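@comment{BibTeX for papers by David Kotz; for complete/updated list see https://www.cs.dartmouth.edu/~kotz/research/papers.html}
@comment{Conventions used in this file: one field per line; month given as the standard three-letter macro (unquoted); acronyms and product names inside title are brace-protected so recasing styles keep their capitalisation; free-form fields such as copyright, numpages, articleno and day are ignored by standard styles and kept for reference only.}

@InProceedings{khanafer:discovery,
  author    = {Mounib Khanafer and Logan Kostick and Chixiang Wang and Wondimu Zegeye and Weijia He and Berkay Kaplan and Nurzaman Ahmed and Kevin Kornegay and David Kotz and Timothy Pierson},
  title     = {Device Discovery in the Smart Home Environment},
  booktitle = {Proceedings of the IEEE/ACM Workshop on the Internet of Safe Things (SafeThings)},
  year      = 2024,
  month     = may,
  copyright = {the authors},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/khanafer-discovery/index.html},
  note      = {Accepted for publication},
  abstract  = {With the availability of Internet of Things (IoT) devices offering varied services, smart home environments have seen widespread adoption in the last two decades. Protecting privacy in these environments becomes an important problem because IoT devices may collect information about the home's occupants without their knowledge or consent. Furthermore, a large number of devices in the home, each collecting small amounts of data, may, in aggregate, reveal non-obvious attributes about the home occupants. A first step towards addressing privacy is discovering what devices are present in the home. In this paper, we formally define device discovery in smart homes and identify the features that constitute discovery in that environment. Then, we propose an evaluative rubric that rates smart home technology initiatives on their device discovery capabilities and use it to evaluate four commonly deployed technologies. We find none cover all device discovery aspects. We conclude by proposing a combined technology solution that provides comprehensive device discovery tailored to smart homes.},
}

@Article{mangar:framework,
  author    = {Ravindra Mangar and Timothy J. Pierson and David Kotz},
  title     = {A framework for evaluating the security and privacy of smart-home devices, and its application to common platforms},
  journal   = {IEEE Pervasive Computing},
  year      = 2024,
  month     = jun,
  publisher = {IEEE},
  copyright = {IEEE},
  doi       = {10.1109/MPRV.2024.3421668},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/mangar-framework/index.html},
  note      = {Accepted for publication},
  abstract  = {In this article, we outline the challenges associated with the widespread adoption of smart devices in homes. These challenges are primarily driven by scale and device heterogeneity: a home may soon include dozens or hundreds of devices, across many device types, and may include multiple residents and other stakeholders. We develop a framework for reasoning about these challenges based on the deployment, operation, and decommissioning life cycle stages of smart devices within a smart home. We evaluate the challenges in each stage using the well-known CIA triad---Confidentiality, Integrity, and Availability. In addition, we highlight open research questions at each stage. Further, we evaluate solutions from Apple and Google using our framework and find notable shortcomings in these products. Finally, we sketch some preliminary thoughts on a solution for the smart home of the near future.},
}

@Article{pierson:inspector,
  author    = {Timothy J. Pierson and Cesar Arguello and Beatrice Perez and Wondimu Zegeye and Kevin Kornegay and Carl Gunter and David Kotz},
  title     = {We need a ``building inspector for {IoT}'' when smart homes are sold},
  journal   = {IEEE Security \& Privacy},
  year      = 2024,
  month     = apr,
  publisher = {IEEE},
  copyright = {Open access},
  doi       = {10.1109/MSEC.2024.3386467},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/pierson-inspector/index.html},
  note      = {Accepted for publication},
  abstract  = {IoT devices (such as smart refrigerators) left behind when a home is sold create numerous security and privacy concerns for both the prior and new residents. We envision a new professional, a ``building inspector for IoT'' with specialized tools and knowledge to help securely facilitate transfer of the home.},
}

@InProceedings{arguello:battery,
  author    = {Cesar Arguello and Beatrice Perez and Timothy J. Pierson and David Kotz},
  title     = {Detecting Battery Cells with Harmonic Radar},
  booktitle = {Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec)},
  year      = 2024,
  month     = may,
  pages     = {231--236},
  publisher = {ACM},
  copyright = {ACM},
  doi       = {10.1145/3643833.3656137},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/arguello-battery/index.html},
  abstract  = {Harmonic radar systems have been shown to be an effective method for detecting the presence of electronic devices, even if the devices are powered off. Prior work has focused on detecting specific non-linear electrical components (such as transistors and diodes) that are present in any electronic device. In this paper we show that harmonic radar is also capable of detecting the presence of batteries. We tested a proof-of-concept system on Alkaline, NiMH, Li-ion, and Li-metal batteries. With the exception of Li-metal coin cells, the prototype harmonic radar detected the presence of batteries in our experiments with 100\% accuracy.},
}

@InProceedings{he:ci-survey,
  author    = {Weijia He and Nathan Reitinger and Atheer Almogbil and Yi-Shyuan Chiang and Timothy J. Pierson and David Kotz},
  title     = {Contextualizing Interpersonal Data Sharing in Smart Homes},
  booktitle = {Proceedings of the Privacy Enhancing Technologies Symposium (PETS)},
  year      = 2024,
  month     = jul,
  volume    = 2024,
  number    = 2,
  pages     = {295--312},
  copyright = {Creative Commons Attribution 4.0},
  doi       = {10.56553/popets-2024-0051},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/he-ci-survey/index.html},
  abstract  = {A key feature of smart home devices is monitoring the environment and recording data. These devices provide security via motion-detection video alerts, cost-savings via thermostat usage history, and peace of mind via functions like auto-locking doors or water leak detectors. At the same time, the sharing of this information in interpersonal relationships---though necessary---is currently accomplished on an all-or-nothing basis. This can easily lead to oversharing in a multi-user environment. Although prior work has studied people's perceptions of information sharing with vendors or ISPs, the sharing of household data among users who interact personally is less well understood. Interpersonal situations make data sharing much more context-based and, thus, more complicated. In this paper, we use themes from the theory of contextual integrity in an online survey (n{$=$}1,992) to study how people perceive data sharing with others in smart homes and inform future designs and research. Our results show that data recipients in a smart home can be reduced to three major groups, and data types matter more than device types. We also found that the types of access control desired by users can vary from scenario to scenario. Depending on whom they are sharing data with and about what data, participants expressed varying levels of comfort when presented with different types of access control (e.g., explicit approval versus time-limited access). Taken together, this provides strong evidence that a more dynamic access control system is needed, and we can design it in a more usable way.},
}

@InProceedings{perez:range,
  author    = {Beatrice Perez and Cesar Arguello and Timothy J. Pierson and Gregory Mazzaro and David Kotz},
  title     = {Evaluating the practical range of harmonic radar to detect smart electronics},
  booktitle = {Proceedings of the IEEE Military Communications Conference (MILCOM)},
  year      = 2023,
  month     = oct,
  pages     = {528--535},
  publisher = {IEEE},
  copyright = {IEEE},
  doi       = {10.1109/MILCOM58377.2023.10356371},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/perez-range/index.html},
  abstract  = {Prior research has found that harmonic radar systems are able to detect the presence of electronic devices, even if the devices are powered off. These systems could be a powerful tool to help mitigate privacy invasions. For example, in a rental property devices such as cameras or microphones may be surreptitiously placed by a landlord to monitor renters without their knowledge or consent. A mobile harmonic radar system may be able to quickly scan the property and locate all electronic devices. The effective range of these systems for detecting consumer-grade electronics, however, has not been quantified. We address that shortcoming in this paper and evaluate a prototype harmonic radar system. We find the system, a variation of what has been proposed in the literature, is able to reliably detect some devices at a range of about two meters. We discuss the effect of hardware on the range of detection and propose an algorithm for automated detection.},
}

@InProceedings{hardin:amanuensis2,
  author    = {Taylor Hardin and David Kotz},
  title     = {{Amanuensis}: provenance, privacy, and permission in {TEE}-enabled blockchain data systems},
  booktitle = {Proceedings of the IEEE International Conference on Distributed Computing Systems},
  year      = 2022,
  month     = jul,
  pages     = {144--156},
  publisher = {IEEE},
  copyright = {IEEE},
  doi       = {10.1109/ICDCS54860.2022.00023},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/hardin-amanuensis2/index.html},
  abstract  = {Blockchain technology is heralded for its ability to provide transparent and immutable audit trails for data shared among semi-trusted parties. With the addition of smart contracts, blockchains can track and verify arbitrary computations -- which enables blockchain users to verify the provenance of information derived from data through the blockchain. This provenance comes at the cost of data confidentiality and user privacy, however, which is unacceptable for many sensitive applications. The need for verifiable yet confidential data sharing and computation has led some to add trusted execution environment (TEE) hardware to blockchain platforms. By moving sensitive operations (e.g., data decryption and analysis) off of the blockchain and into a TEE, they get both the confidentiality of TEEs and the transparency of blockchains without the need to completely trust any one party in the data-sharing ecosystem. In this paper, we build on our TEE-enabled blockchain data-sharing system, Amanuensis, to ensure the freshness of access-control lists shared between the blockchain and TEE, and to improve the privacy of users interacting within the system. We also detail how TEE-based remote attestation help us to achieve information provenance -- specifically, how to achieve information provenance in the context of the Intel SGX trusted execution environment. Finally, we present an evaluation of our system, in which we test several real-world machine-learning applications (logistic regression, kNN, SVM) to determine the run-time overhead of information confidentiality and provenance. Each machine-learning program exhibited a slowdown between 1.1 and 2.8x when run inside of our confidential environment, and took an average of 59 milliseconds to verify the provenance of an input data set.},
}

@PhdThesis{hardin:thesis,
  author    = {Taylor Hardin},
  title     = {Information Provenance for Mobile Health Data},
  school    = {Dartmouth Computer Science},
  year      = 2022,
  month     = may,
  copyright = {the author},
  address   = {Hanover, NH},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/hardin-thesis/index.html},
  abstract  = {Mobile health (mHealth) apps and devices are increasingly popular for health research, clinical treatment and personal wellness, as they offer the ability to continuously monitor aspects of individuals' health as they go about their everyday activities. Many believe that combining the data produced by these mHealth apps and devices may give healthcare-related service providers and researchers a more holistic view of an individual's health, increase the quality of service, and reduce operating costs. For such mHealth data to be considered useful though, data consumers need to be assured that the authenticity and the integrity of the data has remained intact --- especially for data that may have been created through a series of aggregations and transformations on many input data sets. In other words, \emph{information provenance} should be one of the main focuses for any system that wishes to facilitate the sharing of sensitive mHealth data. Creating such a trusted and secure data sharing ecosystem for mHealth apps and devices is difficult, however, as they are implemented with different technologies and managed by different organizations. Furthermore, many mHealth devices use ultra-low-power micro-controllers, which lack the kinds of sophisticated Memory Management Units (MMUs) required to sufficiently isolate sensitive application code and data. \par In this thesis, we present an end-to-end solution for providing information provenance for mHealth data, which begins by securing mHealth data at its source: the mHealth device. To this end, we devise a memory-isolation method that combines compiler-inserted code and Memory Protection Unit (MPU) hardware to protect application code and data on ultra-low-power micro-controllers. Then we address the security of mHealth data outside of the source (e.g., data that has been uploaded to smartphone or remote-server) with our health-data system, Amanuensis, which uses Blockchain and Trusted Execution Environment (TEE) technologies to provide confidential, yet verifiable, data storage and computation for mHealth data. Finally, we look at identity privacy and data freshness issues introduced by the use of blockchain and TEEs. Namely, we present a privacy-preserving solution for blockchain transactions, and a freshness solution for data access-control lists retrieved from the blockchain.},
}

@MastersThesis{malik:thesis,
  author    = {Namya Malik},
  title     = {{SPLICEcube} Architecture: An Extensible {Wi-Fi} Monitoring Architecture for Smart-Home Networks},
  school    = {Dartmouth Computer Science},
  year      = 2022,
  month     = may,
  copyright = {the author},
  address   = {Hanover, NH},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/malik-thesis/index.html},
  abstract  = {The vision of smart homes is rapidly becoming a reality, as the Internet of Things and other smart devices are deployed widely. Although smart devices offer convenience, they also create a significant management problem for home residents. With a large number and variety of devices in the home, residents may find it difficult to monitor, or even locate, devices. A central controller that brings all the home's smart devices under secure management and a unified interface would help homeowners and residents track and manage their devices.\par We envision a solution called the SPLICEcube whose goal is to detect smart devices, locate them in three dimensions within the home, securely monitor their network traffic, and keep an inventory of devices and important device information throughout the device's lifecycle. The SPLICEcube system consists of the following components: 1) a main \emph{cube}, which is a centralized hub that incorporates and expands on the functionality of the home router, 2) a \emph{database} that holds network data, and 3) a set of support \emph{cubelets} that can be used to extend the range of the network and assist in gathering network data.\par To deliver this vision of identifying, securing, and managing smart devices, we introduce an architecture that facilitates intelligent research applications (such as network anomaly detection, intrusion detection, device localization, and device firmware updates) to be integrated into the SPLICEcube. In this thesis, we design a general-purpose Wi-Fi architecture that underpins the SPLICEcube. The architecture specifically showcases the functionality of the cubelets (Wi-Fi frame detection, Wi-Fi frame parsing, and transmission to cube), the functionality of the cube (routing, reception from cubelets, information storage, data disposal, and research application integration), and the functionality of the database (network data storage). We build and evaluate a prototype implementation to demonstrate our approach is \emph{scalable} to accommodate new devices and \emph{extensible} to support different applications. Specifically, we demonstrate a successful proof-of-concept use of the SPLICEcube architecture by integrating a security research application: an ``Inside-Outside detection'' system that classifies an observed Wi-Fi device as being inside or outside the home.},
}

@Misc{vandenbussche:thesis,
  author    = {Adam Vandenbussche},
  title     = {{TorSH}: Obfuscating consumer {Internet-of-Things} traffic with a collaborative smart-home router network},
  school    = {Dartmouth Computer Science},
  year      = 2022,
  month     = jun,
  copyright = {the author},
  address   = {Hanover, NH},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/vandenbussche-thesis/index.html},
  note      = {Undergraduate Thesis},
  abstract  = {When consumers install Internet-connected ``smart devices'' in their homes, metadata arising from the communications between these devices and their cloud-based service providers enables adversaries privy to this traffic to profile users, even when adequate encryption is used. Internet service providers (ISPs) are one potential adversary privy to users' incoming and outgoing Internet traffic and either currently use this insight to assemble and sell consumer advertising profiles or may in the future do so. With existing defenses against such profiling falling short of meeting user preferences and abilities, there is a need for a novel solution that empowers consumers to defend themselves against profiling by ISP-like actors and that is more in tune with their wishes. In this thesis, we present The Onion Router for Smart Homes (TorSH), a network of smart-home routers working collaboratively to defend smart-device traffic from analysis by ISP-like adversaries. We demonstrate that TorSH succeeds in deterring such profiling while preserving smart-device experiences and without encumbering latency-sensitive, non-smart-device experiences like web browsing.},
}

@Article{spangler:privacy,
  author    = {Spangler, Hillary B. and Driesse, Tiffany M. and Lynch, David H. and Liang, Xiaohui and Roth, Robert M. and Kotz, David and Fortuna, Karen and Batsis, John A.},
  title     = {Privacy Concerns of Older Adults Using Voice Assistant Systems},
  journal   = {Journal of the American Geriatrics Society},
  year      = 2022,
  month     = aug,
  day       = 26,
  volume    = 70,
  number    = 12,
  pages     = {3643--3647},
  publisher = {Wiley},
  copyright = {The American Geriatrics Society},
  doi       = {10.1111/jgs.18009},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/spangler-privacy/index.html},
  abstract  = {Voice assistant systems (VAS) are software platforms that complete various tasks using voice commands. It is necessary to understand the juxtaposition of younger and older adults' VAS privacy concerns as younger adults may have different concerns impacting VAS acceptance. Therefore, we examined the differences in VAS related privacy concerns across the lifespan.},
}

@Article{hardin:amanuensis,
  author    = {Taylor Hardin and David Kotz},
  title     = {{Amanuensis}: Information Provenance for Health-Data Systems},
  journal   = {Journal of Information Systems Management and Security},
  year      = 2021,
  month     = mar,
  volume    = 58,
  number    = 2,
  articleno = 102460,
  numpages  = 21,
  publisher = {Elsevier},
  copyright = {Elsevier},
  doi       = {10.1016/j.ipm.2020.102460},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/hardin-amanuensis/index.html},
  abstract  = {Mobile health (mHealth) apps and devices are increasingly popular for health research, clinical treatment, and personal wellness, as they offer the ability to continuously monitor aspects of individuals' health as they go about their everyday activities. Combining the data produced by these mHealth devices may give healthcare providers a more holistic view of a patient's health, increase the level of patient care, and reduce operating costs. Creating a trusted and secure data sharing ecosystem for mHealth devices is difficult, however, as devices are implemented with different technologies and managed by different organizations. To address these issues, we present \emph{Amanuensis:} a concept for a secure, integrated healthcare data system that leverages Blockchain and Trusted Execution Environment (TEE) technologies to achieve information provenance for mHealth data. By using a blockchain to record and enforce data-access policies, we remove the need to trust a single entity with gate-keeping the health data. Instead, participating organizations form a consortium to share responsibility for verifying data integrity and enforcing access policies for data stored in private data silos. Data accesses and computations take place inside of TEEs to preserve data confidentiality and to provide a verifiable attestation report that can be stored on the blockchain for the purpose of information provenance. We evaluate a prototype implementation of Amanuensis -- built using Intel SGX trusted execution hardware and the VeChain Thor blockchain platform -- which shows that Amanuensis is capable of supporting up to 14,256,000 mHealth data sources at \$0.07 per data source per day.},
}

@InProceedings{martinez:poster,
  author    = {Eduardo Antonio Ma{\~{n}}as-Mart{\'{\i}}nez and Elena Cabrera and Katarzyna Wasielewska and David Kotz and Jos{\'{e}} Camacho},
  title     = {Mining social interactions in connection traces of a campus {Wi-Fi} network},
  booktitle = {Proceedings of the SIGCOMM Poster and Demo Sessions},
  year      = 2021,
  month     = aug,
  numpages  = 3,
  pages     = {6--8},
  publisher = {ACM},
  copyright = {ACM},
  doi       = {10.1145/3472716.3472844},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/martinez-poster/index.html},
  abstract  = {Wi-Fi technologies have become one of the most popular means for Internet access. As a result, the use of mobile devices has become ubiquitous and instrumental for society. A device can be identified through its MAC address within an autonomous system. Although some devices attempt to anonymize MAC addresses via randomization, these techniques are not used once the device is associated to the network. As a result, device identification poses a privacy problem in large-scale (e.g., campus-wide) Wi-Fi deployments: if the mobile device can be located, the user who carries that device can also be located. In turn, location information leads to the possibility to extract private knowledge from Wi-Fi users, like social interactions, movement habits, and so forth. \par In this poster we report preliminary work in which we infer social interactions of individuals from Wi-Fi connection traces in the campus network at Dartmouth College. We make the following contributions: (i) we propose several definitions of a pseudocorrelation matrix from Wi-Fi connection traces, which measure similarity between devices or users according to their temporal association profile to the Access Points (APs); (ii) we evaluate the accuracy of these pseudo-correlation variants in a simulation environment; and (iii) we contrast results with those found on a real trace.},
}

@Article{sen:vibering-j,
  author    = {Sougata Sen and David Kotz},
  title     = {{VibeRing}: Using vibrations from a smart ring as an out-of-band channel for sharing secret keys},
  journal   = {Journal of Pervasive and Mobile Computing},
  year      = 2021,
  month     = dec,
  volume    = 78,
  articleno = 101505,
  numpages  = 16,
  publisher = {Elsevier},
  copyright = {Elsevier},
  doi       = {10.1016/j.pmcj.2021.101505},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/sen-vibering-j/index.html},
  abstract  = {Many Internet of Things (IoT) devices are capable of sensing their environment, communicating with other devices, and actuating on their environment. Some of these IoT devices, herein known as ``smartThings'', collect meaningful information from raw data when they are in use and in physical contact with their user (e.g., a blood-glucose monitor); the smartThing's wireless connectivity allows it to transfer that data to its user's trusted device, such as a smartphone. However, an adversary could impersonate the user and bootstrap a communication channel with the smartThing while the smartThing is being used by an oblivious legitimate user. \par To address this problem, in this paper, we investigate the use of \emph{vibration}, generated by a smartRing, as an out-of-band communication channel to unobtrusively share a secret with a smartThing. This exchanged secret can be used to bootstrap a secure wireless channel over which the smartphone (or another trusted device) and the smartThing can communicate. We present the design, implementation, and evaluation of this system, which we call \emph{VibeRing}. We describe the hardware and software details of the smartThing and smartRing. Through a user study we demonstrate that it is possible to share a secret with various objects quickly, accurately and securely as compared to several existing techniques. Overall, we successfully exchange a secret between a smartRing and various smartThings, at least 85.9\% of the time. We show that \emph{VibeRing} can perform this exchange at 12.5 bits/second at a bit error rate of less than 2.5\%. We also show that \emph{VibeRing} is robust to the smartThing's constituent material as well as the holding style. Finally, we demonstrate that a nearby adversary cannot decode or modify the message exchanged between the trusted devices.},
}

@Misc{gralla:inside-outside,
  author    = {Paul Gralla},
  title     = {An inside vs. outside classification system for {Wi-Fi} {IoT} devices},
  school    = {Dartmouth Computer Science},
  year      = 2021,
  month     = jun,
  copyright = {the author},
  address   = {Hanover, NH},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/gralla-inside-outside/index.html},
  note      = {Undergraduate Thesis},
  abstract  = {We are entering an era in which Smart Devices are increasingly integrated into our daily lives. Everyday objects are gaining computational power to interact with their environments and communicate with each other and the world via the Internet. While the integration of such devices offers many potential benefits to their users, it also gives rise to a unique set of challenges. One of those challenges is to detect whether a device belongs to one's own ecosystem, or to a neighbor -- or represents an unexpected adversary. An important part of determining whether a device is friend or adversary is to detect whether a device's location is within the physical boundaries of one's space (e.g. office, classroom, home). In this thesis we propose a system that is able to decide with 82\% accuracy whether the location of an IoT device is inside or outside of a defined space based on a small number of transmitted Wi-Fi frames. The classification is achieved by leveraging a machine-learning classifier trained and tested on RSSI data of Wi-Fi transmissions recorded by three or more observers. In an initialization phase the classifier is trained by the user on Wi-Fi transmissions of a variety of locations, inside (and outside). The system can be built with off-the-shelf Wi-Fi observing devices that do not require any special hardware modifications. With the exception of the training period, the system can accurately classify the indoor/outdoor state of target devices without any cooperation from the user or from the target devices.},
}

@TechReport{landwehr:thaw-tr,
  author      = {Carl Landwehr and David Kotz},
  title       = {{THaW} publications},
  institution = {Dartmouth Computer Science},
  year        = 2020,
  month       = dec,
  number      = {TR2020-904},
  copyright   = {the authors},
  url         = {https://www.cs.dartmouth.edu/~kotz/research/landwehr-thaw-tr/index.html},
  abstract    = {In 2013, the National Science Foundation's Secure and Trustworthy Cyberspace program awarded a Frontier grant to a consortium of four institutions, led by Dartmouth College, to enable trustworthy cybersystems for health and wellness. As of this writing, the Trustworthy Health and Wellness (THaW) project's bibliography includes more than 130 significant publications produced with support from the THaW grant; these publications document the progress made on many fronts by the THaW research team. The collection includes dissertations, theses, journal papers, conference papers, workshop contributions and more. The bibliography is organized as a Zotero library, which provides ready access to citation materials and abstracts and associates each work with a URL where it may be found, cluster (category), several content tags, and a brief annotation summarizing the work's contribution. For more information about THaW, visit thaw.org.},
}

@InProceedings{sen:vibering,
  author    = {Sougata Sen and David Kotz},
  title     = {{VibeRing}: Using vibrations from a smart ring as an out-of-band channel for sharing secret keys},
  booktitle = {Proceedings of the International Conference on the Internet of Things (IoT)},
  year      = 2020,
  month     = oct,
  articleno = 13,
  numpages  = 8,
  publisher = {ACM},
  copyright = {ACM},
  ISBN13    = 9781450387583,
  doi       = {10.1145/3410992.3410995},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/sen-vibering/index.html},
  abstract  = {With the rapid growth in the number of IoT devices that have wireless communication capabilities, and sensitive information collection capabilities, it is becoming increasingly necessary to ensure that these devices communicate securely with only authorized devices. A major requirement of this secure communication is to ensure that both the devices share a \emph{secret}, which can be used for secure pairing and encrypted communication. Manually imparting this secret to these devices becomes an unnecessary overhead, especially when the device interaction is transient. In this paper, we empirically investigate the possibility of using an out-of-band communication channel -- vibration, generated by a custom smart ring, to share a secret with a smart IoT device. This exchanged secret can be used to bootstrap a secure wireless channel over which the devices can communicate. We believe that in future IoT devices can use such a technique to seamlessly connect with authorized devices with minimal user interaction overhead. In this paper, we specifically investigate (a) the feasibility of using vibration generated by a custom wearable for communication, (b) the effect of various parameters on this communication channel, and (c) the possibility of information manipulation by an adversary or information leakage to an adversary. For this investigation, we conducted a controlled study as well as a user study with 12 participants. In the controlled study, we could successfully share messages through vibrations with a bit error rate of less than 2.5\%. Additionally, through the user study we demonstrate that it is possible to share messages with various types of objects accurately, quickly and securely as compared to several existing techniques. Overall, we find that in the best case we can exchange 85.9\% messages successfully with a smart device.},
}

@Article{greene:sharehealth,
  author    = {Emily Greene and Patrick Proctor and David Kotz},
  title     = {Secure Sharing of {mHealth} Data Streams through Cryptographically-Enforced Access Control},
  journal   = {Journal of Smart Health},
  year      = 2019,
  month     = apr,
  volume    = 12,
  pages     = {49--65},
  publisher = {Elsevier},
  copyright = {Elsevier},
  doi       = {10.1016/j.smhl.2018.01.003},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/greene-sharehealth/index.html},
  abstract  = {Owners of mobile-health apps and devices often want to share their mHealth data with others, such as physicians, therapists, coaches, and caregivers. For privacy reasons, however, they typically want to share a limited subset of their information with each recipient according to their preferences. In this paper, we introduce ShareHealth, a scalable, usable, and practical system that allows mHealth-data owners to specify access-control policies and to cryptographically enforce those policies so that only parties with the proper corresponding permissions are able to decrypt data. The design and prototype implementation of this system make three contributions: (1) they apply cryptographically-enforced access-control measures to stream-based (specifically mHealth) data, (2) they recognize the temporal nature of mHealth data streams and support revocation of access to part or all of a data stream, and (3) they depart from the vendor- and device-specific silos of mHealth data by implementing a secure end-to-end system that can be applied to data collected from a variety of mHealth apps and devices.},
}

@InProceedings{sen:vibering-poster,
  author    = {Sougata Sen and Varun Mishra and David Kotz},
  title     = {Using vibrations from a {SmartRing} as an out-of-band channel for sharing secret keys},
  booktitle = {Adjunct Proceedings of the ACM International Joint Conference on Pervasive and Ubiquitous Computing (UbiComp)},
  year      = 2019,
  month     = sep,
  pages     = {198--201},
  publisher = {ACM},
  copyright = {the authors},
  doi       = {10.1145/3341162.3343818},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/sen-vibering-poster/index.html},
  abstract  = {With the rapid growth in the number of Internet of Things (IoT) devices with wireless communication capabilities, and sensitive information collection capabilities, it is becoming increasingly necessary to ensure that these devices communicate securely with only authorized devices. A major requirement of this secure communication is to ensure that both the devices share a secret, which can be used for secure pairing and encrypted communication. Manually imparting this secret to these devices becomes an unnecessary overhead, especially when the device interaction is transient. In this work, we empirically investigate the possibility of using an out-of-band communication channel -- vibration, generated by a custom smartRing -- to share a secret with a compatible IoT device. Through a user study with 12 participants we show that in the best case we can exchange 85.9\% messages successfully. Our technique demonstrates the possibility of sharing messages accurately, quickly and securely as compared to several existing techniques.},
}

@Article{reza:nocloud,
  author    = {Reza Rawassizadeh and Timothy Pierson and Ronald Peterson and David Kotz},
  title     = {{NoCloud}: Experimenting with Network Disconnection by Design},
  journal   = {IEEE Pervasive Computing},
  year      = 2018,
  month     = jan,
  volume    = 17,
  number    = 1,
  pages     = {64--74},
  publisher = {IEEE},
  copyright = {IEEE},
  doi       = {10.1109/MPRV.2018.011591063},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/reza-nocloud/index.html},
  abstract  = {Application developers often advocate uploading data to the cloud for analysis or storage, primarily due to concerns about the limited computational capability of ubiquitous devices. Today, however, many such devices can still effectively operate and execute complex algorithms without reliance on the cloud. The authors recommend prioritizing on-device analysis over uploading the data to another host, and if on-device analysis is not possible, favoring local network services over a cloud service.},
}

@InProceedings{kotz:safethings,
  author    = {David Kotz and Travis Peters},
  title     = {Challenges to ensuring human safety throughout the life-cycle of Smart Environments},
  booktitle = {Proceedings of the ACM Workshop on the Internet of Safe Things (SafeThings)},
  year      = 2017,
  month     = nov,
  pages     = {1--7},
  publisher = {ACM},
  copyright = {ACM},
  doi       = {10.1145/3137003.3137012},
  url       = {https://www.cs.dartmouth.edu/~kotz/research/kotz-safethings/index.html},
  abstract  = {The homes, offices, and vehicles of tomorrow will be embedded with numerous ``Smart Things,'' networked with each other and with the Internet. Many of these Things are embedded in the physical infrastructure, and like the infrastructure they are designed to last for decades -- far longer than is normal with today's electronic devices. 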
What happens then, when an occupant moves out or transfers ownership of her Smart Environment? This paper outlines the critical challenges required for the safe long-term operation of Smart Environments. How does an occupant identify and decommission all the Things in an environment before she moves out? How does a new occupant discover, identify, validate, and configure all the Things in the environment he adopts? When a person moves from smart home to smart office to smart hotel, how is a new environment vetted for safety and security, how are personal settings migrated, and how are they securely deleted on departure? When the original vendor of a Thing (or the service behind it) disappears, how can that Thing (and its data, and its configuration) be transferred to a new service provider? What interface can enable lay people to manage these complex challenges, and be assured of their privacy, security, and safety? We present a list of key research questions to address these important challenges.}, } @InProceedings{prasad:enact, author = {Aarathi Prasad and David Kotz}, title = {ENACT: Encounter-based Architecture for Contact Tracing}, booktitle = {Proceedings of the ACM Workshop on Physical Analytics (WPA)}, year = 2017, month = {June}, pages = {37--42}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3092305.3092310}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-enact/index.html}, abstract = {Location-based sharing services allow people to connect with others who are near them, or with whom they shared a past encounter. Suppose it were also possible to connect with people who were at the same location but at a different time -- we define this scenario as a \emph{close encounter}, i.e., an incident of spatial and temporal proximity. By detecting close encounters, a person infected with a contagious disease could alert others to whom they may have spread the virus. 
We designed a smartphone-based system that allows people infected with a contagious virus to send alerts to other users who may have been exposed to the same virus due to a close encounter. We address three challenges: finding devices in close encounters with minimal changes to existing infrastructure, ensuring authenticity of alerts, and protecting privacy of all users. Finally, we also consider the challenges of a real-world deployment.}, } @InProceedings{prasad:spice, author = {Aarathi Prasad and Xiaohui Liang and David Kotz}, title = {SPICE: Secure Proximity-based Infrastructure for Close Encounters}, booktitle = {Proceedings of the ACM Workshop on Mobile Crowdsensing Systems and Applications (CrowdSense)}, year = 2017, month = {November}, pages = {56--61}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/3139243.3139245}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-spice/index.html}, abstract = {We present a crowdsourcing system that extends the capabilities of location-based applications and allows users to connect and exchange information with users in spatial and temporal proximity. We define this incident of spatio-temporal proximity as a \emph{close encounter}. Typically, location-based application users store their information on a server, and trust the server to provide access only to authorized users, not misuse the data or disclose their location history. Our system, called SPICE, addresses these privacy issues by leveraging Wi-Fi access points to connect users and encrypt their information before it is exchanged, so only users in close encounters have access to the information. 
We present the design of the system and describe the challenges in implementing the protocol in a real-world application.}, } @TechReport{greene:thesis, author = {Emily Greene}, title = {ShareABEL: Secure Sharing of mHealth Data through Cryptographically-Enforced Access Control}, institution = {Dartmouth College, Computer Science}, year = 2017, month = {July}, number = {TR2017-827}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/greene-thesis/index.html}, abstract = {Owners of mobile-health apps and devices often want to share their mHealth data with others, such as physicians, therapists, coaches, and caregivers. For privacy reasons, however, they typically want to share a limited subset of their information with each recipient according to their preferences. In this paper, we introduce ShareABEL, a scalable, usable, and practical system that allows mHealth-data owners to specify access-control policies and to cryptographically enforce those policies so that only parties with the proper corresponding permissions are able to decrypt data. The design (and prototype implementation) of this system makes three contributions: (1) it applies cryptographically-enforced access-control measures to wearable healthcare data, which pose different challenges than Electronic Medical Records (EMRs), (2) it recognizes the temporal nature of mHealth data streams and supports revocation of access to part or all of a data stream, and (3) it departs from the vendor- and device-specific silos of mHealth data by implementing a secure end-to-end system that can be applied to data collected from a variety of mHealth apps and devices.}, } @Article{kotz:agenda, author = {David Kotz and Carl A. Gunter and Santosh Kumar and Jonathan P. 
Weiner}, title = {Privacy and Security in Mobile Health~-- A Research Agenda}, journal = {IEEE Computer}, year = 2016, month = {June}, volume = 49, number = 6, pages = {22--30}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/MC.2016.185}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-agenda/index.html}, abstract = {Mobile health technology has great potential to increase healthcare quality, expand access to services, reduce costs, and improve personal wellness and public health. However, mHealth also raises significant privacy and security challenges.}, } @InProceedings{pierson:wanda-demo, author = {Timothy J. Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {Demo: Wanda, securely introducing mobile devices}, booktitle = {Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys)}, year = 2016, month = {June}, pages = 113, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/2938559.2938581}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda-demo/index.html}, abstract = {Nearly every setting is increasingly populated with wireless and mobile devices -- whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. We developed Wanda -- a `magic wand' that accomplishes all three of the above goals -- and will demonstrate a prototype implementation.}, } @TechReport{pierson:wanda-tr, author = {Timothy J. 
Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {Wanda: securely introducing mobile devices -- Extended version}, institution = {Dartmouth Computer Science}, year = 2016, month = {February}, number = {TR2016-789}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda-tr/index.html}, note = {Expanded version of the INFOCOM 2016 paper by the same title.}, abstract = {Nearly every setting is increasingly populated with wireless and mobile devices -- whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals simply, securely, and consistent with user intent. We present a novel approach we call Wanda -- a `magic wand' that accomplishes all three of the above goals -- and evaluate a prototype implementation. This Tech Report contains supplemental information to our INFOCOM 2016 paper titled, ``Wanda: securely introducing mobile devices.'' Much of the additional information is in Section II, III, and VI.}, } @InProceedings{pierson:wanda, author = {Timothy J. 
Pierson and Xiaohui Liang and Ronald Peterson and David Kotz}, title = {Wanda: securely introducing mobile devices}, booktitle = {Proceedings of the IEEE International Conference on Computer Communications (INFOCOM)}, year = 2016, month = {April}, pages = {1--9}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/INFOCOM.2016.7524366}, URL = {https://www.cs.dartmouth.edu/~kotz/research/pierson-wanda/index.html}, abstract = {Nearly every setting is increasingly populated with wireless and mobile devices -- whether appliances in a home, medical devices in a health clinic, sensors in an industrial setting, or devices in an office or school. There are three fundamental operations when bringing a new device into any of these settings: (1) to configure the device to join the wireless local-area network, (2) to partner the device with other nearby devices so they can work together, and (3) to configure the device so it connects to the relevant individual or organizational account in the cloud. The challenge is to accomplish all three goals \emph{simply}, securely, and consistent with user intent. We present a novel approach we call Wanda -- a `magic wand' that accomplishes all three of the above goals -- and evaluate a prototype implementation.}, } @PhdThesis{prasad:thesis, author = {Aarathi Prasad}, title = {Privacy-preserving controls for sharing mHealth data}, school = {Dartmouth College Computer Science}, year = 2016, month = {May}, copyright = {Aarathi Prasad}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2016-794.}, abstract = {Mobile devices allow people to collect and share health and health-related information with recipients such as health providers, family and friends, employers and insurance companies, to obtain health, emotional or financial benefits. 
People may consider certain health information sensitive and prefer to disclose only what is necessary. In this dissertation, we present our findings about factors that affect people's sharing behavior, describe scenarios in which people may wish to collect and share their personal health-related information with others, but may be hesitant to disclose the information if necessary controls are not available to protect their privacy, and propose frameworks to provide the desired privacy controls. We introduce the concept of close encounters that allow users to share data with other people who may have been in spatio-temporal proximity. We developed two smartphone-based systems that leverage stationary sensors and beacons to determine whether users are in spatio-temporal proximity. The first system, ENACT, allows patients diagnosed with a contagious airborne disease to alert others retrospectively about their possible exposure to airborne virus. The second system, SPICE, allows users to collect sensor information, retrospectively, from others with whom they shared a close encounter. We present design and implementation of the two systems, analyse their security and privacy guarantees, and evaluate the systems on various performance metrics. 
Finally, we evaluate how Bluetooth beacons and Wi-Fi access points can be used in support of these systems for close encounters, and present our experiences and findings from a deployment study on Dartmouth campus.}, } @Article{kotz:frontiers, author = {David Kotz and Kevin Fu and Carl Gunter and Avi Rubin}, title = {Security for Mobile and Cloud Frontiers in Healthcare}, journal = {Communications of the ACM}, year = 2015, month = {August}, volume = 58, number = 8, pages = {21--23}, publisher = {ACM}, copyright = {the authors}, DOI = {10.1145/2790830}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-frontiers/index.html}, abstract = {Designers and developers of healthcare information technologies must address preexisting security vulnerabilities and undiagnosed future threats.}, } @Article{shin:anonytiles, author = {Minho Shin and Cory Cornelius and Apu Kapadia and Nikos Triandopoulos and David Kotz}, title = {Location Privacy for Mobile Crowd Sensing through Population Mapping}, journal = {Sensors}, year = 2015, month = {June}, volume = 15, number = 7, pages = {15285--15310}, publisher = {open access}, copyright = {the authors}, DOI = {10.3390/s150715285}, URL = {https://www.cs.dartmouth.edu/~kotz/research/shin-anonytiles/index.html}, abstract = {Opportunistic sensing allows applications to ``task'' mobile devices to measure context in a target region. For example, one could leverage sensor-equipped vehicles to measure traffic or pollution levels on a particular street or users' mobile phones to locate (Bluetooth-enabled) objects in their vicinity. In most proposed applications, context reports include the time and location of the event, putting the privacy of users at increased risk: even if identifying information has been removed from a report, the accompanying time and location can reveal sufficient information to de-anonymize the user whose device sent the report. 
We propose and evaluate a novel spatiotemporal blurring mechanism based on tessellation and clustering to protect users' privacy against the system while reporting context. Our technique employs a notion of probabilistic k-anonymity; it allows users to perform local blurring of reports efficiently without an online anonymization server before the data are sent to the system. The proposed scheme can control the degree of certainty in location privacy and the quality of reports through a system parameter. We outline the architecture and security properties of our approach and evaluate our tessellation and clustering algorithm against real mobility traces.}, } @Article{mare:hns-j, author = {Shrirang Mare and Jacob Sorber and Minho Shin and Cory Cornelius and David Kotz}, title = {Hide-n-Sense: preserving privacy efficiently in wireless mHealth}, journal = {Mobile Networks and Applications (MONET)}, year = 2014, month = {June}, volume = 19, number = 3, pages = {331--344}, publisher = {Springer-Verlag}, copyright = {Springer-Verlag}, DOI = {10.1007/s11036-013-0447-x}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-hns-j/index.html}, note = {Special issue on Wireless Technology for Pervasive Healthcare}, abstract = {As healthcare in many countries faces an aging population and rising costs, mobile sensing technologies promise a new opportunity. Using mobile health (mHealth) sensing, which uses medical sensors to collect data about the patients, and mobile phones to act as a gateway between sensors and electronic health record systems, caregivers can continuously monitor the patients and deliver better care. Furthermore, individuals can become better engaged in monitoring and managing their own health. Although some work on mHealth sensing has addressed security, achieving strong privacy for low-power sensors remains a challenge. We make three contributions. 
First, we propose an mHealth sensing protocol that provides strong security and privacy properties at the link layer, with low energy overhead, suitable for low-power sensors. The protocol uses three novel techniques: adaptive security, to dynamically modify transmission overhead; MAC striping, to make forgery difficult even for small-sized Message Authentication Codes; and asymmetric resource requirements, in recognition of the limited resources in tiny mHealth sensors. Second, we demonstrate its feasibility by implementing a prototype on a Chronos wrist device, and evaluating it experimentally. Third, we provide a security, privacy, and energy analysis of our system.}, } @InProceedings{mm:amulet-poster, author = {Andr{\'{e}}s Molina-Markham and Ronald A. Peterson and Joseph Skinner and Ryan J. Halter and Jacob Sorber and David Kotz}, title = {Poster: Enabling Computational Jewelry for mHealth Applications}, booktitle = {Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys)}, year = 2014, month = {June}, pages = {374--375}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/2594368.2601454}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mm-amulet-poster/index.html}, abstract = {We are developing wearable devices as the foundation for a consistently present and highly available body-area mHealth network. Our vision is that a small device, such as a bracelet or pendant, will provide the availability and reliability properties essential for successful body-area mHealth networks. We call this class of device computational jewelry, and expect it will be the next frontier of mobile systems. We prototyped our first piece of computational jewelry, which we call Amulet, to enable our previously proposed vision. It runs applications that may collect sensor data from built-in sensors or from other devices, analyze and log the data, queue information for later upload, and interact with the wearer. 
Independent developers can develop applications that can be vetted and installed on an Amulet.}, } @InProceedings{molina-markham:wmmadd, author = {Andr{\'{e}}s Molina-Markham and Ronald Peterson and Joseph Skinner and Tianlong Yun and Bhargav Golla and Kevin Freeman and Travis Peters and Jacob Sorber and Ryan Halter and David Kotz}, title = {Amulet: A secure architecture for mHealth applications for low-power wearable devices}, booktitle = {Proceedings of the Workshop on Mobile Medical Applications-- Design and Development (WMMADD)}, year = 2014, month = {November}, pages = {16--21}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/2676431.2676432}, URL = {https://www.cs.dartmouth.edu/~kotz/research/molina-markham-wmmadd/index.html}, abstract = {Interest in using mobile technologies for health-related applications (mHealth) has increased. However, none of the available mobile platforms provide the essential properties that are needed by these applications. An mHealth platform must be (i) secure; (ii) provide high availability; and (iii) allow for the deployment of multiple third-party mHealth applications that share access to an individual's devices and data. Smartphones may not be able to provide property (ii) because there are activities and situations in which an individual may not be able to carry them (e.g., while in a contact sport). A low-power wearable device can provide higher availability, remaining attached to the user during most activities. Furthermore, some mHealth applications require integrating multiple on-body or near-body devices, some owned by a single individual, but others shared with multiple individuals. In this paper, we propose a secure system architecture for a low-power bracelet that can run multiple applications and manage access to shared resources in a body-area mHealth network. 
The wearer can install a personalized mix of third-party applications to support the monitoring of multiple medical conditions or wellness goals, with strong security safeguards. Our preliminary implementation and evaluation supports the hypothesis that our approach allows for the implementation of a resource monitor on far less power than would be consumed by a mobile device running Linux or Android. Our preliminary experiments demonstrate that our secure architecture would enable applications to run for several weeks on a small wearable device without recharging.}, } @InCollection{prasad:bfitbit, author = {Aarathi Prasad and Jacob Sorber and Timothy Stablein and Denise Anthony and David Kotz}, title = {Understanding User Privacy Preferences for mHealth Data Sharing}, booktitle = {mHealth: Multidisciplinary Verticals}, editor = {Sasan Adibi}, year = 2014, month = {November}, chapter = 30, pages = {545--570}, publisher = {Taylor \& Francis (CRC Press)}, copyright = {Taylor \& Francis}, ISBN13 = {978-1-4822-1480-2}, DOI = {10.1201/b17724-34}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-bfitbit/index.html}, } @InProceedings{prasad:mobisys-poster, author = {Aarathi Prasad and Xiaohui Liang and David Kotz}, title = {Poster: Balancing Disclosure and Utility of Personal Information}, booktitle = {Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys)}, year = 2014, month = {June}, pages = {380--381}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/2594368.2601448}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-mobisys-poster/index.html}, abstract = {The ubiquity of smartphones and mobile and wearable devices allow people to collect information about their health, wellness and lifestyle and share with others. If it is not clear what they need to share to receive benefits, \emph{subjects} (people whose information is collected) might share too much, thus disclosing unnecessary private information. 
On the other hand, concerned about disclosing personal information, subjects might share less than what the recipient needs and lose the opportunity to enjoy the benefits. This balance of disclosure and utility is important when the subject wants to receive some benefits, but is concerned about disclosing private information. \par We address this problem of balancing disclosure and utility of personal information collected by mobile technologies. We believe subjects can decide how best to share their information if they are aware of the benefits and risks of sharing. We developed ShareBuddy, a privacy-aware architecture that allows recipients to request information and specify the benefits the subjects will receive for sharing each piece of requested information; the architecture displays these benefits and warns subjects about the risks of sharing. We describe the ShareBuddy architecture in this poster.}, } @Article{anthony:sith3, author = {Denise Anthony and Andrew Campbell and Thomas Candon and Andrew Gettinger and Carl A. Gunter and M. Eric Johnson and David Kotz and Lisa Marsch and Andr{\'{e}}s Molina-Markham and Karen Page and Sean Smith}, title = {Securing Information Technology in Healthcare}, journal = {IEEE Security \& Privacy}, year = 2013, month = {November}, volume = 11, number = 6, pages = {25--33}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/MSP.2013.104}, URL = {https://www.cs.dartmouth.edu/~kotz/research/anthony-sith3/index.html}, note = {Invited paper}, abstract = {Information technology (IT) has great potential to improve healthcare quality while also improving efficiency, and thus has been a major focus of recent healthcare reform efforts. However, developing, deploying and using IT that is both secure and genuinely effective in the complex clinical, organizational and economic environment of healthcare is a significant challenge. 
Further, it is imperative that we better understand the privacy concerns of patients and providers, as well as the ability of current technologies, policies, and laws to adequately protect privacy. The Securing Information Technology in Healthcare (SITH) workshops were created to provide a forum to discuss security and privacy for experts from a broad range of perspectives, from officers at large healthcare companies, startups and nonprofits, to physicians, researchers and policy makers.}, } @InProceedings{prasad:nethealth13, author = {Aarathi Prasad and Ronald Peterson and Shrirang Mare and Jacob Sorber and Kolin Paul and David Kotz}, title = {Provenance framework for mHealth}, booktitle = {Proceedings of the Workshop on Networked Healthcare Technology (NetHealth)}, year = 2013, month = {January}, pages = {1--6}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/COMSNETS.2013.6465599}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-nethealth13/index.html}, abstract = {Mobile health technologies allow patients to collect their health information outside the hospital and share this information with others. But how can data consumers know whether to trust the sensor-collected and human-entered data they receive? Data consumers might be able to verify the accuracy and authenticity of the data if they have information about its origin and about changes made to it, i.e., the \emph{provenance} of the data. We propose a provenance framework for mHealth devices, to collect and share provenance metadata and help the data consumer verify whether certain provenance properties are satisfied by the data they receive. 
This paper describes the programming model for this framework, which describes the rules to be implemented for providing provenance-collecting capabilities to an mHealth application.}, } @Article{avancha:survey, author = {Sasikanth Avancha and Amit Baxi and David Kotz}, title = {Privacy in mobile technology for personal healthcare}, journal = {ACM Computing Surveys}, year = 2012, month = {November}, volume = 45, number = 1, articleno = 3, numpages = 54, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/2379776.2379779}, URL = {https://www.cs.dartmouth.edu/~kotz/research/avancha-survey/index.html}, abstract = {Information technology can improve the quality, efficiency, and cost of healthcare. In this survey, we examine the privacy requirements of \emph{mobile} computing technologies that have the potential to transform healthcare. Such \emph{mHealth} technology enables physicians to remotely monitor patients' health, and enables individuals to manage their own health more easily. Despite these advantages, privacy is essential for any personal monitoring technology. Through an extensive survey of the literature, we develop a conceptual privacy framework for mHealth, itemize the privacy properties needed in mHealth systems, and discuss the technologies that could support privacy-sensitive mHealth systems. We end with a list of open research questions.}, } @InProceedings{fazio:sampling, author = {Phillip A. 
Fazio and Keren Tan and David Kotz}, title = {Effects of network trace sampling methods on privacy and utility metrics}, booktitle = {Proceedings of the Annual Workshop on Wireless Systems: Advanced Research and Development (WISARD)}, year = 2012, month = {January}, pages = {1--8}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/COMSNETS.2012.6151387}, URL = {https://www.cs.dartmouth.edu/~kotz/research/fazio-sampling/index.html}, abstract = {Researchers choosing to share wireless-network traces with colleagues must first anonymize sensitive information, trading off the removal of information in the interest of identity protection and the preservation of useful data within the trace. While several metrics exist to quantify this privacy-utility tradeoff, they are often computationally expensive. Computing these metrics using a \emph{sample} of the trace could potentially save precious time. In this paper, we examine several sampling methods to discover their effects on measurement of the privacy-utility tradeoff when anonymizing network traces. We tested the relative accuracy of several packet and flow-sampling methods on existing privacy and utility metrics. We concluded that, for our test trace, no single sampling method we examined allowed us to accurately measure the tradeoff, and that some sampling methods can produce grossly inaccurate estimates of those values. 
We call for further research to develop sampling methods that maintain relevant privacy and utility properties.}, } @InProceedings{prasad:fitbit, author = {Aarathi Prasad and Jacob Sorber and Timothy Stablein and Denise Anthony and David Kotz}, title = {Understanding Sharing Preferences and Behavior for mHealth Devices}, booktitle = {Proceedings of the Workshop on Privacy in the Electronic Society (WPES)}, year = 2012, month = {October}, pages = {117--128}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/2381966.2381983}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-fitbit/index.html}, abstract = {mHealth devices offer many potential benefits to patients, health providers and others involved in the patients' healthcare. If patients are not in control of the collection and sharing of their personal health information, they will have privacy concerns even while enjoying the benefits of the devices. We investigated patients' willingness to share their personal health information, collected using mHealth devices, with their family, friends, third parties and the public. Our findings are based on a user study conducted with 41 participants. The best way to understand people's privacy concerns is to give them the opportunity to use the device and actually share the information, and to the best of our knowledge, ours is the first study that does so. We discovered that patients want to share, selectively, their health information with people other than their doctors. We also show that privacy concerns are not static; patients may change their sharing decisions over time. 
Based on our findings, we suggest that privacy controls for mHealth systems should be flexible to allow patients to choose different settings for different recipients, and to change their sharing settings at any time.}, } @InProceedings{prasad:provenance-poster, author = {Aarathi Prasad and Ronald Peterson and Jacob Sorber and David Kotz}, title = {A Provenance Framework for mHealth}, booktitle = {Proceedings of the Workshop for Mobile Systems, Applications, and Services for Healthcare (mHealthSys) Poster Track}, year = 2012, month = {November}, articleno = 9, numpages = 2, publisher = {ACM}, copyright = {ACM}, location = {Toronto}, DOI = {10.1145/2396276.2396287}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-provenance-poster/index.html}, abstract = {How can data consumers know whether to trust the sensor-collected and human-entered data they receive from mHealth devices? What confidence do they have that it is accurate and authentic? Data recipients might be able to verify the accuracy and authenticity of the data if they have information about its origin and about changes made to it, i.e., the provenance of the data. We define provenance in mHealth as contextual information that can attest to the authenticity and accuracy of the data and can help the recipient in interpreting the data. To realize this vision, we propose a provenance framework for mHealth. 
The primary function of the framework is to collect and share provenance metadata and help the data consumer verify whether certain provenance properties are satisfied by the data they receive.}, } @InProceedings{sorber:amulet, author = {Jacob Sorber and Minho Shin and Ronald Peterson and Cory Cornelius and Shrirang Mare and Aarathi Prasad and Zachary Marois and Emma Smithayer and David Kotz}, title = {An Amulet for trustworthy wearable mHealth}, booktitle = {Proceedings of the Workshop on Mobile Computing Systems and Applications (HotMobile)}, year = 2012, month = {February}, articleno = 7, numpages = 6, publisher = {ACM}, copyright = {ACM}, location = {San Diego, California}, DOI = {10.1145/2162081.2162092}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sorber-amulet/index.html}, abstract = {Mobile technology has significant potential to help revolutionize personal wellness and the delivery of healthcare. Mobile phones, wearable sensors, and home-based tele-medicine devices can help caregivers and individuals themselves better monitor and manage their health. While the potential benefits of this ``mHealth'' technology include better health, more effective healthcare, and reduced cost, this technology also poses significant security and privacy challenges. 
In this paper we propose \emph{Amulet,} an mHealth architecture that provides strong security and privacy guarantees while remaining easy to use, and outline the research and engineering challenges required to realize the Amulet vision.}, } @MastersThesis{prasad:msthesis, author = {Aarathi Prasad}, title = {Exposing Privacy Concerns in mHealth Data Sharing}, school = {Dartmouth College Computer Science}, year = 2012, month = {February}, copyright = {Aarathi Prasad}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-msthesis/index.html}, note = {Available as Technical Report TR2012-711}, abstract = {Mobile health (mHealth) has become important in the field of healthcare information technology, as patients begin to use mobile devices to record their daily activities and vital signs. These devices can record personal health information even outside the hospital setting, while the patients are at home or at their workplace. However, the devices might record sensitive information that might not be relevant for medical purposes and in some cases may be misused. Patients need expressive privacy controls so that they can trade potential health benefits of the technology with the privacy risks. To provide such privacy controls, it is important to understand what patients feel are the benefits and risks associated with the technology and what controls they want over the information. \par We conducted focus groups to understand the privacy concerns that patients have when they use mHealth devices. We conducted a user study to understand how willing patients are to share their personal health information that was collected using an mHealth device. To the best of our knowledge, ours is the first study that explores users' privacy concerns by giving them the opportunity to actually share the information collected about them using mHealth devices. 
We found that patients tend to share more information with third parties than the public and prefer to keep certain information from their family and friends. Finally, based on these discoveries, we propose some guidelines to developing defaults for sharing settings in mHealth systems.}, } @InProceedings{fazio:netsani, author = {Phil Fazio and Keren Tan and Jihwang Yeo and David Kotz}, title = {Short Paper: The NetSANI Framework for Analysis and Fine-tuning of Network Trace Sanitization}, booktitle = {Proceedings of the ACM Conference on Wireless Network Security (WiSec)}, year = 2011, month = {June}, pages = {5--10}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/1998412.1998416}, URL = {https://www.cs.dartmouth.edu/~kotz/research/fazio-netsani/index.html}, abstract = {Anonymization is critical prior to sharing wireless-network traces within the research community, to protect both personal and organizational sensitive information from disclosure. One difficulty in anonymization, or more generally, sanitization, is that users lack information about the quality of a sanitization result, such as how much privacy risk a sanitized trace may expose, and how much research utility the sanitized trace may retain. We propose a framework, NetSANI, that allows users to analyze and control the privacy/utility tradeoff in network sanitization. NetSANI can accommodate most of the currently available privacy and utility metrics for network trace sanitization. This framework provides a set of APIs for analyzing the privacy/utility tradeoff by comparing the changes in privacy and utility levels of a trace for a sanitization operation. 
We demonstrate the framework with a quantitative evaluation on wireless-network traces.}, } @InProceedings{kotz:mHealth-threats, author = {David Kotz}, title = {A threat taxonomy for mHealth privacy}, booktitle = {Proceedings of the Workshop on Networked Healthcare Technology (NetHealth)}, year = 2011, month = {January}, articleno = 1, numpages = 6, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/COMSNETS.2011.5716518}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-mHealth-threats/index.html}, abstract = {Networked mobile devices have great potential to enable individuals (and their physicians) to better monitor their health and to manage medical conditions. In this paper, we examine the privacy-related threats to these so-called \emph{mHealth} technologies. We develop a taxonomy of the privacy-related threats, and discuss some of the technologies that could support privacy-sensitive mHealth systems. We conclude with a brief summary of research challenges.}, } @InProceedings{mare:healthsec11, author = {Shrirang Mare and Jacob Sorber and Minho Shin and Cory Cornelius and David Kotz}, title = {Adaptive security and privacy for mHealth sensing}, booktitle = {Proceedings of the USENIX Workshop on Health Security (HealthSec)}, year = 2011, month = {August}, numpages = 5, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-healthsec11/index.html}, note = {Short paper.}, abstract = {As healthcare in many countries faces an aging population and rising costs, mobile Health (mHealth) sensing technologies promise a new opportunity. However, the privacy concerns associated with mHealth sensing are a limiting factor for their widespread adoption. The use of wireless body area networks poses a particular challenge. 
Although there exist protocols that provide a secure and private communication channel between two devices, the large transmission overhead associated with these protocols limits their application to low-power mHealth sensing devices. We propose an adaptive security model that enables use of privacy-preserving protocols in low-power mHealth sensing by reducing the network overhead in the transmissions, while maintaining the security and privacy properties provided by the protocols.}, } @TechReport{mare:hns-tr, author = {Shrirang Mare and Jacob Sorber and Minho Shin and Cory Cornelius and David Kotz}, title = {Hide-n-Sense: Privacy-aware secure mHealth sensing}, institution = {Dartmouth Computer Science}, year = 2011, month = {September}, number = {TR2011-702}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-hns-tr/index.html}, abstract = {As healthcare in many countries faces an aging population and rising costs, mobile sensing technologies promise a new opportunity. Using mobile health (mHealth) sensing, which uses medical sensors to collect data about the patients, and mobile phones to act as a gateway between sensors and electronic health record systems, caregivers can continuously monitor the patients and deliver better care. Furthermore, individuals can become better engaged in monitoring and managing their own health. Although some work on mHealth sensing has addressed security, achieving strong privacy for low-power sensors remains a challenge. \par We make three contributions. First, we propose an mHealth sensing protocol that provides strong security and privacy properties with low energy overhead, suitable for low-power sensors. The protocol uses three novel techniques: adaptive security, to dynamically modify transmission overhead; MAC striping, to make forgery difficult even for small-sized MACs; and an asymmetric resource requirement. 
Second, we demonstrate a prototype on a Chronos wrist device, and evaluate it experimentally. Third, we provide a security, privacy, and energy analysis of our system.}, } @InProceedings{mare:hns-w, author = {Shrirang Mare and Jacob Sorber and Minho Shin and Cory Cornelius and David Kotz}, title = {Adapt-lite: Privacy-aware, secure, and efficient mHealth sensing}, booktitle = {Proceedings of the Workshop on Privacy in the Electronic Society (WPES)}, year = 2011, month = {October}, pages = {137--142}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/2046556.2046574}, URL = {https://www.cs.dartmouth.edu/~kotz/research/mare-hns-w/index.html}, abstract = {As healthcare in many countries faces an aging population and rising costs, mobile sensing technologies promise a new opportunity. Using mobile health (mHealth) sensing, which uses medical sensors to collect data about the patients, and mobile phones to act as a gateway between sensors and electronic health record systems, caregivers can continuously monitor the patients and deliver better care. Although some work on mHealth sensing has addressed security, achieving strong security and privacy for low-power sensors remains a challenge. \par We make three contributions. First, we propose Adapt-lite, a set of two techniques that can be applied to existing wireless protocols to make them energy efficient without compromising their security or privacy properties. The techniques are: adaptive security, which dynamically modifies packet overhead; and MAC striping, which makes forgery difficult even for small-sized MACs. Second, we apply these techniques to an existing wireless protocol, and demonstrate a prototype on a Chronos wrist device. 
Third, we provide security, privacy, and energy analysis of our techniques.}, } @InProceedings{prasad:healthsec11, author = {Aarathi Prasad and Jacob Sorber and Timothy Stablein and Denise Anthony and David Kotz}, title = {Exposing privacy concerns in mHealth}, booktitle = {Proceedings of the USENIX Workshop on Health Security (HealthSec)}, year = 2011, month = {August}, numpages = 2, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-healthsec11/index.html}, note = {Position paper.}, abstract = {We conducted several exploratory focus groups to understand what privacy concerns Patients might have with the collection, storage and sharing of their personal health information, when using mHealth devices. We found that Patients want control over their health information, and we noticed privacy trends that were particular to Patients in the same age group and with similar health experiences.}, } @Article{shin:anonysense, author = {Minho Shin and Cory Cornelius and Dan Peebles and Apu Kapadia and David Kotz and Nikos Triandopoulos}, title = {AnonySense: A System for Anonymous Opportunistic Sensing}, journal = {Journal of Pervasive and Mobile Computing}, year = 2011, month = {February}, volume = 7, number = 1, pages = {16--30}, publisher = {Elsevier}, copyright = {Elsevier}, DOI = {10.1016/j.pmcj.2010.04.001}, URL = {https://www.cs.dartmouth.edu/~kotz/research/shin-anonysense/index.html}, abstract = {We describe AnonySense, a privacy-aware system for realizing pervasive applications based on collaborative, opportunistic sensing by personal mobile devices. AnonySense allows applications to submit sensing \emph{tasks} to be distributed across participating mobile devices, later receiving verified, yet anonymized, sensor data \emph{reports} back from the field, thus providing the first secure implementation of this participatory sensing model. 
We describe our security goals, threat model, and the architecture and protocols of AnonySense. We also describe how AnonySense can support extended security features that can be useful for different applications. We evaluate the security and feasibility of AnonySense through security analysis and prototype implementation. We show the feasibility of our approach through two plausible applications: a Wi-Fi rogue access point detector and a lost-object finder.}, } @InProceedings{sorber:pnt-poster, author = {Jacob Sorber and Minho Shin and Ron Peterson and David Kotz}, title = {Poster: Practical Trusted Computing for mHealth Sensing}, booktitle = {Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys)}, year = 2011, month = {June}, pages = {405--406}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/1999995.2000058}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sorber-pnt-poster/index.html}, abstract = {Mobile sensing technologies present exciting opportunities for healthcare. Wireless sensors can automatically provide sensor data to care providers, dramatically improving their ability to diagnose, monitor, and manage a wide range of medical conditions. Using mobile phones to provide connectivity between sensors and providers is essential to keeping costs low and deployments simple. Unfortunately, software-based attacks against phones, which can have significant consequences for patients, are also on the rise. \par This poster describes a simple, flexible, and novel approach to protecting both the confidentiality and integrity of medical sensing and data processing on vulnerable mobile phones, using plug-in smart cards---even on a phone compromised by malware. 
We describe our design, implementation, and initial experimental results using real smart cards and Android smartphones.}, } @TechReport{tan:crf-tr, author = {Keren Tan and Guanhua Yan and Jihwang Yeo and David Kotz}, title = {Privacy Analysis of User Association Logs in a Large-scale Wireless LAN}, institution = {Dartmouth Computer Science}, year = 2011, month = {January}, number = {TR2011-679}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/tan-crf-tr/index.html}, abstract = {User association logs collected from a large-scale wireless LAN record where and when a user has used the network. Such information plays an important role in wireless network research. One concern of sharing these data with other researchers, however, is that the logs pose potential privacy risks for the network users. Today, the common practice in sanitizing these data before releasing them to the public is to anonymize users' sensitive information, such as their devices' MAC addresses and their exact association locations. In this work, we demonstrate that such sanitization measures are insufficient to protect user privacy because the differences between user association behaviors can be modeled and many are distinguishable. By simulating an adversary's role, we propose a novel type of correlation attack in which the adversary uses the anonymized association log to build signatures against each user, and when combined with auxiliary information, such signatures can help to identify users within the anonymized log. On a user association log that contains more than four thousand users and millions of association records, we demonstrate that this attack technique is able to pinpoint the victim's identity exactly with a probability as high as 70\%, and narrow it down to a set of 20 candidates with a probability close to 100\%. 
We further evaluate the effectiveness of standard anonymization techniques, including generalization and perturbation, in mitigating this correlation attack; our experimental results reveal only limited success of these methods, suggesting that more thorough treatment is needed when anonymizing wireless user association logs before public release.}, } @InProceedings{tan:crf, author = {Keren Tan and Guanhua Yan and Jihwang Yeo and David Kotz}, title = {Privacy analysis of user association logs in a large-scale wireless LAN}, booktitle = {Proceedings of the Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM) mini-conference}, year = 2011, month = {April}, pages = {31--35}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/INFCOM.2011.5935168}, URL = {https://www.cs.dartmouth.edu/~kotz/research/tan-crf/index.html}, abstract = {User association logs collected from a large-scale wireless LAN record where and when a user has used the network. Such information plays an important role in wireless network research. One concern of sharing these data with other researchers, however, is that the logs pose potential privacy risks for the network users. Today, the common practice in sanitizing these data before releasing them to the public is to anonymize users' sensitive information, such as their devices' MAC addresses and their exact association locations. In this work, we aim to study whether such sanitization measures are sufficient to protect user privacy. By simulating an adversary's role, we propose a novel type of correlation attack in which the adversary uses the anonymized association log to build signatures against each user, and when combined with auxiliary information, such signatures can help to identify users within the anonymized log. 
Using a user association log that contains more than four thousand users and millions of association records, we demonstrate that this attack technique, under certain circumstances, is able to pinpoint the victim's identity exactly with a probability as high as 70\%, or narrow it down to a set of 20 candidates with a probability close to 100\%. We further evaluate the effectiveness of standard anonymization techniques, including generalization and perturbation, in mitigating correlation attacks; our experimental results reveal only limited success of these methods, suggesting that more thorough treatment is needed when anonymizing wireless user association logs before public release.}, } @InCollection{tan:survey, author = {Keren Tan and Jihwang Yeo and Michael E. Locasto and David Kotz}, title = {Catch, Clean, and Release: A Survey of Obstacles and Opportunities for Network Trace Sanitization}, booktitle = {Privacy-Aware Knowledge Discovery: Novel Applications and New Techniques}, editor = {Francesco Bonchi and Elena Ferrari}, year = 2011, month = {January}, chapter = 5, pages = {111--141}, publisher = {Chapman and Hall/CRC Press}, copyright = {Chapman and Hall/CRC Press}, ISBN13 = 9781439803653, URL = {https://www.cs.dartmouth.edu/~kotz/research/tan-survey/index.html}, abstract = {Network researchers benefit tremendously from access to traces of production networks, and several repositories of such network traces exist. By their very nature, these traces capture sensitive business and personal activity. Furthermore, network traces contain significant operational information about the target network, such as its structure, identity of the network provider, or addresses of important servers. To protect private or proprietary information, researchers must ``sanitize'' a trace before sharing it. \par In this chapter, we survey the growing body of research that addresses the risks, methods, and evaluation of network trace sanitization. 
Research on the risks of network trace sanitization attempts to extract information from published network traces, while research on sanitization methods investigates approaches that may protect against such attacks. Although researchers have recently proposed both quantitative and qualitative methods to evaluate the effectiveness of sanitization methods, such work has several shortcomings, some of which we highlight in a discussion of open problems. Sanitizing a network trace, however challenging, remains an important method for advancing network-based research.}, } @TechReport{fazio:thesis, author = {Phillip A. Fazio}, title = {Effects of network trace sampling methods on privacy and utility metrics}, institution = {Dartmouth College, Computer Science}, year = 2011, month = {June}, number = {TR2011-697}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/fazio-thesis/index.html}, abstract = {Researchers studying computer networks rely on the availability of traffic trace data collected from live production networks. Those choosing to share trace data with colleagues must first remove or otherwise anonymize sensitive information. This process, called sanitization, represents a tradeoff between the removal of information in the interest of identity protection and the preservation of data within the trace that is most relevant to researchers. While several metrics exist to quantify this privacy-utility tradeoff, they are often computationally expensive. Computing these metrics using a sample of the trace, rather than the entire input trace, could potentially save precious time and space resources, provided the accuracy of these values does not suffer. In this paper, we examine several simple sampling methods to discover their effects on measurement of the privacy-utility tradeoff when anonymizing network traces prior to their sharing or publication. 
After sanitizing a small sample trace collected from the Dartmouth College wireless network, we tested the relative accuracy of a variety of previously implemented packet and flow-sampling methods on a few existing privacy and utility metrics. This analysis led us to conclude that, for our test trace, no single sampling method we examined allowed us to accurately measure the trade-off, and that some sampling methods can produce grossly inaccurate estimates of those values. We were unable to draw conclusions on the use of packet versus flow sampling in these instances.}, } @PhdThesis{tan:thesis, author = {Keren Tan}, title = {Large-scale Wireless Local-area Network Measurement and Privacy Analysis}, school = {Dartmouth College Computer Science}, year = 2011, month = {August}, copyright = {Keren Tan}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/tan-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2011-703}, abstract = {The edge of the Internet is increasingly becoming wireless. Understanding the wireless edge is therefore important for understanding the performance and security aspects of the Internet experience. This need is especially necessary for enterprise-wide wireless local-area networks (WLANs) as organizations increasingly depend on WLANs for mission-critical tasks. To study a live production WLAN, especially a large-scale network, is a difficult undertaking. Two fundamental difficulties involved are (1) building a scalable network measurement infrastructure to collect traces from a large-scale production WLAN, and (2) preserving user privacy while sharing these collected traces to the network research community. 
In this dissertation, we present our experience in designing and implementing one of the largest distributed WLAN measurement systems in the United States, the Dartmouth Internet Security Testbed (DIST), with a particular focus on our solutions to the challenges of efficiency, scalability, and security. We also present an extensive evaluation of the DIST system. To understand the severity of some potential trace-sharing risks for an enterprise-wide large-scale wireless network, we conduct privacy analysis on one kind of wireless network traces, a user-association log, collected from a large-scale WLAN. We introduce a machine-learning based approach that can extract and quantify sensitive information from a user-association log, even though it is sanitized. Finally, we present a case study that evaluates the tradeoff between utility and privacy on WLAN trace sanitization.}, } @TechReport{peebles:anonytl, author = {Dan Peebles and Cory Cornelius and Apu Kapadia and David Kotz and Minho Shin and Nikos Triandopoulos}, title = {AnonyTL Specification}, institution = {Dartmouth Computer Science}, year = 2010, month = {January}, number = {TR2010-660}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/peebles-anonytl/index.html}, abstract = {We provide a specification of \emph{AnonyTL}, a domain-specific language that describes sensing tasks for mobile devices in a manner that facilitates automated reasoning about privacy.}, } @InProceedings{prasad:healthsec10, author = {Aarathi Prasad and David Kotz}, title = {Can I access your Data? 
Privacy Management in mHealth}, booktitle = {Proceedings of the USENIX Workshop on Health Security (HealthSec)}, year = 2010, month = {August}, numpages = 2, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/prasad-healthsec10/index.html}, note = {Position paper}, abstract = {Mobile health (mHealth) has become important in the field of healthcare information technology, as patients begin to use mobile medical sensors to record their daily activities and vital signs. Since their medical data is collected by their sensors, the patients may wish to control data collection and distribution, so as to protect their data and share it only when the need arises. It must be possible for patients to grant or deny access to the data on the storage unit (mobile phones or personal health records (PHR)). Thus, an efficient framework is required for managing patient consent electronically, i.e., to allow patients to express their desires about what data to collect, what to store, and how to share. We describe several challenges posed by privacy management in mobile health.}, } @InProceedings{tan:crf-s3, author = {Keren Tan and Guanhua Yan and Jihwang Yeo and David Kotz}, title = {A Correlation Attack Against User Mobility Privacy in a Large-scale WLAN network}, booktitle = {Proceedings of the ACM MobiCom S3 workshop}, year = 2010, month = {September}, pages = {33--35}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/1860039.1860050}, URL = {https://www.cs.dartmouth.edu/~kotz/research/tan-crf-s3/index.html}, abstract = {User association logs collected from real-world wireless LANs have facilitated wireless network research greatly. To protect user privacy, the common practice in sanitizing these data before releasing them to the public is to anonymize users' sensitive information such as the MAC addresses of their devices and their exact association locations. 
In this work, we demonstrate that these sanitization measures are insufficient in protecting user privacy from a novel type of correlation attack that is based on CRF (Conditional Random Field). In such a correlation attack, the adversary observes the victim's AP (Access Point) association activities for a short period of time and then infers her corresponding identity in a released user association dataset. Using a user association log that contains more than three thousand users and millions of AP association records, we demonstrate that the CRF-based technique is able to pinpoint the victim's identity exactly with a probability as high as 70\%.}, } @InProceedings{kapadia:metrosec-challenges, author = {Apu Kapadia and David Kotz and Nikos Triandopoulos}, title = {Opportunistic Sensing: Security Challenges for the New Paradigm}, booktitle = {Proceedings of the International Conference on COMmunication Systems and NETworkS (COMSNETS)}, year = 2009, month = {January}, numpages = 10, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/COMSNETS.2009.4808850}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kapadia-metrosec-challenges/index.html}, note = {Invited paper}, abstract = {We study the security challenges that arise in \emph{opportunistic people-centric sensing}, a new sensing paradigm leveraging humans as part of the sensing infrastructure. Most prior sensor-network research has focused on collecting and processing environmental data using a static topology and an application-aware infrastructure, whereas opportunistic sensing involves collecting, storing, processing and fusing large volumes of data related to everyday human activities. This highly dynamic and mobile setting, where humans are the central focus, presents new challenges for information security, because data originates from sensors carried by people---not tiny sensors thrown in the forest or attached to animals. 
In this paper we aim to instigate discussion of this critical issue, because opportunistic people-centric sensing will never succeed without adequate provisions for security and privacy. To that end, we outline several important challenges and suggest general solutions that hold promise in this new sensing paradigm.}, } @InProceedings{kotz:mhealth-spimacs, author = {David Kotz and Sasikanth Avancha and Amit Baxi}, title = {A privacy framework for mobile health and home-care systems}, booktitle = {Proceedings of the Workshop on Security and Privacy in Medical and Home-Care Systems (SPIMACS)}, year = 2009, month = {November}, pages = {1--12}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/1655084.1655086}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-mhealth-spimacs/index.html}, abstract = {In this paper, we consider the challenge of preserving patient privacy in the context of mobile healthcare and home-care systems, that is, the use of mobile computing and communications technologies in the delivery of healthcare or the provision of at-home medical care and assisted living. This paper makes three primary contributions. First, we compare existing privacy frameworks, identifying key differences and shortcomings. Second, we identify a privacy framework for mobile healthcare and home-care systems. Third, we extract a set of privacy properties intended for use by those who design systems and applications for mobile healthcare and home-care systems, linking them back to the privacy principles. Finally, we list several important research questions that the community should address. 
We hope that the privacy framework in this paper can help to guide the researchers and developers in this community, and that the privacy properties provide a concrete foundation for privacy-sensitive systems and applications for mobile healthcare and home-care systems.}, } @InCollection{sriram:challenges, author = {Janani Sriram and Minho Shin and David Kotz and Anand Rajan and Manoj Sastry and Mark Yarvis}, title = {Challenges in Data Quality Assurance in Pervasive Health Monitoring Systems}, booktitle = {Future of Trust in Computing}, editor = {David Gawrock and Helmut Reimer and Ahmad-Reza Sadeghi and Claire Vishik}, year = 2009, month = {July}, chapter = 0, pages = {129--142}, publisher = {Vieweg+Teubner Verlag}, copyright = {Vieweg+Teubner Verlag}, ISBN13 = {978-3-8348-9324-6}, DOI = {10.1007/978-3-8348-9324-6_14}, URL = {https://www.cs.dartmouth.edu/~kotz/research/sriram-challenges/index.html}, abstract = {Wearable, portable, and implantable medical sensors have ushered in a new paradigm for healthcare in which patients can take greater responsibility and caregivers can make well-informed, timely decisions. Health-monitoring systems built on such sensors have huge potential benefit to the quality of healthcare and quality of life for many people, such as patients with chronic medical conditions (such as blood-sugar sensors for diabetics), people seeking to change unhealthy behavior (such as losing weight or quitting smoking), or athletes wishing to monitor their condition and performance. To be effective, however, these systems must provide assurances about the quality of the sensor data. The sensors must be applied to the patient by a human, and the sensor data may be transported across multiple networks and devices before it is presented to the medical team. While no system can guarantee data quality, we anticipate that it will help for the system to annotate data with some measure of \emph{confidence}. 
In this paper, we take a deeper look at potential health-monitoring usage scenarios and highlight research challenges required to ensure and assess quality of sensor data in health-monitoring systems.}, } @TechReport{yeo:poll-tr, author = {Jihwang Yeo and Keren Tan and David Kotz}, title = {User survey regarding the needs of network researchers in trace-anonymization tools}, institution = {Dartmouth Computer Science}, year = 2009, month = {November}, number = {TR2009-658}, copyright = {the authors}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/yeo-poll-tr/index.html}, abstract = {To understand the needs of network researchers in an anonymization tool, we conducted a survey of network researchers. We invited network researchers world-wide to the survey by sending invitation emails to well-known mailing lists whose subscribers may be interested in network research that involves collecting, sharing, and sanitizing network traces.}, } @InProceedings{cornelius:anonysense, author = {Cory Cornelius and Apu Kapadia and David Kotz and Dan Peebles and Minho Shin and Nikos Triandopoulos}, title = {AnonySense: Privacy-Aware People-Centric Sensing}, booktitle = {Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys)}, year = 2008, month = {June}, pages = {211--224}, publisher = {ACM}, copyright = {ACM}, DOI = {10.1145/1378600.1378624}, URL = {https://www.cs.dartmouth.edu/~kotz/research/cornelius-anonysense/index.html}, abstract = {Personal mobile devices are increasingly equipped with the capability to sense the physical world (through cameras, microphones, and accelerometers, for example) and the network world (with Wi-Fi and Bluetooth interfaces). Such devices offer many new opportunities for cooperative sensing applications. 
For example, users' mobile phones may contribute data to community-oriented information services, from city-wide pollution monitoring to enterprise-wide detection of unauthorized Wi-Fi access points. This people-centric mobile-sensing model introduces a new security challenge in the design of mobile systems: protecting the privacy of participants while allowing their devices to reliably contribute high-quality data to these large-scale applications. \par We describe AnonySense, a privacy-aware architecture for realizing pervasive applications based on collaborative, opportunistic sensing by personal mobile devices. AnonySense allows applications to submit sensing \emph{tasks} that will be distributed across anonymous participating mobile devices, later receiving verified, yet anonymized, sensor data \emph{reports} back from the field, thus providing the first secure implementation of this participatory sensing model. We describe our trust model, and the security properties that drove the design of the AnonySense system. We evaluate our prototype implementation through experiments that indicate the feasibility of this approach, and through two applications: a Wi-Fi rogue access point detector and a lost-object finder.}, } @InProceedings{kapadia:anonysense, author = {Apu Kapadia and Nikos Triandopoulos and Cory Cornelius and Dan Peebles and David Kotz}, title = {AnonySense: Opportunistic and Privacy-Preserving Context Collection}, booktitle = {Proceedings of the International Conference on Pervasive Computing (Pervasive)}, series = {Lecture Notes in Computer Science}, year = 2008, month = {May}, volume = 5013, pages = {280--297}, publisher = {Springer-Verlag}, copyright = {Springer-Verlag}, DOI = {10.1007/978-3-540-79576-6_17}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kapadia-anonysense/index.html}, abstract = {Opportunistic sensing allows applications to ``task'' mobile devices to measure context in a target region. 
For example, one could leverage sensor-equipped vehicles to measure traffic or pollution levels on a particular street, or users' mobile phones to locate (Bluetooth-enabled) objects in their neighborhood. In most proposed applications, context reports include the time and location of the event, putting the privacy of users at increased risk---even if a report has been anonymized, the accompanying time and location can reveal sufficient information to deanonymize the user whose device sent the report. \par We propose AnonySense, a general-purpose architecture for leveraging users' mobile devices for measuring context, while maintaining the privacy of the users. AnonySense features multiple layers of privacy protection---a framework for nodes to receive tasks anonymously, a novel blurring mechanism based on tessellation and clustering to protect users' privacy against the system while reporting context, and k-anonymous report aggregation to improve the users' privacy against applications receiving the context. We outline the architecture and security properties of AnonySense, and focus on evaluating our tessellation and clustering algorithm against real mobility traces.}, } @InProceedings{shin:senseright-poster, author = {Cory Cornelius and Apu Kapadia and David Kotz and Dan Peebles and Minho Shin and Patrick Tsang}, title = {Poster Abstract: Reliable People-Centric Sensing with Unreliable Voluntary Carriers}, booktitle = {Proceedings of the International Conference on Mobile Systems, Applications, and Services (MobiSys)}, year = 2008, month = {June}, numpages = 1, publisher = {ACM}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/shin-senseright-poster/index.html}, abstract = {As sensor technology becomes increasingly easy to integrate into personal devices such as mobile phones, clothing, and athletic equipment, there will be new applications involving opportunistic, people-centric sensing. 
These applications, which gather information about human activities and personal social context, raise many security and privacy challenges. In particular, data integrity is important for many applications, whether using traffic data for city planning or medical data for diagnosis. Although our AnonySense system (presented at MobiSys) addresses privacy in people-centric sensing, protecting data integrity in people-centric sensing still remains a challenge. Some mechanisms to protect privacy provide anonymity, and thus provide limited means for accountability; data integrity becomes even more difficult to protect. \par We propose SenseRight, the first architecture for high-integrity people-centric sensing. The SenseRight approach, which extends and enhances AnonySense, assures integrity of both the sensor data (through use of tamper-resistant sensor devices) and the sensor context (through a time-constrained protocol), maintaining anonymity if desired.}, } @TechReport{fielding:thesis, author = {Jeffrey Fielding}, title = {Linkability in Activity Inference Data Sets}, institution = {Dartmouth Computer Science}, year = 2008, month = {June}, number = {TR2008-623}, copyright = {the author}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/fielding-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Report TR2008-623}, abstract = {Activity inference is an active area of ubiquitous computing research. By training machine learning algorithms on data from sensors worn by volunteers, researchers hope to develop software that can interact more naturally with the user by inferring what the user is doing. In this thesis, we use the same sensor data to infer which volunteer is carrying the sensors. Such inference could be useful -- for example, a mobile device might infer who is carrying it and adapt to that user's preferences. 
It also raises some privacy concerns, since an attacker could learn more about a user by linking together several sensor traces from the same user. We develop a model to differentiate users based on their sensor data, and examine its accuracy as well as the potential benefits and pitfalls.}, } @Article{anthony:pervasive, author = {Denise Anthony and Tristan Henderson and David Kotz}, title = {Privacy in Location Aware Computing Environments}, journal = {IEEE Pervasive Computing}, year = 2007, month = {October}, volume = 6, number = 4, pages = {64--72}, publisher = {IEEE}, copyright = {IEEE}, DOI = {10.1109/MPRV.2007.83}, URL = {https://www.cs.dartmouth.edu/~kotz/research/anthony-pervasive/index.html}, abstract = {As location-aware and pervasive computing technologies become more prevalent, privacy concerns are becoming increasingly important. User preferences about location privacy may depend on place, not only in terms of their physical location but also in terms of their social context: how they define where they are, what they are doing, and whom they are with at the time. Using the experience sampling method, the authors explored the privacy preferences of 25 users during one week. They found that participants were more willing to share location information when at home or alone than when at other locations or with friends. Most participants were consistent in their location privacy preferences across requester categories and regardless of place. Some participants, however, varied in their willingness to share location information depending on where they were, who they were with, and who was requesting the information. Those participants tended to be more concerned about privacy in general. These findings are useful for designing future privacy policies and user interfaces for pervasive computing. 
This article is part of a special issue on security and privacy.}, } @TechReport{johnson:metrosec-challenges-tr, author = {Peter Johnson and Apu Kapadia and David Kotz and Nikos Triandopoulos}, title = {People-Centric Urban Sensing: Security Challenges for the New Paradigm}, institution = {Dartmouth Computer Science}, year = 2007, month = {February}, number = {TR2007-586}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/johnson-metrosec-challenges-tr/index.html}, abstract = {We study the security challenges that arise in \emph{people-centric urban sensing}, a new sensor-networking paradigm that leverages humans as part of the sensing infrastructure. Most prior work on sensor networks has focused on collecting and processing ephemeral data about the environment using a static topology and an application-aware infrastructure. People-centric urban sensing, however, involves collecting, storing, processing and fusing large volumes of data related to every-day human activities. Sensing is performed in a highly dynamic and mobile environment, and supports (among other things) pervasive computing applications that are focused on enhancing the user's experience. In such a setting, where humans are the central focus, there are new challenges for information security; not only because of the complex and dynamic communication patterns, but also because the data originates from sensors that are carried by a person---not a tiny sensor thrown in the forest or mounted on the neck of an animal. In this paper we aim to instigate discussion about this critical issue---because people-centric sensing will never succeed without adequate provisions for security and privacy. 
To that end, we outline several important challenges and suggest general solutions that hold promise in this new paradigm of sensor networks.}, } @InProceedings{kapadia:walls, author = {Apu Kapadia and Tristan Henderson and Jeffrey Fielding and David Kotz}, title = {Virtual Walls: Protecting Digital Privacy in Pervasive Environments}, booktitle = {Proceedings of the International Conference on Pervasive Computing (Pervasive)}, series = {Lecture Notes in Computer Science}, year = 2007, month = {May}, volume = 4480, pages = {162--179}, publisher = {Springer-Verlag}, copyright = {Springer-Verlag}, DOI = {10.1007/978-3-540-72037-9_10}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kapadia-walls/index.html}, abstract = {As pervasive environments become more commonplace, the privacy of users is placed at an increased risk. The numerous and diverse sensors in these environments can record contextual information about users, leading to users unwittingly leaving ``digital footprints.'' Users must therefore be allowed to control how their digital footprints are reported to third parties. While a significant amount of prior work has focused on location privacy, location is only one specific type of footprint, and we expect most users to be incapable of specifying fine-grained policies for a multitude of footprints. In this paper we present a policy language based on the metaphor of physical walls, and posit that users will find this to be an intuitive way to control access to their digital footprints. For example, users understand the physical privacy implications of conducting a meeting in a room enclosed by physical walls. By allowing users to deploy ``virtual walls,'' they can control the privacy of their digital footprints much in the same way they control their privacy in the physical world. We present a policy framework and model for virtual walls with three levels of transparency that correspond to intuitive levels of privacy. 
We also describe the results of a user study (N {$=$} 23) that indicates that our model is easy to understand and use.}, } @TechReport{kotz:privacy, author = {David Kotz}, title = {Technological Implications for Privacy}, institution = {Dartmouth Computer Science}, year = 2004, month = {June}, number = {TR2004-505}, copyright = {the author}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-privacy/index.html}, note = {Originally written during Summer 1998 Ethics Institute at Dartmouth College}, abstract = {The World-Wide Web is increasingly used for commerce and access to personal information stored in databases. Although the Web is ``just another medium'' for information exchange, the fact that all the information is stored in computers, and all of the activity happens in computers and computer networks, makes it easier (cheaper) than ever to track users' activities. By recording and analyzing users' activities on the Web, activities that may seem to be quite private to many users, it is more likely than ever before that a person's privacy may be threatened. In this paper I examine some of the technology in the Web, and how it affects the privacy of Web users. I also briefly summarize some of the efforts to regulate privacy on the Internet.}, } @TechReport{kotz:dwta-tr, author = {David Kotz and Robert Gray and Daniela Rus}, title = {Future Directions for Mobile-Agent Research}, institution = {Dartmouth Computer Science}, year = 2002, month = {January}, number = {TR2002-415}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-dwta-tr/index.html}, note = {Based on a conversation with Jeff Bradshaw, Colin Harrison, Guenter Karjoth, Amy Murphy, Gian Pietro Picco, M. Ranganathan, Niranjan Suri, and Christian Tschudin.}, abstract = {During a discussion in September 2000 the authors examined the future of research on mobile agents and mobile code. 
(A mobile agent is a running program that can move from host to host in a network at times and to places of its own choosing.) In this paper we summarize and reflect on that discussion. It became clear that the field should shift its emphasis toward mobile code, in all its forms, rather than continue its narrow focus on mobile agents. Furthermore, we encourage the development of modular components, so that application designers may take advantage of code mobility without needing to rewrite their application to fit in a monolithic mobile-agent system. There are many potential applications that may productively use mobile code, but there is no ``killer application'' for mobile agents. Finally, we note that although security is an important and challenging problem, there are many applications and environments with security requirements well within the capability of existing mobile-code and mobile-agent frameworks.}, } @Article{kotz:dwta, author = {David Kotz and Robert Gray and Daniela Rus}, title = {Future Directions for Mobile-Agent Research}, journal = {IEEE Distributed Systems Online}, year = 2002, month = {August}, volume = 3, number = 8, numpages = 6, publisher = {IEEE}, copyright = {IEEE}, URL = {https://www.cs.dartmouth.edu/~kotz/research/kotz-dwta/index.html}, note = {Based on a conversation with Jeff Bradshaw, Colin Harrison, Guenter Karjoth, Amy Murphy, Gian Pietro Picco, M. Ranganathan, Niranjan Suri, and Christian Tschudin.}, abstract = {The field of mobile agents should shift its emphasis toward mobile code, in all its forms, rather than continue focusing on mobile agents. The development of modular components will help application designers take advantage of code mobility without having to rewrite their applications to fit in monolithic, mobile agent systems.}, }