mobile location based service developers, and graduate students and researchers who are interested in data management in mobile information systems, pervasive computing, and data privacy.

Modern Computer-mediated Communication technologies like Instant Messaging (IM) systems enable spontaneous communication over distance. With the advances in Mobile and Ubiquitous Computing, these technologies move away from the desktop computers of our offices, and become more and more pervasive and interwoven with our daily lives. The introduction of these great possibilities to communicate from everywhere with everyone however comes at a cost: The cost of constantly being available to everybody, everywhere, leading to an increasing number of interruptions in our daily tasks. The challenge is, that current technology does not empower users to manage their availability in an adequate manner. Most IM clients for example, only support one single online status that needs to be managed manually by the user. In this work I am founding the concepts of Presence and Availability on a deep understanding of human privacy needs, derived from literature. Based on this foundation, I show how the selective and dynamic nature of privacy is not sufficiently reflected in current systems. Based on two user studies I reveal patterns for selective information disclosure and present an analysis of Selective Availability needs. With the collected study data, I further show that Selective Availability for nomadic users can be predicted based on sensors installed on the users’ laptop computer with a good accuracy through machine learning. As the personalised nature of the data requires new concepts for building an adaptive system, I introduce the LILOLE Framework. The LILOLE Framework outlines the concept of an adaptive system that relies on stream-based active learning to continuously learn and automatically adapt fine-grained personal availability preferences for individual users. The concept is validated through a proof-of-concept implementation and an evaluation based on real user data. In comparison to related work, the presented work is one of very few examples that goes beyond the pure analysis of the predictability, but provides a concept and an implementation of a real system as validation. My approach is novel by combining concepts from Data Stream Mining and Active Learning to predict availability, thus making it very flexible for different settings. This way I am able to address the selective and dynamic nature of availability preferences for nomadic users.

Mobile and Wireless Network Security and Privacy analyzes important security and privacy problems in the realms of wireless networks and mobile computing. The material includes a report to the National Science Foundation of the United States which will be used by program managers for the foundation in setting priorities for research directions in this area. In the following chapters field experts expand upon the report and provide further information about important research directions in the fields of wireless networks and mobile computing. The chapters are written by the leading international researchers and professionals in thes fields. Each chapter represents state-of-the-art research and includes several influential contributions. A multitude of valuable discussions on relevant concepts, such as the various approaches that define emerging security and privacy in mobile and wireless environment, are featured. The book is useful to researchers working in the fields of mobile and wireless security and privacy and to graduate students seeking new areas to perform research. It also provides information for academics and industry people researching recent trends and developments in the mobile and wireless security fields.

Toward trust based protocols in a pervasive and mobile computing environment: A survey

Introduction Ubiquitous computing is a topic in sciences for almost 3 decades and there are the very first application of ubiquitous computing in real life. People wish with ubiquitous computing to ease in work and allday routines, they hope for a rise of security and to extended their senses and memory. Every day objects would have sensors and/or RFID-tags. These sensors and RFID-tags can be read ubiquitously and personal data are inquired, computed and/or stored. Ubiquitous computing needs an infrastructure of ubiquitous surveillance. In the future many participants, in constantly changing settings, with manifold goals in very different contexts will take part in ubiquitous computing. Systems will organize them selves, unnoticed by the ones affected, and mysterious for them. Privacy laws of today hold for situations with few participants in their straight defined roles. They claim to establish transparency, attachments, needs, control abilities, and participation of the affected ones. But these laws are not made for situations with many participants, in a variaty of constantly changing rules, under different goals in each role. Privacy laws must accommodate to the needs of ubiquitous computing to realize a right to informational selfdetermination (9). New Privacy Laws should address the following principles: data should be fair and be computed law-abiding, data should only computed on their purpose, data should be appropriate, relevant and not excessive, data should be precise and up-to-date, data should remain as local as possible, data shouldn't be stored longer than necessary, appropriate punishments must be possible (11). To realize all this in ubiquitous computing, it is necessary to integrate privacy principles into the technology. In networks of sensors and RFID-Systems privacy is ment to the appropriate handling and transfer of the ubiquitous surveillance infrastructures they realize (9). Surveillance has allways to faces. It is necessary and supportive for securety, crime prevention and crime detection. On the other hand surveillance changes behaviour, people fell unfree and inhibited (6,7). Because of the latter people will stay anonymous in public spaces (6, 11). Concepts like the principle of agreeing with the gethering, computing and storing of data, like we know it today, didn't function in the context of ubiquitous surveillance. "If I couldn't buy some thing to eat without surveillance, how can the acceptance be free?"(6). In future the Focus of privacy law should be more to the person than to the data. Privacy in ubiquitous computing and surveillance is more and more a problem of anonymity and untraceability. But anonymity of users and untraceability of each kind of "items of interest" would make a lot of applications of ubiquitos computing impossible. Though anonymity and untraceability are only senseless against attackers and not the legal users of surveillance. The legality of surveillance in ubiquitous computing and surveillance is to be ruled out in privacy law. Anonymity From the view of technology anonymity is the state of non identifiability within a set of subjects (e. g. people) the anonymity set. The anonymity set is a set of subjects which are able to trigger actions and/or which are addressed by actions. I. e. subjects are sender or receiver within a set of senders respectively a set of receivers. If a attacker is unable to identify the connection between a single user and a specific sender resepctively to receiver, then the user is anonymous. Anonymity is not the anonymity of senders and receivers, it's the anonymity of users (8). Welbourne et. al. have engineered tools for RFID-Systems with which users can delete the data the system has stored about them. The user can easily implement rules about who should read which data when, and which concatenations the system is allowed to do. With this it is possible to implement anonymity ("nobody is allowed to read personal data"), but the system functions nevertheless. Also the requirements of systems and authorities can be implemented and recorded. This is an example for technologies with which anonymity can be implemented in ubiquitous computing and ubiquitous surveillance (12). Untraceability Also untraceability is described from a technological view here. Therefore we define Data, Entities, Identities, Users, Objekts, Subjects, Services, Ressources, and so on, or instances of them as Items of Interest (IOI). IOI are "things" which an attacker is interested in. IOI are untraceable, if an attacker is unable to see a relation between two or more IOI's or to trace an IOI in a network. For instance if in a Car to Car Safety Message System there is a message exchange, then messages has to be untraceable to one of the car's such that there is no possiblity to trace the track of the car (10,2,5,1,3,8). The same holds when clothes have RFID-tag's on it and when they pass different readers in a while (4). Untraceability in this way can be implemented as follows (4): the reader sends a messag to the tag with a nouce-identifier NR. the tag generates a new nouce-identifier NT and sends this, the encrypted tag-ID h(ID) und the encrypted nouce-identifier pair h(ID)(NR,NT) back to the reader. The reader passes that triple to the application system. The application system decodes with the key h and computes with the known nouce-identifier NR the nouce-Identifier NT. With this the application can verify the ID of the tag. If the application system accepts the tag, it computes a new tag-ID. The tag also computes a new tag-ID with the same algorithm. The application system with new tag-ID generates the encrypted message h(ID+1)(NT,NR) and send this to the tag. The tag evaluates the message and the new ID. If the received ID is the same as the ID computed by the tag, the old ID and the nouce-Identifier NT are erased from the tag-store. For an attacker the tag is untraceable, because it changes its ID with each message transfer. Traceability of the tag by the applicationsystem is still possible (4). The above examples presented for implementing anonymity and untraceability show the possibility to implement privacy in ubiquitous systems as it is required by Roßnagel (9). Needed are the legal frameworks to require such privacy features in ubiquitous systems. By defining this sort of legal framework there should be answers to the following questions: Who is the owner of the data an RFID-Reader explores and an application system computes and stores? Are there marking obligations for items with RFID-tags on it (e.g. clothing, food)? Is it necessary to require offical approval for the installation of RFID-readers and sensors? When CCTV in public places appeared in the 1990'iesth Gras (6) showed that it is much more difficult to regulate and rule the use of technologie when already installed, than before installation and use. Therefore it is important that legislation keeps pace with technological progress. References and Notes Arapinis, M.;Chothia, T.;Ritter, E.;Ryan, M.: Analysing Unlinkability and Anonymity Using the Applied Pi Calculus http://www.cs.bham.ac.uk/~tpc/Papers/csf10.pdf, visited 16.12.14 Blues Team: Unverkettbarkeit und Pseudonymität in der digitalen Welt, http://blues.inf.tu-dresden.de/prime/EUT_Tutorial_V0/german/german/Content/Unit2/dig.%20unlink.htm, visited 16.12.14 Brusó, M.; Chatzikokolakis, K.;Etalle, S.; Den Hartog, J.: Linking Unlinkability https://hal.inria.fr/hal-00760150/PDF/Unlinkability.pdf, besucht am 16.12.14 Dimitriou, T: A Lightweight RFID Protocol to protect against Traceability an cloning attacks, http://www.ait.gr/export/TDIM/various/RFID-securecomm05.pdf, visited 18.2.15 Fischer, L.: Measuring Unlinkability for Privacy Enhancing Technologies, http://tuprints.ulb.tu-darmstadt.de/2367/1/lars_fischer_dissertation.pdf, visited 16.12.14 Gras, M. L.: The Legal Regulaiton of CCTV in Europe, http://library.queensu.ca/ojs/index.php/surveillance-and-society/article/viewFile/3375/3338, visited 17.02.15 Gerichtshof der Europäischen Union: "Der Gerichtshof erklärt die Richtlinie über die Vorratsspeicherung von Daten für ungültig", http://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054de.pdf, visited 17.02.15 Pfitzmann, A.; Hansen, M.: Anonymity, Unlinkability, Unobservability, Pseudonymity, and Identity Management – A Consolidated Proposal for Terminology, http://freehaven.net/anonbib/cache/terminology.pdf, visited 16.12.14 Roßnagel, A.: Datenschutz in einem informatisierten Alltag, http://library.fes.de/pdf-files/stabsabteilung/04548.pdf, visited 19.11.14 Rost, M.; Pfitzmann, A.: Datenschutzziele, http://download.springer.com/static/pdf/814/art%253A10.1007%252Fs11623-009-0072-9.pdf?auth66=1416396902_c7935e6bcf15afa95108ffb192c1fd9f&ext=.pdf, visited 19.11.14 Taylor, N. : State Surveillance and the Right to Privacy, http://library.queensu.ca/ojs/index.php/surveillance-and-society/article/viewFile/3394/3357, visited 17.02.15 Welbourne, E.; Battle, L.; Cole, G.; Gould, K.; Rector, K.; Raymer, S.; Balazinska, M.; Borriello, G.: Building the Internet of Things Using RFID, http://www.researchgate.net/profile/Kyle_Rector/publication/220491250_Building_the_Internet_of_Things_Using_RFID_The_RFID_Ecosystem_Experience/links/0c960519d82721508d000000.pdf, visited 18.2.15

Ubiquitous computing, mobile computing and the Internet of Things (UMI) have been widely used in several application areas. To date, methods and techniques for the application of these technologies in real life situations have continued to emerge; however, their use in education settings focusing on existing practices remain largely underexplored. A systematic mapping study (SMS) method was herein used to map initially identified 395 articles with the aims of systematically analyzing and presenting the evidence from the literature on the topic, and to identify important gaps as well as promising research directions. An appropriate methodological protocol has been adopted from the literature for the analysis, filtering, evaluation and report of the evidence. As a result, twenty-five studies have been selected and analyzed. The axes of analyzing systematically the literature were inspired by an existing UMI learning ecology. The analysis revealed important characteristics of existing UMI related educational practices in all levels of education, including contexts and actors involved, methods and digital tools used, affordances and learning approaches important for achieving effective learning in IoT, Mobile and Ubiquitous Computing domain.

Shadow attacks on users’ anonymity in pervasive computing environments

Privacy is an important concern for mobile computing. Users might not understand the privacy implications of their actions and therefore not alter their behavior depending on where they move, when they do so, and who is in their surroundings. Since empirical data about the privacy behavior of users in mobile environments is limited, we conducted a survey study of ∼600 users recruited from Florida State University and Craigslist. Major findings include: (1) People often exercise little caution preserving privacy in mobile computing environments; they perform similar computing tasks in public and private. (2) Privacy is orthogonal to trust; people tend to change their computing behavior more around people they know than strangers. (3) People underestimate the privacy threats of mobile apps, and comply with permission requests from apps more often than operating systems. (4) Users' understanding of privacy is different from that of the security community, suggesting opportunities for additional privacy studies.

Modern technology and omnipresent computing and communication facilities are leading us closer to the ubiquitous computing vision. However, the very nature of ubicomp infrastructure, the openness of the environments and the characteristics of the interactions pose unique security and privacy challenges. We anticipate that the vast number of interactions will be unplanned and will occur among mutually unknown and untrusted systems. Mobile components will often find themselves in unfamiliar surroundings, forced to work with infrastructure whose trustworthiness cannot be determined. We must identify and address the security issues inherent in these types of interactions before a large-scale deployment of vulnerable infrastructure begins to pose a serious threat. Current security solutions for mobile computing and wireless communication are not sufficiently scalable or flexible to protect the heterogeneous and highly dynamic systems of the future; they do not even satisfactorily solve current mobile computing security issues. In this paper we address the problems inherent in the infrastructure and in the interacting devices themselves. We also identify device theft as a problem exacerbated by mobile and ubiquitous computing. We emphasize device-based approaches towards handling security and privacy, broadly classifying them into three categories which, when taken collectively, form a three-layer defense for devices. These categories are: 1) resource and content protection mechanisms, 2) secure protocols for service discovery and assignment of resource access, and 3) trust frameworks. These categories are neither mutually exclusive nor exhaustive, yet they collectively address challenges inherent in a wide range of ubicomp scenarios. We emphasize protocol-based solutions and, to a lesser extent, trust frameworks. These aproaches are being investigated in the context of the QED and policy-guided negotiation work currently underway as part of our Panoply ubiquitous computing project.