World-Driven Access Control for Continuous Sensing

Franziska Roesner (University of Washington), David Molnar (Microsoft Research), Alexander Moshchuk (Microsoft Research), Tadayoshi Kohno (Microsoft Research and University of Washington), Helen J. Wang (Microsoft Research)

ABSTRACT

Modern applications increasingly rely on continuous monitoring of video, audio, or other sensor data to provide their functionality, particularly in platforms such as the Microsoft Kinect and Google Glass. Continuous sensing by untrusted applications poses significant privacy challenges for both device users and bystanders. Even honest users will struggle to manage application permissions using existing approaches. We propose a general, extensible framework for controlling access to sensor data on multi-application continuous sensing platforms. Our approach, world-driven access control, allows real-world objects to explicitly specify access policies. This approach relieves the user's permission management burden while mediating access at the granularity of objects rather than full sensor streams. A trusted policy module on the platform senses policies in the world and modifies applications' "views" accordingly. For example, world-driven access control allows the system to automatically stop recording in bathrooms or remove bystanders from video frames, without the user being prompted to specify or activate such policies.

To convey and authenticate policies, we introduce passports, a new kind of certificate that includes both a policy and optionally the code for recognizing a real-world object. We implement a prototype system and use it to study the feasibility of world-driven access control in practice. Our evaluation suggests that world-driven access control can effectively reduce the user's permission management burden in emerging continuous sensing systems. Our investigation also surfaces key challenges for future access control mechanisms for continuous sensing applications.

Categories and Subject Descriptors

D.4.6 [Operating Systems]: Security and Protection - Access controls; H.5.1 [Information Interfaces and Presentation]: Multimedia Information Systems

Keywords

Access control; permissions; continuous sensing; wearable; augmented reality

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. CCS'14, November 3–7, 2014, Scottsdale, Arizona, USA. Copyright is held by the owner/author(s). Publication rights licensed to ACM. ACM 978-1-4503-2957-6/14/11 ...$15.00. http://dx.doi.org/10.1145/2660267.2660319.

Figure 1: Sensor Privacy Concerns. Camera restrictions are common in sensitive locations like locker rooms, where both device users' and bystanders' privacy are at risk from untrusted applications. Continuous sensing platforms like Google Glass will make it harder for honest users to mitigate such risks by managing applications' permissions. World-driven access control allows real-world objects to push policies to devices.

1. INTRODUCTION

Continuous sensing is an emerging technology that enables new classes of applications. New platforms, such as Microsoft Kinect [37], Google Glass [14], and Meta SpaceGlasses [26], fundamentally rely on continuous video and depth cameras to support natural user input via gestures and continuous audio sensing for voice commands. Applications on these platforms leverage these capabilities to deliver new functionality to users. For example, WordLens [34] is a Google Glass and iPhone application that uses the camera to continuously scan for words in the real world. It then shows translations of these words overlaid on the user's vision.

These new capabilities raise serious privacy concerns. Consider a user who enters a locker room while wearing a Google Glass. We identify four classes of privacy concerns in this scenario. First, Word Lens or other untrusted applications running on the Glass may see sensitive video data, both about the user and about bystanders. Second, the user may accidentally record bystanders by forgetting to turn off the camera while entering the locker room. Third, the user may record herself in a locker room mirror and accidentally share the recording on social media. Finally, malicious users could use the Glass to record others without their knowledge.

The first three classes of privacy concerns involve honest users who want to protect against untrusted applications and user error. While protecting against malicious users is also important, current approaches for addressing these privacy concerns do not work well even for honest users. In this paper we thus assume that users are honest, but that they may run untrusted applications. Our threat model is similar to the smartphone model, where users are trusted but applications are not.

Sensitive locations like locker rooms and bars commonly handle these concerns today by posting explicit policies that prohibit recording or the presence of recording devices (including Google Glass [15]), as in Figure 1. This approach, however, is hard to enforce and does little to protect a user from untrusted applications or user error. Users must notice the sign, then remember to turn off their device.

A new access control challenge. A natural way to address these privacy concerns is with application permissions in the operating system. However, continuous sensing and natural user input pose new challenges to access control design. Today, platforms like Android, iOS, and Windows 8 deny untrusted applications default access to sensitive resources like the camera and GPS. To determine which permissions to grant, these OSes put the user in the loop: with manifests at application installation time (Android, Windows 8) or prompts at the time of sensitive data access (iOS). Previous work [12, 35], however, has shown that these permission models are flawed. Manifests are out of context with applications' use of sensitive data, making it hard for users to understand what permissions applications need and why. Prompts are disruptive and cause "prompt fatigue," conditioning users to simply click yes.

User-driven access control [35] addresses these flaws by coupling permission granting with user actions within an application (e.g., clicking a special embedded camera button). Unfortunately, this approach is not well-suited for continuous sensing because it relies on explicit user interactions with the device. By contrast, continuous sensing applications are, almost by definition, designed to automatically "do things for you" without any such explicit actions. Further, for applications with natural user input, like gesture or voice, the input method itself relies on the camera or microphone being always accessible. In these settings, permission granting models that allow or deny access to entire sensor streams are too coarse-grained.

or activate policies, but can instead rely on their device to automatically detect and enforce policies broadcast by real-world objects. For example, a world-driven access control enabled version of Google Glass would enable a locker room to broadcast a policy stating "no recording" via Bluetooth or other means. The Glass would detect this policy, then automatically stop recording based on the locker room's policy. Our design thus protects the user from untrusted applications while relieving the user of explicit permission management. While users can override policies communicated by passports, applications cannot.

Passports are intended to help users avoid accidentally sharing or allowing applications to access sensitive data. For example, a workplace can publish a passport stating that whiteboards are sensitive, helping the user avoid recording (and later accidentally sharing on social media) photos of confidential information on the whiteboard. In the locker room, a "no-record" policy helps the user avoid accidentally allowing an untrusted application to access the video feed of herself undressing in the mirror.

Passports can also help users respect others' wishes without requiring onerous manual configuration. At the AdaCamp conference, for example, attendees wear red lanyards to opt out of photography [3]. A world-driven access control policy can tell the policy module to remove those attendees from video streams and photos before applications see them. The user does not need to manually check lanyards or remove the device entirely. Our approach allows dynamically changing application permissions based on context, such as being at a conference, without explicit user actions.

Making world-driven access control work requires overcoming multiple challenges. First, there are many different policy communication mechanisms, ranging from QR codes and Bluetooth to object recognition, each with different tradeoffs. Second, recognizing passports and computing policy decisions induces latency for applications. Third, policy decisions may have false positives and false negatives. Finally, our approach creates a new problem of policy authenticity as adversaries may attempt to move, modify, or
