
Extending context models for privacy in pervasive computing environments Jadwiga Indulska The School of Information Technology and Electrical Engineering, The University of Queensland

Talk outline
- Pervasive computing
- Challenges in privacy enforcement
- Modelling of context information
- Requirements for ownership definitions
- Capturing ownership
- Context schemas
- Privacy enforcement based on ownership
- Summary

Pervasive computing
- Relies on context information to dynamically adapt to user requirements
- Context information obtained from:
  - Sensors
  - User profiles
  - Applications
  - Derivation mechanisms
- Some types of context info can be sensitive (e.g., user location and activity)
- Sensitive context needs protection => privacy enforcement

Challenges in privacy enforcement
- Loose couplings between people and resources
- Often no direct link between context source and owner (e.g., camera and people captured by camera)
- Heterogeneous privacy requirements due to:
  - Differences in information sensitivity
  - Differences in user preferences
  - Context-dependent changes in preferences
- Ownership may be context-dependent

Ownership of context information
- Issue of context ownership is largely ignored
- Context management systems either:
  - provide no privacy support, or
  - assume prior organisation of information by owner
- Our work addresses it directly and integrates ownership information into context models
- Ownership is captured at level of:
  - Object types
  - Fact types
  - Situations

Modelling of context information
- We use a fact-based modelling approach (CML)
- In this approach, developers define:
  - Entity types about which context information is represented
  - Types of context information represented (context fact types)
  - Sources of context information
  - Quality annotations (quality metadata about facts)
  - Dependencies between facts
  - Various other constraints and metadata on fact types

Example CML model
[Diagram: object types Person, Activity, Device, Place, Organisation, Device Type; fact types engagedIn, locatedAt, owns, canUse, ownedBy, controlledBy, hasType; legend: Profiled, Sensed, Temporal, Uniqueness constraints]

Terminology
- Object type:
  - Modelled as an ellipse in CML
  - Class of entity described in context information (e.g., Person)
- Fact type:
  - Modelled as role boxes in CML
  - Relation on one or more object types (e.g., locatedAt)
- Object:
  - Instance of Object type (e.g., the person Alice)

Terminology (cont.)
- Situation:
  - Describes context at higher level than facts
  - Defined using variation of predicate logic
  - Expresses conditions on context
  - Evaluates to truth value (true, false, or unknown)
  - E.g.,
    MeetingInProgress(room): ∃ person locatedAt[person, room] engagedIn[person, meeting]

Requirements for ownership definitions
- Context models instantiated as large fact bases => ownership must be scalable
- Ownership must be definable at:
  - organisational level
  - individual level
- Ownership must be context-dependent
- Owners of context information should have access at all times
- Context ownership (potentially) shared by multiple entities

Capturing ownership
- Ownership expressed through SQL-like context schema
- Our approach has clear benefits:
  - Context can be owned by multiple entities
  - Ownership can be context dependent
- Ownership supported on:
  - Object types
  - Fact types
  - Situations

Ownership of object types
- 3 classes of ownership for object types:
  - First class (capable of owning)
  - Second class (can be owned)
  - Third class (never have owners)
- E.g., a person (first class) owns a laptop (second class), which has a device type (third class)
- Default ownership of a context fact is defined as the union of the owners of objects participating in roles

Object type classes
[Diagram: the example CML model (Person, Activity, Device, Place, Organisation, Device Type; engagedIn, locatedAt, owns, canUse, ownedBy, controlledBy, hasType) with object types marked as 1st Class, 2nd Class or 3rd Class]

Ownership of fact types
- Can override default fact ownership by defining ownership explicitly on fact types
- Facts may have 0, 1 or multiple owners
- 0 owners:
  - Can be accessed by anyone
  - No privacy preferences applied
- 1, multiple owners:
  - Always accessible to owners
  - Disclosed according to preferences of all owners
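The ownership rules from the two slides above (object type classes, default fact ownership as a union, explicit fact-type ownership, and the 0 / 1 / multiple owner access rules), worked through as an added example that is not part of the original slides. The object names, the sample facts, the self-ownership of first class objects and the rule that every owner must permit a disclosure are assumptions made for illustration.

```python
# Added illustration; object names, sample facts and the rule for combining
# owner preferences are assumptions, not taken from the slides.
FIRST, SECOND, THIRD = 1, 2, 3

# Constructed objects. Treating places as third class is an assumption.
OBJECT_CLASS = {"alice": FIRST, "acme": FIRST, "laptop1": SECOND,
                "room42": THIRD, "notebook": THIRD, "tablet": THIRD}

# Constructed fact base: (fact type, objects filling its roles, in order).
FACTS = [("owns", ("alice", "laptop1")),
         ("ownedBy", ("laptop1", "acme")),
         ("locatedAt", ("alice", "room42")),
         ("hasType", ("laptop1", "notebook"))]

# Explicit fact-type ownership: index of the role whose object owns the fact,
# mirroring "locatedAt(...) OWNED BY person".
FACT_TYPE_OWNER_ROLE = {"locatedAt": 0}

def object_owners(obj):
    """Owners of one object, decided by its ownership class."""
    cls = OBJECT_CLASS[obj]
    if cls == FIRST:
        return {obj}      # assumption: a first class object owns itself
    if cls == THIRD:
        return set()      # third class objects never have owners
    owners = set()        # second class: looked up in the current facts
    for ftype, roles in FACTS:
        if ftype == "owns" and roles[1] == obj:
            owners.add(roles[0])
        elif ftype == "ownedBy" and roles[0] == obj:
            owners.add(roles[1])
    return owners

def fact_owners(fact):
    """Explicit fact-type ownership if declared, else union over all roles."""
    ftype, roles = fact
    if ftype in FACT_TYPE_OWNER_ROLE:
        return object_owners(roles[FACT_TYPE_OWNER_ROLE[ftype]])
    return set().union(*(object_owners(r) for r in roles))

def may_access(requester, fact, preferences):
    """preferences maps owner -> callable(requester, fact) -> bool (permit)."""
    owners = fact_owners(fact)
    if not owners or requester in owners:
        return True       # unowned facts are open; owners always have access
    deny = lambda r, f: False   # assumption: no stated preference = prohibit
    return all(preferences.get(o, deny)(requester, fact) for o in owners)
```

Because second class ownership is resolved from the fact base at query time, removing the `owns` fact immediately changes who owns `laptop1` and every fact it participates in, which is the context-dependent behaviour the slides call for.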

Ownership of situations
- Situations are defined in terms of context facts and logical connectives (and, or, not, exists, forall)
- Evaluating ownership on each fact is expensive!
- Assigning ownership to entire situation is cheaper
- Situations can be:
  - Unowned
  - Owned by 1 entity
  - Owned by multiple entities

Context schemas
- Loosely based on SQL
- Alternative textual format for modelling context
- Defines object types in domain
- Fact types defined in terms of object types
- Situations defined in terms of fact types
- Used as input for schema compiler which can be hooked up to tools for generating various outputs (e.g., model-specific helper classes for context manipulation)
- Can be extended with ownership information

Object type declarations
- First class objects
  - Tagged "FIRST CLASS"
  - e.g., FIRST CLASS Person
- Second class objects
  - Tagged "SECOND CLASS"
  - Must also be "OWNED BY" a first class object
  - Ownership may be context-dependent, e.g.,
      SECOND CLASS Device
      OWNED BY SELECT person FROM Using
               WHERE using.device = Device
- Third class objects
  - Tagged "THIRD CLASS"
  - e.g., THIRD CLASS DeviceType

Fact type declarations
- Fact types declared separately
- Declaration includes:
  - Object types participating in fact type roles
  - Optional ownership information (default ownership is assumed if not present)
- For example:
    CREATE SENSED FACT TYPE locatedAt(
        Person person KEY,
        Place place ALTROLE
    ) OWNED BY person

Situation declarations
- Example situation ownership definition:
    CREATE SITUATION Engaged(device)…
    OWNED BY SELECT person FROM owns
             WHERE owns.device = device
    UNION
             SELECT organisation FROM ownedBy
             WHERE ownedBy.device = device

Privacy enforcement based on ownership
- Modelling ownership is a first step towards enforcing privacy
- However, we also require information about owners' privacy requirements
- We express these requirements using our previously defined model for context-dependent preferences

Privacy enforcement based on ownership (cont.)
- Privacy preferences contain:
  - A scope statement (listing activation conditions)
  - A scoring expression (oblige or prohibit)
- Scope statement can contain the following variables:
  - Requester
  - Owner
  - Purpose
  - Fact type or situation
  - Fact type attributes OR situation variables
- We are developing an access control scheme that incorporates our ownership and preference models

Summary
- Sensitive context information requires privacy enforcement
- One of the challenges is in first determining ownership of context information
- We support ownership declarations as an extension to context models
- Ownership declarations can be defined at three levels:
  - Object level
  - Fact type level
  - Situation level
- Ownership information can be combined with context-dependent privacy preferences to provide access control for pervasive computing environments