Conflicting Issues: Security and Privacy
By Wendy M. Grossman, Mon Aug 27, 2001

The service wants you to authenticate yourself, but you want them not to necessarily know who you are.

If someone asked you if you wanted to carry around a device that would let anyone who happened to be interested - the government, say, or a large number of corporations who wanted to sell you things - track your every move and association, you would probably say no. Yet this is in fact one of the possible consequences of the plan to offer location-based services via the mobile phone, especially given laws such as the US's E911 initiative.

To see how powerful the monitoring inherent in such a world would be, Alberto Escudero Pascual set up a network to test the consequences of such a world at the Royal Institute of Technology in Sweden, where he is a PhD researcher. By correlating the position information of the devices carried by the network's 400 users for a month, he says he found it easy to see which users were friends. "You don't need to know the names. You know how much time they spend together in the same radio cell, and you can see when they move from one cell to another."

In fact, much of this information is available to network operators now, simply because they have to know where your phone is in order to be able to connect your call and keep it seamlessly connected while you move between cells.

But there is a big difference in precision between today's triangulating software and the best areas covered by GPS, which can spot your location to a great degree of accuracy, and which is being talked about as one option for the future of the mobile world. (It's not the only one. Arguing that GPS will be too expensive to build into mobile handsets, UK-based Cambridge Positioning Systems uses techniques developed for radio astronomy to provide 50-meter accuracy with GSM phones, expecting to deliver greater accuracy with 3G systems.)

Location-based services

Location-based services are one of the chief ways that network operators hope to make back some of the huge sums of money they've spent on 3G licenses. A research report released in May by Forrester suggests that at least some such services will be popular with users. Of the top ten services 8,000 mobile phone users in Germany and France said they would be most interested in, seven depended on or could be enhanced by location information. These included traffic information, walking or driving directions, and weather reports.

In fact, a couple of the most wanted services that Forrester put in the location-irrelevant category could also be enhanced by location information, notably online games (some ideas for competitive location-enhanced games are already being developed), ticket purchases, and product research.

One set of protections against the monitoring scenario comes from Openwave, the manufacturer of the most widely used WAP software. According to Nigel Oakley, the company's EMEA marketing director, its back-end software includes a feature that allows the subscriber to choose whether location information will be given out, even to the point of selecting which application provider is allowed to have it.

"The operators are very keen on this," he says when asked about the likelihood that such a scheme will be widely adopted. And given Europe's data protection laws and the sensitivity of location information, it seems likely that it will be necessary.

The report of the joint meeting of WAP Forum and the World Wide Web Consortium last November makes precisely these points and says bluntly that privacy should be seen as a business opportunity, noting that laws and technology will have to work together if privacy is to be protected.

Mobile IP

This is precisely what a group of researchers from such diverse affiliations as NEC's research lab in Heidelberg, Ericsson, Nokia, Siemens, Lucent, and the University of Karlsruhe are trying to figure out how to do. Where today's location information is known only to network operators and their partners, Mobile IP, the protocol for connecting mobile devices of all types to the Internet, adds many of the risks familiar from today's Internet.

Standard Internet connections proceed on the assumption that Internet numbers relate to fixed network locations - even if your computer is assigned a different Internet number by your ISP every time you dial in, the number itself always belongs to your ISP, and the routers know this and direct traffic accordingly. A moving device switching between cells of connectivity of necessity changes its IP address.

Mobile IP solves this problem by assigning the device two IP numbers, one that represents its fixed home address, and the other a "care-of" address that changes as the device moves around. Even with the enhanced security built into IPv6 (the latest version of the Internet protocols, which is rolling out achingly slowly), header information including these addresses is forwarded in plain text for every packet of data as part of the Internet's routing system. The data itself may be encrypted to protect it from unauthorized access, but the ability to perform traffic analysis and accurately diagram the personal or business relationships of the correspondents is just as possible given the header information as it was in Pascual's demonstration network.
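What the plain-text headers expose can be shown on constructed packets. The following is an added example, not code from the article or from the researchers it describes. It assumes the Home Address destination option of the Mobile IPv6 specification (a detail the article does not spell out) and uses made-up addresses from the 2001:db8::/32 documentation range.

```python
import ipaddress
import struct

DEST_OPTS, ESP, HOME_ADDR_OPT = 60, 50, 201  # IPv6 next-header / option codes

def build_packet(care_of, home, peer, ciphertext):
    """Constructed sample packet: mobile node -> peer, encrypted payload."""
    pack = lambda a: ipaddress.IPv6Address(a).packed
    # Dest. Options header: next=ESP, len=2 (24 bytes), PadN(2), Home Address.
    ext = bytes([ESP, 2, 1, 2, 0, 0, HOME_ADDR_OPT, 16]) + pack(home)
    body = ext + ciphertext
    fixed = struct.pack("!IHBB", 6 << 28, len(body), DEST_OPTS, 64)
    return fixed + pack(care_of) + pack(peer) + body

def observe(packet):
    """Fields any on-path router can read without holding a key."""
    next_hdr = packet[6]
    seen = {"care_of": ipaddress.IPv6Address(packet[8:24]),
            "peer": ipaddress.IPv6Address(packet[24:40]), "home": None}
    if next_hdr != DEST_OPTS:
        return seen
    i, end = 42, 40 + (packet[41] + 1) * 8
    while i < end:
        if packet[i] == 0:            # Pad1 option is a single byte
            i += 1
            continue
        size = packet[i + 1]
        if packet[i] == HOME_ADDR_OPT and size == 16:
            seen["home"] = ipaddress.IPv6Address(packet[i + 2:i + 18])
        i += 2 + size
    return seen

def link_movements(packets):
    """Group visited /64 networks and peers under each stable home address."""
    trail = {}
    for fields in map(observe, packets):
        entry = trail.setdefault(fields["home"], {"networks": [], "peers": set()})
        net = ipaddress.ip_network(f"{fields['care_of']}/64", strict=False)
        if net not in entry["networks"]:
            entry["networks"].append(net)
        entry["peers"].add(fields["peer"])
    return trail

# Constructed capture: the same device seen from two visited networks.
SAMPLE = [
    build_packet("2001:db8:a::10", "2001:db8:1::99", "2001:db8:f::1", b"\x8f" * 16),
    build_packet("2001:db8:b::10", "2001:db8:1::99", "2001:db8:f::1", b"\x3c" * 16),
]
```

Although both payloads are opaque, `link_movements(SAMPLE)` ties the two care-of networks and the correspondent to one home address, which is the linkage a location-privacy scheme for Mobile IP has to break.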

NEC research staff member Dirk Westhoff says the three-year research project has a tough task ahead of it. "You have to ask first what trust model you want to assume. Do we want to hide the communication relationship and location against a third party, including the provider, or also against the current communications partner? The more attackers we assume, the stronger the protection scheme has to be."

Also, unlike the flat-rate, all-you-can-eat Internet world, the mobile world is a culture where every minute you talk on the phone is billable.

The solution?

Authentication, authorization, and accounting: the three requirements of any system that eventually gets developed. The problem, as Westhoff's colleague Amardeo Sarma says, is that privacy and security needs often conflict.

Network operators need to know who users are for billing purposes, and to ensure that they are using only the services they're entitled to. Users may not mind being known to their local operator, but they may not want to be known to the foreign operator whose node they've roamed to - and may not need to be known to the foreign operator for billing back to the home node to take place.

In addition, the person who uses the phone is often not the person who pays the bills: should your employer have the right to the location data to track your movements?

The difficulty of the researchers' task is exacerbated by the fact that unlike the Internet world, where everyone uses the same protocols, in the mobile world everyone does things differently. "You have to guarantee security associations between entities that do not come from the same provider. So, for example, if you want to use a mobile node to access a foreign-administered domain and you want to guarantee that no one can spy out information over the wireless link, first you have to generate a secure association. That's just possible if you have agreed on some keys."

Keys means cryptographic keys, and whether or not these are agreed in advance (in public-key cryptography, which is most commonly used on the Net for things like SSL, which protects ecommerce transactions in progress), you immediately raise the problem of how to manage all the keys that would be needed.

The common answer is to create a public-key infrastructure, but, says Westhoff, "PKI for all mobile phones won't work. We have to find other solutions, and look at what kind of features an authentication scheme has to guarantee, and create a security infrastructure from that."

So, the goal is to create a scalable approach for anonymous connections that doesn't degrade network performance (because in the mobile world everything must happen immediately), that can cope with different trust models, and that integrates location privacy into Mobile IP(v6). Stay tuned.

Wendy M. Grossman is a freelance writer based in London, and author of net.wars. Her new book, From Anarchy to Power: The Net Comes of Age is out.