Issue No. 04 - October-December (2007 vol. 6)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MPRV.2007.74
Jason Hong, Carnegie Mellon University
George Cybenko, Dartmouth College
Mahadev Satyanarayanan, Carnegie Mellon University
In the Internet's early days, few people foresaw the emergence of spam, phishing, and malware such as the viruses, worms, Trojan horses, spyware, and key loggers that plague users today. The widespread deployment of sensor-based systems, wireless networking, mobile and embedded devices, and other pervasive computing technologies poses even greater risks to security and privacy. Devices can be overrun, revealing information about their physical operating environment. Furthermore, new wireless networking technologies might be susceptible to eavesdropping and thus could expose personal information about their users. Even when the technological foundations are secure, users might still reject a system simply because they don't feel comfortable or safe using it.
Fortunately, the research community has been facing these challenges head on—even the Palo Alto Research Center's original papers on ubiquitous computing noted security and privacy concerns. Since then, researchers have continued to discuss how to effectively secure pervasive computing systems and maintain appropriate levels of privacy for users (see the "Related Resources" sidebar). Security and privacy concerns touch on all aspects of pervasive computing, including hardware, operating systems, networks, databases, user interfaces, and applications. The seven articles that we selected for this special issue draw on ideas from many of these fields and provide a flavor of the kinds of security and privacy challenges and opportunities in pervasive computing.
Security for mobile computing
Ensuring security and privacy will require significant advances in pervasive computing's technological underpinnings. Currently, most of us carry around all of our data and computational power. In contrast, two articles discuss the development of a small, mobile device that can leverage the computing infrastructure already in the environment.
In "Securing Pocket Hard Drives," Nishkam Ravi, Chandra Narayanaswami, Mandayam Raghunath, and Marcel-Catalin Rosu introduce the idea of portable storage-based personalization. Users carry a pocket hard drive and then boot a borrowed PC from this device. In "Rapid Trust Establishment for Pervasive Personal Computing," Ajay Surie, Adrian Perrig, Mahadev Satyanarayanan, and David Farber describe their work on Trust-Sniffer, a user-carried device that can verify secure applications and incrementally expand a user's list of trusted applications.
Improvements in wireless networking can also help address security and privacy concerns. "Multichannel Security Protocols," by Ford Long Wong and Frank Stajano, describes how to use multiple wireless channels simultaneously to improve overall security. Their insight is that different channels have different security properties, so we can develop new protocols that combine the best of each.
The user experience
The user interface for security and privacy functions is another important consideration when designing pervasive computing systems. Today's desktop computers typically identify and authenticate users by requesting a username and password. However, this doesn't work well in pervasive computing environments, because a person will likely use multiple systems in a given day and text input is difficult in such environments.
Biometrics, which identifies people on the basis of such features as their fingerprint, iris, or face, is one possible solution to this problem. In "Palmprint Verification for Controlling Access to Shared Computing Resources," Maylor Leung, A.C.M. Fong, and Siu Cheung Hui evaluate a new algorithm for identifying people on the basis of palmprints, with promising results.
Another important aspect of the user experience is how the system lets people manage their privacy. "Physical Access Control for Captured RFID Data," by Travis Kriplean, Evan Welbourne, Nodira Khoussainova, Vibhor Rastogi, Magdalena Balazinska, Gaetano Borriello, Tadayoshi Kohno, and Dan Suciu, discusses the deployment of a building-wide RFID infrastructure that can track people and objects. It also presents a model for physical access control, restricting what historical information a person can see on the basis of whether that person was physically present when that information was recorded.
We also need user studies to deepen our understanding of how people use and perceive pervasive computing systems. A key problem in this area is understanding what leads people to accept or reject a pervasive computing system. In "Physical, Social, and Experiential Knowledge in Pervasive Computing Environments," Gillian Hayes, Erika Shehan Poole, Giovanni Iachello, Shwetak Patel, Andrea Grimes, Gregory Abowd, and Khai Truong summarize their evaluation of a pervasive computing system for recording everyday experiences in an informal space. Drawing on these experiences, they present a model for how users use physical, social, and experiential knowledge to decide what level of utility and privacy a new technology offers.
Another open question is, "What kind of personal information is a person willing to share and under what conditions?" In "Privacy in Location-Aware Computing Environments," Denise Anthony, Tristan Henderson, and David Kotz present intriguing results from their study of privacy preferences for location information. The results suggest that important factors include how users define where they are, what they're currently doing, and who they're with.
This issue's articles represent only a snapshot of the ongoing research in privacy and security for pervasive computing. We look forward to practitioners and researchers continuing their attempts to overcome security and privacy challenges so that the grand vision of pervasive computing can come to fruition.
Jason Hong is an assistant professor at Carnegie Mellon University's Human Computer Interaction Institute. His research interests include location-based services and usable security and privacy. He received his PhD in computer science from the University of California at Berkeley. Contact him at email@example.com.
Mahadev Satyanarayanan is the Carnegie Group Professor of Computer Science at Carnegie Mellon University. His research interests include mobile computing, pervasive computing, and distributed systems. He received his PhD in computer science from Carnegie Mellon University. He's a fellow of the ACM and IEEE and the founding editor in chief of IEEE Pervasive Computing. Contact him at the Computer Science Dept., Carnegie Mellon Univ., Wean Hall 4212, 5000 Forbes Ave., Pittsburgh, PA 15213; firstname.lastname@example.org.
George Cybenko is the Dorothy and Walter Gramm Professor of Engineering at Dartmouth College. His research interests include distributed information, control systems, computer security, and signal processing. He received his PhD in mathematics from Princeton University. He's a fellow of the IEEE and a member of the Society for Industrial and Applied Mathematics, and he serves on the boards of the IEEE Computer Society and the Computing Research Association. He was the founding editor in chief of IEEE Security & Privacy. Contact him at email@example.com.