Framework for Security and Privacy in Automotive Telematics

Sastry Duri, Marco Gruteser, Xuan Liu, Paul Moskowitz, Ronald Perez, Moninder Singh, Jung-Mu Tang
IBM Thomas J. Watson Research Center
19 Skyline Drive
Hawthorne, New York 10532

ABSTRACT

Automotive telematics may be defined as the information-intensive applications that are being enabled for vehicles by a combination of telecommunications and computing technology. Telematics by its nature requires the capture of sensor data and the storage and exchange of that data to obtain remote services. In order for automotive telematics to grow to its full potential, telematics data must be protected. Data protection must include privacy and security for end users, service providers and application providers. In this paper, we propose a new framework for data protection that is built on the foundation of privacy and security technologies. The privacy technology enables users and service providers to define flexible data models and policy models. The security technology provides traditional capabilities such as encryption, authentication and non-repudiation. In addition, it provides secure environments for protected execution, which are essential to limiting data access to specific purposes.

Categories and Subject Descriptors
D.4.6 [Operating Systems]: Security and Protection – Access controls, Information flow controls

General Terms
Security.

Keywords
Automotive Telematics, Privacy, Privacy Policies, Security

1. INTRODUCTION

Automotive telematics may be defined as the information-intensive applications that are being enabled for vehicles by a combination of telecommunications and computing technology. The automobile is, in effect, a computing platform to which mobile commerce services may be delivered. The services being delivered today on a regular basis and projected for the near future include navigation information, emergency roadside assistance, location-based services, delivery of digital information such as e-mail, entertainment, diagnostics and prognostics, and pay-for-use rental and insurance. These applications are enabled by the collection and use of data which may include information on the location of a vehicle as a function of time, emergency situations including accidents and personal health emergencies, diagnostic data on the many systems within the vehicle, services and entertainment that are selected by the vehicle occupants, the demographics of the driver and passengers, and the behavior of the vehicle driver.

We can compare the growing automotive e-commerce telematics industry with that of the Web. The growth of e-commerce on the World Wide Web has been limited by the reluctance of consumers to release personal information. In "Building Consumer Trust in Online Environments" [1] the authors find that "Fully 94 percent of Web users have declined to provide personal information to Web sites at one time or another when asked and 40 percent who have provided demographic data have gone to the trouble of fabricating it". If potential automotive telematics users share the concerns of Web users, then a large segment of the potential telematics market, perhaps as much as fifty percent, may be lost.

There is a significant potential for the misuse of collected data. End users or consumers may substitute false data or hack into in-vehicle applications. Telematics service providers and application providers may sell consumers' data to third parties without the permission of the consumers. Although there are no current US regulations in place to "safeguard" the information collected, certain existing European regulations, and pending US and European statutes, may soon impose strict controls on the collection, use, and storage of information about individuals. In general, telematics applications will be successful if providers know that the data that they receive is accurate and if end users know that their privacy is assured. Thus, data must be protected.
Users must be assured that their privacy is respected and that security is in place to protect data from being divulged to unauthorized entities. Data protection consists of providing both privacy and security protection. Our goal is to achieve that protection while enabling the sharing of data.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. WMC'02, September 28, 2002, Atlanta, Georgia. Copyright 2002 ACM 1-58113-000-0/00/0000…$5.00.

Privacy protection today, at a fundamental level, requires a user to trust service providers to handle personal data according to stated terms. There is a certain degree of goodwill at stake that discourages a service provider from using the data in an inappropriate manner. However, there are no safeguards in place to prevent inappropriate use of data, and no protection from insider abuse.

Likewise, there are no protections to assure a vehicle user that the applications running in the vehicle are secure. Kingpin and Mudge [2][3] analyze the susceptibility of portable devices, primarily PDAs, to attack by malicious code. They make the point that you cannot have a secure application without a secure foundation. As with PDAs, it is key to the future of automotive telematics that end users, telematics service providers and application service providers be assured of the security of their systems from end to end. Security is a broad term encompassing many concepts and elements, including confidentiality/secrecy (including privacy), integrity, and availability [15]. Security and privacy threats to systems similar to those used and being proposed for automotive telematics infrastructures have been studied for quite some time (e.g., see [16,23]). Here, our security focus will be on assuring the privacy and integrity of telematics information – user data, vehicle data, time and location information, and even executable software – that is generated or stored in, or transmitted to/from, the in-vehicle client platform during its lifecycle.

In the following sections of this paper we provide a description of an automotive telematics application and a scenario, the challenges posed by automotive telematics data, and an overview of the privacy technology used in the proposed framework. We then detail the proposed data protection framework, and conclude the paper with a summary of our work.

Figure 1 Automotive Telematics System Overview

2. AUTOMOTIVE TELEMATICS APPLICATION

Figure 1 shows an overview of a typical automotive telematics application. The cars shown in the picture are equipped with a communication device, a variety of sensors, and a car computer that has a display and sufficient memory, storage, and processing power to run complex embedded applications and middleware. The car computer interfaces to the car bus and to other car sensors, for example a Global Positioning System (GPS) sensor, and collects car engine performance data, safety information, and car location.

Car users subscribe to a telematics service provider (TSP) to get a variety of services from application service providers (ASPs), which include Pay-for-Use Insurance, Information, and Car Care and Emergency Assistance as shown in Figure 1. In order to get services from an ASP, a car user needs to send some or all of the information collected by the car computer to the ASP. In the setup shown above, each car transmits data as necessary to the telematics service provider, which then provides data to different ASPs as needed. In this case, the telematics service provider acts as a service aggregator and a data broker. In addition to the data transmitted by cars, the TSP stores user preferences and user subscriptions to services.
As shown in Figure 1, different ASPs need different user data and use it for different purposes. The Pay-for-Use Insurance ASP needs user identification data, GPS data and miles driven to compute premiums and perform risk analysis. The Information ASP needs user location and user preferences to send back information on local attractions; the data identifying the user need not be sent to this service provider. The Car Care and Emergency Assistance ASP needs car engine performance and safety information on a regular basis, and car location in case of emergency.

2.1 Pay for Use Insurance Scenario

The following scenario, taken from the point of view of a user, illustrates how a customer may choose among a set of privacy policies and how data may be aggregated by a telematics service provider and used to calculate the customer's bill.

2.1.1 Enrollment

Jane is a working professional who uses her automobile only to commute a short twenty miles to work and for local shopping. She uses a rental car for company business trips. Thus, she is interested in the new pay-for-use (PFU) program that is offered by her insurance company, Giant Inc. The description of the program that she received in the mail indicates that she can enroll by calling an 800 number or by using the company's web site. Jane chooses the web site.

Jane enters the URL of the site on her laptop at home and quickly sees the page for the Giant PFU program. The page explains that PFU subscribers will be charged only when they use their car. Rates will be based upon miles driven and whether the driving is done in an urban area or a suburban area such as the one in which Jane lives. The page also explains that there are several privacy policies available.

Policy 1 – This policy provides the greatest degree of personal protection. Only Jane's cumulative data, not detailed location data, will be available to the insurance company without Jane's explicit consent.

Policy 2 – This policy allows Giant full access to Jane's driving data after all personal identification information has been stripped from the data. Only summary reports of total cumulative mileage are sent to Giant with Jane's ID attached. It also allows Giant to sell anonymous data to third parties. This policy is offered at a five percent discount with respect to policy 1.

Policy 3 – This policy offers the protection of the Location Privacy Protection Act with respect to the disclosure of Jane's data to third parties. However, it allows Giant full access to Jane's driving and personal information to enable Giant to provide Jane with special offers. This policy is offered at a ten percent discount with respect to policy 1.

Policy 4 – This policy allows Giant and third parties full access to Jane's driving data and personal information. This policy is offered at a fifteen percent discount with respect to policy 1.

Jane chooses Policy 2. She does not mind having her anonymous driving data used by Giant and third parties. The enrollment web page asks Jane to enter her insurance ID number to confirm her choice. Jane installs the necessary software in her car and is ready to go.

2.1.2 Driving-Data Aggregation

That evening when Jane starts her car, she is pleased to see a message appear on the navigation screen: "PFU system now running - press #1 for charges incurred this month". Jane presses #1, only to see the message "Cumulative Charges for January 2003 - $0.00". Of course, she has yet to drive any distance. She tries #1 again after returning home. This time the screen reads "Cumulative Charges for January 2003 - $1.00". Jane does a quick calculation: at 5 cents per mile, her yearly insurance bill for the 15,000 miles that she normally drives will be only $750. This represents a savings of more than $250 per year over her previous insurance rates.

As Jane drives, her data is accumulated at the CarAid center in a trusted computing system that is not directly controlled by Giant. CarAid is a telematics service provider that delivers a variety of services to Jane's vehicle: emergency assistance, navigation, and concierge services. Monthly reports on total mileage for the urban and suburban areas where Jane has driven are sent by CarAid to the Giant billing computer. Specific location information is divulged to Giant and third parties only with personal information deleted, in conformance with policy 2. The Giant billing computer calculates charges based upon cumulative mileage and sends bills to Jane. Jane is pleased to see that the charges in the bills correspond to the charges that she has been informed of by her in-car device.

3. PRIVACY

In a general sense, privacy may be defined as the ability of individuals to decide when, what, and how information about them is disclosed to others. Privacy principles [27][28] demand that systems minimize personal data collection, for example through anonymization [28]. Before personal data can be collected, consent from the data subject needs to be obtained by notifying them about the nature and purpose of the data collection and offering policy choices. Furthermore, the principles also require the application of privacy preferences, either through technology, business practices, laws, or some combination thereof, in the use and further dissemination of the disclosed information.
Several approaches to handling privacy preferences during personal information exchanges have been proposed in the past (the interested reader is referred to Bohrer et al. [4][5] for a more detailed discussion of these methods). Some of these techniques, such as e-Wallet and DataVault products and services, provide individuals with the ability to store, and sometimes share, personal information, along with tools to enable them to drag and drop their stored data onto Web forms as needed. Examples of such products include Microsoft's Explorer and Passport service, Novell's digitalMe, Lumeria's SuperProfile and ZeroKnowledge's Freedom [6][7][8]. Microsoft's .NET My Services offering [9] is an extension to its Passport service that provides individuals a repository to store their personal data, and allows them to grant permission to third party services and applications to access that data. Other approaches, such as the AT&T Privacy Minder [10], provide Web-privacy enforcing agents that enable individuals to formally express their privacy preferences in P3P (Platform for Privacy Preferences) [11], and automatically match them to the privacy policy of any Web site visited by the individual. Standards have also been developed that promote the exchange of data through non-Web messaging systems. The Customer Profile Exchange Specification, or CPExchange [12], is a standard that defines how a P3P policy can be associated with personal data in an XML message. This provides a general way for an enterprise to include the privacy policy when exchanging personal data.

The IBM Privacy Services (IPS) system [4][5] provides a set of core components, based on IBM's Enterprise Privacy Architecture (EPA) [13][14], to provide individuals with greater flexibility in specifying their own privacy preferences as well as greater control over the distribution of their data. Of all the privacy-related products and services in the market, IPS is best suited for handling privacy concerns for automotive telematics applications. First, an individual can specify relatively complex privacy policies over data that is captured and stored by a smart client within an automobile, as well as over data that is released to one or more external parties, such as service providers. Second, IPS provides the means for automatic and manual authorization for release of this data by matching the individual's privacy policies with those of data requesters, automatic response to such requests for information, logging of requests, as well as interaction with the individual to obtain manual authorization, if required.
4. CHALLENGES

There are security and privacy issues which are unique to automotive telematics. Automobiles are sensor-rich environments; thus, in addition to static data such as vehicle identification information, a significant amount of the data generated in the vehicle is dynamic. There are a large and growing number of electronic control units (ECUs) which constantly monitor and adjust vehicle parameters, and the data generated by an ECU is available to external monitoring by way of the car bus. Examples of dynamic data may include parameters for emission controls, engine operation, application, and the speed of the vehicle. This information may be linked to position data obtained from GPS sensors and to personal information to provide a detailed picture of the operation of the vehicle and the actions of the vehicle driver. Such use of information can be desirable. For instance, General Motors' OnStar® uses the deployment of an automobile's airbag to alert a call center that emergency assistance may be needed, and uses the GPS data from that vehicle to tell the call center where to send emergency assistance. On the other hand, the GPS data obtained from a vehicle may be used inappropriately to track individuals as they go about their daily business.

Dynamically generating data within an automobile creates unique challenges. The sheer amount of the data generated makes it difficult, if not impossible, to store it within the automobile itself. Thus, decisions about what to store, and where, become very important. This issue is amplified by the privacy concerns that data storage raises. More importantly, in cases where certain pieces of data are not stored within the automobile (or by a trusted third party on behalf of the individual), the retention aspect of the individual's privacy policies becomes important. Once the data is destroyed, there is no way to recover it later.

Moreover, unlike static data, which has to be collected only once by any interested party, dynamic data has to be collected repeatedly by a service provider to keep it up to date. Thus, there has to be a continuous transfer of dynamic data from many vehicles through the telematics service provider to application service providers. This requires an efficient and scalable evaluation of the constraints in the privacy policies.

Furthermore, telematics location data is very precise. For example, location information for vehicles can be collected from a GPS receiver with 3 m accuracy [29], compared to the 125 m accuracy required for E-911 mobile phone services [25]. Such accuracy challenges privacy-enhancing techniques like anonymization and pseudonym switching [24]. If identifiers are removed from vehicle GPS data, an attacker could still identify vehicles based on their overnight parking location (at least in suburban areas). If a car switches its pseudonym, an attacker can correlate the new and old pseudonyms based on the car's location at the time of the switch. However, not all applications require such accuracy, which motivates flexible data aggregation mechanisms. Aggregation protects a vehicle only to the extent that other vehicles share the aggregated value: a coarsened location in a sparsely populated area may still single out one home.
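The two attacks in this paragraph, and what coarsening the fixes buys against them, can be made concrete. The following is an added example written for this page, not code from the paper. The residents list (the auxiliary data an attacker would hold), the anonymised trace and the flat-plane coordinates in metres are all constructed; the 500 m grid is an assumed aggregation level, not one the paper specifies.

```python
"""Re-identification of anonymised vehicle traces, and the effect of coarsening.

Added example; not code from the paper.  Positions are constructed metres on a
local flat plane (no geodesy).  HOMES stands in for auxiliary data such as an
address list; TRACE is an anonymised, per-trip-pseudonymised set of fixes.
"""
import math
from collections import defaultdict

GPS_ERROR_M = 3.0                 # receiver accuracy the paper cites [29]
MATCH_RADIUS_M = 2 * GPS_ERROR_M  # generous matching window for a 3 m receiver

# Constructed: kerb-side parking position of each resident's home.
HOMES = {
    "Jane": (100.0, 200.0),
    "Raj":  (108.0, 200.0),      # next door, 8 m away
    "Mei":  (100.0, 230.0),
    "Olu":  (1600.0, 900.0),     # a sparsely populated area
}

# Constructed anonymised trace: (pseudonym, hour_of_day, x_m, y_m).
TRACE = [
    ("p17", 2.0, 101.2, 199.1), ("p17", 3.0, 100.4, 200.8), ("p17", 4.0, 99.6, 200.3),
    ("p17", 8.0, 5200.0, 7100.0),        # trip ends, pseudonym p17 is retired
    ("p63", 8.25, 5203.0, 7101.5),       # new pseudonym, 15 min later, 3 m away
    ("p63", 17.5, 4100.0, 3900.0),
    ("p42", 1.0, 1601.0, 899.2), ("p42", 3.0, 1599.3, 900.9), ("p42", 9.0, 300.0, 400.0),
]


def _median_point(points):
    xs = sorted(p[0] for p in points)
    ys = sorted(p[1] for p in points)
    return xs[len(xs) // 2], ys[len(ys) // 2]


def overnight_anchor(trace, night=(1.0, 6.0)):
    """Median of each pseudonym's overnight fixes: where the car sleeps."""
    fixes = defaultdict(list)
    for pseud, hour, x, y in trace:
        if night[0] <= hour < night[1]:
            fixes[pseud].append((x, y))
    return {pseud: _median_point(pts) for pseud, pts in fixes.items()}


def reidentify(trace, homes, radius=MATCH_RADIUS_M):
    """Residents whose home lies within `radius` of each pseudonym's anchor."""
    return {pseud: sorted(n for n, h in homes.items() if math.dist(anchor, h) <= radius)
            for pseud, anchor in overnight_anchor(trace).items()}


def snap(v, cell_m):
    """Centre of the grid cell containing coordinate v."""
    return (math.floor(v / cell_m) + 0.5) * cell_m


def coarsen(trace, cell_m):
    """Spatial aggregation: replace each fix by its grid-cell centre."""
    return [(p, h, snap(x, cell_m), snap(y, cell_m)) for p, h, x, y in trace]


def reidentify_coarse(trace, homes, cell_m):
    """Same attack on the coarsened trace: every home in the anchor's cell is a candidate."""
    cell = lambda pt: (snap(pt[0], cell_m), snap(pt[1], cell_m))
    return {pseud: sorted(n for n, h in homes.items() if cell(h) == anchor)
            for pseud, anchor in overnight_anchor(coarsen(trace, cell_m)).items()}


def link_pseudonyms(trace, max_gap_h=1.0, max_dist_m=MATCH_RADIUS_M):
    """Correlate a retired pseudonym with the one that next appears nearby."""
    by_pseud = defaultdict(list)
    for p, h, x, y in sorted(trace, key=lambda r: r[1]):
        by_pseud[p].append((h, x, y))
    links = []
    for old, old_fixes in by_pseud.items():
        h_end, x_end, y_end = old_fixes[-1]
        for new, new_fixes in by_pseud.items():
            h_start, x_start, y_start = new_fixes[0]
            if (new != old and 0 < h_start - h_end <= max_gap_h
                    and math.dist((x_end, y_end), (x_start, y_start)) <= max_dist_m):
                links.append((old, new))
    return sorted(links)


if __name__ == "__main__":
    print("precise :", reidentify(TRACE, HOMES))
    print("500 m   :", reidentify_coarse(TRACE, HOMES, 500.0))
    print("links   :", link_pseudonyms(TRACE))
```

At receiver precision p17 resolves to Jane alone; once fixes are snapped to 500 m cells it resolves to three neighbours, but p42, parked in a sparse area, stays unique after the same coarsening. Aggregation therefore has to be chosen per application and per area rather than as one global setting. p63 is linked back to p17 because it first appears fifteen minutes after, and three metres from, p17's last fix, which is the pseudonym-switch correlation the paragraph describes.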
In-vehicle applications, providing services to the vehicle occupant(s) on behalf of the telematics service providers, may need access to data from particular vehicle sensors (e.g., GPS coordinates) and/or actuators (e.g., the navigation display unit). However, direct access by applications to sensors and actuators is undesirable, for safety and liability reasons as well as for security and privacy reasons. Therefore, the challenge for the data protection framework will be to provide authenticated access to sensors and actuators in a manner that can be agreed to in advance, such that each access can easily be verified and logged.

Finally, one of the most important and difficult challenges facing security and privacy in automotive telematics is trust. Trust must be established by both the users and the service providers that the end-to-end system is doing the "right thing" at all times. This means establishing trust in the hardware and software that make up the in-vehicle client and service provider platforms themselves. It also means providing user access to all logs and repositories concerning user data. Trust can be achieved in part by avoiding "security through obscurity", by developing an architecture based on open standards and accepted practices where they exist, by insisting on openness where new innovations are necessary, and by subjecting the architecture and its components to appropriate review and security evaluations.

5. DATA PROTECTION FRAMEWORK

5.1 Approach

The primary goal of the Data Protection Framework (DPF) is to enable building telematics computing platforms that can be trusted by both users and service providers. For example, users need to trust them to protect the privacy of their personal information, and service providers need to trust them to protect the integrity of the data. The framework employs three key concepts to build this trust. First, it uses a defense-in-depth approach to build a secure platform from the ground up. Second, the framework enables data aggregation close to the source, on the computing system trusted by the user. Third, the framework uses user-defined privacy policies for obtaining user consent before data collection and usage.

5.2 Data Protection Platform Framework

Figure 2 shows the generic data protection platform architecture. This architecture can be instantiated in the vehicle, in the telematics service provider and in application service provider settings by choosing appropriate implementations of the two bottom layers. In a car environment, we expect a real-time operating system such as QNX, whereas the TSP and ASP will use server operating systems such as Linux. For the application server, in-car environments typically use OSGi-based [30] platforms, while service provider platforms use a typical Web application server. The Platform Protection Manager, which is a part of the OS, monitors the integrity of all system software including the Data Protection Manager and provides security functions such as verifying signatures on applications. The Communications layer handles encrypted, authenticated, and monitored network connections; for example, it supports protocols like SSL or IPSec. The DBMS layer provides basic storage capabilities for the Data Protection Manager.

Figure 2 Generic Data Protection Platform Architecture
Applications follow the blackboard architectural style shown in Figure 3 for communicating with data sources, with other applications, and with the external world. The Data Protection Manager provides an interface for information producers, such as sensors or aggregation applications, to publish data on the blackboard. Information consumers access this data through periodic queries or through a subscription/notification mechanism. We also extend the blackboard paradigm across the network. That is, applications at the TSP or ASP can submit queries to, or receive notifications from, the in-car blackboard mechanism.

Figure 3 Example Blackboard Interactions

The example illustrates how applications are composed in this framework. The GPS sensor periodically publishes location data items in the Data Protection Manager. The Classified Mileage Calculator subscribes to the GPS data and computes, with the help of a road map, the total mileage driven on different types of roads. The results are again published in the Data Protection Manager. A Risk Analysis application running on the insurance server remotely subscribes to the aggregated and classified mileage data.

Blackboard-based architectures provide a simple paradigm for composing sensor-based applications. They are a common choice for building ubiquitous computing smart spaces, which depend on aggregated and interpreted sensor data. However, blackboards exhibit another key advantage for our privacy protection framework: every data access passes through the central Data Protection Manager. This simplifies verifying that data accesses comply with the privacy policies.

5.2.1 Defense in Depth

To build a computing system that is trustworthy for both the data subject (driver) and the application service providers, we take a bottom-up approach. Each layer of hardware and software provides its own security functions. This approach is often called defense-in-depth.

Ideally, physically and logically secure systems would be used for the in-vehicle clients as well as for service and solution providers' servers, i.e., systems that would resist most physical and logical attacks (e.g., physical penetration, voltage or temperature attacks, power analysis, monitoring of electromagnetic emissions), and would sense and respond to all others before a system compromise (e.g., by rendering sensitive data inaccessible). However, such systems do not currently exist commercially. What does exist are secure coprocessors: physically and logically secure subsystems that operate in conjunction with a local host system, employ cryptographic acceleration hardware, and provide a secure execution environment for the programs that are supposed to be run. Such secure coprocessors exist today, as exemplified by the IBM 4758 PCI Cryptographic Coprocessor [17], a product used extensively in servers for applications requiring the highest levels of assurance (e.g., banking and financial applications, electronic commerce systems). Furthermore, the near-term future promises similar devices for mobile and client platforms, at prices commensurate with such client devices, and offering performance capabilities surpassing the current generation of server-oriented secure coprocessors [18]. Pervasive low-end secure coprocessors (e.g., smart cards, secure tokens), used for key storage and user authentication, are also currently available and may provide limited security assurances in lieu of more comprehensive and capable devices.

Both client and server platforms should allow for secure configuration, update, and execution (booting) of system and application software. Typically, this functionality must exist primarily in the firmware/software that is initially executed upon power-on (e.g., BIOS or system boot firmware). This power-on software layer is often in read-only memory; it should have minimal complexity and size, and should be able to cryptographically authenticate/verify a minimal set of commands and data that enable the configuration and update of the subsequent software layer (e.g., the system software or operating system layer). Once the platform system software has been securely configured/updated, the power-on software layer is responsible for authenticating the system software before each execution/instantiation. This is often called secure boot [19].
The operating system, like the power-on software and physical platform before it, must also provide certain security features, such as access control, in order to support overall system and data protection. There is a great deal of ongoing work in the area of secure operating systems (e.g., see [20] and [21]). Elements of the application and application support layer may be highly integrated with the operating system. Together, these layers may provide support for cryptographic programming libraries, secure communication protocols, encrypted file systems or databases, firewall and intrusion detection capabilities, and even virtual machine application authentication and execution. Further, because application isolation is important when applications potentially come from competing or otherwise mutually hostile parties, the application support layer itself may provide virtual environments/machines for the purpose of protecting these applications from interfering with each other or with the operating system.

As alluded to above, the same hardware and software layers, and their respective security features, described for the in-vehicle client platform are also required for the various telematics service provider servers. We are able to assure end-to-end and lifecycle protection of relevant data only when the same level of security is employed across the entire system.

5.2.2 Data Aggregation Close to Source

User trust can be further enhanced by minimizing the amount of private data that leaves the computing system trusted by the user. To this end, service providers who need access to private data deploy data aggregation applications inside that computing system. Only the aggregated results are sent back to the service provider. However, it is difficult to ensure that the aggregation applications do not misbehave, i.e., leak private data or carry out denial of service attacks.

We use the following mechanisms to monitor and control application behavior. First, the computing system verifies that each deployed application has proper credentials. Second, it places each application in a sandbox to protect itself and other applications. This sandbox allows us to define individual application access privileges for system resources such as files and sockets. It also prevents direct communication between different applications. In order to prevent any malicious transmission of private data, all application modules are denied network privileges. All local and network communication goes through the framework's Data Protection Manager, which checks privacy policies and generates an audit trail for later verification. The Data Protection Manager thereby becomes the one component that must be trusted not to leak data, which is why its integrity is monitored by the Platform Protection Manager described above.
5.2.3 User Privacy Policies

Privacy principles require notifying users and obtaining consent before data collection. User-defined policies specifying personal data handling preferences, and solution provider policies attesting to user data handling practices, will together form virtual contracts between users and solution providers. The framework will enable enforcement of these policies by classifying data and defining data handling rules according to the classifications and policies, and by assuring application/solution compliance with the rules. Enforcement of policies and compliance assurance will extend from the in-vehicle client to the solution or service provider back-end systems, and can be extended to third-party interactions within the domain of the framework.

Internally, the Privacy Enabled Resource Manager (PERM) component, shown in Figure 2, handles requests for private data. A typical request for data includes application credentials, the privacy policy concerning the data, and a description of the data items. The PERM first verifies the application credentials. Upon successful verification of the credentials, the PERM compares the application's privacy policy with the user's privacy policy to determine whether to grant access or not. For more details please refer to [4][5].
6. SUMMARY

In this paper, we have dealt with the protection of private data in the automotive telematics domain. As we have stated, our goal is to enable the controlled sharing of private data according to policies agreed to by the owner of the data. Further, we would like to assure service providers that the data is not tampered with at its point of origin or anywhere in the processing chain. We have outlined the various challenges to protecting automotive telematics data, and have presented a framework to address these challenges. Next, we intend to implement the proposed data protection framework within an end-to-end solution in order to enable real-world applications.

7. ACKNOWLEDGMENTS

The authors thank their colleagues: Charles Tressor for challenging us to explore issues of privacy and security for automotive telematics; George Salmi and Barbara Churchill for providing us with their automotive telematics domain expertise; and Paul B. Chou for his support and encouragement.

8. REFERENCES

[1] Hoffman, D.L., Novak, T.P., and Peralta, M.A. "Building Consumer Trust Online," Communications of the ACM, Volume 42(4), 80-85, April 1999.
[2] Kingpin and Mudge, "Analysis of Portable Devices and Their Weaknesses Against Malicious Code Threats", RSA Conference, San Francisco, CA, April 11, 2001.
[3] Kingpin and Mudge, "Security Analysis of the Palm Operating System and its Weaknesses Against Malicious Code Threats", Proceedings of the 10th USENIX Security Symposium, Washington, DC, August 13-17, 2001.
[4] Bohrer, K., Liu, X., Kesdogan, D., Schonberg, E., Singh, M. and Spraragen, S.L. "Personal Information Management and Distribution", Proceedings of the 4th International Conference on Electronic Commerce Research, Dallas, TX, November 8-11, 2001.
[5] Bohrer, K., Kesdogan, D., Liu, X., Podlaseck, M., Schonberg, E., Singh, M. and Spraragen, S.L. "How to Go Shopping On the World Wide Web Without Having Your Privacy Violated", Proceedings of the 4th International Conference on Electronic Commerce Research, Dallas, TX, November 8-11, 2001.
[6] Novell Inc., "digitalMe: Making life easier on the net," http://www.digitalme.com
[7] Lumeria, "An Informediary Approach to Privacy Problem," http://www.lumeria.com/whitepaper.shtml
[8] Zero-Knowledge-Systems, Inc. "The Freedom Network Architecture," http://www.freedom.net/
[9] Microsoft Inc., "A platform for user-centric application," http://www.microsoft.com/myservices/
[10] AT&T, "Privacy Minder," http://www.research.att.com/projects/p3p/pm
[11] "The Platform for Privacy Preferences 1.0 (P3P1.0) Specification". April 2002. http://www.w3.org/TR/P3P
[12] CPExchange, "Global standards for privacy-enabled customer data exchange," http://www.cpexchange.org/standard/
[13] IBM, "Enterprise Privacy Architecture (EPA)," http://www.ibm.com/services/security/epa.html
[14] Karjoth, G., Schunter, M., and Waidner, M., "Platform for Enterprise Privacy Practices: Privacy-enabled Management of Customer Data", Proceedings of the 2nd Workshop on Privacy Enhancing Technologies, 2002.
[15] Russell, D., and Gangemi Sr., G.T. "Computer Security Basics", O'Reilly & Associates, Inc., 1991.
[16] Karger, P., Yair, F., "Security and Privacy Threats to ITS", The Second World Congress on Intelligent Transport Systems, pp. 2452-2458, November 1995.
[17] Smith, S.W., and Weingart, S.H. "Building a High-Performance, Programmable Secure Coprocessor", Computer Networks (Special Issue on Computer Network Security), 31:831-860, April 1999.
[18] Dyer, J., Perez, R., Sailer, R., Van Doorn, L., "Personal Firewalls and Intrusion Detection Systems", 2nd Australian Information Warfare and Security Conference 2001, November 2001.
[19] Arbaugh, W.A., Farber, D.J., and Smith, J.M. "A Secure and Reliable Bootstrap Architecture." 1997.
[20] Security-Enhanced Linux, http://www.nsa.gov/selinux
[21] Bastille Linux, http://www.bastille-linux.org
[22] Langheinrich, M., "Privacy by Design -- Principles of Privacy-Aware Ubiquitous Systems," ACM UbiComp, 2001.
[23] Agre, P., "Looking Down the Road: Transport Informatics and the New Landscape of Privacy Issues", CPSR Newsletter 13(3), 1995.
[24] Samfat, D., Molva, R., Asokan, N., "Untraceability in Mobile Networks", Mobicom, 1995.
[25] Reed, J., Krizman, K., Woerner, B., Rappaport, T., "An Overview of the Challenges and Progress in Meeting the E-911 Requirement for Location Service," IEEE Communications Magazine, 30-37, April 1998.
[26] Covington, M.J., Long, W., Srinivasan, S., Dey, A.K., Ahamad, M., and Abowd, G.D. "Securing context-aware applications using environment roles." In 6th ACM Symposium on Access Control Models and Technologies (SACMAT 2001), 2001.
[27] Simone Fischer-Hubner, editor. IT-Security and Privacy - Design and Use of Privacy-Enhancing Security Mechanisms. LNCS, Springer, 2001.
[28] Pfitzmann, A., and Koehntopp, M. "Anonymity, unobservability, and pseudonymity - a proposal for terminology." In Workshop on Design Issues in Anonymity and Unobservability, 2000.
[29] Blacksher, S., Foley, T. "Boulder HOPs Aboard GPS Tracking." In GPS World, January 01, 2002.
[30] Open Services Gateway Initiative, http://www.osgi.org/