
Page 1: CS 680: Special Topics Privacy - Drexel CCIgreenie/privacy/CS680-f13-01.pdf · • Office: UC 140 ... San Diego Law Review, Vol. 44, 2007 • September 30 (In Class) ... • Why

CS 680: Special Topics: Privacy

Instructor: Rachel Greenstadt

September 23, 2013

Monday, September 23, 13

Page 2

Introductions

• Hopefully, we’ve all done online introductions

• Your name

• Program

• Interest in privacy/this course

• Something else interesting about you

Page 3

High Level Information

• Instructor: Rachel Greenstadt

• Office: UC 140

• Office Hours (Monday 3-4 pm)

• Feel free to email or stop by or use wimba

• Course website

• http://www.cs.drexel.edu/~greenie/privacy/

Page 4

Overview

• About this class

• Topics Covered

• Structure/Syllabus

• Final Project

• About Privacy

• Mini Lecture Cryptography

Page 5

Course Objectives

• Read and discuss papers about privacy as it relates to computer science

• Paper presentations and discussion

• Learn how to conduct research in this area

• Final research project

Page 6

Research Topics

• Basic Cryptography

• Privacy foundations / theory of privacy

• Privacy Enhancing Technologies

• Anonymous communication

• Data/Database privacy

• Privacy and E-commerce

• Web Privacy

• Bitcoin / ecash

• Social network privacy

• Privacy usability/engineering

• Privacy and Gov’t/Policy

Page 7

Readings

• September 23: Welcome to CS 680

◦ Intro to Privacy and Syllabus

• September 26 (Online)

◦ Privacy Foundations: 'I've Got Nothing to Hide' and Other Misunderstandings of Privacy (local cached copy). Daniel J. Solove, San Diego Law Review, Vol. 44, 2007

• September 30 (In Class)

◦ Mini-Lecture - Intro to cryptography

◦ Slides on Ethical Research: Jack Mendencorp and slides

◦ Leaked Prism Collection slides

◦ David Brin. The Transparent Society (WIRED, circa 1996, later expanded into a book)

• October 3: PETs for the Internet (online)

◦ Privacy-enhancing Technologies for the Internet (local cached copy). Ian Goldberg, David Wagner, Eric Brewer, IEEE COMPCON 1997

• October 7: Privacy and Cryptography Dreams (in class)

◦ David Chaum. Security without Identification: Card Computers to make Big Brother Obsolete (1985)

◦ Eric Hughes. A cypherpunk's manifesto. (short essay, 1993.)

• October 10: Privacy Engineering (online)

◦ Engineering Privacy (local cached copy). S. Spiekermann and L. Cranor. IEEE Transactions on Software Engineering, 35(1), 2009, pp. 67-82.

• October 14: Crypto for Privacy (in class)

◦ Alma Whitten and Doug Tygar. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0

◦ Nikita Borisov, Ian Goldberg, Eric Brewer. Off-the-Record Communication, or, Why Not To Use PGP

Page 8

Readings continued

• October 17: Stylometry (online)

◦ Michael Brennan, Sadia Afroz, and Rachel Greenstadt. Adversarial Stylometry: Circumventing Authorship Recognition to Preserve Privacy and Anonymity. ACM Transactions on Information and System Security (TISSEC), Volume 15 Issue 3, November 2012, Article No. 12

• October 21: Notice and Choice (in class)

◦ Proposals due

◦ L.F. Cranor. Necessary But Not Sufficient: Standardized Mechanisms for Privacy Notice and Choice. Journal of Telecommunications and High Technology Law, Vol. 10, No. 2, 2012.

◦ A Comparative Study of Online Privacy Policies and Formats (local cached copy). Aleecia M. McDonald, Robert W. Reeder, Patrick Gage Kelley and Lorrie Faith Cranor. PETS 2009.

• October 24: Data Privacy (online)

◦ Robust De-anonymization of Large Sparse Datasets (local cached copy). Arvind Narayanan and Vitaly Shmatikov. Proceedings of the 2008 IEEE Symposium on Security and Privacy (S&P 2008).

• October 28 (in class)

◦ Paul Ohm. Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization

◦ How Unique Is Your Web Browser? (local cached copy). Peter Eckersley, PETS 2010.

• October 31 (online)

◦ To Signal is Human (local cached copy). Sandy Pentland, American Scientist, 2010.

◦ Reality Mining for Android

Page 9

Readings continued

• November 4: Tor (online!)

◦ Videos

◦ Towards an Analysis of Onion Routing Security (local cached copy). Paul Syverson, Gene Tsudik, Michael Reed, and Carl Landwehr. Workshop on Design Issues in Anonymity and Unobservability, July 2000

◦ Tor: The Second-Generation Onion Router. Roger Dingledine, Nick Mathewson, Paul Syverson, USENIX Security 2004

• November 7 (online)

◦ Andrew Odlyzko. Privacy, Economics, and Price Discrimination on the Internet

• November 11: Data Tracking (in class)

◦ Mini-Lecture e-cash techniques

◦ New York Times. How Companies Learn Your Secrets

◦ Julia Angwin. The Web's New Gold Mine: Your Secrets (First in the Wall Street Journal's What They Know series)

• November 14: Ads (online)

◦ A. Korolova. "Privacy Violations Using Microtargeted Ads: A Case Study," IEEE International Workshop on Privacy Aspects of Data Mining (PADM 2010).

• November 18: Bitcoin

◦ Satoshi Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System

◦ Fergal Reid, Martin Harrigan. An Analysis of Anonymity in the Bitcoin System

• November 21 (online)

◦ To Join or not to Join: The Illusion of Privacy in Social Networks with Mixed Public and Private User Profiles (local cached copy). E. Zheleva, L. Getoor. 18th International World Wide Web Conference (WWW) 2009.

• November 25: Social Network Privacy (In class)

◦ Mao, Xin Shuai, and Apu Kapadia, "Loose Tweets: An Analysis of Privacy Leaks on Twitter," In Proceedings of the 2011 ACM Workshop on Privacy in the Electronic Society (WPES '11), Chicago, Illinois, October 17, 2011.

◦ Y. Wang, G. Norcie, S. Komanduri, P. Leon, L. Cranor, A. Acquisti. "I regretted the minute I pressed share": A Qualitative Study of Regrets on Facebook. SOUPS 2011

Page 10

What is a seminar course?

• Classic graduate style, but one you may not have been exposed to

• A key focus of this course is on reading and discussing research on privacy

• You will be learning from each other as much as or more than from the instructor

• Why the course, despite few prereqs, is “Advanced”

• Important to come to class prepared having read and thought about the papers

Page 11

Course Structure

• Traditional graduate seminar EXCEPT

• hybrid online/in-person class

• This is the beta-release of this class

• Aspects will be experimental and subject to change

• Feedback welcome

Page 12

Grades

• Facilitation: 25%

• Class Participation 25%

• Project 50%

• There may be some simple lab assignments (under participation)

Page 13

Facilitation - In Class

• Each paper will have a person responsible for leading a 40 minute discussion around it

• Start with a 25 minute conference style presentation - pretend it is your paper

• Then, lead the class in a critical discussion

• Make sure to go over technical areas where people may be confused

Page 14

Facilitation - Online

• Online students have the choice of writing a discussion board post or uploading a 25-minute presentation to the discussion board.

• Posts will be graded harder than presentations. Posts should summarize the main ideas and results of the paper, assess the paper's significance, bring up discussion points, and link to related work. Posts will be due the Thursday before class at 5 pm (or occasionally before class under special circumstances)

• The poster will moderate a discussion on the board. All students are expected to participate by Monday (4:59 pm) for Thursday posts or by Thursday (4:59 pm) for Monday posts

Page 15

Class Participation

• Participation in in-class discussion

• If you cannot watch the class concurrently, you will be expected to write a discussion board post on the discussion for each paper, contributing your thoughts (due by Thursday, before the online discussion comes out for the following week) This should be a couple paragraphs (shorter than the facilitation posts)

• Participation in online discussions

• Watching lectures/discussions

Page 16

Class Project

• Research project on some topic related to privacy enhancing technologies

• Groups of 1-2 people

• Proposal and topic due October 21

• Paper (12 pages, workshop quality) and presentation due end of class

Page 17

The Final Project Proposal

• 2 pages long

• Problem Statement and Motivation

• Brief Description of Approach

• Related Work and novelty

• Evaluation approach

• Milestones

Page 18

Digital Millennium Copyright Act

• No person shall circumvent a technological measure that effectively controls access to a work protected under copyright.

• The Act defines what it means in Section 1201(a)(3):

(A) to “circumvent a technological measure” means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner; and

(B) a technological measure “effectively controls access to a work” if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.

• Also, no tools, advice, publication, etc

• Possible to get research/education exemptions sometimes, but likely not in time for Project 3

Page 19

Computer Fraud and Abuse Act

1. Knowingly accessing a computer without authorization in order to obtain national security data

2. Intentionally accessing a computer without authorization to obtain:

◦ Information contained in a financial record of a financial institution, or contained in a file of a consumer reporting agency on a consumer.

◦ Information from any department or agency of the United States

◦ Information from any protected computer if the conduct involves an interstate or foreign communication

3. Intentionally accessing without authorization a government computer and affecting the use of the government's operation of the computer.

4. Knowingly accessing a protected computer with the intent to defraud and thereby obtaining anything of value.

5. Knowingly causing the transmission of a program, information, code, or command that causes damage or intentionally accessing a computer without authorization, and as a result of such conduct, causes damage that results in:

◦ Loss to one or more persons during any one-year period aggregating at least $5,000 in value.

◦ The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals.

◦ Physical injury to any person.

◦ A threat to public health or safety.

◦ Damage affecting a government computer system

6. Knowingly and with the intent to defraud, trafficking in a password or similar information through which a computer may be accessed without authorization.

Broad interpretation

Page 20

Wiretapping laws

• Pennsylvania's wiretapping law is a "two-party consent" law. Pennsylvania makes it a crime to intercept or record a telephone call or conversation unless all parties to the conversation consent. See 18 Pa. Cons. Stat. § 5703 (Title 18, Part II, Article F, Chapter 57, Subchapter B, and then the specific provision).

• These laws apply to data, not just telephone surveillance

Page 21

Human Subjects Research

• Human subjects research - A systematic investigation involving live subjects, records, databases, tissue samples or surveys - including research development, testing and evaluation - designed to develop or contribute to generalizable knowledge.

• Evaluated by Internal Review Board (IRB), but exemption for educational purposes

• If you are thinking of studying humans (users) in any way, please come talk to me about ways to do this legally and ethically

Page 22

Other parts of class

• Mini-lectures

Page 23

First week of papers

• We’ll assign to people here

• Figure out the rest after that, based on enrollment

Page 24

Reading Next Week

• By Thursday 11:59 pm

• 'I've Got Nothing to Hide' and Other Misunderstandings of Privacy Daniel J. Solove, San Diego Law Review, Vol. 44, 2007

• By Next Class

• Leaked Prism Collection slides

• David Brin. The Transparent Society (WIRED, circa 1996, later expanded into a book)

Page 25

Also next week

• Micro-lecture on cryptography basics

• I will include short lectures from time to time to add some background

Page 26

Your responsibility

• Look through the schedule and pick a reading that you want to facilitate.

Page 27

Privacy : A Facilitated Discussion

credits to Alessandro Acquisti and others

Page 28

What is privacy?

Page 29

What is privacy?

• Hard to define

• Data concealment

• A right “to be left alone”

• Freedom

• The ability to control the information released about you

Page 30

Privacy in a Digital World

• How does it change?

Page 31

Privacy in dot com days

Page 32

And then...

Page 33

How the market reacted

Economic challenges pushed merchants to more restrictive policies

“This policy may change from time to time so please check back periodically.”

- Yahoo privacy policy circa 2001

Page 34

And governments have noticed this dynamic...

Page 35

Privacy in the news

• After NSA revelations, a privacy czar is needed (Washington Post, 2 hours ago): Alan Charles Raul is a lawyer in Washington who previously served as vice chairman of the Privacy and Civil Liberties Oversight Board and ...

• Schools' use of cloud services puts student privacy at risk (PCWorld, 6 hours ago): Schools that compel students to use commercial cloud services for email and documents are putting privacy at risk, says a campaign group ...

• Privacy row as road chiefs track drivers on motorways by collecting ... (Daily Mail, 12 hours ago): The Highways Agency is collecting huge amounts of data from phone companies and other firms that log clients' location. Officials claim the ...

• HHS Issues Last-Minute Changes to HIPAA Privacy, Security Rules (iHealthBeat, 47 minutes ago): On Thursday, HHS' Office for Civil Rights released new guidelines under the HIPAA privacy and security rules that allow pharmaceutical ...

• Lawmaker proposes privacy advocate for secret court (Reuters, Sep 20, 2013): Robertson made his suggestion during a public meeting held by the bipartisan Privacy and Civil Liberties Oversight Board, which was set up in ...

• Fingerprint scanner for iPhone 5s raises privacy, security concerns (Washington Post, Sep 22, 2013): One of the highlights of the iPhone 5s, the fingerprint scanner, is facing two concerns that may take a little shine off Apple's cool new feature.

Page 36

Stakeholders

• Individuals

• Businesses

• Governments

• Other groups

Page 37

Digital Surveillance

• Who is the adversary?

Page 38

Who is the data revealed to?

• Some faceless company?

• The government?

• The Internet?

• Friends/Family?

• Acquaintances/colleagues/employers?

Page 39

Threats or what could possibly go wrong?

Page 40

Threats or what could possibly go wrong?

• Identity Fraud/Theft

• Information actually used for harm

• Discrimination - social or economic

• Conformity pressure

Page 41

Privacy vs. Security

• When is there a tradeoff?

• When are they the same?

Page 42

A solved problem?

“You pay for content or services with anonymous electronic cash. You connect to content and service providers with an anonymizing mixnet. You authenticate yourself with anonymous credential schemes or zero-knowledge identification protocols. You download content via private information retrieval or oblivious transfer. You use secure function evaluation when interacting with services that require some information.” - [Feigenbaum, Sander, Freedman, Shostack]

Page 43

E-cash and blind signatures

What else is needed for e-cash?

Page 44

Technology Rundown

• Anonymous credentials (insurance cards, student IDs, etc) - can use digital signatures for this too

• Brands generalized with certificate scheme

• What if, instead of providing a SSN or ID number, you provided a zero-knowledge proof that you know the private key related to some public key that identifies you?

• Mix-nets - Batch and mix messages to provide anonymity (high latency)

Page 45

Technology Rundown

• Private Information Retrieval/Oblivious Transfer : Bob has database of n elements, Alice pays to access 1 item and should not get more, Bob should not know which item Alice accessed

• Secure Function Evaluation - Alice and Bob want to compute some function, but keep the inputs private (classically, which one is richer?)

• Both of these can be done, but not always efficiently - take crypto class to learn more

Page 46

What are the obstacles?

• To these identity management technologies?

Page 47

Types of Privacy Enhancements: Anonymity

• Anonymity (unlinkability) - Data is not linked to an identity

• Location anonymity (Tor, mixes)

• Data anonymity - “we anonymized the data before releasing it”

• Netflix/census data/etc

• k-Anonymity

Page 48

Types of Privacy Enhancements: Policy

• Policies that protect information

• Internal access control measures

• Data tagged with XACML or EPAL

• Agreements with partners

• Internal Auditing (Google example)

• Regulatory Compliance (HIPAA?)

Page 49

Introduction to P3P

(slide credit: Lorrie Faith Cranor • http://lorrie.cranor.org/)

Privacy policy vs. P3P policy:

• Privacy policy: designed to be read by a human. P3P policy: designed to be read by a computer.

• Privacy policy: can contain fuzzy language with “wiggle room”. P3P policy: mostly multiple choice – sites must place themselves in one “bucket” or another.

• Privacy policy: can include as much or as little information as a site wants. P3P policy: must include disclosures in every required area.

• Privacy policy: easy to provide detailed explanations. P3P policy: limited ability to provide detailed explanations.

• Privacy policy: sometimes difficult for users to determine boundaries of what it applies to and when it might change. P3P policy: precisely scoped.

• Privacy policy: web site controls presentation. P3P policy: user agent controls presentation.

Page 50

Risk Analysis

Page 51

The Privacy Paradox

Why do we have great privacy enhancing technologies... that almost nobody uses?

Why do so many people claim to be concerned about privacy… and then do little to protect it?

Page 52

Privacy and Economics

• Will anyone buy privacy?

• Maybe...we buy curtains/blinds

Page 53

Difficulties in privacy economics

• Asymmetric information

• Individual does not know how, how often, for how long information will be used

• Intrusions invisible and ubiquitous

• Externalities and moral hazard

• Ex-post

• Value uncertainty

• Keeps on affecting individual after transaction

Page 54

Difficulties in privacy economics

• Context-dependent (states of the world)

• Anonymity sets (how many people could I be confused with?)

• Sweeney (2002) 87% Americans uniquely identified by gender, birth year, and zip code.

• The more parties that use the good (personal information) the higher risks for original data owner

• Different individuals value the same piece of information differently

• Market for personal information is not necessarily the same as a market for privacy
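The anonymity-set idea and Sweeney's gender/birth-year/ZIP quasi-identifiers, worked through as an added example (not from the course slides): it measures the anonymity set of every record in a constructed sample dataset, reports the resulting k (the smallest set, as in k-anonymity), and generalizes the quasi-identifiers until a requested k is met. The records, bucket sizes and helper names are all constructed for this illustration.

```python
"""Anonymity sets and k-anonymity over quasi-identifiers (gender, birth year,
ZIP). Added example, not from the course slides; RECORDS is constructed
sample data, not a real dataset."""
from collections import Counter
from typing import Iterable, List, Optional, Tuple

QuasiId = Tuple[str, int, str]  # (gender, birth_year, zip)

# Constructed sample records (no real people).
RECORDS: List[QuasiId] = [
    ("F", 1985, "19104"), ("F", 1985, "19104"),
    ("M", 1972, "19104"), ("M", 1972, "19104"), ("M", 1972, "19104"),
    ("F", 1990, "19146"),                      # alone in her anonymity set
    ("M", 1985, "19146"), ("M", 1985, "19146"),
]


def anonymity_set_sizes(records: Iterable[QuasiId]) -> Counter:
    """Size of each anonymity set: how many records share the same
    quasi-identifier values (how many people a record could be confused with)."""
    return Counter(records)


def k_of(records: Iterable[QuasiId]) -> int:
    """The k in k-anonymity: the smallest anonymity set in the release."""
    sizes = anonymity_set_sizes(records)
    return min(sizes.values()) if sizes else 0


def unique_fraction(records: Iterable[QuasiId]) -> float:
    """Fraction of records whose quasi-identifiers are unique (anonymity set of
    size 1). Sweeney's 87% is this statistic for gender + birth date + ZIP."""
    records = list(records)
    sizes = anonymity_set_sizes(records)
    return sum(1 for r in records if sizes[r] == 1) / len(records)


def generalize(record: QuasiId, year_bucket: int = 10, zip_digits: int = 3) -> QuasiId:
    """Coarsen the quasi-identifiers: bucket the birth year and truncate the ZIP.
    This is the usual way to enlarge anonymity sets before a data release."""
    gender, year, zipcode = record
    masked_zip = zipcode[:zip_digits] + "*" * (5 - zip_digits)
    return (gender, year - year % year_bucket, masked_zip)


# Progressively coarser (year_bucket, zip_digits) settings; constructed ladder.
GENERALIZATION_LADDER = [(1, 5), (5, 5), (10, 3), (20, 2), (50, 0)]


def release(records: Iterable[QuasiId], k: int) -> Optional[Tuple[List[QuasiId], Tuple[int, int]]]:
    """Generalize just enough that every anonymity set has at least k members.
    Returns (generalized records, settings used), or None if no rung suffices."""
    records = list(records)
    for year_bucket, zip_digits in GENERALIZATION_LADDER:
        out = [generalize(r, year_bucket, zip_digits) for r in records]
        if k_of(out) >= k:
            return out, (year_bucket, zip_digits)
    return None


if __name__ == "__main__":
    print("k of raw release:", k_of(RECORDS))            # 1: someone is unique
    print("unique fraction:", unique_fraction(RECORDS))
    for want in (2, 3, 6):
        result = release(RECORDS, want)
        print(f"k={want}:", "not achievable" if result is None else result[1])
```

Note that k only counts quasi-identifier collisions; the page's later reading (Narayanan and Shmatikov) shows why sparse auxiliary data can still re-identify records that pass this check.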

Page 55

Privacy trade-offs

• Protect

• Immediate cost (or loss of immediate benefit)

• Future (uncertain) benefits

• Do not protect

• Immediate benefits

• Future (uncertain) costs

Page 56

Why is this Problematic?

• Incomplete information

• Bounded rationality/Behavioral distortions

• Complacency towards large risks

• Inability to handle prolonged accumulation of small risks

• Coherent arbitrariness

• Hyperbolic discounting

• Acquisti/Grossklags [2004]

Page 57

And Yet

• Privacy more in the public eye than ever

• Can’t separate government vs private sector data use

• Has an impact on consumer trust

Page 58

Privacy in the Electronic Society

• Nearly all of our actions are electronically mediated

• sometimes explicitly (Facebook) sometimes implicitly (Target’s database)

• Privacy is about the balance between individual freedom and autonomy on one side and collective social control on the other

• What kind of society do we want to have?

Page 59

Crypto - mini lecture 1

Page 60

Cryptography

• Symmetric key cryptography (secret key crypto): sender and receiver keys identical

• Asymmetric key cryptography (public key crypto): encryption key public, decryption key secret (private)

Page 61

Goal of Encryption

• Provide confidentiality -

• no one can read the data

• not anonymity

Page 62

Vernam Ciphers

• XOR cipher - encryption and decryption are the same operation: block of data XOR key

• Vernam’s cipher XORed the message with a key read off a paper tape loop

• More modern versions use a pseudorandom number generator (stream cipher)

• One-time pad - If key perfectly random AND only used once, then perfect secrecy is assured

• Drawbacks?

Page 63

Reusing one-time pads

K1 ⊕ M1 = E1

M2 ⊕ K1 = E2

E1 ⊕ E2 = M1 ⊕ M2 (the key cancels out)
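An added example (not from the slides) in Python showing the XOR cipher from the Vernam slide and the pad-reuse leak above; the two messages and the pad are constructed here for illustration.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the Vernam operation)."""
    if len(a) != len(b):
        raise ValueError("key must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    """Vernam / one-time pad: E = M xor K. Decryption is the same operation."""
    return xor_bytes(message, key)


otp_decrypt = otp_encrypt  # M = E xor K


def new_pad(length: int) -> bytes:
    """A fresh, uniformly random key: perfect secrecy needs this AND single use."""
    return secrets.token_bytes(length)


def leak_from_reuse(e1: bytes, e2: bytes) -> bytes:
    """Two ciphertexts under one pad: E1 xor E2 = M1 xor M2, the key cancels."""
    return xor_bytes(e1, e2)


def recover_other(e1: bytes, e2: bytes, known_m1: bytes) -> bytes:
    """Once one plaintext is known (or guessed), the other falls out directly."""
    return xor_bytes(leak_from_reuse(e1, e2), known_m1)


def demo() -> dict:
    # Constructed sample messages of equal length so one pad fits both.
    m1 = b"first message!!!"
    m2 = b"second message!!"
    k1 = new_pad(len(m1))
    e1 = otp_encrypt(m1, k1)
    e2 = otp_encrypt(m2, k1)  # the mistake: same pad used twice
    return {
        "roundtrip": otp_decrypt(e1, k1) == m1,
        "key_cancels": leak_from_reuse(e1, e2) == xor_bytes(m1, m2),
        "m2_recovered": recover_other(e1, e2, m1) == m2,
    }


if __name__ == "__main__":
    print(demo())
```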

Page 64

Old School Cryptography

• Caesar cipher - shift cipher (each letter replaced by one a fixed length down)

• “Veni, vidi, vici” -> “Yhql, ylgl, ylel”

• Monoalphabetic substitution : substitute one letter for another

• S-box - bit level substitution

• Transposition - Permute the order of the message

• P-box - bit level transposition

Page 65

Multiple Round Ciphers

• Multiple rounds of complex ciphers made up of permutations, substitutions, xor, etc

• Examples: DES, AES

• DES not so secure because the key is too short

• Hard to understand, little proof of security (except that if anyone knows how to break them, they’re not telling)

Page 66

Data Lifetime

• List three types of data whose lifetime (amount of time for which confidentiality protection is needed) is approximately one day. List three whose lifetime is closer to one year. List three whose lifetime is closer to one century.

Page 67

DES Security

• DES not too susceptible to differential or linear cryptanalysis

• BUT, 56-bit key is just too short

• EFF’s Deep Crack breaks in 56 hours (1998) for $250,000

• distributed.net and Deep Crack 22 hours (1999)

• COPACOBANA FPGA machine $10,000, 6.4 days per key

Page 68

Security of AES

• Most successful attacks are side-channel attacks

• Side-channel attacks use weaknesses in the physical implementation of the system, not the algorithm or brute-force keycracking

• D.J. Bernstein showed that delays in encryption time due to cache misses can be used to infer the key; demonstrated against a custom remote server using OpenSSL’s AES implementation

• Osvik et al. showed that local attacks could infer the key in 65 milliseconds

• Theoretical “XSL attack” in 2002 suggests some problems with the mathematics, no practical demonstration

Page 69

Problems with Symmetric Key Crypto

• Scalability - separate communication between N people requires N(N-1)/2 keys

• Key management

• Key distribution

• Key storage and backup

• Key disposal

• Key change

Page 70

Applications of Public Key Crypto

• Encryption for confidentiality

  • Anyone can encrypt a message

    • With symmetric key cryptography, must know secret key to encrypt

  • Only someone who knows the private key can decrypt

• Key management is simpler (maybe)

  • Secret is stored only at one site

• Digital signatures for authentication

  • Can “sign” a message with private key

• Session key establishment

  • Exchange messages to create a special session key

  • Then use symmetric key cryptography

Page 71

Diffie-Hellman Protocol (1976)

• Alice and Bob never met and share no secrets

• Public info : p and g

• p is a large prime number, g is a generator of Zp*

• Zp* = {1, 2, ..., p-1}; ∀a ∈ Zp* ∃i such that a = g^i mod p

• Modular arithmetic (numbers wrap around after they reach p)

• 0 = p mod p

Page 72

Why is Diffie-Hellman Secure?

• Discrete Log (DL) problem: given g^x mod p, it’s hard to extract x

• There is no known efficient algorithm for doing this

• This is not enough for Diffie-Hellman to be secure! (Why?)

• Computational Diffie-Hellman problem: given g^x and g^y, it’s hard to compute g^xy mod p

• … unless you know x or y, in which case it’s easy

• Decisional Diffie-Hellman (DDH) problem: given g^x and g^y, it’s hard to distinguish between g^xy mod p and g^r mod p where r is random

Page 73

Properties of Diffie-Hellman

• Assuming DDH problem is hard, Diffie-Hellman protocol is a secure key establishment protocol against passive attackers

• Eavesdropper can’t distinguish between established key and a random value

• Can use new key for symmetric cryptography

• Approx. 1000 times faster than modular exponentiation

• Diffie-Hellman protocol (by itself) does not provide authentication

Page 74

Diffie-Hellman Handshake

Alice                                  Bob

  ------- E_Bob(g^x) ------------>

  <------ g^y, H(K) --------------     K = g^xy

This depends on the hardness of discrete log (hard to find x from g^x)

Now both sides have a symmetric key, K = g^xy. Why do we need to encrypt g^x?

Why do we need H(K)? What’s still broken?
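An added example (not the lecture’s own code) that walks through the handshake above with constructed toy parameters p = 23, g = 5 and fixed exponents, and also checks the generator condition from the earlier Diffie-Hellman slide. Taking SHA-256 as the hash H for the key confirmation is an assumption made here.

```python
import hashlib
import secrets
from typing import Optional

# Constructed toy parameters: far too small for real use, chosen so the numbers
# can be checked by hand. Real deployments use groups of at least 2048 bits.
P = 23  # prime modulus
G = 5   # generator of Z_23^*


def is_generator(g: int, p: int) -> bool:
    """True if the powers of g cover all of Z_p^* = {1, ..., p-1}."""
    return {pow(g, i, p) for i in range(1, p)} == set(range(1, p))


def keypair(p: int, g: int, secret: Optional[int] = None) -> tuple:
    """Private exponent x in [1, p-2] and the public value g^x mod p."""
    x = secret if secret is not None else secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def shared_key(their_public: int, my_secret: int, p: int) -> int:
    """K = (g^y)^x = g^xy mod p; both sides land on the same value."""
    return pow(their_public, my_secret, p)


def key_confirmation(k: int) -> str:
    """H(K): lets Bob show he holds the same K without sending K itself (SHA-256 assumed)."""
    return hashlib.sha256(str(k).encode()).hexdigest()


def handshake(p: int, g: int, x: int, y: int) -> dict:
    """Run the exchange with fixed exponents so the outcome is reproducible."""
    x, gx = keypair(p, g, x)   # Alice -> Bob: g^x (sent as E_Bob(g^x) on the slide)
    y, gy = keypair(p, g, y)   # Bob -> Alice: g^y, H(K)
    k_bob = shared_key(gx, y, p)
    k_alice = shared_key(gy, x, p)
    # Alice recomputes H(K) from her own K and compares it with what Bob sent.
    confirmed = key_confirmation(k_alice) == key_confirmation(k_bob)
    # A passive eavesdropper sees only (p, g, g^x, g^y); under DDH, K looks
    # random to them when p is large. Nothing here authenticates Alice or Bob.
    return {"gx": gx, "gy": gy, "k_alice": k_alice, "k_bob": k_bob,
            "confirmed": confirmed}


if __name__ == "__main__":
    print(is_generator(G, P), handshake(P, G, 6, 15))
```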
