A Dynamic Privacy Manager for Compliance in Pervasive Computing

Riccardo Bonazzi (University of Lausanne, Switzerland), Zhan Liu (University of Lausanne, Switzerland), Simon Ganière (Deloitte SA, Switzerland) and Yves Pigneur (University of Lausanne, Switzerland)
Copyright: © 2013 | Pages: 23
DOI: 10.4018/978-1-4666-2455-9.ch041

Abstract

In this chapter we propose a decision support system for privacy management of context-aware technologies, which requires the alignment of four dimensions: business, regulation, technology, and user behavior. We have developed a middleware model able to achieve compliance with privacy policies within a dynamic and context-aware risk management situation. We illustrate our model in more details by means of a small prototype that we developed, and we present the current outcomes of its implementation to derive some pointers for the direction of future investigation.

Chapter Preview

Introduction

Privacy is generally referred to as “a state in which one is not observed or disturbed by others” (Oxford Dictionary, 2010), and privacy management for pervasive technologies can be treated as an information security issue. Security experts have argued that information security should result from the alignment of the technical, business, and regulatory dimensions (Anderson, 2001), and have suggested an information risk management approach that lets the user reach the best security level for the threats in the environment (Blakley et al., 2001). Therefore one should first look at how to manage the risk that privacy is not assured, before looking at how to achieve privacy from a technical point of view.

Contingency theory is a class of behavioral theory that claims that the optimal course of action is contingent upon both the internal and external situations. This theory postulates that the impacts of environmental factors are systemic rather than entirely situational. That fits the case of mobile payment services, which differ between markets in ways linked to each market's particular systems: for instance, there are differences in payment technology infrastructure, regulation, laws, or habits. Therefore contingency theory can be used as a reference framework to assess the literature on mobile payment published in information systems, electronic commerce, and mobile commerce journals and conference proceedings (Dahlberg et al., 2007). It appears that one contingency factor (Changes in Technological Environment) has been studied intensively, two contingency factors (Changes in Commerce Environment and Changes in Legal, Regulatory, and Standardization Environment) have been addressed by no more than twenty articles, whereas one contingency factor (Changes in Social/Cultural Environment) was not treated in any article.

Literature on privacy risk management can be assessed using the three contingency factors suggested by Anderson (2001): technology, business, and legal. To address the gap underlined by Dahlberg et al. (2007), we add a fourth dimension: the user's perception of the environment.

Awareness of Changes in the Technology Environment

Technology awareness concerns the understanding of the technological options for privacy management that are offered to the user at a particular moment in time. The link between pervasive computing and users' privacy risk has been addressed by many researchers, mostly in the field of location privacy. In his literature review of computational location privacy, Krumm (2009) claims that “location data can be used to infer much about a person, even without a name attached to the data” (p. 4). Most applications focus on controlling access to and use of the user's data, or they propose security algorithms that protect or obfuscate the communication of data between two users. Krumm (2009) lists a set of solutions for computational location privacy. For example, “blurring” is a security algorithm that ensures a certain degree of location privacy by releasing inaccurate, or at least less accurate, location information, in order to obfuscate the user's communication. Another mechanism is “access control”, which ensures that sensitive data is accessed only by authorized people, in order to protect the user's information privacy.
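As an added illustration (not the chapter's prototype or Krumm's code) of the two mechanisms just described, the following Python combines grid-based blurring with a role-based access check; the roles, the policy and the sample coordinates are constructed for the example.

```python
import math
from dataclasses import dataclass
from typing import Optional

KM_PER_DEG_LAT = 111.32  # approximate length of one degree of latitude, in km

@dataclass(frozen=True)
class Location:
    lat: float
    lon: float

def blur_location(loc: Location, cell_km: float) -> Location:
    """Snap a coordinate to the centre of its cell on a cell_km x cell_km grid.
    Every point in a cell maps to the same centre, so the consumer learns only
    the cell, never the exact position. cell_km <= 0 means no blurring."""
    if cell_km <= 0:
        return loc
    lat_step = cell_km / KM_PER_DEG_LAT
    # a degree of longitude shrinks with latitude, so scale by cos(lat)
    lon_step = cell_km / (KM_PER_DEG_LAT * math.cos(math.radians(loc.lat)))
    lat = math.floor(loc.lat / lat_step) * lat_step + lat_step / 2
    lon = math.floor(loc.lon / lon_step) * lon_step + lon_step / 2
    return Location(round(lat, 6), round(lon, 6))

def distance_km(a: Location, b: Location) -> float:
    """Great-circle distance (haversine); used to check how much blurring hides."""
    r = 6371.0
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi, dlam = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))

# Constructed policy (hypothetical roles): the grid size each requester role
# may see. A role absent from the policy is denied outright (access control);
# a present role receives the location blurred to that grid size.
POLICY = {
    "emergency_service": 0.0,  # exact position
    "friend": 1.0,             # 1 km cell
    "advertiser": 10.0,        # 10 km cell
}

def request_location(loc: Location, role: str, policy=POLICY) -> Optional[Location]:
    """Return the location as the requester is allowed to see it, or None if denied."""
    cell = policy.get(role)
    if cell is None:
        return None
    return blur_location(loc, cell)
```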

Middleware development has been adapting to evolving technology, and in this sense we mention a solution that deals with conflicting privacy policies (Capra et al., 2003) and another solution that uses an extended version of a privacy policy language that takes into consideration the time dimension (Hong et al., 2005).

In this paper we present the design of decision-support software for privacy risk management in pervasive technologies, with a particular interest in context-aware applications as described by Schilit et al. (1994) and Chen and Kotz (2000). We aim at increasing the user's acceptance of the privacy management system. The theoretical foundation is the technology acceptance model proposed by Davis (1989), which holds that a user's behavioral intention to adopt a system depends on the perceived usefulness and ease of use. Thus a context-aware privacy management system should protect the user's data and, at the same time, reduce the number of actions requested of the user.
