Rayman Preet Singh, Benjamin Cassell , S. Keshav, Tim Brecht.
Networked sensors and actuators are increasingly permeating our computing devices, and provide a variety of functions for Internet of Things (IoT) devices and applications. However, this sensor data can also be used by applications to extract private information about users. Applications and users are thus in a tussle over access to private data. Tussles occur in operating systems when stakeholders with competing interests try to access shared resources such as sensor data, CPU time, or network bandwidth. Unfortunately, existing operating systems lack a principled approach for identifying, tracking, and resolving such tussles. Moreover, users typically have little control over how tussles are resolved. Controls for sensor data tussles, for example, often fail to address trade-offs between functionality and privacy. Therefore, we propose a framework to explicitly recognize and manage tussles. Using sensor data as an example resource, we investigate the design of mechanisms for detecting and resolving privacy tussles in a cyber-physical system, enabling privacy and functionality to be negotiated between users and applications. In doing so, we identify shortcomings of existing research and present directions for future work.
Public review by Dave Choffnes
Ubiquitous Internet connectivity and sensing is quickly becoming reality. Many of us welcome this new world and its myriad applications ranging from entertainment and communication to health and education. On the other hand, this new functionality comes with an often invisible and thorny cost: exposure of private information. Historically, operating systems have focused on enabling functionality, with privacy controls being blunt, bolt-on features, if present at all. The Yelp app, for example, will use GPS coordinates to identify local businesses, but there is no easy way for the user to negotiate the use of coarser-grained location data for potentially less customized results but without the privacy cost.
In this paper, the authors propose using tussles as a way to manage the trade-offs between functionality and privacy settings that restrict it, and to provide this service at the operating system layer. Specifically, the paper identifies high-level abstractions to specify privacy and functionality requirements, techniques to resolve competing requirements, and mechanism to enforce the resolved behavior. Instead of focusing on any specific solution, the authors survey application functionality and user privacy requirements, and suggest how they might be addressed. Rather than offering a solution to the problem, this work serves as a starting point for a conversation about how to improve OS-level support for privacy.
The reviewers agreed that the authors identified an important problem and proposed an interesting potential direction for addressing it. The case studies in the paper provide supporting evidence that the approach is viable. There were concerns that the paper raises more questions than it answers (which is typical for a position paper) and that privacy negotiations have been proposed in previous work (impacting novelty). Despite these issues, the reviewers agreed that TussleOS is an interesting topic for future work.