Our Computer Security Research Group within the Computer Science Department at Karlstad University has recently started to work on the project "Enhancing Privacy for Web-based Services in wireline and wireless Networks". Within the project, we assess privacy threats and problems for the Mobile Web and work on privacy-enhancing technologies for protecting personal information. One major research issue is how the Composite Capability/Preference Profile (CC/PP) information can be protected by using CC/PP with P3P (Platform for Privacy Preferences) and how P3P can be enhanced.
We expect that privacy problems and risks in the Mobile Web environment will be made clear. In addition, specific legal provisions to protect privacy in the Mobile Web, needed alongside existing general data protection legislation, should be suggested. Privacy is increasingly becoming an international problem, because communication data often crosses state borders. An international harmonization of privacy legislation is necessary, but hardly achievable due to cultural differences (see also [Fischer-Hübner 2000]). The recent transatlantic debate about the adequacy of the Safe Harbor privacy principles in comparison with the EU Data Protection Directive has demonstrated the difficulty of harmonizing data protection regulations. For this reason, and also because law is not an ultimate protection, it is important to protect and enforce privacy by technology as well. Our main expectation of the final outputs of the workshop is therefore that privacy-enhancing technologies for protecting Mobile Web users should be discussed and suggested.
In the networked society, the individual's privacy is at risk. A side-effect of global wireline or wireless communication is that transactional data of the users can be collected at different sites (e.g., service provider site, server site, sites passing on messages) and can be used to create communication or consumer profiles.
WAP gateways receive, translate and forward all requests telling who requests what using what device and thus can easily create extensive personal user profiles.
Personal user data can also be accumulated at the origin server's site. Web or WAP server sites often ask for user- and user-side-specific data to offer customized services or for market analysis purposes. Input parameters to a mobile context-aware service can be the user identity, user location, device type and capabilities, user settings in the device, the user's previous behavior as well as PIM (personal information management) data.
The user identity can often be retrieved by the origin server behind the user's back, by using MSISDN number forwarding or user-id forwarding from the WAP gateway or an access server. Whether or not the user's actual identity can be retrieved depends on the type of subscription that the user has for the specific service. In most countries MSISDN forwarding to outside the operator's environment is forbidden by law, but it is sometimes possible to extend the operator's environment to include content providers. If user-id forwarding from other components in the network is not used, HTTP basic authentication (HTTP 401) or a simple web page logon procedure can be used to reveal the user's identity.
Standard HTTP behavior is to have the browser name passed on with the request. However, in the mobile Internet world, passing on this information tells the receiving application not only what application the user is running, as in the web case: from the browser name, the device type and version can usually be derived as well.
The Composite Capability/Preference Profiles (CC/PP) are proposed by W3C as a collection of capabilities and preferences associated with users and the user agents used to access the World Wide Web. Particularly in wireless networks, CC/PP is intended to provide the information necessary to adapt the content and the content delivery mechanisms to best fit the capabilities and preferences of the users and their agents. However, the capabilities and preference information (CPI) contains detailed characteristics about the user's device, software, network and personal settings, which can be unique for a specific user with a specific device. Thus, the CPI can serve as a unique identifier and can, like a user-id, be used to trace a user's request activities at the origin server's site. CPI in combination with the user-id can tell what device, software or network a user is using. Such information can be misused for launching attacks against the user, if it gets into the wrong hands.
The User Agent Profile (UAProf) specification, which seeks interoperability with the CC/PP standard, also defines the user location as a reserved attribute. The user's location can be retrieved in two ways: either by using GPS or a similar receiver integrated with the device and sending the position with the request, or by having the application retrieve the user's position through the knowledge that the operator has, based on radio base station information. Sending the position with the request can be done in several ways, for instance by using the UAProf attribute or a proprietary HTTP header.
Thus at the server site, different personal characteristics of users can be available, which could be used to trace their requests, habits, preferences and movements and to create user profiles. For context-aware services, extensive storage of user data is necessary. On the other hand, the user's privacy rights and interests have to be protected as well.
The CC/PP working group has already expressed the design goal that P3P is to be used as a management mechanism for the privacy of profiles. P3P by W3C is a protocol designed to inform Web users of the data-collection and data-use practices (P3P policy) of web sites and to help users to reach a semi-automated agreement with web sites with regard to the processing of an individual's personal data.
P3P can be used to enhance the user's privacy by transmitting CPI (and possibly other personal characteristics) only if there is informed consent by the user about the origin server's data collection and use practices (how and for what purpose CPI will be used, with whom data will be shared, how long the data will be retained).
Thus, in order to use CC/PP with the P3P standard, the CC/PP exchange protocol should first use a GET request that carries a profile with only minimal information about device properties (such as screen size, voice/graphic capabilities), to which a service would respond with a reference to a P3P policy. The user agent would then fetch the policy and compare it with the user's preferences to determine whether CPI should be transmitted. The user should have the possibility to choose the level of protection by defining privacy preferences for the whole CPI, or different preferences for CPI components and/or attributes.
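The exchange just described, as an added example that is not part of the original paper: a user agent sends the minimal profile, reads the P3P policy reference from the service's response, parses the policy and decides per CC/PP component whether the user's preferences cover the stated purposes, recipients and retention before transmitting that component. The policy XML, the data references of the form "#ccpp.<Component>", the preference format, the attribute values and the simulated server are all constructed here; only the P3P element names and vocabulary values (PURPOSE, RECIPIENT, RETENTION, current, ours, no-retention, etc.) are taken from P3P 1.0.

```python
"""Added example (not from the paper): a simulated CC/PP exchange with a
P3P policy check.  Policy XML, '#ccpp.<Component>' data refs, preference
format, attribute values and the origin server are all constructed."""
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed P3P policy the origin server points to after the first GET.
SAMPLE_POLICY = """<?xml version="1.0"?>
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="mobile-portal" discuri="http://example.invalid/privacy.html">
  <STATEMENT>
   <PURPOSE><current/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><no-retention/></RETENTION>
   <DATA-GROUP>
    <DATA ref="#ccpp.HardwarePlatform"/>
    <DATA ref="#ccpp.SoftwarePlatform"/>
   </DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
   <PURPOSE><current/><tailoring/><individual-analysis/></PURPOSE>
   <RECIPIENT><ours/><other-recipient/></RECIPIENT>
   <RETENTION><indefinitely/></RETENTION>
   <DATA-GROUP><DATA ref="#ccpp.Location"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>
"""
POLICY_FILES = {"/w3c/p3p.xml": SAMPLE_POLICY}   # what the user agent would fetch

# Constructed full CPI of the device, grouped by CC/PP component.
FULL_CPI = {
    "HardwarePlatform": {"ScreenSize": "176x208", "ImageCapable": "Yes",
                         "SoundOutputCapable": "Yes", "Model": "DemoPhone-1"},
    "SoftwarePlatform": {"OSName": "DemoOS", "OSVersion": "1.2"},
    "NetworkCharacteristics": {"SupportedBearers": "GPRS"},
    "Location": {"Latitude": "59.40", "Longitude": "13.51"},
}
# Attributes the first GET may carry before any policy has been seen.
MINIMAL_ATTRIBUTES = {"HardwarePlatform": {"ScreenSize", "ImageCapable", "SoundOutputCapable"}}

# Constructed user preferences: per component, the practices the user accepts.
STRICT = {"purposes": {"current"}, "recipients": {"ours"}, "retention": {"no-retention"}}
RELAXED = {"purposes": {"current", "tailoring"}, "recipients": {"ours"},
           "retention": {"no-retention", "stated-purpose"}}
USER_PREFERENCES = {"HardwarePlatform": RELAXED, "SoftwarePlatform": RELAXED,
                    "NetworkCharacteristics": RELAXED, "Location": STRICT}


def minimal_profile(cpi):
    """Profile for the first GET: only the minimal device properties."""
    return {comp: {a: v for a, v in attrs.items() if a in MINIMAL_ATTRIBUTES[comp]}
            for comp, attrs in cpi.items() if comp in MINIMAL_ATTRIBUTES}


def simulated_origin_server(profile):
    """Stand-in for the service: answers the minimal GET with a P3P policy reference."""
    return {"status": 200, "headers": {"P3P": 'policyref="/w3c/p3p.xml"'}}


def policy_reference(headers):
    """Extract the policyref value from a P3P response header, or None."""
    for part in headers.get("P3P", "").split(","):
        key, _, value = part.strip().partition("=")
        if key == "policyref":
            return value.strip('"')
    return None


def parse_policy(xml_text):
    """Map each DATA ref to the purposes/recipients/retention of its STATEMENT."""
    root = ET.fromstring(xml_text)
    terms = {}
    for stmt in root.iter(P3P_NS + "STATEMENT"):
        rule = {}
        for section, key in (("PURPOSE", "purposes"), ("RECIPIENT", "recipients"),
                             ("RETENTION", "retention")):
            element = stmt.find(P3P_NS + section)
            rule[key] = {child.tag[len(P3P_NS):] for child in element} if element is not None else set()
        for data in stmt.iter(P3P_NS + "DATA"):
            terms[data.get("ref")] = rule
    return terms


def component_consented(component, terms, prefs):
    """True only if a statement covers the component and every stated purpose,
    recipient and retention practice is one the user accepts for it."""
    rule = terms.get("#ccpp." + component)
    pref = prefs.get(component)
    if rule is None or pref is None or not all(rule.values()):
        return False          # no policy, no preference, or incomplete statement: withhold
    return all(rule[k] <= pref[k] for k in ("purposes", "recipients", "retention"))


def negotiate(cpi, prefs):
    """Run the exchange; return (profile actually sent, components withheld in full)."""
    profile = minimal_profile(cpi)
    response = simulated_origin_server(profile)
    ref = policy_reference(response["headers"])
    if ref is None or ref not in POLICY_FILES:
        return profile, sorted(cpi)           # no policy at all: nothing beyond the minimum
    terms = parse_policy(POLICY_FILES[ref])
    withheld = []
    for component, attrs in cpi.items():
        if component_consented(component, terms, prefs):
            profile[component] = dict(attrs)
        else:
            withheld.append(component)
    return profile, sorted(withheld)


if __name__ == "__main__":
    sent, withheld = negotiate(FULL_CPI, USER_PREFERENCES)
    print("sent:", sent)
    print("withheld:", withheld)
```

With the constructed policy and preferences, the hardware and software components are sent in full, the network component is withheld because no statement covers it, and the location is withheld because the policy states purposes (tailoring, individual-analysis) and a recipient (other-recipient) the user has not accepted. The subset comparison is deliberately strict: a statement is only acceptable if every listed practice is on the user's list, which is the "default deny" a practitioner would want for CPI.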
Whereas P3P can implement informed consent, P3P alone does not support other basic provisions of the EU Data Protection Directive, such as purpose restriction (Art. 6b: legitimacy), necessity of data collection and processing (Art. 6c: adequacy) and the right of access (Art. 12). Thus P3P alone is not a sufficient solution.
Within a former research project, a formal privacy model has been developed and implemented according to the Generalized Framework for Access Control (GFAC) approach in the Linux system kernel [Fischer-Hübner/Ott 1998]. The privacy model was designed as a security model that can technically enforce legal privacy requirements such as purpose restriction and necessity of data processing. It is planned to adapt the privacy model implementation so that it can be used in combination with third-party monitoring and assurance to protect P3P data elements at the server's site, so that personal data elements are collected and processed only as far as necessary and only used for the specified purposes.
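To make the two requirements the paragraph names concrete, here is an added example that is not the paper's kernel implementation or model: a simplified, user-space reference monitor that binds each stored personal data element to the purposes the subject consented to (for instance through the P3P agreement) and admits an access only if it is both necessary for the requesting task and compatible with that task's declared purpose, writing every decision to an audit trail that a third-party monitor could review. The data classes, tasks and the necessity matrix are constructed for this example.

```python
"""Added example (not the paper's model or code): a simplified purpose-binding
reference monitor in user space.  Data classes, tasks and the necessity
matrix are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PersonalDatum:
    """A personal data element plus the purposes the subject consented to
    when it was collected (e.g. via a P3P agreement)."""
    subject: str
    data_class: str       # e.g. "ccpp.Location"
    purposes: frozenset   # consented purposes, P3P vocabulary
    value: str


@dataclass(frozen=True)
class Task:
    """A server-side process acting for exactly one declared purpose."""
    name: str
    purpose: str


# Constructed necessity matrix: the only (task, data class) pairs for which an
# access is necessary at all.  Anything absent is denied regardless of purpose.
NECESSITY = {
    ("render-content", "ccpp.HardwarePlatform"): {"read"},
    ("render-content", "ccpp.SoftwarePlatform"): {"read"},
    ("find-nearest-shop", "ccpp.Location"): {"read"},
    ("marketing-report", "ccpp.Location"): {"read"},
}


class PurposeBindingMonitor:
    """Mediates every access and keeps an audit trail for third-party review."""

    def __init__(self, necessity):
        self.necessity = necessity
        self.audit = []     # (task, subject, data_class, decision)

    def decide(self, task, datum, mode):
        """Necessity is checked first, then purpose compatibility."""
        if mode not in self.necessity.get((task.name, datum.data_class), set()):
            decision = "deny:not-necessary"        # necessity of processing (Art. 6c)
        elif task.purpose not in datum.purposes:
            decision = "deny:purpose-mismatch"     # purpose restriction (Art. 6b)
        else:
            decision = "allow"
        self.audit.append((task.name, datum.subject, datum.data_class, decision))
        return decision

    def read(self, task, datum):
        """Return the value only if the monitor allows the read."""
        decision = self.decide(task, datum, "read")
        if decision != "allow":
            raise PermissionError(f"{task.name} on {datum.data_class}: {decision}")
        return datum.value

    def may_collect(self, data_class):
        """Collection rule: a data class is stored only if some task needs it."""
        return any(dc == data_class for (_, dc) in self.necessity)

    def denials(self):
        """Audit entries a third-party monitor would want to review."""
        return [entry for entry in self.audit if entry[3] != "allow"]


def run_scenario():
    """Worked scenario on one constructed location datum; returns
    (result per task, denial audit entries)."""
    monitor = PurposeBindingMonitor(NECESSITY)
    location = PersonalDatum("subscriber-42", "ccpp.Location",
                             frozenset({"current"}), "59.40,13.51")
    results = {}
    for task in (Task("find-nearest-shop", "current"),
                 Task("marketing-report", "individual-analysis"),
                 Task("render-content", "current")):
        try:
            results[task.name] = monitor.read(task, location)
        except PermissionError as err:
            results[task.name] = str(err)
    return results, monitor.denials()


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

In the scenario the location was consented to for the "current" purpose only: the shop finder reads it, the marketing report is refused because its declared purpose does not match the consent, and the content renderer is refused before the purpose is even considered because reading the location is not necessary for rendering. The collection rule applies the same matrix at collection time, so a data class that no task needs is never stored in the first place.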
The use of privacy-enhancing technologies such as, for instance, Mix nets for providing anonymity at the WAP gateway site should be examined. A Mix net, introduced by D. Chaum [Chaum 1981], can realize unlinkability of sender and recipient and sender anonymity against the recipient. If a request were sent through a Mix net to the gateway, the user identity could be hidden from the gateway.
[Chaum 1981] David Chaum, "Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms", Communications of the ACM, 24(2), 1981, pp. 84-88, http://world.std.com/~franl/crypto/chaum-acm-1981.html
[Fischer-Hübner/Ott 1998] Simone Fischer-Hübner, Amon Ott, "From a Formal Privacy Model to its Implementation", Proceedings of the 21st National Information Systems Security Conference, Arlington, VA, October 5-8, 1998
[Fischer-Hübner 2000] Simone Fischer-Hübner, "Privacy and Security at Risk in the Global Information Society", in: D.Thomas, B.Loader (Eds.): Cybercrime, Routledge, London and New York, 2000