An investigation into controlling access to personal location data.

INTRODUCTION
Technological advances have made the collection and storing of data relating to the location of individuals more widespread. It is now possible to track the movements of individuals using the data stored as the result of everyday activities, e.g. mobile phone use, Internet access etc. Applications are currently in use for the deliberate use of mobile phones for tracking purposes, e.g. ChildLocate [1], and these largely rely on identity based access control (IBAC) methods.

As tracking using such methods becomes more common it is likely that there will be opportunities to develop applications requiring more complex access controls. It is envisaged that a major part could be played in allowing the person who is having their location monitored to have control over who can see their data. As the legal framework surrounding such applications develops it is also anticipated that location privacy policies, and the ability to demonstrate that they are adhered to, will also have a major role.

We believe that by extending the Tees Confidentiality Model (TCM), a model that has been successfully applied to healthcare records in the UK, to include spatial and temporal data, we can provide the complex access controls required and at the same time allow demonstration of adherence to location privacy policies [2]. Alongside this, the availability of Geographic Information Systems (GIS) allow for the provision of user interfaces displaying the results in an easily understandable format that can be scaled for use in portable devices.

Current Literature
Concerns often arise over location privacy due to a combination of data collection, access to data and data usage, and the combination of these three factors can make the control of privacy difficult [3]. This has led to attempts to provide a level of anonymity where the identity of users is hidden within certain geographical zones or by repeatedly changing user identities [4]. There are those, however, that point out some disadvantages to such an approach [5] and it is obvious that in the case of the use of traceable devices, such as mobile phones, there is a need for the billing organisation to know who the device belongs to. In fact, although the design of systems to enforce location privacy lies in the realms of computer science and electronic engineering, there are many legal, economic and social aspects to location privacy [6, 7] and these cannot be ignored in the design of any systems.

Others have suggested that the key areas for privacy design are personalised disclosure, transparency and ambiguity [8]. Any system that addresses these areas would have to allow those who are having their data collected to also have some control over who can see the data. Alongside this there needs to be control of the level of detail on view to users (granularity) and viewing of how users would see the data (via user interfaces). This would provide transparency to the operation of the system, demonstrating that any location privacy policies are adhered to.

Simple applications could have access controls based upon a Role-Based Access Control (RBAC) model. However, some of the applications suggested in the literature to date [8] need a more complex access control model. Such models already exist and have been applied to other areas, for example the Tees Confidentiality Model, has successfully been applied to healthcare records in the UK, [9] and it is envisaged that these may be expanded to provide the kind of access control required of a generalised location privacy model. Such complex models do not exclude the ability to have a RBAC approach within the same framework.

Some commentators suggest that Assisted-Global Positioning System (A-GPS) technology will become the norm for mobile phone technology [10] and this will provide positional accuracy of less than 20 metres. When this is allied to the fact that there were approximately 80 mobile phone subscriptions per 100 inhabitants of the EU in 2003 [11] then the ability to accurately track a large proportion of the population will soon be available. This technology will equip the population with devices that will allow accurate spatiotemporal measurement of their location and provide for applications using finer-scaled geography in urban locations than has previously been possible [12]. This in turn makes it likely that there will be an expansion of the market for the provision of mobile location based services and a similar rise in the requirement for complex access control.

Methodology
The main objective of the research is to develop access control methods to personal location data and to provide means of displaying the results of queries to location data based upon these methods. Complex access control methods, and the requirements for an interface that allows a layperson to see how their data would be viewed by others, suggest the use of a relational database and a Geographical Information System (GIS) that would allow for the viewing of location data in map form.

In terms of developing applications the following steps will be taken:

• Investigate how mainstream GIS can be applied to this topic, initially by constructing a suitable geodatabase of the experimental area and generating simulated tracking data. Ordnance Survey has kindly supplied the necessary data for this.
• Construct scenarios for Location Privacy/Location Tracking (LPLT) applications, in collaboration with external parties, which will replicate the requirements of real-world systems. Such scenarios would include authorisation aspects and any other relevant security measures.
• Develop a general workstation LPLT application, using generated location data (which will be eventually supplied by a tracking system), and utilise GIS to provide a visual user interface.
• Develop a portable, PDA-based, LPLT system based upon the above.

The following theoretical models and systems development tools will be developed to facilitate this:

• A generalised model of the application of complex authorisation methods to the field of location privacy. This model to explain the operation and power of the authorisation methods in a form accessible to those in the field without a computer-science background. Work has already begun in developing the Access Privacy Matrix, an adaptation and extension of the Privacy Matrix [3].
• A general UML-based model of LPLT systems based upon the specific demonstrations developed. This model will provide the basis for any future implementation of location privacy systems.
• General software tools for developing LPLT applications. These will provide a toolkit for developers to create their own LPLT applications based upon the UML model.
• A general framework for LPLT, to incorporate general policies, systems development strategies, and software development tools. This framework will provide a method for the development of LPLT applications from requirements analysis through to implementation.

Data Collection and Analysis
In the initial stages a set of location data will be generated for a single subject and constraints will be placed upon access to this data for a range of users. As well as the usual constraints of the identity and role of the user these constraints could take the form of temporal factors (e.g. only viewing the last recorded location or only seeing the location during working hours), spatial factors (e.g. only seeing the location when the subject is on campus or only seeing the location if the viewer is within 1km of the subject), or the granularity of the data (e.g. only see that the subject is in Cleveland or see which square km the subject is in). Our model will also allow for any combination of these factors.

The first stages will seek to develop the access controls via SQL procedures and the display of the results via the use of GIS as a desktop application. The project will then be developed further by increasing the number of subjects and range of access controls. This will allow for the determination of the success, or otherwise, of our model as we can easily determine the expected results from a relatively small sample of controlled data.

The second stage will involve the generation of location data via GPS tracking of individuals and the application of the access controls and display methods to real data. This will allow for the examination of the effect of any spatial errors in the data collection which are a natural part of GPS and often more evident in an urban environment due to the effects of tall buildings. It will also allow for examination of issues arising for differences in co-ordinate systems between data collection and map display.

The final stages will develop the same applications but allowing a user to view results via a PDA. This will require an examination of methods for displaying results on a device with little memory and the development of suitable system architecture. It will also allow for the examination of controlling access based upon the location of the user as well as the subject. Throughout the lifetime the results will be used to model the systems.

The Ultimate Direction
It is hoped that at the end of the research period there will be a full model of a Location Privacy/Location Tracking system allied to a set of software tools allowing a developer to create an application with complex access controls. The development of both a theoretical framework and the development tools for both desktop and portable applications could prove important, not only for the development of these applications but also for proving adherence to any legal and social policies that may develop with the technology.

References
[1] http://www.childlocate.co.uk

[2] J.J. Longstaff, M.A. Lockyer & G. Capper (2004), The Tees Confidentiality Model: Towards a Conceptual Frame work for Authorisation, Location Privacy Workshop, Maine, USA, 5-7 August 2004 http://locationprivacy.objectis.net/program

[3] C.A. Gunter, S. Wachter & P. Wagner (2004), Location-Based Services in the Privacy Matrix, Location Privacy Workshop, Maine, USA, 5-7 August 2004 http://locationprivacy.objectis.net/program

[4] A.R. Beresford & F. Stajano, Location Privacy in Pervasive Computing, IEEE Pervasive Computing, 2(1) pages 46-55, 2003. IEEE

[5] D.G. Johnson and K. Miller, Anonymity, pseudonymity, or inescapable identity on the Net, In Proceedings of the ACM Policy Conference, pages 37-38, Washington DC, May 1998.

[6] M. Langheinrich, Privacy by design – principles of privacy-aware ubiquitous systems, In Abowd, G., Brumitt, B., Shafer, S., eds.: Proceedings of Ubicomp 2001. Volume 2201 of Lecture Notes in Computer Science, pages 273–291, Springer 2001.

[7] Y. Duan & J. Canny, Designing for Privacy in Ubiquitous Computing Environments, Working paper http://www.cs.berkeley.edu/~duan/research/drafts/ubicompsec.pdf

[8] L. Terveen, R. Akolkar, P. Ludford, C. Zhou, J. Murphy, J. Konstan & J. Riedl, Location-Aware Community Applications: Privacy Issues and User Interfaces, Location Privacy Workshop, Maine, USA, 5-7 August 2004, available at http://locationprivacy.objectis.net/program

[9] J.J. Longstaff, M.A. Lockyer, J. Nicholas, The Tees Confidentiality Model: an authorisation model for identities and roles, Proceedings of ACM SACMAT 2003, pages 125-133, ACM

[10] N. Faggion & A. Trocheris, Location Based Services strengthen the strategic position of mobile operators, Alacatel Telecommunications Review, 4th Quarter 2003/1st Quarter 2004, available at http://www.alacatel.com/atr/DATR_quarterly_issues_listing.jhtml

[11] Eurostat, Telecommunications in the EU, News Release 20/2005 – 7 February 2005

[12] P. Mateos & P.F. Fisher, Accuracy of Current Mobile Phone Location: Limitations on the New Cellular Geography, Proceedings of the GIS Research UK 13th Annual Conference, pages 136-142, University of Glasgow 2005