3 research outputs found

    Keeping ubiquitous computing to yourself: a practical model for user control of privacy

    As with all the major advances in information and communication technology, ubiquitous computing (ubicomp) introduces new risks to individual privacy. Our analysis of privacy protection in ubicomp has identified four layers through which users must navigate: the regulatory regime they are currently in, the type of ubicomp service required, the type of data being disclosed, and their personal privacy policy. We illustrate and compare the protection afforded by regulation and by some major models for user control of privacy. We identify the shortcomings of each and propose a model which allows user control of privacy levels in a ubicomp environment. Our model balances the user's privacy preferences against the applicable privacy regulations and incorporates five types of user-controlled 'noise' to protect location privacy by introducing ambiguities. We also incorporate an economics-based approach to assist users in balancing the trade-offs between giving up privacy and receiving ubicomp services. We conclude with a scenario and heuristic evaluation which suggests that regulation can have both positive and negative influences on privacy interfaces in ubicomp and that social translucence is an important heuristic for ubicomp privacy interface functionality.

    Deriving implementation-level policies for usage control enforcement

    Usage control is concerned with how data is used after access to it has been granted. As such, it is particularly relevant to end users who own the data. System implementations of access and usage control enforcement mechanisms, however, do not always adequately reflect end user requirements. This is due to several reasons, one of which is the problem of mapping concepts in the end user’s domain to technical events and artifacts. For instance, semantics of basic operators such as “copy” or “delete”, which are fundamental for specifying privacy policies, tend to vary according to context. For this reason they can be mapped to different sets of system events. The behaviour users expect from the system, therefore, may differ from the actual behaviour. In this paper we present a translation of specification-level usage control policies into implementation-level policies which takes into account the precise semantics of domain-specific abstractions. A tool for automating the translation has also been implemented.

    Semiautomatic Derivation and Use of Personal Privacy Policies in E-Business
