Catálogo de publicaciones - libros

Initially Mike and I had the idea that we would each take sides; one would be accountability, one would be privacy, and we’d debate, but actually both of us wanted to be on the privacy side. So instead I’ll talk for a while about this apparent conflict between privacy on the one hand and accountability on the other. We’ll look at a number of existing technologies, some open questions, and although I guess there’s no new research in the paper now, the hope is that looking at things through this lens might ultimately lead to new solutions. We’re all aware that change in technology is making privacy much harder: we have much more use of computers, computers are heavily networked, storage costs are going way down, and computers are getting more powerful, so we have increased ability to process and store large amounts of data. So whereas it used to be we had to work hard to make information public – that’s what a lot of computer science was about, getting information from one place to another in a reliable and persistent way – now the infrastructure has evolved to make that very easy. What’s become harder is to keep the information private, understanding where it flows, when it flows, and the fallout of it all. And the issue of privacy has become much more critical as public awareness increases of this new world that we’re in and as potential misuse starts to be on the rise, and also I think as these conflicting roles increase: the desire for privacy on the one hand, and the desire for using this information on the other hand.

Computer and network security researchers usually focus on the security of computers and networks. Although it might seem as if there is more than enough insecurity here to keep all of us fully occupied for the foreseeable future, this narrow view of our domain may actually be contributing to the very problems that we are trying to solve. We miss important insights from, and opportunities to make contributions to, a larger world that has been grappling with security since long before the computer was invented.

In keeping with the tradition of this workshop this is actually a position paper in the sense that it represents work that’s not done and ideas for work that could be done, rather than simply a paper that got rejected from a bunch of other conferences. [Laughter]

This position paper explores privacy issues created by mobile and wireless Internet access. We consider the information about the user’s identity, location, and the serviced accessed that is necessarily or unnecessarily revealed observers, including the access network, intermediaries within the Internet, and the peer endpoints. In particular, we are interested in data that can be collected from packet headers and signaling messages and exploited to control the user’s access to communications resources and online services. We also suggest some solutions to reduce the amount of information that is leaked.

This is work not yet done by myself and Alf Zugenmaier at Microsoft Research here in Cambridge. With Alf being a privacy person we’re starting to think about the kind of threats there are to a wireless mobile user’s privacy. We thought these threats actually matter to the user, and so what can we do about them? Especially, what can we do at the time of attack, or when designing network protocols to improve the users privacy? This is a position paper about the kinds of things we think probably matter and should be done.

Many Ubiquitous Computing applications require tags and sensors that track the daily activates of people and things. For example, tags might be placed on objects to allow a system to remind people of the object’s location. In another application, caretakers of the elderly may wish to monitor the daily activities of those under their care, in order to track decline in functioning and offer appropriate medical care. These forms of tracking, however, raise privacy concerns. A person does not want to be tracked by everybody, but rather only by those that are trusted and only during certain times. We present a method of building tags and tracking devices that ensure a person is tracked only by those that have been granted that right, and only during the times specified.

Our group is looking for applications in everyday life that involve information processing. Not Internet connected things, not things that are on the network, but things that are in everyday life. For instance, you may forget to buy milk; that’s an information processing problem. If your car gets a flat tyre, that’s probably not an information processing problem, but there may be information processing that can assist you.

One basic idea is to track your daily activities for your personal benefit. For instance, you may use devices that give you location awareness, or detect categories in your daily routine. If every Tuesday you throw your laundry in the car and go to the dry cleaners, then a device could conceivably detect this, and if on Tuesday morning it finds you in your car and you don’t have your laundry with you, it lets you know, beep, and tells you that something’s different; and you can either choose to ignore it or run back and get your laundry.

In this paper, we present a security framework that provides identity protection against active and passive attacks for end-points. The framework is based on a two-round-trip authenticated Diffie-Hellman key exchange protocol that identifies the end-points to each other and creates a security association between the peers. The protocol hides the public key based identifiers from attackers and eavesdroppers by blinding the identifiers. We complete the identity protection by offering location privacy with forwarding agents. To our knowledge, our privacy enhanced protocol is the first denial-of-service resistant two-round-trip key exchange protocol that offers identity protection for both communicating peers.

In the JFK paper we made the kind of throw away assertion, a very trivial assertion, that the reason that you can’t have identity protection for both parties in the presence of an active attack is that someone has to reveal their identity first, unless you know something about each other that’s secret in advance. Assuming certificates and so on is themeans for identification, someone has to identify first, you can’t say, I’ll only tell you who I am if you tell me who you are.

Now that was an assertion of a trivial fact rather than a proof. I’m wondering if you believe, under the assumptions we had, that that was true?

The last years have seen a peak in privacy related research. The focus has been mostly on how to protect the individual from being tracked, with plenty of anonymizing solutions.

We advocate another model that is closer to the “physical” world: we consider our privacy respected when our personal data is used for the purpose for which we gave it in the first place.

Essentially, in any distributed authorization protocol, credentials should mention their purpose beside their powers. For this information to be meaningful we should link it to the functional requirements of the original application.

We sketch how one can modify a requirement engineering methodology to incorporate security concerns so that we explicitly trace back the high-level goals for which a functionality has been delegated by a (human or software) agent to another one. Then one could be directly derive purpose-based trust management solutions from the requirements.