Conference Paper

Privacy Threat Model in Lifelogging


Abstract

The lifelogging activity enables a user, the lifelogger, to passively capture multimodal records from a first-person perspective and ultimately create a visual diary encompassing every possible aspect of her life with unprecedented details. In recent years it has gained popularity among different groups of users. However, the possibility of ubiquitous presence of lifelogging devices especially in private spheres has raised serious concerns with respect to personal privacy. Different practitioners and active researchers in the field of lifelogging have analysed the issue of privacy in lifelogging and proposed different mitigation strategies. However, none of the existing works has considered a well-defined privacy threat model in the domain of lifelogging. Without a proper threat model, any analysis and discussion of privacy threats in lifelogging remains incomplete. In this paper we aim to fill in this gap by introducing a first-ever privacy threat model identifying several threats with respect to lifelogging. We believe that the introduced threat model will be an essential tool and will act as the basis for any further research within this domain.


... Operational Inferences Inferring sensitive attributes about individuals and organizations. Note that even with perfect disclosure controls to inhibit re-identification inferences, operational inferences unrelated to PII may still be possible, depending on the threat model [29,67]. ...
Article
The NIST Privacy Framework describes itself as a comprehensive approach to organization-wide privacy program management. However, inferences can yield sensitive information about identities or attributes from nonsensitive information. Privacy governance must protect this information. Although many people and organizations are expanding their privacy definitions to include inferences, our gap analysis reveals that the framework's mapped controls are insufficient for managing inference-driven risk. The framework does not direct sufficient organizational focus to privacy inference risk to support its stated claim of comprehensive risk management. Applying the framework to past incidents where ostensibly protected information was re-inferred, we analyze how organizations can better mitigate inference-based privacy violations. Finally, we recommend detailed improvements to the framework's controls to account better for inferences. Our recommendations encompass augmenting and mapping additional privacy risk controls to increase implementing organizations' awareness of inference risks, updating controls that depend on protecting specific PII categories, and enhancing organizations' proficiency in translating legal and policy requirements into technical implementations.
... As a consequence, they observed that such capture of private spaces as well as the presence of specific objects in images made users concerned about their privacy. Similar privacy concerns with images showing specific objects or taken at particular locations, but also portraying other known people, bystanders or user activities, have also been observed by other studies [16,24,27]. Price et al. [39] noticed that users are less concerned in sharing images with a group of other lifeloggers than with non-lifeloggers, further suggesting that this could re-define what a private space means when lifelogging in a group. ...
Conference Paper
Today's sensor-rich mobile and wearable devices allow us to seamlessly capture an increasing amount of our daily experiences in digital format. This process can support human memory by producing "memory cues", e.g., an image or a sound that can help trigger our memories of a past event. However, first-person captures such as those coming from wearable cameras are not always ideal for triggering remembrance. One interesting option is thus to combine our own capture streams with those coming from co-located peers, or even infrastructure sensors (e.g., a surveillance camera), in order to create more powerful memory cues. Given the significant privacy and security concerns of a system that shares personal experience streams with co-located peers, we developed a tangible user interface (TUI) that allows users to control in situ the capture and sharing of their experience streams through a set of five physical gestures. We report on the design of the device, as well as the results of a user study with 20 participants that evaluated its usability and efficiency in the context of a meeting capture. Our results show that our TUI outperforms a comparable smartphone application, but also uncover user concerns regarding the need for additional control devices.
... There are other works, as presented in [16,17,18,19], which discuss and present a threat model in lifelogging, a mathematical representation of identity, and trust issues. Even though they are not strictly related to the scope of the current paper, we have drawn motivation on how to model an attack from these works. ...
Article
In this article, we present a model of cyber attacks which can be used to represent a cyber attack in an intuitive and concise way. With the ever-increasing popularity of online services, we have seen a growing number of cyber attacks targeted towards large online service providers as well as individuals and IoT devices. To mitigate these attacks, there is a strong need to understand their different aspects. Creating a model is a widely used method towards this goal. Unfortunately, the number of models for cyber attacks is quite low and even the existing models are not comprehensive. In this paper, we aim to fill this gap by presenting a comprehensive cyber attack model. We have used this model to represent a wide range of cyber attacks and shown its applicability and usefulness. We believe that our model will be a useful tool for the formal analysis of cyber attacks.
... With these gaps in mind, we have made the following contributions in our previous work [4]: ...
Article
The visual lifelogging activity enables a user, the lifelogger, to passively capture images from a first-person perspective and ultimately create a visual diary encoding every possible aspect of her life with unprecedented detail. In recent years, it has gained popularity among different groups of users. However, the possibility of ubiquitous presence of lifelogging devices specifically in private spheres has raised serious concerns with respect to personal privacy. In this article, we have presented a thorough discussion of privacy with respect to visual lifelogging. We have readjusted the existing definition of lifelogging to reflect different aspects of privacy and introduced a first-ever privacy threat model identifying several threats with respect to visual lifelogging. We have also shown how the existing privacy guidelines and approaches are inadequate to mitigate the identified threats. Finally, we have outlined a set of requirements and guidelines that can be used to mitigate the identified threats while designing and developing a privacy-preserving framework for visual lifelogging.
Chapter
A new visualization user experience is expected to be empowered by XR technologies. XR accommodates a wide range of computerized reality technologies, such as AR (Augmented Reality), MR (Mixed Reality), and VR (Virtual Reality). XR provides a more immersive and entertaining user experience. The number of devices is increasing and they support a wide range of applications. As consumer XR applications start to grow, it is important to understand the privacy threats. The author describes privacy threats in XR. First, the author discusses privacy threat elements. Second, the author describes a 3-dimensional model of privacy threats in XR. It clarifies the XR-specific privacy threats in addition to those of other sensor-API-enabled applications.
Conference Paper
There exist disparate sets of definitions with different semantics on different topics of Identity Management which often lead to misunderstanding. A few efforts can be found compiling several related vocabularies into a single place to build up a set of definitions based on a common semantic. However, these efforts are not comprehensive and are only textual in nature. In essence, a mathematical model of identity and identity management covering all its aspects is still missing. In this paper we build up a mathematical model of different core topics covering a wide range of vocabularies related to Identity Management. At first we build up a mathematical model of Digital Identity. Then we use the model to analyse different aspects of Identity Management. Finally, we discuss three applications to illustrate the applicability of our approach. Being based on mathematical foundations, the approach can be used to build up a solid understanding of different topics of Identity Management.
Article
We routinely hear vendors claim that their systems are "secure." However, without knowing what assumptions are made by the vendor, it is hard to justify such a claim. Prior to claiming the security of a system, it is important to identify the threats to the system in question. Enumerating the threats to a system helps system architects develop realistic and meaningful security requirements. In this paper, we investigate how threat modeling can be used as the foundation for the specification of security requirements. Although numerous works have been published on threat modeling, there is a lack of an integrated, systematic approach toward threat modeling for complex systems. We examine the differences between modeling software products and complex systems, and outline our approach for identifying threats of networked systems. We also present three case studies of threat modeling: Software-Defined Radio, a network traffic monitoring tool (VisFlowConnect), and a cluster security monitoring tool (NVisionCC).
Article
Rather than try to capture everything, system design should focus on the psychological basis of human memory.
Article
In the last couple of years, several European countries have started projects which intend to provide their citizens with electronic identity cards, driven by the European Directive on Electronic Signatures. One can expect that within a few years, these smart cards will be used in a wide variety of applications. In this paper, we describe the common threats that can be identified when using security tokens such as smart cards in web applications. We illustrate each of these threats with a few attack scenarios. This paper is part of a series of papers, written by several academic teams. Each paper focuses on one particular technological building block for web applications.
Article
In this paper we examine the potential of pervasive computing to create widespread sousveillance, which will complement surveillance, through the development of life-logs—sociospatial archives that document every action, every event, every conversation, and every material expression of an individual’s life. Reflecting on emerging technologies, life-log projects, and artistic critiques of sousveillance, we explore the potential social, political, and ethical implications of machines that never forget. We suggest, given that life-logs have the potential to convert exterior generated oligopticons to an interior panopticon, that an ethics of forgetting needs to be developed and built into the development of life-logging technologies. Rather than seeing forgetting as a weakness or a fallibility, we argue that it is an emancipatory process that will free pervasive computing from burdensome and pernicious disciplinary effects.
Chapter
Threat analysis of a web application can lead to a wide variety of identified threats. Some of these threats will be very specific to the application; others will be more related to the underlying infrastructural software, such as the web or application servers, the database, the directory server and so forth. This paper analyzes the threats that can be related to the use of web services technology in a web application. It is part of a series of papers, written by different academic teams, that each focus on one particular technological building block for web applications.
Article
A 2-phase factor analytic study attempted to determine types of privacy. In Phase 1, 96 items were collected, administered to 166 subjects, and factor analyzed. For Phase 2, items were retained, revised, added, or deleted to form a condensed pool of 30 items of greater factorial purity. This revised questionnaire was given to 188 university students and then factor analyzed. Six independent factors of privacy were obtained, and factor scales to measure them were developed consisting of 5 factor-pure items per factor. The privacy factors identified were labeled Reserve, Isolation, Solitude, Intimacy with Family, Intimacy with Friends, and Anonymity.
Conference Paper
People are limited in their resources, i.e. they have limited memory capabilities, cannot pay attention to too many things at the same time, and forget much information after a while; computers do not suffer from these limitations. Thus, revealing personal data in electronic communication environments while being completely unaware of the impact on privacy might cause many privacy issues later. Even if people are privacy aware in general, the so-called privacy paradox shows that they do not behave according to their stated attitudes. This paper discusses explanations for the existing dichotomy between the intentions of people towards disclosure of personal data and their behaviour. We present requirements on tools for privacy-awareness support in order to counteract the privacy paradox.
Conference Paper
This paper tries to serve as an introductory reading to privacy issues in the field of ubiquitous computing. It develops six principles for guiding system design, based on a set of fair information practices common in most privacy legislation in use today: notice, choice and consent, proximity and locality, anonymity and pseudonymity, security, and access and recourse. A brief look at the history of privacy protection, its legal status, and its expected utility is provided as a background.
Gurrin, C., Albatal, R., Joho, H., & Ishii, K. (2014). A privacy by design approach to lifelogging. Digital Enlightenment Yearbook 2014: Social Networks and Social Machines, Surveillance and Empowerment, 49.