FIDIS Deliverable D7.3: Report on Actual and Possible Profiling Techniques in the Field of Ambient Intelligence
Two reasons for end user control
The tension between end user control and an intelligent environment


Privacy Enhanced Ambient Intelligence Profiling


In contrast to the Smart Home example, we now focus on contexts the user cannot trust. We therefore do not consider a domestic network here: the data gathered by sensors or devices in the home environment can be controlled by a trusted home computer, and is therefore under the control of the user. Rather, the techniques proposed here are meant for interacting with devices located outside the personal sphere (e.g., public spaces, pubs, stores, offices).

We consider two different sorts of AmI devices: high power and low power. In the next two sections, we present the technologies that can be implemented for these two types of devices. Although the techniques are radically different, they share a common requirement: the user must carry an identity management device (IMD) with sufficient storage capacity and computing power to run the protocols and build profiles.

The burden of personal data management thus lies with the user. Note that in such a model, large databases storing the data of all users are no longer needed, as the data is stored in a distributed form: each user takes care of his own data.

We consider a model in which the user has a powerful IMD and interacts with untrusted devices.

Anonymous credentials

Anonymous credentials are a powerful identity management technique with strong privacy and security features. One of the systems that implement these credentials is ‘Idemix’, which has been explained in detail in FIDIS deliverable 3.3. Here, we give a brief summary of this system in order to indicate its possible uses in certain ambient intelligence contexts.  

Anonymous credential protocols require computationally expensive cryptographic operations and can only be run on devices with high computing power. Many ambient intelligence contexts may therefore not be suited to this technology. Anonymous credentials work as follows: users establish unlinkable pseudonyms with different organisations (in this context, the organisations providing the ambient intelligence services), obtain credentials signed by these organisations certifying certain attributes, and prove possession of those attributes to verifying devices, without the showing being linkable to the issuing or to other showings.

By using this system, users have control over their identity attributes: they choose which attributes to show or prove to a given device. The system allows for minimal data leakage as well as for pseudonymous identity management. It also implements accountability mechanisms, allowing for de-anonymisation under certain conditions (e.g., by a designated trusted party).
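As an added example, not part of the deliverable and not the Idemix implementation it refers to, the pseudonym building block of such systems in Python: one master secret, an unlinkable pseudonym per organisation, and a zero-knowledge proof of knowledge of its opening that the verifying device checks. The DSA-style parameter generation, the bit sizes and the names (`IMD`, `verify`, `challenge`) are assumptions made for illustration; the credential issuance step (a CL signature on the pseudonym) is omitted.

```python
"""Added example, not code from the FIDIS deliverable nor from Idemix: the
pseudonym building block of anonymous credential systems.  The IMD holds one
master secret x and forms, per organisation, a pseudonym nym = g^x * h^r mod p
(a Pedersen commitment with fresh blinding r).  Pseudonyms of one user are
independent random group elements, so organisations cannot link them, yet the
IMD can prove it knows the opening (x, r) without revealing x (Okamoto's
protocol, made non-interactive with Fiat-Shamir).  Credential issuance (a CL
signature on the pseudonym) is not shown.  Parameters are generated DSA-style
(prime q dividing p-1); the small bit sizes are a demo assumption, not secure."""
import hashlib
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(qbits=160, pbits=512):
    """(p, q, g, h): g and h generate the order-q subgroup of Z_p^*; log_g(h)
    is unknown to everyone, which is what makes the commitment binding."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        k = secrets.randbits(pbits - qbits)
        p = k * q + 1
        if p.bit_length() == pbits and is_probable_prime(p):
            break

    def subgroup_element():
        while True:
            e = pow(secrets.randbelow(p - 2) + 2, k, p)   # e^q == 1 mod p
            if e != 1:
                return e

    return p, q, subgroup_element(), subgroup_element()

def challenge(q, *items):
    """Fiat-Shamir challenge over all public values of a proof, reduced mod q."""
    digest = hashlib.sha256()
    for item in items:
        data = item if isinstance(item, bytes) else item.to_bytes((item.bit_length() + 7) // 8 or 1, "big")
        digest.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(digest.digest(), "big") % q

class IMD:
    """Identity management device (assumed name): keeps x and each pseudonym's blinding."""
    def __init__(self, params):
        self.p, self.q, self.g, self.h = params
        self.x = secrets.randbelow(self.q)   # master secret, never leaves the device
        self.openings = {}                   # organisation -> blinding r

    def pseudonym(self, org):
        """Fresh pseudonym for `org`, committing to the same x with a new r."""
        r = self.openings[org] = secrets.randbelow(self.q)
        return pow(self.g, self.x, self.p) * pow(self.h, r, self.p) % self.p

    def prove(self, org, nym, context):
        """Prove knowledge of (x, r) with nym = g^x h^r.  `context` (the verifier's
        fresh nonce) is hashed into the challenge so the proof cannot be replayed."""
        p, q, g, h = self.p, self.q, self.g, self.h
        a, b = secrets.randbelow(q), secrets.randbelow(q)
        t = pow(g, a, p) * pow(h, b, p) % p
        c = challenge(q, p, g, h, nym, t, context)
        return t, (a + c * self.x) % q, (b + c * self.openings[org]) % q

def verify(params, nym, proof, context):
    """Verifier (the AmI device): accept iff g^s1 * h^s2 == t * nym^c mod p."""
    p, q, g, h = params
    t, s1, s2 = proof
    c = challenge(q, p, g, h, nym, t, context)
    return pow(g, s1, p) * pow(h, s2, p) % p == t * pow(nym, c, p) % p
```

A verifying device should supply a fresh nonce as `context` for every showing. A proof made for one pseudonym does not verify against another pseudonym of the same user, and the two pseudonyms share no visible structure: that is the unlinkability the text relies on, and it holds only as long as x stays inside the IMD.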

Such a system is suited to contexts in which the user wishes to maintain a persistent pseudonymous identity, and to access control. For example, it could be used to grant access to certain buildings or rooms (the user proves that he is authorised to access the resource, without revealing who he is). These credentials can also be used to implement secure anonymous electronic cash payments for small purchases.

Dynamic user-generated profiles

Many ambient intelligence devices are designed to provide the user with a customised service by taking the user's preferences into account. One possibility is to implement such a system by identifying users and maintaining internal information about their behaviour and preferences. In this scheme, the data of all users must be kept in a database accessible to the devices.

Such a system collects personal information on users in a way they cannot control. From a privacy perspective, it is desirable that users keep control over their own personal data. We propose a system in which the behavioural data of the user is kept in the user's IMD. When the user interacts with a device, the IMD provides the user's preferences for the particular service the device offers. Any feedback information derived from the user's behaviour is transferred by the ambient intelligence device to the IMD, which updates its internal information on the user for later transactions.

The IMD builds the preferences presented to the device from the previous behaviour of its owner. Users who have the same preferences for a service appear as the same user to the device; conversely, the more fine-grained the profile, the fewer users share it, and a profile nobody else presents acts as an identifier in practice. If a user changes his behaviour or preferences, he appears to the device as different from previous transactions. Note that in this scheme IMDs do not identify themselves, and the profiles presented contain no unique identifier.

Let us illustrate this system with an example. Consider a coffee machine equipped with an ambient intelligence device. When a user wants a cup of coffee, the machine must be able to produce it according to the user's taste (strong or weak, big or small, with or without milk, with or without sugar, etc.). The user sets his profile, i.e. his preferences for the coffee machine, in the IMD.

If dynamic user-generated profiles are implemented, the IMD contacts the machine and orders a coffee with the given set of preferences (e.g., strong, small, without milk and with sugar). The coffee machine is unable to distinguish between two users who like their coffee the same way, as the preferences shown by the IMD are identical. Note that the IMD does not present a unique identifier for the user. If, for example, a user goes on a diet and decides to skip sugar, the preferences change in the IMD, and the user appears to the coffee machine as different from previous times.
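As an added example (not code from the deliverable), the coffee-machine scheme of the last three paragraphs as a small simulation: an IMD that stores preferences locally, presents an identifier-free canonical profile message, and absorbs the device's feedback; and a coffee machine that keeps no user records. The service name, the preference keys, the `patience` update rule and the button-press model of feedback are assumptions made for illustration. The example also measures the anonymity set of each profile, the check the text leaves implicit.

```python
"""Added example, not code from the FIDIS deliverable: dynamic user-generated
profiles for the coffee-machine scenario.  Service name, preference keys, the
`patience` update rule and the `pressed` feedback model are assumptions."""
from collections import Counter, deque
import json

class IMD:
    """Identity management device: the only place the user's preferences live."""
    def __init__(self, patience=3):
        self.profiles = {}       # service -> preference dict
        self.history = {}        # service -> last `patience` feedback messages
        self.patience = patience

    def set_profile(self, service, **prefs):
        self.profiles[service] = dict(prefs)

    def present(self, service):
        """Profile message for a device: canonical JSON (sorted keys, no whitespace)
        and no identifier, so IMDs holding equal preferences send identical bytes."""
        return json.dumps({"service": service, "prefs": self.profiles[service]},
                          sort_keys=True, separators=(",", ":")).encode()

    def feedback(self, service, observed):
        """Absorb what the device saw the user actually choose.  Assumed rule: a
        preference changes only after `patience` consecutive identical deviations,
        so one odd order does not rewrite the profile."""
        hist = self.history.setdefault(service, deque(maxlen=self.patience))
        hist.append(tuple(sorted(observed.items())))
        if len(hist) == self.patience and len(set(hist)) == 1:
            self.profiles[service].update(dict(hist[0]))
            hist.clear()

class CoffeeMachine:
    """Ambient device: brews from the presented profile and keeps no user database,
    only a count of profile messages seen (used to measure anonymity sets)."""
    def __init__(self):
        self.seen = Counter()

    def serve(self, message, pressed=None):
        """`pressed` models buttons the user pushes on the machine itself.  The cup
        follows the presented profile plus overrides; the overrides are the feedback
        handed back to the IMD.  Nothing about the user is stored here."""
        cup = dict(json.loads(message)["prefs"])
        self.seen[message] += 1
        feedback = {k: v for k, v in (pressed or {}).items() if cup.get(k) != v}
        cup.update(feedback)
        return cup, feedback

    def anonymity_set(self, message):
        """Sessions that presented exactly this profile.  Users sharing it are
        indistinguishable to the device; a profile seen once is effectively a name."""
        return self.seen[message]

def run_scenario():
    """Constructed scenario: two users with the same taste, one then gives up sugar."""
    alice, bob = IMD(), IMD()
    for imd in (alice, bob):
        imd.set_profile("coffee", size="small", strength="strong", milk=False, sugar=True)
    machine = CoffeeMachine()

    same_message = alice.present("coffee") == bob.present("coffee")
    machine.serve(alice.present("coffee"))
    machine.serve(bob.present("coffee"))
    shared_set = machine.anonymity_set(alice.present("coffee"))   # alice and bob look alike

    # Alice presses "no sugar" on three visits; the machine feeds each deviation
    # back and the IMD updates her stored preference after the third one.
    for _ in range(3):
        cup, fb = machine.serve(alice.present("coffee"), pressed={"sugar": False})
        alice.feedback("coffee", fb)
    sugar_now = alice.profiles["coffee"]["sugar"]
    diverged = alice.present("coffee") != bob.present("coffee")

    # Her next order is a new profile message, not linkable to the old one by its
    # content, but an anonymity set of size one until other users share it.
    machine.serve(alice.present("coffee"))
    new_set = machine.anonymity_set(alice.present("coffee"))
    return {"same_message": same_message, "shared_set": shared_set, "sugar_now": sugar_now,
            "diverged": diverged, "new_set": new_set, "distinct_profiles": len(machine.seen)}
```

`anonymity_set` is the check to run before deploying such a scheme: a profile presented by a single session is, for linking purposes, an identifier, so coarse preference values (small or large rather than a millilitre count) keep users indistinguishable, and the IMD should not transmit attributes the service does not need.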

This technique was originally proposed for targeted advertising, since advertisements are more effective when selected according to the user's preferences. As ambient intelligence also works on profiles and preferences, the technique can be adapted to this context.


fidis-wp7-del7.3.ami_profiling_02.sxw, p. 23 / 62