Privacy in Mobile and Pervasive Computing. Florian Schaub
• Chapter 2: Understanding Privacy. This chapter offers an in-depth discussion on what privacy is, i.e., what it means to “have privacy”, and why we may want and need privacy. It does so by examining the concept of privacy from three perspectives: legal perspectives on privacy (also with a view towards their historic context); motivations for having (or not having) privacy; and more general conceptualizations of privacy. These perspectives support assessment of the often nuanced privacy implications of new technologies.
• Chapter 3: Mobile and Pervasive Computing (MPC). This chapter summarizes the key defining characteristics of mobile and pervasive computing. While mobile and pervasive computing systems feature privacy issues inherent in any computer system in general (e.g., interconnectivity), aspects such as context awareness and implicit interaction pose new privacy challenges unique to mobile and pervasive computing.
• Chapter 4: Privacy Implications of MPC. This chapter explores the specific privacy implications of mobile and pervasive computing in order to determine the challenges that must be addressed to create more privacy-friendly mobile and pervasive computing systems. It groups these around three core aspects: (1) the digitization of everyday life; (2) the ability to automatically capture data; and (3) the ability to use data to predict behavior. While none of these trends are new, mobile and pervasive computing systems exacerbate these issues greatly.
• Chapter 5: Supporting Privacy in MPC. This chapter discusses seven key directions and associated challenges for building privacy-friendly mobile and pervasive computing systems: (1) privacy-friendly defaults; (2) adequate privacy-risk communication; (3) privacy management assistance; (4) context-adaptive privacy mechanisms; (5) user-centric privacy controls; (6) algorithmic accountability; and (7) privacy engineering methodologies. While there is no silver bullet to remedy all privacy implications of any mobile and pervasive computing system, the presented approaches constitute an essential toolbox for building privacy into mobile and pervasive computing systems.
• Chapter 6: Conclusions. This chapter provides a brief outlook and stipulates key challenges for privacy that the authors see.
FOCUS AND AUDIENCE OF THIS BOOK
This book is intended as a brief introduction into the multidisciplinary area of privacy research, with a focus on its applicability to mobile and pervasive computing systems. The presented material is not meant to be comprehensive—privacy research spans a vast array of scientific disciplines and research, to which this book often only provides initial pointers. However, this book should provide readers with a basic understanding of the issues, complexities, and approaches involved in building privacy-aware mobile and pervasive computing systems.
The prime target audience of this lecture is researchers and practitioners working in mobile and pervasive computing who want to better understand and account for the nuanced privacy implications of the technology they are creating. Armed with the knowledge in this book, we hope they will avoid opting for simple solutions that fail to address the true complexity of the problem, or even deciding not to address privacy issues at all.
At the same time, researchers working in the areas of privacy and security in general—but without a background in mobile and pervasive systems—might want to read this lecture in order to learn about the core properties and the specific privacy challenges within the mobile and pervasive computing domains.
Last but not least, graduate and undergraduate students interested in the area should be able to gain an initial overview from this book, with enough pointers to start exploring the topic in more depth.
Marc Langheinrich and Florian Schaub
October 2018
Acknowledgments
It may come as no surprise that a project like this always takes longer than one originally anticipates. Sometimes much longer. We are thus deeply grateful to Michael Morgan, President and CEO of Morgan & Claypool Publishers, and Mahadev “Satya” Satyanarayanan, the Mobile and Pervasive Computing Series Editor, for their patience and unwavering support over the years. We also greatly benefited from the helpful feedback from both Satya and Nigel Davies, who read through countless early versions of this lecture and offered important insights on how to make this text more accessible. All of the remaining issues in this final version are fully our fault!
We also would like to thank all the staff and students at our respective universities who have supported us in our work, as well as our many collaborators near and far who helped shape our research and provided us with guidance and inspiration over the years.
Marc Langheinrich and Florian Schaub
October 2018
CHAPTER 1
Introduction
In 1999, Robert Rivera slipped on some spilled yogurt in a Vons supermarket in Southern California. With a shattered kneecap as a result, Rivera sought compensation from the supermarket chain—not only to pay for his medical bills, but also to compensate for the loss of income, as he had to quit his job due to the injury. However, his effort to negotiate an out-of-court settlement fell short, according to the LA Times [Silverstein, 1999], when the supermarket’s designated mediator produced Rivera’s shopping records. Rivera was a regular Vons customer and had used their loyalty card for several years. The mediator made it clear that should this case go to court, Vons could use Rivera’s shopping record to demonstrate that he regularly bought large quantities of alcohol—a fact that would surely weaken his case (who is to say that Rivera wasn’t drunk when he slipped?). While Vons denied any wrongdoings, Rivera claimed that this threat prompted him to drop the case against the company.
Shopping records are a great example of the minute details that companies are interested in collecting about their customers. At first glance, it looks like a good deal: in exchange for swiping a loyalty card at the checkout, consumers receive anywhere from small discounts to substantial savings on their daily grocery shopping bill. The privacy implications seem negligible. After all, the store already has a record of all items you are buying right there at checkout, so why worry about the loyalty card that helps you save money? While the difference is not obvious, the loyalty card allows for much more detailed data collection than just the payment transaction. Even though it seems as if a regular credit card not issued by the store, or other cashless payment methods, would be just as problematic, the data flows for such cards are different: the supermarket only receives information about the successful payment, but no direct identifying information about the customer; similarly, the credit card company learns that a purchase of a certain amount was made at the supermarket, but not what items were purchased. Only by also swiping a loyalty card, or by using a combined credit-and-loyalty card, is a store able to link a customer’s identity to a particular shopping basket and thus track and analyze their shopping behavior over time.
So what is the harm? Most of us might not regularly buy “large quantities” of alcohol, so we surely would never run into the problem of Robert Rivera, where our data is used “against us”. Take the case of the U.S.-American firefighter Philip Scott Lyons. A long-time customer of the Safeway supermarket chain, Lyons was arrested in August 2004 and charged with attempted arson [Schneier, 2005]. Someone had tried to set fire to Lyons’ house. The fire starter found at the scene matched fire starters Lyons had previously purchased with his Safeway Club Card. Did he start the fire himself? Luckily for Lyons, all charges against him were eventually dropped in January 2005, when another person confessed