
The privacy demands of users in ubiquitous computing environments can be satisfied through the synergy of theoretical security models to expose potential threats to users, expressive policy specification languages based on qualitative and quantitative properties to express a user's perceived threat, and efficient algorithms for enforcing privacy policies based on these models and specifications.

This thesis addresses the following privacy issues:

3.2.1 Communication privacy and trustworthy routing

In Section 2.3 we discussed various protocols that aim to provide communication privacy properties such as sender/receiver anonymity and anonymous connections. The main drawback with such approaches is that they assume a uniform attack model, and treat all nodes equally. The user does not have the power to restrict or prefer nodes in the network based on trust relationships. Protocols such as Crowds [RR98] prove statistical anonymity, which has more credence in a widely distributed setting. Furthermore, these services focus on sender anonymity. These limitations, along with the lack of an infrastructure to separate identity from location, inspired us to develop Mist [AMCK+02], a protocol for location privacy. Using Mist, users can access services with their regular system identities while keeping their locations hidden from these services. Our main contribution was to provide users with the facility to choose varying granularities for their advertised locations, trading communication efficiency for location privacy.

While various anonymous routing systems, including Mist, can be used to achieve location privacy, as argued above, users must be given the additional power to specify qualitative and quantitative constraints for their communication in more restricted settings such as within an organization. This will improve the "quality of protection" (QoP) or trustworthiness of the routes used for location privacy. For example, all routers may be under the control of a single administrator. Providing an appropriate model that allows users to express discretionary security and privacy policies for trustworthy routing will allow users to communicate privately in environments that have traditionally specified network security policies of a mandatory nature. Since each individual has his or her own notion of privacy, a model for such a system should allow users to specify a rich set of privacy policies based on their own perceived threat, while keeping the algorithms to satisfy these policies efficient. Indeed, a user may demand a path that is a solution to an NP-hard problem. Hence it is important to identify and study what models and policy languages allow for efficient trustworthy routing.
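To make the distinction between qualitative and quantitative routing constraints concrete, here is an added Python illustration; it is not the thesis's routing model or code. It assumes a constructed toy network in which every node is labelled with the administrator who controls it (`ADMIN`, `LINKS` and the names `user`, `alice`, `bob`, `carol`, `dave` are all made up for the example). The qualitative policy is a set of distrusted administrators whose nodes must never appear on the path; the quantitative policy is a minimum number of distinct administrators that the path must cross, so that no single party controls the whole route. Because the quantitative constraint depends on the set of administrators already seen rather than on the current node alone, the search carries that set in its state, and the state space grows exponentially in the number of administrators, which is a small taste of why some user-demanded paths are NP-hard to find.

```python
from collections import deque

# Constructed sample network (not from the thesis): the administrator that
# controls each node. "A" is the user's own device, "S" the service.
ADMIN = {
    "A": "user", "R1": "alice", "R4": "alice",
    "R2": "bob", "R5": "bob", "R3": "carol", "S": "dave",
}
# Constructed undirected links between nodes
LINKS = [("A", "R1"), ("R1", "R4"), ("R4", "S"),
         ("A", "R2"), ("R2", "R3"), ("R3", "S"),
         ("R2", "R5"), ("R5", "S")]


def build_graph(links):
    """Adjacency sets for an undirected graph."""
    graph = {}
    for u, v in links:
        graph.setdefault(u, set()).add(v)
        graph.setdefault(v, set()).add(u)
    return graph


def trustworthy_path(graph, admin, src, dst, distrusted=frozenset(), min_admins=1):
    """Fewest-hop path from src to dst satisfying two user policies:
    qualitative: no hop on a node run by an administrator in `distrusted`;
    quantitative: the nodes on the path are run by at least `min_admins`
    distinct administrators.
    The BFS state is (node, administrators seen so far); the set is carried
    along because the quantitative constraint is not local to one node.
    Returns the path as a list of node names, or None if no path qualifies.
    """
    if admin[src] in distrusted or admin[dst] in distrusted:
        return None
    start = (src, frozenset([admin[src]]))
    queue = deque([(start, [src])])
    seen = {start}
    while queue:
        (node, admins), path = queue.popleft()
        if node == dst and len(admins) >= min_admins:
            return path
        for nxt in sorted(graph.get(node, ())):  # sorted for deterministic output
            if admin[nxt] in distrusted or nxt in path:
                continue
            state = (nxt, admins | {admin[nxt]})
            if state in seen:
                continue
            seen.add(state)
            queue.append((state, path + [nxt]))
    return None


if __name__ == "__main__":
    g = build_graph(LINKS)
    print(trustworthy_path(g, ADMIN, "A", "S"))                        # shortest, no policy
    print(trustworthy_path(g, ADMIN, "A", "S", distrusted={"alice"}))  # avoid alice's nodes
    print(trustworthy_path(g, ADMIN, "A", "S", min_admins=4))          # spread across 4 admins
    print(trustworthy_path(g, ADMIN, "A", "S", min_admins=5))          # impossible here: None
```

With no policy the search returns the first three-hop route it finds; distrusting `alice` forces the route through `bob`'s and `carol`'s nodes; demanding four distinct administrators selects the one route that crosses them; demanding five is unsatisfiable in this topology and the search reports that rather than silently weakening the policy.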

3.2.2 Audit-log unlinkability

After using suitable location privacy and secure routing mechanisms to hide the identity and/or location of a user, audit information of that user's accesses to various services is stored across various databases. It is possible for other users such as system administrators to correlate transaction information, including timing, across audit logs to expose identity, location, transaction history, and other sensitive attributes of a user. In Section 2.6 we discussed several approaches to this problem. Cryptographic approaches such as anonymous credentials suffer from the problem that audit records might still contain semantic information (e.g., timing) that allows the linking of records. Cryptographic approaches are not sufficient protection against these attacks. Traditional policies for separation of duty (SoD) apply to accesses to a single object. While it is easy to satisfy SoD constraints for a single object, it is difficult to regulate accesses to related objects and their replicas without history-based approaches such as Chinese Wall [BN89] policies. Decentralized approaches for ensuring unlinkability of such records are needed, along with an analysis of the security properties provided by such models. Since each user will have different privacy requirements, the model must allow users to specify unlinkability policies based on their perceived threat to unlinkability. In this thesis we explore an approach based on access control for regulating access to audit records based on negotiated policies, and explore the properties that can be guaranteed by our model.

We present the results of our work in Chapter 5.
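The contrast above between a single-object check and a history-based, Chinese Wall style check is illustrated by the following added Python example; it is not the thesis's model (presented in Chapter 5) nor its code. It assumes constructed audit logs (`door_log`, `printer_log`, a backup replica), constructed readers (`admin1`, `admin2`), and constructed per-user unlinkability policies: for each user, groups of logs whose records about that user must not all be read by the same reader. A plain per-log ACL grants every read in isolation; the history-based monitor remembers what each reader has already seen about each subject and denies the read that would let one reader link two logs, while treating a replica as the same object as its primary log.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    log: str      # which audit log (dataset) holds the record
    subject: str  # the user whose activity the record describes


# Constructed: replicas and backups resolve to the primary log, so a copy of a
# record is the same object for policy purposes, not a fresh one.
REPLICA_OF = {"door_log_backup": "door_log"}


def dataset(log):
    return REPLICA_OF.get(log, log)


# Constructed per-log ACL: the traditional single-object view. Both readers
# are legitimately entitled to read each log on its own.
ACL = {"door_log": {"admin1", "admin2"}, "printer_log": {"admin1", "admin2"}}

# Constructed negotiated unlinkability policies: for each subject, groups of
# logs whose records about that subject must not be read by one reader.
POLICIES = {
    "alice": [frozenset({"door_log", "printer_log"})],
    "bob": [],  # bob negotiated no unlinkability constraint
}


def acl_allows(reader, record):
    """Stateless per-object check: it has no notion of what was read before."""
    return reader in ACL.get(dataset(record.log), set())


class UnlinkabilityMonitor:
    """History-based (Chinese Wall style) monitor for audit records. Once a
    reader has seen records about a subject in one log of a conflict group,
    records about the same subject in the other logs of that group are
    denied to that reader, since the pair could be correlated."""

    def __init__(self, policies):
        self.policies = policies
        self.history = defaultdict(set)  # reader -> {(subject, dataset)}

    def may_access(self, reader, record):
        if not acl_allows(reader, record):
            return False
        ds = dataset(record.log)
        for group in self.policies.get(record.subject, []):
            if ds not in group:
                continue
            for subj, prior in self.history[reader]:
                if subj == record.subject and prior in group and prior != ds:
                    return False
        return True

    def access(self, reader, record):
        """Grant or deny, recording a grant in the reader's history."""
        if not self.may_access(reader, record):
            return False
        self.history[reader].add((record.subject, dataset(record.log)))
        return True


def run_scenario():
    """Constructed sequence of reads. Returns (reader, log, acl_decision,
    history_based_decision) for each read, in order."""
    monitor = UnlinkabilityMonitor(POLICIES)
    reads = [
        ("admin1", Record("door_log", "alice")),         # first look: allowed
        ("admin1", Record("door_log_backup", "alice")),  # replica of same log: allowed
        ("admin1", Record("printer_log", "alice")),      # would link the two logs: denied
        ("admin1", Record("printer_log", "bob")),        # bob has no constraint: allowed
        ("admin2", Record("printer_log", "alice")),      # a different reader: allowed
    ]
    return [(reader, rec.log, acl_allows(reader, rec), monitor.access(reader, rec))
            for reader, rec in reads]


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

The ACL column is `True` on every row, which is exactly the single-object weakness described above: each read is individually legitimate. Only the history-based monitor refuses the third read, and because `door_log_backup` resolves to `door_log`, reading the replica neither bypasses the policy nor counts as a second, linkable log.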

3.2.3 Privacy-preserving feedback

In Section 2.7 we discuss several techniques to hide policy authorizations. However, these approaches do not address the issue of providing users with useful feedback on access control decisions. In most cases, revealing policies is considered to be a security breach because this reveals too much information to the denied user, who is potentially malicious. Furthermore, access denials imply that users do not have sufficient credentials to access the resources. Ubiquitous computing environments add more challenges by basing system policy on contextual information. Access control decisions no longer depend on credentials alone. To avoid the confusion and frustration of users who could access resources previously (e.g., "just an hour ago"), a system of feedback is needed for its users. Furthermore, there are privacy implications of revealing too much information about the system's policies to its users. For example, a professor's permission set might be kept secret from students. Hence, a model for feedback should also include some form of policy protection to maintain the confidentiality of sensitive access permissions.

We present our model Know in Chapter 6, which addresses the issue of useful feedback and policy protection in ubiquitous computing environments.

Outline
