Context Data Model for Privacy
Emin İslam Tatlı
Department of Computer Science, University of Mannheim, Germany
tatli@informatik.uni-mannheim.de
PRIME Standardization Workshop
IBM Zürich, 06-07 July 2006
Abstract
Context-aware applications introduce new privacy risks while utilizing user context data. Location is the context most commonly taken into consideration within context-aware applications. But there is more context than location, and there are more privacy risks than location privacy risks. In addition, there is a context-to-context relation in terms of privacy. In this paper, we propose a privacy-aware context data model based on the context data model of Schmidt et al. The proposed data model focuses on context privacy and on the privacy dependence of context-to-context relations.
1 Motivation
Context-aware applications use context as input when delivering a service. Context-aware applications can be grouped into six groups [2]: tracking services, navigation services, information services, communication services, entertainment services and transaction services. Context can be described as any information that can be used to characterize the situation of an entity, like a user's identity, habits, emotions, etc. Location is the most dominant context used within applications.
In location-aware applications, a user's absolute or relative location is used as input to the system and the service is returned accordingly. The Global Positioning System (GPS) is the common method to compute the location outdoors. WLAN and Bluetooth access-point-based techniques are used to calculate the location in indoor areas. Even though location enables very useful functionality, collecting location data and tracking people have become the new privacy risks in location-aware applications. Considering these risks, users should be in a position to control their location privacy.
Even though location is the most used context, there are other context data that increase functionality. Schmidt et al. point out this fact in their paper titled "There is more to Context than Location" [6] and propose a context data model which illustrates possible context data stemming from the user himself and his surroundings.
Supporting more context data means dealing with more privacy risks about the new context data. Besides, each context datum can affect the privacy level of other context data, and this makes privacy control more difficult. Future context-aware applications should take into consideration the context privacy of users and the dependence between context relations. Hence, a new context data model is required for integration within future applications. In this paper, we have reworked the context model proposed by Schmidt et al. and enhanced it into a new data model with privacy concerns in mind.
The paper is structured as follows: In Section 2, the context data model of Schmidt et al. is explained. Privacy requirements of context data in the new data model are discussed in Section 3. The proposed privacy-aware data model is explained in Section 4. Finally, the paper is concluded.
2 Context Data Model
Schmidt et al. go beyond location and introduce more context data about a user and his environment. Their proposed data model is illustrated in Figure 1.
According to their model, context can originate from human factors or the physical environment. Human factors can be categorized into three groups: user (his knowledge, characteristics, habits, etc.), social environment (social interaction, etc.) and tasks (engaged tasks, general goals, etc.). The physical environment can also be categorized into three groups: conditions (light, audio, temperature, etc.), infrastructure (surroundings for computation and communication) and location (absolute location, relative location, etc.).
The main focus of this data model is the context resources. It does not consider context privacy or context interactions.
3 Privacy Requirements
Figure 1: User Context Data Model
Existing works [1, 3, 4, 5] on context privacy consider a small set of context like location, date and time. But new context-aware applications will use more context data, and therefore a new privacy-aware data model is needed. In this new model, the following privacy issues should be defined in detail:
a) Context data should be classified as protected or not protected. Not all context data are shared with others within the applications. The context data that are distributed to others should be explicitly defined within the protected context group.
b) The status of a context datum can change very often, and this change can affect the user's privacy preferences over another of his context data. For example, a change in the social environment can affect your privacy concern about the location context: you may want to hide your location from everyone except your family members.
c) Context blurring enables a user to give away the value of his context within ranges, instead of giving the exact value. It can be used as a method to increase privacy. The context data that can be blurred should be explicitly defined in the new data model.
4 Privacy-aware Context Data Model
Analyzing Schmidt et al.'s context data model and the privacy requirements in the previous section, we have come up with two main categories in the privacy-aware context data model: protected context and evaluated context. The context data in the protected context group are distributed to other principals in order to increase functionality and therefore require privacy protection. Any context data in this group can benefit from blurring. The context data in the evaluated context group are not sent to other principals, but they affect the user's privacy concerns and are therefore used to evaluate the privacy of the context data in the protected group. Table 1 explains the context data of each group in detail:

Table 1: Privacy-aware Context Data Model
A. Protected Context
1. User Identity: personal data like name, address, phone number, birth date, credit card number, etc.
2. User Profile: user interests, characteristics, habits, schedule, etc.
3. Physical Conditions: the context around the physical surroundings like temperature, light, pressure, etc.
4. Location: the absolute or relative location of a user
B. Evaluated Context
5. User Morale: the user's psychological morale status
6. Infrastructure: the surrounding resources with communication capability
7. Social Environment: the user's relatives, neighbors, colleagues and their relationships
8. User Tasks: the user's assigned tasks and aims
9. Time: date, time and day of week

Privacy dependence of context data and the blurring functionality in our privacy-aware model are illustrated in Figure 2. In our model supporting context privacy dependence, the main focus is on the protected context. The user's exchanged context should be protected, and for this purpose privacy policies based on context data from both the protected and the evaluated context group can be used. As an example of protected2protected context privacy dependence, a user can reveal his location (context to protect) only to people who are at a certain location (context as protector) or who have a certain identity (context as protector). As an example of protected2evaluated context dependence, you may not reveal your identity or location (context to protect) at certain dates (context as protector), e.g. during holidays.
Figure 2: Context Interaction in Privacy-aware Data Model
User tasks are concerned with the tasks and aims of a user and belong to the evaluated context data group. User morale (i.e. angry, sad, happy, etc.) also belongs to the evaluated context data group. But they cannot be used directly for context evaluation. Rather, having many tasks, or being busy or sad for a particular period, the user can change his status, which then can be used as a privacy protector in the evaluation.
Additionally, context blurring policies can also be defined based on both protected and evaluated context. As examples, the user can blur his location if his status is set to away, or the user can blur his characteristics information according to the physical conditions.
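The following is an added worked example, not code from the paper, showing how the protected/evaluated split of Table 1 and the protected2protected and protected2evaluated dependences of Section 4 can be enforced by a small policy evaluator with blurring. The context keys, the rule interface, the "deny wins over blur, blur wins over reveal" combination, the default deny for items no policy covers, the placement of the user's status under the evaluated tasks context, and all sample values are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Any, Callable, Dict, List, Tuple

# Table 1 groups (keys are this example's names). Only protected context is ever
# distributed to other principals; evaluated context stays local and only steers
# the decision about protected context.
PROTECTED = ("identity", "profile", "physical_conditions", "location")
EVALUATED = ("morale", "infrastructure", "social_environment", "tasks", "time")

# A rule sees the user's own context and the requester's context and returns
# "reveal", "blur" or "deny" for the item its policy protects.
Rule = Callable[[Dict[str, Any], Dict[str, Any]], str]


@dataclass(frozen=True)
class Policy:
    protect: str    # context to protect; must belong to the protected group
    protector: str  # context acting as protector; may come from either group
    rule: Rule

    def __post_init__(self) -> None:
        if self.protect not in PROTECTED:
            raise ValueError(f"only protected context can be protected: {self.protect}")
        if self.protector not in PROTECTED + EVALUATED:
            raise ValueError(f"unknown context: {self.protector}")

    def dependence(self) -> str:
        # The paper's two kinds of context-to-context privacy dependence.
        return "protected2protected" if self.protector in PROTECTED else "protected2evaluated"


# Blurring (requirement c): hand out a coarser value or a range, never the exact one.
def blur_location(loc: Tuple[float, float]) -> Tuple[float, float]:
    lat, lon = loc
    return (round(lat, 1), round(lon, 1))  # roughly a 10 km grid cell


def blur_temperature(celsius: float) -> Tuple[int, int]:
    low = int(celsius // 5) * 5
    return (low, low + 5)  # a 5-degree range instead of the exact reading


# Only context with a registered blurring function may be blurred (requirement c).
BLUR: Dict[str, Callable[[Any], Any]] = {
    "location": blur_location,
    "physical_conditions": blur_temperature,
}


def decide(user_ctx: Dict[str, Any], policies: List[Policy],
           requested: str, requester_ctx: Dict[str, Any]) -> Tuple[str, Any]:
    """Decide what a requester receives for one context item.

    Evaluated context is never distributed. Among the applicable policies one
    "deny" wins, then "blur", then "reveal"; an item no policy covers is denied.
    A blur verdict for an item without a blurring function becomes a deny so the
    exact value never leaks by accident.
    """
    if requested not in PROTECTED:
        return ("deny", None)
    verdicts = [p.rule(user_ctx, requester_ctx) for p in policies if p.protect == requested]
    if not verdicts or "deny" in verdicts:
        return ("deny", None)
    if "blur" in verdicts:
        if requested not in BLUR:
            return ("deny", None)
        return ("blur", BLUR[requested](user_ctx[requested]))
    return ("reveal", user_ctx[requested])


# Constructed sample data (not from the paper).
HOLIDAYS = {date(2006, 12, 25)}
USER_CTX: Dict[str, Any] = {
    "identity": {"name": "Alice Example", "phone": "+49-000-000000"},
    "profile": {"interests": ["hiking"], "habits": ["early riser"]},
    "physical_conditions": 21.7,              # temperature in Celsius
    "location": (49.4874, 8.4661),            # approximate Mannheim coordinates
    "morale": "happy",
    "infrastructure": ["wlan-ap-campus"],
    "social_environment": {"family": {"bob"}, "colleagues": {"carol"}},
    "tasks": {"open": 7, "status": "away"},   # status derived from the task load
    "time": date(2006, 7, 6),
}

POLICIES = [
    # protected2evaluated: location only to family members (requirement b).
    Policy("location", "social_environment",
           lambda u, r: "reveal" if r["identity"] in u["social_environment"]["family"] else "deny"),
    # protected2evaluated: location is blurred while the status is "away".
    Policy("location", "tasks",
           lambda u, r: "blur" if u["tasks"]["status"] == "away" else "reveal"),
    # protected2evaluated: identity is withheld on holidays.
    Policy("identity", "time",
           lambda u, r: "deny" if u["time"] in HOLIDAYS else "reveal"),
    # protected2protected: identity only to requesters in the same grid cell.
    Policy("identity", "location",
           lambda u, r: "reveal" if blur_location(r["location"]) == blur_location(u["location"]) else "deny"),
    # protected2evaluated: colleagues get exact conditions, everyone else a range.
    Policy("physical_conditions", "social_environment",
           lambda u, r: "reveal" if r["identity"] in u["social_environment"]["colleagues"] else "blur"),
]

BOB = {"identity": "bob", "location": (49.4880, 8.4700)}       # family member, nearby
CAROL = {"identity": "carol", "location": (52.5200, 13.4050)}  # colleague, far away

if __name__ == "__main__":
    for who in (BOB, CAROL):
        for item in ("location", "identity", "physical_conditions", "morale"):
            print(who["identity"], item, decide(USER_CTX, POLICIES, item, who))
```

With these constructed values Bob receives Alice's location only in blurred form (her status is "away") and her exact identity (same grid cell, not a holiday), while Carol is denied both; a request for an evaluated item such as morale is denied regardless of the requester, and a protected item that no policy mentions, such as the profile, is denied by default rather than released.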
5 Conclusion
In this paper, we have proposed a privacy-aware context data model which can help manage privacy in context-aware applications. The proposed data model defines a set of context data as the protected context group and supports defining privacy policies on the protected group based on any context data originating from the user himself or his surroundings.
References
[1] Platform for Privacy Preferences (P3P) Project. http://www.w3c.org/P3P. World Wide Web Consortium.
[2] H. H. Bauer, T. Reichardt, and A. Schüle. Was will der mobile Nutzer? Forschungsergebnisse zu den Anforderungen von Nutzern an kontextsensitive Dienste. University of Mannheim, 2006.
[3] Ginger Myles et al. Preserving privacy in environments with location-based applications. IEEE Pervasive Computing, 2(1):56–64, 2003.
[4] M. Zuidweg et al. Using P3P in a web services-based context-aware application platform. http://www.w3.org/2003/p3p-ws/pp/utwente.pdf.
[5] Marc Langheinrich. A privacy awareness system for ubiquitous computing environments. In UbiComp '02: Proceedings of the 4th International Conference on Ubiquitous Computing, London, UK, 2002.
[6] Albrecht Schmidt, Michael Beigl, and Hans-W. Gellersen. There is more to context than location. Computers and Graphics, 23(6):893–901, 1999.