Controlled sharing of body-sensor data for sports analytics using code consent capabilities
Permanent link
https://hdl.handle.net/10037/6502
Date
2014-05-15
Type
Master thesis
Author
Zhang, Wei
Abstract
With the advent of body sensor technology, athletes can easily record individual
physiological metrics such as heart rate, steps, and blood sugar. In parallel,
there is an increasing number of web services that use the raw body-sensor
data as input to sports analytics. For the individual athletes, this can yield
valuable insights on their performance and suggestions on individual training
programs, which consequently aid their development.
Once the data is imported into these analytics systems, the athletes are however
left with little control over their data. This thesis presents code consent,
a user-centric mechanism which combines informed consent and capabilities
to enable athletes to share their private data in a more controllable manner.
Furthermore, it gives both the athletes and analytical services the extensibility
and flexibility to delegate authority across protection domains by chaining keyed
cryptographic hashes.
The action and terms of informed consent are transformed into the reference
to the source code and the attributes of a capability. When executing a capability,
the access control policy for the resource is enforced, and the operation on
the resource is performed in an OpenCPU server, which is an R sandbox. With a
use case, we demonstrate how a user is able to share with others a graph of his
aggregated data by delegating a capability. This paper details the implementation
of constructing a code consent capability, and the verification, delegation, and
execution of a capability. The security of the prototype is also discussed when
users revoke capabilities. In the prototype implementation, we also evaluate
the end-to-end latency of executing a capability, which includes the time of
verifying the signature, the time of executing the program code, as well as
downloading the output file. The analysis of the performance guides us to
investigate the optimization of our prototype such as capability cache and
function chaining.
Publisher
UiT The Arctic University of Norway
Copyright 2014 The Author(s)