Privacy Challenges for the Mobile Internet

1
Privacy Challenges for the Mobile Internet

• Simone Fischer-Hübner
• Department of Computer Science
• Karlstad University
• simone_at_cs.kau.se

2
Privacy Definition- Alan Westin, 1967

• Privacy is the claim of individuals, groups and
  institutions to determine for themselves, when,
  how and to what extent information about them is
  communicated to others

3
WAP Privacy Issues

• Origin Server
• WAP Device WAP
  Gateway/Proxy
• Anonymisation enabled, but - user ID
  pwd, MSISDN
• Complete profile of user activities -
  CPI (device, software,
• incl. user location
  network, pers.settings)
• - user location
• - requests, parameters,
• content
• - cookies

4
MobileIP Privacy Issues

• HAB(Home Agent)
• A
• Eve
• COAB (Care of Address)
• ? Eve and HAB can trace Bs positions

A B M
HA COAB
A B M
5
Location data in Mobile IPv6 traffic data
Binding updates
Mobile Node (MN)
Binding Update
Home Link
Foreign Link
Home Agent
Binding Update
Home Address CoA
Correspondent Node (CN)
6
Mobile IP Privacy Problems

• Home Agent, CN, eavesdropper can trace mobile
  nodes position and movements
• Relative Positioning of two mobile nodes
  possible
• -gt Traffic Data contains sensitive Location
  Information

7
EU directive for privacy in the electronic
communication sector

• Traffic data (Art.6)
• Must be erased or made anonymous upon completion
  of transmission
• Processing for billing purposes permissible
• Processing for the purposes of value added
  services/marketing with the consent of the
  subscriber/user

8
EU directive for privacy in the electronic
communication sector

• Location data other than Traffic data (Art.9)
• May only be processed when made anonymous, or
  with the informed consent of the user/subscriber
• Where consent has been obtained, the
  user/subscriber must still have possibility of
  temporarily refusing the processing of location
  data

9
Need for Privacy-Enhancing Technologies (PET)

• Control of data collection/processing according
  to legislation
• P3P (Platform for Privacy Preferences Protocol)
• Identity Managment
• Privacy Access Control Models / Enterprise
  Privacy Policies
• Minimizing/ avoiding personal data
• Mix nets
• Crowds

10
PiMI Prototype (Ericsson KaU cooperation)
11
mCrowds
WAP 1.X case with WAP Gateway/Proxy
12
Conclusions

• Location privacy not sufficently addressed by
  legislation
• PETs needed to address Mobile Internet privacy
  problems

13

• Questions ?
• http//www.cs.kau.se/simone/

14
Composite Capabilities/ Preference
Profiles(CC/PP), UAProf

15
IPv6 address
64-bit routing prefix
64-bit interface identifier
For routing packets to the right network,
identifies the current link of a Mobile Node
Identifies the specific node on the network
16
P3P for informed consent
User Agent
request P3P policy reference files
Web Server
send P3P policy reference files
request P3P privacy policy
send P3P privacy policy
request web page
?
User Preferences
Privacy policy
17
P3P to protect CC/PP, UAProf

• Minimal profile conveyance
• Users select two profiles
• One for trust relations
• One for relations
• Before P3P agreement (within safe zone)
• With non-P3P enabled sites
• With non-reliable sites
• For push initiators

18
Mix nets for anonymous communication

• Sender Receiver
• msg
• B C dest, msg KC KB KA
• C dest, msg KC KB dest, msg
  KC

Mix C
Mix A
Mix B
19
Mix nets for the Internet

• Onion Routing (Naval Research Center)
• Freedom Net (Zero Knowledge Inc.)
• Web Mixes (TU Dresden)
• Flying Freedom (KTH / Sweden)

20
Mobile Internet - Exposed data
MSISDN UserID pwd Content, Requests
UAProf (Position)
MSISDN URLparams UserID pwd
UAProf (Position)
MSISDN URLparams UserID pwd
UAProf (Position)