Modeling Privacy Control in Context-Aware Systems

M any worry that existing privacy problems will only worsen in context-aware pervasive computing environments. 1,2 Ubiquitous sensing and the invisible form factor of embedded computing devices have made it easier than ever to collect and use information about individuals without their knowledge. Sensitive private information might live indefinitely and appear anywhere at anytime. Moreover, the ability of context-aware systems to infer revealing information from loosely related personal data has even more troubling implications for individual privacy. The risks are high: even a few privacy violations could lead to user distrust and abandonment of context-aware systems and to lost opportunities for great enhancements. In this article, we describe a theoretical model for privacy control in context-aware systems based on a core abstraction of information spaces. We have previously focused on deriving socially based privacy objectives in pervasive computing environments. 3 Building on Ravi Sandhu's four-layer OM-AM (objectives, models, architectures, and mechanisms) idea, 4 we aim to use information spaces to construct a model for privacy control that supports our socially based privacy objectives. 3 We also discuss how we can introduce decentralization, a desirable property for many pervasive computing systems, into our information space model, using unified privacy tagging. We use a hypothetical example to illustrate how you can use decentralized information spaces to model privacy control in a smart office environment. Imagine that Bob, a sales representative from company A, visits Carol, company B's senior manager , at B's headquarters to discuss a potential deal. Bob brings his own laptop, on which a trusted privacy runtime system has been preinstalled. On entering the building, Bob was given a visitor badge and an ID tag for his laptop, both enabled by radio frequency technologies, so that RF readers in the building constantly track his laptop's location. Bob first meets Carol in her office. As part of the discussion, Carol sends Bob's laptop some internal documents to review and specifies that these documents should only persist for the period of their meeting. The trusted privacy runtime system on Bob's laptop can enforce Carol's preference over data persistence if all documents were properly tagged. Although these documents reside on Bob's laptop, these " privacy tags " dictate that Carol controls them. In effect, such tags define an information space that Carol owns. After the meeting, Bob and Carol head toward a meeting where employees in Carol's department will discuss the deal with …