7.3.2.2 RFID privacy issues
The privacy issue comes from the fact that an RFID tag and reader do not have to be in line of sight. An unauthorized RFID reader at a distance or beyond the wall(s) may try to get access to the tag information and the tag owner may not be aware that his/her tag is being read.
7.3.3 Visual privacy
Visual privacy refers to the private information in the form of image or video.
Today, streets of modern cities and almost all closed public places are equipped with surveillance cameras in order to track suspicious activity and identify criminals. We expect that, in the near future, the number of cameras will increase even further with the introduction of smart cameras and vision-based intelligent surveillance systems. Surveillance cameras may also be used as part of ambient-assisted living systems in support of autonomy and well-being of older or disabled people. In any case, videos or images of a person carry the richest privacy information about a person and his/her environment. Not only the face of a person, but also the clothes, posture, gait, time, and environment can reveal sensitive information.
7.4 Privacy-Preserving Approaches in Smart Buildings
7.4.1 Wireless LAN privacy-preserving approaches
signal strength from the device. This will reduce the number of APs which are able to receive the transmission [28]. Finally, if the attacker has prior knowledge about the environment (e.g., building layout, office assignment, working schedule of the employees, etc.), he/she can use this information to better identify the user [25].
The goals of applying anonymization are threefold. First, the identifier should be unlinkable, that is, the new and old identifiers from the same client node should be dissociated. Secondly, anonymization should cause minimum network disruption. In order to achieve this goal, proper timing is needed. The address switching may close network connections in real-time applications such as voice over IP (VoIP) or long communication sessions like streaming media. Finally, the solution should be readily applicable to the current IEEE 802.11 standard [4]. The key challenges in anonymization are
1. Address selection. The addresses (including fake ones used to disguise the real ones) must still be valid and follow the standard, which requires 48-bit MAC addresses consisting of 24 bits for the Organizationally Unique Identifier (OUI) and another 24 bits assigned by the NIC vendor, so that they will not be rejected or ignored for incompatibility reasons.
2. Address uniqueness. All nodes or users sharing a network source should have a unique address. Thus, we need a detection and prevention mechanism for duplicate addresses. If it is a large network with many users, address collision becomes a problem, especially if each user independently generates its own fake MAC address. One solution to this problem is to configure the AP to provide a pool of MAC addresses and to assign a MAC address to the node or user that joins it. In this case, the user or client needs to request a MAC address when joining the AP. The problem here is that the request must be attributable, which means it must contain the real MAC address of the user, in which case the user identity will again be revealed. To solve this problem, Jiang et al. [28] proposed using a joint address (i.e., group address) within the request for concealment purposes and a 128-bit nonce (one-time code) to provide uniqueness.
3. Integration with port authentication. Other identifiers besides MAC addresses (in protocols such as EAP-TLS, CHAP, RADIUS) should also be taken into account so that eavesdroppers will not use them to track the user.
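The first two challenges above (address selection and address uniqueness), as an added example that is not code from the chapter or from Jiang et al. [28]: it generates a structurally valid random MAC address, detects duplicates among addresses that clients chose independently, and simulates an AP-side address pool in which the join request carries only a group address and a 128-bit nonce, never the client's real MAC. The `GROUP_ADDRESS` value, the `AccessPoint` lease logic and the use of the locally administered bit are assumptions made for illustration; the real message format of the cited scheme is not reproduced.

```python
import secrets

# Constructed group address placed in join requests (assumption: stands in for the
# joint/group address of Jiang et al. [28]; not the scheme's actual format).
GROUP_ADDRESS = "02:00:00:00:00:01"


def random_local_mac():
    """Return a random 48-bit unicast MAC with the locally administered (U/L) bit set,
    so it is syntactically valid and cannot collide with a vendor-assigned OUI."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] & 0xFC) | 0x02      # clear I/G (multicast) bit, set U/L bit
    return ":".join(f"{o:02x}" for o in octets)


def is_valid_unicast_mac(mac):
    """Check the six-octet (48-bit) form and that the address is unicast."""
    parts = mac.split(":")
    if len(parts) != 6:
        return False
    try:
        octets = [int(p, 16) for p in parts]
    except ValueError:
        return False
    return all(0 <= o <= 0xFF for o in octets) and (octets[0] & 0x01) == 0


def find_duplicates(macs):
    """Duplicate detection over addresses that clients picked independently."""
    seen, dups = set(), set()
    for m in macs:
        m = m.lower()
        if m in seen:
            dups.add(m)
        seen.add(m)
    return dups


class AccessPoint:
    """AP that hands out addresses from a pool. A join request is identified only by
    the group address and a fresh 128-bit nonce, so the real MAC is never sent."""

    def __init__(self, pool):
        self.free = [m.lower() for m in pool]
        self.by_nonce = {}                      # nonce -> leased address

    def request_address(self, group_address, nonce):
        if group_address.lower() != GROUP_ADDRESS:
            return None                         # not a well-formed join request
        if nonce in self.by_nonce:              # repeated nonce: same lease, no second address
            return self.by_nonce[nonce]
        if not self.free:
            return None                         # pool exhausted
        mac = self.free.pop(0)
        self.by_nonce[nonce] = mac
        return mac

    def release(self, nonce):
        mac = self.by_nonce.pop(nonce, None)
        if mac is not None:
            self.free.append(mac)
        return mac


def client_join(ap):
    """Client side: generate a 128-bit nonce and ask the AP for a pooled address."""
    nonce = secrets.token_hex(16)               # 16 bytes = 128 bits
    return nonce, ap.request_address(GROUP_ADDRESS, nonce)


if __name__ == "__main__":
    ap = AccessPoint(["02:aa:00:00:00:01", "02:aa:00:00:00:02"])
    _, m1 = client_join(ap)
    _, m2 = client_join(ap)
    print("pooled addresses:", m1, m2, "unique:", m1 != m2)
    print("valid random local MAC:", is_valid_unicast_mac(random_local_mac()))
```

The pool removes the collision problem entirely because the AP is the single allocator; independent random selection only makes collisions unlikely, which is why `find_duplicates` is still needed in that mode.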
An important issue to consider is how to unlink different MAC addresses of the same user when frequent address changes are employed, that is, how to reduce the correlation of two addresses of the same user and increase the entropy in address selection.
One solution is to use a silent period after performing address changes [27]. In this approach, the users intentionally do not transmit within a certain period of time after the address change has occurred. The goal is to obscure the address change event by the presence of incoming users or clients. This is, of course, practical when user density is high enough to mask the address change event. Since forced silent periods without user intervention can disrupt communications, the concept of an opportunistic silent period is introduced [27], where address changes are performed during the idle time between users' communications, thus minimizing the negative effect on established communications, and hence enhancing the quality of service.
Another solution is employing mix-zone areas [7, 21], which can be described as the spatial version of the silent period approach: clients are not allowed to transmit in predefined areas. This involves middleware installed on mobile devices to preset the physical location so that all users in this area are indiscernible. All clients may change their pseudonyms (e.g., MAC addresses) in the mix-zone, but they are not allowed to transmit there. A mix-zone for a group of users is defined as a connected spatial region of maximum size where none of these users register for an application. In contrast, an application zone is an area where a user can register for an application callback. When a client that has just changed its pseudonym moves out from the mix-zone and starts to transmit again, an adversary or location-based service (LBS) application will not be able to relate the new pseudonym to a specific old pseudonym, since this new detected pseudonym may come from any client that has just entered the mix-zone. This approach works well when many clients enter or exit the mix-zone at the same time. In order to increase anonymity, the application may be configured not to transmit or not to send any location update if the mix-zone has fewer than k users.
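The mix-zone behaviour described above, as an added simulation that is not code from the chapter or from the cited papers [7, 21]: clients take a fresh pseudonym while silent inside the zone, and on exit the anonymity set is modelled as the number of clients still inside at that moment, since from the adversary's view the new pseudonym could belong to any of them. The k threshold, the event format and the simplification that an exit is certainly linkable only when the anonymity set is 1 are assumptions for illustration.

```python
import secrets

K_MIN = 3   # constructed threshold: suppress location updates if fewer than k users are inside


def new_pseudonym():
    """Fresh pseudonym (a random locally administered MAC) adopted inside the mix-zone."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] & 0xFC) | 0x02      # unicast, locally administered
    return ":".join(f"{o:02x}" for o in octets)


def simulate_mix_zone(events, k=K_MIN):
    """events: iterable of (time, client, action) with action 'enter' or 'exit'.
    Returns one record per exit: (time, client, pseudonym, anonymity_set, may_transmit).
    Simplified model: the anonymity set is the set of clients inside the zone when this
    client leaves; the application transmits only if that set has at least k members."""
    inside = {}                                 # client -> pseudonym chosen on entry
    records = []
    for time, client, action in sorted(events):
        if action == "enter":
            inside[client] = new_pseudonym()    # pseudonym change happens while silent
        elif action == "exit" and client in inside:
            anonymity_set = len(inside)
            pseudonym = inside.pop(client)
            records.append((time, client, pseudonym, anonymity_set, anonymity_set >= k))
    return records


def certainly_linkable(records):
    """Exits whose new pseudonym an observer can tie to exactly one client."""
    return [r[1] for r in records if r[3] == 1]


if __name__ == "__main__":
    # Constructed event trace: A, B, C enter, A leaves while three are inside, etc.
    trace = [(1, "A", "enter"), (2, "B", "enter"), (3, "C", "enter"), (4, "A", "exit"),
             (5, "B", "exit"), (6, "D", "enter"), (7, "C", "exit"), (8, "D", "exit")]
    for t, c, p, n, tx in simulate_mix_zone(trace):
        print(f"t={t} {c} -> {p} anonymity set={n} transmit={tx}")
```

With k = 3 only the first exit is allowed to transmit; the last client leaves an empty zone and would be trivially linkable, which is the low-density failure mode the text notes.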
7.4.2 RFID privacy-preserving approaches
There are various proposed solutions to privacy problems caused by RFID devices, including (1) hiding and blocking and (2) rewriting and encryption [32].
In hiding and blocking, the tag is silenced through jamming the radio channel used for RFID communication and providing the reply only to readers with proper credentials. In rewriting and encryption, the access to the tag is controlled securely by using techniques such as anonymization through hash-based approaches. Using a hash-lock scheme [54], unauthorized reader access to the tag is prevented, since the tag is, by default, locked and only opened when the correct key is introduced to it. To open the tag, the reader requests the metaID (hashed ID) and tries to find the key and the ID in the back-end server. The back end sends information (key, ID) to the reader and the reader sends the key to the tag. Then, the tag hashes the key and compares it to the metaID. If there is a match, the tag is unlocked.
While preserving privacy at a certain level and having a short search time because the database is implemented by a hash table, tracking is still possible in the hash lock scheme since a fixed metaID is used (i.e., a single pseudonym). To overcome this problem, a randomized hash-lock scheme is proposed. Here, the tag output changes each time it is accessed: on every query, the tag replies with a random string R plus the hash of its ID concatenated with R, so the pseudonym differs on each access and unauthorized readers cannot track the user. Tags in this randomized scheme ensure full privacy. However, it is not scalable for a large number of tags, since a huge number of hash operations must be performed at the back-end database, which has to hash every stored ID with R to find the match. Furthermore, this protocol does not guarantee forward privacy, since the stored information in a compromised tag reveals much data about the previous communications of that tag [11]. Figure 7.6 shows how these two approaches work.
[Figure 7.6 (diagram not reproduced): (a) Database, Reader, Tag: the reader sends Query, the tag answers with metaID, the database returns (key, ID) for that metaID, and the reader sends the key to the tag. (b) The tag answers with R, h(ID_k‖R); the database returns all IDs ID1, ID2, …, IDn for the reader to search, then the key is sent to the tag.]
Figure 7.6: (a) Hash locking: a reader unlocking a hash-locked tag; (b) randomized hash locking: a reader unlocks a tag whose ID is k in the randomized hash-lock scheme. (Redrawn from S.A. Weis et al., in D. Hutter et al. [eds], Security in Pervasive Computing, Springer, Berlin, 2004.)
To overcome the forward security issue, a hash-chain scheme is proposed [44], where the basic idea is to refresh the tag identifier each time the tag is queried by a reader. The scheme can be achieved via a low-cost hash-chain mechanism. However, this scheme is also not scalable because of the exhaustive search process that must be performed by the back-end server.
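The three tag schemes discussed above (hash lock [54], randomized hash lock, and hash chain [44]), as an added simulation that is not code from the chapter or from the cited papers. It uses SHA-256 as the hash function, a second domain-separated SHA-256 as the chain's output function, and constructed tag IDs, keys and seeds; the class names and the `hash_ops` counter are illustrative. It shows in running code why a fixed metaID is linkable across queries, why the randomized scheme forces the back end into a linear scan over all registered IDs, and how the hash chain changes its output each query at the cost of a search over every tag and chain position.

```python
import hashlib
import secrets


def H(data):
    """One-way hash used by all three schemes (SHA-256 stands in for the paper's h)."""
    return hashlib.sha256(data).digest()


def G(data):
    """Second one-way function for the hash-chain output, domain-separated from H."""
    return hashlib.sha256(b"G|" + data).digest()


class HashLockTag:
    """Hash lock [54]: the tag stores metaID = H(key) and stays locked until it sees key."""

    def __init__(self, tag_id, key):
        self.tag_id, self.meta_id, self.locked = tag_id, H(key), True

    def query(self):
        return self.meta_id                     # identical every time: a single pseudonym

    def unlock(self, key):
        if H(key) == self.meta_id:
            self.locked = False
            return self.tag_id
        return None


class RandomizedHashLockTag:
    """Randomized hash lock: each query returns (R, H(ID || R)) with a fresh R."""

    def __init__(self, tag_id):
        self.tag_id = tag_id

    def query(self):
        r = secrets.token_bytes(16)
        return r, H(self.tag_id + r)


class Backend:
    """Back-end database holding (ID, key) for every registered tag."""

    def __init__(self, tags):                   # tags: {tag_id: key}
        self.by_meta = {H(key): (key, tid) for tid, key in tags.items()}
        self.ids = list(tags)
        self.hash_ops = 0

    def lookup_hash_lock(self, meta_id):
        return self.by_meta.get(meta_id)        # O(1) hash-table lookup

    def lookup_randomized(self, r, digest):
        for tid in self.ids:                    # exhaustive: one hash per registered tag
            self.hash_ops += 1
            if H(tid + r) == digest:
                return tid
        return None


class HashChainTag:
    """Hash chain [44]: output a_i = G(s_i), then s_{i+1} = H(s_i). A captured s_i does
    not reveal earlier s or a values because H is one-way (forward privacy)."""

    def __init__(self, seed):
        self.s = seed

    def query(self):
        out = G(self.s)
        self.s = H(self.s)
        return out


def hash_chain_lookup(seeds, observed, max_queries):
    """Back-end search over every tag's chain up to max_queries positions."""
    for tid, s in seeds.items():
        for _ in range(max_queries):
            if G(s) == observed:
                return tid
            s = H(s)
    return None


if __name__ == "__main__":
    # Constructed tag population for the demonstration.
    backend = Backend({b"ID-A": b"key-A", b"ID-B": b"key-B"})
    tag = HashLockTag(b"ID-A", b"key-A")
    print("hash lock metaID stable across queries:", tag.query() == tag.query())
    key, _ = backend.lookup_hash_lock(tag.query())
    print("unlocked ID:", tag.unlock(key))
    r, d = RandomizedHashLockTag(b"ID-B").query()
    print("randomized lookup:", backend.lookup_randomized(r, d), "hashes:", backend.hash_ops)
```

The `hash_ops` counter grows linearly with the number of registered tags for the randomized scheme, and the chain search multiplies that by the chain length, which is the scalability problem the text attributes to both schemes.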
[Figure 7.7 (diagram not reproduced): three access layers. Statistics, for ordinary users (e.g., average flow patterns, how many people; used by, e.g., an anonymous elevator or air-conditioning). Rerendering, for privileged users who access more information (hide identity, hide times, hide actions, hide locations; alert on event, "alert me if x shows up"). Video, for law enforcement, which accesses the video on emergency or court order via an override.]
Figure 7.7: Layered approach for accessing video surveillance information. (Redrawn from A. Senior et al., Security & Privacy, IEEE, 3(3), 2005.)
7.4.3 Video surveillance privacy-preserving approaches
Since video surveillance and associated intelligent monitoring systems provide the richest privacy information about subjects, the solutions for preserving visual privacy should be defined accordingly, preferably starting at the design phase, such as whether to choose a high- or low-resolution camera, whether or not to use encryption, and so on.
An important issue is the definition of access control for different types of users having access to video surveillance data. As depicted in Figure 7.7, a layered approach is proposed by Senior et al. [50], providing the capability to determine who can view what data under what circumstances. In this model, three different types of users have access at three different levels: ordinary users can only access statistical information about the video; privileged users can access rerendered and limited information; and finally, law enforcement agencies may have full access, including raw video and related individual identity information. Such a system should comprise video analysis, encoding/decoding, storage facilities, and basic security functions such as authentication, accounting, and encryption.
Considering the temporal aspect, visual privacy preservation mechanisms can be applied either in real time during the acquisition of the image or video, or after its acquisition. A real-time example proposed by Zhang et al. [58] uses two cameras, IR and RGB, to capture video simultaneously. The thermal IR camera is used to discriminate the face region and other parts of the human body based on the fact that human skin radiates shorter wavelengths (∼10 µm). Thermal imaging generates a mask pattern corresponding to the position of the face of the subject. A spatial light modulator (SLM) (e.g., LCD) is inserted in front of the CCD/CMOS image sensor of the RGB camera, which applies the thermal imaging mask and prevents the face of the subject being recorded (see Figure 7.8).
[Figure 7.8 (diagram not reproduced): the scene passes through a cold mirror that separates VIS and IR light; the IR sensor produces a thermal image from which a mask pattern is generated; the mask is applied by the SLM in front of the CCD, yielding the privacy-protected image.]
Figure 7.8: Concept of the anonymous camera system. (From Y. Zhang et al., Pattern Recognition (ICPR), 2014 22nd International Conference on, 2014.)
Since this implementation only protects the subject's face or open extremities, valuable privacy information can still be obtained from the clothing of the subject or the environment if prior information is available.
To preserve privacy, applicable methods can be considered in five different categories [45]: intervention, blind vision, secure processing, redaction, and data hiding.
1. Intervention methods involve prevention of visual data being captured from the environment by physically interfering with the camera devices, for instance, by creating excessive illumination.
2. Blind vision implementation consists of image or video processing in an anonymous way using cryptographic techniques, such as secure multiparty computation (SMC), where a contributing party uses the algorithm of another party without knowing its details.
3. Secure processing methods involve video processing techniques other than SMC to preserve privacy.
4. Redaction methods, with many subcategories, such as image filtering, encryption, k-same family, object/people removal, and visual abstraction, are the most common preservation methods, of which we will provide some examples in the following paragraphs.
5. Data hiding methods are based on hiding the original image data inside a cover message which can be used for retrieval if needed in the future.
In image filtering, a Gaussian blur or Gaussian smoothing filter is applied to modify each pixel in the image by using neighboring pixels. As an example, an image is divided into 8×8 pixel blocks and the average color of the pixels in that block is calculated. The result is then used as the new color for all the pixels in that block.
Encryption of video and images uses either traditional encryption, like DES, AES, and RSA, which is generally slow for real time, or lightweight encryption, which is faster but less secure. Encryption techniques help to scramble the region of interest by pseudorandomly flipping bits. They can be used for the compressed video/image (code-stream) domain, the spatial domain, and the frequency domain [9, 15].
In face deidentification techniques, the goal is to alter the face region so that face recognition systems will be unable to recognize it. One of the most robust methods, the k-same family algorithm, which is an implementation of the k-anonymity concept, computes the average of k images in a set and replaces the cluster with the average image obtained (see Figure 7.9) [41]. On the other hand, object/people removal is performed by removing a private object or people from the original image. The issue here is how to refill the void area after removal, and the solution relies on using inpainting methods to restore the damaged portion. While still image inpainting is easier, since it should take care of spatial consistencies only, video inpainting has to deal with both spatial and temporal consistencies [24]. Finally, the goal of visual abstraction/object replacement is to protect privacy while maintaining the object activity, including position, pose, and orientation. For this purpose, image filtering and deidentification techniques can be used [13].
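Three of the redaction methods above, as an added example that is not code from the chapter or from the cited papers: the block-averaging filter described in the image filtering paragraph (8×8 blocks, each replaced by its average), a mask-based blanking in the spirit of the anonymous camera's SLM mask, and a greedy k-same style averaging over a set of face vectors [41] followed by a k-anonymity check. Images are plain lists of grayscale rows and faces are flat pixel vectors so the code runs without image libraries; the grouping strategy in `k_same` (nearest neighbours of the first unprocessed face, absorbing a remainder smaller than k into the last group) is a simplification assumed for illustration, not the published algorithm's exact clustering.

```python
def pixelate(img, block=8):
    """Replace every block×block region with its integer-average intensity.
    img is a list of rows of grayscale values; the default matches the 8×8 example."""
    h, w = len(img), len(img[0])
    out = [row[:] for row in img]
    for y0 in range(0, h, block):
        for x0 in range(0, w, block):
            ys = range(y0, min(y0 + block, h))
            xs = range(x0, min(x0 + block, w))
            cells = [img[y][x] for y in ys for x in xs]
            avg = sum(cells) // len(cells)
            for y in ys:
                for x in xs:
                    out[y][x] = avg
    return out


def apply_mask(img, mask, fill=0):
    """Blank every pixel flagged in mask (the role of the SLM mask in the anonymous camera)."""
    return [[fill if mask[y][x] else img[y][x] for x in range(len(img[0]))]
            for y in range(len(img))]


def _sq_dist(a, b):
    return sum((p - q) ** 2 for p, q in zip(a, b))


def k_same(faces, k):
    """Greedy k-same style deidentification over flat face vectors: group the first
    unprocessed face with its k-1 nearest unprocessed neighbours and replace the whole
    group by its average image. If fewer than 2k faces remain, they all form one group,
    so every output image is shared by at least k inputs (k-anonymity)."""
    remaining = list(range(len(faces)))
    out = [None] * len(faces)
    while remaining:
        seed = remaining[0]
        by_dist = sorted(remaining, key=lambda i: _sq_dist(faces[seed], faces[i]))
        group = by_dist if len(remaining) < 2 * k else by_dist[:k]
        avg = [sum(faces[i][p] for i in group) / len(group) for p in range(len(faces[seed]))]
        for i in group:
            out[i] = avg
            remaining.remove(i)
    return out


def is_k_anonymous(outputs, k):
    """True if every distinct output image occurs at least k times."""
    counts = {}
    for o in outputs:
        counts[tuple(o)] = counts.get(tuple(o), 0) + 1
    return all(c >= k for c in counts.values())


if __name__ == "__main__":
    # Constructed 4×4 grayscale frame and a mask covering its top-left quadrant.
    frame = [[0, 2, 10, 10], [4, 2, 10, 10], [1, 1, 5, 7], [1, 1, 6, 6]]
    face_mask = [[1, 1, 0, 0], [1, 1, 0, 0], [0, 0, 0, 0], [0, 0, 0, 0]]
    print("pixelated:", pixelate(frame, block=2))
    print("masked:", apply_mask(frame, face_mask))
    faces = [[0, 0], [1, 1], [10, 10], [11, 11], [12, 12]]   # constructed 2-pixel "faces"
    deid = k_same(faces, k=2)
    print("k-same:", deid, "k-anonymous:", is_k_anonymous(deid, 2))
```

The averaging in `pixelate` discards detail uniformly, whereas `k_same` preserves what the k grouped faces have in common, which is why the text lists the k-same family among the more robust deidentification methods.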