In an ubiquitous computing environment, sensors are actively collecting data, much of which can be very sensitive. Protecting this private data is a central concern for the users to have a trust relationship with the environment. There are a few challenges that make ubicomp security different from other system protection: (1) The environment is often unfamiliar to the users. They will not have a trust relationship with the owners of the environment as they might with their local system administrator appropriate for handling their private information. (2) Data is often generated dynamically, streams at high rates, and must be processed in real time. (3) Users' access rights change dynamically with respect to their relationship with the mechanisms by which data is generated. For example, a number of users can form an ad hoc group and record their meeting using a camera that is administered by the environment. They should only have access to the video produced during the meeting period. We are investigating schemes for protecting user data in a ubicomp environment. The key principle we propose is "data discretion," which grants access to information only to individuals who would have "real-world" access to the data. We have devised a protocol that is based on hybrid secret-key and public-key cryptography to enforce this principle. Our protocol allows for legitimate sharing and collaboration, yet stops any efforts to physically track the users by anyone, thus protecting user anonymity and privacy.