Privacy in the next generation Internet
Data Protection in the context of European Union Policy

A thesis submitted to KTH in partial fulfillment of the requirements for the Doctorate of Technology degree.

4th December 2002, Room C1 – Electrum, Kista – Stockholm, SWEDEN

PhD Candidate: Lic. Tekn. Alberto Escudero-Pascual
Advisors: Prof. Bjorn Pehrson and Prof. Gerald Q. Maguire Jr.

Page 2

Motivation

Me: Alberto Escudero-Pascual, Spanish, 29 years old, graduate student, Royal Institute of Technology

<who:ID> <when:Time> <what:Action> <where:Position>

Mobile Internet and Location Privacy
Data Protection and Cybercrime
Identity Management

And my
[email protected]
+46 70286 7989
00:60:1D:F1:64:D4
192.16.125.240
qwerty.ssvl.kth.se
3ffe:200:15:2:260:1dff:fef1:64d4
16/01/2000, 04/12/2002
N59.40.54, E19.094.3

Page 3

Dissertation: PhD proposal (13/12/2001)

Identify timely important emerging areas for privacy in the next generation Internet.

Study if the European Union Data legal provisions are suitable to deal with new telecommunication infrastructures.

Provide recommendations to technical and regulatory bodies to enhance next generation Internet privacy.

Page 4

Agenda

1. Background
• Next generation Internet
• European Union Data Protection Policy

2. Three privacy areas
• Unique identifiers and privacy preferences observability
• Privacy enhanced location based services
• Legal treatment of ’traffic data’

3. Summary of recommendations
• Technical
• Legal

4. Future work

Page 5

Background

"Living in an all-IP E-world with new E-Laws"

Page 6

Background: "The All-IP E-world"

The next generation Internet

WHAT | HOW
All IP-network | IPv6
Convergence of core and wireless | 2.5G, 3G, 4G
Native IP mobility and security | MobileIPv6 and IPSEC
Self-configuration | IPv6 Service discovery and autoconfiguration

Page 7

Background: IPv6/MobileIPv6

[Figure: a Mobile Node in its home network (t1) and in a foreign network (t2), and a Correspondent Node.
First packet: Ethernet | IPv6 Header | ESP | TCP | HTTP. Labels: SOURCE ADDRESS Care-of-address(t), Destination Option, DEST. ADDRESS www.epic.org, HOME ADDRESS.
Second packet: Ethernet | IPv6 Header | Mobility Header. Labels: HOME ADDRESS, Care-of-address(t2), SPI.]

1. Always addressable by home address
2. Native integrity, authentication, and confidentiality
3. Self-configuration
4. Route optimization

Page 8

Background: "The new E-laws"

European Union New E-regulatory framework

July 2000

- European Commission proposed 5 packages of measures for a new E-regulatory framework

- COM(2000)385: Updates Data Protection Directive (97/66/EC)

July 2002

- ”E”-Data Protection Directive (2002/58/EC)

Page 9

Background: (2002/58/EC)

1. Aims to update (97/66/EC)
2. Technology-neutral policy
3. Data Protection Directive Areas

• Location data processing of traffic data (§6, §9)
• Security and confidentiality
• Privacy-compliant soft and hardware
• Ex-directory default
• Unsolicited commercial communications

Page 10

Three privacy areas in the next generation Internet

Page 11

Papers

[P1] A. Escudero, M. Hedenfalk, and P. Heselius, Location Privacy in Mobile Internet - An extension to Freedom Network. Internet Society Conference (INET2001). Stockholm, Sweden. June 2001.

[P2] A. Escudero, Location Privacy in IPv6: ’Tracking binding updates’. Tutorial at Interactive Distributed Multimedia Systems (IDMS2001). Lancaster, UK. September 2001.

[P3] A. Escudero, Requirements for unobservability of privacy extension in IPv6. Radio Vetenskap 2002. Stockholm, Sweden. June 2002, pp. 58.

[P4] A. Escudero, Privacy enhanced architecture for location based services in the next generation wireless networks. 11th IEEE Workshop on Local and Metropolitan Area Networks (LANMAN2002). Stockholm, Sweden. August 2002, pp. 169-172.

[P5] A. Escudero and G.Q. Maguire Jr., Role(s) of a proxy in location based services. 13th IEEE International Symposium on Personal, Indoor and Mobile Radio Communications. (PIMRC2002). Lisbon. Portugal. September 2002, Vol.3 pp. 1252-1257. © IEEE

[P6] A. Escudero and I. Hosein, The hazards of technology-neutral policy: questioning lawful access to traffic data. To appear in Communications of the Association for Computing Machinery (CACM) Journal. Accepted on the 5th September 2002 - Reviewed 19th October 2002. © ACM

[P7] A. Escudero, Privacy in mobile Internet in the context of the European Union data protection policy. Internet Society Conference (INET2002). Washington DC. USA. June 2002.

[P8] A. Escudero, T. Holleboom, and S. Fischer-Huebner, Privacy for location data in Mobile Networks (NORDSEC2002). Karlstad, Sweden. November 2002, pp. 220-232.

Page 12

Papers and Privacy Areas

[Figure: the papers mapped onto privacy areas. Areas: Privacy threats, Unique Identifiers, Location Privacy, Privacy in LBS, Traffic Data Policy. Papers: INET2001, IDMS2001, RVK02, LANMAN2002, PIMRC2002 © IEEE, CACM © ACM, INET2002, NORDSEC2002.]

Page 13

1. IPv6 Unique Identifiers and privacy preferences observability

Analysis of privacy extension for IPv6 address autoconfiguration: RFC3041

Page 14

IPv6 Unique Identifiers

RFC2373 - IPv6 addressing architecture
RFC2374 - IPv6 aggregatable global unicast address
RFC2462 - IPv6 address autoconfiguration

IEEE 802: 00:60:1D:F1:64:D4
EUI-64: 00:60:1D:FF:FE:F1:64:D4
IPv6 IID: 02:60:1D:FF:FE:F1:64:D4 (U/L bit set)
Router Advertisement: 3FFE:200:15:2

The "EUI-64 based" IPv6 Interface Identifier (IID) is a unique identifier.

The rightmost 64 bits remain constant.
U/L bit: CLAIM of uniqueness

Page 15

Location Privacy implications

Escudero A. "Location Privacy in IPv6, tracking the binding updates", Tutorial at IDMS2001, Lancaster. UK, September 2001. [P2]

It is possible to track a device by checking for global unicast addresses with the same Interface Identifier.

It is possible to track a device by observing MobileIPv6 "binding updates" (plain text).

Some proposals that try to solve the problem:
• Privacy extensions for MobileIPv6 and Hierarchical MIP [Castelluccia & Soliman]
• Privacy extension for stateless address autoconfiguration, RFC3041 [Narten & Draves]

Page 16

Analysis of RFC3041

Escudero A. "Requirements for unobservability of privacy extension in IPv6", Radio Vetenskap, Stockholm, Sweden. June 2002. [P3]

RFC3041 "privacy extension for address autoconfiguration" suggests:

1. to generate the IID randomly
2. to change the u/l bit to u=0 to indicate that the IID is not globally unique

While the u bit indicates that the IID is not globally unique, it reveals under certain scenarios that a user wants to protect his/her privacy.

U/L bit: 0
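The derivation on the "IPv6 Unique Identifiers" slide, and the tracking and u-bit observations on the two slides after it, as an added Python example (not part of the original slides or the thesis). The MAC address and the 3FFE:200:15:2 prefix are the ones shown in the slides; the 2001:db8 prefix, the random interface identifier and all function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from typing import Optional

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address: the interface identifier


def mac_to_iid(mac: str) -> int:
    """IEEE 802 MAC -> modified EUI-64 interface identifier (RFC 2373, Appendix A)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])  # insert FF:FE in the middle
    eui64[0] ^= 0x02                                     # invert the U/L bit
    return int.from_bytes(eui64, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stateless autoconfiguration: advertised /64 prefix + EUI-64 based IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("autoconfiguration expects a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_iid(mac))


def recover_mac(iid: int) -> Optional[str]:
    """Return the MAC address behind an EUI-64 based IID, or None if it is not one."""
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe" or not b[0] & 0x02:
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{x:02X}" for x in mac)


def classify(addr: str) -> str:
    """What an observer learns from the interface identifier alone."""
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    if recover_mac(iid):
        return "eui64: stable hardware identifier"
    if not (iid >> 57) & 1:  # U/L bit is the 0x02 bit of the IID's first byte
        return "u=0: no uniqueness claim (e.g. RFC3041, manual, DHCPv6 or CGA)"
    return "u=1: other identifier claiming uniqueness"


def track(observations):
    """Map each IID seen under more than one /64 prefix to its ordered sightings."""
    by_iid = defaultdict(list)
    for when, addr in observations:
        a = int(ipaddress.IPv6Address(addr))
        prefix = ipaddress.IPv6Network(((a >> 64) << 64, 64))
        by_iid[a & IID_MASK].append((when, str(prefix)))
    return {iid: s for iid, s in by_iid.items() if len({p for _, p in s}) > 1}


# Constructed sightings: the same device under two prefixes, plus one
# RFC3041-style temporary address (random IID, u=0) on the foreign link.
OBSERVATIONS = [
    ("t1", "3ffe:200:15:2:260:1dff:fef1:64d4"),     # prefix and MAC from the slides
    ("t2", "2001:db8:aaaa:1:260:1dff:fef1:64d4"),   # constructed foreign prefix
    ("t2", "2001:db8:aaaa:1:4c1f:9a3e:7b02:11d5"),  # constructed random IID
]

if __name__ == "__main__":
    print(slaac_address("3ffe:200:15:2::/64", "00:60:1D:F1:64:D4"))
    for iid, sightings in track(OBSERVATIONS).items():
        print(recover_mac(iid) or f"{iid:016x}", sightings)
    for _, addr in OBSERVATIONS:
        print(addr, "->", classify(addr))
```

The temporary address escapes the cross-prefix grouping, but its u=0 bit still sets it apart from the EUI-64 based addresses, which is the observability problem the RFC3041 analysis points at.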

Page 17

Limitations of RFC3041: Privacy Preferences Observability

[Figure: diagrams relating the u=0 bit to the ways an interface identifier can be generated (CGA, Manual, RFC3041, DHCPv6), with decision labels m0/m1, d=0/d=1, cga/!cga, dhcp/!dhcp, rfc3041 and manual.]

Page 18

Technical recommendation

1. All Interface identifiers are generated randomly (change RFC2373). ”Privacy by default”

2. The (U/L) ”claim bit” is not used. Use Duplicate Address Detection instead (DaD)

3. Create a ”pseudo-random interface identifier” based on link level information

Page 19

2. Location Privacy in Location Based Services

Privacy Enhanced LBS architecture

Page 20

Previous work: Untraceable Mobility Support in the Freedom PIP network

• Proposal to extend the Zero Knowledge Systems’ Freedom network to support mobility.

• Application of Chaum-mixes + Hierarchical MobileIP inside of a Pseudonymous IP network.

• Addressed in detail in my Lic. Thesis

Escudero A., Hedenfalk M. and Heselius P. "Location privacy in mobile internetworking. Protocol Extensions to the Freedom Network", INET2001, Stockholm. June 2001. [P1]

Page 21

Seamless Mobility in Freedom Network™

Mobility support
• Partial routes are re-created
• AIP exit doesn’t see the micro mobility

[Figure labels: AIP entry(1), AIP entry(2), AIP2, AIP exit]

Complex solution in the IP layer and up!
• Big infrastructure
• Scalability

Page 22

Privacy Enhanced Location Based Services Architecture

Escudero A. "Privacy enhanced architecture for location based services in the next generation Internet". LANMAN2002, Stockholm. Sweden. August 2002. [P4]

Escudero A. and Maguire G. "Role(s) of proxy in location based services". PIMRC2002, Lisbon. Portugal. September 2002. [P5]

[Figure labels: Location Data, Transport, SOAP Request, XML Location Data, Transport, LBS Proxy Server, S1, S2, S3]

Page 23

Technical recommendation

• Proxy acts as:
– A SOAP class dispatcher
– PE-LBS proxy can act as a Chaum-Mix
– Intelligent Software Agent

• PE-LBS:
– Suitable architecture for 3G networks
– "XML encryption" only requirement
– Transport independent

Page 24

3. Legal Aspects of Internet Traffic Data

Analysis of Data Protection Directive (2002/58/EC)
Location and Traffic Data

Page 25

Legal aspects of “traffic and content data”

The “current” legal definitions of Internet traffic data are a threat for privacy

Definitions

a) "traffic data": all data processed which relate to the routing of a communication by an electronic communications network.

b) "communication": all information exchanged or routed between a finite number of parties via an electronic communications network accessible to the public.

c) "Telecommunications service": services which consist in total or in part of the transmission and routing of signals on telecommunications networks, with the exception of radio and television.

Page 26

Technology I: The Phone – Call Data Records

Traffic data in POTS

EVENT: Someone makes a phone call

19991003070824178 165 0187611205 46732112106 ----------001------003sth 46 4673000-----0013 1410260

1999100307083041 33 01541011341 46708314801 ----------001------003sth 46 4670000--8 0013 11 10260

1999100307162963 51 0187614815 46739112106 ----------001------003sth 46 4673000-----0013 13 10260

1999100307182788 74 015410124301 46708314801 ----------001------003sth 46 4670000--8 0014 11 10260

1999100307204736 18 0187614805 46739112106 ----------001------003sth 46 4673000-----0013 14 10260

1999100307222326 20 01317023888 46706263087 ----------001------003sth 46 4670000--6 0013 1 10260

1999100300131791 90 0131654200 46854543084 ----------001------002sth 46 46 001-----0014 14 10260

Page 27

Technology I: The Phone – Call Data Records

Someone makes a phone call for 3 minutes and 20 seconds

1999-10-03 07:08:24 from telephone 46 732112106 to telephone 46 4673000

Page 28

Technology II: Radius – Internet Dialup records

EVENT: Someone dials with a traditional telephone line using a modem to an Internet provider

Fri Oct 19 11:30:40 2001
User-Name = "[email protected]"
NAS-IP-Address = 62.188.74.4
NAS-Port = 3239
NAS-Port-Type = Async
Acct-Status-Type = Start
Acct-Delay-Time = 0
Acct-Session-Id = "324546354"
Acct-Authentic = RADIUS
Calling-Station-Id = "01223461172"
Called-Station-Id = "9061000"
Framed-Protocol = PPP
Framed-IP-Address = 62.188.17.227
Proxy-State = "PX01\0\0`\0xcdntg\0x13\0xdfV\0xa4\[...]\0xfc\0x8c"

Page 29

Technology II: Radius – Internet Dialup records

User: [email protected]
Place of call: Cambridge (UK) 01223461172
Calling to: London (UK) 9061000
IP address: 62.188.17.227
Duration of call: 21 Seconds
Type of connection: ASYNC MODEM
Date and time: from Fri Oct 19 11:30:40 2001 to Fri Oct 19 11:31:00 2001

Page 30

Technology III: Wireless radio cell authentication

EVENT: User A and B using WLAN network

time GMT=20010810010852 Cell ID=115 MAC ID=00:02:2D:20:47:24 (A)
time GMT=20010810010852 Cell ID=115 MAC ID=00:02:2D:04:29:30 (B)
time GMT=20010810010852 Cell ID=115 MAC ID=00:60:1D:21:C3:9C
time GMT=20010810010853 Cell ID=129 MAC ID=00:02:2D:04:29:30
time GMT=20010810010854 Cell ID=129 MAC ID=00:02:2D:1F:53:C0
time GMT=20010810010854 Cell ID=129 MAC ID=00:02:2D:04:29:30 (B)
time GMT=20010810010854 Cell ID=129 MAC ID=00:02:2D:20:47:24 (A)
time GMT=20010810010856 Cell ID=41 MAC ID=00:02:2D:0A:5C:D0
time GMT=20010810010856 Cell ID=41 MAC ID=00:02:2D:1F:78:00
time GMT=20010810010856 Cell ID=41 MAC ID=00:60:1D:1E:D4:53
time GMT=20010810010858 Cell ID=211 MAC ID=00:60:1D:F0:E4:D8
time GMT=20010810010900 Cell ID=154 MAC ID=00:30:65:00:62:27
time GMT=20010810010900 Cell ID=154 MAC ID=00:02:2D:05:0B:25
time GMT=20010810010900 Cell ID=154 MAC ID=00:60:1D:22:26:A7
time GMT=20010810010900 Cell ID=154 MAC ID=00:02:DD:30:06:90
time GMT=20010810010900 Cell ID=154 MAC ID=00:02:2D:0D:27:D3

Page 31

Technology III: Wireless radio cell authentication

On 2001-08-10 at 01:08:52 AM, user (A) was in radio cell 115 with user (B), and they moved together to cell 129 at 01:08:54 AM.

Radio cell 115 covers the Electrum C1.
Radio cell 129 covers the Electrum Restaurant.

Page 32

Technology IV: Web server logs

EVENT: User A connects to a webserver B

295.47.63.8 - - [05/Mar/2002:15:19:34 +0000] "GET /cgi-bin/htsearch?config=htdigx&words=startrek HTTP/1.0" 20 2225

295.47.63.8 - - [05/Mar/2002:15:19:44 +0000] "GET /cgi-bin/htsearch?config=htdig&words=startrek+avi HTTP/1.0" 200x

215.59.193.32 - - [05/Mar/2002:15:20:17 +0000] "GET /cgi-bin/htsearch?config=htdig&words=Modem+HOWTO …

192.77.63.8 - - [05/Mar/2002:15:20:35 +0000] "GET /cgi-bin/htsearch?config=htdig&words=conflict+war HTTP/1.0" 200

211.164.33.3 - - [05/Mar/2002:15:21:32 +0000] "GET /cgi-bin/htsearch?config=htdigx&words=railway+info …

211.164.33.3 - - [05/Mar/2002:15:21:38 +0000] "GET /cgi-bin/htsearch?config=htdigx&words=tickets HTTP/1.0" 200

211.164.33.3 - - [05/Mar/2002:15:22:05 +0000] "GET /cgi-bin/htsearch?config=htdigx&words=railway+info+London

212.164.33.3 - - [05/Mar/2002:15:22:35 +0000] "GET /cgi-bin/htsearch?config=htdigx&words=union+strike HTTP/1.0…

82.24.237.98 - - [05/Mar/2002:15:25:29 +0000] "GET /cgi-bin/htsearch?config=htdigx&words=blind+date HTTP/1.0

Page 33

Technology IV: Web server logs

On 2002-04-05 at 15:21:32 PM, user 211.164.33.3 searches for info about:

railway, tickets, London, union, strike

Page 34

Where is the content? Where is traffic?

SIGNALING: Phone numbers/Time
CONTENT: The Conversation

[Figure labels: INTERNET, POTS]

Page 35

Where is the content? Where is traffic?

[Figure: a Mobile Node at (t1) and (t2), and a Correspondent Node.
First packet: Ethernet | IPv6 Header | ESP | TCP | HTTP. Labels: SOURCE ADDRESS Care-of-address(t), Destination Option, DEST. ADDRESS www.epic.org, HOME ADDRESS.
Second packet: Ethernet | IPv6 Header | Mobility Header. Labels: HOME ADDRESS, Care-of-address(t2), SPI.
URL: http://www.epic.org]

Page 36

Legal recommendation

Traditional legal, regulatory and technical provisions were established with traditional technological environments in mind. The traditional classification of data based on the functional channel is no longer valid.

Data Protection policies should consider the sensitivity of the amount of personal identifiable information of a ’data set’ and not insist on applying traditional powers to new infrastructures.

Escudero A. and Hosein I. "The hazards of technology-neutral policy: questioning lawful access to traffic data". CACM. [P6]

Escudero A. "Privacy in the next generation Internet in the context of the European Union Policy". INET2002, Washington DC. USA. June 2002. [P7]

Page 37

Summary of recommendations and contributions

Page 38

Summary and results

Concerning Unique identifiers:

- Show how IPv6 Unique Interface Identifiers are a threat for privacy.

- Show how IP addresses are Personal Identifiable Information.

- Show how IPv6 RFC3041 is not enough privacy protection.

- Propose changes to RFC2373, RFC2374, RFC2462.

CONCRETE RESULT: Opinion 2/2002 Article 29 Data Protection Working Group (ApA)

Page 39

Summary and results

Concerning location based services:

- Propose a PE-LBS architecture suitable for 3G networks and compliant with Data Protection Directive (2002/58/EC).

- Propose the use of Platform for Privacy Preferences W3C P3P for obtaining informed consent. [P8]

CONCRETE RESULT: PE-LBS architecture applied to "road pricing"

Page 40

Summary and results

Concerning legal treatment of traffic data:

- Propose that Data Protection policies should consider the sensitivity to the amount of personal identifiable information of a ’data set’ and not insist on applying traditional powers to new infrastructures.

CONCRETE RESULT: Journal Article - Wide Dissemination (ApB)

Page 41

Future work

Page 42

Future research

• Role of Simple Unique Cryptographically Verifiable (SUCV) or Cryptographically generated addresses (CGA) in identity management as a privacy enhancing technology while retaining strong authentication.

• Intelligent Software Agents in location based services and their role in the infrastructure

• Anonymising techniques for ’traffic data’ compliant with Data Protection Directive (2002/58/EC)

Page 43

Thanks!

Electronic version of the PhD thesis: http://www.it.kth.se/~aep/PhD

Isafjordsgatan, 39. Plan 8
KTH/IMIT/TSLAB
SE-16440 Kista – [email protected]
+46702867989

Google (Alberto Escudero)
TITRA-IMIT-TSLAB AVH 02:01
ISSN 1651-4114

