
D3.3: Study on Mobile Identity Management


 

Privacy Risk of User Agent Systems in WAP based Systems

Well-known privacy problems of the traditional Internet, such as those caused by cookies, customer and communication profiling or SPAM, are also issues in the mobile Internet. One of the major new privacy problems introduced by mobile Internet architectures is the problem of location privacy. Data about the precise geographic location of the user (or, more precisely, the user's device) are perceived as sensitive and therefore, according to Art. 9 of EU Directive 2002/58/EC, need special protection.

In addition to location data, further kinds of personal data are needed in mobile Internet environments for personalisation, for content adaptation that minimises performance costs, and for context-aware services. In the mobile Internet, where restricted devices with small screens are in use, personalisation is a much bigger issue than in the traditional Internet, where personalisation of sites is rather a matter of convenience to the end user.

Information about the device capabilities and the user’s preferences in so-called User Agent Profiles can be especially useful: it allows the service provider to generate content tailored to the characteristics and user interface of the requesting device, and thus to enhance the mobile user’s experience and minimise the use of bandwidth. The Composite Capabilities/Preference Profile (CC/PP for short) recommendation (CC/PP) by W3C specifies how a client-side user agent, such as a web browser in a PC or a mobile phone, can deliver a description of its capabilities and the user’s settings to a content server. The User-Agent Profile (UAProf for short) Drafting Committee of the WAP Forum (now: Mobile Internet Alliance) created a specification (UAProf) based on the original CC/PP note (CC/PP Note 1999), including some WAP-specific extensions.

CC/PP allows origin servers to generate content that is adapted to the requesting user agent and the user’s preferences: Capabilities and Preference Information (CPI) is sent to the origin server within an HTTP or WSP request. CPI is represented by means of a profile, which comprises a set of components. In UAProf, these include hardware platform, software platform, network characteristics and personal settings. The UAProf specification also defines location as a reserved attribute. Profile Unified Resource Identifiers (URI) are sent using the profile header inside the HTTP request. The URI refers to the location of the profile in a profile repository. Intermediate network entities may optionally add content-transforming capabilities or location information to the profile by adding a special header called Profile-diff, which is devoted to conveying a single attribute or a few attributes.

CPI in User Agent Profiles also comprises personal data about the device holders, which can become very sensitive if used in a certain context or for a certain purpose. For instance, the information that someone has a very expensive mobile device could be used by mobile marketing services to provide more exclusive and expensive offers, and could, in combination with the user’s location data, also be of special interest to burglars. The fact that a user is choosing settings for larger letters or voice only could lead to the conclusion that the user is visually handicapped. In (Nilsson, Lindskog and Fischer-Hübner 2001; Fischer-Hübner, Nilsson and Lindskog 2002) privacy problems of capability and preference information are discussed. CPI in user agent profiles is therefore also part of a mobile user’s identity, and mobile users need to have the possibility to be in control of it.

In (Fischer-Hübner, Nilsson and Lindskog 2002), results of the PiMI prototype project with participants from Ericsson AB and Karlstad University are presented. In the PiMI project, a browser built-in and a proxy-based P3P (P3P) user agent were developed for controlling the dissemination of CPI in mobile Internet environments by means of Minimal Profile Conveyance. The approach of Minimal Profile Conveyance requires that the user defines a minimal CPI profile, containing only information that the user considers completely harmless, or where there is an understanding that this information may be necessary for some reason. In the extreme case, the profile could be empty. This minimal profile can be used:

  1. for accessing non-P3P enabled web sites or web sites that do not meet the user’s P3P privacy preferences  

  2. for serving third party requests to the WAP Gateway for cached profiles (such as for WAP push content generation)  

  3. for communication in the “safe-zone” (as defined in P3P) before a P3P agreement  

The end user also has to define a full CPI profile to be used when there is a successful P3P agreement, i.e. the site is P3P compatible and the site’s P3P policy file matches the end user’s privacy preferences.  
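The profile selection described above can be sketched as follows. This is an added example, not code from the PiMI prototype; the attribute names, purpose strings and the `policy_acceptable` check (a simplified stand-in for real P3P preference matching) are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Constructed sample profiles; attribute names are illustrative only.
FULL_CPI = {
    "HardwarePlatform": {"Model": "ExamplePhone X", "ScreenSize": "176x208"},
    "SoftwarePlatform": {"AcceptLanguage": "sv"},
    "NetworkCharacteristics": {"Bearer": "GPRS"},
    "PersonalSettings": {"FontSize": "large", "VoiceOnly": False},
    "Location": "59.40N,13.51E",
}
# Only what the user considers harmless; may be empty in the extreme case.
MINIMAL_CPI = {"HardwarePlatform": {"ScreenSize": "176x208"}}


class Requester(Enum):
    ORIGIN_SERVER = "origin server"
    THIRD_PARTY = "third party asking the WAP gateway for a cached profile"


@dataclass
class Context:
    requester: Requester
    site_purposes: Optional[frozenset]  # None: site publishes no P3P policy
    agreement_reached: bool             # False while still in the safe zone


def policy_acceptable(purposes, allowed):
    """Simplified stand-in for P3P matching: every purpose the site
    declares must be one the user allows."""
    return purposes is not None and purposes <= allowed


def select_cpi(ctx, allowed_purposes):
    """Return (profile, reason) following Minimal Profile Conveyance."""
    if ctx.requester is Requester.THIRD_PARTY:
        return MINIMAL_CPI, "third-party request for cached profile"
    if ctx.site_purposes is None:
        return MINIMAL_CPI, "site is not P3P enabled"
    if not policy_acceptable(ctx.site_purposes, allowed_purposes):
        return MINIMAL_CPI, "policy does not meet user preferences"
    if not ctx.agreement_reached:
        return MINIMAL_CPI, "safe zone, no agreement yet"
    return FULL_CPI, "successful P3P agreement"
```

The full profile is the last branch, so any case the checks do not positively clear falls back to the minimal profile.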

Even though P3P can enhance transparency and control over data disclosure for users, it has also been criticised: it does not ensure compliance of privacy policies with privacy laws, it does not guarantee a minimum and non-negotiable level of privacy protection for individuals, and in its current form it does not fulfil the legal requirements for obtaining user consent by technical means.

Privacy-enhanced mobile identity management systems can go a step further and should provide a means for privacy control (consent, objection, disclosure, correction, deletion and addition) and for privacy-compliant data processing of CPI and other personal data belonging to a user’s mobile identity. 

 
