Franziska Roesner
ABSTRACT
Modern applications increasingly rely on continuous monitoring of video, audio, or other sensor data to provide their functionality, particularly in platforms such as the Microsoft Kinect and Google Glass. Continuous sensing by untrusted applications poses significant privacy challenges for both device users and bystanders. Even honest users will struggle to manage application permissions using existing approaches.
We propose a general, extensible framework for controlling access to sensor data on multi-application continuous sensing platforms. Our approach, world-driven access control, allows real-world objects to explicitly specify access policies. This approach relieves the user's permission management burden while mediating access at the granularity of objects rather than full sensor streams. A trusted policy module on the platform senses policies in the world and modifies applications' "views" accordingly. For example, world-driven access control allows the system to automatically stop recording in bathrooms or remove bystanders from video frames,without the user prompted to specify or activate such policies. To convey and authenticate policies, we introduce passports, a new kind of certificate that includes both a policy and optionally the code for recognizing a real-world object.
We implement a prototype system and use it to study the feasibility of world-driven access control in practice. Our evaluation suggests that world-driven access control can effectively reduce the user's permission management burden in emerging continuous sensing systems. Our investigation also surfaces key challenges for future access control mechanisms for continuous sensing applications.
- ZXing.Net. http://zxingnet.codeplex.com/.Google Scholar
- Abrash, M. Latency -- the sine qua non of AR and VR, 2012. http://bit.ly/UbrBL0.Google Scholar
- Ada Initiative. Another way to attract women to conferences: photography policies, 2013. http://bit.ly/1bc3x3O.Google Scholar
- Ardagna, C. A., Cremonini, M., di Vimercati, S. D. C., and Samarati, P. Privacy-enhanced Location-based Access Control. In Handbook of Database Security. 2008, pp. 531--552.Google Scholar
- Bauer, L., Garriss, S., McCune, J. M., Reiter, M. K., Rouse, J., and Rutenbar, P. Device-enabled authorization in the Grey system. In International Conference on Information Security (2005). Google ScholarDigital Library
- Borisov, N., and Brewer, E. A. Active certificates: A framework for delegation. In Network and Distributed System Security Symposium (NDSS) (2002).Google Scholar
- Brassil, J. Technical Challenges in Location-Aware Video Surveillance Privacy. In Protecting Privacy in Video Surveillance, A. Senior, Ed. 2009, pp. 91--113.Google Scholar
- Cammozzo, A. TagMeNot. http://tagmenot.info/.Google Scholar
- Clark, J., and van Oorschot, P. C. SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements. IEEE Symposium on Security & Privacy (2013). Google ScholarDigital Library
- CNXSoft. Qualcomm fast computer vision sdk, 2011. http://bit.ly/rUY7Pa.Google Scholar
- Denning, T., Dehlawi, Z., and Kohno, T. In situ with bystanders of augmented reality glasses: Perspectives on recording and privacy-mediating technologies. In ACM CHI (2014). Google ScholarDigital Library
- Felt, A. P., Ha, E., Egelman, S., Haney, A., Chin, E., and Wagner, D. Android permissions: User attention, comprehension, and behavior. In Symposium on Usable Privacy and Security (SOUPS) (2012). Google ScholarDigital Library
- Geambasu, R., Levy, A. A., Kohno, T., Krishnamurthy, A., and Levy, H. M. Comet: An active distributed key-value store. In USENIX OSDI (2010). Google ScholarDigital Library
- Google. Google Glass. http://glass.google.com/.Google Scholar
- Gray, R. The places where Google Glass is banned, Dec. 2013. http://www.telegraph.co.uk/technology/google/10494231/The-places-where- Google-Glass-is-banned.html.Google Scholar
- Halderman, J. A., Waters, B., and Felten, E. W. Privacy Management for Portable Recording Devices. In Workshop on Privacy in Electronic Society (2004). Google ScholarDigital Library
- Hudson, S., Fogarty, J., Atkeson, C., Avrahami, D., Forlizzi, J., Kiesler, S., Lee, J., and Yang, J. Predicting human interruptibility with sensors: a wizard of oz feasibility study. In ACM CHI (2003). Google ScholarDigital Library
- Jana, S., Molnar, D., Moshchuk, A., Dunn, A., Livshits, B., Wang, H. J., and Ofek, E. Enabling Fine-Grained Permissions for Augmented Reality Applications with Recognizers. In USENIX Security Symposium (2013). Google ScholarDigital Library
- Jana, S., Narayanan, A., and Shmatikov, V. A Scanner Darkly: Protecting User Privacy from Perceptual Applications. In IEEE Symposium on Security and Privacy (2013). Google ScholarDigital Library
- Kotadia, M. Jamming device aims at camera phones, 2003. http://cnet.co/HEvS8b.Google Scholar
- Lasecki, W., Song, Y. C., Kautz, H., and Bigham, J. Real-time crowd labeling for deployable activity recognition. In Computer Supported Cooperative Work (CSCW) (2013). Google ScholarDigital Library
- Lee, S., Wong, E., Goel, D., Dahlin, M., and Shmatikov, V. PiBox: A platform for privacy preserving apps. In USENIX Symposium on Networked Systems Design and Implementation (NSDI) (2013). Google ScholarDigital Library
- LiKamWa, R., Priyantha, B., Philipose, M., Zhong, L., and Bahl, P. Energy characterization & optimization of image sensing toward continuous mobile vision. In MobiSys (2013). Google ScholarDigital Library
- Lioy, A., and Ramunno, G. Trusted computing. In Handbook of Information and Communication Security, Stavroulakis and Stamp, Eds. 2010, pp. 697{717.Google Scholar
- Marlinspike, M. Convergence. http://convergence.io/.Google Scholar
- Meta. Spaceglasses. http://spaceglasses.com.Google Scholar
- Microsoft. App. Domains. http://msdn.microsoft.com/en-us/library/2bh4z9hs(v=vs.110).aspx.Google Scholar
- Microsoft. Creating your own code access permissions, 2013. http://bit.ly/HFzDKD.Google Scholar
- O'Brien, K. Swiss Court Orders Modifications to Google Street View, 2012. http://nyti.ms/L3cdNZ.Google Scholar
- Panzarino, M. Inside the revolutionary 3d vision chip at the heart of google's project tango phone, Feb. 2014. http://tcrn.ch/1fkCuWK.Google Scholar
- Paruchuri, J. K., Cheung, S.-C. S., and Hail, M. W. Video data hiding for managing privacy information in surveillance systems. EURASIP Journal on Info. Security (Jan. 2009), 7:1--7:18. Google ScholarDigital Library
- Patel, S. N., Summet, J. W., and Truong, K. N. BlindSpot: Creating Capture-Resistant Spaces. In Protecting Privacy in Video Surveillance, A. Senior, Ed. 2009.Google Scholar
- Priyantha, N. B., Miu, A. K. L., Balakrishnan, H., and Teller, S. J. The cricket compass for context-aware mobile applications. In Mobile Computing and Networking (2001). Google ScholarDigital Library
- Quest Visual. WordLens: See the world in your language. http://questvisual.com/.Google Scholar
- Roesner, F., Kohno, T., Moshchuk, A., Parno, B., Wang, H. J., and Cowan, C. User-driven access control: Rethinking permission granting in modern operating systems. In IEEE Symposium on Security and Privacy (2011). Google ScholarDigital Library
- Schiff, J., Meingast, M., Mulligan, D. K., Sastry, S., and Goldberg, K. Y. Respectful Cameras: Detecting Visual Markers in Real-Time to Address Privacy Concerns. In International Conference on Intelligent Robots and Systems (2007).Google ScholarCross Ref
- Shotton, J., Fitzgibbon, A., Cook, M., Sharp, T., Finocchio, M., Moore, R., Kipman, A., and Blake, A. Real-time human pose recognition in parts from a single depth image. In Computer Vision & Pattern Recognition (2011). Google ScholarDigital Library
- Starner, T. The Challenges of Wearable Computing: Part 2. IEEE Micro 21, 4 (2001), 54--67. Google ScholarDigital Library
- Templeman, R., Korayem, M., Crandall, D., and Kapadia, A. PlaceAvoider: Steering first-person cameras away from sensitive spaces. In Network and Distributed System Security Symposium (NDSS) (2014).Google ScholarCross Ref
- Tennenhouse, D. L., Smith, J. M., Sincoskie, W. D., Wetherall, D. J., and Minden, G. J. A Survey of Active Network Research. IEEE Communications 35 (1997), 80--86. Google ScholarDigital Library
- The 5 Point Cafe. Google Glasses Banned, Mar. 2013. http://the5pointcafe.com/google-glasses-banned/.Google Scholar
- Tom Simonite. Bringing cell-phone location-sensing indoors. http://bit.ly/TVyMEx.Google Scholar
- Wendlandt, D., Andersen, D. G., and Perrig, A. Perspectives: Improving SSH-style host authentication with multi-path probing. In USENIX Security Symposium (2008). Google ScholarDigital Library
- Zimmermann, P. R. The Official PGP User's Guide. MIT Press, Cambridge, MA, USA, 1995. Google ScholarDigital Library
Index Terms
- World-Driven Access Control for Continuous Sensing
Recommendations
User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems
SP '12: Proceedings of the 2012 IEEE Symposium on Security and PrivacyModern client platforms, such as iOS, Android, Windows Phone, Windows 8, and web browsers, run each application in an isolated environment with limited privileges. A pressing open problem in such systems is how to allow users to grant applications ...
Permission based granular access control pattern
PLoP '14: Proceedings of the 21st Conference on Pattern Languages of ProgramsEnterprise applications are designed to address specific business needs and are generally run within the internal corporate networks. Access to enterprise applications is controlled by various corporate policies, based on numerous widely accepted ...
An Evaluation of Role Based Access Control Towards Easier Management Compared to Tight Security
ICFNDS '17: Proceedings of the International Conference on Future Networks and Distributed SystemsRole-based access control (RBAC) is a widely-used protocol to design and build an access control for providing the system security regarding authorization. Even though in the context of internet resources access, the authentication and access control ...
Comments