Access control and privacy in location-aware applications

The topic addressed in this thesis concerns the relationship between spatial knowledge and information protection in a mobile setting. The proliferation of mobile devices in an increasingly connected world raises growing concern for information security and privacy. For example, sensitive data recorded in corporate and networked information systems can be accessed from uncontrolled locations, downloaded on mobile terminals and disclosed to unauthorized third parties. The protection of information against improper use and modification in a mobile context poses research questions which solicit the investigation of unconventional protection strategies. In such a perspective, this thesis investigates how to provide strong control over information access based on knowledge of location and movement of individuals. Indeed, the use of spatial information for secure access support has been prospected in mid nineties, yet such a vision has not had a significant follow-up at research level. This work focuses on the definition of a comprehensive framework for the specification and enforcement of spatially-aware access control policies. Policies are spatially-aware in that the access authorization depends on the position of users. The core contribution of this work is the GEO-RBAC model, a role-based access control model that complies with current standards in access control and geo-spatial data representation. In addition, two further models have been specified, which are, to some extent, complementary to GEO-RBAC: the former is a decentralized administration model for the specification of GEO-RBAC access control policies in large organizations; the latter is a location privacy model which can be integrated into the GEO-RBAC framework to protect personal location information, for example in Location Based Services applications. The thesis addresses also issues related to the design of a system based on GEO-RBAC: an architecture has been defined based on which a prototype has been then developed. The use of geographical knowledge in security is a novel area of research and that motivates the existence of several open issues. Some of these have been discussed in the dissertation and a possible direction of research has been finally prospected for future activity.