1
Privacy-Aware Design for Physical Infrastructure
Prof. Stephen Wicker, Cornell University
2
Sensor Networks for Infrastructure Protection
- Protecting Infrastructure
  ◦ Opportunities for embedding sensor networks: power grid/SCADA, transportation, water and fuel
  ◦ Driven by the development of supporting technology for randomly distributed, wireless sensors
- Buildings
  ◦ Combine surveillance with energy control
  ◦ Integrate into building materials
- Open Spaces (parks, plazas, etc.)
  ◦ Combine surveillance with environmental monitoring
  ◦ Line-of-sight surveillance technologies
3
Privacy Issues
- Sensor networks collect data. Privacy issues follow.
- Standard problem: data security and integrity
  ◦ Protection against hackers, etc.
- Evolving problem: data presence
  ◦ We need protection against those who collect the data: cellular service providers, ISPs, …
4
A Moral Hazard: The Market for Information
- The goal of information collection is discrimination (Oscar Gandy, The Panoptic Sort)
- Highly-focused marketing strategies make money
  ◦ Telemarketing was a $662 billion a year industry in 2003
5
The Impact of Pervasive Surveillance
- Big Brother Syndrome: passive behavior in response to surveillance (epistemic impact)
- Kafka Syndrome: an extreme imbalance between the individual and private and public bureaucracies
- "A new mode of obtaining power of mind over mind, in a quantity hitherto without example." Jeremy Bentham, The Panopticon Writings
- "Hence the major effect of the Panopticon: to induce in the inmate a state of conscious and permanent visibility that assures the automatic functioning of power." Michel Foucault, Discipline and Punish
6
Mitigation: Electronic Communications Privacy Act of 1986
- Amends Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (the 1968 wiretap statute)
  ◦ Title I: electronic communications in transit. Covers the content of the communication; strictest standards for warrants.
  ◦ Title II: stored electronic communications. Weaker standards. Where does e-mail fit in?
  ◦ Title III: pen register / trap and trace devices. Covers the context of the communication (who called whom, when); the information obtained need only be "relevant and material" to an ongoing investigation.
- Weakened by the PATRIOT Act (e.g., expanded National Security Letters)
7
Obtaining Cellular Records
- Prior to 2005, law enforcement agencies were routinely granted access to location data without judicial oversight
  ◦ "Relevant and material" is a weak standard
- August 2005: a federal district court in New York turned down a request for cellular location data
  ◦ Required a showing of probable cause
- Undeniable good can be done
  ◦ A thief stole a woman's car with her phone and child inside; location data was used to find and stop the car within 30 minutes
  ◦ Countless E911 calls
- But…
  ◦ People should have a choice
  ◦ The mere presence of the data remains a threat: the money is too attractive, and the potential for governmental abuse is too great
8
A General Solution: Privacy-Aware Design
- Design systems so as to minimize the privacy threat.
- Such design practices are a moral obligation given the potential harm to the individual.
  ◦ Argument for another day: the Kantian emphasis on the individual vs. the Benthamite stress on the greatest good for the greatest number.
9
Privacy-Aware Design Practices
1. Provide full disclosure of data collection
2. Require consent to data collection
3. Minimize collection of personal data
4. Minimize identification of data with individuals
5. Minimize and secure retained data
Analogous to the 1973 U.S. Fair Information Practices and the 1980 OECD Guidelines.
10
Provide Full Disclosure of Data Collection
◦ Description requirement
◦ Enforceability requirement (e.g., the FTC enforces published privacy statements)
◦ Irrevocability requirement
◦ Intelligibility requirement
Require Consent to Data Collection
◦ Acknowledgement requirement
◦ Opt-in requirement; see U.S. West v. Federal Communications Commission, 182 F.3d 1224 (10th Cir. 1999)
11
Minimize Collection of Personal Data (1)
- Establish a functional requirement for collection
  ◦ Match the data to the mission: type and resolution
  ◦ Collection must be necessary to the functionality of the communication system, not just an easier or more cost-effective alternative
  ◦ Collection of data for "testing" is a grey area
12
Minimize Collection of Personal Data (2)
- Distributed processing requirement
  ◦ Process data as close to the source as possible: functional/destructive processing, and aggregation prior to centralized collection
  ◦ Limits the potential for re-use and for hacking
13
Technical Problem! Demand-response without centralized data collection
◦ Develop an architecture that supports demand-response without collecting fine-grained power consumption data.
◦ Secure local processing loop
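The following is an added example, not code from the slides, of one way to build the loop the two preceding slides ask for: each meter masks its interval reading with pairwise masks shared with its neighbours, the masks cancel in the feeder-level sum, and the utility sends back only a one-bit curtailment signal that each meter acts on locally. The pairwise-masking scheme, the Meter/aggregate/run_interval names, the 32-bit modulus and the sample readings are all assumptions made for this illustration; the seeds are generated here in place of a real key-agreement step.

```python
import hashlib
import hmac
import secrets
from itertools import combinations

MOD = 1 << 32   # readings are integer Wh; masked values live in Z_MOD (assumed size)

def pairwise_mask(seed: bytes, interval: int) -> int:
    """Fresh per-interval mask derived from a seed that exactly two meters share."""
    tag = hmac.new(seed, interval.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag[:4], "big")

class Meter:
    def __init__(self, meter_id: int):
        self.id = meter_id
        self.seeds = {}          # peer id -> shared seed (set up once, e.g. at installation)
        self.curtail = False     # local demand-response state; never reported upstream

    def masked_reading(self, reading_wh: int, interval: int) -> int:
        """Report reading plus masks; the lower id adds, the higher id subtracts."""
        value = reading_wh
        for peer, seed in self.seeds.items():
            m = pairwise_mask(seed, interval)
            value += m if self.id < peer else -m
        return value % MOD

    def apply_signal(self, curtail: bool) -> None:
        self.curtail = curtail   # e.g. defer a water heater; the decision stays in the home

def pair_meters(meters) -> None:
    """Give every pair of meters a shared seed (constructed here, not a real key exchange)."""
    for a, b in combinations(meters, 2):
        seed = secrets.token_bytes(32)
        a.seeds[b.id] = seed
        b.seeds[a.id] = seed

def aggregate(masked_values) -> int:
    """Aggregator/utility side: the masks cancel, leaving only the feeder total."""
    return sum(masked_values) % MOD

def demand_response(total_wh: int, feeder_limit_wh: int) -> bool:
    """Utility decision made on the aggregate alone."""
    return total_wh > feeder_limit_wh

def run_interval(meters, readings, interval: int, feeder_limit_wh: int):
    """One turn of the loop: mask, aggregate, broadcast one bit back to the meters."""
    masked = [m.masked_reading(r, interval) for m, r in zip(meters, readings)]
    total = aggregate(masked)
    signal = demand_response(total, feeder_limit_wh)
    for m in meters:
        m.apply_signal(signal)
    return masked, total, signal
```

The aggregator sees only uniformly masked values and the true total; it learns an individual reading only if it colludes with every other meter on the feeder. The caveat a deployment has to handle is dropout: if one meter fails to report, the masks it shares no longer cancel and the interval's total is garbage, which is why production schemes add a recovery path (for example, secret-sharing each seed among the peers) rather than relying on plain pairwise masks. The aggregate itself still needs a minimum group size to be meaningful; a "feeder" of one home is the fine-grained data in disguise.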
14
Minimize Identification with Individuals
- Does the technology require association of the data with the individual, or only with his/her equipment?
- Non-attribution requirement
  ◦ Track equipment, not the user
- Separate storage requirement
  ◦ Authentication/billing records should be kept separate from "functional" records.
  ◦ The isolation of the records should be cryptographically secure.
15
Technical Problem! Private use of a public service
◦ Assume a pool of valid users.
◦ How does a user show that he or she is in the pool without identifying himself or herself?
◦ Which cryptographic primitives?
16
Minimize and Secure Data Retention
- Functional requirement for retention
  ◦ Retention should be directly connected to functionality
  ◦ Otherwise, opt-in is required (at a minimum)
- Basic security requirement
  ◦ Inadvertent disclosure should be difficult to impossible
- Non-reusability requirement
  ◦ Use of the data in an undisclosed manner should be difficult to impossible
17
Example: Privacy-Aware Cellular Registration
- What is required for registration?
  ◦ The HLR (home location register) / home MSC (mobile switching center) needs to know how to route incoming calls
  ◦ The VLR (visitor location register) / gateway MSC needs to authenticate the user
- MS (mobile station) registration: a data-minimal solution
  ◦ A token identifies the MS's associated HLR
  ◦ Provide sufficient information to the HLR for authentication: a public-key encrypted ID, or a zero-knowledge proof
- HLR operation
  ◦ Return the authentication result to the VLR/GMSC
  ◦ Associate the current GMSC and registration number with the user's phone number. There is no way around this; it is needed for incoming calls. But there is no need for further location resolution, and no need for long-term retention after the user moves on.
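The following added example (not code from the slides) works through the registration above and, in the same block, answers the earlier "private use of a public service" question and the separate-storage requirement. The choice of primitive is an assumption: a Chaum RSA blind signature issued by the HLR lets the mobile station prove to the visited network that it belongs to that HLR's pool of subscribers without the credential being linkable to any subscriber; the identity itself travels only inside a ciphertext the HLR can open. The RSA parameters are toy constants built from two Mersenne primes, the textbook RSA padding and the HMAC challenge tag stand in for real GSM-style authentication, and the names HLR, VLR, ms_attach, the IMSI and phone number are all constructed for this illustration.

```python
import hashlib
import hmac
import math
import secrets

# Toy RSA parameters for the HLR (constructed: two Mersenne primes). A real
# deployment would use a generated >=2048-bit modulus with OAEP/PSS padding.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def h(data: bytes) -> int:
    """Full-domain hash of a token into Z_N for the toy signature."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

# --- Anonymous membership credential (Chaum RSA blind signature) -------------
# The HLR signs a blinded token for a subscriber it has already authenticated;
# after unblinding, (token, sig) proves "issued by this HLR" to any verifier,
# and neither the HLR nor the verifier can tie it back to a subscriber.

def blind(token: bytes):
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return (h(token) * pow(r, E, N)) % N, r

def issue_blind_signature(blinded: int) -> int:   # HLR side: sees only the blinded value
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    return (blind_sig * pow(r, -1, N)) % N

def verify_credential(token: bytes, sig: int) -> bool:
    return pow(sig, E, N) == h(token)

# --- Identity hidden from the visited network ---------------------------------

def encrypt_id(imsi: int) -> int:
    """Textbook RSA of (64-bit random nonce || IMSI): readable only by the HLR."""
    return pow((secrets.randbits(64) << 64) | imsi, E, N)

def decrypt_id(ciphertext: int) -> int:
    return pow(ciphertext, D, N) & ((1 << 64) - 1)

class HLR:
    def __init__(self):
        self.subscribers = {}   # imsi -> (msisdn, ki): authentication/billing store
        self.routing = {}       # msisdn -> (gmsc, regnum, expiry): functional store

    def enroll(self, imsi: int, msisdn: str, ki: bytes) -> None:
        self.subscribers[imsi] = (msisdn, ki)

    def register(self, gmsc: str, enc_id: int, nonce: bytes, tag: bytes, now: int):
        imsi = decrypt_id(enc_id)
        if imsi not in self.subscribers:
            return None
        msisdn, ki = self.subscribers[imsi]
        expected = hmac.new(ki, nonce + gmsc.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        regnum = secrets.token_hex(8)
        self.routing[msisdn] = (gmsc, regnum, now + 3600)  # current GMSC only, with expiry
        return regnum

    def route_incoming(self, msisdn: str, now: int):
        entry = self.routing.get(msisdn)
        if entry is None or entry[2] <= now:
            self.routing.pop(msisdn, None)   # stale registration is purged, not archived
            return None
        return entry[0], entry[1]

class VLR:
    def __init__(self, gmsc: str, hlr: HLR):
        self.gmsc, self.hlr = gmsc, hlr
        self.active = {}        # regnum -> credential hash; no subscriber identity here
        self.seen = set()       # tokens already presented, to stop replay

    def attach(self, token: bytes, sig: int, enc_id: int, nonce: bytes, tag: bytes, now: int):
        if token in self.seen or not verify_credential(token, sig):
            return None
        self.seen.add(token)
        regnum = self.hlr.register(self.gmsc, enc_id, nonce, tag, now)
        if regnum is not None:
            self.active[regnum] = hashlib.sha256(token).hexdigest()
        return regnum

def ms_attach(vlr: VLR, imsi: int, ki: bytes, credential, now: int):
    """Mobile station: prove pool membership to the VLR, reveal identity only to the HLR."""
    token, sig = credential
    nonce = secrets.token_bytes(16)
    tag = hmac.new(ki, nonce + vlr.gmsc.encode(), hashlib.sha256).digest()
    return vlr.attach(token, sig, encrypt_id(imsi), nonce, tag, now)
```

Two design points follow the slides directly. The VLR's records hold a registration number and a credential hash but never an IMSI or phone number, and the HLR keeps its subscriber table (authentication/billing) apart from its routing table (functional), which stores only the current GMSC and is purged on expiry rather than turned into a location history. The caveat is that a blind-signed token is only anonymous if it is used once: the VLR must reject replays (done above via the seen set), and the mobile station must fetch a fresh blinded credential for each attach, otherwise the token itself becomes a persistent pseudonym.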
18
Conclusion
- Sensor networks offer a powerful means for securing and monitoring critical infrastructure.
- Data collection creates a clear problem for the individual and for the collecting authority.
  ◦ Seemingly impersonal data can still be a problem. This is a particular issue in the EU, where extensive regulations protect the individual against corporate abuse.
- Privacy-aware design rules provide an important tool as sensors are deployed to protect critical infrastructure.