Contextual privacy and the proliferation of location data Project summary in layman’s terms (max. 200 words). Location privacy has come to the fore due to increasingly widespread practices that involve the storage and analysis of location data. Traffic monitoring, friend finding services, tracking and tracing of mobile communication devices, contextual or behavioural advertising, and location based services all thrive on capturing and mining location data. Location privacy has received much attention from both legal and technical experts. There is, however, a good deal of confusion as to how location privacy is understood, how it relates to notions like contextual privacy, anonymity, unlinkability, autonomy and control. Within the legal domain there is confusion about the difference between privacy and data protection, controversy about which data must be qualified as personal data and about the extent to which consent, purpose limitation and adequate feedback are at stake in particular situations. Within the technical domain we lack a grounded conceptual and methodological foundation for the design and analysis of location privacy technologies; existing solutions and evaluation methods are ad-hoc and can neither be assessed outside a narrow context, nor compared to each other. This project aims to provide a framework for lawyers and computer scientists to (1) negotiate a shared understanding of what is at stake and to (2) examine to what extent location privacy technologies can integrate the more ambiguous and dynamic nature of legal and ethical notions of contextual location privacy. Furthermore, we will develop original contributions to both law and computer science. In the face of an overwhelming proliferation of data and increased sophistication of data analysis some have claimed that ‘you have zero privacy anyway. Get over it’ (Sun Microsystems’ CEO Scott McNeally in 1999). It seems that privacy is one of the fundamental challenges for our society in the next decade. Though lawyers and policy makers may call for new legislation to ward of further intrusions, we note a growing awareness that merely adding to the existing legal framework will not suffice to sustain the value, interest and right of privacy. Concepts like ‘values in design’ [Ni10], ‘privacy by design’ [Ca09] and ‘ambient law’ [HK10] suggest that specific social and/or legal values, notably privacy, require technological articulation to be sustainable in a high tech environment. This project seeks to translate the diversity of societal, ethical and legal notions of privacy into a set of technical requirements and tools that provide citizens with a measure of feedback and control regarding their location data. From the perspective of computer science location privacy has been described as ‘the ability to prevent other parties from learning one’s current or past location’ [BS03]. In ubiquitous computing environments the collection and processing of location data may be necessary to provide useful services. Knowledge of these patterns may, however, constitute major privacy invasions [HCL04]. Various types of location privacy tools have been developed [Kr09] but we must note that the problem of rerecognition and subsequent identification [Do05, GP09] creates uncertainty about the extent to which a sufficient degree of protection is indeed achieved. Furthermore, the big picture gets more complicated as location data is implicitly or explicitly available in many system layers: at the physical layer, personal devices can be identified and tracked based on radio fingerprinting [BM+09]; traffic analysis and inference attacks on anonymous data may reveal enough to enable pseudonymous profiling and eventual user re-identification [Kr07]; and at the identity layer we must take into account the linkability of pseudonyms within or across applications [TC+10]. A wellfounded, comprehensive assessment of location privacy technologies requires analysis methodologies that take into account the technical details of the basic techniques, their context of usage and application, and possible interactions with other technologies that operate on a different layer of abstraction. Project outline (max. 4 pages, incl. reference list). Give a short overview of previous research activities which are related to this proposal. If it considers a new topic, describe the abilities your research group has to conduct the proposed research. Describe the methodology of the project, the collaboration and coordination between the different participating research groups and the role of the different units and promoters. Provide references of the most significant international literature on the topic. From the perspective of law and ethics the proliferation and analysis of location data present a series of problems that relate to privacy in the broad sense of identityformation and autonomy [AR01, DG03, RPP03]. As the work of Danezis et al. [DLA05] suggests, people may not attach much value to location privacy if understood in terms of hiding one’s location data. Instead Zimmer [Zi05] broadens the scope by explaining how vehicle safety communication technologies ‘might disrupt the “contextual integrity” of personal information flows’ and ‘threaten one’s “privacy in public.”’ We think that Roussos’ [RPP03] description is particularly apt here, distinguishing a ‘locality principle’ that refers to the different contexts in which identity is constructed rather than just physical location; a ‘reciprocity principle’ that requires some measure of ‘knowledge- symmetry’ between data subject and data controller; and the ‘principle of mutual understanding’ that highlights the need for two-way communication between whoever is being located and whoever is using the location data. This project seeks to engage lawyers and computer scientists in a collaborative effort to provide adequate technological articulations for the protection of personal identity and autonomy. It aims to relate the protection of discrete data to the goal of protecting privacy, instead of reducing privacy to the protection of personal data. Objectives and approach This research project focuses on infringements of one particular type of privacy, namely location privacy. Depending on how one defines privacy (warding off any knowledge of one’s private life; being in control of which data are provided and to whom; negotiating the boundaries of one’s personal space in the physical, social and virtual sense of the term), many different dimensions or incarnations of location privacy can be conceptualized. A person may wish to hide her whereabouts from a specific organisation or person, in a specific instance, or with regard to a particular place. She may, on the other hand, not mind sharing isolated pieces of information on her whereabouts with particular organisations or persons, whereas she does not want information about different locations to be linked up together. A conventional way of defining location privacy would be that users are able to follow up on a legitimate desire to withhold location information in an easy and convenient manner, while preserving the functionality of the environment. Tools must therefore be developed to translate the concept of ‘location privacy’ into the technical infrastructure that could otherwise simply render the concept entirely impractical and thus void. These tools require a translation of social and legal concepts of ‘location privacy’ into technical – computational – terms, taking into account that this articulation has to be defined in a machine-readable manner. This will unavoidably challenge conventional meanings of privacy and location privacy, requiring, in turn, a translation of the technical possibilities of location privacy methods into the social, ethical, legal and political dimensions. This project aims to work on both sides of the translation: (1) translating the social, ethical, legal and political concept of location privacy into computational models that can operationalize its meaning in a high tech environment and (2) translating the various technological location privacy models into their social, ethical, legal and political implications. 1. Conceptual framework The term location privacy takes very different meanings depending on the context in which it is used. Indeed, location privacy seems to be not a monolithic concept but rather a family of related concepts. Some examples of technical notions of location privacy include considering that it is achieved when pieces of a pseudonymous user trajectory cannot be linked together [BS03, HG05]; when an adversary’s reconstruction of the user trajectory is sufficiently distorted [SF+09]; when users are anonymous in a region containing at least k people [GG03]; or when coarse information about a user’s location is revealed, but her precise location cannot be established [XC09]. Within the legal context ‘location privacy’ refers on the one hand to the notion of privacy as defined in art. 8 European Convention of Human Rights (the right to private life, protection of the home and correspondence) and to various rights and obligations stipulated in the European Data Protection Directive 95/46/EC and the Directive on Privacy and Electronic Communications 2002/58/EC. In both directives the focus is on the protection of personal data, which has resulted in a concurrent focus on anonymity. In its opinion on the use of location data for value-added services, the art. 29 Working Party notably speaks of ‘the freedom to come and go anonymously’ [WP05]. This project will raise the question of (1) to what extent anonymity is a categorical or a statistical attribute and (2) to what extent anonymity of location data is an adequate solution for privacy problems in the era of profiling. As to the last point we note that surveillance based on group profiles mined from anonymous data cannot be solved by means of anonymization [RG09]. The first objective then, will be to develop a conceptual framework that expresses the various location privacy notions existing within both domains and their interrelations. This will require mapping the relationships between the technical, legal and ethical concepts (and terms); identifying technical properties not usually captured in the legal and ethical domains; and identifying legal and ethical concepts not yet articulated in technology. Furthermore, we will investigate which notions imply others, which overlap and which are in conflict with each other, within and across domains. The close collaboration between the researchers from both groups will be invaluable to deepen the understanding of location privacy in its many dimensions, and lead to new insights that will enrich both disciplines. 2. Ethical and legal framework Building on the conceptual framework, we will develop an ethical and legal framework for targeting location privacy, involving concepts such as ‘privacy in context’ [Gu02, Ni10], ‘digital territories’ [DM07], and the ‘reciprocity principle’ [RPP03]. We will investigate the links between privacy and location in the physical sense as well as the more complex notion of context, referring to the fact that one physical location will often involve both private and public contexts (e.g. a person using her home pc for both work and leisure). To come to terms with the opacity of the ‘hidden complexity’ of the processing of location data, we will develop the notion of access to the ‘logic of processing’, as stipulated in art. 12 of D95/46/EC. We will take this as a starting point to construct ‘a right to know’ about how location data is processed, considering not only personally identifiable data but also pseudonymous and anonymous data. The analytical framework described in the third objective (below) will be key here to provide an understanding of the extent to which “anonymous data” can be used to construct location profiles, re-recognize, and eventually re-identify the individuals who generated the data, who can in turn then be associated to their behaviour, whereabouts and movements. Even when full re-identification is avoided, the association of anonymous individuals with inferred group profiles may suffice to intrude into their privacy. This implies that privacy is defined as more than mere anonymity [DS+02], taking into account its relation to identity-construction and autonomy [AR01] [Z0203]. 3. Analytical framework In order to technologically sustain conceptual, legal and ethical notions of location privacy we must first understand what current technologies can offer and which are their limitations with respect to well-understood privacy requirements. Currently this is a difficult task, as every new technique relies on a different set of arbitrary assumptions, defines its own notion of location privacy (which is often tied to the specific technical details of the application and hard to interpret in a broader context), and proves its validity through an ad-hoc analysis. Therefore, we identify the need for a general, systematic analysis methodology to evaluate location privacy technologies under comparable conditions. This analytical framework must be able to capture and exploit data leakages from multiple system components, and model the inferences that could be made from combining pieces of anonymous data. For this we will explore advanced Bayesian inference techniques, in particular Markov Chain Monte Carlo Methods [Ma03]. These algorithms use sampling to efficiently analyze complex systems with a large number of possible states, and subject to multiple constraints. Moreover, they provide the right level of abstraction to analyze arbitrary system configurations in a general, rather than ad-hoc, manner. Together with the definition of appropriate location privacy metrics, this framework will allow us to assess the extent to which the identified conceptual, legal and ethical notions are satisfied, and facilitate the design of systems that offer well-understood privacy guarantees. Methodology The project work will be organized along three work packages, each addressing one of the objectives identified above, and executed by two Ph.D. students. One of the students will have a legal (and preferably also philosophical) background and will be supervised by Prof. Serge Gutwirth and Prof. Mireille Hildebrandt, who bring to the project extensive expertise in studying the impact of emerging technologies on core tenets of democracy and the rule of law, notably on privacy, non-discrimination and due process. The second student will have a technical background, and will be supervised by Prof. Bart Preneel and Dr. Claudia Diaz, who are experts in computer security and privacy. The fulfilment of the project objectives will require that both students work in close collaboration, as specified in the description of the objectives, which provides the basis for the workplan for their interaction. In more detail: we plan for a monthly seminar during the first year, alternating between Leuven and Brussels, inviting experts and debating in function of the first objective. This should result in a co-authored paper by both students in an international peer reviewed journal that caters to interdisciplinary research, as well as separate articles in journals and top conferences within the respective disciplines. During the following two years similar seminars will be organised to work on the second and third objectives, again resulting in one or two co- authored publications, separate publications, and an international working conference on the topic. During the fourth year we expect that all attention will go to finalizing the PhD theses. The experiences of interdisciplinary cooperation between our two research groups in the context of the EU FIDIS Network of Excellence suggests that this joint undertaking will prove to be highly successful. The PhD student working within the technical discipline will prepare a PhD thesis on the subject of computational location privacy, focused on developing the analytical framework described in the third objective. The added value of the input from the legal and ethical domain will be that privacy attributes taken for granted within computer science will be challenged and rethought in order to develop a more comprehensive understanding of the nature of privacy beyond the hiding of discrete personal data. This will include an analysis of the extent to which the ambiguity inherent in a broader notion of privacy can be translated into mathematical models. It is expected that this will augment the chances that these technologies will be taken up by society, instead of remaining a tool for a minority of privacy advocates. The PhD student working within the disciplines of law and ethics will prepare a PhD thesis on the subject of location privacy as contextual privacy, investigating to what extent the dynamics and ambiguity of the ethical value and legal right of privacy can be translated into the analytical framework described in the third objective. The added value of the input from the computer science domain will be that it requires the lawyer (philosopher) to investigate the implications of computational location privacy for the legal (and ethical) domain, thus inviting a much needed reflection on the effectiveness and the legitimacy of written law as compared to its articulation in ICT infrastructures. Bibliography [AR01] P.E. Agre, M. Rotenberg (eds.). “Technology and Privacy: The New Landscape”. Cambridge, Massachusetts, MIT, 2001. [BS03] A. Beresford, F. Stajano. “Location privacy in pervasive computing”. IEEE Pervasive Computing 2(1):46-55, 2003. [BM+09] K. Bauer, D. McCoy, B. Greenstein, D. Grunwald, D. Sicker. “Physical Layer Attacks on Unlinkability in Wireless LANs”. In 9th Privacy Enhancing Technologies (PETS’09), Springer LNCS 5672, pp. 108-127, 2009. [Ca09] A. Cavoukian. “Privacy by design... take the challenge”. Information and Privacy Commissioner of Ontario (Canada), 2009. https://ozone.scholarsportal.info/bitstream/1873/14203/1/291359.pdf [DS+02] C. Diaz, S. Seys, J. Claessens, B. Preneel. “Towards measuring anonymity”. In 2nd Privacy Enhancing Technologies (PET’02), Springer LNCS 2482, pp. 54-68, 2002. [DM07] B. Daskala, I. Maghiros. “D1gital Territ0ries. Towards the protection of public and private space in a digital and Ambient Intelligence environment”. Institute for Prospective Technology Assessment (IPTS), 2007. [DLA05] G. Danezis, S. Lewis, R. Anderson. “How much is location privacy worth?” In 4th Workshop on the Economics of Information Society (WEIS’05), online proceedings, 2005. [Do05] F. Dötzer. “Privacy Issues in Vehicular Ad Hoc Networks”. In Privacy Enhancing Technologies (PET’05), Springer LNCS 3856, pp. 197-209, 2005. [DG03] P. De Hert, S. Gutwirth. “Making sense of privacy and data protection. A prospective overview in the light of the future of identity, location based services and the virtual residence”. In IPTS JRC Security and Privacy for the Citizen in the Post- September 11 Digital Age. A prospective overview, Report to the European Parliament Committee on citizens’ Freedoms and Rights, Justice and Home Affairs (LIBE), IPTS-Technical Report Series, EUR 20823 EN. 2003. p. 111–162 [GP09] P. Golle, K. Partridge. “On the anonymity of home/work location pairs”. In Pervasive Computing, Springer LNCS 5538, pp. 390-397, 2009. [GG03] M. Gruteser, D. Grunwald. “Anonymous usage of location-based services through spatial and temporal cloaking”. In proceedings of MobiSys '03. ACM, 31-42, 2003. [Gu02] S. Gutwirth. “Privacy in the information age”. Rowman & Littlefield, 2002. [HCL04] J.-P. Hubaux, S. !apkun, J. Luo. “The security and privacy of smart vehicles”. IEEE Security and Privacy 2(3): 49-55, 2004. [HK10] M. Hildebrandt, B. J. Koops. “The challenges of Ambient Law and legal protection in the profiling era”. Modern Law Review 73(3), 2010 (forthcoming). [HG05] B. Hoh, M. Gruteser. “Location privacy through path confusion”. In IEEE Security and Privacy for Emerging Areas in Communication Networks (SecureComm), IEEE Computer Society, pp. 194-205. 2005. [Kr07] J. Krumm. “Inference attacks on location tracks”. In Pervasive Computing, Springer LNCS 4480, pp. 127-143, 2007. [Kr09] J. Krumm. “A survey of computational location privacy”. Personal and Ubiquitous Computing 13(6): 391-399, 2009. [Ma03] D. Mackay. “Information theory, inference, and learning algorithms”. Cambridge Univ. Press, 2003. [Ni10] H. Nissenbaum. “Privacy in context: technology, policy, and the integrity of social life”. Stanford Law Books, 2010. [SF+09] R. Shokri, J. Freudiger, M. Jadliwala, J.-P. Hubaux. “A distortion-based metric for location privacy”. In 8th ACM Workshop on Privacy in the Electronic Society (WPES), pp. 21-30, ACM, 2009. [Sw02] L. Sweeney. “k-anonymity: a model for protecting privacy”. International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10 (5): 557-570. 2002. [RG09] C. Raab, B. J. Goold. “Putting surveillance on the political agenda. A short defence of surveillance, citizens and the state”. Surveillance & Society 6 (4) 2009, 408413. [RPP03] G. Roussos, D. Peterson, U. Patel. “Mobile identity management: an enacted view”. International Journal of Electronic Commerce 8(1): 81-100, 2003. [TC+10] C. Troncoso, E. Costa, S. Schiffner, C. Diaz. “How the Vehicle Infrastructure Integration anonymous certificates enable the tracking and re-identification of vehicles”. COSIC technical report, 15 p, 2010. [WP05] Art. 29 Working Party. WP 115. “Opinion on the use of location data with a view to providing value- added services”. November 2005. [XC09] T. Xu, Y. Cai. “Feeling-based location privacy protection for location-based services”. In 16th ACM conference on Computer and communications security (CCS’09), pp. 348-357, ACM, 2009. [Zi05] M. Zimmer. “Surveillance, privacy and the ethics of vehicle safety communication technologies”. Ethics and Inf. Technol. 7: 201-210, 2005
© Copyright 2024 Paperzz