
Private Information Sharing Under Uncertainty: Dynamic consent-decision making mechanisms


Academic year: 2021



(1) Private Information Sharing under Uncertainty: Dynamic consent decision-making mechanisms.

(3) Private Information Sharing under Uncertainty: Dynamic consent decision-making mechanisms. DISSERTATION submitted for the degree of doctor at the Technische Universiteit Delft, by authority of the Rector Magnificus Prof. dr. ir. J.T. Fokkema, chairman of the Board for Doctorates, to be defended in public on Monday 4 December 2006 at 15:00 by Amr Mohamed Thabet ALI ELDIN, Master of Science in automatic control engineering, Mansoura University, Egypt. Born in Cairo, Egypt.

(4) This dissertation has been approved by the promotor: Prof. Dr. R.W. Wagenaar.

Composition of the doctoral committee:
Rector Magnificus, chairman
Prof. dr. R.W. Wagenaar, Technische Universiteit Delft, promotor
Prof. dr. ir. W.G. Vree, Technische Universiteit Delft
Prof. dr. ir. M.J. van den Hoven, Technische Universiteit Delft
Prof. dr. ir. R.L. Lagendijk, Technische Universiteit Delft
Prof. dr. C. Carlsson, IAMSR, Abo Akademi University, Finland
Prof. dr. ir. S.M. Heemstra de Groot, Technische Universiteit Delft
Dr. ir. J. van den Berg, Technische Universiteit Delft

(5) To my family.

(6) Published and distributed by:
Amr M.T. Ali Eldin, Egelsingel 18, 2623 BK Delft, The Netherlands. Phone: +31 (0) 654955565.
Delft University of Technology, Faculty of Technology, Policy and Management, Jaffalaan 5, 2628 BX Delft, The Netherlands. Phone: +31 (0) 15 2781131. Fax: +31 (0) 15 2783741.

This research was funded partly by the BETADE project of Delft University of Technology and the BSIK Multimedian project ALTER EGO, subcontracted through the Telematica Institute, Enschede.

Printing: Gilde Print – www.gildeprint.nl, Enschede
Cover design: Ahmed Ali Eldin
English editor: Gert Stronkhorst

Amr M.T. Ali Eldin, Private Information Sharing under Uncertainty: Dynamic consent decision-making mechanisms, Doctoral Dissertation, Delft University of Technology, the Netherlands.
ISBN-10: 90-9021372-4
ISBN-13: 978-90-9021372-9
Keywords: Information Privacy, User Preferences Description and Design Architectures, User Consent, Fuzzy Logic Inference Systems, Context-aware Mobile Services.

Copyright © 2006 by Amr M.T. Ali Eldin. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the written permission of the author.

(7) VII. Preface

Lately, privacy and identity management have increasingly been the focus of attention, especially with the growing threat of terrorism. Many research projects aim at providing innovative technological solutions to protect all of us against terrorism. At the same time, large amounts of information are being collected about citizens by government institutes, without it being clear who uses the information and to what end. On the one hand, the information is collected to increase our safety, for instance by security cameras installed everywhere on streets, in public places or in trains. On the other hand, this is a development that poses a potential threat to people's privacy. There is always a trade-off between our interests and those of others, which means that to a certain extent governments may justify their collection of information. The same problem applies to the Internet, where there is always a potential clash between our need for information or services and our concerns about privacy. Although electronic privacy has been a major concern over the last two decades, current solutions still do not allow users to maintain control over their privacy. Additionally, with the increased development of mobile and wireless networks and the associated context-aware and mobile services, privacy threats will increase due to the ubiquitous collection of personal information and the lack of control on the part of users. Furthermore, users should be given control in such a way that it takes their context into account and minimizes the need for interactions. Privacy control mechanisms should allow users to control their information in a flexible and user-friendly way. In this thesis, we focus on providing users with greater control capabilities by developing consent decision-making mechanisms that automate this control in a dynamic way and allow users to override it when they need to do so.

While doing this research, I got support from others, which I would like to acknowledge. First of all, I would like to thank GOD, the Most Gracious, the Most Merciful, for His marvellous support without which I would not have completed my PhD. When I started this PhD project almost at the beginning of 2002, I was highly optimistic that I would meet the four-year deadline, and I paid much attention to issuing a PhD proposal that was well-planned and rather realistic and challenging at the same time. However, by the end of the third year of my PhD, when I was finalizing the testing studies and about to start writing my thesis, I suffered from unexpected physical health problems, which distracted me from working on my PhD according to my PhD proposal for quite a long period. During this remarkable period of my life, I realised how merciful and powerful GOD is. When someone does his duties and for some other reasons things do not go as planned, then only GOD can provide the strength and concentration needed to overcome these difficulties. Although this was a tough period in my life, it also allowed me to take another look at myself and at others as well. Furthermore, it gave me the opportunity to assess my achievements so far and to rethink my future plans. I have to say that I learned a lot in this period about many things in life, science and religion. During this research, I had the chance to discuss and collaborate with many researchers who helped me during the PhD cycle. I am indebted to my supervisor Professor René Wagenaar for his valuable support and his fruitful scientific and professional supervision. I would like to thank you, René, a lot for your faith in my capabilities to finish my PhD, despite the difficult and unexpected circumstances that I found on my way in the course of writing this thesis. During my position at Delft University of Technology, I had an outstanding opportunity to work on different research and industrial projects. These projects are:

(8) VIII. Preface. BETADE, FRUX, MIES and ALTER EGO. This gave me quite a good knowledge of software architecture design methodologies, development and management and their applicability in real business applications. Consequently, my PhD was influenced by different technological disciplines and research methodologies in computer science and information systems. I am quite grateful to Ajantha Dahanayake, currently Professor at Georgia College and State University, because she is the one who helped me come to the Netherlands and offered me this marvellous opportunity to do my PhD here at Delft University of Technology, fully funded by the BETADE project. Increasingly, she provided me with support and guidance during the first one and a half years of my PhD, as my daily supervisor. I learned a lot from her knowledge and expertise in the fields of information systems design methodologies and model-driven architectures, which influenced my PhD in its beginning phase in a dramatic way. In this period, the BETADE project offered me a tremendous research environment which helped me a lot during the initial phase of my PhD, which I would like very much to acknowledge. Furthermore, I would like to acknowledge the support I got from Professor Alexander Verbraeck. I would like to acknowledge the wonderful discussions I had with Professor Wim Vree, which were a combination of research issues together with his thoughts about science and life that helped me broaden my view on science and technology. Furthermore, I would like to thank Jan van den Berg for his valuable and fruitful comments, and for our discussions which helped me in my research. I would like to thank Jean Camp, Indiana University, for her valuable comments. Furthermore, I would like to thank the committee members for accepting my thesis and for their useful reviews which helped me improve my thesis.

I would like to express my appreciation to Gert Stronkhorst for his comments, which helped me improve my English, and to my students Xiaodi Jin and Indira Nurtani for their assistance. I would like to acknowledge the support I had from the MIES project members and management board, especially the support I got from Else van de Kar. Additionally, many thanks to Harry Bouwman for his cooperation and support, especially during my participation in the FRUX project. In addition, I would like to acknowledge the support we got from the Multimedian project "ALTER EGO" team and management. Furthermore, I had the chance to discuss research and other interesting topics with my colleagues and PhD peers, who were friends as well as being an audience, and I would like to thank them all for their comments, advice, coffee and lunch breaks, and for their jokes about the PhD which helped me survive the difficult times. I would like to express special thanks to Zoran Stojanovic, Semir Daskapan, Nadia Ayad, Lotte Asveld, Heleen de Vlaam, Jan-Pascal, Marnix Kaart, Tamratt Tewolderberhan, and Nong Chen. Furthermore, many thanks to the members of the information and communications technology section for providing me with the right atmosphere and environment needed to fulfil my duties. Certainly, there are friends whose support has contributed to my PhD as well. They provided me with a wonderful atmosphere that helped me when I occasionally felt homesick. Many thanks to all friends here in the Netherlands and abroad. Last but not least, I am indebted to my family for their delightful and unlimited support. I want to thank my parents from the bottom of my heart for their support and prayers.

Amr Ali Eldin, October 2006.

(9) IX. Table of Contents

1. INTRODUCTION ... 11
   1.1 Introduction ... 11
   1.2 A motivating scenario ... 12
   1.3 Privacy and context ... 13
   1.4 Privacy and uncertainty ... 14
   1.5 Privacy and dynamics ... 14
   1.6 Research objective and questions ... 15
   1.7 Research approach ... 17
   1.8 Thesis outline ... 21

2. RESEARCH BACKGROUND ... 25
   2.1 Mobile wireless communication networks evolution and challenges ... 25
   2.2 Personalization ... 27
   2.3 Context-awareness ... 28
   2.4 Privacy ... 32
   2.5 Conclusions ... 45

3. FUNCTIONAL REQUIREMENTS FOR PRIVACY MANAGEMENT ... 49
   3.1 Privacy principles and requirements ... 49
   3.2 Privacy control functional requirements ... 50
   3.3 A privacy management system ... 54
   3.4 SHEM external interactions ... 61
   3.5 Conclusions ... 62

4. CONSENT DECISION MAKING ... 65
   4.1 Consent decision dependences ... 65
   4.2 A fuzzy logic consent decision maker (consent decider) architecture ... 67
   4.3 Correction of the estimated permissions ... 70
   4.4 Conclusions ... 73

5. PROTOTYPES AND USER EXPERIMENTS ... 77
   5.1 Introduction ... 77
   5.2 MIES technical features ... 78
   5.3 Design features and functionalities ... 78
   5.4 Automatic privacy evaluation ... 84
   5.5 Results analysis ... 87
   5.6 Evaluation tests ... 93
   5.7 Conclusions ... 96

6. A PRIVACY PREFERENCES ARCHITECTURE ... 99
   6.1 Introduction ... 99
   6.2 Preferences description ... 100
   6.3 Rule engine description ... 105
   6.4 A simulation tool ... 107
   6.5 Conclusions ... 113

7. A SIMULATION STUDY AND USERS SURVEY ... 115
   7.1 Hypotheses testing ... 115
   7.2 Users survey ... 116
   7.3 Data analysis method ... 117
   7.4 Test results ... 118
   7.5 Reflections from data analysis results ... 119
   7.6 Default privacy preferences sets ... 125
   7.7 Conclusions ... 126

(10) X. Table of Contents

8. EPILOGUE ... 129
   8.1 Introduction ... 129
   8.2 Research findings ... 129
   8.3 Main contributions compared to related work ... 133
   8.4 Further research ... 133

REFERENCES ... 136
APPENDIX A CONSENT EVALUATOR PROCEDURES ... 144
APPENDIX B EVALUATION QUESTIONNAIRE ... 145
APPENDIX C FINAL PRIVACY PREFERENCES SETS ... 146
APPENDIX D LIST OF ABBREVIATIONS & SYMBOLS ... 149
CD-ROM APPENDICES ... 150
SUMMARY ... 151
SAMENVATTING ... 153
ABOUT THE AUTHOR ... 157

(11) 11. 1. Introduction

1.1 Introduction

In the last two decades, the Internet has played an increasingly important role in our daily lives. Although the Internet has developed into a huge collection of services, in addition to providing a veritable wealth of information, and though many organizations put their business onto the Internet to make it available to their customers electronically in what is known as electronic business, users' privacy is still a major concern of customers and of organizations, which can hinder the acceptance and spread of these services. Recently, there has been rapid development in mobile communication networks and smart mobile devices that can run on a variety of networks such as WiFi, GPRS, Bluetooth and UMTS, which has paved the way for a new computing paradigm known as anytime and anywhere, or ubiquitous computing, together with a new market domain known as mobile business (Samulowitz, 2000). The vision behind these mobile applications is to be user-centric, with the user context playing an important role in the type of information and services he or she gets on his or her device. Context-awareness is needed to react to changes in the user's context and to cope with the limitations in information exchange in such environments. Increasingly, users will find themselves surrounded by a variety of smart devices with communication capabilities. As the user context changes, the type of information and/or services content being offered will also change. Examples of the user context are the user's environment, the available network resources, the user's preferences, the time of day, the user's location and situation, etc. Advances in mobile network access technology with increasingly higher bandwidth capacity, intelligent mobile devices, and smart miniaturized sensors have opened up a whole range of new possibilities.

Ubiquitous computing brings new challenges to information and computer science; one of these challenges is dealing with privacy threats: how to protect sensitive information about individuals such as location, preferences and activities. In addition, the possibility that users' profiles may be shared among different parties without the user's consent may also pose a serious threat to user privacy. For example, mobile health applications make it possible to monitor patients who might become ill due to a disease: for instance to prevent epileptic seizures or hypoglycaemic conditions in the case of diabetics, especially during times when their treatment is being set up or adjusted. Small medical sensors combined with higher bandwidth and more reliable mobile network technologies make it possible for such patients to be monitored and even treated anytime and anywhere. This allows patients to live more 'normal' lives, and it helps improve their quality of life and well-being. However, it also has a serious impact on a patient's privacy, a factor that should be given serious consideration. There is a trade-off between a user's privacy requirements and the reasons he or she may have to allow information to be made available. Complete privacy is impossible in a society where a user has to interact with other members of the society such as colleagues, friends, or family members. Each flow of user information will reveal some private information about the user, at least to the information receiver. Since this flow of information is needed, and may be self-initiated by the user, a user needs to make sure that the other party (the destination) is going to adhere to his or her privacy requirements.

1. The results of this chapter were published in (A. Ali Eldin, 2003).

(12) Chapter One. 12. Privacy policies and legal contracts can be used to help users and service providers reach an agreement on the type of privacy users will have. However, these contracts do not provide enough flexibility for users with respect to choosing the type of privacy they need. They also do not guarantee that a user's privacy will not be violated; what they do is give the user the right to sue an organization if the privacy contract is broken.

1.2 A motivating scenario

In this section, we introduce a scenario that is used to explain in a pragmatic way the privacy issue in context-aware systems (see Figure 1.1): System engineer Jo works for an international system-developing company which supports different oil refining sites located in the Arabian Gulf. If Jo wants to leave one site to go to another, he requests a helicopter to pick him up from the place where he is. BeThere, the company providing the logistic services to the sites, also has business partners in each location: tourist guides, hotels and restaurants. Jo has a GPS-enabled mobile device. BeThere would also like to collect Jo's personal information such as name, identity etc., payment information, location information, and calendar information.

[Figure 1.1: Jo, BeThere and BeThere-related business parties. The figure shows the first party (BeThere) and the third parties (tourist, travelling, restaurant and entertainment services) together with the information types each collects from the set Personal, Payment, Location and Calendar; the diagram itself is not reproduced here.]

BeThere's third parties would also like to have some of Jo's private information for their service provisioning or promotions, but they prefer to obtain Jo's information through their agreements with BeThere. This means that Jo will not know that they collect private information unless it is clearly stated in the BeThere privacy policy when the contract is drawn up. Furthermore, Jo will not be able to know which party collects what information from BeThere until he is offered their push services. Among these third parties are some tourist guides, hotels and restaurants in each of the locations Jo will visit. Tourist guides will

(13) Introduction. 13. like to collect Jo's personal and location information to provide customized guiding. They will collect payment information as well. Travel agencies will be interested in information regarding Jo's identity and payment in order to recommend accommodation in each location. Restaurants will be interested in location, eating preferences and schedules to provide suitable meals. Although Jo's initial privacy preferences will not allow anybody access to his information, he may be interested in using specific services, depending on his situation. The issue is not that he is not interested in the services he will be offered; in fact, it is highly likely that some offers will be hard to refuse. However, he will want the process involved in obtaining these services to be reliable, simple, flexible and safe. Jo is very concerned about maintaining complete control over his privacy at all times. Accordingly, Jo, as a customer of BeThere, would like to be able to express his privacy preferences when using BeThere's services. Initially, he may well allow travel agencies and tourist guides access to his information, while stipulating that entertainment providers are to be blocked. Having said that, it is possible that his preferences will change at some point in the future, which makes managing his privacy preferences more complex.

1.3 Privacy and context

Although there has been a lot of discussion on privacy protection in the literature (Ackerman, Darrell, & Weitzner, 2001; Camenisch & Herreweghen, 2002; Casal, 2001; Clifton, Kantarcioglu, Vaidya, Lin, & Zhu, 2002; Langheinrich, 2001; Warren & Brandeis, 1890), not many have discussed the idea that privacy might be negotiable. Jo may be willing to share his information with BeThere's partners in return for a cheaper service or a better offer. What makes this situation complex is that people's concerns about their privacy may be affected by largely unknown factors such as culture, age, etc., and by the context or situation at the time the information is requested. This becomes especially noticeable in environments where user context is expected to change. Context may be defined as any information that can be used to characterize the situation of an entity, where an entity can be a person, place, or physical or computational object that is considered relevant to the interaction between an entity and an application (Salber, Dey, & Abowd, 1999). Contextual information matches any relevant object in the user's environment or user description: examples are Jo's location, time, identity, available resources, Jo's mobile device capabilities, network bandwidth, etc. Contextual information can come from different network locations, protocol layers and device entities. Context-aware applications are applications that collect users' context and deliver content that is adapted to it. For example, when a restaurant guide gets to know Jo's location and sees from his calendar that he has no appointments at the moment, it can recommend a snack meal to Jo. The restaurant guide has collected Jo's context and is thus regarded as a context-aware service. Many scenarios have been used to describe what a context-aware application should look like (Davies, Mitchell, Cheverest, & Blair, 1998; Gemo, Vanderdonckt, Florins, & Macq, 2002; S. Pokraev et al., 2002; Salber, Dey, & Abowd, 1999). Mainly, the idea is that the users' environment is populated with large numbers of sensors that collect information about users in order to offer relevant content or services adapted to their context. Although this personalised approach will in many cases be seen as useful, it does give organizations access to sensitive information, which may violate user privacy unless the applications involved have been designed to take privacy-related issues into account.

Context-aware systems have features and design perspectives that differ from traditional information systems, an issue that will influence the effective protection of users' privacy. This raises a number of questions: How can Jo define his privacy preferences with

(14) Chapter One. 14. regard to these service providers in such a way that is convenient for his context? How can Jo's privacy preferences be described to facilitate easy and effective privacy control? For example, when Jo gets push services he would like to know what the service providers do with his collected data, and he would like to evaluate the service providers and make the right consent decisions. Informed consent is one of the requirements of the European directives (EuropeanDirective, 2002). Accordingly, Jo should be asked to give his informed consent before any context-related data is collected. From a practical point of view, it will be difficult to let Jo enter his response each time context is collected. Increasingly, the type of data collected on Jo will strongly influence his privacy concerns (see section 1.5).

1.4 Privacy and uncertainty

The problem becomes more complex when more than one party gets involved in collecting users' information, for example third parties. The third parties of a certain information collector represent unknown parties to the user. Although the first information collector may state in its privacy policy that users' information is being given to those third parties in one way or another, it is not yet possible in the literature (Camenisch & Herreweghen, 2002; Casal, 2001; L. Cranor, Langheinrich, Marchiori, Presler-Marshall, & Reagle, 2004; Christian Hauser & Kabatnik, 2001; Hull et al., 2004; Langheinrich, 2002; Nilsson, Lindskog, & Fischer-Hübner, 2001) to provide a means for the user to know which party collects which information. Thus in the case of Jo, uncertainty takes over when he gets pushed information or services from unknown collectors, taking into account that although Jo has not explicitly authorised unrelated third parties to collect his information, he does not want to block them in advance either.

People feel differently about the extent to which they wish to protect their privacy, making it impossible to determine what information should be generally available. In this sense, Jo should be able to define, in his privacy preferences description, how he thinks his personal information should be dealt with, which information practices are acceptable and which ones are not permitted. Although this might look simple, defining effective preferences that match each user and that efficiently describe their privacy needs is still an immature science. The more application domains are involved in exchanging Jo's information, with different types of information demands and different types of services, the more complex the process of managing these preferences becomes.

1.5 Privacy and dynamics

In context-aware systems such as mobile location-based services, mobile healthcare services, etc., users' context can be expected to change from time to time, due to changes in surrounding circumstances and environmental influences. Users' privacy preferences will also change to reflect their new situations. For example, Jo's preference of blocking entertainment services may change one day when he has finished work early. If he is in a meeting, he may switch his mobile off, but if he is somewhere else, he may accept incoming requests. In other words, a user's privacy preference will be context-dependent as well as context-driven. Current privacy preferences architectures such as P3P (L. Cranor, Langheinrich, Marchiori, Presler-Marshall, & Reagle, 2004) do not support this feature of context-aware systems. Additionally, the user is burdened with self-updating his privacy preferences, an issue that adds more complexity for users attempting to maintain their privacy.
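The two properties argued for in sections 1.4 and 1.5, that a consent decision depends on the user's context and that unknown third parties should be neither pre-authorised nor pre-blocked, can be made concrete with a small rule evaluator. The Python below is an added example written for this page; it is not code from the thesis, whose own mechanism is the fuzzy-logic consent decider of chapter 4. The party categories, data items, context attributes (in a meeting, finished work early) and the order of the rules are assumptions drawn from the Jo and BeThere scenario.

```python
"""Context-dependent consent rules for the Jo / BeThere scenario (constructed example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Optional


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ASK = "ask"   # defer to the user: the party is neither pre-authorised nor pre-blocked


@dataclass(frozen=True)
class Request:
    party: str              # collector name (constructed values in the demo below)
    category: str           # tourist_guide, travel_agency, restaurant, entertainment, ...
    data: FrozenSet[str]    # data items the collector asks for


@dataclass(frozen=True)
class Context:
    in_meeting: bool = False       # assumed context attribute: Jo switches his mobile off
    work_finished: bool = False    # assumed context attribute: Jo finished work early


@dataclass(frozen=True)
class Rule:
    decision: Decision
    category: Optional[str] = None                 # None matches any party category
    data: Optional[FrozenSet[str]] = None          # None matches any data item
    when: Callable[[Request, Context], bool] = lambda req, ctx: True

    def covers(self, req: Request, ctx: Context, item: str) -> bool:
        return ((self.category is None or self.category == req.category)
                and (self.data is None or item in self.data)
                and self.when(req, ctx))


# Categories Jo has expressed a preference about; anything else is an unknown third party.
KNOWN_CATEGORIES = {"tourist_guide", "travel_agency", "restaurant", "entertainment"}

# Jo's preferences, evaluated top to bottom; the first covering rule decides each item.
JO_RULES: List[Rule] = [
    # Context-driven: in a meeting nothing is shared, whoever asks.
    Rule(Decision.DENY, when=lambda req, ctx: ctx.in_meeting),
    # Static allowances taken from the scenario text.
    Rule(Decision.ALLOW, "tourist_guide", frozenset({"personal", "location", "payment"})),
    Rule(Decision.ALLOW, "travel_agency", frozenset({"personal", "payment"})),
    Rule(Decision.ALLOW, "restaurant", frozenset({"location", "eating_preferences", "calendar"})),
    # Context-dependent: entertainment is blocked, except once work is finished.
    Rule(Decision.ALLOW, "entertainment", when=lambda req, ctx: ctx.work_finished),
    Rule(Decision.DENY, "entertainment"),
    # Uncertainty: unknown third parties are not blocked in advance but escalated to Jo.
    Rule(Decision.ASK, when=lambda req, ctx: req.category not in KNOWN_CATEGORIES),
]


def decide(req: Request, ctx: Context, rules: List[Rule] = JO_RULES,
           default: Decision = Decision.DENY) -> Dict[str, Decision]:
    """Return a per-item consent decision; Jo's initial preference (deny all) is the default."""
    outcome: Dict[str, Decision] = {}
    for item in sorted(req.data):
        outcome[item] = next((r.decision for r in rules if r.covers(req, ctx, item)), default)
    return outcome


if __name__ == "__main__":
    guide = Request("GulfTours", "tourist_guide",
                    frozenset({"personal", "location", "payment", "calendar"}))
    club = Request("NightClub", "entertainment", frozenset({"personal", "payment"}))
    for ctx in (Context(), Context(in_meeting=True), Context(work_finished=True)):
        print(ctx, decide(guide, ctx), decide(club, ctx))
```

The same request yields different decisions as the context changes, which is the behaviour a static preference-to-policy match cannot express, and a collector outside Jo's known categories lands in ASK rather than being denied by the default rule.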

1.6. Research Objective and Questions

Although privacy-enhancing technologies (PET) are assumed to help reduce privacy threats, they have yet to be effectively implemented. Privacy threats emerge as a result of the linkage between identities and users' contextual data. Therefore, most literature has focused on the separation between both types of information: either controlling users' identities, by deterring identity capture through anonymity solutions (Camenisch & Herreweghen, 2002; Chaum, 1985; Lysyanskayal, Rivest, Sahai, & Wolf, 1999), or controlling the perception of private information, such as watermarking (Rakesh Agrawal & Kiernan, 2002), distributing and encrypting data packets (Clifton, Kantarcioglu, Vaidya, Lin, & Zhu, 2002) and physical security through limiting data access to a specified area (Langheinrich, 2001). The assumption of untrustworthy information collectors, which leads to removing users' identities as in most anonymity solutions, does not seem to be applicable to daily life interactions. This is especially the case in context-aware systems, where users' information is passively collected through a number of context sensors and delivered to a number of third parties. It seems clear that most researchers have paid more attention to protecting users' identity information as an approach to protecting users' privacy. We assume that it is not only users' identity information that has to be protected: other information with different degrees of confidentiality also needs to be protected. Controlling the perception of users' contextual information implies that the user takes decisions as to whether or not to allow contextual entities to be collected by a certain party. These are known as user consent decisions. User consent, given before user information is exchanged, is very important to protect a user's private information from being abused by other parties.
Further, information owners may be concerned about monitoring the usage of their information, to see who has access to it and what type of access they have. We assume, therefore, that private information control can represent a more realistic approach to privacy protection. There have been some efforts towards privacy control in context-aware environments, such as (Langheinrich, 2002) and (Zuidweg & van Sinderen, 2003). However, this control can be cumbersome when it comes to context-aware systems, since existing approaches to supporting data privacy do not support the possibility that users' privacy issues will depend on their context. In context-aware systems, users' context is considered to be the main governor of the services and content that users might receive. One of the privacy requirements set by the European directive on data protection (EuropeanDirective, 2002) is to support users' explicit consent for sharing their personal information. In a dynamically changing data environment such as the mobile environment, where users' sensitive information can be collected continuously, we assume that user consent will always have a dynamic nature and therefore should always be requested before any collection of any contextual information in order to get relevant content and services. Moreover, this request for mobile users' consent should be carried out in an autonomous, flexible and user-friendly way. To meet this requirement, users' privacy requirements should be effectively mapped onto rules that govern their consent decision-making. P3P and APPEL (L. Cranor, Langheinrich, & Marchiori, 2002; L. Cranor, Langheinrich, Marchiori, Presler-Marshall, & Reagle, 2004) have gone to great lengths to take users' privacy preferences into account and to match them with the privacy policies of information collectors. In P3P and APPEL (L. Cranor, Langheinrich, & Marchiori, 2002; L. Cranor, Langheinrich, Marchiori, Presler-Marshall, & Reagle, 2004), it is assumed that users' consent is given as a single entity covering all collected information. Furthermore, when the evaluation of the information collector's information practices results in a limited consent, only data pertaining to a person's identity will be blocked.

In this thesis, we assume that all information items may have different consent values. For example, users may want to provide their professional information to a certain information collector, but not their location. In addition, the question whether or not certain information is highly sensitive depends on a number of factors, such as a person's cultural, religious and social tendencies. One of the important challenges of privacy control in context-aware systems is that the dynamics and the huge amounts of information that will most likely be exchanged between the various actors will increase the amount of time and effort users will have to spend. One approach to reducing the amount of users' involvement will be to enrich these systems with artificial intelligence techniques that can help automate the consent decision process by dealing with uncertainty. Another approach will be to ask users for their privacy preferences. A well-known contribution to the management of users' privacy through preferences has been made by the Platform for Privacy Preferences (P3P) (L. Cranor, Langheinrich, Marchiori, Presler-Marshall, & Reagle, 2004). P3P is a privacy preferences and policy description language developed by the World Wide Web Consortium (W3C). P3P made it possible to automatically evaluate service providers' privacy policies according to users' privacy preferences, which gives users more awareness of their privacy threats. However, P3P was designed for static environments such as the Internet, where users' privacy preferences are not expected to change. In another effort on privacy control through preferences, Jiang and Landay (2002) propose a privacy control system based on defining information spaces. Preferences, or credentials in this case, are represented through metadata attached to a document. This metadata describes which users can perform which operations within a certain information space.
However, their metadata system does not manage the dynamics expected according to each user's context or situation. Rodden et al. (2002) propose a minimal asymmetry approach to control personal location information. A trusted party keeps location information structured in such a way that other parties cannot have full access privileges until they have reached a service agreement. Moreover, user identities are replaced with pseudonyms when other parties collect the location information. Although this approach gives users more control capabilities, it does not provide a means of reducing the intensive involvement of users. The Houdini framework (Hull et al., 2004) is another privacy control system based on preferences, which relies mainly on users' self-provisioning of preferences and rules. In this approach, users are assumed to be heavily involved, which represents a challenge when considered in a context-aware mobile environment, due to the time strictness and the complexity of managing preferences manually.

The objective of this research, thus, was to:

support user dynamic consent decision-making in a flexible and user-friendly way

The focus of this research has been on developing a smart architecture that allows users to make automatic consent decisions regarding their privacy. This architecture had to be able to make dynamic and automatic recommendations to users about their consent decisions. Flexibility means that the recommendation allows users to change their preferences in response to changing circumstances. Users will be offered different functionalities for dealing with their privacy. User-friendliness refers to the minimization of the level of user involvement that is required.
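As an added illustration of the per-item, context-dependent consent argued for above (example code written for this edition, not the thesis's consent decider of chapter four and not P3P/APPEL code): a P3P/APPEL-style evaluator returns one verdict for all requested items, while the per-item evaluator gives each information item its own decision under Jo's current context. The item names, the collector policy fields and Jo's rules are constructed sample values.

```python
"""Per-item, context-dependent consent versus one consent per request.

Constructed sample values throughout; the collector policy fields and the
item names are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Context = Dict[str, str]                    # e.g. {"activity": "meeting"}
Rule = Callable[[Context], Optional[bool]]  # True/False, or None when not applicable


@dataclass
class ItemPreference:
    """Consent preference for one information item (e.g. 'location')."""
    default: bool                         # verdict when no rule applies
    rules: List[Rule] = field(default_factory=list)

    def decide(self, ctx: Context) -> bool:
        # First applicable rule wins; otherwise fall back to the static default.
        for rule in self.rules:
            verdict = rule(ctx)
            if verdict is not None:
                return verdict
        return self.default


@dataclass
class CollectorPolicy:
    """A collector's stated practices (constructed stand-in for a P3P policy)."""
    collector: str
    purpose: str
    items: List[str]
    shares_with_third_parties: bool


def all_or_nothing_consent(policy: CollectorPolicy,
                           allow_third_party_sharing: bool) -> Dict[str, bool]:
    """One verdict for the whole request, applied to every item alike."""
    verdict = (not policy.shares_with_third_parties) or allow_third_party_sharing
    return {item: verdict for item in policy.items}


def per_item_consent(policy: CollectorPolicy,
                     prefs: Dict[str, ItemPreference],
                     ctx: Context) -> Dict[str, bool]:
    """Each requested item is judged by its own preference under the current context.

    The collector's purpose is made visible to the rules as part of the context.
    An item with no preference at all is withheld (deny by default).
    """
    full_ctx = {**ctx, "purpose": policy.purpose}
    return {item: prefs[item].decide(full_ctx) if item in prefs else False
            for item in policy.items}


def jo_preferences() -> Dict[str, ItemPreference]:
    """Constructed preferences for Jo, the user of this chapter's scenario."""
    def location_by_activity(ctx: Context) -> Optional[bool]:
        # Location stays private during meetings and is released once work is done.
        if ctx.get("activity") == "meeting":
            return False
        if ctx.get("activity") == "off_work":
            return True
        return None                       # rule not applicable: use the default

    def no_identity_for_entertainment(ctx: Context) -> Optional[bool]:
        # Pushed entertainment services never get data pertaining to identity.
        return False if ctx.get("purpose") == "entertainment" else None

    return {
        "profession": ItemPreference(default=True),
        "location": ItemPreference(default=False, rules=[location_by_activity]),
        "identity": ItemPreference(default=True, rules=[no_identity_for_entertainment]),
    }


if __name__ == "__main__":
    push_service = CollectorPolicy("entertainment-push", "entertainment",
                                   ["profession", "location", "identity"], True)
    for activity in ("meeting", "off_work"):
        print(activity, per_item_consent(push_service, jo_preferences(),
                                         {"activity": activity}))
    print("all-or-nothing", all_or_nothing_consent(push_service, False))
```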

The main research question was:

How can users be supported dynamically so that they can make the right consent decisions on the collection of their private information, with the minimum requirement for their intervention?

In order to answer this question, the following questions needed to be answered as well:

What are the functional requirements for consent decision-making as a means for privacy control in context-aware architectures?

As discussed above, users' explicit consent is one of the requirements of users' personal data privacy as set by the European directive (EuropeanDirective, 2002). In context-aware applications, users should be able to give their consent before any collection of context. In this environment, we assume that users will be unable to make the right consent decisions, due to the fact that these environments require an immediate response, which may lead to decisions that do not reflect their real needs. In this research, we propose that there is a need for an automatic mechanism that can help users make better consent decisions. A literature survey was carried out to determine the shortcomings in current approaches, based on which the required functionalities for dynamic consent decision-making in context-aware systems were deduced.

How can we develop a dynamic way to estimate user consent decisions that represents their informed consent and minimizes their interactions?

Based on the functional requirements defined by answering the previous research question, a model was designed to develop a dynamic consent decision. This model had to be able to deal with uncertainty and dynamics. A good description of users' privacy preferences was required that copes with the dynamic needs of context-aware environments. This description model was used to represent the building blocks of any privacy preferences architecture.
Furthermore, mechanisms were required that provide dynamic, autonomous and manual ways of dealing with users' privacy preferences.

1.7. Research Approach

History has shown that a large number of sciences emerge as a result of interactions between other sciences. For example, the first computer, built in the 1940s, was an outcome of the interaction between physics, mathematics and logical sciences. Afterwards, a new science, computer science, emerged to meet the need to develop new computing technologies to serve humanity. Computer science still has its roots in mathematical logic and mathematics, but increasingly physics, chemistry and biology, and even medicine and psychology, have become important for progress in the field of computer science (Dodig-Crnkovic). This research tackles a practical and multi-disciplinary real-life problem to which the legal, ethical, social and information technology domains all provide solutions. One cannot claim that any single domain has provided an absolute solution to this problem. In this research, we focus on the information technology part of the privacy solutions. The main concern which triggered this research was the need for a mechanism to ensure that users are able to control their private information in a flexible and effective manner by making correct consent decisions in context-aware environments, in which a number of challenges exist such as uncertainty, dynamics and time criticality. A research approach may be defined as following a research strategy in which some research instruments are applied to acquire knowledge, to collect information and to analyze the problem being studied, guided by a certain philosophy (Vreede, 1995). In this section, we introduce the research philosophy, strategy and instruments that we applied to answer the research questions and pursue the objective mentioned above.

1.7.1. Research Philosophy

A research philosophy is considered to be the way a researcher addresses the phenomenon being studied epistemologically. Epistemology refers to assumptions made about knowledge and how it can be acquired (Hirschheim, 1992). There are two popular and modern philosophies in natural and social science research: positivism and interpretivism. Positivism generally assumes that reality is objectively given and can be described based on its measurable properties, which are independent of the observer (researcher) and his or her instruments. Positivist researchers generally test a theory, in an attempt to increase the predictive understanding of phenomena. Positivist research instruments often include laboratory and field experiments. Orlikowski and Baroudi (1991) claim that information systems (IS) research can be called positivist if there is evidence of formal propositions, quantifiable measures of variables, testing of hypotheses, and the drawing of inferences about a phenomenon from the sample to a stated population. Interpretive researchers assume that access to reality, whether given or socially constructed, is only possible through social constructions such as language, consciousness and shared meanings. Interpretive researchers generally attempt to understand phenomena through the meanings that people assign to them, and interpretive methods of research in IS are aimed at producing an understanding of the context of the information system, and of the process whereby the information system influences and is influenced by the context (Walsham, 1993). Interpretive research makes use of action research, descriptive research and grounded theory.
Positivist and interpretive schools are arguably the most dominant research philosophies in IS research (Morrison & George, 1995). Besides positivist and interpretive research, another paradigm, design science, has been shown to produce scientific knowledge (March & Smith, 1995). In IS research, positivist and interpretive research is more concerned with organizational settings than with developing or extending new technologies (Gregg, Kulkarni, & Vinze, 2001). Further, Gregg, Kulkarni et al. (2001) argue that positivist and interpretive research does not consider software or system development as part of the knowledge-building process needed. They propose to add the meta-level assumptions of design science research, which they call the socio-technologist/developmentalist approach, to the work of positivists and interpretivists. In the socio-technologist paradigm, they assume that socially created realities are influenced by a need for technology. Their work is considered to meet what is emphasized by March and Smith (1995) about the design science paradigm. While the keyword of positivists is "acceptance/falsification" or simply "confirmation", through an understanding of the phenomenon, design science is more a "creative" or "improving" paradigm, in that it is used to design and build artefacts that serve mankind (Gregg, Kulkarni, & Vinze, 2001; March & Smith, 1995). This work is influenced by the assumptions of both paradigms: positivist research and design research. Consequently, the choice of research instruments used to conduct this research was mainly determined by both paradigms.

1.7.2. Research Strategy

The choice of the research strategy depends primarily on the research problem and on the status of the theory development in the research area (Vreede, 1995). There have been a number of research methodologies for information systems and computer/information science research schools. The research strategy adopted in this research was influenced mainly by two research methods: the inductive hypothetic method and the design science method. In this section, we elaborate on the research strategy perspectives as they were applied in this research.

The inductive hypothetic method, also known as the scientific method (Giere & Westfall, 1974), is widely used in natural science and starts with many observations from reality, with the goal of finding a few powerful statements about how reality works in the form of laws and theories. Aristotle's ideas on empiricism can be regarded as an early means of induction (Wikipedia, 2006). Empiricism is simply a theory of knowledge that is closely related to experience, in the form of deliberate experimental arrangements (Wikipedia, 2006). In recent scientific discoveries, the inductive hypothetic method was used and observations represented the authority that guided the acceptance of the end results. Buschdahl (1974) argues that Matthias Schleiden should be honoured for his contribution to science: based on his observations of plants, he induced the origins of the modern cell theory. However, long before Matthias Schleiden, induction was used as a source of knowledge and to establish new rules and laws. For example, in the Islamic religion induction represents a main source of knowledge after the Quran and the Sira, in what is known as ijtihad, which is guided by the Quran and the Sira to deal with new matters in religion and life not previously addressed. Accordingly, this Islamic philosophy has led to scientific developments in the Middle Ages in the Muslim world, such as the correct theory of optical vision by Alhazan Ibn El-Haitham, theories on medical surgery and medical tools for surgery by Ibn Sina, and the invention of the zero by Al-Khwarizmi, etc.
Wikipedia (2006) argues that the inductive hypothetic method was developed in its modern shape by the efforts of Muslim philosophers and scientists in the Middle Ages, before their work was translated into Latin and used by European scientists and philosophers. During the 12th century, and based on the ideas of Aristotle and Alhazan, Grosseteste developed the "resolution and composition" principle, or what are called the dual paths: concluding from particular observations to a universal law, and then back again, from universal laws to the prediction of particulars. Furthermore, Grosseteste assumed that both paths should be verified through experimentation in order to verify the induced principles (Crombie, 1971). Roger Bacon, an English philosopher who placed considerable emphasis on empiricism, defined a repeating cycle of observation, hypotheses, experimentation and verification, inspired by the writings of Muslim scientists (particularly Alhazan) and built on Aristotle's principle of induction. He recorded the manner in which he conducted his experiments in precise detail so that others could reproduce and independently test his results. Later, a number of theories and scientific discoveries helped improve the scientific method by treating experiments as a research instrument or tool, such as the work of Galileo and Francis Bacon. Galileo combined quantitative experimentation and mathematical analysis to define the general laws of physics. Isaac Newton systematized these rules in the Principia, which became a model that other sciences sought to emulate (Wikipedia, 2006). As discussed above, the inductive hypothetic method has existed since Aristotle, although it has evolved with time. Walsham (1993) argues that the inductive hypothetic method is useful for experimental research in information and computer systems.
Another method, most frequently used by mathematicians, is the deductive hypothetic method, also known as the scientific method (Ciborra, 2004; Myers, 1994; Walsham, 1993). The deductive hypothetic method starts with a small number of true statements about reality (facts) and tries to generalize or deduce new knowledge using logic (Hesa, 1974). While the deductive method needs to start with true statements or facts, the inductive hypothetic method starts with observations from reality which need to be explained or verified. Based on these observations, hypotheses are made, after which predictions or propositions are formulated and tested by experiments.

In design science research, computer/information science knowledge is used to solve practical problems. Two strategies are used for design research in computer/information science: the human behavioural paradigm and the design science paradigm. The former has its roots in natural science research methods, which focus on developing and justifying theories about the use, analysis, and management of information systems (Hevner, March, Park, & Ram, 2004). Design science has its roots in engineering. According to March and Smith (1995), design science creates artefacts that serve human purposes, as opposed to the natural and social sciences, which try to understand reality. Design science is a problem-solving paradigm (Hevner, March, Park, & Ram, 2004) with the emphasis on the end product, the solution, rather than on the research method as a research objective (Purao, 2002; Rossi & Sein, 2003). Design science products come in four types: constructs or concepts that define the terms used when describing an artefact; models that are used to describe and represent the relationships among concepts; methods that are used to represent algorithms or approaches on how to do a certain task; and finally implementations that are used to realize the artefacts. The general research approach in design science research consists of four main steps: awareness of the problem, suggestion, development, and evaluation (Vaishnavi & Kuechler, 2004). Awareness of the existing problem and a good understanding of its dimensions and related concepts is required before a suggestion or a proposal can be introduced. The proposal, sometimes called a tentative design, should be worked out as a preliminary to solving the problem.
As mentioned above, the research strategy adopted here is influenced by both strategies: the inductive hypothetic method and the design science method. The former has influenced the research in its early and final phases, through the observations to be made about reality that help in defining shortcomings or hypotheses, defined either implicitly or explicitly, about how reality should work. Furthermore, models, algorithms and artefacts of the proposed solution have been constructed based on these hypotheses in a way similar to the design science paradigm. These models and concepts have later been prototyped and implemented. Additionally, we have tested several hypotheses, which is typical of the inductive hypothetic approach.

1.7.3. Research Instruments

The type of research instruments applied to collect and analyze knowledge is defined mainly by the research philosophy and strategy adopted in the research. In this section, we present the research instruments we applied to pursue the research objectives.

1. Literature study

A reasonable and common starting point is to carry out a survey of the relevant literature. Literature study is an important instrument of every research effort, aimed at obtaining information about the problem and determining how much previous research has been conducted in the field. This leads to a better understanding of how the problem should be specified and the way it should be addressed. Literature research is also useful in evaluating current research in comparison with others. According to Galliers (1992), an in-depth literature review can lead to new advances in and development of current theories.

2. Subjective/Argumentative Analysis and Conceptual Research

A subjective and argumentative study of the problem in question, together with conceptual and deep thinking, was performed in this research in parallel with the literature review. This conceptual development can lead to creative research that is based on opinion and speculation rather than on observation (Vogel & Wetherbe, 1984). Furthermore, it can lead to new and creative ideas which, after being tested, can contribute to the building of theory (Galliers, 1992).

3. Case Study Research

Case studies are a convenient way of identifying key events and actors within a situation and of linking them in a coherent way (Yin, 1994). In case study research, the researcher goes through the phases of design, data collection and analysis, and evaluation (Yin, 1994). According to Stake (1995): "a case study is the study of the particularity and complexity of a single case, coming to understand its activity within important circumstances". An important issue when conducting case study research is the choice of cases, which is often an opportunistic rather than a rationalistic one (Yin, 1994). Additionally, the number of case studies carried out can influence the research results when it comes to generalization of the case study results (Stojanovic, 2005). However, Yin (1994) argues that a single case study, when selected carefully, can be highly successful in terms of theory formulation and testing. In this research, we used two intensive case studies to test and validate the research hypotheses and the developed architectural functionalities.

4. Experimental Research

Experiments represent an instrument for theory testing and exploration (Denning, 1981). Experiments test theoretical predictions against reality (Dodig-Crnkovic). There are two types of experiments, which differ in the size and actuality of the phenomenon being studied: field experiments and laboratory experiments.
The former are based on an actual problem with limited variables, while the latter are based on controlled variables in an artificial problem setting. In this research, we used both types of experimental research.

5. User surveys

A user survey is an investigation of a certain case based on data collection from users, usually in the form of a questionnaire. User surveys were carried out to evaluate, on a quantitative and qualitative basis, the satisfaction level of potential users with the developed consent decision-making mechanisms.

1.8. Thesis outline

In this section, we introduce the thesis outline, which is also presented in Figure 1.2. The research was carried out in three stages: perception and suggestion, design and development, and finally analysis and evaluation. In the following, we elaborate on these phases. In the perception and suggestion phase, the phenomenon being studied is explored and shortcomings are defined. The research problem, motivation, objective and questions are presented in chapter one. The research philosophy, strategy and instruments are also introduced there. Concepts pertaining to the phenomenon being studied are presented in chapter two, in addition to an overview and critical evaluation of the research background and the state of the art in the field of privacy support architectures in context-aware systems; existing methods, concepts and technology infrastructures are given. In this phase, the research strategy is influenced by the inductive hypothetic method outlined in section 1.7.2.

In the design and development phase, the research strategy is influenced by the design research methodology outlined in section 1.7.2, where functional architectures were developed to address the phenomenon being studied. Requirements concerning privacy control and consent decision-making are given in chapter three. An architecture for privacy management (control) is also proposed in chapter three. The architecture functionalities are based on the privacy requirements and specifications defined in chapter three. Moreover, to meet the flexibility and extendibility requirements, such that more functionality can be added according to changes in business and user requirements, we adopted a component-based design approach to develop and model the proposed functionalities of the architecture. Component-based development can be seen as a divide-and-conquer strategy, where complex problems are divided into groups of smaller problems that are easier to deal with in a shorter time. In addition to making it easier to solve a problem in a more flexible way, this approach supports the extendibility and maintainability of the system (Verbraek et al., 2002). A next step is to define the functionalities needed for consent decision-making, which is discussed in chapter four, where the details of the consent decider model are presented. In chapter six, we use the inductive hypothetic method: observations from reality are represented by the lack of dynamics in the P3P specifications with respect to the context-aware environment, hypotheses are mentioned implicitly, and based on them users' privacy preferences models are proposed. Furthermore, in chapter seven, we present these hypotheses explicitly together with the related models. The final phase of the research is the analysis and evaluation phase. In chapter five, a case study is presented where the consent decision-making process is implemented and tested. A field experiment, in the form of a prototype implementation with industrial partners, is introduced in this chapter as well; it helps in establishing the technical feasibility of the proposed solution and gives an indication of the applicability of such approaches in reality. In chapter seven, another case study is presented, where the hypotheses with respect to the privacy preferences models presented in chapter six were tested against observations from users' collected data, in order to conclude and verify the applicability and significance of the proposed dynamic privacy preferences models. A simulation-based case study is introduced there, in which a user survey was carried out to verify and validate the proposed privacy preferences model. The analysis and evaluation of the obtained results are presented as well. The research findings and recommendations are discussed in chapter eight.

Figure 1.2 Thesis Outline

Perceptions and Suggestions: Chapter One, Introduction (research problem, objective, questions and approach); Chapter Two, Research Background (shortcomings and limitations of current approaches).

Design and Development: Chapter Three, Functional Requirements of Privacy, ShEM Architecture Description; Chapter Four, Consent Decision Making; Chapter Six, A Privacy Preferences Architecture (proposed models, methods and algorithms).

Analysis and Validation: Chapter Five, Prototypes and User Experiments; Chapter Seven, A Simulation Study and Users Survey; Chapter Eight, Epilogue.

2. RESEARCH BACKGROUND

As mentioned in chapter one, our research objective is to help users control their privacy in dynamic environments such as context-aware applications by offering them an informed way to make consent decisions. In this chapter, we give an overview of what has been done so far in the research field of context-awareness and privacy. Additionally, we present concepts and definitions to help the reader get familiar with this research.

2.1. Mobile Wireless Communication Networks Evolution and Challenges

2.1.1. Evolution of Mobile Wireless Networks

Mobile telecommunication technology has developed enormously during the last two decades, from analogue networks up to fourth generation networks. First-generation mobile wireless networks were targeted primarily at voice and data communications at low data rates. Recently, we have seen the evolution of second- and third-generation wireless systems that incorporate the features provided by broadband networks. GSM (Global System for Mobile communication), the second generation of mobile networks, operates in frequency bands between 900 MHz and 1800 MHz. When we started our research, GSM networks were widely used in Europe and most of the Asia-Pacific area (Siau, 2001). Analogue networks used to be the common networks, but most mobile networks gradually replaced them by digital networks, because the bandwidth of analogue networks was very low, with a maximum of 4.8 Kbps. In Australia, analogue networks were phased out from the beginning of the new millennium. In Europe and Asia most users already use digital networks. The most common digital networks in the Western world are GSM and CDMA (Code Division Multiple Access) (S. Singel et al., 2001). Based on GSM technology, other networks have been developed as well, such as HSCSD (High Speed Circuit Switched Data), a circuit-switched protocol based on GSM. It can reach data transmission speeds of up to 57.6 Kbps by using four radio channels at the same time.
Additionally, GPRS (General Packet Radio Service) is a packet-switched wireless protocol based on GSM that offers instant access to data networks. It makes it possible to keep the mobile terminal connected to the network at all times, while network capacity is used only when data is transmitted. Transmission speeds of GPRS networks can reach up to 115 Kbps. EDGE (Enhanced Data Rates for Global Evolution) is a faster version of GPRS with a speed reaching 384 Kbps, and it also represents an evolution of GSM. Both GPRS and EDGE are called 2.5 generation technology (Siau, 2001). The IMT-2000 (International Mobile Telecommunications 2000) 3G systems provide access to a wide range of telecommunication services supported by the fixed telecommunication networks, and to other services that are specific to mobile users, using one or more radio links. A range of mobile terminal types is included, and the terminals may be designed for mobile or fixed use. UMTS (Universal Mobile Telecommunications System) is the third generation mobile phone system that has currently penetrated the mobile market, and many services are being developed based on this new generation of mobile networks. UMTS supports user bit rates up to 2 Mbps (Hartmann, Görg, & Farjami, 1998). Fixed wireless LAN technology has evolved to extend the existing wired networks. Local area networks (LANs) are mostly based on Ethernet media access technology and consist of an interconnection of hosts and routers. Currently, an increasing number of wireless LANs (WLANs) are being deployed in offices.

(26) Chapter Two. 26. The IEEE has standardized 802.11 protocols to support WLANs media access. A radio base station can be installed in a network to serve multiple wireless hosts over 100-200 metres. Consequently, users can be ubiquitously connected to the network via a wireless device, which means that they can perform all network-related functions as long as they stay within reach of the radio base station. With the enormous developments that currently take place in wireless technology, wireless is fast becoming a viable alternative to (wired) DSL, cable, and fiber optics. Personal Area Networks (PAN) are becoming more popular now due to the fact that they offer similar support, albeit across a smaller range, using low-power radio transmission-based networking systems like Bluetooth at a speed of 1 Megabit per second or less. PANs are formed by wireless communications between devices using Bluetooth and wireless technologies. One of the biggest issues with PANs is the ability for devices to interact not only via pre-established networks of devices, but also using inter-vendor equipment connections. If seamless communication is to be established, this is a major issue. Seamless or sometimes called unconscious communication refers to communication between devices in the PAN that is initiated automatically and without user intervention. PANs may be very useful in mobile commerce applications and in safety applications such as emergency mobile context-aware services. 2.1.2. Mobile Wireless Communication Challenges. Although mobile wireless networks are developing very fast, it will take a while before existing problems will be solved. In this subsection, we provide an overview of these limitations. Firstly, mobile wireless networks have considerably longer latencies than fixed wireless networks (Small & Haas, 2005). Network latency is the amount of time a message takes to travel from one network entity to another. 
Mobile wireless networks vary in their latencies between less than one second to 2 or 4 seconds. Latency time estimations are important for applications as applications estimate the expected performance of a server and the transmission protocol makes estimations regarding the delivery of messages. In wired networks, this latency can be approximated with some certainty, but in wireless networks it is much more difficult to make such estimations. With regard to wireless applications, unestimated delays in packets reception can cause degradation of applications performance, and make it more difficult to reassemble the packets that have been received in the correct order. The WAP Forum proposed the WAP protocol suite that would allow the interoperability of mobile equipment and software with many different network technologies. WAP is designed to support connectivity between mobile devices and internet applications. Secondly, mobile wireless networks have lower bandwidth than fixed wireless networks (Hartmann, Görg, & Farjami, 1998; S. Singel et al., 2001). Bandwidth is the amount of data transfer per time unit and it measures the communication media capacity of transferring data. The higher the bandwidth, the higher the volume of data that can be transferred. However, technologies such as GPRS and UMTS supports increased data transmission capacities and pave the way for advanced mobile services such as videoconferences and multimedia transmission (Tseng, Wu, Liao, & Chao, 2001). Thirdly, mobile wireless services are much more expensive than those provided by fixed wireless networks are. Connecting to the Internet via a mobile device and mobile network is considered very expensive compared to normal wireless Internet connection. Fourthly, the reliability of mobile wireless networks is affected mainly by the communication errors between the network operator and the Internet service provider, or by the wireless connection. 
Within the wireless domain more errors occur, both in frequency and duration, than in traditional networks. The error rates highly depend on the situation of the mobile user, whether he or she is stationary, surrounded by high buildings or obstacles, or.

(27) Research Background. 27. moving with a certain speed. In which case, the information flow is affected by the Doppler Effect, by reflection of the original signal or by a complete loss of that signal. Cellular networks use the “handing off” process to switch a user from one transmitter to another to manage communication bandwidth capacity or to move users to transmitters that are closer. In analogue networks, handing off causes a 10 milliseconds loss of the wireless signal. Although in digital networks handing off takes place more quickly, it still has an impact on the wireless signal. These kinds of errors do not cause major problems in voice communication, because the human brain can adapt to slightly fuzzy information and remove extraneous signals. However, they will have a major impact on the correctness and success of mobile services when they occur in data transmissions such as bank account details, personal information, or ordering details (S. Singel et al., 2001). Last and not least, mobile devices have constraints compared to desktops and laptops and whether or not they deliver content and services to mobile devices successfully depend on the extent to which these constraints are resolved. Mobile devices have limited processing power, limited energy, limited memory, limited screen capabilities, and limited input keys functions (Hartmann, Görg, & Farjami, 1998; Mahmoud, 2001). Recently, however, this limitation seems to be diminishing with the development of the new generation smart mobile phones.. 2.2. Personalization. As we mentioned earlier, mobile technology has developed rapidly over the last twenty years. Bluetooth technology, GPRS and UMTS networks have paved the way for a new computing paradigm known as anywhere and anytime computing. Consequently, attention has been given to provide applications that allow people nomadic access to services and functionalities and to adapt existing e-business applications and models to a mobile environment. 
Personalization is a key factor in the design of mobile information services. Given the limitations of mobile devices and mobile wireless networks as discussed in section 2.1.2, personalization can help overcome such limitations since only relevant information is transmitted. Personalization may be defined as tailoring the mobile services and/or content for the user in a way that satisfies a user’s uniqueness and needs. For effective personalization, all available data must be taken into consideration, such as user profiles, user context, location, time, authorized services, device capabilities, historical data, site content, and site structure. Important challenges flow out from the size and the heterogeneity of the data itself, the dynamic nature of user interactions, the changeable user interests, the context-awareness requirements, and human to mobile device interactions (Billsus, Brunk, Evans, Gladish, & Pazzani, 2002). Approaches to personalization can be categorized into three main categories: customization or manual personalization, collaboration filtering, and adaptive personalization. In the case of customization, websites allow users to submit their interests themselves through a questionnaire, such as the ones offered by Microsoft Network, MyYahoo and Excite. These sites allow users to customize their home pages based on a selection of available content, such as favourite stock portfolios, news, web pages, movies and weather. The more detailed the data provided by the user, the greater the personalization benefits are likely to be. However, this approach is unlikely to work in a mobile environment. In addition, it does not allow users access to information they have not included among their personal preferences. 
Although some websites allow users to change their interests using a fixed Internet connection, and then to access the site using a mobile device, this is not convenient for mobile users, and it no longer guarantees access to information anytime and from anywhere (Billsus, Brunk, Evans,.
