has embedded meaningful logical borders that can be could surround a user. The enforcement of such a refined by autonomous context-aware agents. This profile could be a means to preserve the user's personal approach presents some open issues including the privacy. management of a mobile personal profile, and the An alternative solution to preserve privacy could ecurity and the trustability of the autonomous base the main functionalities of the Hww paradigm agents. However, note that some threats to user pri- on anonymous IDs. This solution may require racy still persist, for instance, even turning off the redesigning a part of the current network infrastruc- HWW device could provide information useful to ture, and finding convenient trade-offs between pri undermine the user privacy to some extent. Indeed, vacy and security issues. C the most obvious piece of information is that the user probably does not want to be traced. With the logical REFERENCES order approach a major threat to privacy can there- 1. Borisov, N. et al. Intercepting mobile co ions: The insecurity fore be identified in traffic analysis [7] of 802.11. In Proceedings ofACMHIEEE MOBICOM 2001: 180-189 2. Carman, D W. et al. Constraints and approaches for distributed sensor As for anonymous UIDs, they could be the default network security. NAI Labs Technical Report.(Sept. 2000) operating mode of any HWw devices, that is anonymI ity should be a basic building block of the 3. Chan, H et al. Random key predistribution schemes for sensor net- network infrastructure. In other words, the main (May 2003, Oakland, CA) orks. In Proceedings of the IEEE Symposium on Security and Privacy functionalities of the HWw paradigm--service dis- 4. Coulouris, G et al. Distributed Sytem: Concepts and Deign. Addison covery, advertising, and providing-should be based Wesley, Reading. PA, 2001 5. Di Pietro, R et al. Providing secre ment protocols for Note that the use of anonymous UiDs does not imply 6. Foxe, .irand rbe, s, Security n the move indrect puthe that users would never be identified, since for exam- sing Kerberos. In Proceedings of ACMIIEEE MOB/COM 1996 ple, a user could always prove his/her own identity, at 55-164. 7. Guan, Y et al. Preventing east at the application layer, if so desired. The imple networks. In Proceedings of IEEE Milcom(Nov. 1999), 744-750 mentation of anonymous IDs may require redesign 8. Harter. A. et al. The ing the algorithms and protocols of the current 9. Hermann, R et al. DEAPspace-Transicnt ad hoc networking of per- network infrastructure. Moreover, the redesign asive devices. Computer Networks 35 (2001), 411-4 process should consider the trade-off between privacy 10 Kindberg, Tet al d monet 2 Peopl 2 0a2, thing A.Pcb b5-s7c. for the re and security in the network infrastructure. Indeed, 11. Myers, B.A. Using handhelds and PCs together. Commun. ACM44,11 anonymous IDs could expose any HWW device to (Noy, 2001), 34-41 anonymou Is attacks that could be very difficult to mandatory and discretionary access control policies. ACM Tn trace. On the other hand, a finer control over all the and System Security 3, 2(May 2000)85-100 HWW communications could guarantee a higher level of security but might represent a threat to the user privacy ROBERTo DI PIETRO(dipietro@dsi. uniromal it)is a Ph. D student in the Department of Computer Science at the University of Conclusion Rome "La Sapienza, "Italy. LUIGI V. MANCIN acini@dsi uniromal This article discussed the emergence of networks of Department of Computer Science at the University of Rome"La HWW devices, and the models that could enable Sapienza, " Italy their pervasive and d deployment. Furthe more. a few issues of the to the security of the and of the network如kk时hB:E5h infrastructure, as well as to the user personal privacy cure Information Systems, Fairfax, VA are addressed Permission to make digital or hard copies of all or part of this work for per It appears security concerns can partially benefit for profit or commercial advantage and that copies bear this notice and the full citation from the model and solutions already deployed in the o list, ise args Tor spe fih rewrmeis :iore aulas fe post an servers or to redstribus wired paradigm. In addition, the issues regarding user privacy are more complex and pervasive and require new solutions and further investigation. To our nowledge, research efforts in this direction are not even planned Finally, we emphasize the need for an easy to con- figure and manageable personal profile to control the interactions among the many HWw devices that o 2003 ACM 0002-0782/03/0900$5.00 COMMUNICATIONS OF THE ACM September 2003/Vol 46. Ne. 9 79has embedded meaningful logical borders that can be refined by autonomous context-aware agents. This approach presents some open issues including the management of a mobile personal profile, and the security and the trustability of the autonomous agents. However, note that some threats to user pri￾vacy still persist, for instance, even turning off the HWW device could provide information useful to undermine the user privacy to some extent. Indeed, the most obvious piece of information is that the user probably does not want to be traced. With the logical border approach a major threat to privacy can there￾fore be identified in traffic analysis [7]. As for anonymous UIDs, they could be the default operating mode of any HWW devices, that is, anonymity should be a basic building block of the network infrastructure. In other words, the main functionalities of the HWW paradigm—service dis￾covery, advertising, and providing—should be based on an anonymous UID not related to the real user. Note that the use of anonymous UIDs does not imply that users would never be identified, since for exam￾ple, a user could always prove his/her own identity, at least at the application layer, if so desired. The imple￾mentation of anonymous IDs may require redesign￾ing the algorithms and protocols of the current network infrastructure. Moreover, the redesign process should consider the trade-off between privacy and security in the network infrastructure. Indeed, anonymous IDs could expose any HWW device to anonymous attacks that could be very difficult to trace. On the other hand, a finer control over all the HWW communications could guarantee a higher level of security but might represent a threat to the user privacy. Conclusion This article discussed the emergence of networks of HWW devices, and the models that could enable their pervasive and integrated deployment. Further￾more, a few issues of the HWW environment related to the security of the system, and of the network infrastructure, as well as to the user personal privacy are addressed. It appears security concerns can partially benefit from the model and solutions already deployed in the wired paradigm. In addition, the issues regarding user privacy are more complex and pervasive and require new solutions and further investigation. To our knowledge, research efforts in this direction are not even planned. Finally, we emphasize the need for an easy to con￾figure and manageable personal profile to control the interactions among the many HWW devices that could surround a user. The enforcement of such a profile could be a means to preserve the user’s personal privacy. An alternative solution to preserve privacy could base the main functionalities of the HWW paradigm on anonymous IDs. This solution may require redesigning a part of the current network infrastruc￾ture, and finding convenient trade-offs between pri￾vacy and security issues. References 1. Borisov, N. et al. Intercepting mobile communications: The insecurity of 802.11. In Proceedings of ACM/IEEE MOBICOM 2001; 180–189. 2. Carman, D.W. et al. Constraints and approaches for distributed sensor network security. NAI Labs Technical Report. (Sept. 2000); www.nai.com/research/nailabs/cryptographic/a-communications-secu￾rity.asp 3. Chan, H. et al. Random key predistribution schemes for sensor net￾works. In Proceedings of the IEEE Symposium on Security and Privacy (May 2003, Oakland, CA). 4. Coulouris, G. et al. Distributed Systems: Concepts and Design. Addison Wesley, Reading, PA., 2001. 5. Di Pietro, R. et al. Providing secrecy in key management protocols for large wireless sensor networks. J. Adhoc Networks. To appear. 6. Fox, A. and Gribble, S. Security on the move: Indirect authentication using Kerberos. In Proceedings of ACM/IEEE MOBICOM 1996; 155–164. 7. Guan, Y. et al. Preventing traffic analysis for real-time communication networks. In Proceedings of IEEE Milcom (Nov. 1999), 744–750. 8. Harter, A. et al. The anatomy of a context-aware application. In Pro￾ceedings of ACM/IEEE MOBICOM 1999; 59–68. 9. Hermann, R. et al. DEAPspace—Transient ad hoc networking of per￾vasive devices. Computer Networks 35 (2001), 411–428. 10. Kindberg, T. et al. People, places, things: Web presence for the real world. MONET 7, 5 (Oct. 2002), Kluwer A.P., 365–376. 11. Myers, B.A. Using handhelds and PCs together. Commun. ACM 44, 11 (Nov. 2001), 34–41. 12. Sandhu, R. et al. Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Trans. Info. and System Security 3, 2 (May 2000) 85–106. Roberto Di Pietro (dipietro@dsi.uniroma1.it) is a Ph.D. student in the Department of Computer Science at the University of Rome “La Sapienza,” Italy. Luigi V. Mancini (mancini@dsi.uniroma1.it) is a professor in the Department of Computer Science at the University of Rome “La Sapienza,” Italy. This work was partially funded by the WEB-MINDS project supported by the Italian MIUR under the FIRB program and by the EU IST-2001-34734 EYES project. This work was written during the authors’ visit to George Mason University’s Center for Secure Information Systems, Fairfax, VA. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. © 2003 ACM 0002-0782/03/0900 $5.00 c COMMUNICATIONS OF THE ACM September 2003/Vol. 46, No. 9 79