USING CONTEXT FOR PRIVACY BOUNDARY CONTROL IN RFID APPLICATIONS
Shin'ichi Konomi
Center for LifeLong Learning and Design (L3D), University of Colorado, Boulder, CO 80309, U.S.A.
Chang S. Nam
Department of Industrial Engineering, University of Arkansas, Fayetteville, AR 72701, U.S.A.
Abstract
Creating a usable system that supports users’ in-situ control over their privacy boundaries is a challenging problem. We propose process and data models for providing feedback that better supports RFID users’ privacy boundary regulation. Our context-aware feedback approach uses activity hierarchies to represent context around the use of RFID applications and support privacy critic agents to adapt feedback and information disclosure processes according to users’ changing needs.
Key Words
RFID, privacy, critic agents, disclosure models, context-awareness
1. Introduction
As the cost of RFID tags drops, they are attached to an increasing number of physical objects in the world. For example, cases of item-level tagging, i.e., attaching RFID tags to individual sales items, are emerging in the retail arena. Item-level tagging creates exciting opportunities to design applications for the so-called “Internet of things.” However, there are serious privacy concerns about unobtrusive monitoring using ubiquitous RFID tags. There is a need for tools that support people in controlling their privacy boundaries and protecting their privacy according to their needs.
Context is essential in any system that supports users in controlling their privacy boundaries. Boundaries that separate and connect one’s personal information spaces and the rest of the world are shaped by context, including one’s activities and social environments. For example, information about the things one touches can be public when one is at work in a warehouse. How private one considers RFID data to be is also influenced by the cost of removal. For example, an RFID train pass carried by a person can be removed from the person more easily than a medical RFID implant.
However, conventional approaches to privacy-preserving RFID systems (see Table 1) rarely consider context in a systematic manner. Implicit in most conventional approaches is the use of static privacy preferences that cannot address dynamic changes of privacy needs.
Table 1. Existing approaches to RFID privacy issues

Approach | Description
Killing tags | Destroying, removing, or permanently inactivating RFID tags.
Faraday cage | Shielding RFID tags by using a container made of materials that block radio signals.
Active jamming | Shielding RFID tags by using a device that actively broadcasts radio signals so as to block the operation of nearby RFID readers.
Sophisticated tags | Controlling access to information on RFID tags by locking, encrypting, changing and manipulating data.
Blocker tags [1] | Blocking access to RFID tags by using a device that announces itself as all or a range of possible RFID tags.
Local computation | Personal devices provide services to users without sending IDs to the infrastructure.
Information management | Controlling storage, flow and processing of information in databases.
Social regulation | Guidelines and laws that regulate the capture and use of privacy-sensitive information.
This paper proposes process and data models for providing feedback that supports RFID users’ in-situ privacy boundary regulation. In our context-aware feedback approach, activity hierarchies are used to represent context around the use of RFID applications. Privacy critic agents use the hierarchies to adapt feedback and information disclosure processes according to users’ changing needs. These models can be used to develop privacy assistants on mobile devices [2].
In the next section, we first discuss how easily privacy regulation in RFID applications can break down. Following this, we describe a framework for feedback and control proposed to support users’ information disclosure processes. We then describe two generic models for characterizing RFID users’ information disclosure processes. An approach for providing feedback that better supports RFID users’ privacy boundary regulation is also presented. Finally, we present some concluding remarks and our vision for the next steps.
2. Challenges
Part of the privacy problems of RFID systems lies in the architecture that makes it difficult to gain information about and control how one is presenting oneself to others [2].
2.1 Scenario
Imagine a “smart shelf” in a retail store that constantly scans the RFID tags of all products on it. If someone removes a product from the shelf, it can tell what was taken away and possibly who took it. For example, customer A picks up a bottle of flu medicine and puts it back on the shelf. The customer may or may not be aware that the store’s marketing team can interpret this as her interest in flu medicines. Now another customer, B, accidentally hits a flu medicine bottle with her elbow; it drops on the floor, and she puts it back on the shelf.
2.2 Difficulty in gaining information about others
Customers’ activities are interleaved with moments of communication between RFID readers and tags, which we call scans. Scans can be visible or invisible, voluntary or involuntary, intentional or unintentional, and may or may not require user intervention (e.g., pressing a “scan button”). Scans announce various relationships among people and things and trigger chains of information flows that go out of and come into people’s personal information spaces.
The first customer doesn’t clearly know who is monitoring her actions (or who will search records of her actions) and has little knowledge about how her actions are viewed and interpreted by others. She may only be notified of the result of her action when she gets a marketing email from the store.
2.3 Difficulty in conveying information
The second customer’s actions can easily be misinterpreted as her interest in flu medicines if there are no sensors that detect the fall of the bottle. Even when such sensors exist, the bottle may drop outside a sensor-enabled area or even into someone else’s shopping cart. Moreover, the marketing team may only be monitoring the data about the shelf and not the floor. If a sales agent is physically in proximity to the customer, these communication errors occur less frequently, and customers and store staff can detect and fix problems through face-to-face interactions.
2.4 Difficulty in gaining information about oneself
Scans, like clicks in hypertext systems, are problematically small interaction units that challenge users’ ability to understand and anticipate how their actions and information appear to others. Assessing the efficacy of strategies for withholding or disclosing information is inescapably based on this reflexive interpretation [3].
Thimbleby et al. [4] proposed the notion of reflexive CSCW that considers the difficulty of tracking personal work distributed in both place and time. The cost of tracking can be high when users attempt to maintain many interleaved activities over long periods. Reflexive CSCW is mainly concerned with better understanding of one’s actions in one’s world. This paper adopts a broader view of reflexive CSCW by incorporating self-awareness of one’s exposure to external worlds.
3. Designing for Feedback and Control
The challenges discussed in the previous section suggest the need for better support of users’ information disclosure processes. We use the framework proposed by Bellotti and Sellen [5] to first analyze the types of feedback and control involved in RFID users’ information disclosure processes, which are characterized by capture, construction, accessibility and purposes (see Table 2). Then, we discuss privacy critics for supporting users in dealing with the necessary feedback and control, and finally derive eight design principles for feedback.
3.1 A Framework for Feedback and Control
When RFID users make their information available to others, different kinds of things take place in terms of capture, construction, accessibility and purposes, which users may or may not be aware of. Table 2 highlights existing and potential places where there may be a room for providing increased feedback and control to RFID users.
3.2 Privacy Critics
Privacy regulation for RFID tags can be a complex task if users must deal with all kinds of feedback and control. Also, the task of managing privacy may interfere with users’ other important tasks. However, a simplified, intuitive user interface for complex privacy management may remove details that are important to some users.
A privacy critic is a type of intelligent agent that provides privacy-related feedback and suggestions as users go about their ordinary tasks. Ackerman and Cranor [6] describe two kinds of privacy critics for Web browsing, which are based on the critic-based architectures proposed by Fischer et al. [7] and Fischer et al. [8]. One critic provides suggestions based on a database of consumer complaints about a website. The other critic warns a user when the information about to be disclosed can be used in combination with what’s already known to identify the user.
Proposed here is a suite of privacy critics for RFID users, which make privacy suggestions from four different perspectives corresponding to the categories in Table 2. Capture critics make suggestions about scans, construction critics about data manipulation, accessibility critics about access control, and purposes critics about declared or inferred purposes.
Table 2. A framework for analysing feedback and control involved in RFID users’ privacy regulation processes.

Capture (RFID reader obtains RFID data from my RFID tag)
  Feedback about: Existence and capabilities of RFID tags and readers. Occurrences of scans. Contents and types of information capture.
  Control over: Removing or disabling tags and readers. Which of my tags are read by which readers and when. Intentional degradation of information, anonymity, and pseudonymity.

Construction (How my RFID data are combined with other data and processed)
  Feedback about: Existence, types, and contents of primary data sources that manage information about my tags and secondary data sources that may be used together with primary data sources. When and how my information is stored, copied, used, or integrated with other information.
  Control over: Removing, adding and changing my information in any data sources. Which of my information is stored, copied, used, or integrated with other information. Requiring my permission or supervision when something happens to my information.

Accessibility (Who/what accesses my RFID-relevant data)
  Feedback about: Which people, software applications, and middleware components have access to my tags, readers, and primary/secondary data sources. Who and what has access to which information about me and how.
  Control over: Access control models, authentication, and encryption.

Purposes (What purposes my RFID-relevant data are used for)
  Feedback about: What people intend to use my information for (can be a part of a privacy statement or a P3P-like declaration). Inference of purposes by tracking uses of my information.
  Control over: Restricting intrusive, unethical, illegal and misappropriating usage of my information. Social control can be exercised with technological support similar to P3P.
3.3 Design Principles
The following eight design principles are derived by applying the framework to the specific issues identified in Section 2. Our focus here is on designing for feedback, which is a prerequisite for effective privacy control. Mechanisms for supporting privacy control such as “kill” commands, encryption, access control and data correction are complementary to the approach of this paper.
(1) Make scans visible: Indicate the existence of RFID readers and tags. Visual/auditory feedback when a scan occurs.
(2) Show who accesses my data about scans and what their purposes are: Pessimistic, optimistic, or interactive access control processes [9]. Mechanisms that support reciprocal disclosure (“If I see you, you see me.”).
(3) Show queries that access my data about scans: Systems could keep a record of queries that use my data and make the record accessible to me.
(4) Distinguish types of scans: Attach data that describe types of scans to scan records. Types may include user-initiated scans, unobtrusive scans, etc.
(5) Group and structure scans according to context: Group scan records and organize them in hierarchies that reflect users’ context.
(6) Show what information flows a scan triggers: Provide feedback on where a scan record travels and which external data sources are used for aggregation. This could be a policy statement with or without a mechanism for detecting violations.
(7) Show where and how data about scans are stored: This could also be a policy statement with or without a mechanism for detecting violations.
(8) Show when and how data about scans are modified or aggregated: This could be a policy statement with or without a violation detection mechanism.
(1) is a common approach in existing proposals [10,11] for protecting consumers’ privacy around the use of RFID. In relation to (2), researchers have studied privacy preferences [12] that specify who gets access to what information. Floerkemeier et al. [13] propose RFID communication protocols that embody fair information practices and allow for the declaration of 15 different purposes of scans. Issues related to (3) are discussed in database security and medical information systems. For example, Wiederhold [14] proposed checking mechanisms for queries as well as their results. There are few existing works that can deal with the issues of (4) and (5) for the purposes of RFID privacy. Designing purely technological solutions for (6)-(8) can be difficult because of the complexity of distributed systems.
In the next sections, we will discuss disclosure models as a framework for integrating various privacy-enhancing techniques and a context-aware feedback model for supporting principles (4) and (5).
4. Disclosure Models
We will use the following two generic models for characterizing RFID users’ information disclosure processes.
4.1 Information Flow Model
RFID systems can be roughly classified into the following three types according to the ownership of RFID readers and tags.
In Figure 1, users own RFID tags. RFID readers are either public or owned by someone else. Records of scans are disclosed from the environment. Users can generally control the information flows indicated with solid-line arrows using conventional methods (e.g., using “kill” kiosks, Faraday cages, etc.).
Figure 1. Type I
In Figure 2, users own RFID readers. RFID tags are either public or owned by someone else. Records of scans are disclosed from the users. Users can generally control the information flows indicated with solid-line arrows using conventional methods (e.g., turning readers on/off, controlling access to readers’ data, etc.).
Figure 2. Type II
In Figure 3, Type I and Type II information flows coexist. Records of scans are disclosed from the users and the environment. Users can generally control the information flows indicated with solid-line arrows using conventional methods.
Figure 3. Type III
4.2 Disclosure Process Model
Most of the design principles described in the previous section assume disclosure processes that allow users to obtain some feedback and make decisions as to whether or not to disclose scans.
Figure 4 has two paths, p and p’, which have the same start and end nodes. p corresponds to the full disclosure process and p’ to the degenerated process. In the full disclosure process, users have detailed interactive control over the disclosure of each scan. However, the cognitive workload of the full process can be very high if users must deal with a large number of RFID tags individually.
In contrast, the degenerated process does not allow interactive control at all. Systems automatically disclose or conceal scans based on predefined default settings, thereby minimizing users’ cognitive workload for privacy regulation.
Figure 4. Disclosure processes
Type I information flows cannot support the full disclosure process unless the environment provides the user with feedback and control. This could be remedied by a device that functions as a kind of personal firewall router. However, due to space limitations, a discussion of such a device is beyond the scope of this paper.
For Type II information flows, a system can be built to support both full and degenerated processes regardless of the environment. The challenge is to support a user with an appropriate process at the “right” time.
Type III is a combination of Type I and Type II. Therefore, the full disclosure process can only be supported in some part of the system.
(Figures 1 to 3 show the User and Environment nodes with RFID tags and readers; Figure 4 shows the nodes Scan, Feedback, Control and Disclosure, with the full path p passing through Feedback and Control and the degenerated path p’ bypassing them.)
5. Context-Aware Feedback
This section introduces an approach for providing feedback that better supports RFID users’ privacy boundary regulation.
5.1 Representing Context
Context is difficult to define [15], and representing it is a non-trivial task. Some context can be captured automatically using sensors (e.g., location, time, presence of people and things). Other context is difficult to capture automatically.
Our approach is to provide a data model that represents the context of a scan, the basic action unit involved in the use of any RFID system. The data model is extensible and designed for managing both automatically and manually captured context.
The model consists of the following three major components:
(1) Scan Record
Scan records are generated after RFID middleware processes and filters data. Radio communications and RFID readers’ raw data must be protected at the physical layer with strict privacy and security policies. Scan records belong to a logical layer that handles dynamic privacy boundary control.
A scan record consists of IDs and other data generated by middleware along with the following four groups of attributes:
• Capture Attributes: Whether or not capture is automatic/intentional/voluntary, etc.
• Construction Attributes: Pointers to relevant information sources along with cryptographic keys for accessing them, etc.
• Accessibility Attributes: Pointers to corresponding access records in relevant information sources, etc.
• Purpose Attributes: Privacy policy descriptions.
(2) Scan Group
Scan records can be grouped automatically based on contextual cues such as location, time, presence, etc. They can also be grouped based on user inputs made on site or in post processing. A scan record can participate in more than one scan group. Each scan group is associated with user-modifiable attributes that characterize the group.
(3) Activity Hierarchy
As shown in Figure 5, hierarchies can be constructed by linking scan groups to activity units. A scan group can participate in more than one activity unit. Each hierarchy is associated with user-defined attributes that describe meanings of the activity.
Figure 5. Activity hierarchy
5.2 Using Context
The proposed data model allows for context-aware feedback and supports RFID users’ privacy regulation. The primary function of privacy critics is to provide user feedback by examining the information stored in scan records against users’ specific privacy preferences and generic rules.
Scan groups and activity units allow critics to consider group-wise and activity-wise privacy implications. Furthermore, different privacy preferences and rules can be assigned to each activity so as to provide users with different feedback according to users’ activities.
Privacy critics also regulate feedback at a meta-level. For example, they decide which disclosure process to use based on context.
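As an added example (not code from the paper or from the QueryLens project), the following Python sketch puts the three components of Section 5.1 and the critics of Section 5.2 together: a scan record carrying the four attribute groups, scan groups, an activity unit with its own privacy preferences, a capture critic and a purposes critic, and the meta-level choice between the full and degenerated disclosure processes of Section 4.2. All field names, the scan-count threshold, and the sample scans (customer A at the smart shelf of Section 2.1, and a warehouse shift) are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class ScanRecord:
    """One scan with the four attribute groups of Section 5.1 (field names are assumed)."""
    tag_id: str
    reader_id: str
    capture: Dict[str, bool]                                 # automatic / intentional / voluntary
    construction: List[str] = field(default_factory=list)   # pointers to information sources
    accessibility: List[str] = field(default_factory=list)  # pointers to access records
    purposes: Set[str] = field(default_factory=set)         # declared purposes (policy description)

@dataclass
class ScanGroup:
    """Scans grouped by a contextual cue; one scan may belong to several groups."""
    name: str
    scans: List[ScanRecord]
    attributes: Dict[str, str] = field(default_factory=dict)

@dataclass
class ActivityUnit:
    """Activity-hierarchy node carrying the privacy preferences that apply while it is active."""
    name: str
    groups: List[ScanGroup]
    allowed_purposes: Set[str]   # purposes the user accepts during this activity
    expect_automatic: bool       # True for e.g. warehouse work, where unobtrusive scans are normal
    full_process_limit: int      # above this many scans, fall back to the degenerated process

def unique_scans(activity: ActivityUnit) -> List[ScanRecord]:
    """Scan records of an activity, counted once even when they sit in several scan groups."""
    seen: Dict[int, ScanRecord] = {}
    for group in activity.groups:
        for scan in group.scans:
            seen.setdefault(id(scan), scan)
    return list(seen.values())

def choose_process(activity: ActivityUnit) -> str:
    """Meta-level decision of Sections 4.2/5.2: keep the full interactive process (path p) only
    while per-scan control stays tolerable; otherwise use the degenerated process (path p')."""
    return "full" if len(unique_scans(activity)) <= activity.full_process_limit else "degenerated"

def capture_critic(scan: ScanRecord, activity: ActivityUnit) -> List[str]:
    """Capture critic: flags unobtrusive, non-intentional scans the activity does not expect."""
    unobtrusive = scan.capture.get("automatic", False) and not scan.capture.get("intentional", False)
    if unobtrusive and not activity.expect_automatic:
        return [f"{scan.tag_id}: unobtrusive scan by {scan.reader_id}"]
    return []

def purposes_critic(scan: ScanRecord, activity: ActivityUnit) -> List[str]:
    """Purposes critic: flags declared purposes outside the activity's preferences."""
    extra = sorted(scan.purposes - activity.allowed_purposes)
    return [f"{scan.tag_id}: purpose '{p}' not allowed during {activity.name}" for p in extra]

def review_activity(activity: ActivityUnit) -> Dict[str, object]:
    """Runs the critic suite over an activity and returns the feedback to present to the user."""
    warnings: List[str] = []
    for scan in unique_scans(activity):
        warnings += capture_critic(scan, activity) + purposes_critic(scan, activity)
    return {"process": choose_process(activity), "warnings": warnings}

# Constructed sample data: customer A at the smart shelf, and a warehouse shift with 50 expected scans.
SHELF_SCAN = ScanRecord("tag:flu-medicine-42", "reader:shelf-7",
                        {"automatic": True, "intentional": False, "voluntary": False},
                        purposes={"inventory", "marketing"})
SHOPPING = ActivityUnit("shopping", [ScanGroup("aisle-7", [SHELF_SCAN], {"location": "aisle 7"})],
                        allowed_purposes={"inventory"}, expect_automatic=False, full_process_limit=20)
DOCK_SCANS = [ScanRecord(f"tag:pallet-{i}", "reader:dock-1",
                         {"automatic": True, "intentional": False, "voluntary": True},
                         purposes={"inventory"}) for i in range(50)]
WAREHOUSE_SHIFT = ActivityUnit("warehouse shift", [ScanGroup("dock", DOCK_SCANS)],
                               allowed_purposes={"inventory"}, expect_automatic=True, full_process_limit=20)
```

Calling review_activity(SHOPPING) yields the full process with two warnings (an unobtrusive scan and an unaccepted "marketing" purpose), while review_activity(WAREHOUSE_SHIFT) yields the degenerated process with no warnings, because the same kind of automatic scan is expected there.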
5.3 Prototype Design and Development
A prototype of context-aware feedback is being designed for Type II environments based on a system called QueryLens [16, 17]. QueryLens is an ID-based information sharing environment that allows users to share and accumulate queries and answers in relation to RFID-tagged physical objects. It uses a metaphor of a lens through which users can view and manipulate information that is associated with a physical object.
Figure 6. Using the QueryLens system
QueryLens uses mobile databases that run on Palm OS PDAs and synchronize with a network server. The database schema, which incorporates rule-driven stored procedures, can be extended for the proposed data model and disclosure processes. We are also extending the design to other mobile computing platforms that allow privacy critics to provide multi-modal feedback.
6. Conclusion
This paper discussed design principles and models for a new class of privacy-enhancing technologies for RFID applications. The proposed models facilitate the design of critic-based feedback mechanisms that understand usage context and provide appropriate feedback. We are building on our existing RFID system, which allows us to develop some components in a straightforward fashion. We hope our models and guidelines serve as a first step towards a solution to emerging privacy issues in new business practices [18] and everyday life.
We are planning to conduct a user experiment on the context-aware feedback mechanism, which has not been done previously, in order to uncover the implications of context-aware feedback for designing privacy-preserving technologies.
References
[1] A. Juels, R.L. Rivest & M. Szydlo, The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy. Proc. of ACM Conf. on Computer and Communications Security, ACM Press, 2003, 103-111.
[2] S. Konomi, Personal Privacy Assistants for RFID Users. Int'l Workshop Series on RFID: Information Sharing and Privacy, Tokyo, Japan, 2004. http://www.slrc.kyushu-u.ac.jp/rfid-workshop/
[3] L. Palen & P. Dourish, Unpacking “Privacy” for a Networked World. Proc. of CHI’03, ACM Press, 2003.
[4] H. Thimbleby, S. Anderson & I. Witten, Reflexive CSCW: Supporting Long-Term Personal Work. Interacting with Computers, 2(3), Elsevier Science, 1990, 367-381.
[5] V. Bellotti & A. Sellen, Design for Privacy in Ubiquitous Computing Environments. Proc. of the 3rd European Conference on Computer-Supported Cooperative Work (ECSCW’93), Kluwer Academic Publishers, 77-92.
[6] M.S. Ackerman & L. Cranor, Privacy Critics: UI Components to Safeguard Users’ Privacy. Proc. of CHI’99, ACM Press, 1999, 258-259.
[7] G. Fischer, A.C. Lemke & T. Mastaglio, Using Critics to Empower Users. Proc. of CHI’90, ACM Press, 1990, 337-347.
[8] G. Fischer, K. Nakakoji, J. Ostwald, G. Stahl & T. Sumner, Embedding Computer-based Critics in the Contexts of Design. Proc. of INTERCHI’93, ACM Press, 1993, 157-164.
[9] J. Grudin & E. Horvitz, Presenting Choices in Context: Approaches to Information Sharing. Proc. of the Ubicomp 2003 Privacy Workshop.
[10] Guidelines on EPC for Consumer Products. http://www.epcglobalinc.org/public_policy/public_policy_guidelines.html
[11] S. Garfinkel, An RFID Bill of Rights. Technology Review, October 2002. http://www.technologyreview.com/articles/02/10/garfinkel1002.asp
[12] J.S. Olson, J. Grudin & E. Horvitz, A Study of Preferences for Sharing and Privacy. Proc. of CHI’05, ACM Press, 2005, 1985-1988.
[13] C. Floerkemeier, R. Schneider & M. Langheinrich, Scanning with a Purpose: Supporting the Fair Information Principles in RFID Protocols. Proc. of the 2nd Int'l Symposium on Ubiquitous Computing Systems (UCS 2004), Tokyo, Japan, 2004.
[14] G. Wiederhold, Future of Security and Privacy in Medical Information. http://www-db.stanford.edu/pub/gio/TIHI/healthsecurity.htm
[15] T. Moran & P. Dourish (eds.), Human-Computer Interaction, 16, Special Issue on Context-Aware Computing, 2001.
[16] S. Konomi, QueryLens: Beyond ID-based Information Access. Proc. of the Int'l Conf. on Ubiquitous Computing (UbiComp), 2002, 210-218.
[17] C.S. Nam & S. Konomi, Usability Evaluation of QueryLens: Implications for Context-Aware Information Sharing Using RFID. Proc. of the IASTED Int'l Conf. on Human-Computer Interaction, Phoenix, USA, 2005.
[18] H. Galanxhi-Janaqi & F. F.-H. Nah, U-commerce: Emerging Trends and Research Issues. Industrial Management & Data Systems, 104(9), Emerald Group Publishing, 2004, 744-755.