Privacy Protection

Commenting on the rubric of privacy protection in sections 3.1 and 3.2, we now have a brief understanding that the paradigm of integrating and maintaining privacy remains quite challenging in a pervasive computing environment. However theoretical our discussion, however, it is the pragmatic and tactical applications that generate the necessity for more aggressive protection steps.

Unobtrusiveness Verses Notice and User consent

Scenario: ABC is a very well-known software company. In past few years, however, there have been numerous instances in which employee laptops have either been lost or stolen. As a result, ABC faced both financial and data losses, as well as a threat to their internal privacy. To mitigate this issue, ABC decided to attach RFID tags to the laptops, allowing the units to be tracked if reported stolen Since the main goal of pervasive computer is to reduce demand on the human interaction (3.2.2), the company’s it department placed the RFID tag in a covert location that is both undetectable and difficult to remove. A new employee, Bob, joins the ABC team, and is provided with a laptop per company policy. However, Bob is not told about the RFID chip, nor does he know about the tracking policy. After a few days, Bob was asked into his manager’s office, and was very surprised when he was questioned about his frequent visits to a local HIV clinic.

While the above scenario is fictional, there are numerous issues, rules, and regulations that point to a clear misuse of personal data, however altruistic and common this type of tracking might be in a pervasive computing environment.

Data collection is often part of the corporate environment, done in an invisible and innocuous manner (see 3.2.3). In the scenario above, three actions occurred that not only made the issue uncomfortable for Bob, but quite illegal for ABC. 1) Bob was never notified that there was a tracking device on the laptop, which should be part of the documents signed when he checked out the system; 2) the purpose of the tracking device, as stated by ABC’s it Department, was specifically to monitor equipment that was reported stolen or missing — neither of which happened in this case; and, 3) if Bob was visiting a clinic during his lunch or personal time, his whereabouts are of no concern to the company, and not only should not have been monitored, but there was no purpose in talking with him about his clearly personal issues. Most of the situation might have been solved if an appropriate “release” document had been signed, although the manager who brought up the issue of the clinic clearly requires additional training.

To prevent situations of untoward eavesdropping and unauthorized tracking, a legal requirement is required when a company uses any sort of tracking system or data collection without the knowledge or consent of the individual.

The purpose of said legislation, although only viable with member countries, is to ensure greater privacy by establishing a chain of consent, making the data collection process less obtrusive and more discernible

Paradoxically, however, the challenge for ABC, and other organizations, is the duality of protecting privacy rights while still maintaining the rigorous security issues surrounding pervasive computing (see 3.1 and the discussion regarding privacy issues).

3.3.2 Context dependency

Scenario: Alice is a 10-year-old diabetic who attends public school. When Alice is at school, her parent’s worry that she will remain healthy, and are continually concerned that she is eating regularly and properly. To ensure Alice’s health, a system of tracking would not only be helpful to Alice’s health, but also take the burden of worry away from her parents. To mitigate this situation, Alice’s parents have registered for a service, specifically designed for diabetic patients. Using a microchip, this service is able to continuously track Alice’s location and level of insulin, informing her parents and relevant medical services in the event of an emergency.

At first blush, the service above appears extremely beneficial. Alice is a minor, so her parents have the legal right to monitor her activities and health concerns. However, there are situations when this type of data could be used for nefarious purposes. For example, if Alice’s parents were wealthy or influential, the data might be captured and Alice kidnapped or put in harm’s way. What provisions, then, are applicable to ensure that a high level of security and privacy exists in monitoring someone’s condition? Because there is often a human on the monitoring end, is society continually subjected to the concerns of greed and avarice?

Under the paradigm of pervasive computing, however, the application for such a service is interdependent upon the contextual information necessary for the specific application (see 3.24.) it is this contextual information, and the way it is used, that form the ethical and moral background of a system that is tactical and non-judgmental. Utilizing contextual information that provides sensitive information (location, unique individual profiles, etc.) require additional privacy protection techniques — challenging programmers to offer the important service necessary without compromising the individual. Clearly, advanced encryption and safeguards are necessary under certain conditions.

3.3.3 Minimizing amount of data collection

Scenario: Mike, an avid cyclist who also uses his bicycle as transportation to and from work, has been the victim of several bicycle thefts. He decided to register for a service that will track his bike by implanting a small, unobtrusive, RFID under the seat.

Again, the ethical considerations of this scenario, as opposed to a traditional computing environment, allows pervasive computing to collected even more data. It is not the collection of the data, however, but the use of said data that can cause an ethical conundrum. Mike actively sought out this service, and one would hope that it is not constantly active, tracking Mike’s travels. Instead, like many automobile-monitoring services, Lojack, for instance, the system is only activated when the registered user reports a theft. In the pervasive computing world, data may be collected from numerous sources. Different data sets may be valuable in different ways to disparate groups. However, central to the collection of data is the individual’s right to control who and when that data is accessed. By putting the control in the purchaser’s hands, this potential problem is mitigated; providing peace of mind for Mike, as well as protecting his own privacy.

3.3.4 Role of service provider

Scenario: 59-year-old Robert Rivera slipped while in a Los Angeles supermarket, injuring his knee. He claimed it was spilled yogurt that caused the injury, and Rivera sued to recover hospitalization and lost wages. The case was ultimately dismissed for lack of evidence, but Rivera claimed a mediator contacted him prior to the verdict and encouraged him to settle, or records of his substantial alcohol purchases would be released.

Clearly, this scenario illustrates the importance of individual service providers, and their ethical limitations for information dissemination. It is likely that the Judge would refuse to hear evidence collected in such a manner, but perdition by a service provide opens up a frightening world of surveillance and a complete lack of privacy. For pervasive computing to work within the legal and ethical requirements of society, however, labeling protocols such as P3P must be embedded to ensure that each data request by the provider legally specifies the purpose, retention and recipients of data.

4.4 Analysis of PETs

From the above comparison it is quite evident that the above PETs and privacy models follow clearly two distinct lines of approaches. First, extremely rigorous external technical protection (encryption tools, anonymizer products, etc.), which manipulate or transform the data by hiding sensitive data. Second, privacy protection relying on social and regulatory pressures (PawS, P3P). Both approaches have strengths and weaknesses; external protection lacks user control; and PawS and P3P are difficult to control once the data leaves the service proxy.

Additionally, PawS is inherently able to specify only very simple privacy preferences and P3P is not really suitable for expressing privacy preferences within the rubric of pervasive computing.

Scenario: Alice is a nurse in a hospital. She has a mobile device that continuously tracks her location and enables her colleagues and friends to locate her. Today is Bob’s (Alice’s friend) birthday, and she wants to give him a surprise gift. Alice took an hour’s break and went to the gift shop to buy a gift for Bob. During this time frame Alice does not want Bob to know her location.

In this scenario strong encryption mechanisms can be used which can secure the information passing between Alice and her service provider so that no third party can access the information. But there is no way that by encryption Alice can control micro-periods. Other techniques, such as pseudonyms mix zones and echo agent, are also unable to ensure the results Alice wants. Technical means, then, cannot ensure full privacy — instead, other measures (shutting off the device, or having control to put it on hold) by the individual are necessary considerations. Even using multiple approaches to the technical issues of micro-privacy issues, full protection remains illusive.

Confab, however, is an architecture that is able to bypass these limitations and combine both approaches. It is limited, though, and a true pervasive environment calls for complex preferences that can be easily manipulated by the end user.

Moreover, all these approaches are not completely sufficient in meeting the challenges mentioned in section 3.2. For instance, PETs and privacy models do not explicitly contribute in a reduction of data collection, nor is that their intent or purpose. Although anonymous data collection is based on the assumption that if data is collected anonymously then it cannot be linked with any individual, and if data cannot be related to an individual then it poses no threats in terms of privacy. Thus, detailed privacy policies and safeguards for data are not seen as critical in this model. By collecting anonymous data, one may argue that a true minimum amount of personal data is being collected. However, ensuring complete anonymity remains both technically and practically difficult.

For example, mix zones and changing pseudonyms are used to maintain anonymity but it is also possible to break the anonymity and track a user in a mix zone. Pervasive computing, then, needs other, more robust means to minimize the amount of data collection. Moreover, there are usability and efficiency issues that arise with any of these approaches. Testing, for example, is typically done in a controlled environment under limited conditions. The effectiveness of many of these solutions, then, has not been adequately tested under typical, real-world, conditions. In a true pervasive computing environment, users will move extensively between different computing environments and will interact with various devices (e.g. starting from small portable hand held device to large wall sized displays), and applications. It is difficult to predict how privacy solutions will perform in a true user-environment under more typical conditions.

Thus, it will be necessary to find and incorporate a unique privacy model that accentuates both social and legal norms, while ensuring the technical ability to protect privacy.

Newman, a. 2008, Protectors of Privacy: Regulating Personal Data in the Global Economy, Cornell University Press.

Miller, S. And J. Weckert 2000, “Privacy, the Workplace and the Internet,” Journal of Business Ethics, Vol. 28, no. 3, pp. 255-65.

OECD — Recommendation Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, (September 1980), cited in: http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html

See also: Caloyannides, M 2004, Privacy Protection and Computer Forensics, 2nd ed., Artech House; Bennett, C.J. And C. Raab 2006, the Governance of Privacy: Policy Instruments in Global Perspective, MIT Press.

For additional discussions on the efficacy of sensitive monitoring devices, see: Glasziou, P., et.al., eds., 2008, Evidence-Based Medical Monitoring: From Principles to Practice, BMJ Press; Jovanov, M. And D. Raskovic, 2000, “Issues in Wearable Computing for Medical Monitoring Applications,” Wearable Computers: The Fourth International Symposium, pgs. 43-49, Cited in: http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=888463

See: Blanchard, J. 2004, “Ethical Considerations of Home Monitoring Technology,” Telemedicine Information Exchange, vol. 1, no. 4, pp. 63-64, Cited in: http://tie.telemed.org/articles/article.asp?path=homehealth&article=ethicsAndHomeTech_jb_hhct04.xml

See: Yamada & Kamioka 2005.

See: International Telecommunications Union 2005, “Privacy and Ubiquitous Network Societies,” ITU Workshop on Ubiquitous Network Societies, New Initiatives Program, April 5-8, 2005; Cited in: http://www.itu.int/osg/spu/ni/ubiquitous/Papers/Privacy%20background%20paper.pdf

Do you really need this here? If you do, a complete scholarly reference will be necessary. I was not able to find one that fit your paragraph’s intent.

See the technical discussion in: Golle, P. et.al.,n.d. “Data Collection With Self-Enforcing Privacy,” Cited in: http://crypto.stanford.edu/~pgolle/papers/selfprivacy.pdf

See: Aceituno, V. 2005, “On Information Security Paradigms,” ISSA Journal,

September; Casey, E 2004, Digital Evidence and Computer Crime, 2nd ed., Academic Press.