Untitled SENSORS WHICH DETECT SENSORS

As already mentioned in the introduction one of the most challenging problems regarding privacy in AmI spaces is the question of control of the data collected by sensors. The existence of this data is an essential and necessary part of AmI and can not be avoided without losing much of the ‘intelligent’ behaviour of AmI. 

The solutions proposed so far of usage of user centric identity management systems are only the second step. This kind of user controlled release of personal data only becomes meaningful if the direct (i.e. uncontrolled) ways of accessing that information are impossible or at least exorbitant costly. But this is not the case with AmI as it is envisaged today, where a huge amount of fixed sensors are distributed in the AmI environment. These sensors could be used to collect all kinds of personal data of a given person without even informing them that the sensors exist at all. 

This leads to the general problem that despite the presence of laws which forbid the unauthorised collection of personal data by means of sensors, they would very likely have little influence in practice, when their violation is not even (in theory) detectable. Different solutions are proposed to cope with this problem - besides the trivial solution to accept the privacy and data protection problems in favour of the benefits offered by sophisticated AmI spaces. All of them are in an early (research) stage of development and could be understood as emerging technologies. They all need support by policy makers (resp. the society at large) and appropriate regulations, which define the general direction of acceptable solutions for the society. 

One possible route to give the control of personal data back to the effected individual would involve the development of sensors which are able to detect (the existence) of sensors. These detectors should ideally be mobile so that each interested person can carry them with them. Notwithstanding the existence of rules which regulate the deployment and usage of sensors in AmI spaces, this gives every person at least the option to make an informed decision regarding their presence in certain environments.

But also detectors which are not mobile (in the sense that one can easily carry them everyday) are useful, if rules and regulations forbid the uncontrolled usage of sensors in AmI spaces. The very existence of these detectors can then be used as deterrence in order to prevent the illegal deployment of sensors - assuming that the related penalties are effective. 

In general techniques for detecting sensors could be classified in different categories according to the ‘part’ of the sensor they in fact can detect. Possible categories are: 

1. Detection of the sensor device itself (or more precisely the process of collecting sensor data). This is principally feasible as long as the sensors are ‘active’ in the sense that they emit some signal (e.g. electromagnetic waves, ultrasonic waves, light etc.), which could be intercepted by the detector. Clearly it is much harder to detect ‘passive sensors’, which just receive signals without emitting any. Prominent examples are optical sensors and (passive auto-focus or fixed focus) cameras. However, such devices could theoretically be detected, if the ‘processing’ of the signal it detects leads to the some form of other emission. This could be for instance the release of electromagnetic waves as a side effect of an amplifier which is used in pre-processing the signal. It could also be detected through a variance of the electromagnetic field surrounding the sensor. Generally the detection of passive sensors is highly related to the area of active probing.

2. Detection of the transmission of the collected data. In order to use the collected data for profiling in AmI space, the data has to be transmitted from the sensor to the processing unit. This is especially possible if radio transmission is used for communication - which makes sense if the sensors need to be deployed within existing buildings without the need to lay new cables for them. But even wired transmission of sensor data could be detected - even though the necessary effort is much higher. A supporting fact is that in AmI scenarios very often the collected data needs to be processed (and thus transmitted) as soon as it is available. This increases the chance of detection compared to scenarios where the collected sensor data can be stored temporarily and only transmitted once a day or a week.
   An interesting questions is how “bad” sensors could be detected, if the “good” sensors will sent all the time (e.g. if they utilise so called “dummy traffic”—a common privacy enhancing-method to hide if and when a sensor has to transmit some real data). In general the “bad” sensors could hide their traffic into the “noise” that all the other sensors produce. But on the other side it would be sufficient if a detecting device can investigate the number of available sensors (e.g. because of (sender) addresses use within the data transmission stream).    

3. Detection of the power supply. Most sensors need some kind of energy to work properly. Often this energy is provided by means of some kind of power supply. Assuming that in AmI spaces a huge amount of sensors need to be deployed making it impossible to lay a power cable to all these destinations one can deduce that the (local) power supply of a sensor will have only limited capacity making energy a valuable resource which should be used sparingly. Hence power save mechanisms like pulsed power supplies will most likely be used which could be detected using radio receivers.     

The most common devices able to detect sensors are so called bug detectors. A bug - also known as covert listening device - is usually a combination of a miniature radio transmitter with a microphone. Most bug detectors in fact do not detect the bug itself but the radio transmission (as described above).

Bug detectors are available on the market in many different types (see ) and have been under active development for a long time. However, despite this their effectiveness is quite questionable.

Figure : Different types of Bug Detectors for different purposes

Not much is known about available detectors for other kinds of sensors. A reason for this could be that such development is not within the scope of industry and academic researchers. Another possible explanation is that the strong natural interests of law enforcement and intelligence agencies to keep the information about sensors which could detect other sensors secret leads to missing literature about them. The latter is a general problem which might indicate a need for new laws or regulations regarding the availability of such detectors for private persons. Once again there exists conflict between the interests of law enforcement agencies performing surveillance and the data protection interests of citizens in counter surveillance. 

But even if one assumes that the usage of sensor detectors is lawful, it can be anticipated that for certain areas of application a race between sensor and sensor detector manufactures will take place. From an electro technical point of view - given our current knowledge - one can assume that the detection of well designed sensors will always be a hard task - if not impossible. This means that, in the long run, the sensor manufactures might win the race. Therefore besides sensor detectors, other possible technologies need to be discussed in order to solve the privacy problem within AmI spaces, as mentioned above.

One possibility is to perturb the effectiveness of the sensors. A well known approach is to emit jamming signals which can either influence the sensing device directly or could try to disrupt the (wireless) communication of the sensor. The latter is known as radio jamming. 

In general it seems to be easier to disturb sensors than to actually detect them. Nevertheless it is still a challenging task, especially if the jamming device has to be mobile so that everyone can carry it with them. Moreover it again becomes a question regarding laws and regulations, because the emission of jamming signals in a given AmI space may also influence the effectives of the sensors regarding other people (and therefore the quality of service which could be offered to them). Hence it seems to be necessary to hold a general decision regarding whether sensors deployed in AmI space are allowed and whether jamming them or not shall consequently be allowed or prohibited. Taking this decision is even more necessary, if it comes to a more irreversible disturbance of sensors, i.e. their destruction. 

In the case where it is decided to allow the deployment of huge amounts of undetectable sensors within AmI spaces, the laws and regulations shall be adapted in order to demand that every lawful sensor emits information about itself in a machine-readable manner. These data (following the privacy law principles) shall at least include information about the location of the sensor, its purpose and capabilities and information about who will process the collected data, for what reason (the data controller) etc. The regulations of today, which only require the placement of a sign somewhere in the environment (e.g. in case of video surveillance), is far behind the needs arising in AmI spaces. Although simple signs are not useful for all people (e.g. they can not be read by blind people), the vast amount of sensor-related signs will overload the perceptional capabilities of human beings. Therefore one needs some informational condensing, which can be realised via a personal device, which runs a similar identity management system, as to that described in D7.3. This device can create warnings based on the measured and calculated privacy risk implied by the environment and the preferences regarding privacy and protection of personal data of the user. 

Mobile sensors for AmI

The question may arise as to why one should trust that an operator of a given AmI space will not deploy ‘unmarked’(i.e. hidden / undetectable) sensors, whereas at the same time one may not trust that the operator will not misuse the collected data (this is why PET technologies are used at all). Possible answers might be that it is always more difficult to detect things which happen in cyberspace than detecting the existence of physical objects or indeed imposing penalties for the deployment of forbidden sensors may prevent their use. Furthermore in an AmI space a service provider might not even have the full control over who is processing the collected data, for which purpose etc., but he might more easily control which sensors are deployed in his facility. 

Being aware of all the privacy problems arising from fixed sensors deployed in AmI environments one could question this concept as a whole. Although at the moment a frontier research area, one can speculate that mobile sensors may be a future emerging technology for AmI. The central idea is that instead of embedding sensors and computing devices into the fixed environment (floors, walls, streets, pedestrian zones, …) or semi-fixed environment (cars, railways, …), sensors and their directly attached evaluation by computing are embedded in our mobile environment (clothes, shoes, glasses, wrist-watches, mobile phones, pens, …). Then, the communication between humans with their fixed or semi-fixed environment can exclusively (or at least mainly) be by means of their mobile environment using a digital (wireless) interface to the fixed or semi-fixed environment. This digital interface gives individuals a much more reasonable degree of control over which personal information is communicated and therefore is known (potentially forever) within the fixed or semi-fixed environment. This application scenario largely assumes that sensors in the fixed and semi-fixed environment are banned and/or jammed by the mobile environment and their functioning including the computing of their signals is closely regulated and monitored. Computation of personalised filtering and interpretation by the mobile devices enables a change in the main direction of information flow from (semi-)fixed environments to the individual instead of vice-versa. This change of direction enables a quantum leap in privacy by avoiding creating possibilities to gather huge amounts of personal data. As a special case of this reversed information flow, the environment could give all kinds of safety and security advice (including advices for privacy) to the individual. 

Summarising one can say that deploying huge amounts of sensors would lead to a massive loss of control over personal data. All users should be informed about this and the alternative possibilities, in order to make sure that any decisions made are based on the correct information. In any case the regulations should be changed in a way that obliges operators of sensors to communicate information about the sensors in a machine-readable and easy to access way and provide for fines, in cases of breach of this obligation.