Preserving Privacy in Context-Aware Systems
Pramod Jagtap, Anupam Joshi, Tim Finin, Laura Zavala
Computer Science and Electrical Engineering
University of Maryland, Baltimore County, Baltimore, MD 21250 USA
pramod1@umbc.edu, joshi@cs.umbc.edu, finin@cs.umbc.edu, rzavala@umbc.edu
Abstract—Recent years have seen a confluence of two major
trends – the increase of mobile devices such as smart phones as
the primary access point to networked information and the rise
of social media platforms that connect people. Their convergence
supports the emergence of a new class of context-aware geosocial
networking applications. While existing systems focus mostly
on location, our work centers on models for representing and
reasoning about a more inclusive and higher-level notion of
context, including the user’s location and surroundings, the
presence of other people and devices, and the inferred activities
in which they are engaged. A key element of our work is the
use of collaborative information sharing where devices share
and integrate knowledge about their context. This introduces
the need for privacy and security mechanisms. We present a
framework to provide users with appropriate levels of privacy
to protect the personal information their mobile devices are
collecting, including the inferences that can be drawn from
the information. We use Semantic Web technologies to specify
high-level, declarative policies that describe user information
sharing preferences. We have built a prototype system that
aggregates information from a variety of sensors on the phone,
online sources, and sources internal to the campus intranet,
and infers the dynamic user context. We show how our policy
framework can be effectively used to devise better privacy control
mechanisms to control information flow between users in such
dynamic mobile systems.
Index Terms—Privacy, social networking, mobile computing,
policy, generalization
I. INTRODUCTION
Phones, especially smartphones, are increasingly the most
common gateway for people to access the information in-
frastructure and services available on the web. Smartphones
are programmable devices that come with a variety of powerful
embedded sensors such as GPS, accelerometers, microphones,
cameras, gyroscopes and others. These sensors can be used
to collect information about users and their surroundings
in terms of location, motion, temperature, other people in
the vicinity and so on. This information allows us to infer
a user’s context, and has the potential to change the way
people interact with the information infrastructure. For in-
stance, many new phone based applications enhance the social
networking experience with additional social dynamics that
emerge from allowing users to interact relative to location
and time. Location awareness is one important aspect of a
context-aware system. However, context encompasses more
than just the user’s location, because other things of interest
are also mobile and changing [23]. Other important aspects
include the ambiance, resources and people nearby, and the
activities in which they are engaged. The rise of online
social networking systems along with recent improvements in
mobile technology, smartphones, and sensor networks present
a unique opportunity for context-aware systems.
A very important issue in such applications is that of pri-
vacy. Unfortunately, this is often overlooked, or only superfi-
cially discussed. While context aware systems and applications
face security threats similar to other distributed and mobile
applications, privacy and security aspects are more prominent
due to the sensitive nature of context information. The existing
controls in context-aware systems are based on static information
(particular users or groups) and are predetermined. In
fact, on many smartphone systems, the user is asked to make
the decision to share sensor information such as location at
install time of the application. These controls are not adequate
for context-aware systems, since context is dynamic, and itself
determinative of what data can be shared. For instance, it might
be acceptable to share location and accelerometer information
generally, but not when one is exceeding the posted speed
limit while driving! This environment calls for better access
controls with finer control over the context data to preserve
user privacy. The user needs to be in control of the release of
her personal information at different levels of granularity, from
raw sensed data to high level inferred context information.
What is required is a privacy system that allows a user
to specify policies to control the information flow from
sensors based on the changing context of the users. None
of the existing models allows users to specify information
sharing policies based on such information. In this paper,
we present a semantically rich, policy-based framework to
constrain the information flow in a context-aware system.
It uses an OWL ontology to represent the dynamic aspects of a
context-aware system, and a combination of OWL-DL and Jena
rules specifying the policy to perform reasoning.
The dynamic elements such as user context, requester context,
temporal restrictions and context restrictions are taken into
consideration along with static information like profile infor-
mation and social relationships before making access control
decisions to sensed and inferred context data. The framework
also allows for automatic generalization of context attributes
in order to protect user privacy. This allows users to share
context information on different levels of accuracy along with
different types of information, from raw sensed data to inferred
context. The framework can be extended and incorporated
in existing social networks including location-based mobile
social networks. We have validated our architecture in an
on-campus context-aware prototype system that aggregates
information from a variety of sensors on the phone, online
sources, and sources internal to the campus intranet, and
infers the dynamic user context. We show how our policy
framework can be effectively used to devise better privacy
control mechanisms to control information flow between users
in such dynamic mobile systems.
II. RELATED WORK
While context-aware systems have been studied for a long
time, the focus has been mainly on the location and ac-
tivity inference. Recently research about privacy controls in
these systems has received significant attention. AnonySense
[24] is a privacy-aware architecture for collaborative pervasive
applications that use mobile sensing; mobile sensor data is
anonymized before any application uses it. Project Aware
Home [20] captures, processes and stores data (collected by
sensors) about home residents and their activities. It uses an
access control mechanism based on Role-based Access Control
(RBAC), defining environment roles similar to the subject roles
of RBAC to capture the security-relevant aspects of the
environment in which an application executes. Context Privacy
Service (CoPS) [22] describes the design and implementation of
a privacy service that controls how, when and to whom a user’s
context information may be disclosed. Using an end-user survey
and results from other research groups, its authors identified
the requirements for a flexible and efficient privacy service.
This system is most closely related
to our work. However, it does not handle context-dependent
privacy policies, which can be specified by users on dynamic
context data. There has been a lot of work done to develop
access control frameworks. Rei [18] is a policy language
designed for pervasive computing applications. It has been
used to build a security framework [17] that addresses the
issues of security for web resources, agents and services in
the Semantic Web. Rein (Rei and N3) [16] is a distributed
framework for describing and reasoning over policies in the
Semantic Web. It supports N3 rules [4] for representing
interconnections between policies and resources.
III. SYSTEM ARCHITECTURE
The major components of this system are client devices,
server side modules and the Internet services that provide
social media. The client devices are location aware smart-
phones. These client devices as well as the server side modules
contain a user profiles repository, a privacy control module and
content preferences. The server side also contains a content
aggregator, a learn and share module and a privacy control
module. The content aggregator combines social media like
event updates, photos, and videos from Internet services like
YouTube, Flickr, Facebook or university information portals.
The learn and share module infers the user’s dynamic context
using sensor data collected by a variety of sensors on the
phone, the information from the content aggregator and online
sources such as the user’s calendar. The inferred context is shared
with the corresponding client device so that the device, along
with the server, can handle further context sharing queries from
other clients. Requester queries are passed through the
privacy control module to constrain the information flow and
hence protect the user’s privacy. The privacy control module
provides the access control mechanisms and aids in controlling
the information flow within the system. On the client device,
it enables privacy sensitive and resource sensitive reasoning
over sensed data along with privacy enforcement between peer
devices sharing contextual information.
Information sharing occurs in three different ways: (i) context
information sharing between client devices, (ii) sensor data
sharing between a client device and the server, and (iii) context
and sensor information sharing between a client device and the
server. All of it is controlled by the privacy control module in
order to preserve user privacy. Our system uses the Jena Semantic
Web software tools [6] on Android devices [21] to perform
reasoning and to constrain the flow of sensed data according to
user-defined privacy policies. We will focus our discussion on
our privacy mechanisms and the relevant system components that
most directly influence the information flow in the system.
A. Privacy Related Components
The privacy control module aims to protect user privacy
by performing reasoning over the context. It deals with the
resource to be protected, the owner of a resource and the
requester who wants to access it. More abstractly, it accepts an
RDF triple (U, C, Q), where U is the identity of the requester,
C is the requester’s context (expressed as RDF triples in our
ontology), and Q is the query pertaining to context information.
The module has access to the owner’s profile information and
group information along with the specified privacy policies.
It enforces the owner’s privacy policies using static information
about the owner as well as dynamic information observed
and inferred from her context. It consists of (i) a set of
ontologies for describing activities/context, policies and access
requests, (ii) the knowledge about the owner, (iii) the privacy
preferences, and (iv) a reasoning engine that accepts requests
and performs the reasoning.
1) Context ontology: Our context ontology [13] captures
the user location and surroundings, the presence of other
people and devices, and the inferred activities in which they
are engaged. We adopt description logics (DL), specifically
OWL (Web Ontology Language), and associated inferencing
mechanisms to develop a model of context. The context
ontology captures the semantic notion of context in a mobile
context-aware system. Using the ontology, each device
contains a declarative knowledge base with semantically rich
information about the user, her activities, inferences, and
further contextual information. The knowledge base aligns
with the context ontology, which defines the key context
concepts used for making access control decisions. The ontology
supports the generalization of context information by creating
hierarchical models for different aspects of context, viz. activity
and location. This protects user privacy by giving users finer
control over their contextual information, allowing context to
be shared at different levels of granularity. The following
section describes the generalization in detail.
2) Generalization: Generalization involves replacing a
value with a less specific but semantically consistent value
in order to protect user data privacy [25]. Our system uses
context-data generalization to allow information sharing on
different levels of granularity.
Location Generalization
Location information is sensitive and hence it should be shared
only with the legitimate set of people decided by the user.
A privacy policy such as “Share my location with teachers on
weekdays from 9am-5pm” allows a group of people defined by
the user as “teachers” to access the user’s GPS location between
the specified hours. In many cases the user may be willing to
share her location, but not exactly. For instance, the user
can have a privacy policy like “Share my building-wide location
with teachers on weekdays from 9am-5pm” which allows
location sharing but at the same time does not reveal the
exact location. The system will share the building name
with “teachers” rather than the user’s exact GPS position. In
order to support location generalization, our ontology uses a
hierarchical model for location. Location is a super class of
Point, Room, Building, City and State classes. The Point
class is used for denoting the GPS coordinates whereas Room
and other subclasses are used to denote different levels of
abstractions for the location. The transitive “Part Of” property
creates a location hierarchy based on some simple axioms like
“Room is a part of Building”. The reasoning engine will use
this ontology to infer the different relations existing between
instances of these subclasses.
Activity Generalization
Along the lines of location generalization, we present activity
generalization, which allows users to share different descriptions
of their current activity with different sets of requesters.
Consider a policy like “Share my activity with friends on
weekends”; this shares the user’s current activity with the people
belonging to a “Friend” group. In many cases, the user is
willing to share a more generalized activity rather than the
precise one. For instance, if a user is attending a confidential
“project meeting” then she might want to share it in a more
generalized way as “working” or simply as a “meeting”. In such
cases, the user clearly needs to obfuscate certain pieces of
activity information. We permit the user to differentiate between
activities by attaching a confidentiality parameter, the visibility
option. The visibility option specifies the sensitivity level
of an activity from the user’s perspective. Our ontology supports
different visibility options: Public, SemiPublic, Private and
SuperPrivate. The Public option implies that the corresponding
activity is the least sensitive whereas SuperPrivate indicates
that the activity is the most sensitive; SemiPublic and Private
lie between them, in increasing order of sensitivity. These
visibility options can be used to share more generalized/less
sensitive/public activities instead of specific/sensitive/private
ones. Activity generalization is supported by a hierarchical
model of activities.
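The following is an added example, not code from the paper, showing both generalizations of this section in Python over a constructed knowledge base: the transitive closure of the location “part of” property, and the walk up the activity hierarchy driven by the visibility options. The individual names (ITE_325, ITE_Building, the activity chain) and the type/partOf predicates are assumptions for illustration.

```python
# Added example (not the paper's code): location and activity generalization over
# a constructed hierarchy modelled on the paper's context ontology.

# Location classes from most to least specific, as in the paper's Location subclasses.
LOCATION_LEVELS = ("Point", "Room", "Building", "City", "State")

# Constructed knowledge base as (subject, predicate, object) triples. Only the direct
# partOf axioms are asserted; transitivity is derived below, as a DL reasoner would.
SAMPLE_TRIPLES = [
    ("pt_39.2539_-76.7133", "type", "Point"),
    ("pt_39.2539_-76.7133", "partOf", "ITE_325"),
    ("ITE_325", "type", "Room"),
    ("ITE_325", "partOf", "ITE_Building"),
    ("ITE_Building", "type", "Building"),
    ("ITE_Building", "partOf", "Baltimore"),
    ("Baltimore", "type", "City"),
    ("Baltimore", "partOf", "Maryland"),
    ("Maryland", "type", "State"),
    # A point whose enclosing room/building is not (yet) known to the knowledge base.
    ("pt_unknown", "type", "Point"),
]


def rdf_types(triples):
    """Map each individual to its asserted class."""
    return {s: o for s, p, o in triples if p == "type"}


def part_of_closure(triples):
    """Transitive closure of partOf: individual -> set of every enclosing location."""
    direct = {}
    for s, p, o in triples:
        if p == "partOf":
            direct.setdefault(s, set()).add(o)
    closure = {}
    for start in direct:
        seen, stack = set(), list(direct[start])
        while stack:
            node = stack.pop()
            if node not in seen:
                seen.add(node)
                stack.extend(direct.get(node, ()))
        closure[start] = seen
    return closure


def generalize_location(triples, location, level):
    """Return the enclosing location of class `level` (e.g. the Building containing
    a Point). Returns None when the hierarchy cannot answer at that level, so the
    caller withholds the value rather than falling back to something more precise."""
    if level not in LOCATION_LEVELS:
        raise ValueError(f"unknown location level: {level}")
    types = rdf_types(triples)
    if types.get(location) == level:
        return location
    for ancestor in part_of_closure(triples).get(location, ()):
        if types.get(ancestor) == level:
            return ancestor
    return None


# Visibility options in increasing order of sensitivity (from the paper).
VISIBILITY_RANK = {"Public": 0, "SemiPublic": 1, "Private": 2, "SuperPrivate": 3}

# Constructed activity hierarchy: activity -> (visibility, more general activity or None).
SAMPLE_ACTIVITIES = {
    "project_meeting": ("SuperPrivate", "meeting"),
    "meeting": ("Private", "working"),
    "working": ("Public", None),
    "medical_appointment": ("SuperPrivate", "busy"),
    "busy": ("Private", None),
}


def generalize_activity(activities, activity, max_visibility):
    """Walk up the activity hierarchy until an activity is found whose visibility
    does not exceed what this requester may see. Returns None when even the most
    general ancestor is still too sensitive for the requester."""
    limit = VISIBILITY_RANK[max_visibility]
    node = activity
    while node is not None:
        visibility, parent = activities[node]
        if VISIBILITY_RANK[visibility] <= limit:
            return node
        node = parent
    return None


if __name__ == "__main__":
    point = "pt_39.2539_-76.7133"
    print(generalize_location(SAMPLE_TRIPLES, point, "Building"))  # ITE_Building
    print(generalize_activity(SAMPLE_ACTIVITIES, "project_meeting", "Private"))  # meeting
```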
3) Reasoning Architecture: The reasoning engine handles
the requester queries and performs reasoning for access
control decisions. Our system uses the Jena Semantic Web
framework [6] for performing the reasoning over context data.
The Jena inference system supports a variety of inference
engines or reasoners. In our system, the reasoning engine uses
the context ontology, the user’s context information and group
information along with the user-specified privacy rules to
generate an inference model. This inference model is used
for responding to requester queries.
4) Knowledge about the user: A user can create her personal
profile, enter information like name, email address, hobbies
and interests, and manage different groups of her friends.
Apart from that, the system holds dynamic knowledge about the
user’s context, including her current activity and location.
Our context ontology defines the entities required to represent
user information in addition to the FOAF [11] vocabulary. This
knowledge is specified using N3 [4] in our system. All the
attributes in a user’s personal profile as well as data sensed
by mobile devices are considered resources to be protected.
5) Privacy preferences: Privacy preferences are access control
rules that describe how a user wants to share which
information, with whom, and under what conditions. All
privacy preferences are represented as N3 rules in the system.
The user can specify privacy preferences to share personal
information based on her (i) profile and context information,
(ii) the requester’s context information, (iii) temporal and spatial
restrictions and (iv) generalization of context data. For example,
the user can have a privacy policy like “Share my activity
with friends all the time except when I am attending a lecture”,
which draws on the user’s context and group information. A
privacy policy like “Share my context information with anyone
who is attending the same class as me” considers both the user’s
context and the requester’s context before making the information
sharing decision; its rule is shown in Table I. A privacy policy
like “Do not share my context with anyone during super-private
activities” utilizes activity generalization and ensures that
activities with the “super-private” property are not shared with
anyone.
The user can specify privacy policies to protect the sensed
data. Before data is collected from sensors, or whenever
there is a request for sensed data, the privacy control module
evaluates the user-defined privacy policies and decides which
sensor data can be collected. Only data from the allowed sensors
is collected and sent to the server for further context inference.
For instance, a user can have a policy like “share GPS co-
ordinates on weekdays from 9am-5pm only if he is in office”.
Table II shows the corresponding Jena rule.
In our system, negative permission “prohibited” always
takes preference over positive “permitted” permission. It
means, if the output inference model has both “prohibited”
and “permitted” values for predicate such as “contextAccess”
then system assumes information sharing permission is “pro-
hibited”. Along with user-level privacy policies, our system
has provision for system-level policies. Context-aware
systems are used by individuals as well as organizations, and in
domains ranging from social-networking applications to the
military. In military domains or organizations, the user may not
be the sole owner of the client device and there is a strong need
for robust security mechanisms. Such organizations can have
system-level privacy policies which should always override
user-specified policies. The system-level policies should be
defined by the system administrator to ensure that sensitive
resources are always protected from illegitimate access. For
instance, the system administrator can define a system-level policy
like “Do not share the user’s context with anyone if she is
inside a NSA building 2” which ensures that the user’s context is
not shared with anyone while she is inside the NSA building
numbered 2. Our system ensures that user-level permissions are
always overridden by system-level permissions.
TABLE I
POLICY TO SHARE CONTEXT INFORMATION BASED ON OWNER’S
CONTEXT AND REQUESTER’S CONTEXT.
[ShareContextRule:
(?requester ex:requester "True")
(?requesterActivity platys:is performed by ?requester)
(?requesterActivity platys:occurs at ?requesterPlace)
(?requesterPlace platys:has location ?requesterLocation)
(?requesterLocation platys:part of ?requesterRoom)
(?requesterRoom rdf:type platys:Room)
(?user ex:systemUser "True")
(?userActivity platys:is performed by ?user)
(?userActivity platys:occurs at ?userPlace)
(?userPlace platys:has location ?userLocation)
(?userLocation platys:part of ?userRoom)
(?userRoom rdf:type platys:Room)
equal(?requesterRoom, ?userRoom)
equal(?requesterActivity, ?userActivity)
equal(?userActivity, platys:Listening To Lecture)
->
(?requester ex:contextAccess ex:userPermitted)
]
TABLE II
POLICY TO SHARE GPS COORDINATES. IT STATES THAT GPS DATA CAN
BE SHARED ON WEEKDAYS FROM 9AM-5PM ONLY IF THE USER IS IN THE OFFICE.
[ShareGPSRule:
(?request ex:hasRequester ?requester)
(?request ex:requestTime ?localTime)
(?requester ex:systemUser "True")
(?localTime time:dayOfWeek ?day)
ge(?day, 1) le(?day, 6)
(?localTime time:hour ?hour)
ge(?hour, 9) le(?hour, 17)
(?user ex:latitude ?latitude)
(?user ex:longitude ?longitude)
equal(?latitude, ?officeLat)
equal(?longitude, ?officeLong)
->
(?requester ex:canAccessGPSCoordinates "True")
]
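As an added example (not the paper’s implementation), the following Python code evaluates the example policies of this section as predicates over a single access request and applies the stated precedence: a “prohibited” outcome wins over “permitted”, and a system-level decision overrides the user-level ones. The rule encodings, the group name, the day-of-week convention and denial by default when no rule fires are assumptions.

```python
# Added example (not the paper's code): combining user-level and system-level
# privacy rules for one access request with the paper's precedence rules.
from dataclasses import dataclass

PERMITTED, PROHIBITED = "permitted", "prohibited"


@dataclass(frozen=True)
class AccessRequest:
    requester: str
    resource: str                   # "activity", "location" or "gps"
    requester_groups: frozenset     # owner-defined groups the requester belongs to
    owner_activity: str
    owner_activity_visibility: str  # Public | SemiPublic | Private | SuperPrivate
    owner_building: str
    owner_in_office: bool
    day_of_week: int                # assumed convention: 1 = Monday ... 7 = Sunday
    hour: int                       # local hour, 0-23


# --- user-level rules: each returns PERMITTED, PROHIBITED, or None (not applicable)

def share_activity_with_friends(req):
    """'Share my activity with friends all the time ...' (positive half)."""
    if req.resource == "activity" and "friends" in req.requester_groups:
        return PERMITTED
    return None


def except_during_lecture(req):
    """'... except when I am attending a lecture' (negative half of the same policy)."""
    if req.resource == "activity" and req.owner_activity == "Listening_To_Lecture":
        return PROHIBITED
    return None


def not_during_super_private(req):
    """'Do not share my context with anyone during super-private activities'."""
    if req.owner_activity_visibility == "SuperPrivate":
        return PROHIBITED
    return None


def share_gps_in_office_hours(req):
    """Table II: GPS coordinates on weekdays 9am-5pm, only while the owner is in the office."""
    if req.resource != "gps":
        return None
    if 1 <= req.day_of_week <= 5 and 9 <= req.hour <= 17 and req.owner_in_office:
        return PERMITTED
    return None


USER_RULES = [share_activity_with_friends, except_during_lecture,
              not_during_super_private, share_gps_in_office_hours]


# --- system-level rule: defined by the administrator, never overridable by users

def no_sharing_inside_nsa_building_2(req):
    """'Do not share the user's context with anyone if she is inside NSA building 2'."""
    if req.owner_building == "NSA_Building_2":  # constructed building identifier
        return PROHIBITED
    return None


SYSTEM_RULES = [no_sharing_inside_nsa_building_2]


def decide(req, user_rules=USER_RULES, system_rules=SYSTEM_RULES):
    """System-level outcomes are final. Otherwise a prohibition from any user rule
    beats a permission from another. With no applicable rule, deny (assumed default)."""
    system_outcomes = {rule(req) for rule in system_rules} - {None}
    if system_outcomes:
        return PROHIBITED if PROHIBITED in system_outcomes else PERMITTED
    user_outcomes = {rule(req) for rule in user_rules} - {None}
    if PROHIBITED in user_outcomes:
        return PROHIBITED
    if PERMITTED in user_outcomes:
        return PERMITTED
    return PROHIBITED


def make_request(**overrides):
    """Constructed baseline: a friend asks for the owner's activity on a Tuesday
    at 10am while the owner is working in her office building."""
    fields = dict(requester="bob", resource="activity",
                  requester_groups=frozenset({"friends"}),
                  owner_activity="working", owner_activity_visibility="Public",
                  owner_building="ITE_Building", owner_in_office=True,
                  day_of_week=2, hour=10)
    fields.update(overrides)
    return AccessRequest(**fields)


if __name__ == "__main__":
    print(decide(make_request()))                                      # permitted
    print(decide(make_request(owner_activity="Listening_To_Lecture")))  # prohibited
    print(decide(make_request(owner_building="NSA_Building_2")))       # prohibited
```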
IV. SYSTEM IMPLEMENTATION AND EVALUATION
Our prototype implementation uses smartphones such as
iPhone or Android phone as client devices. For the detailed
description of server side modules please refer to [8] and [14].
The client device can send different types of access requests
to another client device or the server. The main distinction
between the access requests made by a client device to a
peer device and to a server is that the latter request contains
a specific userId. This userId is used to retrieve specific
user’s information. These requests can be detailed context
access requests or specific resource requests like location or
activity access requests. The access request is processed by the
policy framework present on the client device or server, and its
result is shown to the requester at the permitted accuracy level.
The system treats contextual information and sensor information
as resources that change dynamically for the user, and provides
mechanisms to specify more expressive policies to control their
sharing. Users create policies using the Policy Editor interface,
a Web interface that can be used from the client device to
specify and edit privacy preferences. They specify an access
control rule as: ’who’, by selecting friends or groups of friends;
’what’, by selecting resources such as location or activity; and
’conditions’, by selecting allowed days of the week, specifying
an allowed time range during the day, or marking a region on
the map as sensitive. Users can also specify the allowable types
of activity, like sleeping, eating, working or chilling. The
policies are created and stored in N3 format on both server and
client sides in persistent memory and reloaded when required by
the reasoning engine.
A. System Evaluation
The goals of the evaluation were (i) to see whether the system
satisfies the basic criterion of allowing access to privileged
users and restricting illegal users, (ii) to test whether the
actual computing time of reasoning on mobile devices is
acceptable and (iii) to determine how it scales with different
sizes of user information, such as the number of users in the
group list. The system behaved as expected by allowing
information access to privileged users and denying access to
illegal users as per the user-defined privacy rules. Here, we
define a privileged user as a requester who is allowed to access
the user’s context as per the user-specified privacy rules,
whereas all others are modeled as illegal users.
We evaluated the system performance in terms of the reasoning
time taken for a requester query. It was measured when the
access requests were made to the server PC and to the Android
client device. To evaluate the scalability of the system, we
varied the number of users in the group list and noted the time
taken by the system (the reasoning time) to provide access
levels for the requester. Figure 1 shows the results of the
evaluation, where the obtained values are averages over several
runs. It describes the growth of the reasoning time (in
milliseconds) against the number of users in the group list. It
clearly shows that reasoning on mobile devices can be done
without any scalability issues and that it can be efficiently
used to enforce privacy over sensed and contextual data.
Fig. 1. Reasoning time (in milliseconds) for different numbers of users in
the owner’s group list.
V. CONCLUSION AND FUTURE WORK
Our mobile devices are becoming the dominant way we
communicate with people, access information, and consume
services. As they become more intelligent, they can and will
model our interests, activities and behavior in order to under-
stand our current context and, using it, better serve our needs.
When appropriate, aspects of this learned context may be
shared with other devices in order to collaborate and provide
enhanced service. This development introduces a strong need
to allow users greater control of what information is shared,
with whom and at what level of detail.
We described a policy based framework to control information
flow in collaborative context-aware applications. It allows
users to specify a rich suite of privacy preferences that consider
the static and dynamic knowledge about the user, along with
generalization rules to regulate the accuracy of results. Protected
resources can be activities, location information, or media
such as photos, videos posted by participants of the social
network. We showed some example policies that state of the
art systems do not support. Our privacy mechanisms constitute
a baseline that can be extended and incorporated by any of the
existing social networks including location based mobile social
networks. We plan to extend the prototype implementation to
address the engineering challenge of scalability. We plan to
carry out user studies to evaluate the utility of the proposed
privacy control mechanisms. We also plan to address the issues
of incorporating incentives to allow for even more flexibility
in the definition of policies for context-dependent release of
information.
ACKNOWLEDGMENT
The research described in this paper was partially supported
by the National Science Foundation (award 0910838) and the
Air Force Office of Scientific Research (MURI Grant FA9550-08-0265).
REFERENCES
[1] A. Acquisti and R. Gross. Imagined Communities: Awareness, Infor-
mation Sharing, and Privacy on the Facebook. In Proceedings of 6th
Workshop on Privacy Enhancing Technologies, 2006.
[2] D. Beckett. Turtle - Terse RDF Triple Language. Technical report, 2007.
[3] Tim Berners-Lee. Cwm - a general purpose data processor for the
semantic web.
[4] Tim Berners-Lee and Dan Connolly. Notation3 (N3): A readable RDF
syntax. Technical report, 2008.
[5] Tim Berners-Lee, Dan Connolly, Eric Prud’hommeaux, and Yosi Scharf.
Experience with n3 rules. In Rule Languages for Interoperability, 2005.
[6] Jeremy J. Carroll, Ian Dickinson, Chris Dollin, Dave Reynolds, Andy
Seaborne, and Kevin Wilkinson. Jena: implementing the semantic web
recommendations. pages 74–83, New York, NY, USA, 2004. ACM.
[7] Keith Cheverst, Nigel Davies, Keith Mitchell, Adrian Friday, and Chris-
tos Efstratiou. Developing a context-aware electronic tourist guide: some
issues and experiences. In CHI, pages 17–24, 2000.
[8] Audumbar Chormale. Constraining information flow in social networks
with privacy policies. Master’s thesis, University of Maryland, Baltimore
County, 2009.
[9] Jon Doyle. Truth maintenance systems for problem solving. Technical
report, Cambridge, MA, USA, 1978.
[10] Catherine Dwyer, Starr R. Hiltz, and Katia Passerini. Trust and privacy
concern within social networking sites: A comparison of Facebook and
MySpace. In Proceedings of the Thirteenth Americas Conference on
Information Systems (AMCIS), 2007.
[11] Mike Graves. FOAF: Connecting People on the Semantic Web.
[12] Ralph Gross and Alessandro Acquisti. Information revelation and
privacy in online social networks. In Proceedings of the 2005 ACM
workshop on Privacy in the electronic society, WPES ’05, pages 71–80,
New York, NY, USA, 2005. ACM.
[13] Pramod Jagtap. Context ontology, 2011. http://ebiquity.umbc.edu/ file
directory /resources/317.txt.
[14] Pramod Jagtap. Privacy preservation in context-aware systems. Master’s
thesis, University of Maryland, Baltimore County, 2011.
[15] H. Jones and J.H. Soltren. Facebook: Threats to privacy. ethics and the
law on the electronic frontier course, 2005.
[16] Lalana Kagal and Tim Berners-lee. Rein : Where policies meet rules in
the semantic web. Technical report, Laboratory, Massachusetts Institute
of Technology, 2005.
[17] Lalana Kagal, Tim Finin, and Anupam Joshi. A policy based approach
to security for the semantic web. In 2nd International Semantic Web
Conference (ISWC2003), September 2003.
[18] Lalana Kagal, Tim Finin, and Anupam Joshi. A policy language for a
pervasive computing environment. In IEEE 4th International Workshop
on Policies for Distributed Systems and Networks. June 2003.
[19] Lalana Kagal, Chris Hanson, and Daniel Weitzner. Using dependency
tracking to provide explanations for policy management. In Proc. IEEE
Workshop on Policies for Distributed Systems and Networks, pages 54–
61, Washington, DC, 2008. IEEE Computer Society.
[20] Cory Kidd, Robert Orr, Gregory Abowd, Christopher Atkeson, Irfan
Essa, Blair MacIntyre, Elizabeth Mynatt, Thad Starner, and Wendy
Newstetter. The Aware Home: A Living Laboratory for Ubiquitous
Computing Research. volume 1670, pages 191–198. 1999.
[21] Lorecarra. Androjena : Jena android porting, 2009.
[22] Vagner Sacramento, Markus Endler, and Fernando Ney Nascimento. A
privacy service for context-aware mobile computing. In Proceedings of
the First International Conference on Security and Privacy for Emerging
Areas in Communications Networks, pages 182–193, 2005.
[23] Bill Schilit, Norman Adams, and Roy Want. Context-aware computing
applications. In In Proceedings of the Workshop on Mobile Computing
Systems and Applications, pages 85–90, 1994.
[24] Minho Shin, Cory Cornelius, Dan Peebles, Apu Kapadia, David Kotz,
and Nikos Triandopoulos. AnonySense: A system for anonymous
opportunistic sensing. Journal of Pervasive and Mobile Computing,
2010.
[25] Latanya Sweeney. Achieving k-anonymity privacy protection using
generalization and suppression. International Journal on Uncertainty,
Fuzziness and Knowledge-based Systems, 10, 2002.
[26] Roy Want, Andy Hopper, Veronica Falc˜
ao, and Jonathan Gibbons. The
active badge location system. ACM Trans. Inf. Syst., 10:91–102, January
1992.
[27] D. A. Waterman and F. Hayes-Roth, editors. Pattern-Directed Inference
Systems. 1978.