The prime target audience of this lecture are researchers and practitioners working in mobile and pervasive computing who want to better understand and account for the nuanced privacy implications of the technology they are creating. Armed with the knowledge in this book, we hope they will avoid opting for simple solutions that fail to address the true complexity of the problem, or even deciding not to address privacy issues at all.
At the same time, researchers working in the areas of privacy and security in general—but without a background in mobile and pervasive systems—might want to read this lecture in order to learn about the core properties and the specific privacy challenges within the mobile and pervasive computing domains.
Last but not least, graduate and undergraduate students interested in the area should be able to gain an initial overview from this book, with enough pointers to start exploring the topic in more depth.
Marc Langheinrich and Florian Schaub
October 2018
Acknowledgments
It may come as no surprise that a project like this always takes longer than one originally anticipates. Sometimes much longer. We are thus deeply grateful to Michael Morgan, President and CEO of Morgan & Claypool Publishers, and Mahadev “Satya” Satyanarayanan, the Mobile and Pervasive Computing-Series Editor, for their patience and unwavering support over the years. We also greatly benefited from the helpful feedback from both Satya and Nigel Davies, who read through countless early versions of this lecture and offered important insights on how to make this text more accessible. All of the remaining issues in this final version are fully our fault!
We also would like to thank all the staff and students at our respective universities that have supported us in our work, as well as our many collaborators near and far who help shape our research and provided us with guidance and inspiration over the years.
Marc Langheinrich and Florian Schaub
October 2018
CHAPTER 1
Introduction
In 1999, Robert Rivera slipped on some spilled yogurt in a Vons supermarket in Southern California. With a shattered kneecap as a result, Rivera sought compensation from the supermarket chain—not only to pay for his medical bills, but also to compensate for the loss of income, as he had to quit his job due to the injury. However, his effort to negotiate an out-of-court settlement fell short, according to the LA Times [Silverstein, 1999], when the supermarket’s designated mediator produced Rivera’s shopping records. Rivera was a regular Vons customer and had used their loyalty card for several years. The mediator made it clear that should this case go to court, Vons could use Rivera’s shopping record to demonstrate that he regularly bought large quantities of alcohol—a fact that would surely weaken his case (who is to say that Rivera wasn’t drunk when he slipped?). While Vons denied any wrongdoings, Rivera claimed that this threat prompted him to drop the case against the company.
Shopping records are a great example of the minute details that companies are interested in collecting about their customers. At first glance, it looks like a good deal: in exchange for swiping a loyalty card at the checkout,1 consumers receive anywhere from small discounts to substantial savings on their daily grocery shopping bill. The privacy implications seem negligible. After all, the store already has a record of all items you are buying right there at checkout, so why worry about the loyalty card that helps you save money? While the difference is not obvious, the loyalty card allows for much more detailed data collection than just the payment transaction. Even though it seems as if a regular credit card not issued by the store or other cashless payment methods would be just as problematic, data flows for such cards are different: the supermarket only receives information about successful payment, but no direct identifying information about the customer; similarly, the credit card company learns that a purchase of a certain amount was made at the supermarket, but not what items were purchased. Only by also swiping a loyalty card or using a combined credit-and-loyalty card, a store is able to link a customer’s identity to a particular shopping basket and thus track and analyze their shopping behavior over time.
So what is the harm? Most of us might not regularly buy “large quantities” of alcohol, so we surely would never run into the problem of Robert Rivera, where our data is used “against us”. Take the case of the U.S.-American firefighter Philip Scott Lyons. A long-time customer of the Safeway supermarket chain, Lyons was arrested in August 2004 and charged with attempted arson [Schneier, 2005]. Someone had tried to set fire to Lyons’ house. The fire starter found at the scene matched fire starters Lyons had previously purchased with his Safeway Club Card. Did he start the fire himself? Luckily for Lyons, all charges against him were eventually dropped in January 2005, when another person confessed to the arson attempt. Yet for over six months, Lyons was under heavy suspicion of having set fire to his own home—a suspicion particularly damaging for a firefighter! A similar incident occurred in 2004 in Switzerland, when police found a supermarket-branded contractor’s tool at the scene of a fire in the Canton of Berne. The local court forced the corresponding supermarket chain, Migros, to release the names of all 113 individuals who had bought such a tool in their stores. Eventually, all 113 suspects were removed from the investigation, as no single suspicion could be substantiated [20 Minuten].
In both the Safeway and the Migros cases, all customers who had bought the suspicious item in question (fire starters and a contractor’s tool, respectively) instantly became suspects in a criminal investigation. All were ultimately acquitted of the charges against them, although particularly in the case of firefighter Lyons, the tarnished reputation that goes with such a suspicion is hard to rebuild. News stories tend to focus on suspects rather than less exciting acquittals—the fact that one’s name is eventually cleared might not get the same attention as the initial suspicion. It is also often much easier to become listed in a police database as a suspect, than to have such an entry removed again after an acquittal. For example, until recently, the federal police in Switzerland would only allow the deletion of such an entry if the suspect would bring forward clear evidence of their innocence. If, however, a suspect had to be acquitted simply through lack of evidence to the contrary—as in the case of the Migros tool—the entry would remain [Rehmann, 2014].
The three cases described above are examples of privacy violations, even though none of the data disclosures (Vons’ access of Robert Rivera’s shopping records, or the police access of the shopping records in the US or in Switzerland) were illegal. In all three cases, data collected for one purpose (“receiving store discounts”) was used for another purpose (as a perceived threat to tarnish one’s reputation, or as an investigative tool to identify potential suspects). All supermarket customers in these cases thought nothing about the fact that they used their loyalty cards to record their purchases—after all, what should be so secret about buying liquor (perfectly legal if you are over 21 in the U.S.), fire starters (sold in the millions to start BBQs all around the world) or work tools? None of the customers involved had done anything wrong, yet the data recorded about them put them on the defensive until they could prove their innocence.
A lot has happened since Rivera and Lyons were “caught” in their own data shadow—the personal information unwittingly collected about them in companies’ databases. In the 10–15 years since, technology has continued to evolve rapidly. Today, Rivera might use his Android phone to pay for all his purchases, letting not only Vons track his shopping behavior but also Google. Lyons instead might use Amazon Echo2 to ask Alexa, Amazon’s voice assistant, to order his groceries from the comfort of his home—giving police yet another shopping record to investigate. In fact, voice activation is becoming ubiquitous: many smartphones already feature “always-on” voice commands, which means they effectively listen in on all our conversations in order to identify a particular activation keyword.3