TRUST, Washington, D.C. Meeting January 9–10, 2006 Securing Public Spaces with Sensor Networks: Science, Technology, and Privacy Stephen Wicker Cornell University

TRUST, Washington, D.C. Meeting January 9–10, 2006 TRUST Activity TRUST is engaged in the development of embedded secure sensor networks – Integrated center R&D at all levels Sensor Technology Networks Applications Policy/Legal Issues Activity at several members schools and Oak Ridge is being merged into capstone projects – Goal: Demonstration technologies and implemented policies

TRUST, Washington, D.C. Meeting January 9–10, 2006 Sensor Technology - The Mote

TRUST, Washington, D.C. Meeting January 9–10, 2006 Sensors for Bio-Defense Bi-layer lipid membrane used to create designer bio- sensors – When target analyte binds to protein, ion channel conductivity increases. Currently considering use in water supply protection. Sensor performance statistics used to define networking requirements. Outside Player: NY Dept of Health/ Wadsworth Laboratories

TRUST, Washington, D.C. Meeting January 9–10, 2006 Long-Term Power Sources for Embedded Sensors Radiation-powered batteries for embedded sensor platforms – Radio-isotopes have the possibility of a 50 year life with a continuous power density of ma/cm 3. SiC based beta-voltaic cell has been developed and tested. Best measured power density for Ni-63 source 5.6nW/cm 2 with 4.4% efficiency. Best measured power density for tritium source ~1uW/cm 2 with 10% efficiency.

TRUST, Washington, D.C. Meeting January 9–10, 2006 Sensor Platform Technologies CU Asynchronous Processor – Event-driven execution is ideal for sensor platforms Clockless logic – Spurious signal transitions (wasted power) eliminated – Hardware only active if it is used for the computation MIPS: high- performance – 24pJ/ins and V ProcessorBusYearE/opOps/sec Atmel8200?1-4 nJ4 MIPS StrongARM32200?1.9 nJ130 MIPS MiniMIPS nJ*22 MIPS Amulet3i nJ*80 MIPS 80C51 (P) nJ**4 MIPS Lutonium pJ4 MIPS SNAP pJ28 MIPS

TRUST, Washington, D.C. Meeting January 9–10, 2006 Designer OS for Sensor Networks Tiny OS – Large, active open source community: – 500 research groups worldwide – OEP for DARPA Network Embedded Systems Technology – Thousands of active implementations - the world’s largest (distributed)sensor testbed MagnetOS: Provide a unifying single- system image abstraction – The entire network looks like a single Java virtual machine – MagnetOS performs automatic partitioning Converts applications into distributed components that communicate over a network – MagnetOS provides transparent component migration Moves application components within the network to improve performance metrics MagnetOS Rewriter

TRUST, Washington, D.C. Meeting January 9–10, 2006 Sextant: Node Localization Use of large numbers of randomly distributed nodes creates need to discover geographic location – GPS is bulky, expensive, power-hungry Set up a set of geographic constraints and solve it in a distributed fashion – Aggressively extract constraints – Use just a few landmarks (e.g. GPS nodes) to anchor the constraints Can determine node location with good accuracy, without GPS or other dedicated hardware

TRUST, Washington, D.C. Meeting January 9–10, 2006 SHARP: Hybrid Routing Protocol Two extremes in routing – Proactive: disseminate routes regardless of need – Reactive: discover routes when necessary Neither are optimal for dynamic sensor networks SHARP adaptively finds the balance point between reactive and proactive routing – Enables multiple nodes in the network to optimize the routing layer for different metrics – Outperforms purely reactive and proactive approaches across a range of network conditions

TRUST, Washington, D.C. Meeting January 9–10, 2006 Self-Configuration at all Levels Motivations for Game Theory/Mechanism Design – Efficiency: ability of market-based distributed control mechanisms to move complex networks toward optimal operating points. – Scalability:distributed decision-making inherent in market settings. Interaction and decisions are local, obviating the need for a global perspective (which is both memory- and computationally-intensive). Critical Tools: Equilibrium concepts, utility-based decision making, and bargaining. ECE, CS, and Economics at several schools

TRUST, Washington, D.C. Meeting January 9–10, 2006 Securing the Sensor Network Key Thrust at CMU – Secure building blocks Secure key distribution Secure node-to-node and broadcast communication Secure routing Secure information aggregation – Real-time aspects and security – Secure middleware – Secure information processing – Sensing biometrics – Sensor database processing – Internet-scale sensor networks

TRUST, Washington, D.C. Meeting January 9–10, 2006 Application: Security in Public Spaces July 2005 London bombings highlights need for sensors in public places – Also the extent of ongoing surveillance – See also Tokyo gas attacks, etc. More modern infrastructure in most US urban settings creates opportunities.

TRUST, Washington, D.C. Meeting January 9–10, 2006 Sensor Networks in Public Places Protecting Infrastructure – Opportunities for embedding sensor networks Transportation Storage and Delivery of Water and Fuel Power Grid – TRUST is emphasizing development of supporting technology for randomly distributed sensors Buildings – Combine surveillance with energy control – Integrate into building materials Open Spaces (parks, plazas, etc.) – Combine surveillance with environmental monitoring – Line-of-sight surveillance technologies

TRUST, Washington, D.C. Meeting January 9–10, 2006 Oak Ridge/SensorNet Network Services Single Domain Multiple Domains Regional Level National Warning and Alert System

TRUST, Washington, D.C. Meeting January 9–10, 2006 Transportation Based Threat Assessment Demonstration Trucks can by-pass Mobile system under development Rapidly Deployable Low profile Integrated into Law Enforcement Establish truck RAD profile Predict manifest RAD profile Fuse external data sources Compare with past scans Determine if acceptable

TRUST, Washington, D.C. Meeting January 9–10, 2006 Privacy Issues Arise*… Technology leaves policy behind – Internet-controllable cameras in Berkeley plaza – Kyllo case Many sensor networks collect personally identifiable information (PII) – (Intended) Monitoring activities of the elderly so they can safely live at home – Network of highway monitors that can sense FastTRAK transponders in automobiles – (Unintended) - Sensing persons in buildings as part of embedded sensing for disaster preparedness or light savings Comprehensive information privacy regulations in EU and other countries, but not in US *Thanks to P. Samuelson, D. Mulligan, Bolt School of Law

TRUST, Washington, D.C. Meeting January 9–10, 2006 Constitutional Boundaries? US v. Miller: persons have no protectable privacy interest in data about them held by third parties – e.g., images of personal checks held by banking institutions – sensor network data will be in hands of others Kyllo v. US: use of heat-sensing technology violated 4 th A. (5-4 decision) – "[w]here, as here, the Government uses a device that is not in general public use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a 'search' and is presumptively unreasonable without a warrant.” Justice Scalia – "observations were made with a fairly primitive thermal imager that gathered data exposed on the outside of [Kyllo's] home but did not invade any constitutionally protected interest in privacy," and were, thus, "information in the public domain.” Justice Stevens, in dissent

TRUST, Washington, D.C. Meeting January 9–10, 2006 Policy Development Extend Fair Information Practices – Limitations on collection of data (only get what you need); destroy data after need is fulfilled – Right to collect data for specific purpose only (if want to reuse for other purpose, you have to get new permission) – Notice of data collection/purpose and consent – Obligations to keep data accurate, secure – Subject has right of access to check data accuracy, insist on changes – Accountability if data is incorrect or disclosed

TRUST, Washington, D.C. Meeting January 9–10, 2006 TRUST Capstone Projects Integrate Science, Technology, and Policy – Oak Ridge SensorNet Project Balancing security against privacy Issues: Limiting acuity to meet security needs only – Remote Sensing/Medical Portal Project Remote monitoring of cardiac patients Issues: Privacy-aware transport, variable levels of access – Museum Project Expressive AI projects using sensors to monitor patrons at public demonstrations Issues: Minimization of acuity, single-use, notification Policy Development – Cross-cutting effort to refine best practices in light of new and future sensor technologies.

TRUST, Washington, D.C. Meeting January 9–10, 2006 Security Thrusts Develop Taxonomy of Attacks – Attacks with and without defined defenses – Generic basis on which to evaluate new networks Characterizing Worst-Case Results – Statistical learning proposed as a means for determining what can be inferred from data – One basis for evaluating privacy concerns Ties into privacy road map

TRUST, Washington, D.C. Meeting January 9–10, 2006 Privacy Thrusts Noted that policy instruments lag technology development Proposed development of Privacy Road Map that will frontload policy development – Map sensor capabilities and network mission into deployment and data use rules – Key near-term: RFIDs, broad-based visual surveillance – Raises issue of impact of network configuration and heterogeneity on road map Approach: Extend fair information practices to cover sensor nets at regulatory or legislative level – Consent enablement is an important issue