UW Computer Security Research and Course Blog

(originally written 11/07/2008)

Early next week, the University of California, Berkeley, in a joint effort with Nokia Research Labs, intends to launch Mobile Millennium, a project that aims to capture traffic patterns accurately and in real-time by harnessing cell phones as mobile sensors.  Previous work has only considered static sensors explicitly placed at location of interest (e.g. major congested roads); as such, their approach suffers from the inherent existence of blind spots in their analyses.  On the other hand, the design of Mobile Millennium lends itself well to monitoring traffic patterns anywhere participating mobile phones receive signal.

In Mobile Millennium, users will be able to voluntarily download a free Java program onto their mobile devices, which monitors their location, speed and direction of movement.  This information will be collected into a large database and analyzed collectively to determine the presence of traffic jams and stranded vehicles, for example.  This technology currently targets GPS-enabled phones whose service provider is a GSM network, e.g. AT&T or T-Mobile.  Mobile Millennium has set virtual trip lines at certain geographic locations so that whenever a participating device passes through the trip line, information is relayed to the project servers. This project will focus on traffic on major roads between the Bay Area and Sacramento, but intends to expand to arterial roads in the future.

From a security perspective, the project incorporates “Privacy by Design” principles so that no data point can be directly connected with a particular phone.  To achieve this involves stripping incoming data of identifying information in addition to encrypting transmitted data and analyzing data on a need-to-know basis.  To further alleviate security fears, Mobile Millennium operates on a completely voluntary-basis and users can stop participating at any time.

Stakeholders
Despite the claims of system anonymity by the creators of Mobile Millennium, users are risking knowledge of their location and identifying information when they volunteer to participate.  Even in the case that the the project adheres to the aforementioned principles of Privacy by Design, there are certain cases in which one can infer user identity from location and external knowledge.  For example, if a participant habitually travels to an area devoid of other participants, then this individual’s movement can be monitored without the system explicitly mapping her data point to her person.  If this area happens to be her home address, then even more information is compromised.

From a more optimistic perspective, by design, Mobile Millennium can track whether participants are stranded on roads; one could easily imagine how this knowledge might facilitate increased precision and a more speedy response to emergency situations, stranded vehicles, etc.  (Thus, perhaps towing companies may be an indirect stakeholder as well.)

In addition,the participating device may witness a significant computational overhead, as it is constantly streaming data to Mobile Millennium servers.  If the technology becomes more main-stream, will this affect how cell phones are created?  Will this have an impact on the types of encryption that can be done, now that computing power is even more limited?

Because users are encouraged to have unlimited plans, the creators of Mobile Millennium themselves may be an indirect stakeholder; if this limitation prevents a certain demographic or region from participating, Mobile Millennium may end up studying traffic patterns of a limited subset of the population and draw biased conclusions.

In addition, citizens of the targeted region are direct stakeholders, even if they are not participants.  Supposedly anyone can check the status of traffic on Mobile Millennium’s website; this technology is intended to relieve areas of major congestion directly, or at least provide the means for the state Department of Transportation to improve infrastructure.  (Thus, one might consider the Department of Transportation another indirect stakeholder.)

Finally, the police department has a potential and indirect interest in the development of Mobile Millennium.  The lack of individual privacy in the project implementation (as well as the perception of such) may effect crime on the road.  This is further discussed in the “Adversaries” section.

Assets and Security Goals
As discussed above, the general privacy of participants should be a major concern of Mobile Millennium.  While the creators have certainly gone to some length to protect the identities of their users, it is not clear that such measures are enough to maintain true anonymity.

In addition, personal security may potentially be at stake; a user might not feel comfortable if strangers know that he is stranded on an isolated road in the middle of the night.  He might very well prefer to call a friend for help rather than alert Mobile Millennium of his distress.

Potential Adversaries and Threats
Though typically not portrayed as an adversary, the police have strong (and arguably, semi-justified)  motivation to infringe on user privacy rights. For example, if one can identify people via Mobile Millennium, it would be easier to find the aggressor of a hit-and-run incident.  It might be easier to track the whereabouts of or verify alibis of suspects.  Similarly, the federal government has an interest in breaking any privacy-ensuring mechanisms set in place by Mobile Millennium; such a breach would facilitate any tapping and/or tracking of individuals of interest.

The government may also have an interest (albeit, a different one) on the state and/or judicial level.  If they can even determine that a certain demographic frequents certain roads in certain patterns, this may induce a bias toward one class (e.g. a wealthier class) over another to increase revenue.

Potential Weaknesses
From a security perspective, there seems to be no way for a user who decides to stop participating to ensure that indeed their information is no longer being tracked by Mobile Millennium.  In addition, who is in control of the system?  If the control of the system gets into the wrong hands, are there mechanisms in place to ensure that an adversary can still do no harm despite having access to the centralized information?

Potential Defenses
To the weaknesses above, defenses might include mechanisms to ensure that a former participant is indeed no longer participating.  An extreme version of such a defense would be to get a new phone, but this is cumbersome; it should not be at the expense of the user to ensure his or her non-participation.  The claimed ability to be able to disable participation at any time is already a first line of defense against privacy issues and/or qualms had by the user.

Evaluation and Conclusion
Mobile Millennium proposes a new technology that allows the tracking of large group of people without explicitly identifying them.  However, with this technology comes a lot of privacy issues; in particular, it is questionable how much identifying information could be inferred without explicit mapping of data point to name.  Because there will always be conceivably special cases in which little information is needed to deduce a person’s association with a data point, it is extremely difficult to defend against this kind of privacy breach without refusing to participate in the first place.  One can think of addressing this potentially contrived case as a “worst case analysis”.  Any theoretical defense toward adding data points to make an inferred data point more anonymous debunks the very purpose of this study, which involves understanding the traffic patterns of real people.  While it seems that technology of this type poses severe privacy issues, it will inevitably become more mainstream because of the benefits that a system gains from tracking people (or things) within it.  In fact, a similar technology is already implemented in many hospitals as a way of tracking equipment, patients and staff.  (It should be noted, however, that this technology is restricted to the domain of the hospital and would not, for example, aid the police in tracking their suspects.)  Toward that end, it is increasingly necessary to resolve these issues in a way that renders the technology simultaneously respectful of individual privacy and contributing to society as a whole.