Abstract: The disclosure relates to a method and compliance system (102) for implementing privacy compliance associated with a host area on agent devices. The method comprises transmitting to a central server (103) information comprising identification details of the agent device (101), details of the destination host area (307), and a navigation route along with geographical coordinates to the destination host area (307). In response, an authorization certificate for using the navigation route is received along with privacy policies associated with at least one or more intermediate areas (303, 305) in the navigation route and of the destination host area (307). Geographical coordinates of the agent device are monitored, wherein a notification is triggered when the geographical coordinates of the agent device match the geographical coordinates of at least one of the intermediate areas (303, 305) located in the navigation route and the destination host area (307). Thereafter, the privacy policies associated with one of the at least one or more intermediate areas (303, 305) and the destination host area (307) are implemented when the notification is triggered. Figure 1
TECHNICAL FIELD
The present disclosure generally relates to the field of security systems. More particularly, the present disclosure relates to a method and a system for implementing privacy compliance associated with host area on agent device.
BACKGROUND
Over the past few years, there has been a rapid increase in the availability and ownership of end-user/agent devices. These agent devices may be Unmanned Aerial Vehicles (UAVs), which are also called pilotless mini aircraft, drones, or remote piloted vehicles, and which are utilized for numerous commercial purposes. For instance, the agent devices find applications in parcel delivery, acrobatic aerial footage in filmmaking, search and rescue operations, all-weather imaging through clouds, rain, or fog, various events such as public-service announcements, and patrolling locked-down areas for unauthorized social gatherings, in daytime or night-time conditions, all in real-time.
Despite the multiple applications enabled by these agent devices, a lack of tight regulations surrounding their use has led to a plethora of security and privacy problems. For instance, incidents involving such systems range from potential collisions and near-misses to sightings that cause closures. While rogue systems cause such security and safety related problems, benign devices, e.g., those that may be used for package delivery, also raise serious privacy concerns. Typically, agent devices such as UAVs are equipped with a variety of sensors (for example, cameras, GPS, Lidar, etc.) for navigation. The on-board sensors can be used to capture pictures or video, map a sensitive location or a building, and the like.
Existing agent devices are implemented using the Robot Operating System (ROS), which provides abstractions to transparently execute a variety of applications on any hardware platform, and which also interacts with the navigation control software. Typically, ROS is built as a publish/subscribe system, in which ROS applications publish or subscribe to certain topics. ROS simply acts as a matchmaker that pairs publishers and subscribers, following which the paired applications communicate directly with each other over network sockets. Currently, as such, existing agent devices with ROS do not incorporate any security mechanisms to regulate application communication. In particular, while ROS applications typically communicate via the publish/subscribe mechanism, they can also communicate directly via other operating system (OS) abstractions, such as raw sockets, shared memory, pipes, and the file system. For example, a pair of applications can bypass the ROS-based publish/subscribe matchmaking mechanism and directly establish socket connections for communication. While ROS has visibility into the publish/subscribe system and can reason about applications that initiate communication using this system, it cannot reason about low-level communication via OS abstractions. This may allow a malicious ROS application to easily corrupt communication between a pair of genuine applications, and as a result compromise the privacy of users. Recognizing the need to prevent such attacks, Secure ROS (SROS) was introduced. However, the mechanisms of SROS alone do not suffice to robustly enforce security policies. Also, existing systems do not suggest a way to enforce these policies beyond seeking an individual's/user's permission. Although SROS prevents a number of basic attacks that are otherwise possible on a ROS system, it does not suffice to enforce policies end-to-end.
Some of the design-level shortcomings of SROS are indicated below:
1) Lack of end-to-end reasoning: SROS restricts the list of topics to which an application can publish or subscribe via its manifest. However, when an application author specifies this list in the manifest, it does not know a priori what other applications will execute on the system platform. This lack of context-specific, end-to-end reasoning about the data produced or consumed by an application restricts the ability to enforce policies in arbitrary settings. For example, a ProcessLocally policy prevents any images published by the camera from being transmitted outside the system. However, a "BlurExportedImages" policy does allow images to leave the system as long as they are scrubbed by another application to blur any privacy-sensitive data in the images. The application author, who specifies the manifest, has no way to reason about all the contexts in which the application will execute. Without such reasoning about the application's end-to-end usage, the application author can at best produce a one-size-fits-all manifest that may poorly fit the situation in which the application is used.
2) Lack of control over lower-level abstractions: SROS only imposes constraints on communication that goes via the ROS platform. Applications (both malicious and benign ones) can choose to bypass ROS entirely, and communicate directly with each other via network sockets, shared memory, the file system, or inter-process communication. Such communication happens directly via OS abstractions and therefore completely bypasses SROS enforcement.
In addition to these design-level shortcomings in SROS, there are certain other aspects of its implementation that could lead to unexpected attacks. First, SROS only allows application authors to specify restrictions in the manifest using topic names. Secondly, SROS internally uses the full path of the application binary to identify an application at runtime. Using the path rather than the actual executable to determine identity makes the system vulnerable to attacks where the application binary is replaced with a malicious version. SROS will use the same manifest as the original application to determine the list of topics accessible to the malicious application.
Taken together, these aspects enable a malicious system operator to engineer data leaks in certain situations. For instance, suppose a CameraStatus application is allowed to upload the camera's operational status to a network. A well-behaved CameraStatus application only reads data of type CamOutput::StatusType, but not its image feed (of type CamOutput::ImageType). A system running such an application should therefore be acceptable to a host that wishes to enforce the ProcessLocally policy. However, if SROS were used for policy enforcement, a malicious system operator could violate the ProcessLocally policy by replacing the CameraStatus application binary with a malicious version. The malicious application reads data of type CamOutput::ImageType and leaks it over the network. SROS allows this attack because a) it only uses the topic name in the manifest file to restrict the data channels accessible to the application; and b) it only uses the path name of the binary and does not bind the executable to its identity.
The information disclosed in this background of the disclosure section is only for enhancement of understanding of the general background of the invention and should not be taken as an acknowledgement or any form of suggestion that this information forms the prior art already known to a person skilled in the art.
SUMMARY
In an embodiment, the present disclosure relates to a method for implementing privacy compliance associated with host area on agent devices. The method comprises transmitting, by a compliance system implemented on an agent device, to a central server, information comprising identification details of the agent device, details of destination host area, and a navigation route along with geographical coordinates to the destination host area. The method includes receiving from the central server, an authorization certificate for using the navigation route along with one or more privacy policies associated with at least one or more intermediate areas located in the navigation route and of the destination host area upon authentication of the agent device. Further, the method includes monitoring geographical coordinates of the agent device, wherein a notification is triggered by the compliance system when the geographical coordinate of the agent device matches with geographical coordinates of at least one of the one or more intermediate areas located in the navigation route and the destination host area. Thereafter, the method includes implementing one or more privacy policies associated with one of the at least one or more intermediate areas located in the navigation route and the destination host area when the notification is triggered. The one or more privacy policies are implemented by using respective predetermined communication graph.
In an embodiment, the present disclosure may relate to a compliance system for implementing privacy compliance associated with a host area on agent devices. The compliance system may comprise a transmitter, a receiver, a processor, and a memory communicatively coupled to the processor. The transmitter transmits to a central server information comprising identification details of the agent device, details of the destination host area, and a navigation route along with geographical coordinates to the destination host area. The receiver receives from the central server an authorization certificate for using the navigation route along with one or more privacy policies associated with at least one or more intermediate areas located in the navigation route and for the destination host area. The memory stores processor executable instructions, which, on execution, may cause the processor to monitor geographical coordinates of the agent device. A notification is triggered when the geographical coordinates of the agent device match the geographical coordinates of at least one of the one or more intermediate areas located in the navigation route and the destination host area. Further, the processor implements the one or more privacy policies associated with one of the at least one or more intermediate areas located in the navigation route and the destination host area when the notification is triggered. The one or more privacy policies are implemented by using a respective predetermined communication graph.
The foregoing summary is illustrative only and is not intended to be in any way limiting. In addition to the illustrative aspects, embodiments, and features described above, further aspects, embodiments, and features will become apparent by reference to the drawings and the following detailed description.
BRIEF DESCRIPTION OF THE ACCOMPANYING DRAWINGS
The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, serve to explain the disclosed principles. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The same numbers are used throughout the figures to reference like features and components. Some embodiments of system and/or methods in accordance with embodiments of the present subject matter are now described, by way of example only, and with reference to the accompanying figures, in which:
Figure 1 illustrates an exemplary embodiment for implementing privacy compliance associated with host area on agent device, in accordance with some embodiments of the present disclosure;
Figure 2 illustrates an exemplary detailed block diagram of compliance system in accordance with some embodiments of the present disclosure;
Figure 3 illustrates an exemplary scenario for implementing privacy compliance associated with host area on agent device in accordance with some embodiments of the present disclosure;
Figures 4a-4c and 5 illustrate exemplary communication graphs in accordance with some embodiments of the present disclosure;
Figure 6 illustrates an exemplary web server interface integrating policy specification in accordance with some embodiments of the present disclosure;
Figure 7 illustrates an exemplary setup of experiments to demonstrate policy implementation in accordance with some embodiments of the present disclosure;
Figure 8 illustrates a flowchart showing a method for implementing privacy compliance associated with host area on agent device in accordance with some embodiments of the present disclosure; and
Figures 9-12 show exemplary tables of experiments to demonstrate policy implementation in accordance with some embodiments of the present disclosure.
It should be appreciated by those skilled in the art that any block diagrams herein represent conceptual views of illustrative systems embodying the principles of the present subject matter. Similarly, it will be appreciated that any flow charts, flow diagrams, state transition diagrams, pseudo code, and the like represent various processes which may be substantially represented in computer readable medium and executed by a computer or processor, whether or not such computer or processor is explicitly shown.
DETAILED DESCRIPTION
In the present document, the word "exemplary" is used herein to mean "serving as an example, instance, or illustration." Any embodiment or implementation of the present subject matter described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
While the disclosure is susceptible to various modifications and alternative forms, specific embodiments thereof have been shown by way of example in the drawings and will be described in detail below. It should be understood, however, that it is not intended to limit the disclosure to the particular forms disclosed, but on the contrary, the disclosure is to cover all modifications, equivalents, and alternatives falling within the spirit and the scope of the disclosure.
The terms "comprises", "comprising", or any other variations thereof, are intended to cover a non-exclusive inclusion, such that a setup, device, or method that comprises a list of components or steps does not include only those components or steps but may include other components or steps not expressly listed or inherent to such setup or device or method. In other words, one or more elements in a system or apparatus preceded by "comprises... a" does not, without more constraints, preclude the existence of other elements or additional elements in the system or method.
In the following detailed description of the embodiments of the disclosure, reference is made to the accompanying drawings that form a part hereof, and in which are shown by way of illustration specific embodiments in which the disclosure may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the disclosure, and it is to be understood that other embodiments may be utilized and that changes may be made without departing from the scope of the present disclosure. The following description is, therefore, not to be taken in a limiting sense.
Embodiments of the present disclosure relate to a method and a system for implementing privacy compliance associated with host area on agent devices. Particularly, the present disclosure allows host areas such as, a corporate or university campus, a city neighbourhood, or an apartment complex, and the like to ensure that agent devices entering them are implementing policies associated with the host areas. For example, a host can specify a policy that requires any agent device that enters the host area to refrain from wirelessly transmitting or locally storing (e.g., in an on-board SD card) any images or video that it captures when within the host area. The present disclosure enhances the agent devices with mechanisms that allow agent device to implement privacy policies associated with the host area and prove to the host that they are in compliance.
Figure 1 illustrates an exemplary embodiment for implementing privacy compliance associated with host area on agent device, in accordance with some embodiments of the present disclosure.
As shown in Figure 1, an environment 100 includes an agent device 101 connected through a communication network 105 to a central server 103. The agent device 101 may be associated with a user or an entity for performing one or more operations. For instance, the one or more operations may include performing service delivery to one or more customers, or surveillance, mapping, search and rescue, weather reporting, and the like. In an embodiment, the agent device 101 may include Unmanned Aerial Vehicles (UAVs), drones, or remote piloted vehicles, which are utilized in the one or more operations. The central server 103 is an entity which maintains information about the agent devices and authorizes the agent devices. In an embodiment, the central server 103 may be specific to a location, country, and the like. The central server 103 may include one or more privacy policies associated with different areas and provided by the respective control device. The central server 103 may include, but is not limited to, a computing device such as desktop computers, network servers, laptops, and the like. Further, the agent device 101 includes a compliance system 102 in order to implement privacy compliance associated with a host area. In an embodiment, the compliance system 102 may include, but is not limited to, a computing device such as desktop computers, network servers, laptops, and the like. The compliance system 102 includes a transmitter 107, a receiver 109, a memory 111, and a processor 113. The compliance system 102 is explained in detail in a subsequent part of the description.
The agent device 101 may include an identity (e.g., a public key) that may be registered with the central server 103. Further, the agent device 101 may be equipped with a hardware Trusted Execution Environment (TEE) to store its private key.
Whenever the agent device 101 is moving or is required to move from one location to another, for instance to a destination host area for performing one or more operations, the compliance system 102 may transmit information to the central server 103. In an embodiment, the destination host area may include airspace associated with the destination host. The information may include identification details of the agent device, details of the destination host area, and a navigation route along with geographical coordinates to the destination host area. The identification details comprise a registered public key associated with the agent device 101. Upon transmission, the central server 103 may authenticate the agent device 101. The authentication of the agent device 101 may include, but is not limited to, checking whether the navigation route intersects any sensitive zones and altitude restrictions, for example, whether the navigation route intersects any military areas. Upon authentication, the compliance system 102 may receive from the central server 103 an authorization certificate for using the navigation route along with one or more privacy policies associated with at least one or more intermediate areas located in the navigation route and of the destination host area. Particularly, the one or more intermediate areas may include the areas through which the agent device 101 may pass while navigating to the destination host area. In an embodiment, the one or more intermediate areas may include intermediate airspaces.
Once the agent device 101 navigates through the navigation route, the compliance system 102 may monitor the geographical coordinates of the agent device 101 and trigger a notification whenever the geographical coordinates of the agent device 101 match the geographical coordinates of at least one of the one or more intermediate areas located in the navigation route and the destination host area. Particularly, on reaching each intermediate area, the notification may be triggered. Thereafter, the compliance system 102 may implement the one or more privacy policies associated with one of the at least one or more intermediate areas located in the navigation route and the destination host area when the respective notification is triggered. The one or more privacy policies are implemented by using a respective predetermined communication graph. Upon implementation, the compliance system 102 may confirm to the control devices associated with the at least one or more intermediate areas and the destination host area, via hardware attestation, that the one or more predefined applications are implemented in the agent device 101. The one or more predefined applications are provided by the respective control device of the at least one or more intermediate areas and the destination host area. The communication graph identifies a list of permitted flows between one or more applications in the compliance system 102. Further, the TEE attestation may also be configured with the control devices of at least one of the one or more intermediate areas and the destination host area to verify the integrity of the policy enforcement system implemented on the agent device 101. In an embodiment, compliance with the one or more policies may be challenged by the at least one or more intermediate areas and the destination host area.
In such a case, the compliance system 102 verifies the integrity of the agent device 101 by performing hardware attestation of the compliance system 102 to the at least one or more intermediate areas and the destination host. Further, the compliance system 102 may implement a mandatory access control (MAC) mechanism at the operating system (OS) of the compliance system 102 to regulate inter-application communication. The MAC mechanism includes, but is not limited to, restricting applications from communicating directly via OS abstractions or bypassing the compliance system 102, modifications that make the OS aware of those abstractions, and redirecting communication via one or more predefined applications.
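As an added illustration of the monitoring step described above (example code, not the disclosure's own implementation): a route monitor that raises a notification when the device's coordinates fall inside an intermediate area or the destination host area and makes that area's policies the active ones. The area boundaries, GPS samples and policy names below are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HostArea:
    """One intermediate or destination area as returned with the authorization."""
    name: str
    polygon: tuple        # boundary vertices as (lat, lon); constructed values
    policies: tuple       # policy names the host attached to this area


def point_in_polygon(point, polygon):
    """Ray-casting test: an odd number of boundary crossings means inside."""
    lat, lon = point
    inside = False
    n = len(polygon)
    for i in range(n):
        lat1, lon1 = polygon[i]
        lat2, lon2 = polygon[(i + 1) % n]
        if (lon1 > lon) != (lon2 > lon):
            crossing = lat1 + (lon - lon1) * (lat2 - lat1) / (lon2 - lon1)
            if lat < crossing:
                inside = not inside
    return inside


class RouteMonitor:
    """Watches GPS samples and notifies on entry into an area along the route."""

    def __init__(self, areas):
        self.areas = list(areas)
        self.current = None          # area the device is currently in, or None
        self.notifications = []      # every notification raised so far

    def locate(self, position):
        for area in self.areas:
            if point_in_polygon(position, area.polygon):
                return area
        return None

    def update(self, position):
        """Feed one GPS sample; return the notification raised, if any."""
        area = self.locate(position)
        if area is self.current:
            return None              # no boundary crossed since the last sample
        self.current = area
        if area is None:
            return None              # left an area; nothing new to enforce
        note = {"area": area.name, "position": position, "policies": area.policies}
        self.notifications.append(note)
        return note

    def active_policies(self):
        """Policies the policy implementation module should currently enforce."""
        return self.current.policies if self.current else ()


# Constructed areas: a square intermediate area and a square destination area.
INTERMEDIATE = HostArea(
    "campus",
    ((28.60, 77.20), (28.62, 77.20), (28.62, 77.22), (28.60, 77.22)),
    ("BlurExportedImages",))
DESTINATION = HostArea(
    "apartment-complex",
    ((28.64, 77.24), (28.66, 77.24), (28.66, 77.26), (28.64, 77.26)),
    ("ProcessLocally", "UseSystemLanes"))

# Constructed route samples: outside, inside campus twice, outside, destination.
ROUTE = [(28.59, 77.19), (28.61, 77.21), (28.615, 77.215),
         (28.63, 77.23), (28.65, 77.25)]


def run_route(samples=ROUTE):
    """Drive the monitor over a sample route; return the notifications raised."""
    monitor = RouteMonitor([INTERMEDIATE, DESTINATION])
    for sample in samples:
        monitor.update(sample)
    return monitor.notifications


if __name__ == "__main__":
    for note in run_route():
        print(note["area"], "->", note["policies"])
```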
Figure 2 illustrates an exemplary detailed block diagram of compliance system in accordance with some embodiments of the present disclosure.
The compliance system 102 may include the transmitter 107, the receiver 109, the memory 111, and the processor 113. In some embodiments, the memory 111 may be communicatively coupled to the processor 113. The memory 111 stores instructions executable by the processor 113. The processor 113 may comprise at least one data processor for executing program components for executing user or system-generated requests. The memory 111 stores instructions, executable by the processor 113, which, on execution, may cause the processor 113 to perform one or more operations.
In an embodiment, the memory 111 may include one or more modules 211 and data 200. The one or more modules 211 may be configured to perform the steps of the present disclosure using the data 200. In an embodiment, each of the one or more modules 211 may be a hardware unit which may be outside the memory 111 and coupled with the compliance system 102. As used herein, the term modules 211 refers to an Application Specific Integrated Circuit (ASIC), an electronic circuit, a Field-Programmable Gate Array (FPGA), a Programmable System-on-Chip (PSoC), a combinational logic circuit, and/or other suitable components that provide the described functionality. The one or more modules 211, when configured with the described functionality defined in the present disclosure, will result in novel hardware.
Further, the transmitter 107 is coupled with the processor 113 through which an input signal or/and an output signal is communicated.
For example, the transmitter 107 may transmit to the central server 103 information comprising identification details of the agent device 101, details of the destination host area, and a navigation route along with geographical coordinates to the destination host area. The receiver 109 may be coupled with the processor 113 through which an input signal or/and an output signal is communicated. For example, the receiver 109 may receive from the central server 103 the authorization certificate for using the navigation route along with one or more privacy policies associated with at least one or more intermediate areas located in the navigation route and for the destination host area. In an embodiment, the one or more policies may include a process locally policy. Typically, independently directed systems capture images or video of their surroundings. These images/videos may be processed on-board by a computer vision application to detect obstacles. A host may wish to ensure that the images/video captured by such a system are only used by the computer vision application, which in turn communicates this information only to the navigation board. In particular, the images/video must not be transmitted outside the system via its network interfaces. These may also not be stored in the system for retrieval by the system operator at a later point in time. This policy is expressed using restrictions that prevent any network-facing application from connecting to the application that publishes the camera feed and prevent the camera application from writing to a file system mounted on a storage card/device. A navigation application may consume the output of the camera feed, but the policy may place the same restrictions on the navigation application (i.e., no network or file system communication) to prevent a leak of data from the navigation application. This is the process locally policy. Further, the one or more policies may include a blur exported images policy.
This policy is compiled down to a restriction which implies that all images from the camera are required to pass through a blurring application before they are consumed by a network-facing application. The blurring application is entrusted with the task of identifying and blurring out faces, car number plates, and other sensitive data.
Another type of policy may be use system lanes policy. The host relating to the intermediate area or destination area may require agent device 101 to navigate only within designated system lanes to ensure safety and privacy. For instance, in a campus or university setting, campus security may identify system lanes that are away from sensitive installations within the campus. This policy is compiled to a restriction that the output of GPS feed must pass through a trusted logger that stores the GPS feed in tamper-proof storage, e.g., either in an audit log within the hardware TEE, or in a trusted cloud server.
The one or more policies may also include any other policies defined by the host, not mentioned herein explicitly.
In an embodiment, the one or more policies may be tailored to abilities of the agent device 101. For example, a self-governing system can operate under process locally, but a semi-programmed or manual system may require blur exported images.
In one implementation, the data 200 may include, for example, transmission data 201, authorization certificate 203, notification data 205, communication graph data 207, and other data 209.
The transmission data 201 may include the data transmitted to the central server 103. The data may include identification details of the agent device 101, details of destination host area, and the navigation route along with geographical coordinates to the destination host area.
The authorization certificate 203 is the certificate provided by the central server 103 upon authenticating the agent device 101 based on the transmitted data.
The notification data 205 may include details about notification which may be triggered for the at least one intermediate area and the destination host area.
The communication graph data 207 may include a list of permitted flows between the one or more applications in the compliance system 102.
The other data 209 may store data, including temporary data and temporary files, generated by modules 211 for performing the various functions of the compliance system 102.
In one implementation, the modules 211 may include, for example, a monitoring module 213, a policy implementation module 215, a TEE attestation module 217, a verification module 219, and other modules 221. It will be appreciated that such aforementioned modules 211 may be represented as a single module or a combination of different modules.
The monitoring module 213 may be configured to monitor the geographical coordinates of the agent device 101. Based on the monitoring, the monitoring module 213 may trigger a notification in the compliance system 102 when the geographical coordinates of the agent device 101 match the geographical coordinates of at least one of the one or more intermediate areas located in the navigation route and the destination host area.
The policy implementation module 215 may implement the one or more privacy policies associated with one of the one or more intermediate areas located in the navigation route and the destination host area when the notification is triggered. The policy implementation module 215 may implement the one or more privacy policies by using a respective predetermined communication graph. Figures 4a-4c and 5 illustrate exemplary communication graphs in accordance with some embodiments of the present disclosure. Figures 4a-4c depict the communication graphs imposed by various restrictions of policies. As shown, the compliance system 102 may rely on trusted applications (e.g., the blurring application and the trusted logger) to permit data flows. Typically, the host that specifies the policy must also specify any trusted applications that may be needed to implement the policy. As shown in Figures 4a-4c, consider implementing the BlurExportedImages policy on a system which includes a navigator application that uses images from the camera to make local navigation decisions. However, suppose that the navigator application needs to occasionally transmit some of these images over a network to a cloud server for further analysis. Thus, to implement the BlurExportedImages policy, all images sent out over the network may need to be processed by a trusted BlurFilter application. The compliance system 102 in such a case may implement the BlurExportedImages policy by placing restrictions on application communication. This is shown with the help of the communication graph in Figure 4c, where a restriction is placed such that the output of the camera can only be used by a BlurFilter, whose output in turn can be used by the navigator and other applications. However, this is clearly not the only way to express this policy and may in fact be restrictive.
For example, the navigator application may require a high-fidelity image stream to make decisions, and the images processed by BlurFilter may not be of the desired quality. In this case, the communication graph as shown in Figure 5 may be utilized. To realize this communication graph, the compliance system 102 may implement two instances of the BlurFilter application (as different processes), one for each node shown in the communication graph; or may only run one BlurFilter process but modify the application to decouple the two logical flows. To process the first flow, BlurFilter may subscribe to CameraOutput and publish that stream after processing to SanitizedStatus. To process the second flow, it may subscribe to navigator output and publish scrubbed images to the network.
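The communication graphs of Figures 4c and 5, and the identity-binding weakness of SROS discussed in the background, as an added example (not code from the disclosure): a communication graph as a whitelist of permitted flows between applications and the OS sinks (network, storage), with checks for the ProcessLocally and BlurExportedImages restrictions, and application identity bound to a digest of the executable's contents rather than its path. Node names such as "camera", "navigator", "blur_export", "blur_status" and "camera_status", and the binaries, are assumptions constructed for the illustration.

```python
import hashlib
from collections import deque

# OS-level sinks through which any leak of camera data would have to pass.
NETWORK, STORAGE = "network", "storage"


class CommunicationGraph:
    """Directed whitelist: an edge (src, dst) means dst may consume src's output."""

    def __init__(self, edges=()):
        self.edges = set(edges)

    def permit(self, src, dst):
        self.edges.add((src, dst))

    def allowed(self, src, dst):
        """Matchmaking check: may dst subscribe to what src publishes?"""
        return (src, dst) in self.edges

    def successors(self, node):
        return {d for s, d in self.edges if s == node}

    def reachable(self, start):
        """All nodes that data originating at `start` can flow to."""
        seen, todo = set(), deque([start])
        while todo:
            node = todo.popleft()
            for nxt in self.successors(node):
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return seen

    def simple_paths(self, src, dst):
        """Enumerate loop-free paths src -> ... -> dst (graphs here are small)."""
        out, stack = [], [(src, [src])]
        while stack:
            node, path = stack.pop()
            if node == dst:
                out.append(path)
                continue
            for nxt in self.successors(node):
                if nxt not in path:
                    stack.append((nxt, path + [nxt]))
        return out


def process_locally_violations(graph, source="camera"):
    """ProcessLocally: camera output may reach neither the network nor storage."""
    return sorted(graph.reachable(source) & {NETWORK, STORAGE})


def blur_exported_violations(graph, blur_filters, source="camera"):
    """BlurExportedImages: every camera->network path must include a BlurFilter."""
    return [p for p in graph.simple_paths(source, NETWORK)
            if not any(b in p for b in blur_filters)]


def measure(binary: bytes) -> str:
    """Identity measurement: digest of the executable's contents, not its path."""
    return hashlib.sha256(binary).hexdigest()


def identity_matches(registry, name, binary):
    """Refuse a binary whose digest differs from the registered measurement."""
    return registry.get(name) == measure(binary)


# Figure 4c style graph: camera -> BlurFilter -> navigator -> network.
FIG_4C = CommunicationGraph([
    ("camera", "blur_export"), ("blur_export", "navigator"), ("navigator", NETWORK)])

# Figure 5 style graph: navigator gets the raw feed; both network exits pass a BlurFilter.
FIG_5 = CommunicationGraph([
    ("camera", "navigator"), ("camera", "blur_status"),
    ("blur_status", "camera_status"), ("camera_status", NETWORK),
    ("navigator", "blur_export"), ("blur_export", NETWORK)])

# A graph that would leak: navigator forwards unscrubbed images to the network.
LEAKY = CommunicationGraph([("camera", "navigator"), ("navigator", NETWORK)])

BLUR_FILTERS = {"blur_export", "blur_status"}

if __name__ == "__main__":
    # Constructed binaries standing in for the CameraStatus executable.
    genuine, replaced = b"camera-status-v1", b"camera-status-replaced"
    registry = {"CameraStatus": measure(genuine)}
    print("replaced binary accepted:", identity_matches(registry, "CameraStatus", replaced))
    print("leaky graph violations:", blur_exported_violations(LEAKY, BLUR_FILTERS))
```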
The TEE attestation module 217 may attest applications by performing hardware attestation of the compliance system 102 to the destination host area. The TEE attestation module 217 may store the private key of the agent device 101. In an embodiment, the TEE attestation module 217 may obtain and store integrity measurements of the compliance system 102. These measurements can be used in remote attestations to verify the integrity of the agent device 101. The TEE attestation module 217 may generate an attestation report which includes a log of the applications initiated by the compliance system 102 in the at least one or more intermediate areas and the destination area.
The verification module 219 may verify the integrity of the agent device 101 upon being challenged by the destination host area based on the attestation report generated by the TEE attestation module 217.
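The attestation exchange described for modules 217 and 219, as an added example that is not part of the disclosure: the device side keeps a measurement log of the applications it launched per area and folds it into a running hash (PCR-style extend, an assumption), and the host side replays the log against the measurements it supplied and checks the nonce it issued. The TEE signature over the report is stood in for by an HMAC with a per-device key so that the example runs on the standard library alone; in the disclosure the TEE signs with the agent device's private key. Area, application and key values are constructed.

```python
import hashlib
import hmac
import json


def measure(app_name: str, binary: bytes) -> str:
    """Integrity measurement of one application: SHA-256 over its name and binary."""
    return hashlib.sha256(app_name.encode() + b"\0" + binary).hexdigest()


def extend(running: str, measurement: str) -> str:
    """PCR-style extend: new = H(old || measurement). Order of launches matters."""
    return hashlib.sha256(bytes.fromhex(running) + bytes.fromhex(measurement)).hexdigest()


class TeeAttestationModule:
    """Device side (module 217): holds the device key, logs every application launch."""

    def __init__(self, device_key: bytes):
        self._key = device_key            # stays inside the module, never in a report
        self.log = []                     # (area, app_name, measurement), in launch order
        self.running = "0" * 64

    def launch(self, area: str, app_name: str, binary: bytes) -> None:
        m = measure(app_name, binary)
        self.log.append((area, app_name, m))
        self.running = extend(self.running, m)

    def report(self, nonce: bytes) -> dict:
        """Attestation report bound to the challenger's nonce (HMAC stands in for the TEE signature)."""
        body = {"nonce": nonce.hex(), "running": self.running, "log": self.log}
        payload = json.dumps(body, sort_keys=True).encode()
        return {"body": body, "sig": hmac.new(self._key, payload, "sha256").hexdigest()}


def verify_report(report: dict, device_key: bytes, nonce: bytes, expected: dict, area: str) -> bool:
    """Host side (module 219): signature, nonce freshness, log replay, and every
    application launched in `area` must carry a measurement the host supplied."""
    body = report["body"]
    payload = json.dumps(body, sort_keys=True).encode()
    if not hmac.compare_digest(report["sig"], hmac.new(device_key, payload, "sha256").hexdigest()):
        return False
    if body["nonce"] != nonce.hex():                      # stale or replayed report
        return False
    running = "0" * 64
    for _, _, m in body["log"]:
        running = extend(running, m)
    if running != body["running"]:                        # log was edited after measurement
        return False
    return all(expected.get(app) == m for a, app, m in body["log"] if a == area)


if __name__ == "__main__":
    key = b"constructed-device-key"                       # constructed sample key
    tee = TeeAttestationModule(key)
    tee.launch("library", "BlurFilter", b"blurfilter-v1")   # constructed binaries
    tee.launch("library", "TrustedLogger", b"logger-v2")
    nonce = bytes(range(16))
    host_expects = {"BlurFilter": measure("BlurFilter", b"blurfilter-v1"),
                    "TrustedLogger": measure("TrustedLogger", b"logger-v2")}
    print("library accepts device:", verify_report(tee.report(nonce), key, nonce, host_expects, "library"))
```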
Figure 6 illustrates an exemplary web server interface implementing policy specification in accordance with some embodiments of the present disclosure.
Figure 6 shows a screenshot of the web server interface in which a system operator has indicated a delivery zone. The agent device 101 in this case intersects two host areas, which have declared their privacy requirements. Figure 6 also shows a red zone (in this case, the Parliament House in New Delhi).
Figure 7 illustrates an exemplary experimental setup to demonstrate policy implementation in accordance with some embodiments of the present disclosure.
As shown in Figure 7, consider a camera application that publishes to a topic called CameraOutput. The application publishes two types of data under this topic, i.e., an image feed from the camera under the type CameraOutput::ImageType, and its status under the type CameraOutput::StatusType. The primary goal of publishing CameraOutput::StatusType is so that it can be consumed by CameraStatus, which is a genuine application that subscribes to the topic CameraOutput only to read the data published under the type CameraOutput::StatusType. This application periodically uploads the camera's operating status to the system operator's server.
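The communication graphs of Figures 4c and 5, and the typed CameraOutput topic of Figure 7, as one added example that is not the disclosure's code: a graph is an allow-list of (publisher, topic::type, subscriber) flows, a requested flow is checked against it, and the BlurExportedImages invariant (only a trusted filter, or an application fed solely by one, may publish to the network) is checked over the whole graph. "Network" as a pseudo-subscriber and the topic names other than CameraOutput and SanitizedStatus are assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One permitted edge: publisher -> topic::type -> subscriber."""
    publisher: str
    topic: str        # e.g. "CameraOutput"
    dtype: str        # e.g. "ImageType"; "*" permits every type published on the topic
    subscriber: str


@dataclass
class CommunicationGraph:
    name: str
    flows: frozenset
    trusted: frozenset = field(default_factory=frozenset)   # host-specified trusted apps

    def permits(self, publisher, topic, dtype, subscriber) -> bool:
        return any(f.publisher == publisher and f.topic == topic
                   and f.subscriber == subscriber and f.dtype in ("*", dtype)
                   for f in self.flows)

    def violations(self, requested):
        """Requested (publisher, topic, dtype, subscriber) flows the graph does not permit."""
        return [r for r in requested if not self.permits(*r)]


# Figure 4c: camera output reaches only the BlurFilter; everything downstream is blurred.
FIG_4C = CommunicationGraph("BlurExportedImages (Figure 4c)", frozenset({
    Flow("Camera", "CameraOutput", "*", "BlurFilter"),
    Flow("BlurFilter", "BlurredImages", "ImageType", "Navigator"),        # topic name assumed
    Flow("Navigator", "NavigatorOutput", "ImageType", "Network"),          # exports blurred data
}), trusted=frozenset({"BlurFilter"}))

# Figure 5: navigator keeps the high-fidelity stream; BlurFilter handles two logical flows.
FIG_5 = CommunicationGraph("BlurExportedImages (Figure 5)", frozenset({
    Flow("Camera", "CameraOutput", "ImageType", "Navigator"),             # local decisions only
    Flow("Camera", "CameraOutput", "StatusType", "CameraStatus"),         # Figure 7: status only
    Flow("Camera", "CameraOutput", "*", "BlurFilter"),                    # first logical flow
    Flow("BlurFilter", "SanitizedStatus", "*", "Network"),                # consumer assumed
    Flow("Navigator", "NavigatorOutput", "ImageType", "BlurFilter"),       # second logical flow
    Flow("BlurFilter", "ScrubbedImages", "ImageType", "Network"),         # topic name assumed
}), trusted=frozenset({"BlurFilter"}))


def exports_are_blurred(g: CommunicationGraph, sink: str = "Network") -> bool:
    """BlurExportedImages invariant over a whole graph: every publisher to the sink is a
    trusted filter or receives image data only from trusted filters."""
    for f in g.flows:
        if f.subscriber != sink or f.publisher in g.trusted:
            continue
        image_inputs = [i for i in g.flows
                        if i.subscriber == f.publisher and i.dtype in ("*", "ImageType")]
        if any(i.publisher not in g.trusted for i in image_inputs):
            return False
    return True


# Adding a direct navigator -> network edge to Figure 5 would let raw frames leave the device.
LEAKY = CommunicationGraph("Figure 5 plus raw export", FIG_5.flows | {
    Flow("Navigator", "NavigatorOutput", "ImageType", "Network")}, trusted=FIG_5.trusted)

if __name__ == "__main__":
    wanted = [("Camera", "CameraOutput", "ImageType", "Navigator"),
              ("Navigator", "NavigatorOutput", "ImageType", "Network"),
              ("Camera", "CameraOutput", "ImageType", "CameraStatus")]
    for g in (FIG_4C, FIG_5, LEAKY):
        print(g.name, "| denied:", g.violations(wanted), "| exports blurred:", exports_are_blurred(g))
```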
Figure 8 illustrates a flowchart showing a method for implementing privacy compliance associated with host area on agent device in accordance with some embodiments of present disclosure.
As illustrated in Figure 8, the method 800 includes one or more blocks for implementing privacy compliance associated with host area on agent device. The method 800 may be described in the general context of computer executable instructions. Generally, computer executable instructions can include routines, programs, objects, components, data structures, procedures, modules, and functions, which perform particular functions or implement particular abstract data types.
The order in which the method 800 is described is not intended to be construed as a limitation, and any number of the described method blocks can be combined in any order to implement the method. Additionally, individual blocks may be deleted from the methods without departing from the scope of the subject matter described herein. Furthermore, the method can be implemented in any suitable hardware, software, firmware, or combination thereof.
At block 801, the information is transmitted by the compliance system 102 to the central server 103 regarding identification details of the agent device 101, details of destination host area, and the navigation route along with geographical coordinates to the destination host area. The identification details comprise the registered public key.
At block 803, the authorization certificate is received by the compliance system 102 from the central server 103 for using the navigation route along with one or more privacy policies associated with at least one or more intermediate areas located in the navigation route and of the destination host area upon authentication of the agent device 101. The authentication of the agent device 101 includes checking whether the navigation route intersects any sensitive zones and altitude restrictions.
At block 805, the geographical coordinates of the agent device 101 are monitored by the compliance system 102. A notification is triggered by the compliance system 102 when the geographical coordinates of the agent device 101 match with the geographical coordinates of at least one of the one or more intermediate areas located in the navigation route and the destination host area.
At block 807, the one or more privacy policies associated with one of the at least one or more intermediate areas located in the navigation route and the destination host area are implemented by the compliance system 102 when the notification is triggered. The one or more privacy policies are implemented by using the respective predetermined communication graph. The communication graph identifies a list of permitted flows between one or more applications in the compliance system 102.
Figure 3 illustrates an exemplary scenario for implementing privacy compliance associated with host area on agent device in accordance with some embodiments of the present disclosure. Figure 3 shows an exemplary scenario of a delivery system, wherein an agent device such as a drone 301 is used for performing a delivery. Consider that the drone 301 is used to perform a delivery to a destination area 307 which is a library. While navigating to the destination area 307, the drone 301 may pass through two intermediate areas, a school 303 and a city neighbourhood 305. In such a case, the drone 301 may receive the one or more policies related to the school 303 and the city neighbourhood 305 from the central server 103 upon transmitting the information regarding the navigation. Thus, the drone 301 (i.e., the compliance system 102 configured on the drone 301) may implement the one or more policies of the school 303 and the city neighbourhood 305 upon passing the school 303 and the city neighbourhood 305, respectively. Finally, upon reaching the destination area 307, the compliance system 102 of the drone 301 may implement the one or more policies associated with the library.
Figures 9-12 illustrate exemplary table experiments to demonstrate policy implementation in accordance with some embodiments of the present disclosure.
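Blocks 805 and 807 over the Figure 3 route, as an added example that is not the disclosure's code: each GPS fix is compared against the areas received with the authorization certificate, a notification fires on entering (and leaving) an area, and the area's policy set becomes the active one. The disclosure fixes no area shape; circles (centre, radius) with a GPS error tolerance are assumed, and the coordinates, radii and policy names other than BlurExportedImages are constructed.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class HostArea:
    name: str
    lat: float
    lon: float
    radius_m: float
    policies: tuple       # names of the communication graphs this host requires


def distance_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle (haversine) distance in metres between two GPS fixes."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


class CoordinateMonitor:
    """Block 805: match each fix against the received areas and raise a notification on
    entry; block 807: switch the active policy set when the notification fires."""

    def __init__(self, areas, gps_error_m: float = 10.0):
        self.areas = list(areas)
        self.gps_error_m = gps_error_m    # a "match" is a tolerance check, never exact equality
        self.inside = set()               # areas the device is currently within
        self.active_policies = ()         # policies currently implemented on the device
        self.notifications = []

    def update(self, lat: float, lon: float) -> list:
        """Process one fix; return the notifications it triggered, in area order."""
        fired = []
        for area in self.areas:
            now_inside = distance_m(lat, lon, area.lat, area.lon) <= area.radius_m + self.gps_error_m
            if now_inside and area.name not in self.inside:
                self.inside.add(area.name)
                self.active_policies = area.policies          # block 807
                fired.append(("enter", area.name))
            elif not now_inside and area.name in self.inside:
                self.inside.discard(area.name)
                fired.append(("exit", area.name))
        self.notifications.extend(fired)
        return fired


# Constructed Figure 3 route: school 303, city neighbourhood 305, library 307 (values assumed).
ROUTE_AREAS = [
    HostArea("school", 28.6000, 77.2000, 250.0, ("SchoolPolicy",)),
    HostArea("neighbourhood", 28.6100, 77.2000, 250.0, ("BlurExportedImages",)),
    HostArea("library", 28.6200, 77.2000, 150.0, ("BlurExportedImages", "TrustedLoggerOnly")),
]


def run_track(track, areas=ROUTE_AREAS):
    """Feed (lat, lon) fixes through the monitor; return all notifications and the final policies."""
    mon = CoordinateMonitor(areas)
    for lat, lon in track:
        mon.update(lat, lon)
    return mon.notifications, mon.active_policies


if __name__ == "__main__":
    fixes = [(28.5950, 77.2), (28.6000, 77.2), (28.6050, 77.2), (28.6100, 77.2), (28.6200, 77.2)]
    print(run_track(fixes))
```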
In an embodiment of the present disclosure, policy specification can be integrated with upcoming system regulatory platforms.
An embodiment of the present disclosure imposes low overheads on latency and power consumption.
The terms "an embodiment", "embodiment", "embodiments", "the embodiment", "the embodiments", "one or more embodiments", "some embodiments", and "one embodiment" mean "one or more (but not all) embodiments of the invention(s)" unless expressly specified otherwise.
The terms "including", "comprising", “having” and variations thereof mean "including but not limited to", unless expressly specified otherwise.
The enumerated listing of items does not imply that any or all of the items are mutually exclusive, unless expressly specified otherwise. The terms "a", "an" and "the" mean "one or more", unless expressly specified otherwise.
A description of an embodiment with several components in communication with each other does not imply that all such components are required. On the contrary a variety of optional components are described to illustrate the wide variety of possible embodiments of the invention. When a single device or article is described herein, it will be readily apparent that more than one device/article (whether or not they cooperate) may be used in place of a single device/article. Similarly, where more than one device or article is described herein (whether or not they cooperate), it will be readily apparent that a single device/article may be used in place of the more than one device or article or a different number of devices/articles may be used instead of the shown number of devices or programs. The functionality and/or the features of a device may be alternatively embodied by one or more other devices which are not explicitly described as having such functionality/features. Thus, other embodiments of the invention need not include the device itself.
The illustrated operations of Figure 8 show certain events occurring in a certain order. In alternative embodiments, certain operations may be performed in a different order, modified, or removed. Moreover, steps may be added to the above described logic and still conform to the described embodiments. Further, operations described herein may occur sequentially or certain operations may be processed in parallel. Yet further, operations may be performed by a single processing unit or by distributed processing units.
Finally, the language used in the specification has been principally selected for readability and instructional purposes, and it may not have been selected to delineate or circumscribe the inventive subject matter. It is therefore intended that the scope of the invention be limited not by this detailed description, but rather by any claims that issue on an application based hereon. Accordingly, the disclosure of the embodiments of the invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims.
While various aspects and embodiments have been disclosed herein, other aspects and embodiments will be apparent to those skilled in the art. The various aspects and embodiments disclosed herein are for purposes of illustration and are not intended to be limiting, with the true scope and spirit being indicated by the following claims.
REFERRAL NUMERALS:
| Reference number | Description |
|---|---|
| 100 | Environment |
| 101 | Agent device |
| 102 | Compliance system |
| 103 | Central server |
| 105 | Communication network |
| 107 | Transmitter |
| 109 | Receiver |
| 111 | Memory |
| 113 | Processor |
| 200 | Data |
| 201 | Transmission data |
| 203 | Authorization certificate |
| 205 | Notification data |
| 207 | Communication graph data |
| 209 | Other data |
| 211 | Modules |
| 213 | Monitoring module |
| 215 | Policy implementation module |
| 217 | TEE attestation module |
| 219 | Verification module |
| 221 | Other modules |
| 301 | Drone |
| 303, 305 | Intermediate areas |
| 307 | Destination area |
CLAIMS:
1. A method of implementing privacy compliance associated with host area on agent devices, the method comprising:
transmitting, by a compliance system (102) implemented on an agent device (101), to a central server (103), information comprising identification details of the agent device (101), details of destination host area (307), and a navigation route along with geographical coordinates to the destination host area (307);
receiving, by the compliance system (102), from the central server (103), an authorization certificate for using the navigation route along with one or more privacy policies associated with at least one or more intermediate areas (303, 305) located in the navigation route and of the destination host area (307) upon authentication of the agent device (101);
monitoring, by the compliance system (102), geographical coordinates of the agent device (101), wherein a notification is triggered by the compliance system (102) when the geographical coordinates of the agent device (101) match with geographical coordinates of at least one of, the one or more intermediate areas (303, 305) located in the navigation route and the destination host area (307); and
implementing, by the compliance system (102), the one or more privacy policies associated with one of the at least one or more intermediate areas (303, 305) located in the navigation route and the destination host area (307) when the notification is triggered, wherein the one or more privacy policies are implemented by using respective predetermined communication graph.
2. The method as claimed in claim 1, wherein the identification details comprise a registered public key.
3. The method as claimed in claim 1, wherein authentication of the agent device (101) comprises checking whether the navigation route intersects any sensitive zones and altitude restrictions.
4. The method as claimed in claim 1 further comprising providing a Trusted Execution Environment (TEE) attestation to at least one of the one or more intermediate areas (303, 305) and the destination host area (307) to verify integrity of the policy enforcement system implemented on the agent device (101).
5. The method as claimed in claim 1, wherein the one or more privacy policies associated with each intermediate area (303, 305) are provided by the respective control device to the central server (103).
6. The method as claimed in claim 1 further comprising verifying integrity of the agent device (101), upon being challenged by destination host area (307), by performing hardware attestation of the compliance system to the destination host area (307).
7. The method as claimed in claim 6, wherein each agent device (101) is equipped with a hardware TEE to store its respective private key.
8. The method as claimed in claim 1 further comprising confirming to control devices associated with at least one or more intermediate areas (303, 305) and destination host area (307) regarding implementation of one or more predefined applications in the agent device (101) via hardware attestation, wherein the one or more predefined applications are provided by the respective control device of the at least one or more intermediate areas (303, 305) and the destination host area (307).
9. The method as claimed in claim 1 further comprising implementing a mandatory access control (MAC) mechanism at operating system (OS) of the compliance system to regulate inter-application communication, wherein the MAC mechanism comprises allowing restrictions to applications communicate directly via operating system (OS) abstractions or bypassing of the compliance system (102), allowing modifications enabling the OS about the abstractions, and redirecting communication via one or more predefined application.
10. The method as claimed in claim 1, wherein the communication graph identifies a list of permitted flows between one or more applications in the compliance system (102).
11. A compliance system (102) for implementing the method of privacy compliance associated with host area on agent devices, comprising:
a transmitter (107) to:
transmit to a central server (103), information comprising identification details of the agent device (101), details of destination host area (307), and a navigation route along with geographical coordinates to the destination host area (307);
a receiver (109) to:
receive from the central server (103), an authorization certificate for using the navigation route along with one or more privacy policies associated with at least one or more intermediate areas (303, 305) located in the navigation route and for the destination host area (307);
a processor (113); and
a memory (111) communicatively coupled to the processor (113), wherein the memory (111) stores processor instructions, which on execution, causes the processor (113) to:
monitor geographical coordinates of the agent device (101), wherein a notification is triggered when the geographical coordinates of the agent device (101) match with geographical coordinates of at least one of, one or more intermediate areas (303, 305) located in the navigation route and the destination host area (307); and
implement the one or more privacy policies associated with one of, the at least one or more intermediate areas (303, 305) located in the navigation route and the destination host area (307) when the notification is triggered, wherein the one or more privacy policies are implemented by using respective predetermined communication graph.
12. The compliance system (102) as claimed in claim 11, wherein the identification details comprise a registered public key.
13. The compliance system (102) as claimed in claim 11, wherein the processor (113) authenticates the agent device (101) by checking whether the navigation route intersects any sensitive zones and altitude restrictions.
14. The compliance system (102) as claimed in claim 11, wherein the processor (113) provides a Trusted Execution Environment (TEE) attestation to at least one of the one or more intermediate areas (303, 305) and the destination host area (307) to verify integrity of the policy enforcement system implemented on the agent device (101).
15. The compliance system (102) as claimed in claim 11, wherein the one or more privacy policies associated with each intermediate area (303, 305) are provided by the respective control device to the central server (103).
16. The compliance system (102) as claimed in claim 11, wherein the processor (113) verifies integrity of the agent device (101), upon being challenged by destination host area (307), by performing hardware attestation of the compliance system to the destination host area (307).
17. The compliance system (102) as claimed in claim 16, wherein each agent device (101) is equipped with a hardware TEE to store its respective private key.
18. The compliance system (102) as claimed in claim 11, wherein the processor (113) confirms regarding implementation of one or more predefined applications in the agent device (101) via hardware attestation to control devices associated with the at least one or more intermediate areas (303, 305) and destination host, wherein the one or more predefined applications are provided by the respective control device of at least one or more intermediate areas (303, 305) and the destination host area (307).
19. The compliance system (102) as claimed in claim 11, wherein the processor (113) implements a mandatory access control (MAC) mechanism at operating system (OS) of the compliance system to regulate inter-application communication, wherein the MAC mechanism comprises allowing restrictions to applications communicate directly via operating system (OS) abstractions or bypassing of the compliance system, allowing modifications enabling the OS about the abstractions, and redirecting communication via one or more predefined application.
20. The compliance system (102) as claimed in claim 11, wherein the communication graph identifies a list of permitted flows between one or more applications in the compliance system.
| # | Name | Date |
|---|---|---|
| 1 | 202141006477-STATEMENT OF UNDERTAKING (FORM 3) [16-02-2021(online)].pdf | 2021-02-16 |
| 2 | 202141006477-PROVISIONAL SPECIFICATION [16-02-2021(online)].pdf | 2021-02-16 |
| 3 | 202141006477-POWER OF AUTHORITY [16-02-2021(online)].pdf | 2021-02-16 |
| 4 | 202141006477-FORM 1 [16-02-2021(online)].pdf | 2021-02-16 |
| 5 | 202141006477-DRAWINGS [16-02-2021(online)].pdf | 2021-02-16 |
| 6 | 202141006477-DECLARATION OF INVENTORSHIP (FORM 5) [16-02-2021(online)].pdf | 2021-02-16 |
| 7 | 202141006477-Proof of Right [19-02-2021(online)].pdf | 2021-02-19 |
| 8 | 202141006477-OTHERS [14-02-2022(online)].pdf | 2022-02-14 |
| 9 | 202141006477-FORM 18 [14-02-2022(online)].pdf | 2022-02-14 |
| 10 | 202141006477-EDUCATIONAL INSTITUTION(S) [14-02-2022(online)].pdf | 2022-02-14 |
| 11 | 202141006477-DRAWING [14-02-2022(online)].pdf | 2022-02-14 |
| 12 | 202141006477-CORRESPONDENCE-OTHERS [14-02-2022(online)].pdf | 2022-02-14 |
| 13 | 202141006477-COMPLETE SPECIFICATION [14-02-2022(online)].pdf | 2022-02-14 |
| 14 | 202141006477-OTHERS [13-07-2022(online)].pdf | 2022-07-13 |
| 15 | 202141006477-OTHERS [13-07-2022(online)]-1.pdf | 2022-07-13 |
| 16 | 202141006477-FORM-9 [13-07-2022(online)].pdf | 2022-07-13 |
| 17 | 202141006477-FORM 18A [13-07-2022(online)].pdf | 2022-07-13 |
| 18 | 202141006477-FORM 18A [13-07-2022(online)]-1.pdf | 2022-07-13 |
| 19 | 202141006477-EVIDENCE OF ELIGIBILTY RULE 24C1h [13-07-2022(online)].pdf | 2022-07-13 |
| 20 | 202141006477-EVIDENCE OF ELIGIBILTY RULE 24C1h [13-07-2022(online)]-1.pdf | 2022-07-13 |
| 21 | 202141006477-EDUCATIONAL INSTITUTION(S) [13-07-2022(online)].pdf | 2022-07-13 |
| 22 | 202141006477-EDUCATIONAL INSTITUTION(S) [13-07-2022(online)]-1.pdf | 2022-07-13 |
| 23 | 202141006477-FER.pdf | 2022-08-11 |
| 24 | 202141006477-OTHERS [08-02-2023(online)].pdf | 2023-02-08 |
| 25 | 202141006477-FER_SER_REPLY [08-02-2023(online)].pdf | 2023-02-08 |
| 26 | 202141006477-CORRESPONDENCE [08-02-2023(online)].pdf | 2023-02-08 |
| 27 | 202141006477-CLAIMS [08-02-2023(online)].pdf | 2023-02-08 |
| 28 | 202141006477-PatentCertificate22-03-2023.pdf | 2023-03-22 |
| 29 | 202141006477-IntimationOfGrant22-03-2023.pdf | 2023-03-22 |
| 30 | 202141006477-EVIDENCE FOR REGISTRATION UNDER SSI [12-06-2023(online)].pdf | 2023-06-12 |
| 31 | 202141006477-EDUCATIONAL INSTITUTION(S) [12-06-2023(online)].pdf | 2023-06-12 |
| 1 | searchE_11-08-2022.pdf | |