In Things We Trust? Towards trustability in the Internet of Things
Jaap-Henk Hoepman
May 31, 2018
This research is supported by the research program Sentinels as project ‘Identity Management on Mobile Devices’ (10522). Sentinels is being financed by Technology Foundation STW, the Netherlands Organization for Scientific Research (NWO), and the Dutch Ministry of Economic Affairs.

Jaap-Henk Hoepman: TNO, and Institute for Computing and Information Sciences (ICIS), Radboud University Nijmegen.

The Internet of Things is nothing new. First introduced as Ubiquitous Computing by Mark Weiser [49] around 1990, the basic concept of the “disappearing computer” has been studied as Ambient Intelligence or Pervasive Computing in the decades that followed. Today we witness the first large scale applications of these ideas. We see RFID technology being used in logistics, shopping, public transport and the like. The use of smart phones is soaring. Many of them are able to determine their location using GPS (Global Positioning System). Some phones already have NFC (Near Field Communication) capabilities, allowing them to communicate with objects tagged with RFID directly. Combined with social networking (like Facebook or Twitter), this gives rise to advanced location based services, and augmented reality applications. In fact social networks interconnecting things as well as humans have already emerged. Examples are Pachube (https://pachube.com/), a web-based service built to manage the world’s real-time data, and Flukso, a web-based community metering application.

As the full ramifications of the Internet of Things start to unfold, this confluence of cyberspace and physical space is posing interesting new and fundamental research challenges. In particular, as we will argue in this essay, it has a huge impact in the area of security, privacy and trustability. As Bruce Schneier puts it in a recent issue of CryptoGram [38] (while discussing IT in general):

“[...]
it’s not under your control, it’s doing things without your knowledge and consent, and it’s not necessarily acting in your best interests.”

The question then is how to ensure that, despite these adverse conditions, the Internet of Things is a safe, open, supportive and in general pleasant environment for people to engage with, or in fact for people to live in.

This essay is structured as follows. We define the Internet of Things in section 2, and describe the main privacy, security and trustability issues associated with it in section 3. Solutions to these problems will have to deal with certain constraints, as explained in section 4. Section 5 discusses classical solutions based on data minimisation techniques, while section 6 discusses more recent alternative approaches. We conclude with an extensive overview of research challenges in section 7.

What exactly is the Internet of Things? Many definitions can be given. At a basic level the Internet of Things is a dynamic global network infrastructure with self configuring capabilities where physical and virtual “things” have identities, physical attributes, and virtual personalities. They use intelligent interfaces, and are seamlessly integrated into the information network [43]. Such “things” could be a pair of jeans (with an RFID tag attached), a light switch, a light bulb, a fridge, a washing machine, or any other sensor or actuator: the list of things is basically endless. All these things become first class members of the Internet, sharing their data with the world, and using the world’s data for their own purposes.

Far more interesting are the envisioned applications of the Internet of Things to realise the Ambient Intelligence (AmI) concept. This concept

. . . provides a vision of the Information Society future where the emphasis is on user friendliness, efficient and distributed services support, user-empowerment, and support for human interactions.
People are surrounded by intelligent intuitive interfaces that are embedded in all kinds of objects and an environment that is capable of recognising and responding to the presence of different individuals in a seamless, unobtrusive and often invisible way. [16]

In an ambient intelligence world created using the Internet of Things, devices work in concert to support people in carrying out their everyday life activities, tasks and rituals in easy, natural ways using information and intelligence that is hidden in the network connecting these devices [1,23,20].

Applications of Ambient Intelligence have been proposed in a wide variety of areas, like housing (home automation, smart washing machines), smart cities (sustainability and energy conservation), mobility (traffic management systems, congestion control, support for multi-modal transport, public transport ticketing), commerce (inventory management, marketing and advertising, store personalisation), education (digital libraries, digital museums), and health (self-treatment, long-distance monitoring) [16] to name but a few examples.

The Internet of Things may change the way we perceive the world completely. For one thing, the world around us will start to perceive us as well [18]. The book you read may ‘read’ you as well. How will that influence our relationship with the things around us? How will that influence our own self image?

2.1 Properties of the IoT

A pervasive system like the Internet of Things is characterised by the following system properties.
Invisible by design
A pervasive system pervades the human environment, but resides in the periphery of our attention. Pervasive devices are not explicitly there; they do not take up space on your desk, but are often integrated into other common objects like windows, doors or walls. They may not have a direct user interface, and may have limited computing, storage and power resources.
Networked
Devices are interconnected by a seamless communication infrastructure, which is dynamic and massively distributed.
Many-to-many
Devices do not have a 1-to-1 relationship with a user. Where a laptop and a mobile phone are personal devices used by one user, pervasive devices are not restricted to one person as a user. One person can use many pervasive devices, and one pervasive device can be used by many persons.
Always on
Devices are always active; it is not necessary to first actively switch them on before any interaction can be had with the system.
Distributed
The computing intelligence and effort of a pervasive system is not restricted to one device but is the combined computing effort of multiple devices. Pervasive systems are comprised of widely heterogeneous devices, and show emergent behaviour.
Context-aware
Pervasive systems have some knowledge of their context. They may, for example, be aware of other pervasive devices in their vicinity, or they may be able to measure location or temperature.
Adaptive/spontaneous/autonomic
The information retrieved from sensors is used by a pervasive system to adapt its behaviour. This adaptation is spontaneous, meaning that it is not triggered by a user pushing a button, but by more implicit actions of somebody, like for example entering a room.
Natural human interface
A pervasive system has an intuitive human computer interface. People should not need to think about how to interact with the system, as this should be natural, e.g. through speech, touch or movement.

With this understanding of the Internet of Things and its properties, we are ready to discuss the potential problems with the Internet of Things, and possible approaches to mitigate these problems.
The vision of the Internet of Things outlined above is certainly an attractive one. However, the very same components used to build this vision can also be used to create a totally different future. To prevent this vision from becoming our worst nightmare, basic guarantees have to be implemented that will protect our privacy and will maintain security. This will not happen without considerable effort, for the current trend in IT is detrimental to security and privacy. As Schneier puts it [38]: “the boundary between inside and outside disappears (deperimeterization), data is increasingly stored and treated in the cloud (decentralization), general purpose computer is replaced by special purpose devices (deconcentration), and smart software and devices will increasingly do things on our behalf (depersonization)”. We will describe the main privacy, security and trustability issues below.

3.1 Privacy

In a world of sensors and actuators that surround us and support us in our day to day activities, privacy is obviously a big concern.

Privacy — sometimes loosely defined as the ‘right to be let alone’ [45] — is considered a fundamental human right in many societies. It is “essential for freedom, democracy, psychological well-being, individuality and creativity” [39]. Privacy has many dimensions (corporeal, relational, etc.), but for the purpose of this essay we focus on the data protection aspect of it. We wish to stress that data protection is not the same as keeping personal information confidential. Data protection laws and regulations are much broader. They determine the conditions under which businesses and governments are allowed to collect, process and use personal information (proportionality and subsidiarity). They empower citizens to determine how personal data about them is used even after it is collected by third parties.
They allow them to be informed about the use of their personal information, and give them the right to correct personal information about themselves.

As a consequence, privacy protection in the Internet of Things [17,25] involves much more than data minimisation techniques like using pseudonyms and preventing data collection through proper access control. In fact, the vision of an Internet of Things that intelligently supports us in our day to day activities needs to collect large amounts of personal information... The challenge is to accommodate this need for personal data, while maintaining privacy guarantees.

3.2 Security

Serious integrity, authenticity, and availability concerns arise too in the Internet of Things.

Consider the use of RFID tags in supply chain management as an example. If the logistics of a company critically depends on the correct bookkeeping of items in stock through RFID tags, then inserting fake or wrong tags in the system can do serious damage. Radio interference or outright radio jamming may make inventory scanning impossible or highly inaccurate. Swapping tags on items in stock may allow customers to defraud store owners. Recent research even indicates that (fake) RFID tags can be used to spread computer viruses [35].

When the Internet of Things expands to other application areas, like health care, smart grids, and the like, the Internet of Things itself becomes a critical infrastructure. This is especially the case when the nodes are not merely sensors but also actuators, whose actions control critical components. This imposes strong security requirements: not so much regarding confidentiality (although this is a concern with respect to industrial espionage related to supply chain information), but more so regarding integrity, authenticity, and availability of the Internet of Things [25].

The issue also needs to be addressed at the management level. Who is in charge? And when something goes wrong, who is responsible?
[16] These questions are not so easily answered in a pervasive system like the Internet of Things where a single ‘point of authority’ is lacking.

3.3 Trustability

An even more principal issue, that partly underlies the security and privacy problems associated with the Internet of Things, is that of trust, or rather, trustability. In sociology, trust is defined as follows [21]:

When an actor trusts another actor, she is willing to assume an open and vulnerable position. She expects the other to refrain from opportunistic behaviour even if there is the possibility to show this behaviour.

Often designers of ICT infrastructure assume (or rather impose) the need to trust the infrastructure by its users, because adequate privacy measures are missing, proper security is not guaranteed, and risks are not mitigated in any other way. A paradigm shift is needed away from this paternalistic ‘trust us’ implementation of the ICT infrastructure that surrounds us, to a more user-centric ‘trustability’ approach where the infrastructure allows the user to build up trust using personal tools and other means. We propose the following definition.

A system is trustable if the risk of using the system for a particular purpose can be reliably estimated by the user using third party tools under her own control, and/or using third party data of her own choosing.

It is an interesting question how techniques from identity management (and solutions to its associated problems [2]), and the trusted computing paradigm [30] can be re-applied in this new context.
The previous section has argued that strong privacy and security guarantees have to be built into the Internet of Things, in order to prevent disruptions in the scenarios outlined above. However, implementing these guarantees should not interfere with the realisation of the Internet of Things itself. This makes developing such guarantees an interesting research challenge, on which this essay will expound further. We note that the recommendation of the European Commission of May 2009 [14] to kill RFID tags at the point-of-sale is too disruptive in that respect: it strongly protects the privacy of the citizen, but makes it much harder to use RFID tags beyond the point-of-sale for all kinds of benevolent applications.

Classical security countermeasures and privacy enhancements do not apply to RFID due to their pervasiveness and limited computing power. Low cost RFID tags do not have the resources to perform any but the most primitive cryptographic operations, and their sheer number poses scalability problems. Similarly, new models, policies and assessment methodologies need to be developed: the linking of physical objects with the networked world through RFID, and the new possibilities for profiling, pose new security and privacy threats that are not captured by the current state of the art. Solutions are further constrained by the properties of a pervasive system listed in section 2.1.
Most research so far has focused on techniques to minimise data collection, by implementing certain forms of authentication and access control while respecting the resource constraints inherent to RFID based systems. We briefly review the state of the art in this area.

Early proposals use relabelling of tag identifiers [37], or re-encryption techniques [26,5,19] that randomly encrypt the identifier from time to time, so that it can only be recovered by authorised readers, while being untraceable for others.

Another approach is to implement some form of authentication between tag and reader, and to allow only authorised readers to retrieve the tag identifier. In a public key setting this would be easy, but RFID tags are generally considered to be too resource poor to accommodate that. Therefore, several identification and authentication protocols using hash functions or symmetric key cryptography have been proposed [48,13]. In particular, Ohkubo, Suzuki, and Kinoshita [34] present a technique for achieving forward privacy in tags. This property means that if an attacker compromises a tag, i.e., learns its current state and its key, she is nonetheless unable to identify the previous outputs of the same tag. In their protocol, a tag has a unique identifier id_i, that is changed every time the tag is queried by a reader. In fact, when queried for the i-th time, the tag responds with g(id_i) to the reader, and sets id_{i+1} = h(id_i) immediately after that. In both cases, if all readers are online, connected with one central database, the readers can be synchronised and the response of a tag can be looked up immediately in the database. If not, or if synchronisation errors occur, a search over all possible (initial) identifiers (expanding hash chains) is necessary.

In a symmetric key setting the reader cannot know the identifier of the tag a priori, or obtain the identifier of the tag at the start of the protocol because of privacy concerns.
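The hash-chain scheme of Ohkubo, Suzuki and Kinoshita described above, as an added example (constructed here; not code from the essay or from [34]): a tag answers g(id_i) and advances to h(id_i); the back end first tries the synchronised lookup on a precomputed expected value, then falls back to expanding each tag's hash chain from its initial identifier when readers are out of sync, and a small check shows why a captured state does not link earlier outputs. The tag and function names, SHA-256 with a prefix standing in for g and h, and the bound on chain expansion are assumptions.

```python
"""Toy model of the Ohkubo-Suzuki-Kinoshita hash-chain identification scheme.

Constructed example, not the essay's or the authors' code.  The tag keeps a
secret chain state id_i, answers the i-th query with g(id_i) and at once
advances to id_{i+1} = h(id_i).  The back-end database first tries a direct
lookup on the precomputed expected value (synchronised readers) and falls
back to expanding every tag's hash chain from id_0 (desynchronised readers).
"""
import hashlib
import os
from typing import Dict, Optional, Tuple

# Assumption: SHA-256 with a domain-separation prefix stands in for the two
# independent one-way functions g and h of the scheme.


def h(state: bytes) -> bytes:
    """State-update function: id_{i+1} = h(id_i)."""
    return hashlib.sha256(b"h|" + state).digest()


def g(state: bytes) -> bytes:
    """Output function: the tag reveals g(id_i), never id_i itself."""
    return hashlib.sha256(b"g|" + state).digest()


class Tag:
    """An RFID tag holding nothing but its current chain state."""

    def __init__(self, initial_id: bytes) -> None:
        self.state = initial_id

    def respond(self) -> bytes:
        out = g(self.state)
        self.state = h(self.state)  # advance immediately after answering
        return out


class BackEnd:
    """Central database shared by all online readers."""

    def __init__(self, initial_ids: Dict[str, bytes], max_chain: int = 1000) -> None:
        self.max_chain = max_chain                 # bound on chain expansion
        self.initial = dict(initial_ids)           # name -> id_0, for chain search
        self.shadow = dict(initial_ids)            # name -> expected current id_i
        # Precomputed g(id_i) for every tag: the "immediate lookup" of the essay.
        self.expected = {g(s): n for n, s in initial_ids.items()}

    def _resync(self, name: str, state: bytes) -> None:
        """Replace the shadow copy of a tag and its precomputed expected value."""
        self.expected.pop(g(self.shadow[name]), None)
        self.shadow[name] = state
        self.expected[g(state)] = name

    def identify(self, response: bytes) -> Tuple[Optional[str], str]:
        """Map a tag response to (tag name or None, method used)."""
        name = self.expected.get(response)
        if name is not None:                       # synchronised: O(1) lookup
            self._resync(name, h(self.shadow[name]))
            return name, "lookup"
        # Desynchronised (offline readers, lost queries): walk each chain.
        for cand, state in self.initial.items():
            for _ in range(self.max_chain):
                if g(state) == response:
                    self._resync(cand, h(state))   # tag has already advanced
                    return cand, "chain-search"
                state = h(state)
        return None, "unknown"


def reachable_forward(compromised_state: bytes, output: bytes, steps: int) -> bool:
    """Forward privacy check: from a captured state id_k an attacker can only
    walk the chain forwards, so outputs g(id_j) with j < k stay unlinkable."""
    state = compromised_state
    for _ in range(steps):
        if g(state) == output:
            return True
        state = h(state)
    return False


def demo() -> Dict[str, Tuple[Optional[str], str]]:
    """Constructed scenario: one synchronised query, then a tag that was
    queried twice by an offline reader before the back end saw it again."""
    ids = {"tag-A": os.urandom(16), "tag-B": os.urandom(16)}  # constructed id_0s
    db = BackEnd(ids)
    a, b = Tag(ids["tag-A"]), Tag(ids["tag-B"])
    sync = db.identify(a.respond())        # ('tag-A', 'lookup')
    b.respond(); b.respond()               # two queries the database never saw
    desync = db.identify(b.respond())      # ('tag-B', 'chain-search')
    resync = db.identify(b.respond())      # ('tag-B', 'lookup') once more
    bogus = db.identify(os.urandom(32))    # (None, 'unknown')
    return {"sync": sync, "desync": desync, "resync": resync, "bogus": bogus}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:7s} -> {result}")
```

The chain-search fallback is linear in the number of tags times the chain bound, which is the scalability cost the essay refers to when readers cannot stay synchronised.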
One can give all readers and tags the same symmetric key, but this has the obvious drawback that once the key of one tag is stolen, the whole system is corrupted. To increase security, tags can be given separate keys, but then the reader must search the right key to use for a particular tag. The core challenge is therefore to provide, possibly efficient, trade offs and solutions for key search and key management. Molnar and Wagner [32] (see also [12]) propose to arrange keys in a tree structure, where individual tags are associated with leaves in the tree, and where each tag contains the keys on the path from its leaf to the root. In subsequent work Molnar, Soppera, and Wagner [31] explore ways in which the sub-trees in their scheme may be associated with individual tags. In another approach, Avoine, Dysli, and Oechslin [6,7] show how, similar to Hellman’s study of breaking symmetric keys, a time-memory trade off can be exploited to make the search for the key to use more efficient. We note that none of these systems are practical for RFID systems where millions of tags possess unique secret keys.

(Footnote to the database lookup in the hash-chain protocol above: the database can keep a shadow copy of id_i and hence can precompute the next expected value g(h(id_i)).)

We refer to Juels [25] (and the excellent bibliography maintained by Gildas Avoine) for a much more extensive survey of proposed solutions, and [27] for a more formal analysis of the privacy properties actually achieved by some of the proposed authentication protocols.

Spiekermann et al. [40] observe that although there are many protocols and proposals for limiting access to RFID tags (either by killing them completely or by requiring the reader to authenticate), few systems have been proposed that allow effective and fine grained control over access permissions. Recent research efforts have tried to bring the user back into control.
Notable examples are agency tools like the RFID Guardian [36] and the Privacy Coach [11], as well as the “resurrecting duckling” [41] principle of Stajano and Anderson.

6.1 Design philosophies

The “resurrecting duckling” [41] security policy model of Stajano and Anderson is an example of a general design philosophy applicable to the Internet of Things, that aims to put the user in better control of the devices that he owns or the devices that surround him. The principle is based on an analogy to the biological principle of imprinting discovered by Lorenz [29], which describes the initial bonding process between hatched ducklings and their (supposed) parents. In this model a device is in one of two possible states: imprintable or imprinted. When imprintable, anyone can take ownership of the device. In doing so, the device becomes imprinted. Only the owner of an imprinted device may cause the device to ‘die’, bringing it back to its imprintable state (and resetting all other settings to default, essentially bringing the device back to a virgin, new-born, state). Additionally, an owner of a device may change security policies on the device, granting certain rights to other users. This allows an owner of a device to lend the device to another user, and delegate a subset of its power to this user.

More models like this need to be developed to better understand the nature of the Internet of Things.

6.2 Agency tools

The RFID Guardian and the Privacy Coach can be classified as agency tools: tools that support the user to make choices and to impose those choices on the world [8]. Such tools put the user at the centre of the Internet of Things.

The RFID Guardian [36] is best understood as a personal firewall between the RFID tags carried by a user, and the world of RFID readers that surround the user. The user programs the RFID Guardian to grant or deny access to specific tags from certain readers, possibly depending on the current context.
The RFID Guardian performs this task by selectively jamming radio signals if it detects a reader that tries to access a tag for which access is denied.

The Privacy Coach [11] puts the user in control in a different way. It is an application running on a mobile phone equipped with a reader that can read RFID tags. Certain such NFC enabled phones are currently on the market. The Privacy Coach supports users in making privacy decisions when confronted with RFID tags on items they buy (or otherwise obtain). It functions as a mediator between customer privacy preferences and corporate privacy policies, trying to find a match between the two, and informing the user of the outcome. The Privacy Coach itself does not block or prevent any privacy infringements. Instead, it stores the user privacy preferences in a profile on the mobile phone. Privacy policies associated with RFID tags are downloaded from a central database whenever the user scans such a tag using the NFC reader. Producers of goods tagged by RFID will similarly store the company privacy policy associated with these tags in a central database. Alternatively, consumer organisations may create such privacy policies for companies that do not provide these policies themselves.

The remainder of this essay is devoted to describing the main research challenges ahead.

7.1 Privacy beyond data minimisation

Current approaches to protect our privacy focus on data minimisation. This is as counterproductive in the Internet of Things as it is in social networks: both only ‘work’ if you are willing to share your data. This is not to say that in order for the IoT to be useful, your personal data needs to be shared with everybody. Like in social networks, context separation [33] will play an important role in the Internet of Things as well.
But simply refusing to share your data with anybody will not be possible (although in certain cases, anonymity mechanisms may still be applicable).

This means that privacy enhancing technologies need to be developed that prevent the abuse of personal data once it is collected [22], and that prevent the leakage of information from one context to the other (thus maintaining contextual integrity [33]). Design philosophies, and derived design patterns, for the Internet of Things need to be developed that accomplish this. Moreover, a common privacy engineering practice based on these principles needs to be established. These privacy preserving approaches need to be applicable to heterogeneous sets of devices [43], and need to be user friendly. This adds to the research challenge already present.

Several approaches can be followed to achieve this. One approach is to collect and maintain user profiles and preferences on a personal device held by the user (like a mobile phone) instead of by the infrastructure directly. The core data needed to make the ambient infrastructure intelligent is then still under control of the user. The infrastructure can query the user profile through standard interfaces provided by the personal device. In a way the personal device operates as a personal firewall. This approach is somewhat similar to recent studies into privacy enhanced profiling of website visitors. These techniques aim to implement targeted advertising on websites [3,44] without the usually associated privacy problem of collecting user profiles centrally.

Alternatively, user profiles can be split into many small parts and stored at many different, uncorrelated, locations. This can even be done in such a way that wrong information is encoded in some of these parts. The parts can be combined using secret sharing techniques.
In case of wilfully distributing wrong information, the wrong data can be filtered out using majority voting and other fault tolerant techniques [24] once all the parts (correct and incorrect ones) have been collected.

7.2 Security

The main security properties that are relevant for the Internet of Things are integrity, authenticity, and availability. These need to be achieved in an environment where the endpoints are mostly very resource constrained. Endpoints are typically tags, sensors and actuators, that need to be produced at the lowest possible cost (because a proper implementation of the Internet of Things will need so many of these nodes to be deployed). These endpoints have little memory, little processing power, and slow, short range and unreliable communication links. Security (and privacy) therefore need to be built upon resource efficient cryptographic primitives. This remains a challenging area of research.

Also, the Internet of Things will lack a single central authority. This calls for models for decentralised authentication [43], including strategies for revocation and key-distribution in an ad-hoc fashion. In general, security measures need to support the conflicting requirements of multiple stakeholders (e.g., privacy protection versus accountability), in order to support multilaterally secure cooperations [47], and should be designed in such a way that they can be used by casual users. This has to be achieved without the coordinating role of a central authority trusted by all stakeholders.

The same holds not only for devices. Reliability (or rather integrity) of the data collected by the Internet of Things and provided back to the users is also an issue. Open source data mining tools to verify the reliability of the data may help in this respect.
An example of an area where this is especially important is health care applications of the Internet of Things where patients share data to crowd-source knowledge about their diseases, and subsequently use that data to improve their standard of living. The diffusion of harmful and unsubstantiated knowledge and information is a real possibility. However, experiences with similarly crowd-sourced knowledge bases like Wikipedia suggest that in an open system, malicious knowledge tends to gradually be muted out [42].

We note that security can also benefit from the existence of an Internet of Things. Through the IoT it is much easier to reliably collect information about the context in which a certain actor tries to access a certain resource. The current location of the user, whether the user is alone in the room, whether someone else is approaching, whether certain devices are or are not in the vicinity: all these aspects can be determined. This allows us to specify much more fine grained access conditions, that can still be fulfilled given a much richer data set at the time the resource is accessed.

7.3 Establishing trustability

Establishing trust in the Internet of Things should go beyond the mere user perception side of the issue, and instead focus on measurable ways to establish trustability, and on tools to support this. Trustability aims to answer questions like: How well does the infrastructure safeguard the data you entrust to it? What are the future consequences of its use? How clearly and openly do infrastructure providers advise you of your rights and responsibilities? What guarantees of future reliability and availability does the infrastructure give you?

Very few of these tools exist to help the user to determine the trustability of the infrastructure they are engaging in.
The issue is much more complex than simply determining whether a certain public terminal is authentic before entering your PIN code on it [4] (although certainly knowing the terminal is authentic helps to some extent). Methods based on direct anonymous attestation [10] using Trusted Platform Modules (TPM) (that establish that a certain device is in a known good state) are of limited value. The sheer heterogeneity of the devices that make up the Internet of Things makes it impossible to enumerate all the good states each of these devices can be in. Moreover, because the IoT has no central authority, and as context matters, the question is who to turn to to tell you what a good state of a certain device is in the first place.

Most importantly though, establishing trust is a process, a process that progresses over time in which users adjust their trust assessment in the devices and infrastructures they engage in with every transaction they perform with them. The use of personal, mobile, devices and applications (cf. [46]) to support the user in this process needs to be developed. These could for instance be used to predict the future consequences of current engagements with the Internet of Things (cf. [22]). These ideas could build upon the results obtained in the Smart Products project that aim to embed “proactive knowledge” into the IoT and consider e.g. usability and security in access control mechanisms based on machine learning techniques to make the configuration of the IoT manageable by casual users.

Transparency is a key factor in the aforementioned process. Transparency helps the user to assess the trustability of a party in a transaction. It also provides useful meta-information that is essential to establish the integrity of the data collected by the IoT. We therefore need to engineer built-in transparency for the IoT, and develop the concept of transparency by design similar to privacy by design.

7.4 Governance

[...]
the more autonomous and intelligent ‘things’ get, problems like the identity and privacy of things, and responsibility of things in their acting will have to be considered. [43]

Governance can be defined as “the use of institutions and structure of authority to allocate resources and coordinate or control activity in society” [9]. The three main stakeholders (government, the private sector and the civil society) should be represented in these institutions and structures of authority. But what these institutions should be and what this structure of authority should look like is currently unclear for the Internet of Things (private communication, from the Internet of Things Expert Group [15]). It is pretty much a chicken-and-egg problem.

Because there is no common view on the future and design of the Internet of Things, it is hard to define an appropriate governance for it. As a particular case in point, it has been observed that things are bound to physical locations. It is therefore foreseen that the Internet of Things will have a much more localised nature than the current Internet. In fact there may not even be a single Internet of Things. Instead, there may be several networks of things, perhaps each using different technology, operating as pretty much isolated islands of interconnected things.

On the other hand, because of a lack of governance, there is no (visible and accountable) converging force that will slowly bring together the different views and designs for the Internet of Things. This lack of transparency and openness may have a negative impact on the acceptance of this new technology in our society, especially because the consequences of this new technology are quite radical.

This chicken-and-egg problem has to be resolved, because governance cannot be retrofitted. The history of the development of the Internet itself may serve as an example.
Even though the Domain Name System (DNS) works, for better or worse, from a technical perspective, it has severe legitimacy problems because of decisions made early on that did not foresee the development of the Internet as it is now. Trying to change the governance structure today proves to be very difficult because of vested commercial and governmental interests.

When setting up a governance structure care has to be taken not to overdo it. The very power of the Internet, that made it grow as fast as it did, is the almost ‘anarchistic’ nature of the underlying technology [28]. This has ensured that no single party can control the whole network, and that all types of traffic are treated equally.
I would like to thank the members of Council (Rob van Kranenburg, Erin Anzelmo, Cristiano Storni, James Wallbank, Tijmen Wisman) and the members of IFIP WG 11.2 (Denis Trcek, Stefan Georg Weber, Igor Ruiz-Agundez) for their input to this essay.

Jaap-Henk Hoepman is senior scientist at the security group of TNO, the Dutch Organisation for Applied Scientific Research. He also holds an associate professor position at the Digital Security group of the Institute for Computing and Information Sciences of the Radboud University Nijmegen. He is chair of IFIP WG 11.2 on Pervasive Systems Security, and member of Council (a multidisciplinary think tank on the Internet of Things).

References

1. Aarts, E., Harwig, R., and Schuurmans, M. Ambient intelligence. In The Invisible Future: The Seamless Integration Of Technology Into Everyday Life, P. Denning, Ed. McGraw-Hill, 2001.
2. Alpár, G., Hoepman, J.-H., and Siljee, J. The identity crisis. Security, privacy and usability issues in identity management, Jan. 2011. eprint CoRR cs.CR:1101.0427.
3. Androulaki, E., and Bellovin, S. M. A secure and privacy-preserving targeted ad-system. In Financial Cryptography Workshops (2010), R. Sion, R. Curtmola, S. Dietrich, A. Kiayias, J. M. Miret, K. Sako, and F. Sebé, Eds., vol. 6054 of Lecture Notes in Computer Science, Springer, pp. 123–135.
4. Asokan, N., Debar, H., Steiner, M., and Waidner, M. Authenticating public terminals. Computer Networks 31, 8 (1999), 861–870.
5. Avoine, G. Privacy issues in RFID banknotes protection schemes. In (Toulouse, France, Sept. 2004), pp. 43–48.
6. Avoine, G., Dysli, E., and Oechslin, P. Reducing time complexity in RFID systems. In Selected Areas in Cryptography (2005), B. Preneel and S. E. Tavares, Eds., vol. 3897 of Lecture Notes in Computer Science, Springer, pp. 291–306.
7. Avoine, G., and Oechslin, P. A scalable and provably secure hash-based RFID protocol. In PerCom Workshops (2005), IEEE Computer Society, pp. 110–114.
8. Bandura, A. Social cognitive theory: An agentic perspective. Annual Review of Psychology 52 (2001), 1–26.
9. Bell, S. Economic Governance and Institutional Dynamics. Oxford University Press, Melbourne, Australia, 2002.
10. Brickell, E. F., Camenisch, J., and Chen, L. Direct anonymous attestation. In ACM Conference on Computer and Communications Security (2004), V. Atluri, B. Pfitzmann, and P. D. McDaniel, Eds., ACM, pp. 132–145.
11. Broenink, G., Hoepman, J.-H., van ’t Hof, C., van Kranenburg, R., Smits, D., and Wisman, T. The privacy coach: Supporting customer privacy in the internet of things. In Pervasive 2010 Conference Workshop on What can the Internet of Things do for the citizen? (Helsinki, Finland, May 17 2010), pp. 72–81.
12. Dimitriou, T. A secure and efficient RFID protocol that could make big brother (partially) obsolete. In
PerCom (2006), IEEE Computer Society, pp. 269–275.13.
Engberg, S. J., Harning, M. B., and Jensen, C. D.
Zero-knowledge device authentication: Privacy & security en-hanced rfid preserving business value and consumer conve-nience. In (Fredericton, New Brunswick, Canada, Oct. 13–15 2004),pp. 89–101.14.
European Commission . Recommendation (2009/387/EC)on the implementation of privacy and data protection prin-ciples in applications supported by radio-frequency identifi-cation, May 2009.15.
European Commission . Decision (2010/c 217/08) settingup the expert group on the internet of things, Aug. 2010.16.
Friedewald, M., and Costa, O. D.
Science and technologyroadmapping: Ambient intelligence in everyday life (amilife).Tech. rep., JRC/IPTS - ESTO, 2003.17.
Garfinkel, S. L., Juels, A., and Pappu, R.
RFID privacy:An overview of problems and proposed solutions.
IEEE Se-curity & Privacy (May June 2005), 34–43.18.
Gershenfeld, N. A.
When things start to think . HenryHolt, 2000.19.
Golle, P., Jakobsson, M., Juels, A., and Syverson, P. F.
Universal re-encryption for mixnets. In
RSA Conf. (San Fransisco, CA, USA, Feb. 23–27 2004), LNCS 2964, pp. 163–178.20.
Greenfield, A.
Everyware: The Dawning Age of UbiquitousComputing . New Riders Publishing, 2006.21.
Hardin, R.
Trust & Trustworthiness . Russell Sage Founda-tion, New York, 2002.22.
Hildebrandt, M.
Behavioural biometric profiling and trans-parency enhancing tools. FIDIS Deliverable 7.12.23.
ISTAG . Ambient intelligence: from vision to reality. Tech.rep., ISTAG, 2003.24.
Jalote, P.
Fault Tolerance in Dsitributed Systems . PrenticeHall, 1994.25.
Juels, A.
RFID security and privacy: A research survey.
IEEE Journal on Selected Areas in Communications 24 , 2(2006), 381–394.26.
Juels, A., and Pappu, R.
Squealing euros: Privacy pro-tection in RFID-enabled banknotes. In (Guadeloupe, French West Indies, Jan. 27–30 2003),R. N. Wright, Ed., LNCS 2742, Springer, pp. 103–121.27.
Juels, A., and Weis, S.
Defining strong privacy for RFID.In (2007), pp. 342–347.28.
Lessig, L.
Code and other laws of cyberspace . Basic Books,1999.29.
Lorenz, K.
Er redete mit dem Vieh, den V¨ogeln und denFischen . Borotha-Schoeler, Wien, 1949.30.
Mitchell, C. J. , Ed.
Trusted Computing . The Institutionof Engineering and Technology, Nov. 2005.31.
Molnar, D., Soppera, A., and Wagner, D.
A scalable, del-egatable pseudonym protocol enabling ownership transfer ofrfid tags. In
Selected Areas in Cryptography (2005), B. Pre-neel and S. E. Tavares, Eds., vol. 3897 of
Lecture Notes inComputer Science , Springer, pp. 276–290.32.
Molnar, D., and Wagner, D.
Privacy and security in li-brary rfid: issues, practices, and architectures. In
ACM Con-ference on Computer and Communications Security (Wash-ington D.C., USA, Oct. 25–29 2004), V. Atluri, B. Pfitzmann,and P. D. McDaniel, Eds., ACM, pp. 210–219.33.
Nissenbaum, H.
Privacy as contextual integrity.
WashingtonLaw Review 79 , 1 (Feb. 2004), 119–158.34.
Ohkubo, M., Suzuki, K., and Kinoshita, S.
Efficient hash-chain based rfid privacy protection scheme. In
InternationalConference on Ubiquitous Computing (Ubicomp), WorkshopPrivacy: Current Status and Future Directions (2004).35.
Rieback, M. R., Crispo, B., and Tanenbaum, A. S.
Isyour cat infected with a computer virus? In
PerCom (2006),IEEE Computer Society, pp. 169–179.36.
Rieback, M. R., Gaydadjiev, G., Crispo, B., Hofman, R.F. H., and Tanenbaum, A. S.
A platform for rfid secu-rity and privacy administration. In
LISA (2006), USENIX,pp. 89–102.37.
Sarma, S. E., Weis, S. A., and Engels, D. W.
Rfid sys-tems, security & privacy implications (white paper). Tech.Rep. MIT-AUTOID-WH-014, Auto-ID Center, MIT, Cam-bridge, MA, USA, 2002.38.
Schneier, B.
Security in 2020. CryptoGram, Jan. 2011.39.
Solove, D. J.
Understanding Privacy . Harvard UniversityPress, 2008.40.
Spiekermann, S., and Evdokimov, S.
Critical rfid privacy-enhancing technologies.
IEEE Security & Privacy 11 , 2(Mar.–Apr. 2009), 56–62.41.
Stajano, F., and Anderson, R.
The resurrecting duckling:Security issues for ad-hoc wireless networks. In
Security Pro-cotols, 7th Int. Workshop (1999), B. Christianson, B. Crispo,and M. Roe, Eds., LNCS, pp. 172–194.42.
Storni, C.
Report on the “reassembling health workshop:exploring the role of the internet of things”.
J. ParticipatMed. (Sept. 27 2010), 2:e10.43.
Sundmaeker, H., Guillemin, P., Friess, P., andWoelffl´e, S.
Vision and Challenges for Realising the In-ternet of Things . No. ISBN 978-92-79-15088-3. PublicationOffice of the European Union, Luxembourg, Mar. 2010. Clus-terbook of CERP-IoT.44.
Toubiana, V., Narayanan, A., Boneh, D., Nissenbaum,H., and Barocas, S.
Adnostic: Privacy preserving targetedadvertising. In (San Diego, CA, USA, Feb. 2010).45.
Warren, S. D., and Brandeis, L. D.
The right to privacy.the implicit made explicit.
Harvard Law Review IV , 5 (Dec.15 1890), 193–220.46.
Weber, S. G., Martucci, L. A., Ries, S., andM¨uhlh¨auser, M.
Towards trustworthy identity and accessmanagement for the future internet. In
The 4th InternationalWorkshop on Trustworthy Internet of People, Things & Ser-vices (Trustworthy IoPTS 2010) co-located with the Internetof Things 2010 Conference, November 2010. (Tokyo, Japan,Nov. 2010).47.
Weber, S. G., and M¨uhlh¨auser, M.
Multilaterally secureubiquitous auditing. In
Intelligent Networking, CollaborativeSystems and Applications (INCoS) (Dec. 2010), S. Caball´e,F. Xhafa, and A. Abraham, Eds., vol. 329 of
Studies in Com-putational Intelligence , Springer, pp. 207–233.48.
Weis, S. A., Sarma, S. E., Rivest, R. L., and Engels,D. W.
Security and privacy aspects of low-cost radio fre-quency identification systems. In (Boppard, Ger-many, Mar. 12–14 2003), D. Hutter, G. M¨uller, W. Stephan,and M. Ullmann, Eds., LNCS 2802, Springer, pp. 201–212.49.
Weiser, M.
The computer for the 21st century.