
    Context-aware Authorization in Highly Dynamic Environments

    Highly dynamic computing environments, like ubiquitous and pervasive computing environments, require frequent adaptation of applications. Context is key to adapting to user needs. On the other hand, standard access control trusts users once they have authenticated, despite the fact that they may reach unauthorized contexts. We analyse how taking into account dynamic information like context in the authorization subsystem can improve security, and how this new access control applies to interaction patterns, like messaging or eventing. We experiment and validate our approach using context as an authorization factor for eventing in Web services for devices (like UPnP or DPWS), in smart home security

    Non-Invasive User Tracking via Passive Sensing: Privacy Risks of Time-Series Occupancy Measurement

    ABSTRACT A large-scale sensing infrastructure can collect ample data to benefit many real-world applications. One promising application scenario is building management. However, exposure of the sensor data potentially reveals private details about building users. In this paper, we investigate indoor location privacy as a motivating example to manifest potential privacy risks in smart buildings. We apply inference techniques to reconstruct users' location traces from room-level occupancy data. Unlike other types of surveillance that are dedicated to explicit tracking, such as security cameras, time-series occupancy traces, as aggregated environmental measurements, are typically deemed privacy-preserving. Unfortunately, they may still reveal some of the same sensitive information as privacy-invasive sensing such as video surveillance. We conduct experiments using a publicly available dataset and synthetic data. Our results demonstrate the underlying privacy leakage via occupancy data. We further show how our evaluation can enable adaptive privacy mechanisms to control the information leakage by the sensing system

    Avoiding Privacy Violations Caused by Context-Sensitive Services

    The increasing availability of information about people's context makes it possible to deploy context-sensitive services, where access to resources provided or managed by a service is limited depending on a person's context. For example, a location-based service can require an individual to be at a particular location in order to let the individual use a printer or learn her friends' location. However, constraining access to a resource based on confidential information about a person's context could result in privacy violations. For instance, if access is constrained based on a person's location, granting or rejecting access will provide information about this person's location and could violate the person's privacy. We introduce an access-control algorithm that avoids privacy violations caused by context-sensitive services. Our algorithm exploits the concept of access-rights graphs, which represent all the information that needs to be collected in order to make a context-sensitive access decision. Moreover, we introduce hidden constraints, which keep some of this information secret and thus allow for more flexible access control. We present a distributed, certificate-based access-control architecture for context-sensitive services that avoids privacy violations, a sample implementation, and a performance evaluation

    Dynamic Privacy Management In Services Based Interactions

    Technology advancements have enabled the distribution and sharing of users' personal data over several data sources. Each data source is potentially managed by a different organization, which may expose its data as a Web service. Using such Web services, dynamic composition of atomic data items, coupled with the context in which the data is accessed, may expose sensitive data in ways that do not comply with the users' preferences at the time of data collection. Thus, applying uniform access policies to such data can lead to privacy problems. Some fairly recent research has focused on providing solutions for dynamic privacy management. This thesis advances these techniques, and fills some gaps in the existing works. In particular, dynamically incorporating user access context into the privacy policy decision, and its enforcement