Grant Agreement No.: UCN. D 5.1a: Preliminary UCN Use Cases and Applications - Supplement. Submission date:

Transcription

1 Grant Agreement No.: Instrument: Call Identifier: Objective 1.6: Collaborative Project FP7-ICT Connected and Social Media D 5.1a: Preliminary Use Cases and Applications - Supplement Submission date: Note: this document complements D5.1 Start date of project: October 1 st 2013 Duration: 36 months Project Manager: Henk HEIJNEN - Technicolor TRDF Author(s): Fraunhofer FOKUS Intamac Technicolor NICTA University of Nottingham University of Cambridge Portugal Telecom Editor: Fraunhofer FOKUS Revision: v.1.0 Abstract This deliverable contains case studies based on the demo scenarios due to be implemented in the projects. It supplements the earlier 5.1 deliverable, which was based on a number of more generic application scenarios that might utilize the platform.

2 D 5.1a: Preliminary Use Cases and Applications Supplement Project co-funded by the European Commission in the 7 th Framework Programme ( ) Dissemination Level PU Public ü PP Restricted to other programme participants (including the Commission Services) RE Restricted to a group specified by the consortium (including the Commission Services) CO Confidential, only for members of the consortium (including the Commission Services) 1

3 D 5.1a: Preliminary Use Cases and Applications Supplement Table of Contents 1 INTRODUCTION PURPOSE OF THIS DOCUMENT USE CASES USE CASE: SMART TV MOVIE RECOMMENDATION USE CASE: ASSISTED LIVING SERVICES USE CASE: HOME NETWORK MONITORING AND DIAGNOSIS USE CASE: POPULATION PRESENCE ESTIMATION CONCLUSIONS AND OUTLOOK

4 D 5.1a: Preliminary Use Cases and Applications Supplement 1 INTRODUCTION 1.1. PURPOSE OF THIS DOCUMENT The deliverable 5.1 covered user expectations and generic use cases. The user expectations were based on interviews with users about their knowledge, concerns and expectations about handling of privacy relevant data. As these were open-form interviews, users often did express their needs and requirements in unspecific terms, which weren t always applicable to or addressable by the project. The interviews, however, provided a good representation of the mood of the general public concerning privacy and user-centric issues and served to determine a problem space to be addressed by the project, even though they didn t lead to specific, implementable requirements. Based on the interviews, typical (existing and in-development) smart home and TV usage scenarios involving privacy and user-centric themes were selected and described, leading to a set of more detailed set of requirements and a better understanding of the problem scape. As a result, a set of applications were defined to be developed in the project with the purpose to test and showcase the platform. The applications are intended to have a typical and representative set of requirements and demonstrate that the platform is able to support these. The purpose of this supplement to the original 5.1 deliverable is to describe the scenarios embodied by the demonstrator applications and list the requirements of these scenarios, where these are relevant to the scope of the project. 3

5 D 5.1a: Preliminary Use Cases and Applications Supplement 2 USE CASES 2.1 USE CASE: SMART TV MOVIE RECOMMENDATION An IPTV recommendation system that is capable of working with different levels of knowledge about the user preferences and user context. BACKGROUND: Recommendation can generally be improved by utilizing increasingly detailed information about the user s behaviour. In increasing order of available information, some possible basis for providing recommendations are: Advertisement payment based recommendation If the movie summary contains certain keywords, one of a selection of paid for movie advertisements is suggested e.g., for all sci-fi selections, the Marvel movie is suggested, for all action movies the current Movie metadata based recommendation E.g. if a user watches a movie with Arnold Schwarzenegger, other available movies with the same actor are recommended Bond movie Initial assessment based recommendation I.e. the user goes through an initial assessment and provides an order of preference for a number of well-known movies. Based on that initial assessment, viewing behaviour of users with a similar preference is used to provide the recommendation. Viewing behaviour based recommendation The viewing behaviour of a user is matched to other users with a similar viewing pattern and their viewings are used for recommendation. Rating based recommendation The user provides more feedback regarding the movies watched, such as direct rating by the movie or implied ratings, based on behaviour, such as skipping, fast forward or repeat viewing. Additional context based recommendation In addition to the information available on the recommendation target system (such as the VOD provider) itself, additional behaviour and interest information are used for recommendations, like movies watched on television or using other services and devices. Information about the viewing situation (watching alone, with friends, with family) and information from external sources (Facebook, Twitter) can be evaluated as well. Depending on the recommendation method use, they require different level of information from and about the user, raising privacy concerns for many users. DESCRIPTION: The recommender demonstrated in is capable of utilizing different levels of knowledge about the user movie preferences and the user context, giving the user more control about the amount of privacy related information to be provided. 4

6 D 5.1a: Preliminary Use Cases and Applications Supplement Data about the user s behaviour from multiple sources is stored in the PIH. This not only includes movies watched and the ratings provided by the user, but also additional context information.. Based on the information that the user is willing to share with the service, the service is able to deliver better movie recommendations taking into account both the user s preferences and their current context. The user controls what information is provided by the PIH to the recommendation service. For the demonstrator, it is currently envisioned to provide three methods to handle user specific information. 1. No additional user specific information If the user provides no access to the data, the system will provide generic recommendations based on public databases (such as IMDB) and available movie reviews to provide movies with similar metadata to a movie just watched by the user. 2. Information handling in the cloud This is currently the most common scenario. The user provides a specific service access to all data regarding movie consumptions and ratings. These are securely transferred to a service provider (encrypted before leaving the PIH) and then used to provide recommendations. 3. Local information processing The user provides data available, including contextual data like activity logs, but the handling of the data is performed local to the user. This requires the provision of storage and computing facilities by the user, either on the PIH or an authorized device, but ensures that user specific data does not leave the user s private domain. STAKEHOLDER ISSUES: The user does wants recommendations of movies that match the viewer s interest at the time, but is concerned about providing information to the recommendation service. The VoD provider wants to give sufficiently good recommendation to keep the user interested in coming back to the portal and watching more movies. For the purpose of movie recommendation, the VoD provider is not necessarily interested in specific customers and their behaviour. However providing information about the user to other interested parties (such as advertisement agencies) can provide additional sources or revenue. An advertisement company wants to put targeted advertisements on the VoD portals navigation screens. The ad agency is interested to match the ad banners as closely as possible to the customer s preferences to increase chances of the customer reacting to the advertisement. REQUIREMENTS: The scenario results in the following specific requirements: The PIH must be able to identify a cloud service and securely exchange data with it. 5

7 D 5.1a: Preliminary Use Cases and Applications Supplement The PIH must be able to collect and store information about user behaviour, comprising of user initiated information (movie selection, rating) and automatically gathered or derived information (location, devices, number of people present). The PIH must be able to provide a secure and constrained execution environment for external application, either on the PIH itself or a locally connected resource. The PIH must directly or indirectly provide an interface that allows a user to state and modify privacy preferences in a simple manner. STAKEHOLDER BENEFITS: The primary benefit of applying concepts is obviously the user, who has more control over the use of the data. The user is now able to strike a balance, according to personal preferences, between providing more data to a recommendation service in exchange for more accurate and useful recommendation. The user can also select a method where no sensitive data leaves the local network. The benefits for VoD and advertisement providers are less obvious. But beyond the potential political benefits of providing a system that concedes more control to the user, allowing a more finely grained control of the data than either providing no data at all (akin to disallowing the use of cookies in browsers) or providing full access to data, may lead to a larger number of users that allow at least limited access to personal data, who would otherwise have opted out of giving information completely. 6

8 D 5.1a: Preliminary Use Cases and Applications Supplement 2.2 USE CASE: ASSISTED LIVING SERVICES This application will help elderly and people with chronic illness to monitor their health status frequently. DESCRIPTION: The application will demonstrate how an assisted living (AL) system can be supported b providing different interested parties clearly defined access rights to users biometrics. As such data is particularly sensitive, the PIH encrypt the date before sending it for storage to a private cloud, which runs middleware where external services can subscribe to the user s medical and health data. Access control policies will filter the kind of information available for each service/consumer. Filtering will not only be based on the type of health data, but also allow specification of notifications based on derived data, such as exceeding a given threshold or having a value that significantly differs from preceding values. The health data will cover information from a range of sensors, such as weight, blood sugar, blood pressure and pulse. STAKEHOLDER ISSUES: As health data is particularly sensitive, user require a higher amount of confidence in the secure handling of and restricted access to the data than for any other kind of personal information. While the user will typically be willing to provide full access to all health relevant information to his physician, the user wants to be sure that the data is no longer accessible to the physician once he changes the family doctor. Beyond that, there are often only subsets of the data that a user is willing to provide to other data consumers. For example, a user might subscribe to a weight loss programme and be willing to provide daily updates on weight and body mass and some index denoting the amount and relative strength of daily physical activity, but may not be willing to provide specific information about the specific times of that activities or even the exact pules rates measured. Similarly, a user is likely to appreciate the automatic or semi-automatic alert of emergency services in case of lifethreatening medical conditions, but be generally unwilling to provide information to such services when he is of normal health. For data consumers it is currently an issue that there is a wide variety of sensors available, but in often the data is collected in a number of separate silos and most data consumers only have access to data from devices that they provided to the consumer themselves. Securely storing all available data at an access site that provides a well-defined, fine grained access system to the sensitive date, which is under control of the user, can help to encourager users to pool their sensor data at one site and provide more fit for purpose combination sets of sensor based data than currently available to health agencies and other consumer of medical data. REQUIREMENTS: The scenario results in the following specific requirements: 7

9 D 5.1a: Preliminary Use Cases and Applications Supplement The PIH must be able to collect data from a wide variety of health and medical sensors. The data exchanges within the home network should already be secure and encrypted. The PIH must be able to identify a cloud service and securely exchange data with it. The PIH must directly or indirectly provide an interface that allows a user to state, modify and revoke privacy preferences in a simple manner. The cloud service needs to be capable of providing a (limited) set of processing of the data, such as calculating derived values (BMI) or determining trends in the data and significant deviations from them, as well as data or groups of date exceeding pre-set threshold values. STAKEHOLDER BENEFITS: The user remains in control of his health data, but with a trusted system to distribute that data or specific subsets to physicians and other health monitoring organizations, is will benefit from better medical support and ultimately by better health. The system also provides a better chance of fast and appropriate reaction to medical emergencies, especially for elderly people or those with known health risks. The benefit for medical and health services is a central go-to-point for a more health related sensor data than currently provided by most manufacturer specific solutions and a high grade of assurance that such a service can be certified and will be in line with legal requirements regarding the handling of personal data than this is currently the case with provider ad-hoc solutions. 8

10 D 5.1a: Preliminary Use Cases and Applications Supplement 2.3 USE CASE: HOME NETWORK MONITORING AND DIAGNOSIS The goal of this application is to assist users and their ISPs in diagnosing network performance problems in the home. DESCRIPTION: Most users are not experts in networking and consequently are helpless when applications utilizing the network perform poorly. In many cases, their resort is to call their ISP. Without adequate and detailed information, the ISP can often only provide generalized solutions to the user s problem. Installing tools to inspect data flow and IP packets on a low level can help ISPs to determine where the performance degradation occurs. Such tools can indicate whether the problem is within the user s local network, the connection to the ISP or caused by a specific device or application within the network. However, the implementation of this scenario requires access to potentially privacy sensitive user data (e.g., applications running on the users device, packet headers). The use case will demonstrate how utilize the PIH to store data safely and securely can preserve the user s privacy in such a scenario. The PIH will host applications that process data collected from the user devices and home gateway to: o infer the user activity; o predict user satisfaction with application performance and automatically identify when users are dissatisfied with application performance; o to help users identify whether performance problems lie in the home wireless network or the access link The first two applications require training of models of user activity and satisfaction. The training can be done locally on the PIH (limited to user or household specific models), or in the cloud using data from multiple users. Access to the raw data for training is controlled by the PIH. Users can access a dashboard on the PIH to get more information about the network status and identified performance problems. Moreover, users can give access to limited data about their home network usage to the network operator. The operator will then analyse the data per home and across homes through a visualization interface to further diagnose the problems STAKEHOLDER ISSUES: The primary interests of the home user are a well-tuned and efficient home network, a quick response from his ISP if problems occur and the protection of personal and privacy sensitive data from external access. To reduce cost and time spent on customer support, network service and maintenance, the ISP requires in-depth information about the data flow in the user s network. Without such 9

11 D 5.1a: Preliminary Use Cases and Applications Supplement information, remote customer support is usually limited to providing vague, general recommendations ( Turn the router off and on again. ). In most cases, the ISP does not need to have access to the content part of IP packets, but only needs access to the packet headers and routing information. REQUIREMENTS: The scenario results in the following specific requirements: The PIH must be able to collect and store non-trivial amounts of data (estimated ~50GB per year) from data collectors running on end-user devices and on the home gateway. The PIH must be capable of allowing access to the stored data by local analysis tools The PIH must directly or indirectly provide an interface that allows a user to state and modify privacy preferences in regard of giving access to the ISP or other 3 rd party cloud service to parts of the stored data or to accessing the live data flow on the network (e.g. access to packet headers only, but not to the content itself). STAKEHOLDER BENEFITS: The benefit for the user is a faster and more accurate response from the ISP to any network problems (home-network or external connection), while at the same time not exposing privacy relevant information to an external party. This is of special interest to the user, as data sent on the home network can contain highly private or sensitive content, which is not intended for any form of outside access or consumption. The benefit to the ISP lies in the capability to provide faster and more accurate help to their customers, reducing service costs and increasing customer satisfaction. At the same time, a set of tools that decouples gathering of information on a home network from the access to subsets of routing and networking data under the control of the user, will reduce concerns of users regarding the use of their data by external data consumers. Such concerns are increasingly common (most notably recently in the reporting by non-technical newspapers regarding the Windows 10 default privacy settings). Use of a platform that reduces exposure of usage data to external parties (in this case the ISP) can be seen as a feature in favour of an ISP provider and attract customers. 10

12 D 5.1a: Preliminary Use Cases and Applications Supplement 2.4 USE CASE: POPULATION PRESENCE ESTIMATION The goal of this demonstrator is to showcase the use of privacy preserving arithmetic functions. DESCRIPTION: Most scenarios assume that the consumer of data needs to have at least read access to the individual data sets of all data providers (users) to provide a useful service. Most privacy protection use cases therefore focus on the authentication of both sides of the communication and the secure transfer between these two stakeholders. It is implicitly assumed that the consumer of the data will decrypt the information at some point and that this date will be handled securely and responsibly by that service provider, using adequate internal handling of the data. In some cases, however, the service provider may not require information about the individual users and aggregated data for a group of customers will be sufficient to provide a service. In such cases, especially if the underlying data is highly sensitive in the regard of privacy and personal risks, the use of privacy preserving arithmetic functions can be an option. Privacy preserving arithmetic functions allow the calculation of simple arithmetic functions (such as calculating a sum) over encrypted operands, revealing only the result of the operation, without exposing access to the individual input values. In the scenario, individual households in a community provide information about whether someone is currently present in the house. Such information is obviously highly sensitive and house owners might not be willing to provide such information to an external service due to the fear of misuse for criminal purposes. On the other hand, generalized information about the average number of empty houses in a neighbourhood can help the police or private security services to increase the number of patrols in some areas, without the need to know which specific houses are currently empty. STAKEHOLDER ISSUES: The primary interests of the home owner is to provide a high level of security against criminal activities, while not giving out information that may ultimately decrease security if handled improperly by an external service. A service may not need data that is mapable to individual customers to perform a service. In a number of cases, it is sufficient if summary or average value can be calculated. In such cases, in cases where information is leaked somewhere, it might be advantageous for liability reasons if the service provider can demonstrate that no access to individual user existed. Ot also reduces the data security and protection requirements on the service provider s side, if no user specific data is ever handled in unencrypted form 11

13 D 5.1a: Preliminary Use Cases and Applications Supplement REQUIREMENTS: The scenario results in the following specific requirements: The PIH must be able to identify a cloud service and securely exchange data with it. The service provider should never have a key that enables him to decrypt the original data. The service provider needs to be able to perform simple operations (in this use case: addition) on the user data sets without access to the original data and without sending the user data to a third party. STAKEHOLDER BENEFITS: The user can more freely provide data to interested parties when knowing that his individual data cannot be read by an external party. This is especially relevant for data that has security or legal implications. While the current use case is only concerned with security applications, there are also possible scenarios where users provide GPS based speed data to allow the improvement of traffic flow, but do not want external parties to trace any cases of speeding back to the individual car. One benefit for the data consumer is, as already stated, the lack of requirement to be able to handle sensitive data in-house in unencrypted form. In addition, users are likely to be more willing to provide data to external data consumers when they can be sure that the individual source data cannot be read by data consumers unknown to or not fully trusted by the users. For example, users might not be willing to provide income data to an Internet survey performed by a university department or unknown survey agency, due to security or misuse concerns. With privacy preserving arithmetic functions, the user only needs to have trust in the key provider and can, as long as the key provider acts responsibly, be sure that only accumulated data will be available to a third party. 12

14 D 5.1a: Preliminary Use Cases and Applications Supplement 7 CONCLUSIONS Determining the needs and requirements for a platform is always a challenge, as it is often difficult to separate the requirements for applications utilizing the platform from the requirements that need to be fulfilled by the platform itself. While the purpose and function of an individual application can largely be defined in advance, a platform must be capable of not only supporting needs of current applications, but also support future applications, where the requirements cannot be clearly defined in advance. Defining a set of showcase and demonstrator applications, if they are selected to cover a reasonably wide span of needs in the current and estimated future use in the field can provide a set of more specific requirements. These will not comprise a complete set of platform requirement, but serve to set a basic threshold of concrete and testable requirements the platform needs to support and give confidence in its applicability for use by future applications. 13