CHAPTER 4

Privacy Implications of Mobile and Pervasive Computing

In his seminal 1991 Scientific American article, Mark Weiser already cautioned that “hundreds of computers in every room, all capable of sensing people near them and linked by high-speed networks, have the potential to make totalitarianism up to now seem like sheerest anarchy” [Weiser, 1991]. Chapter 3 presented some of the reasons for this: mobile systems come in highly portable form factors that make it easy to always carry them with us; their powerful communication capabilities encourage data offloading to the cloud; the potential of context awareness and novel low-power sensors make continuous data collection the default; and thriving app ecosystems challenge traditional trust relationships. The vision of pervasive systems furthermore makes it difficult to tell when one is detected and potentially recorded by invisible devices; its focus on understanding user intent drives ever expanding data collection; and the ubiquity of smart devices and environments offers the tantalizing promise of better “managing” and “optimizing” society.

Data collection and processing are core aspects of mobile and pervasive systems and they create a dual-use dilemma. Consider the example of the smart fridge that automatically re-orders food from the grocery store. This functionality clearly benefits the user, as it obviates the need for last-minute trips to the grocery store. However, at the same time, the consumption patterns and eating habits implied in the fridge’s store orders could be used by the store for targeted advertising, or even to create personalized adjustments of prices. Assuming that the user sees this more as “manipulation” than a useful service, this would clearly be a drawback [Langheinrich, 2009]. Even more critical, such detailed grocery lists are likely sufficient to infer a person’s (or a whole family’s) health risks, something that an insurance company might be interested in buying from the store as part of a background check before offering a new insurance contract. Obviously, this could also be viewed as beneficial: a consumer with a smart fridge who keeps a healthy diet might pay less for health insurance if the individual would explicitly allow such data sharing; maybe also in exchange for additional benefits, such as personalized health tips and recipes.

Weiser [1991] noted that “fortunately, cryptographic techniques already exist to secure messages from one ubiquitous computer to another and to safeguard private information stored in networked systems.” However, the mere existence of cryptographic techniques is obviously insufficient to address the problem of privacy. Take email for example: more than 25 years later we are still unable to effectively safeguard the transmission of personal email on any useful scale. Safeguarding complex systems takes far more than cryptography [Anderson, 2008]. In addition, as we discussed in Chapter 2, simply “ensur[ing] that private data does not become public” [Weiser, 1991] is not sufficient to provide privacy [Langheinrich, 2009].

In this section, we explore the specific privacy implications of mobile and pervasive computing technology, in order to determine the challenges that need to be tackled if we want to provide privacy-friendly technology, systems and applications. Much of what we discuss here of course also applies to computers, servers and cloud infrastructures. In fact, Abowd [2012] argues that ubiquitous computing has become almost indistinguishable from general computing, as most recent computing advances could also be considered ubicomp advances and vice versa. We thus start each section by discussing the general implications of computers with respect to privacy, before moving on to focus on mobile and pervasive applications in particular.

Privacy implications of large-scale data collections have been recognized as early as the 1970s (see Section 2.1.1). Paul Sieghart, one of the authors of the influential UK White Paper on Computers and Privacy in 1975 (see Douglas [1976]), described the effects of the computerization of daily life—the “information society”—as follows.

More transactions will tend to be recorded; the records will tend to be kept longer; information will tend to be given to more people; more data will tend to be transmitted over public communication channels; fewer people will know what is happening to the data; the data will tend to be more easily accessible; and data can be manipulated, combined, correlated, associated and analyzed to yield information which could not have been obtained without the use of computers [Sieghart, 1976].

Computers are responsible for three core developments that greatly shape our information society: the “digitization” of everyday life; the automation of capturing real-world processes; and profiling.

4.1  DATA SHADOWS–THE DIGITIZATION OF DAILY LIFE

The first core driver of how computers affect privacy is their ability to “digitize” our daily lives—to map the complexity of the real-world to a set of bits. The phenomenon of digitization of our lives began in the 1960s and 1970s, when the first databases allowed governments to take stock of their citizens—not only in terms of population numbers, but also their demographics and how they live—through large-scale censuses. However, censuses only captured a single moment in one’s life and relied on self-reported data, making the quality of the mapping relatively coarse. Today’s digital traces are much more comprehensive.

In the following (and in subsequent sections in this chapter), we will first briefly describe the technology behind each of the core developments (digitization, automated capture, and profiling), before discussing their privacy implications—both for computers in general, and in particular given the capabilities of mobile and pervasive computing.

4.1.1  TECHNOLOGICAL DEVELOPMENT

The early censuses of the 1970s were the first attempt to build a digital representation of a country’s citizens. Today, the often-quoted “transparent citizen” has become a reality, as we will illustrate in five sample domains: payment systems, interpersonal communication, media consumption, physical movement (transport), and physical activity.

One of the earliest commercial drivers of digitization were cashless payments in the form of credit and debit cards. Card-based payment systems increased digitization considerably, both in terms of detail and reach. At first, mostly a tool to arrange international travel (e.g., hotel and rental car booking), card-based payment systems have since expanded to also cover many of our everyday purchases. Innovations such as NFC-based contactless payments—either with a payment card or a compatible smartphone—seek to lower the barrier of use for such systems in order to encourage cashless payments even for small everyday purchases (e.g., a cup of coffee or a bus ticket). E-Commerce was an early driver of this process, as cashless payments are often the only way to transact business online. While consumers value the convenience of cashless payment (less small change to carry around; no need to have enough cash with you; better protection from theft), both industry and government also significantly profit from the traceability of transactions: cashless purchases enhance the creation of consumer profiles and thus improve marketing, while fewer cash transactions mean that less money can potentially be hidden from the tax office.

The second wave of digitization came in the form of email and text messaging (e.g., through pagers and texting). Written digital communication has moved much of our daily interactions—some of which we might have had face-to-face or over the (analog) phone—into the digital realm. Digital communication offers countless benefits: the ability to chat from a multitude of devices, often free of charge, including the exchange of images, files, and video; the ability to exchange arbitrary amounts of text, as well as documents and pictures in high quality, with practically anybody in the world; the ability to communicate quickly yet asynchronously (i.e., no need for the conversation partner to be available at the same moment). Later on, the ability to transport voice over the Internet (VoIP) not only allowed telecommunication providers to lower their infrastructure cost, but also allowed end-users to both receive and field calls on their mobile, their computer, or a (VoIP-enabled) desktop phone, depending on their current location and preferences. Finally, video telephony—the vision from the 1960s that just never seemed to catch on—took off when software such as Skype transformed any computer with a cheap webcam into a telepresence device. Video conferencing, often from smartphones, is now common for both business and personal interactions. Digital communication has truly transformed our ability to keep in touch and work together across time and space. Yet digital communication inherently allows for the capture of detailed “connection metadata,” i.e., who communicates with whom, when, and for how long, and, depending on the communication means, also its contents. Even “normal” landline telephony is nowadays mostly implemented digitally (i.e., as VoIP), as, of course, is mobile telephony, which means that meticulous call records can be easily maintained by telecommunications companies and government agencies—including foreign and domestic intelligence agencies, as evidenced by the Snowden revelations on the large-scale data collection by the NSA, GCHQ, and other intelligence services [Landau, 2013, 2014].

The development of digital formats for media—initially ebooks and subsequently music and video—represents a third wave of digitization. Today, music and videos are more and more delivered and consumed online via streaming services, while ebooks and their corresponding reading devices are replacing traditional books. Music streaming has started to fundamentally change the media consumption behavior of a generation, as more and more young people do not buy individual albums or even songs anymore (and certainly not on a physical medium such as a CD!) but simply pay a monthly fee for accessing a more or less unlimited amount of music. The video industry similarly uses video streaming to both simplify the distribution process (no lengthy downloads of huge video files) and to combat piracy (as no digital file is ever available to customers for illegal sharing). Increasingly, even traditional TV content is—now in a fully digital format—being provided on-demand (e.g., Netflix) or consumed through cloud-based streaming services that allow consumers to pause live content or re-watch missed shows. Last but not least, ebooks and other digital content are not only often cheaper than printed books and physical media (certainly for the publisher as no actual printing and shipping takes place, but also for the consumer) but can also be created on-demand and instantaneously (hence no warehouses needed for storage) and can be carried around by the thousands on a small memory card (thus allowing consumers to take an entire library to the beach).

The flip-side of streamed media is the ability for publishers to track listening and watching habits. While ebooks in principle do not suffer from this problem (they are small enough to be downloaded in their entirety), ebook readers offer consumers to keep track of their books and the current page through cloud services that sync reading state across ebook readers and reading apps on mobile devices. This information could be easily shared with publishers to provide insight not only on how many books are sold but also how long it takes people to read a book or where they stop reading.

Many consumers also do not realize that acquiring electronic media often does not constitute ownership, as was the case with regular books or records or DVDs and Blu-ray discs. Instead, consumers typically license (i.e., “rent”) a certain item. This means not only that publishers can remove access at any point (e.g., delete the ebook from the reading device [Stone, 2009]), but also that re-selling or gifting such media is typically prohibited [Bogle, 2014].

A fourth example of everyday digitization can be found in transport. Both airlines and railway companies pushed the concept of digital “print-at-home” tickets, while public transport companies are increasingly supporting “on-the-go” payment schemes via NFC-enabled cards and smartphone apps. Such digital records thus follow our international, national, and even local travel in ever increasing detail. Many car rental companies today track the position of their vehicles, not only to prevent theft, but also to enforce adherence to road safety [McGarvey, 2015]. Several car manufacturers offer roadside assistance programs that continuously track the position of the car and automatically alert emergency services in case of an accident (e.g., if the airbags are triggered). Moreover, modern cars are increasingly driven “by wire,” i.e., steering and pedals are analog devices whose input is digitized and used to control motors that adjust the angle of the wheels, the pressure of the brakes, and the amount of fuel injected into the engine. Countless sensors collect additional information on road conditions (e.g., temperature and slipperiness), allowing for the detailed data capture of an entire road trip [Musk, 2013].

Note that location capture is not restricted to transportation: many door locks—not only in offices and hotels, but also in private residences—do not rely on physical keys anymore but use remotely programmable chip cards or mobile apps. Every time someone opens them, another event is added to the data log. Internet-connected locks and security cameras provide detailed audit logs of who is coming and going in our homes [Ur et al., 2014]. In fact, today’s home automation solutions already explicitly target the capture of home presence patterns in order to optimize heating systems, while electronic “smart meters” are being deployed to provide utility providers with instant information about energy and water use. If fine-grained enough, such energy data can not only detect the use of individual appliances but even allow inference of the TV program one is watching [Greveler et al., 2012]. Such detailed records of our activities can also be inferred from the data we actively publish about ourselves: many people today continuously update their social media “status” to share their activities with others on social networking sites, such as Facebook, Instagram or Twitter. Those status updates may not only include a textual description but also location information, pictures, and explicit co-location information of others.

In short, most of our life today has a digital “data shadow” that represents an electronic record of our “analog” reality. Such data shadows are a core enabler of modern life, as they allow us to efficiently deal with much of its inherent complexity. They enable our highly mobile lifestyles, allowing us to communicate on-the-go (instead of having to wait for physical letters to arrive or finding a fixed-line telephone) and to organize our business and our private lives wherever we are (using mobile apps on our phones or tablets for everything from company work to private banking or home automation). The ability to access these data shadows from almost anywhere also supports our interactions with others, e.g., when we use credit cards to pay in a foreign country. The concept of “anticipatory computing” [The Economist, 2014] uses our data shadows to anticipate our future plans and behavior in order to provide us with information right when we need it, e.g., reminding us when to leave for an appointment based on our current location, the appointment’s location, and the current traffic conditions between them [Google, 2014].

4.1.2  PRIVACY IMPLICATIONS

While digitization is a key enabler for our highly efficient lifestyles, it does come with significant privacy implications that are only exacerbated by mobile and pervasive computing, for two main reasons.

First, mobile and pervasive computing poses a shift in what kind of information is collected about users and at what scale [Langheinrich, 2009] compared to previous databases or even data collection on the Internet. The creation of such data shadows relies on the collection of “real-world” data about us and the digital storage of this data. Both mobile devices and pervasive computing systems greatly simplify the continuous collection of such day-to-day information about an individual. Rather than requiring users to explicitly provide information, sensors in mobile and pervasive environments enable the invisible collection of information [De Hert et al., 2009], extending to location, health, and behavioral information about specific individuals. Sensing here does not necessarily entail a physical sensing device—one of the most revealing “sensors” is a piece of plastic: the credit card. In today’s commercial environment, the increasingly ubiquitous credit card provides detailed movement and consumption data from which further inferences, such as our behavior and activities, can be drawn [Ackermann and Mainwaring, 2005]. The potential for extensive real-time monitoring and permanent recording of the minutiae of a user’s everyday life would lead to “surveillance of the ordinary” [Langheinrich, 2009] on a pervasive scale [Cas, 2005, De Hert et al., 2009]. This issue is exacerbated by the fact that the associated information flows and uses of data are obscured from users [Lederer et al., 2005], due to the embedded nature of many mobile and pervasive computing systems.

Second, today’s cheap and advanced storage capacities [Waldo et al., 2007] make it highly likely that the collected information is stored permanently. Waldo et al. [2007] note that developing procedures for limiting data retention and deleting data is often considered more expensive by companies than just keeping the data. As a result, previously transient information becomes permanent, which crosses the ephemeral and transitory borders defined by Marx [2001] (see Section 2.3.3) [Bohn et al., 2005, Langheinrich, 2002b]. Once collected and never deleted, data is thus much more likely to be used for emerging purposes that were not considered or available at the time of collection. For example, when an earthquake hit California in August 2014, fitness wearables manufacturer Jawbone analyzed sleep tracking data collected by its users’ fitness trackers to study how the earthquake affected the sleep patterns of people living in different parts of California [Mandel, 2014]. Google uses aggregated information about certain health-related search terms to estimate flu activity and detect flu epidemics in the United States [Ginsberg et al., 2009]. While in both cases analysis results are based on aggregated data, it is conceivable that the same data could be misused by healthcare providers or employers to determine health risks of individuals, which could then be reflected in increased insurance costs, or decreased chance of being considered for a promotion.

4.2  FROM ATOMS TO BITS–AUTOMATED REAL-WORLD DATA CAPTURE

The second core driver of how computers affect privacy is our increasing ability to seamlessly capture real-world events. Traditionally, digitizing data meant that information had to be entered manually into a computer system. With the help of additional computing power, such “media breaks”1 can be greatly reduced. An example of a media break would be when goods arriving at a warehouse are not properly added to the inventory database [Fleisch et al., 2003]. Computing has long been a key component for reducing media breaks along the supply chain. For example, instead of entering prices manually into a cash register, a barcode allows a properly equipped cash register to not only avoid errors in producing the total price, but also to keep track of the product being sold, not just its price. Mobile and pervasive computing will greatly improve this process and allow information processes to further close the gap between the real world and the virtual world. A truck’s on-board tracking unit (OBU) can provide logistics companies with instant fleet management, allowing them to know at any point in time where their trucks are. Similar units mounted to shipping containers have revolutionized international shipping, making it much easier to track individual shipments across the globe. On a smaller scale, delivery agents scan barcodes with their mobile devices when they process or deliver a package, allowing a parcel service to instantaneously update the shipping status of each parcel.

4.2.1  TECHNOLOGICAL DEVELOPMENT

The ability of mobile and pervasive computing to eliminate “media breaks” also applies across other areas of life, beyond the industrial supply chain. In fact, the massive digitization of our lives described in the previous section is only possible due to our ability to use mobile and pervasive computing to track and capture real-world processes in almost real time. Smartphones in our pockets capture our position instantaneously and continuously, making it possible to record comprehensive movement logs over days and months. Moreover, collected sensor data is also easily shared between applications and even across devices. A mobile browser can easily query a mobile device for its location in order to provide localized search results using HTML5’s geolocation API [Mozilla Foundation, 2018]. An application on a mobile phone can query a body-worn health sensor for physiological data (e.g., heart rate) and use it to provide exercise advice and dietary suggestions [Katz, 2015]. Centralized profiles such as one’s Google, Apple, Amazon, or Microsoft account allow one to continue an activity, e.g., a browsing session, started on a desktop computer later on with a mobile device or continue a chat on a mobile device on one’s laptop.2 Sensors in vehicles, ships, and airplanes allow for the servicing of engines and other parts even before a potential failure occurs, simply by continuously logging and transmitting key operational parameters to a service center [Tel, 2010]. Similar technology has long been in use in vending machines to alert the operator of potential out-of-stock situations before they occur,3 while early prototypes already exist that try to offer a similar functionality for supermarket shelves [Koesters, 2018].

Modern sensor technology is key for eliminating media breaks. Today’s sensors use less and less power, making it possible to both embed them into ever smaller packages (as they do not need a large battery) and to run them for longer periods of time. For instance, positioning information used to be available only through the use of power-hungry GPS sensors, which meant that consumers had to choose between battery life or detailed localization. Today, those GPS sensors have not only become much more power efficient, but they are also used together with accelerometer sensors to better understand when the device is actually moving and hence position information needs to be updated. Power-efficient WiFi chipsets complement GPS-based location information—in particular indoors—by using WiFi fingerprinting technology [Husen and Lee, 2014]. Some sensors can also harvest the required power from the measurement process itself, making it possible to forego a battery completely.4 Alternatively, infrastructure-based sensors “piggyback” onto the power grid or plumbing of a house and infer occupancy information or individual device use simply by observing consumption patterns [Cohn et al., 2010, Froehlich et al., 2009, Gupta et al., 2010, Patel et al., 2007, 2008].

4.2.2  PRIVACY IMPLICATIONS

Continuous sensing significantly changes not only the accuracy of data collection, but also the manner in which such data collection takes place. Instead of closing a shop and manually taking an inventory of what is on its shelves, a sensor-equipped smart shelf “knows” at any point in time what products are on its shelves. While this of course greatly reduces costs (e.g., by reducing the above-mentioned “media breaks”), it also has implications for human perception of such collections. The more these “points of capture” move into the background, into the fabric of the infrastructure, the less aware people can be of such processes. A “smart home” may need no cameras to know what its inhabitants are doing at any point in time, as the electric wires embedded in its walls are able to pinpoint the exact location of each person within a few meters [Adib et al., 2015]. As mentioned in the previous section, a “smart meter” enables the utility company to remotely gather information about a household’s power consumption, usually in real-time, with the potential to infer in real-time household presence, appliance use [Gupta et al., 2010], and what TV program is being watched [Greveler et al., 2012]. A “smart car” may continuously relay its current location, speed, number of passengers, and even the radio station currently tuned into, to a central traffic system or the car’s manufacturer, without any speed cameras, surveillance cameras, or toll checkpoints around. Sensor-based systems have made data collection so easy that it has become the default, not the exception.
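The appliance-use inference from smart meter data mentioned here and in Section 4.1.1 depends on the meter's sampling resolution. The following added example (not from this book or the cited studies) constructs a synthetic one-hour household power trace at 1 Hz with a few illustrative appliance events, then runs a naive step detector on the raw trace and on the same trace averaged over 15-minute windows, as a utility might store it; the appliance wattages and schedule are constructed values, and the detector is a deliberately simple stand-in for the non-intrusive load monitoring methods of Gupta et al.

```python
"""Added example: why meter resolution matters for appliance inference.

A synthetic 1 Hz power trace with labelled appliance events is analysed twice:
once at full resolution and once after 15-minute averaging. A naive step
detector recovers individual appliances from the fine-grained trace but not
from the aggregated one, which is the mitigation side of the inference risk.
All wattages, timings, and the baseload are constructed, not measured.
"""
from statistics import mean

# Constructed appliance signatures: name -> steady-state power draw in watts
APPLIANCES = {
    "fridge_compressor": 120,
    "kettle": 2000,
    "television": 90,
    "microwave": 1100,
}

# Constructed schedule for one hour at 1 Hz: (appliance, on_second, off_second)
SCHEDULE = [
    ("fridge_compressor", 0, 600),
    ("television", 300, 3300),
    ("kettle", 900, 1080),
    ("microwave", 2400, 2520),
    ("fridge_compressor", 2700, 3300),
]

BASELOAD_W = 60   # always-on standby load (constructed)
SECONDS = 3600    # one hour of readings at one reading per second


def synth_trace(schedule=SCHEDULE, seconds=SECONDS, baseload=BASELOAD_W):
    """Return per-second total household power readings (watts) for the schedule."""
    trace = [baseload] * seconds
    for name, on, off in schedule:
        watts = APPLIANCES[name]
        for t in range(on, min(off, seconds)):
            trace[t] += watts
    return trace


def aggregate(trace, window):
    """Average the trace over fixed windows of `window` seconds (a coarser meter)."""
    return [mean(trace[i:i + window]) for i in range(0, len(trace), window)]


def detect_switch_on(trace, tolerance=0.1):
    """Naive step detector: a positive jump between consecutive readings that
    matches a known appliance wattage within `tolerance` is attributed to that
    appliance. Returns a list of (reading_index, appliance_name)."""
    events = []
    for i in range(1, len(trace)):
        delta = trace[i] - trace[i - 1]
        if delta <= 0:
            continue  # switch-off or no change; only rising edges are matched
        for name, watts in APPLIANCES.items():
            if abs(delta - watts) <= tolerance * watts:
                events.append((i, name))
                break
    return events


def compare_resolutions(window=900):
    """Run the detector on the 1 Hz trace and on its `window`-second averages.
    Returns (appliances found at 1 Hz, appliances found after aggregation)."""
    fine = synth_trace()
    coarse = aggregate(fine, window)
    fine_names = sorted({name for _, name in detect_switch_on(fine)})
    coarse_names = sorted({name for _, name in detect_switch_on(coarse)})
    return fine_names, coarse_names


if __name__ == "__main__":
    fine_hits, coarse_hits = compare_resolutions()
    print("1 Hz trace, appliances recovered:", fine_hits)
    print("15-minute averages, appliances recovered:", coarse_hits)
```

At 1 Hz every appliance in the schedule is recovered from its switch-on edge; after 15-minute averaging the per-window deltas (roughly +350 W, then two decreases) match no single appliance signature, so the same detector recovers nothing.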

This always-on sensing (and collecting) has significant security implications. In a 2015 report [Federal Trade Commission, 2015], the US Federal Trade Commission estimated that today’s nascent “Internet of Things” already connects over 25 billion devices, and points out that companies with a large store of consumer data will become “a more enticing target for data thieves or hackers.” A second implication of such seamless data collections is that it exacerbates what Solove [2013] calls the “consent dilemma.”

Consent has been one of the cornerstones of modern privacy legislation (see Section 2.1.1), stipulating that many data collections are legal if the data subject has (explicitly or implicitly)5 given their consent. In fact, the latest EU privacy law, the GDPR (see Section 2.1.2), has significantly increased the requirements for data collectors to obtain consent (Article 4.11, GDPR).6 Solove points out two key problems with consent. First, Solove points out cognitive problems that severely “undermine …individuals’ ability to make informed, rational choices about the costs and benefits of consenting to the collection, use, and disclosure of their personal data.” Second, Solove identifies what he calls structural problems of asking individuals for consent: first, there are “too many entities collecting and using personal data to make it feasible for people to manage their privacy separately with each entity;” and second, many privacy harms are “the result of an aggregation of pieces of data over a period of time by different entities. It is virtually impossible for people to weigh the costs and benefits of revealing information …” In a sensor-based environment, giving “unambiguous” consent may be impossible for two reasons: first, there may not be any explicit dialog between the system and the user, e.g., in a smart office building that automatically tracks all visitors; and second, the sheer number of services may overwhelm the cognitive capacity of users, who, according to Solove [2013], are already barely able to keep track of these data collections within the Web context.

4.3  PROFILING–PREDICTING BEHAVIOR

Profiling is a practice that in principle is as old as human relationships [Solove, 2008]. In their “Advice paper on essential elements of a definition and a provision on profiling within the EU General Data Protection Regulation,” the Article 29 Data Protection Working Party [2013]7 defines profiling as follows.

“Profiling” means any form of automated processing of personal data, intended to analyze or predict the personality or certain personal aspects relating to a natural person, in particular the analysis and prediction of the person’s health, economic situation, performance at work, personal preferences or interests, reliability or behavior, location or movements.

Profiling is one of the most critical aspects of any privacy law today, as its potential for both benefiting users—in the form of better services—and harming users—by increasing, e.g., their vulnerability to manipulation—is tremendous.

4.3.1  TECHNOLOGICAL DEVELOPMENT

In the past, small store owners would get to know their customers over time and begin to anticipate their needs, e.g., by pre-ordering the customer’s favorite items. Computers allow this prediction to become automated and externalized, allowing the operator of such a profiling operation to predict a person’s desires, fears, or actions without having even met the person. Today, information collected online, e.g., on e-commerce sites, forums, and search sites, is routinely integrated with databases containing detailed records about our offline lives, e.g., household income, profession, marital status, credit scores, in order to, e.g., assess individual affluence, interests, and creditworthiness—all in real-time, as we are “surfing the Web” or using our smartphones. Such “online behavioral advertising (OBA)” tracks individuals across websites and online services to infer their interests and estimate their propensity to purchase specific products and, thus, their susceptibility to targeted advertising [Rao et al., 2014]. Online behavioral information may further be enriched by an individual’s purchase history from multiple websites, as well as offline purchases. For instance, in the United States data brokers legally obtain information about a person’s prescription drug purchases and usage related information, compile it into prescription drug reports, which are then bought by insurance companies to estimate health risks of applicants and to decide whether they will be insured [Privacy Rights Clearinghouse, 2012]. There is an active market for personal information collected online and offline [Schwartz, 2004]. A particularly morbid illustration of what information is stored in such profiles came to light in 2014, when Mike Seay, whose teenage daughter had died nine months earlier, received a junk-mail letter from OfficeMax with a second address line reading “Daughter Killed in Car Crash” [Hill, 2014].

The information collected by mobile and pervasive computing systems makes even more fine-grained information available for aggregation, but also provides additional data points to attach external information to. Fine-grained sensor, location, and activity data can be correlated with public or personal events, venue information, and social media activity. The result will be comprehensive and holistic profiles that map out a person’s life. Today’s online social networks, with their wealth of pictures posted from a huge variety of social situations (holidays, meetings, parties, sports, events), already allow for unprecedented aggregation, consolidation, and de-anonymization. Advanced machine learning methods allow us to classify human interests and personalities from seemingly unrelated information, such as call logs or texting behavior [Chittaranjan et al., 2011]. For example, Acquisti et al. [2014] were able to infer both the interests and the social security number8 of total strangers only from their picture—by using face recognition, data mining algorithms, and statistical re-identification techniques.

4.3.2  PRIVACY IMPLICATIONS

Information aggregation and comprehensive profiling have multiple potential privacy implications. An obvious issue is that profiles may contain incorrect information. Factual information may have been inaccurately captured, associated with the wrong person due to identical or similar names, or may have been placed out of context as part of aggregation. Inferences made from collected data may be incorrect and potentially misrepresent the individual (see, e.g., Charette [2018]). Inaccurate information in an individual’s profile may just be “a nuisance,” such as being shown improperly targeted ads, but consequences can also be dire, such as having to pay a higher premium for health insurance, a higher interest rate for a loan, being denied insurance, or being added to a no-fly list. Some options exist to correct inaccurate information. Credit bureaus provide mechanisms to access and correct credit reports; online data brokers often provide access to one’s profile and may allow for corrections [Rao et al., 2014]. However, correcting inaccurate information can still be difficult or even impossible because it is difficult for an individual to determine the original source of some misinformation, especially if it is used and disseminated by multiple data brokers.

Even if information aggregated about an individual is correct, privacy issues arise. Based on a profile’s information, individuals may be discriminated against in obvious as well as less perceptible ways. Price discrimination is a typical example. For instance, the online travel agency Orbitz was found to display more expensive hotel and travel options to Apple users than to Windows users, based on the browser information transferred with each request [Mattioli, 2012]. Acquisti and Fong [2014] studied hiring discrimination in connection with candidate information available on online social networks. They found that online disclosures of personal traits, such as being Christian or Muslim, significantly affected whether a person was invited for a job interview. It is conceivable that inferences about an individual’s health based on prescription drug use, shopping history (e.g., weight loss pills or depression self-help books), or other indicators may also lead to discrimination. A key approach to addressing the risks stemming from profiling is therefore the disclosure of information about the algorithm(s) used to rank or classify an individual (see Section 5.6).

Large-scale collection and aggregation of information can also lead to inadvertent disclosure of some information about individuals that they would have preferred to keep private. For instance, Jernigan and Mistree [2009] used social network analysis to predict with high accuracy a person’s sexual orientation based on their friends’ sexual orientation disclosed on online social networks. Information shared in mobile messaging apps about when a user is active or “available to chat” is sufficient to infer a user’s sleep times, chat partners, and activities [Buchenscheit et al., 2014]. Mobile devices and laptop computers continuously send service announcements in order to enable interconnectivity and seamless interaction between devices, but may also leak a user’s presence and identity when devices are connected to open wireless networks [Könings et al., 2013].
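The presence-metadata inference reported by Buchenscheit et al. can be reproduced on a toy scale. The following Python script is an added example, not code from the book or from that study. It works on a constructed presence log (timestamp, user, online/offline) of the kind a messaging app exposes to every contact, pairs the events into sessions, takes each user’s longest inactivity gap as their sleep period, and scores user pairs by how much more their online time overlaps than independence would predict. The user names, timestamps, and the 3-minute co-start tolerance are all assumptions made for illustration.

```python
"""Inferring sleep times and chat partners from chat-app presence metadata.

Added example (not from the book): the only input is the kind of
"online"/"last seen" indicator a messaging app shows to every contact.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample log, not real data. Each line: ISO timestamp, user, state.
PRESENCE_LOG = """\
2014-03-03T22:40 alice online
2014-03-03T22:42 bob online
2014-03-03T23:05 alice offline
2014-03-03T23:06 bob offline
2014-03-04T02:10 carol online
2014-03-04T02:30 carol offline
2014-03-04T06:55 alice online
2014-03-04T07:10 alice offline
2014-03-04T08:00 bob online
2014-03-04T08:15 bob offline
2014-03-04T11:00 carol online
2014-03-04T11:20 carol offline
2014-03-04T12:00 alice online
2014-03-04T12:02 bob online
2014-03-04T12:18 bob offline
2014-03-04T12:20 alice offline
2014-03-04T14:00 carol online
2014-03-04T14:10 carol offline
2014-03-04T15:30 alice online
2014-03-04T15:40 alice offline
2014-03-04T17:00 carol online
2014-03-04T17:30 carol offline
2014-03-04T18:00 bob online
2014-03-04T18:30 bob offline
2014-03-04T19:00 alice online
2014-03-04T19:20 alice offline
2014-03-04T21:00 carol online
2014-03-04T21:15 carol offline
2014-03-04T23:30 alice online
2014-03-04T23:45 alice offline
2014-03-04T23:50 carol online
2014-03-05T00:10 carol offline
"""


def parse_sessions(text):
    """Pair each user's online/offline events into (start, end) sessions."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, state = line.split()
        events[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M"), state))
    sessions = {}
    for user, evs in events.items():
        evs.sort()
        spans, open_at = [], None
        for t, state in evs:
            if state == "online" and open_at is None:
                open_at = t
            elif state == "offline" and open_at is not None:
                spans.append((open_at, t))
                open_at = None
            # an unpaired event (e.g. a missed "offline") is simply dropped
        sessions[user] = spans
    return sessions


def longest_gap(spans):
    """Longest inactivity gap between consecutive sessions.

    For a contact observed around the clock this is their sleep period.
    Returns (gap_start, gap_end, hours), or None with fewer than two sessions.
    """
    best = None
    for (_, prev_end), (next_start, _) in zip(spans, spans[1:]):
        if best is None or next_start - prev_end > best[1] - best[0]:
            best = (prev_end, next_start)
    if best is None:
        return None
    return best[0], best[1], (best[1] - best[0]).total_seconds() / 3600


def minutes(spans):
    """Total online minutes in a list of sessions."""
    return sum((e - s).total_seconds() / 60 for s, e in spans)


def overlap_minutes(a, b):
    """Minutes during which both users were online at the same time."""
    total = 0.0
    for s1, e1 in a:
        for s2, e2 in b:
            o = min(e1, e2) - max(s1, s2)
            if o > timedelta(0):
                total += o.total_seconds() / 60
    return total


def co_starts(a, b, tolerance=timedelta(minutes=3)):
    """Session pairs that began within `tolerance` of each other (a chat starting)."""
    return sum(1 for s1, _ in a for s2, _ in b if abs(s1 - s2) <= tolerance)


def infer(text):
    """Return (sleep periods per user, partner statistics per user pair)."""
    sessions = parse_sessions(text)
    all_spans = [sp for spans in sessions.values() for sp in spans]
    window = (max(e for _, e in all_spans) - min(s for s, _ in all_spans)).total_seconds() / 60
    sleep = {u: longest_gap(sp) for u, sp in sessions.items()}
    partners = {}
    for u, v in combinations(sorted(sessions), 2):
        shared = overlap_minutes(sessions[u], sessions[v])
        # overlap expected if the two users' online times were independent
        expected = minutes(sessions[u]) * minutes(sessions[v]) / window
        partners[(u, v)] = {
            "overlap_min": shared,
            "co_starts": co_starts(sessions[u], sessions[v]),
            "lift": shared / expected if expected else 0.0,
        }
    return sleep, partners


if __name__ == "__main__":
    sleep, partners = infer(PRESENCE_LOG)
    for user, (start, end, hours) in sleep.items():
        print(f"{user}: offline {start:%H:%M} -> {end:%H:%M} ({hours:.1f} h), likely asleep")
    for pair, stats in sorted(partners.items(), key=lambda kv: -kv[1]["lift"]):
        print(pair, stats)
```

Two caveats a practitioner should keep in mind are visible in the data: a sparse log makes a long daytime gap look like sleep, so several days of observation are needed before the inference is trustworthy, and raw overlap alone rewards people who are simply online a lot, which is why the score is normalized against the overlap expected under independence. The point of the exercise is that none of the inputs are message contents; the status indicator alone is enough.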

4.4  SUMMARY

Three fundamental trends in mobile and pervasive computing have a significant impact on our privacy: the digitization of our everyday life; the continuous data capture with the help of sensors; and the construction of detailed profiles. While none of these trends are new, mobile and pervasive computing exacerbate these issues greatly. As a consequence, an ever-increasing amount of information is captured about us, often well beyond what is directly needed. The ability to use advanced sensing to collect and record minute details about our lives forms the basis for detailed personal profiles, which, with the help of data mining techniques and machine learning, provide seemingly deep insights into one’s personality and psyche. At the same time, this information allows for unprecedented levels of personalized systems and services, allowing us to manage an ever-increasing amount of information at an ever-increasing pace. Left unchecked, however, these powerful services may make us vulnerable to theft, blackmail, coercion, and social injustice. This requires us to carefully balance the amount of “smartness” in a system with usable and useful control tools that fit into our social and legal realities.

1“Media break” is a term from (German) business informatics that describes a missing link in the information flow of a business.

2For example, Apple Continuity (https://www.apple.com/macos/continuity/) enables activity transitions among different Apple devices.

3For instance, NetVends (http://www.netvends.com) offers such remote vending solutions.

4See, for example, products by EnOcean, https://www.enocean.com/.

5An example of implicit or implied consent is an “opt-out” system that pre-ticks an “I consent” box but allows users to deselect it. Explicit or informed consent would require users to actively opt in, i.e., manually tick said “I consent” dialog box.

6It now requires an “unambiguous” indication by “a statement or by a clear affirmative action”—the previous Privacy Directive 95/46/EC only required “informed” consent.

7The Article 29 Working Party was a European data protection advisory body consisting of representatives from the data protection authorities of each EU member state and the European data protection supervisor. With the GDPR, the Article 29 Working Party has been reconstituted as the European Data Protection Board.

8In the U.S., the social security number is a de-facto universal identifier that is used as an authentication token in many situations. Knowing a person’s name and social security number is usually enough to impersonate that person in a range of situations (e.g., opening accounts, obtaining a credit card, etc.) [Berghel, 2000].
