In 2nd UK-UbiNet Workshop, Security, trust, privacy and theory for ubiquitous computing. 5-7th May 2004, University of Cambridge, UK
Abstract: This paper discusses how the public setting of a situated display acts as a resource for security. The very publicness creates a social auditability that prevents certain kinds of abuse. This is illustrated through our experience with Hermes - a situated door display that allows electronic notes to be left. Potential 'security' threats have not materialised due, we believe, to the physical setting of the devices. There are an increasing number of situated displays "in the wild" and these need both control but also freedom of access. The use of space may be powerful means to enable this in suitable circumstances.
Keywords: situated displays, social space, privacy, authentication
Situated displays are now ubiquitous from the red LED arrow pointing to an available cashier at a Post Office to the cinema-sized screens found in many city centres. While these are merely displays there are few special security issues beyond those of physical security of equipment. However as situated displays become interactive, issues of security and potential misuse become more important. Most research systems are in 'safe' environments such as laboratories or are being monitored as part of an experiment. Once these systems are "in the wild" of streets and open spaces how do we manage security. As display surfaces they are available to all. Can they be made equally available as interaction surfaces without requiring pre-authentication or other complex means that exclude casual use?
The Hermes system
Hermes is a system of office door displays installed at Lancaster University [1,2]. The Hermes system has been in use for two years now and we have been able to gather data on actual usage patterns. As important, however, the very act of deployment has enabled a richer envisionment of further scenarios as well as establishing a core of users who are able to articulate their feelings about potential extensions or changes.
The Hermes system allows the door owner to leave notes for visitors to see. Notes can either be entered via a web interface or simply drawn onto the Hermes unit. Visitors can leave notes for the door owner by sketching them on the Hermes unit. The door owner is then informed by SMS and can view notes through a web interface or at the unit itself.
The Hermes system has basic authentication allowing door owners to log in via the web or at the doorplate itself and leave messages for visitors. Each doorplate is also equipped with an iButton socket so that iButtons can be used as physical authentication. We have also discussed using Bluetooth phone ids for authenticating visitors. However the more interesting 'security' issues arise due to the situatedness of the displays.
As well as the ability to leave 'permanent' messages for visitors, the door owner can also leave a 'temporary' message such as "out for lunch". This can also be set by the web like the permanent message. To ease the use of this the door owner can leave a temporary message on the door by simply touching the door display for a few seconds. A menu then appears of 'stock' messages and touching one of these selects the relevant temporary message. This menu list can be personalised via the web interface. On returning to the office, the door display (now showing the temporary message) is simply touched again and the message goes away.
This feature has been used heavily by several door owners including a department administrator who used to have a paper list on her door and has now replaced the paper list entirely with the use of the doorplate.
Potential for misuse
Note that the setting of a temporary message does not require authentication; anybody who comes to the door could in principal change this temporary message. This feature could easily be misused: someone might come past the door, notice the permanent message says "not in today" and then set the temporary message to say "out for 5 minutes". Any subsequent visitor wanting to see the door owner might repeatedly come back thinking they were simply missing the door owner by a few minutes.
So why, given it is so easy to subvert, has this not proved a problem? It is clearly not just that everybody who visits the university is scrupulously honest and above board. At one stage, a Hermes unit, which was not secured using security screws, was stolen. Although safer than most city centre campuses, we cannot assume absolute integrity. Furthermore, the potential misuse is more of a prank and would be perhaps a good 'trick' for a student to play on a lecturer.
The answer seems to be simply one of location. Although anyone could come up to the door and change the display, to do so they would be very public. Anyone attempting to 'muck' around with the displays like this would be likely to be noticed if anyone came down the corridor.
In security there are two major weapons against misuse: on the one hand there is authentication and protection preventing abusers from accessing resources, but on the other hand there is audit and traceability so that abusers can be exposed or caught. Both can be used to prevent misuse: the first makes misuse impossible, the second, by increasing the likelihood of being 'caught', makes misuse unattractive. The public nature of the displays is effectively a form of the latter.
This is rather like a street operating "Neighbourhood Watch". Any burglar is aware that twitching curtains may hide someone ready to ring the police.
This publicness as constraint is important in other areas. It would be perfectly possible to use the door displays to leave abusive anonymous message. However, this has rarely occurred nd not been serious. Although this was inituially a concern for door owners after a period of use it is no longer seen as a significant problem due again to the exposed state of anyone leaving such messages. In fact, where there has been minor abuse it has been late at night when the corrodors were empty.
In discussing extensions to Hermes and future situated display work, these issues recur. One possibility is to allow visitors to leave notes that other visitors can see. Currently only the door owner gets to see the visitors' notes. This is rather like someone leaving a note on another person's door - perhaps saying it is their birthday! Options for this include (i) allowing authenticated physical visitors to leave such messages, (ii) allowing anonymous physical visitors to do this, (iii) allowing authenticate users to enter notes on other's doors via a web interface, (iv) allowing people to anonymously do this via the web. Although (ii) sounds potentially worrying it is far 'safer' than (iv) because anyone entering a message is clearly visible.
Soon we will be deploying a major installation of situated displays of many sizes and types across Lancaster University campus. As well as prosaic uses such as displaying timetables, we would like more interactive uses allowing the technology to be appropriated into the campus environment. A distinctive feature of campus life are the concrete pillars with layer upon layer of posters stuck on top of one another. Some form of electronic notice board, or blog-like discussion set in the central square would be one way to capture some of this spirit, with information entered by text from mobile phones or remote web interfaces.
Abusive use of this is clearly a risk. Using mobile phones would mean that in principle there is an audit path back to the person posting messages. However another option is to use a standard keyboard or perhaps a more innovative input mechanism set in very visible part of the square. This would, like the doorplates, use situatedness to establish social control.
The design of defensive space has been an important issue in urban architecture. Security is ensured not by restricting access but by making activities visible. If we want to reduce graffeti in a public place we might use special anti-graffeti surfaces, or mount frequent security patrols. However, instead we may choose to cut back trees and bushes that hide potential artists.
Physical public displays such as notice boards are common. Sometimes these are sealed, but often they are accessible by all - relying on visibility for security. In the same way we have seen how 'publicness' can be a significant element in preventing misuse in electronic public displays in the wild.
Alan Dix 15/4/2004