Data management, security, data privacy

This section gives an overview of data-privacy management on the robot and explains how to remove any privacy-sensitive data from it.

The information on this page may help you prepare a data management plan and ensure your system is GDPR-compliant.

Caution

The page assumes you are using the robot under its default (‘out-of-the-box’) configuration.

As an open platform, you can freely modify the behaviour of the robot (for instance, by connecting to cloud-based services). If you do so, please be fully aware of the privacy-related consequences of such modifications.

Data management on the robot

Out-of-the-box, ARI does not rely on any cloud-based services. The robot does not require any Internet connection for most of its operations.

In particular, all data processing (such as speech recognition and face recognition) is performed on-board by the robot (edge computing), and no data ever leaves the robot.

Note

Some optional chat skills (such as asking the robot for the current weather) do require a working Internet connection. However, none of these behaviours transmit privacy-sensitive data, and they are all optional (i.e., the robot will simply report that, e.g., “it cannot check the weather right now” when no Internet connection is available).

Privacy-sensitive data

The robot does not even store any non-anonymous privacy-sensitive data: no video or audio recordings of people are stored on the robot, and face recognition relies on anonymous facial embeddings.

In addition, the next section explains how to easily delete all files containing (anonymised) personal data.

Clearing privacy-sensitive data

You can easily clear all files containing personal data on the robot.

Warning

After doing so, the robot will no longer recognise people it has previously seen, and all knowledge in the robot’s knowledge base will be deleted.

Access ARI’s WebCommander from a web browser (phone, tablet, laptop) at the following address http://ari-0c:8080/.

On the left side of the HOME tab, several labels will appear. Select the label Privacy. On the right-hand side, a panel will display a message and a button; it also lists the files that will be deleted.

(Image: ../_images/ari_webcom_privacy_label.png)

A dialogue will appear when the button is pressed. The dialogue warns the user that this operation cannot be undone.

(Image: ../_images/ari_webcom_privacy_dialog.png)

If the Cancel button is pressed, the operation does not take place. If the OK button is pressed, a message is shown for 3 seconds indicating either that the files have been deleted or that no files have been deleted because no privacy-related data had been generated.

(Image: ../_images/ari_webcom_privacy_result.png)

Security

Attention

We do not consider ARI to be a hardened IT system. If your use case involves exposure to IT/networking risks, we strongly recommend implementing mitigations at the level of your network infrastructure and controlling physical access to the robot.

Out-of-the-box, your robot’s main computer exposes multiple open networking ports, accessible via both the Wi-Fi interface and the wired Ethernet interface.

These ports are either:

  • ROS-managed ports, which enable peer-to-peer communication between ROS nodes (port 11311 plus one additional port per node);

  • or one of the following:

    • Port 80: HTTP - WebGUI & REST interface

    • Port 8080: HTTP - WebCommander

    • Port 3000: HTTP - Grafana monitoring

    • Port 9090: WebSocket - ROS communication bridge

    • Port 11011: HTTP - Screen contents

    • Port 22: SSH connectivity

None of these ports is strictly required for the robot to work, and they can be closed if necessary. However, we strongly recommend keeping at least port 22 for SSH access, and ports 9090 and 11011 for the touchscreen to work.

The robot runs a regular Ubuntu Linux system: if you wish to close specific ports, you can easily install a firewall (such as ufw) and configure it.

Note

Communication between the robot’s main computer and its secondary computers (the Raspberry Pi in ARI’s head and the optional Jetson accelerator) takes place on an independent network, with a different physical network interface. These secondary computers are not directly accessible from outside the robot.

If you configure a firewall on the robot, make sure to block ports only on the external interfaces (Wi-Fi and the Ethernet socket at the back of the robot), so that communication between the robot’s computers is maintained.
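As an added example (not part of the ARI documentation or of PAL Robotics’ own tooling), the following POSIX shell script turns the advice above into a concrete ufw rule set: incoming traffic is denied by default, the internal interface to the secondary computers is left unfiltered, and only the documented ports 22, 9090 and 11011 are allowed on the external interfaces. The interface names wlan0, eth0 and eth1 are assumptions; check `ip link` on your robot before using them. The script also carries an audit helper that reads `ss -tln` output and reports listening TCP ports outside the allowlist, exercised here on a constructed sample rather than output captured from a real robot.

```shell
#!/bin/sh
# Added example, not part of the ARI documentation: generate (and optionally apply)
# a ufw rule set that filters only the robot's external interfaces.
#
# ASSUMPTIONS (check `ip link` on your robot): wlan0 = Wi-Fi, eth0 = rear Ethernet
# socket, eth1 = internal link to the head Raspberry Pi / Jetson accelerator.
EXTERNAL_IFACES="${EXTERNAL_IFACES:-wlan0 eth0}"
INTERNAL_IFACE="${INTERNAL_IFACE:-eth1}"

# Ports the documentation recommends keeping open: 22 (SSH), 9090 and 11011 (touchscreen).
# Append 80, 8080 or 3000 if the WebGUI, WebCommander or Grafana must stay reachable.
KEEP_PORTS="${KEEP_PORTS:-22 9090 11011}"

# Print the ufw commands one per line; nothing is executed here.
ufw_rules() {
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  # The internal network is never filtered, so the secondary computers keep talking
  # to the main computer whatever happens on the external side.
  echo "ufw allow in on $INTERNAL_IFACE"
  for iface in $EXTERNAL_IFACES; do
    for port in $KEEP_PORTS; do
      echo "ufw allow in on $iface to any port $port proto tcp"
    done
  done
  echo "ufw --force enable"
}

# Number of rule lines that would be produced (quick sanity check before applying).
ufw_rule_count() {
  ufw_rules | wc -l | tr -d ' '
}

# Audit helper: feed it `ss -tln` output on stdin and it prints, space-separated and
# sorted, every listening TCP port that is not in KEEP_PORTS (empty if all is well).
unexpected_ports() {
  awk -v keep="$KEEP_PORTS" '
    BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allowed[k[i]] = 1 }
    $1 == "LISTEN" {
      p = $4; sub(/.*:/, "", p)              # "0.0.0.0:22", "*:3000", "[::]:8080" -> port
      if (!(p in allowed) && !(p in seen)) { seen[p] = 1; print p }
    }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample of `ss -tln` output used to demonstrate the audit (not captured
# from a real robot).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    *:3000             *:*
LISTEN 0      128    0.0.0.0:9090       0.0.0.0:*
LISTEN 0      128    [::]:8080          [::]:*'

if [ "${APPLY:-0}" = "1" ]; then
  # Apply for real (run as root on the robot); each command is echoed before execution.
  ufw_rules | while IFS= read -r cmd; do
    echo "+ $cmd"
    sh -c "$cmd"
  done
else
  echo "# dry run: set APPLY=1 to execute these commands"
  ufw_rules
  echo "# ports listening outside the allowlist in the sample: $(printf '%s\n' "$SAMPLE_SS" | unexpected_ports)"
fi
```

Run it as-is to see the commands it would issue (a dry run); set APPLY=1 and run it as root on the robot to apply them. Because ROS nodes open one dynamically chosen port each, this rule set blocks ROS traffic from the external interfaces; if external ROS peers are needed, the relevant port range has to be added explicitly. Running `ss -tln | sh -c '. ./script.sh; unexpected_ports'` style checks periodically is a cheap way to notice a service that has started listening on an undocumented port.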

The rear panel of ARI gives physical access to several of the main computer’s ports. The panel is secured with four standard hex screws, which can easily be removed with regular Allen keys.

If physical access to the rear panel is a concern, we recommend replacing the screws with security screws with non-standard heads.

See also: Mitigation of Meltdown and Spectre vulnerabilities.

Advanced: privacy plugin configuration

If you decide to store additional privacy-sensitive data on the robot, you might want to configure the WebCommander data clearing plugin to delete additional files.

The configuration of the Privacy plugin contains a file_path parameter: the absolute path of the text file listing the files to be deleted.

wt:
    "10. Privacy":
        type: "Privacy"
        parameters:
            file_path: "/home/user/.pal/wt/privacy_files.db"
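As an added illustration (not the WebCommander plugin’s own code), the following POSIX shell function does what such a list file implies: it reads the entries and deletes them, and reports separately how many files were deleted, how many were already missing and how many were skipped. The page does not document the file format, so the one-absolute-path-per-line layout, the ‘#’ comment syntax and the function name clear_privacy_files are assumptions; the sample list used below is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not the WebCommander plugin's own code. ASSUMED list format:
# one absolute path per line; blank lines and lines starting with '#' are ignored.

# Usage: clear_privacy_files /path/to/privacy_files.db
# Prints "<deleted> <missing> <skipped>" so the caller can tell the cases apart,
# mirroring the "files deleted" / "no files deleted" outcomes of the WebCommander panel.
clear_privacy_files() {
  list="$1"
  deleted=0; missing=0; skipped=0
  [ -r "$list" ] || { echo "list file not readable: $list" >&2; return 2; }
  # The `|| [ -n "$path" ]` keeps a last line that lacks a trailing newline.
  while IFS= read -r path || [ -n "$path" ]; do
    case "$path" in
      ''|'#'*) continue ;;                       # blank line or comment
      /*) ;;                                     # absolute path: acceptable
      *) skipped=$((skipped + 1)); continue ;;   # relative paths are refused
    esac
    if [ -f "$path" ]; then
      rm -f -- "$path" && deleted=$((deleted + 1))
    elif [ -e "$path" ]; then
      skipped=$((skipped + 1))                   # directories, sockets etc. are left alone
    else
      missing=$((missing + 1))                   # already gone: nothing to do
    fi
  done < "$list"
  echo "$deleted $missing $skipped"
}

# Stand-alone use: pass the list file as the first argument.
if [ $# -ge 1 ]; then
  clear_privacy_files "$1"
fi
```

Refusing relative paths and non-regular files keeps a typo in the list (or an entry such as a home directory) from turning a privacy wipe into a broader deletion, which is the main thing to watch for when extending the plugin’s list with your own files.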