Physical Access Control for Captured RFID Data

  • Published on

  • View

  • Download

Embed Size (px)


<ul><li><p> 2007 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or </p><p>for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be </p><p>obtained from the IEEE. </p><p> For more information, please see </p><p>MOBILE AND UBIQUITOUS SYSTEMS </p><p>Physical Access Control for Captured RFID Data </p><p>Travis Kriplean, Evan Welbourne, Nodira Khoussainova, Vibhor Rastogi, Magdalena Balazinska, Gaetano Borriello, Tadayoshi Kohno, and Dan Suciu </p><p> Vol. 6, No. 4 </p><p>OctoberDecember 2007 </p><p>This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works </p><p>may not be reposted without the explicit permission of the copyright holder. </p></li><li><p>48 PERVASIVEcomputing Published by the IEEE Computer Society 1536-1268/07/$25.00 2007 IEEE</p><p>Physical Access Controlfor Captured RFID Data</p><p>Radio frequency identification tech-nology has become popular as aneffective, low-cost solution for tag-ging and wireless identification.Although early RFID deployments</p><p>focused primarily on industrial settings, successeshave led to a boom in more personal, pervasiveapplications such as reminders1 and eldercare.2</p><p>RFID promises to enhance many everyday activ-ities but also raises great challengesin particu-lar, with respect to security and privacy.</p><p>At the University of Washington, weve de-ployed the RFID Ecosystem, a pervasive com-</p><p>puting system based on a build-ing-wide RFID infrastructurewith 80 RFID readers, 300antennas, tens of tagged people,and thousands of tagged ob-jects.3 The RFID Ecosystem isa capture-and-access systemthat streams all data from thereaders into a central database,where applications can access</p><p>it. Our goal is to provide a laboratory for long-term research in security and privacy, as well asapplications, data management, and systems is-sues for RFID-based, community-oriented per-vasive computing.</p><p>RFID security is a vibrant research area, withmany protection mechanisms against unautho-rized RFID cloning and reading attacks emerg-ing.4 However, little work has yet addressed thecomplementary issue of protecting the privacy ofRFID data after an authorized system has cap-tured and stored it. Weve investigated peer-to-</p><p>peer privacy for personal RFID data through anaccess-control policy called Physical Access Con-trol. PAC protects privacy by constraining the dataa user can obtain from the system to those eventsthat occurred when and where that user was phys-ically present. While strictly limiting informationdisclosure, PAC also affords a database view thataugments users memory of places, objects, andpeople. PAC is appropriate as a default level ofaccess control because it models the physicalboundaries in everyday life. Here, we focus on theprivacy, utility, and security issues raised by itsimplementation in the RFID Ecosystem.</p><p>Privacy and utility in pervasivearchitectures</p><p>The 18th-century legal philosopher JeremyBentham first described the perfect architecturefor surveillance: the panopticon, a prison thatarranges its cells about a central tower fromwhich a guard can monitor every cell whileremaining invisible to the inmates. The architec-tures innovation is that the guards presencebecomes unnecessary except for occasional pub-lic demonstrations of power. Many privacy con-cerns in pervasive computing stem from a similarpotential for an unseen observer to access and acton data about someone else. Under these condi-tions, the state of conscious and permanent vis-ibility [assures] the automatic functioning ofpower5 because individuals must constantlyconform to the code of conduct their peers orsuperiors hold them to.</p><p>Just as surveillance can be built into an archi-tecture, so can privacy assurances. Our funda-</p><p>To protect the privacy of RFID data after an authorized system captures it,this policy-based approach constrains the data users can access to systemevents that occurred when and where they were physically present.</p><p>S E C U R I T Y &amp; P R I V A C Y</p><p>Travis Kriplean, Evan Welbourne,Nodira Khoussainova, VibhorRastogi, Magdalena Balazinska,Gaetano Borriello, TadayoshiKohno, and Dan SuciuUniversity of Washington</p></li><li><p>mental conviction regarding privacy inthe RFID Ecosystem is that privacy mustbe designed into the system from theground up. The challenge in architectingprivacy into a pervasive-sensing systemis to provide enough utility to supportthe desired applications suite while care-fully controlling what information todisclose, to whom, how, and under whatconditions. Effective decisions must ho-listically trade off privacy and utility.6 Inparticular, a proposed privacy mecha-nism must consider perspectives andmethods from computer security, data-bases, human-computer interaction, andthe social sciences. Only in this way canwe understand the mechanisms securityvulnerabilities, how well it matchesusers expectations of privacy, how easyit is to understand, and its utility.</p><p>Most pervasive-sensing systems rep-resent one of two architectural models:wearable or infrastructure. Generallyspeaking, each model makes differenttrade-offs between privacy and utility.The wearable model processes and storessensors and data on devices that the userowns and wears. MyLifeBits embodiesthis model: users wear microphones,video cameras, and other sensors thatcontinually record sensor data.7 Suchsystems can put the device wearer in con-trol if they store the data locally and dis-close no information without the usersexplicit consent. These perfect mem-ory systems, however, pose privacyconcerns for others who encounter theuser but dont consent to informationcapture.8 Plausible deniability is lost:although human memory is lossy, cap-tured sensor data isnt.</p><p>In contrast, the infrastructure modelhas a central authority that manages sen-sor data on users behalf. This modelgives rise to the threat of permanent vis-ibility, but we adopted it for the RFIDEcosystem because it enables muchricher services through data and resourcesharing. Its also less expensive because</p><p>cost is amortized over many users. More-over, a central database allows a systemto leverage database security and privacytechniques such as privacy-preservingdata mining9 and k-anonymity.10 Thesetechniques enable privacy-preserving sta-tistical queries that complement andextend the utility of careful access con-trol for point queries, such as When didI see Bob today? A principled, privacy-sensitive framework for managing datashould employ both statistical and pointqueriesas in a Hippocratic database,11</p><p>for example. However, our focus here ison point queries under one possibleaccess control policy.</p><p>PAC: How it worksWe could define many access-control</p><p>policies for captured RFID data. Forexample, policies might allow a managerto track employee location during workhours, support staff to locate inventoryobjects, and individual users to grantconditional tracking permissions to theirfriends. However, these policies presentproblems when applied as a default. Themanagerial example raises surveillanceconcerns, the object finder can be abusedto track people, and user-defined poli-</p><p>cies often lack foresight and vigilance.12</p><p>On the other hand, a restrictive policythat lets users access only their own dataprecludes many interesting applicationsthat might be safe.</p><p>Marc Langheinrich argues that prox-imity-based disclosure could limit thesurveillance threat.13 PAC implementsthis proposal. It attempts to realize thespatial privacy features of wearable sys-</p><p>tems within an infrastructure architec-tural model. We propose it as a defaultaccess-control policy because it modelsspatial privacy in everyday life. It placesupper and lower bounds on accessibleinformation, restricting the informationusers can obtain to what they could haveobserved in person. Specifically, a usercan see other users and her owntagged objects at any time and placewhen she was physically present, butcant see the other users objects. Foreach user, the database stores a persis-tent record of all encountered personsand personal objects. PAC thus respectsYitao Duan and John Cannys data dis-cretion principle,14 which states thatusers should have access to mediarecorded when they were physically pre-sent and shouldnt when they werentpresent. We believe that PAC providesan intuitive, easily understandable flowof captured information.12</p><p>Although PAC is conservative in theinformation it reveals, its memory-likeview of the data provides useful serviceprimitives. For example, a users queryon the location of his lost object willreturn the location where he last sawita likely answer. Queries over a</p><p>users entire history of activities couldenable other personal-memory appli-cationsfor example, a reminder ser-vice that alerts users when they forget totake an item with them as they go homefor the day.1 This balance betweenprivacy and utility makes PAC a suit-able default access-control policy fora pervasive RFID deployment. More-over, privacy-preserving extensions and </p><p>OCTOBERDECEMBER 2007 PERVASIVEcomputing 49</p><p>A proposed privacy mechanism </p><p>must consider perspectives and methods </p><p>from computer security, databases, HCI, </p><p>and the social sciences. </p></li><li><p>relaxations of PAC could enable an evengreater range of applications. As such,rather than plunge a community into aninformation-promiscuous environment,our strategy is to start with informationdisclosure commensurate with everydaylife and carefully extend it as needed foruseful applications.</p><p>ImplementationRFID systems collect data as a stream</p><p>of triples having the form (Identity, Location,Time). PAC defines a database view con-sisting of only those triples representinga users own location and the locationsof users and objects he or she could plau-sibly have seen. A database respectingthe PAC policy always responds to ausers queries through her view, ratherthan the complete datain other words,PAC employs a Truman model.15 Forexample, if a user asks, How many peo-ple were on the fourth floor yesterday?the system effectively responds, Yousaw five people on the fourth floor,instead of You saw five out of the 11total people on the fourth floor.</p><p>A PAC implementation thus requires</p><p>a procedure for inferring when a usercould plausibly have seen another useror object. Our implementation relies ona notion of mutual visibility for this pro-cedure. Two users or a user and an objectare mutually visible if they share anunobstructed line of sight. Every suchinstance of mutual visibility is called avisibility event. </p><p>Consider the scenario in figure 1. Itpresents a snapshot of six users, AF,going about their daily routines and atable enumerating all visibility events.</p><p>This definition of mutual visibility isan ideal that the system must approxi-mate using captured sensor data. In theRFID Ecosystem, the mutual-visibilitycomputation incorporates the spatio-temporal relationships between theRFID tag reads that antennas collect.The RFID Ecosystems formal definitionof mutual visibility depends on theserelations between tag reads:</p><p> Spatial. Determining the unobstructedline of sight between two tag readsposes two challenges. First, a sightedtags exact location is unknown; in-</p><p>stead, the antennas location serves asa proxy for the tags location. Second,two tags might be mutually visible yetread by two different antennas, whichmotivates the definition of mutuallyvisible antennas: pairings of antennasA1 and A2 such that the system caninterpret a tag read at A1 as mutuallyvisible with a tag read at A2.</p><p> Temporal. By protocol, each antennareads tags rapidly and in sequence, sotwo tags are rarely read at exactly thesame time. We therefore use a para-meterizable time window, , that de-fines how close in time two tag readsmust occur for the tags to be consid-ered mutually visible.</p><p>We can now express a formal defini-tion of mutual visibility in terms of thedata captured by the system: Two tagsX and Y are mutually visible if X isread by antenna A1 at time tX and Y isread by antenna A2 at time tY, such that|tX tY| and A1 and A2 are mutuallyvisible.</p><p>This definition yields the visibilityevents marked in figure 1. In this sce-</p><p>50 PERVASIVEcomputing</p><p>S E C U R I T Y &amp; P R I V A C Y</p><p>FF, E 12 -15</p><p>Detected</p><p>--x</p><p>xx</p><p>15</p><p>99</p><p>End</p><p>9</p><p>57</p><p>Start</p><p>9</p><p>77</p><p>2</p><p>A, EC, ED, ED, CA, C</p><p>Visibilityevent</p><p>16171819</p><p>1</p><p>2</p><p>3</p><p>4 5 6 7 8 9 10 11</p><p>15 14 13 12</p><p>Antenna</p><p>Antennacoverage</p><p>D6</p><p>D</p><p>E</p><p>E7</p><p>E8</p><p>E9E101</p><p>E11</p><p>E12E</p><p>A 11A2 A3 A4</p><p>7A5</p><p>A6</p><p>C</p><p>C21</p><p>C3 C44C5 C6</p><p>2C7</p><p>C</p><p>A7</p><p>A8 A9</p><p>A</p><p>B2</p><p>B3</p><p>A B C D E F</p><p>Person A Person B Person C Person D Person E Person F</p><p>2m</p><p>B</p><p>B</p><p>E6</p><p>Figure 1. Six people moving over the course of 15 time steps. Each users location is annotated with the time stamp at which theymove to the space. No time stamp indicates that they remain in that space. The table shows visibility events between users. Thelast column shows visibility events inferred by the system when the parameterizable time window is 1 and antennas 13, 411,and 1219 are mutually visible.</p></li><li><p>nario, antennas 18 and 15 are mutuallyvisible, so the system will correctly inter-pret A and C as mutually visible at t = 3.In contrast, antennas 11 and 12 are notmutually visible, so E and C wont beconsidered mutually visible. Note howvarying tunes mutual visibilitys strict-ness. In figure 1, = 1, so the systemnever detects D and A as mutually visi-ble; however, if = 2, then they are mutu-ally visible during time steps 5 to 7.</p><p>Users, objects, and ownershipWe distinguish between user tags and</p><p>object tags. A user can see an objectslocation only when the user and objectare mutually visible and the user ownsthat object. The ownership restriction isrequired because RFID tags are readablethrough opaque materials, such as back-packs. X-ray vision is not part of thePAC information ethic. In our currentmodel, ownership is simple: each objectis singly owned. However, our goal is tostudy community-oriented systems, sofuture work will need to investigate howPAC can operate with shared objects.</p><p>Measuring mutual visibilityGiven a pair of antennas Ai, Aj, we</p><p>would like to label them as mutually vis-ible or not in a way that minimizes falsevisibility events. Our approach has beento label each antenna pair with the prob-ability that two tags in these coverageareas share a line of sight. The motiva-tion is to give system administrators away to systematically reason about po-tential information leakage.</p><p>One method is to sample a large num-ber of points from each antennas ex-pected coverage area and calculate thefraction of point pairs that share a lineof sight. Let Ci and Cj be two sets ofpoints uniformly drawn from Ais andAjs respective coverage areas and letvisiblePoin...</p></li></ul>