USING CONTEXT FOR PRIVACY BOUNDARY CONTROL IN RFID APPLICATIONS

Shin'ichi Konomi, Center for LifeLong Learning and Design (L3D), University of Colorado, Boulder, CO 80309, U.S.A.
Chang S. Nam, Department of Industrial Engineering, University of Arkansas, Fayetteville, AR 72701, U.S.A.

Abstract
Creating a usable system that supports users' in-situ control over their privacy boundaries is a challenging problem. We propose process and data models for providing feedback that better supports RFID users' privacy boundary regulation. Our context-aware feedback approach uses activity hierarchies to represent the context around the use of RFID applications, and it supports privacy critic agents that adapt feedback and information disclosure processes to users' changing needs.

Key Words
RFID, privacy, critic agents, disclosure models, context-awareness

1. Introduction
As the cost of RFID tags drops, they are attached to an increasing number of physical objects in the world. For example, cases of item-level tagging, i.e., attaching RFID tags to individual sales items, are emerging in the retail arena. Item-level tagging creates exciting opportunities to design applications for the so-called Internet of Things. However, there are serious privacy concerns about unobtrusive monitoring using ubiquitous RFID tags. There is a need for tools that support people in controlling their privacy boundaries and protecting their privacy according to their needs.

Context is essential in any system that supports users in controlling their privacy boundaries. The boundaries that separate and connect one's personal information spaces and the rest of the world are shaped by context, including one's activities and social environments. For example, information about the things one touches can be public when one is at work in a warehouse. How private one considers RFID data to be is also influenced by the cost of removal.
For example, RFID train passes carried by a person can be removed from the person more easily than medical RFID implants. However, conventional approaches to privacy-preserving RFID systems (see Table 1) rarely consider context in a systematic manner. Implicit in most conventional approaches is the use of static privacy preferences that cannot address dynamic changes in privacy needs.

Table 1. Existing approaches to RFID privacy issues

| Approach | Description |
|---|---|
| Killing tags | Destroying, removing, or permanently inactivating RFID tags. |
| Faraday cage | Shielding RFID tags by using a container made of materials that block radio signals. |
| Active jamming | Shielding RFID tags by using a device that actively broadcasts radio signals so as to block the operation of nearby RFID readers. |
| Sophisticated tags | Controlling access to information on RFID tags by locking, encrypting, changing and manipulating data. |
| Blocker tags | Blocking access to RFID tags by using a device that announces itself as all, or a range, of the possible RFID tags. |
| Local computation | Personal devices provide services to users without sending IDs to the infrastructure. |
| Information management | Controlling the storage, flow and processing of information in databases. |
| Social regulation | Guidelines and laws that regulate the capture and use of sensitive private information. |

This paper proposes process and data models for providing feedback that supports RFID users' in-situ privacy boundary regulation. In our context-aware feedback approach, activity hierarchies are used to represent the context around the use of RFID applications. Privacy critic agents use the hierarchies to adapt feedback and information disclosure processes to users' changing needs. These models can be used to develop privacy assistants on mobile devices.

In the next section, we first discuss how easily privacy regulation in RFID applications can break down. Following this, we describe a framework for feedback and control that is proposed to support users' information disclosure processes. We then describe two generic models for characterizing RFID users' information disclosure processes. An approach for providing feedback that better supports RFID users' privacy boundary regulation is also presented. Finally, we present some concluding remarks and our vision for the next steps.

2. Challenges
Part of the privacy problem of RFID systems lies in an architecture that makes it difficult to gain information about, and to control, how one is presenting oneself to others.

2.1 Scenario
Imagine a smart shelf in a retail store, which constantly scans the RFID tags of all products on it. If someone removes a product from the shelf, it can tell what was taken away and possibly who took it away. For example, customer A picks up a bottle of flu medicine and puts it back on the shelf. The customer may or may not be aware that the store's marketing team can interpret this as her interest in flu medicines. Now another customer, B, accidentally hits a flu medicine bottle with her elbow; it drops on the floor, and she puts it back on the shelf.

2.2 Difficulty in gaining information about others
Customers' activities are interleaved with moments of communication between RFID readers and tags, which we call scans. Scans can be visible or invisible, voluntary or involuntary, intentional or unintentional, and may or may not require user intervention (e.g., pressing a scan button). Scans announce various relationships among people and things and trigger chains of information flows that go out of, and come into, people's personal information spaces. The first customer doesn't clearly know who is monitoring her actions (or who will search records of her actions) and has little knowledge of how her actions are viewed and interpreted by others. She may only be notified of the result of her action when she receives marketing material from the store.

2.3 Difficulty in conveying information
The actions of the second customer can easily be misinterpreted as her interest in flu medicines if there are no sensors that detect the fall of the bottle. Even when such sensors exist, the bottle may drop outside a sensor-enabled area or even into someone else's shopping cart. Moreover, the marketing team may only be monitoring the data about the shelf and not the floor. If a sales agent is physically in proximity to the customer, these communication errors occur less frequently, and customers and store staff can detect and fix problems through face-to-face interactions.

2.4 Difficulty in gaining information about oneself
Scans, like clicks in hypertext systems, are problematically small interaction units that challenge users' ability to understand and anticipate how their actions and information appear to others. Assessing the efficacy of strategies for withholding or disclosing information is inescapably based on this reflexive interpretation. Thimbleby et al. proposed the notion of reflexive CSCW, which considers the difficulty of tracking personal work distributed in both place and time. The cost of tracking can be high when users attempt to maintain many interleaved activities over long periods. Reflexive CSCW is mainly concerned with a better understanding of one's actions in one's own world. This paper adopts a broader view of reflexive CSCW by incorporating self-awareness of one's exposure to external worlds.

3. Designing for Feedback and Control
The challenges discussed in the previous section suggest the need for better support of users' information disclosure processes. We use the framework proposed by Bellotti and Sellen to first analyze the types of feedback and control involved in RFID users' information disclosure processes, which are characterized by capture, construction, accessibility and purposes (see Table 2). Then, we discuss privacy critics for supporting users in dealing with the necessary feedback and control, and finally derive eight design principles for feedback.
3.1 A Framework for Feedback and Control
When RFID users make their information available to others, different kinds of things take place in terms of capture, construction, accessibility and purposes, of which users may or may not be aware. Table 2 highlights existing and potential places where there may be room for providing increased feedback and control to RFID users.

Table 2. A framework for analysing feedback and control involved in RFID users' privacy regulation processes.

| Category | Feedback About | Control Over |
|---|---|---|
| Capture (an RFID reader obtains RFID data from my RFID tag) | Existence and capabilities of RFID tags and readers. Occurrences of scans. Contents and types of information capture. | Removing or disabling tags and readers. Which of my tags are read by which readers and when. Intentional degradation of information, anonymity, and pseudonymity. |
| Construction (how my RFID data are combined with other data and processed) | Existence, types, and contents of the primary data sources that manage information about my tags and of the secondary data sources that may be used together with the primary data sources. When and how my information is stored, copied, used, or integrated with other information. | Removing, adding and changing my information in any data source. Which of my information is stored, copied, used, or integrated with other information. Requiring my permission or supervision when something happens to my information. |
| Accessibility (who or what accesses my RFID-relevant data) | Which people, software applications, and middleware components have access to my tags, readers, and primary/secondary data sources. | Who and what has access to which information about me, and how. Access control models, authentication, and encryption. |
| Purposes (what purposes my RFID-relevant data are used for) | What people intend to use my information for (this can be part of a privacy statement or a P3P-like declaration). Inference of purposes by tracking the uses of my information. | Restricting intrusive, unethical, illegal and misappropriating usage of my information. Social control can be exercised with technological support similar to P3P. |

3.2 Privacy Critics
Privacy regulation for RFID tags can be a complex task if users must deal with all kinds of feedback and control. Also, the task of managing privacy may interfere with users' other important tasks. However, a simplified, intuitive user interface for complex privacy management may remove important details for some users.

A privacy critic is a type of intelligent agent that provides privacy-related feedback and suggestions as users go about their ordinary tasks. Ackerman and Cranor describe two kinds of privacy critics for Web browsing, which are based on the critic-based architectures proposed by Fischer et al. (1990) and Fischer et al. (1993). One critic provides suggestions based on a database of consumer complaints about a website. The other critic warns a user when the information about to be disclosed can be used, in combination with what is already known, to identify the user.

Proposed here is a suite of privacy critics for RFID users, which make privacy suggestions from four different perspectives corresponding to the categories in Table 2. Capture critics make suggestions about scans, construction critics about data manipulation, accessibility critics about access control, and purposes critics about declared or inferred purposes.

3.3 Design Principles
The following eight design principles are derived by applying the framework to the specific issues identified in Section 2. Our focus here is on designing for feedback, which is a prerequisite for effective privacy control. Mechanisms for supporting privacy control, such as kill commands, encryption, access control and data correction, are complementary to the approach of this paper.

(1) Make scans visible: Indicate the existence of RFID readers and tags. Give visual/auditory feedback when a scan occurs.
(2) Show who accesses my data about scans and what their purposes are: Pessimistic, optimistic, or interactive access control processes. Mechanisms that support reciprocal disclosure ("If I see you, you see me.").
(3) Show queries that access my data about scans: Systems could keep a record of the queries that use my data and make the record accessible to me.
(4) Distinguish types of scans: Attach data that describe the type of scan to scan records. Types may include user-initiated scans, unobtrusive scans, etc.
(5) Group and structure scans according to context: Group scan records and organize them in hierarchies that reflect users' context.
(6) Show what information flows a scan triggers: Provide feedback on where a scan record travels and which external data sources are used for aggregation. This could be a policy statement with or without a mechanism for detecting violations.
(7) Show where and how data about scans are stored: This could also be a policy statement with or without a mechanism for detecting violations.
(8) Show when and how data about scans are modified or aggregated: This could be a policy statement with or without a violation detection mechanism.

Principle (1) is a common approach in existing proposals [10,11] for protecting consumers' privacy around the use of RFID. In relation to (2), researchers have studied privacy preferences that specify who gets access to what information. Floerkemeier et al. propose RFID communication protocols that embody fair information practices and allow for the declaration of 15 different purposes of scans. Issues related to (3) are discussed in database security and medical information systems; for example, Wiederhold proposed checking mechanisms for queries as well as for their results. There are few existing works that deal with the issues of (4) and (5) for the purposes of RFID privacy. Designing purely technological solutions for (6)-(8) can be difficult because of the complexity of distributed systems. In the next sections, we discuss disclosure models as a framework for integrating various privacy-enhancing techniques, and a context-aware feedback model for supporting principles (4) and (5).

4. Disclosure Models
We use the following two generic models for characterizing RFID users' information disclosure processes.

4.1 Information Flow Model
RFID systems can be roughly classified into the following three types according to the ownership of RFID readers and tags.

[Figure 1. Type I: user (RFID tag); environment (RFID reader)]

In Figure 1, users own RFID tags. RFID readers are either public or owned by someone else. Records of scans are disclosed from the environment. Users can generally control the information flows indicated with solid-line arrows using conventional methods (e.g., using kill kiosks, Faraday cages, etc.).

[Figure 2. Type II: user (RFID reader); environment (RFID tag)]

In Figure 2, users own RFID readers. RFID tags are either public or owned by someone else. Records of scans are disclosed from the users. Users can generally control the information flows indicated with solid-line arrows using conventional methods (e.g., turning readers on or off, controlling access to the readers' data, etc.).

[Figure 3. Type III: user (RFID tag and reader); environment (RFID tag and reader)]

In Figure 3, Type I and Type II information flows coexist. Records of scans are disclosed from both the users and the environment. Users can generally control the information flows indicated with solid-line arrows using conventional methods.

4.2 Disclosure Process Model
Most of the design principles described in the previous section assume disclosure processes that allow users to obtain some feedback and make decisions as to whether or not to disclose scans.

[Figure 4. Disclosure processes (nodes: Scan, Feedback, Control, Disclosure; paths p and p')]

Figure 4 has two paths, p and p', which have the same start and end nodes. p corresponds to the full disclosure process and p' to the degenerated process. In the full disclosure process, users have detailed interactive control over the disclosure of each scan. However, the cognitive workload of the full process can be very high if users must deal with a large number of RFID tags individually. In contrast, the degenerated process does not allow interactive control at all. Systems automatically disclose or conceal scans based on predefined default settings, thereby minimizing users' cognitive workload for privacy regulation.

Type I information flows cannot support the full disclosure process unless the environment provides the user with feedback and control. This could be remedied by a device that functions as a kind of personal firewall router. However, due to the limitation of space, discussion of such a device is beyond the scope of this paper. For Type II information flows, a system can be built to support both the full and the degenerated process regardless of the environment. The challenge is to support a user with the appropriate process at the right time. Type III is a combination of Type I and Type II; therefore, the full disclosure process can only be supported in some part of the system.
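As an added illustration of principles (3), (4) and (5) from Section 3.3 and of the two disclosure paths of Section 4.2, the following Python sketch is example code written for this page; it is not the authors' system and not QueryLens. It keeps scan records typed by how they were triggered, groups them under a small constructed activity hierarchy, routes each scan through either the full (interactive) or the degenerated (default-setting) process depending on the activity the user is in, and keeps a query log so the user can see who used records about a tag. The hierarchy, the two scan types, the default policy, the rule that a user-initiated scan outside an interactively controlled context is disclosed, and all sample scans are assumptions made here.

```python
# Added example (not the paper's code): a toy privacy critic implementing design
# principles (3), (4), (5) and the full/degenerated disclosure paths of Section 4.2.
# The activity hierarchy, scan types, default policy and sample scans are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Constructed activity hierarchy (principle 5): child node -> parent node, None = root.
ACTIVITY_PARENT: Dict[str, Optional[str]] = {
    "shopping": None,
    "shopping/pharmacy": "shopping",
    "shopping/checkout": "shopping",
    "work": None,
    "work/warehouse": "work",
}

@dataclass(frozen=True)
class Scan:
    tag_id: str
    reader_id: str
    scan_type: str   # principle (4): "user-initiated" or "unobtrusive" (assumed type names)
    activity: str    # principle (5): hierarchy node the scan occurred in

@dataclass(frozen=True)
class Decision:
    scan: Scan
    disclosed: bool
    process: str     # "full" (user asked) or "degenerated" (default applied)
    feedback: str    # message the critic shows the user

def activity_path(activity: str) -> List[str]:
    """Root-to-leaf path, e.g. 'shopping/pharmacy' -> ['shopping', 'shopping/pharmacy']."""
    path: List[str] = []
    node: Optional[str] = activity
    while node is not None:
        path.append(node)
        node = ACTIVITY_PARENT[node]   # KeyError for an activity outside the hierarchy
    return path[::-1]

def group_by_context(scans: Iterable[Scan]) -> Dict[str, List[Scan]]:
    """Principle (5): index each scan record under its own activity and every ancestor."""
    groups: Dict[str, List[Scan]] = {}
    for scan in scans:
        for node in activity_path(scan.activity):
            groups.setdefault(node, []).append(scan)
    return groups

# Constructed default settings for the degenerated path: True = disclose, False = conceal.
DEFAULT_POLICY: Dict[str, bool] = {"work/warehouse": True, "shopping": False}

def default_for(activity: str) -> bool:
    """The most specific default along the hierarchy wins; no setting at all means conceal."""
    for node in reversed(activity_path(activity)):
        if node in DEFAULT_POLICY:
            return DEFAULT_POLICY[node]
    return False

class PrivacyCritic:
    """Chooses the disclosure process per scan and records the queries that use scan data."""

    def __init__(self, ask_user: Callable[[Scan], bool], interactive_activities: Iterable[str]):
        self.ask_user = ask_user                                   # prompt used by the full process
        self.interactive_activities = set(interactive_activities)  # contexts the user controls by hand
        self.query_log: List[dict] = []                            # principle (3)

    def decide(self, scan: Scan) -> Decision:
        path = activity_path(scan.activity)
        if any(node in self.interactive_activities for node in path):
            disclosed, process = self.ask_user(scan), "full"        # full process: per-scan control
        elif scan.scan_type == "user-initiated":
            disclosed, process = True, "degenerated"                # assumed: the user asked for this scan
        else:
            disclosed, process = default_for(scan.activity), "degenerated"  # default for the context
        feedback = (f"{scan.scan_type} scan of {scan.tag_id} by {scan.reader_id} during "
                    f"{' > '.join(path)}: {'disclosed' if disclosed else 'concealed'} ({process} process)")
        return Decision(scan, disclosed, process, feedback)

    def record_query(self, requester: str, purpose: str, tag_ids: Iterable[str]) -> None:
        """Principle (3): keep a record of every query that uses my scan data."""
        self.query_log.append({"requester": requester, "purpose": purpose, "tags": frozenset(tag_ids)})

    def queries_touching(self, tag_id: str) -> List[dict]:
        """Feedback for principles (2) and (3): who used records about this tag, and why."""
        return [q for q in self.query_log if tag_id in q["tags"]]

# Constructed scans replaying the Section 2.1 scenario, plus one warehouse scan at work.
SAMPLE_SCANS = [
    Scan("tag-flu-01", "shelf-reader-7", "unobtrusive", "shopping/pharmacy"),      # customer A picks up a bottle
    Scan("tag-flu-02", "shelf-reader-7", "unobtrusive", "shopping/pharmacy"),      # customer B's elbow
    Scan("tag-flu-01", "checkout-reader-1", "user-initiated", "shopping/checkout"),
    Scan("tag-pallet-9", "dock-reader-2", "unobtrusive", "work/warehouse"),
]

def run_demo(ask_user: Callable[[Scan], bool] = lambda scan: False) -> List[Decision]:
    """Runs the sample scans through a critic whose user wants interactive control in the pharmacy."""
    critic = PrivacyCritic(ask_user, interactive_activities=["shopping/pharmacy"])
    decisions = [critic.decide(scan) for scan in SAMPLE_SCANS]
    critic.record_query("marketing-team", "interest profiling", ["tag-flu-01"])  # constructed query
    for decision in decisions:
        print(decision.feedback)
    print("queries touching tag-flu-01:", critic.queries_touching("tag-flu-01"))
    return decisions

if __name__ == "__main__":
    run_demo()
```

Running the file replays the scenario: both pharmacy scans take the full path and are settled by the prompt, the checkout scan is disclosed because the customer initiated it, and the warehouse scan is disclosed by the work default. What a critic adds over a static preference is visible in default_for: the same unobtrusive scan is concealed under "shopping" but disclosed under "work/warehouse", so the boundary moves with the activity rather than being fixed per tag.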
QueryLens uses mobile databases that run on Palm OS PDAs and synchronize with a network server. The database schema, which incorporates rule-driven stored procedures, can be extended for the proposed data model and disclosure processes. We are also extending the design to other mobile computing platforms that allow privacy critics to provide multi-modal feedback.

6. Conclusion
This paper discussed design principles and models for a new class of privacy-enhancing technologies for RFID applications. The proposed models facilitate the design of critic-based feedback mechanisms that understand usage context and provide appropriate feedback. We are building on our existing RFID system, which allows us to develop some components in a straightforward fashion. We hope our models and guidelines serve as a first step towards a solution to the emerging privacy issues in new business practices and everyday life. We are planning to conduct a user experiment on the context-aware feedback mechanism, which has not been done previously, in order to uncover the implications of context-aware feedback for the design of privacy-preserving technologies.

References:
A. Juels, R.L. Rivest & M. Szydlo, The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy. Proc. of ACM Conf. on Computer and Communications Security, ACM Press, 2003.
S. Konomi, Personal Privacy Assistants for RFID Users. Int'l Workshop Series on RFID Information Sharing and Privacy, Tokyo, Japan.
L. Palen & P. Dourish, Unpacking Privacy for a Networked World. Proc. of CHI 03, ACM Press.
H. Thimbleby, S. Anderson & I. Witten, Reflexive CSCW: Supporting Long-Term Personal Work. Interacting with Computers, 2(3), Elsevier Science, 1990.
V. Bellotti & A. Sellen, Design for Privacy in Ubiquitous Computing Environments. Proc. of the 3rd European Conference on Computer-Supported Cooperative Work (ECSCW 93), Kluwer Academic Publishers.
G. Fischer, A.C. Lemke & T. Mastaglio, Using Critics to Empower Users. Proc. of CHI 90, ACM Press, 1990.
G. Fischer, K. Nakakoji, J. Ostwald, G. Stahl & T. Sumner, Embedding Computer-based Critics in the Contexts of Design. Proc. of INTERCHI 93, ACM Press, 1993.
J. Grudin & E. Horvitz, Presenting Choices in Context: Approaches to Information Sharing. Proceedings of the Ubicomp 2003 Privacy Workshop.
Guidelines on EPC for Consumer Products.
S. Garfinkel, An RFID Bill of Rights. Technology Review, October 2002.
J.S. Olson, J. Grudin & E. Horvitz, A Study of Preferences for Sharing and Privacy. Proc. of CHI 05, ACM Press, 2005.
C. Floerkemeier, R. Schneider & M. Langheinrich, Scanning with a Purpose: Supporting the Fair Information Principles in RFID Protocols. Proc. of the 2nd Int'l Symposium on Ubiquitous Computing Systems (UCS 2004), Tokyo, Japan.
G. Wiederhold, Future of Security and Privacy in Medical Information.
T. Moran & P. Dourish, Human-Computer Interaction, 16, Special Issue on Context-Aware Computing.
S. Konomi, QueryLens: Beyond ID-based Information Access. Proc. of the Int'l Conf. on Ubiquitous Computing (UbiComp), 2002.
C.S. Nam & S. Konomi, Usability Evaluation of QueryLens: Implications for Context-Aware Information Sharing Using RFID. Proc. of the IASTED Int'l Conf. on Human-Computer Interaction, Phoenix, USA.
H. Galanxhi-Janaqi & F. F.-H. Nah, U-commerce: Emerging Trends and Research Issues. Industrial Management & Data Systems, 104(9), Emerald Group Publishing, 2004.
M.S. Ackerman & L. Cranor, Privacy Critics: UI Components to Safeguard Users' Privacy. Proc. of CHI 99, ACM Press, 1999.