Privacy and Security in smart cities The i-tour contribution to protecting the citizen Scott CADZOW, C3L for i-tour 1
Key contributions Development of assertion notation in ETSI Refinement of existing TPLan to ExTRA, in development for publication late 2013 Refinement of Design for Assurance with members of Common Criteria Recognition board Extending the use of languages such as ExTRA, XACML, SAML as test and notation structures in requirements development that allows evaluators simplified entry to subject matter Development of privacy by design paradigm with key experts across EU Acceptance of multi-parameter modelling Development of multi-parameter model for behavioural metrics in determining privacy and consent assertions 2
Key presentations and outputs Extension of ETSI s TVRA method to cover PIA Development of ETSI TS 102 165-1, ETSI TS 187 001/2/3, ETSI MTS workplan Addressing privacy in ITS Contributions to ITS events and standardisation influencing TS 102 94x series of standards (Qatar, Venice, Vienna, Dublin, London, Birmingham, Sophia Antipolis) Addressing privacy in Smart-Cities The role of Apps in citizen interaction (Edinburgh 2011, 2012) Addressing privacy in HCI How to bring human processing into trust and privacy modelling (HCI2013, Las Vegas, July 24 th 26 th 2013) Formation in planning of new standards group at ETSI ETSI ISG Cyber Security 3
Key technologies From Common Criteria, through TVRA and PIA, to XACML, Java, SAML, Cryptology toolkits Simplifying the root of understanding Natural language assertions translated to machine processable logic NOTE: Doesn t make it easy, does make it repeatable and comparable 4
Unexpected outputs Application to fringe ITS and societal applications Invitation to present the privacy challenge to schools and universities (social networking and societal benefit) Application of 2 driving paradigms to wider machine to machine world Contribution to EU SDO debate on the role of SDOs in privacy standardisation, extending the vision of ISO2700x and ISO SC27.5 to EU context 5
Some statistics Deaths on EU27 roads: Dropped from 56,247 in 2000 to 34,500 in 2009 Downward trend is persistent and ITS should aim to accelerate the trend Vehicles on EU27 roads: Increased from 334/1000 inhabitants in 1991 to 473/1000 in 2009 Assertion: Manufacturers want to continue this increase Public transport use: Flat at 7% for train use in EU27 Flat at 9% for bus use in EU27 Assertion: Directive wants this to change from flat to increase 6
Some figures 1. Safety Traffic carnage in the UK is estimated to cost 1% of GDP ( 18billion) 2. Efficiency Congestion costs an estimated in 1% of EU total GDP or 100B p.a. (or 18billion in the UK alone) 3. Environmental sustainability Transport accounts for 30% of total energy consumption in the EU, with the vast majority being consumed by road transport. 7
Root assertions People can make transport more efficient People need tools and evidence to support their actions i-tour provides a set of tools and evidence Sharing experience makes experience a learning tool 8
Definition of privacy Privacy is defined as the right of the individual to have his identity and agency protected from any unwanted scrutiny and interference. It reinforces the individual's right to decisional autonomy and self-determination. Privacy is a fundamental right protected by the Universal Declaration of Human Rights and by various legislative orders including the EU Convention for the Protection of Human Rights and Fundamental Freedoms 9
ITS and smart cities: a network of sensors 10
What is the new thinking? Use vehicles as sensors Use people as sensors Use vehicles as computing nodes Use people as data sources Distribute knowledge 11
What are the new problems? Use vehicles as sensors Who does it give its sensor data to? Does it trust the receiver will use it well? Use people as sensors What are you sensing? Is this going to come back and adversely affect me? Use vehicles as computing nodes Is this realistic? How much excess computing power is a car maker going to install? Use people as data sources Not just sensor data but opinions too? Distribute knowledge To whom and who pays? 12
What can ITS do with data? Identify virtual communities How people travel and for what may give travel service providers better knowledge of how to ticket, how to schedule, how to better serve, different communities Provide data for recommender systems 13
Top level objectives for privacy ITS has to meet the expectations of privacy established by: OECD Declaration of Human Rights EU Data Protection laws EU Convention on human rights Privacy is a right and expectation and not a technology 14
ITS aim: to improve safety 15
Co-operative awareness Vehicles signalling their presence by radio Where and what I am reported continuously for all to hear Short range radio (5.9GHz, 100mW transmitter, about 200m range) Not cellular, no infrastructure assumed Every vehicle aware of every other vehicle in the local area Raw data for collision avoidance and other applications i-tour citizens sharing their experience of travel Crowd sourced, crowd shared, real-time and historic 16
Event notification messages Geo-routed indication of events Crash, congestion, adverse weather Receiving vehicles forward the message within and towards the affected geographic area Broadcast over radio for all to hear 5.9GHz, low power, short range, no infrastructure Intent is to warn other drivers and get them to change their behaviour Extending the C-ITS Car to Car context to the transport user through i-tour facility 17
Privacy concerns Transmitter has no knowledge of who receives the data Transmitter has no knowledge if the receiver is good (restricts processing to only ITS application) or bad (makes additional use of data) Any potential for bad actors is bad and needs to be designed out of the system 18
Pseudonymity is not an answer pseudonymity: act of ensuring that a user may use a resource or service without disclosing its user identity, but can still be accountable for that use Many aspects of behaviour are carried in immutable data i.e. data that cannot be made pseudonymous CAM and DENM content Network addresses GeoLocations 19
i-tour aim: to improve environment 20
Give feedback to users about environmental consequences of their travel behaviour with a view to encourage change Key pollutants CO 2 climate change PM air quality European standard COPERT IV - model and databases of emission factors 21
Emission calculation Engine Speed Fuel Outside temperature Vehicle - Passenger cars - Motorcycles - Mopeds - Vans / small trucks - Urban buses - Coaches Fuel - Gasoline - Diesel - LPG Engine state - Cold start - Hot start Engine capacity Emission standard 22
Illustration Passenger car Gasoline Engine technology year 2002 Engine capacity of 1.5 litre Cold start Temperature 20 o C Travel distance 18.1 km Travel speed 80 km/h Fuel use PM emission CO 2 emission 128 g 0.022 g 3592 g 23
i-tour aim: to help users to reduce congestion 24
Congestion problem People in location A want to get to location B at the same time as lots of other people Transport network capacity insufficient to meet demand The Dawkins solution: Move/copy what everyone wants at B to A Stagger the journey start times for all travellers 25
Tour aim: encourage use of public transport 26
Objective: to develop a routing system capable to: support multi-modal routing handle real-time information consider multi-criteria evaluation functions increase environmental awareness of travellers generate personalized advice learn preferences of users 27
Privacy and the protection of people 28
Protecting User Privacy Privacy protection protects a person. A person is described by what they do, where they do it, when they do it, what they do it with, and with whom they do it We encourage i-tour users to share their activity with each other and with the system in a social network Need to protect exploit of that data by other parties 31
Combination of technology & process Design for Assurance : Ensure that security provisions can be measured and evaluated Root is "Common Criteria for Security Assurance Evaluation" published as ISO 15408 and interpretation for standards development in ETSI EG 202 387 Privacy by Design: adopt practices throughout the design, implementation and operation that maximise privacy identify data leakage address the human element in system deployment address the policies of the system users, maintainers & managers consider end of life data disposal 32
Protecting User Privacy - risk reduction 33
Content privacy user generated 38 38
Content privacy provided 39 39
Content privacy interactive sessions 40 40
One person multiple persona 41 41
Consequences for ITS ITS carries personal data both directly and indirectly in all its variants: Advanced Traveller Information Systems (ATIS) Location and route is personal information Advanced Traffic Management Systems (ATMS) ITS-Enabled Transportation Pricing Systems Concessionary fares require exchange of personal data Advanced Public Transportation Systems (APTS) Vehicle-to-Infrastructure Integration (VII) ETSI CAM and DENM Vehicle-to-Vehicle Integration (V2V) ETSI CAM and DENM 42 42
Wider concept class IdentityBehaviour Location takes place at Person Exhibits Behav iour consists of Action Determines happens at Time 43 43
User Privacy versus User security Security is not a synonym for privacy But security techniques will give some protection of privacy Security techniques counter risk of Interception, Masquerade, Manipulation, Repudiation 44
Protecting User Privacy Separation of identification and authorisation entities Anonymous at point of service delivery Identity and behaviour made non-linkable without collusion and difficult even with collusion 45
Use case interactions for authorisation uc Actors Define application itour-app-dev eloper «precedes» Prov ide proof of author and integrity of application itour-portal-operator «precedes» «precedes» JavaAppTester Test and verify application Prov ide proof of authority to deploy application Define Authority Schema itour-user Prosumer relationship itour-data-prov ider Request use of Application «invokes» Validate authority to install «precedes» Install authority schema «invokes» «precedes» «precedes» «include» InstallJVM Validate authority to run Multiple authorisations User-machine-provider 46
Privacy protection measures Anonymity Ensures that a user may use a resource or service without disclosing the user's identity Pseudonymity Ensures that a user may use a resource or service without disclosing its user identity, but can still be accountable for that use Unlinkability Ensures that a user may make multiple uses of resources or services without others being able to link these uses together Unobservability ensures that a user may use a resource or service without others, especially third parties, being able to observe that the resource or service is being used 48
Unlinkability The maximising of entropy between messages from the same source Derived from Shannon s work Cryptographic hashing achieves much of the effect but cannot be realised in broadcast network with real world data being transmitted 49
Personal privacy the i-tour user New concerns in i-tour Group membership implied through virtual community analysis may become personal data Recommendations through the recommender engine may become personal data Personalised travel services need knowledge of personal preferences Exploit of such data sets has to be minimised without properly traceable consent 50
Questions 54