Location Privacy in Multiple Social Contexts

1
Location Privacy in Multiple Social Contexts

• Ian Elcoate
• Jim Longstaff
• Paul Massey

2
Outline

• The wider project.
• Tracking Systems.
• Future Trends.
• Access Controls for Personal Location Data.
• Demo application.
• Conclusions and future work.

3
The Wider Project

• Access control model developed called the Tees
  Confidentiality Model (TCM).
• Initially access controls for Electronic Health
  Records (EHR) in UK Health Service.
• Allows/denies access to subsets of data based
  upon complex criteria initially developed with
  NHS consultants.

4
TCM Example

• Patient
• pregnancy termination when she was 16.
• Acutely psychotic at 49.
• Privacy Constraint
• I do not wish the members of the hospital team
  who carried
• out my termination operation to be ever able to
  see my
• psychosis data, except if they are viewing in a
  psychiatric
• role. (This constraint to be in force throughout
  the careers
• of those professionals concerned).

5
TCM Example
6
Extending the TCM

• Include Location Privacy.
• Where data has a spatial and temporal element
  access may be restricted based upon location and
  time
• Only allow access to data recorded in certain
  locations and at certain times.
• Only allow access to users in certain locations
  and at certain times.
• Assuming some tracking or calls for current
  location involved.

7
Tracking Systems

• Categorised as
• Compulsory
• e.g. tracking prisoners on parole.
• Semi-compulsory
• e.g. tracking of mobile workforce, logging mobile
  phone calls.
• Voluntary
• e.g. buddy systems.

8
Ambient Intelligence

• How does this fit in with ambient intelligence?
• Some systems envisage knowing location of
  individual. Access controls developed could
  allow/prevent/limit this.
• Others essentially broadcast info. Access
  controls could determine which broadcasts are
  acted upon.

9
Communication Application

• Have begun modelling and will create prototype
  based upon doctor on call.
• Doctors PDA will have database storing
• Times on call
• Areas covered
• Central control broadcast patient postcode to all
  doctors.
• Position returned for all on-call doctors.
• Nearest despatched to patient.

10
Design
11
Will such controls be used?

• Are the controls feasible?
• Technically YES
• BUT Is there a demand?
• A number of organisations are interested in our
  work.
• Many factors influencing success/failure.

12
Economic Trends

• Commercial benefit from having info. about
  customers and potential customers.
• Costs money to implement privacy.
• Modern networks make info. sharing easy.
• Power imbalance between large organisations and
  individual customers.
• BUT
• May be sufficient demand and organisations may
  provide privacy to gain commercial advantage.

13
Social Trends

• We act differently in different roles
• Parent
• Worker
• Friend
• Therefore, we have different privacy requirements
  to match each social context.
• Individual management of privacy controls and
  local data storage enables this.

14
Legal Trends

• Takes time to create new laws.
• Advances in computing and sensor technology are
  rapid.
• Organisations exist that lobby for greater
  privacy, e.g. Trade Unions.
• Privacy controls producing an audit trail would
  enhance trust and enable proof of adherence to
  policies/laws.

15
The Future Our View

• Ability to control access based upon user, role,
  etc.
• Ability to disclose information at different
  levels including use of spatial and temporal
  boundaries.
• Controls easily created by the Tracked Entity.
• Provision of overrides, for specifically
  authorised Users with automatic notification to
  the Tracked Entity and/or relevant authorities.
• An audit trail of access including by whom, when,
  where, etc.

16
Location Privacy

• The project is currently focussing on controlling
  access to tracking data.
• The controls developed can prevent/allow access
  to subsets of data based upon temporal and
  spatial constraints.
• Could be used to prevent/allow communication
  between user and other agent based upon same
  constraints.

17
The Prototype

• Simply shows stored locations matching spatial
  and temporal constraints.
• Same constraints could be applied to allow/deny
  communications or software operations.
• Demo.

18
Further Work

• Develop application based upon on-call doctors.
• Further develop simplification of spatial
  boundaries for use in portable devices.
• Further develop mathematical model of controls.
• Fully model access controls (UML) to allow
  development of a variety of applications.

19
Conclusions

• A set of access controls has been developed that
  may be used to control access to location data
  and/or general software operations based upon
  temporal and spatial constraints.
• These could be implemented by non-technical users
  for a variety of applications and operate
  automatically thus controlling ubiquitous
  information exchange.

20
Thank You

• Any questions?