{"id":260,"date":"2008-11-20T23:57:16","date_gmt":"2008-11-21T07:57:16","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=260"},"modified":"2008-11-24T16:57:49","modified_gmt":"2008-11-25T00:57:49","slug":"security-review-mobile-millennium","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2008\/11\/20\/security-review-mobile-millennium\/","title":{"rendered":"Security Review: Mobile Millennium"},"content":{"rendered":"<p><em>(originally written 11\/07\/2008)<\/em><\/p>\n<p>Early next week, the University of California, Berkeley, in a joint effort with Nokia Research Labs, intends to launch <a href=\"http:\/\/traffic.berkeley.edu\/\">Mobile Millennium<\/a>, a project that aims to capture traffic patterns accurately and in real time by harnessing cell phones as mobile sensors.\u00a0 Previous work has only considered static sensors explicitly placed at locations of interest (e.g. major congested roads); as such, that approach inherently suffers from blind spots in its analysis.\u00a0 On the other hand, the design of Mobile Millennium lends itself well to monitoring traffic patterns anywhere participating mobile phones receive signal.<\/p>\n<p>In Mobile Millennium, users will be able to voluntarily download a free Java program onto their mobile devices, which monitors their location, speed and direction of movement.\u00a0 This information will be collected into a large database and analyzed collectively to determine the presence of traffic jams and stranded vehicles, for example.\u00a0 This technology currently targets GPS-enabled phones whose service provider is a GSM network, e.g. AT&amp;T or T-Mobile.\u00a0 Mobile Millennium has set virtual trip lines at certain geographic locations so that whenever a participating device passes through a trip line, information is relayed to the project servers. 
This project will focus on traffic on major roads between the Bay Area and Sacramento, but intends to expand to arterial roads in the future.<\/p>\n<p>From a security perspective, the project incorporates &#8220;Privacy by Design&#8221; principles so that no data point can be directly connected with a particular phone.\u00a0 Achieving this involves stripping incoming data of identifying information, in addition to encrypting transmitted data and analyzing data on a need-to-know basis.\u00a0 To further alleviate security fears, Mobile Millennium operates on a completely voluntary basis and users can stop participating at any time.<\/p>\n<p><strong>Stakeholders<\/strong><br \/>\nDespite the claims of system anonymity by the creators of Mobile Millennium, users risk exposing their location and identifying information when they volunteer to participate.\u00a0 Even in the case that the project adheres to the aforementioned principles of Privacy by Design, there are certain cases in which one can infer user identity from location and external knowledge.\u00a0 For example, if a participant habitually travels to an area devoid of other participants, then this individual&#8217;s movement can be monitored without the system explicitly mapping her data point to her person.\u00a0 If this area happens to be her home address, then even more information is compromised.<\/p>\n<p>From a more optimistic perspective, by design, Mobile Millennium can track whether participants are stranded on roads; one could easily imagine how this knowledge might facilitate increased precision and a speedier response to emergency situations, stranded vehicles, etc.\u00a0 (Thus, perhaps towing companies may be an indirect stakeholder as well.)<\/p>\n<p>In addition, the participating device may incur significant computational overhead, as it is constantly streaming data to Mobile Millennium servers.\u00a0 If the technology becomes more mainstream, will this affect how cell phones 
are designed?\u00a0 Will this have an impact on the types of encryption that can be done, now that computing power is even more limited?<\/p>\n<p>Because users are encouraged to have unlimited plans, the creators of Mobile Millennium themselves may be an indirect stakeholder; if this limitation prevents a certain demographic or region from participating, Mobile Millennium may end up studying the traffic patterns of a limited subset of the population and drawing biased conclusions.<\/p>\n<p>In addition, citizens of the targeted region are direct stakeholders, even if they are not participants.\u00a0 Reportedly, anyone can check the status of traffic on Mobile Millennium&#8217;s website; this technology is intended to relieve areas of major congestion directly, or at least provide the means for the state Department of Transportation to improve infrastructure.\u00a0 (Thus, one might consider the Department of Transportation another indirect stakeholder.)<\/p>\n<p>Finally, the police department has a potential and indirect interest in the development of Mobile Millennium.\u00a0 The lack of individual privacy in the project implementation (as well as the perception of such) may affect crime on the road.\u00a0 This is further discussed in the &#8220;Adversaries&#8221; section.<\/p>\n<p><strong>Assets and Security Goals<\/strong><br \/>\nAs discussed above, the general privacy of participants should be a major concern of Mobile Millennium.\u00a0 While the creators have certainly gone to some length to protect the identities of their users, it is not clear that such measures are enough to maintain true anonymity.<\/p>\n<p>In addition, personal security may potentially be at stake; a user might not feel comfortable if strangers know that he is stranded on an isolated road in the middle of the night.\u00a0 He might very well prefer to call a friend for help rather than alert Mobile Millennium of his distress.<\/p>\n<p><strong>Potential Adversaries and Threats<br \/>\n<\/strong>Though 
typically not portrayed as an adversary, the police have strong (and arguably semi-justified) motivation to infringe on user privacy rights. For example, if one can identify people via Mobile Millennium, it would be easier to find the aggressor in a hit-and-run incident.\u00a0 It might also be easier to track the whereabouts of suspects or verify their alibis.\u00a0 Similarly, the federal government has an interest in breaking any privacy-ensuring mechanisms set in place by Mobile Millennium; such a breach would facilitate any tapping and\/or tracking of individuals of interest.<\/p>\n<p>The government may also have an interest (albeit a different one) on the state and\/or judicial level.\u00a0 If they can even determine that a certain demographic frequents certain roads in certain patterns, this may induce a bias toward one class (e.g. a wealthier class) over another to increase revenue.<\/p>\n<p><strong>Potential Weaknesses<br \/>\n<\/strong>From a security perspective, there seems to be no way for a user who decides to stop participating to verify that their information is indeed no longer being tracked by Mobile Millennium.\u00a0 In addition, who is in control of the system?\u00a0 If control of the system falls into the wrong hands, are there mechanisms in place to ensure that an adversary can still do no harm despite having access to the centralized information?<\/p>\n<p><strong>Potential Defenses<br \/>\n<\/strong>For the weaknesses above, defenses might include mechanisms to ensure that a former participant is indeed no longer participating.\u00a0 An extreme version of such a defense would be to get a new phone, but this is cumbersome; it should not be at the expense of the user to ensure his or her non-participation.\u00a0 The claimed ability to disable participation at any time is already a first line of defense against privacy issues or qualms the user may have.<\/p>\n<p><strong>Evaluation and Conclusion<br \/>\n<\/strong>Mobile Millennium 
proposes a new technology that allows the tracking of large groups of people without explicitly identifying them.\u00a0 However, with this technology come many privacy issues; in particular, it is unclear how much identifying information could be inferred even without an explicit mapping from data point to name.\u00a0 Because there will conceivably always be special cases in which little information is needed to deduce a person&#8217;s association with a data point, it is extremely difficult to defend against this kind of privacy breach without refusing to participate in the first place.\u00a0 One can think of addressing this potentially contrived case as a &#8220;worst case analysis&#8221;.\u00a0 Any theoretical defense based on adding data points to make an inferred data point more anonymous defeats the very purpose of this study, which involves understanding the traffic patterns of real people.\u00a0 While it seems that technology of this type poses severe privacy issues, it will inevitably become more mainstream because of the benefits that a system gains from tracking people (or things) within it.\u00a0 In fact, a similar technology is already implemented in many hospitals as a way of tracking equipment, patients and staff.\u00a0 (It should be noted, however, that this technology is restricted to the domain of the hospital and would not, for example, aid the police in tracking their suspects.)\u00a0 Toward that end, it is increasingly necessary to resolve these issues in a way that renders the technology simultaneously respectful of individual privacy and beneficial to society as a whole.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>(originally written 11\/07\/2008) Early next week, the University of California, Berkeley, in a joint effort with Nokia Research Labs, intends to launch Mobile Millennium, a project that aims to capture traffic patterns accurately and in real time by harnessing cell phones &hellip; <a 
href=\"https:\/\/secblog.cs.washington.edu\/Security\/2008\/11\/20\/security-review-mobile-millennium\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":62,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-260","post","type-post","status-publish","format-standard","hentry","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/260","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/62"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=260"}],"version-history":[{"count":5,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/260\/revisions"}],"predecessor-version":[{"id":265,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/260\/revisions\/265"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}