Personal Privacy in Ubiquitous Computing: Tools and System Support
Marc Langheinrich
PhD thesis No. 16100, ETH Zurich, Zurich, Switzerland, May 2005

Abstract

Visions of future computing environments involve integrating tiny microelectronic processors and sensors into everyday objects in order to make them smart. Smart things can explore their environment, communicate with other smart things, and interact with humans, therefore helping users to cope with their tasks in new, intuitive ways. However, this digitization of our everyday lives will not only allow computers to better understand our actions and goals, but also allow others to inspect and search such electronic records, potentially creating a comprehensive surveillance network of unprecedented scale.

How should these developments affect our notion of privacy, our right to be let alone, our freedom to determine for ourselves when, how, and to what extent information about us is communicated to others? Should we give up our solitude and anonymity in light of these new technological realities and create a transparent society, in which nothing can be kept secret anymore, for better or for worse? Or do we need to surround ourselves with better security mechanisms that will make our communications and our presence untraceable to anyone but the most determined observer?

This thesis argues for a third alternative, a middle ground between the two extremes of abandoning privacy and attempting full-scale anonymity. It proposes an architecture to facilitate the upfront notices of data collections in future computer environments, means to automatically process such announcements and individually configure the available collection parameters, processes to store and subsequently process any such collected data automatically according to the given notices, and tools for individuals to control and inspect their state of privacy in an ever-connected world.
In particular, this thesis provides for

* a method to announce privacy policies in smart environments via privacy beacons and personal privacy assistants,
* a method to reason and act upon such policies by automatically configuring the available services with the help of privacy proxies, and
* a method to store the collected information and enforce their respective collection and usage policies through privacy-aware databases.

Taken together, these mechanisms can provide the technical foundations for future privacy frameworks that provide a level of privacy protection suitable for smart environments: anytime, anywhere, effortless privacy.
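As an added illustration of how the three mechanisms fit together (this is not the thesis's own code, and it makes no claim about how the thesis implements these components), the following Python sketch models a privacy beacon announcing a collection policy, a personal privacy assistant comparing that policy with the user's preferences, a privacy proxy that turns the decision into a service configuration, and a privacy-aware database that keeps each stored value bound to the policy it was collected under. All class names, fields, preference values and the sample scenario are assumptions constructed for this example.

```python
"""Toy model of the mechanisms named in the abstract: a privacy beacon
announcing a collection policy, a privacy assistant and proxy configuring
the service against user preferences, and a privacy-aware database that
enforces the policy on later access.  Constructed example: every class,
field and sample value is an assumption, not code from the thesis."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class DataElement:
    """One item a service wants to collect, as announced by the beacon."""
    name: str            # e.g. "location"
    purpose: str         # why it is collected, e.g. "navigation"
    retention_days: int  # how long the collector may keep it
    optional: bool       # may the user opt out of this element?

@dataclass(frozen=True)
class PrivacyPolicy:
    """What a privacy beacon broadcasts for one service."""
    service: str
    elements: Tuple[DataElement, ...]

@dataclass(frozen=True)
class Preference:
    """What the user tolerates for one kind of data."""
    allowed_purposes: Set[str]
    max_retention_days: int

class PrivacyAssistant:
    """Checks a beacon's policy element by element against the user's
    preferences; data types without a preference are denied by default."""
    def __init__(self, prefs: Dict[str, Preference]):
        self.prefs = prefs

    def element_ok(self, e: DataElement) -> bool:
        p = self.prefs.get(e.name)
        return (p is not None and e.purpose in p.allowed_purposes
                and e.retention_days <= p.max_retention_days)

    def decide(self, policy: PrivacyPolicy) -> Optional[List[str]]:
        """Names of the elements to allow, or None when a mandatory
        element is unacceptable and the service must be refused."""
        allowed = []
        for e in policy.elements:
            if self.element_ok(e):
                allowed.append(e.name)
            elif not e.optional:
                return None
        return allowed

def privacy_proxy(assistant: PrivacyAssistant, policy: PrivacyPolicy) -> dict:
    """Turns the assistant's decision into the configuration handed to the
    service: accepted elements are switched on, all others suppressed."""
    allowed = assistant.decide(policy)
    if allowed is None:
        return {"service": policy.service, "accepted": False}
    return {"service": policy.service, "accepted": True, "collect": allowed,
            "suppress": [e.name for e in policy.elements if e.name not in allowed]}

class PrivacyAwareDatabase:
    """Stores each value with the policy element it was collected under and
    enforces purpose binding and retention on every read."""
    def __init__(self):
        self.rows: List[tuple] = []  # (subject, element, value, collected_at)

    def insert(self, subject, element, value, now):
        self.rows.append((subject, element, value, now))

    def query(self, purpose: str, now: datetime) -> List[tuple]:
        """Expired rows are dropped first; only rows collected for the
        requested purpose are visible."""
        self.rows = [r for r in self.rows
                     if now - r[3] < timedelta(days=r[1].retention_days)]
        return [r for r in self.rows if r[1].purpose == purpose]

def run_scenario() -> dict:
    """Constructed walk-through: one beacon, one user, one store."""
    location = DataElement("location", "navigation", 1, False)
    identity = DataElement("identity", "marketing", 365, True)
    device = DataElement("device_id", "navigation", 30, True)
    announced = PrivacyPolicy("campus-navigation", (location, identity, device))
    assistant = PrivacyAssistant({"location": Preference({"navigation"}, 7),
                                  "identity": Preference({"billing"}, 30),
                                  "device_id": Preference({"navigation"}, 7)})
    config = privacy_proxy(assistant, announced)
    db = PrivacyAwareDatabase()
    t0 = datetime(2005, 5, 1, 9, 0)
    for e in announced.elements:
        if e.name in config["collect"]:
            db.insert("alice", e, "building-42", t0)
    # A second beacon makes the marketing element mandatory: refuse it.
    strict = PrivacyPolicy("kiosk", (DataElement("identity", "marketing", 365, False),))
    return {"config": config,
            "navigation_now": len(db.query("navigation", t0)),
            "marketing_now": len(db.query("marketing", t0)),
            "navigation_after_2_days": len(db.query("navigation", t0 + timedelta(days=2))),
            "refused": privacy_proxy(assistant, strict)["accepted"] is False}
```

In the scenario, the assistant accepts only the location element (the marketing and long-retention elements are optional and get suppressed), the proxy hands the service a configuration listing what may and may not be collected, and the database refuses to return the location value for any purpose other than navigation and drops it once its one-day retention period has passed. A second beacon whose unacceptable element is mandatory is refused outright, which is the default-deny behaviour a practitioner would want from such an assistant.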