The Privacy Conundrum (Do we have secrets to hide?)
Partha Dasgupta
Arizona State University
Tempe, AZ, USA
Overview
Privacy – what, why, and it’s important
· Security is different
Privacy leaks via browsing
Advertising and the importance of targeting
Why we have no privacy even if we have security?
Smartphones and things to come
Privacy
The ability of an entity to seclude information about itself.
Types of privacy:
· Personal, informational (financial, medical, political, Internet), organizational, spiritual.
Ability to control information flow, limit publicity, enforce the notion of “private information”
Privacy is rooted in cultural aspects.
· Western cultures are more concerned with individual privacy. Urban cultures value privacy more than rural cultures
Right to privacy?
Internet privacy?
Why Hide? Why Privacy?
“If you have nothing to hide, you have nothing to fear”
OR
“If you have done nothing wrong, you have nothing to hide”
· Eric Schmidt (CEO of Google):
-- "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place, …"
Pitfalls:
· Mistakes, misinterpretation, framing, false opinions, lack of due process
· Discrimination based on personal opinions, politics, health,
Cardinal Richelieu (circa 1600): "If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged"
Bruce Schneier: "Too many wrongly characterize the debate as 'security versus privacy.' The real choice is liberty versus control."
Scott McNealy, “You have zero privacy anyway. Get over it.” (1998)
Security (and privacy)
Security: Protect against attackers gaining access to property, systems, information and such.
Privacy: Protect against oneself disclosing information that could be harmful if disclosed.
Privacy subsumes security, but not vice versa.
· Secure systems can protect privacy, but often do not.
· Smartphones may be secure, but are terrible leakers of privacy.
Today, most privacy leaks happen without any security attacks.
· People unknowingly leak private information on the internet
Simple Privacy Leaks
Browser
Search History
· On cloud, or local (with JavaScript tracking)
Google Maps (mobile)
Filter Bubble
Customized searches
· Google (and others) provide search results based on what you searched/liked before
· Customized for you
Customization leads to the “filter bubble”
· You live in a bubble and see what you would like to see.
· The user experience comes from an algorithm that selectively guesses what information a user would like to see, based on information about the user.
Good: Food choices, lifestyle choices
Bad: Opinions, politics, news
“You are the Product”
The internet applications are free to users….
· Since you are not paying, you are not the consumer
· You are the product being sold to their clients
Why are you valuable?
· Advertising budget: > USD 100 billion (40b for US)
Advertising effectiveness increases dramatically when a product is advertised to a person who wants it, or may be convinced they want it.
· Targeted advertising
· The victim has little chance
· Serious money is involved, and the better the targeting, the better the results and hence the higher the cost-per-click.
Why track?
You are the product… targeted advertising is the goal
· Profit!
The web is advertiser supported and advertisers want to know and control:
· Who sees the ads – demographics, income, location, age, sex and so on.
· What ad should be shown to whom; targeted specials have great success.
Build profiles – databases about humans who browse the web.
· Even if browsing incognito (private modes)
Advertising Driven?
Google:
· Revenue, 2013: USD 60 billion
· Profits, 2013: USD 12 billion
Facebook too
Who paid this?? Why? Google is free?
Marketing Maxims
You do not buy the product, you buy the brand
Perception of a good deal
Perception of higher quality
Power of marketing
· “I do not care for advertisements” – not true.
Targeted advertising
· Preys on people's weaknesses, yearnings and FUD
· FUD: Fear, uncertainty, doubt
· “Good” deals too – it is much better to mark up a $50 product to $100 and then provide a 50% discount, than to price it at $50.
Complex Privacy Leaks
Targeting users needs in-depth information about the users
· Hence breaching users' privacy is important
Tracking / Monitoring
Eavesdropping
Aggregation of information
Building profiles
Data Mining and other AI/Machine Learning techniques
Connection graph
Tracking – Monitoring - Eavesdropping
You know
Your friends know
Some people may know
One entity knows about everyone
Third party cookies
JavaScript tracking
· http://www.forbes.com/
· http://www.independent.co.uk/
· http://www.businessinsider.com/
· http://uk.reuters.com/
· http://venturebeat.com/
Facebook-style tracking
Facebook icons and likes
· Also many other sites
· Click not needed
· Even when logged off!!
“Sign in with Facebook”
Cloud Computing
Cloud computing: “You have zero privacy anyway. Get over it.”
Storage on the cloud
All data is visible to service provider.
· Nothing ever gets deleted
· Cloud drives, cloud email, financial tracking, health monitoring, payment systems, calendaring, mapping and routing, call a cab,
· Even crowdsourcing sites, social networking sites, photo sharing sites, and so on.
Aggregation of tracks
Cookies allow a website to see who is repeatedly visiting them
Each website manages its own data about users
Aggregation allows a third party to see the global picture
· Tracking techniques make this possible
· Resulting data is valuable to marketing people
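The aggregation described on this slide can be checked from the user's side. The following is an added example, not part of the original presentation: it scans a constructed request log and reports cookie values that a single third party receives while the user is on several unrelated sites. The host names, cookie names and the two-label `site_of` shortcut are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log (not real traffic): the page being visited, the URL
# the browser fetched for that page, and the Cookie header sent with the fetch.
REQUESTS = [
    ("https://news.example/story", "https://news.example/app.js", "sid=n-81"),
    ("https://news.example/story", "https://cdn.tracker.test/t.js", "uid=abc123; lang=en"),
    ("https://news.example/story", "https://api.widgets.test/w.js", "v=1a"),
    ("https://shop.example/cart", "https://px.tracker.test/p.gif", "uid=abc123"),
    ("https://shop.example/cart", "https://api.widgets.test/w.js", "v=9f"),
    ("https://health.example/symptoms", "https://cdn.tracker.test/t.js", "uid=abc123"),
    ("https://health.example/symptoms", "https://fonts.static.test/f.woff", ""),
]

def site_of(url):
    """Assumption: a 'site' is the last two host labels. Real tools use the Public Suffix List."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def parse_cookies(header):
    """Split a Cookie request header into a {name: value} dict."""
    pairs = (item.split("=", 1) for item in header.split(";") if "=" in item)
    return {name.strip(): value.strip() for name, value in pairs}

def cross_site_identifiers(requests, min_sites=2):
    """Return {(third party, cookie name, value): [first-party sites]} for every
    cookie value that one third party received on at least min_sites sites."""
    seen = defaultdict(set)
    for page_url, request_url, cookie_header in requests:
        first_party, third_party = site_of(page_url), site_of(request_url)
        if first_party == third_party:
            continue  # a site reading its own cookie is the per-site case
        for name, value in parse_cookies(cookie_header).items():
            seen[(third_party, name, value)].add(first_party)
    return {key: sorted(sites) for key, sites in seen.items() if len(sites) >= min_sites}

if __name__ == "__main__":
    for (party, name, value), sites in cross_site_identifiers(REQUESTS).items():
        print(f"{party} can link {name}={value} across: {', '.join(sites)}")
```

The `widgets.test` entries receive a different value on each site, so they are not reported: without a stable identifier the third party cannot join the visits.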
Graphs and Mining
Relationship graphs reveal a lot about you
· Who do you communicate with?
· Who communicates with you?
· Relationships based on friends, location, age, gender, political beliefs, religion, hobbies, interests
Building profiles
· Data Mining
· Machine learning
The Smartphone trap
The final frontier is smartphones
“There is an app for it”
As smartphone usage is rising, the tracking and monitoring opportunities are exploding
Smartphone penetration – “HIGH”
· US: 50%, China: India: 13%
· Growth rate is impressive
Downloaded apps are like viruses, they have too much power
· Even though they disclose the “power”
Too many permissions?
Android Security and Privacy
Android has a “well designed, well thought out” security infrastructure
Android has legitimate ways of bypassing security with user permissions – get higher permissions
Users have to be knowledgeable
· Want the app? You have to say yes to permissions.
Privacy controls are terrible
Apps can leak, aggregate, profile and even collude
· “intents” is a backdoor method of inter-app communication
Google Maps
Device & app history
-- retrieve running apps
Identity
-- find accounts on the device
-- add or remove accounts
Contacts/Calendar
-- read your contacts
-- modify your contacts
Location
-- precise location (GPS and network-based)
Phone
-- write call log
-- directly call phone numbers
Photos/Media/Files
-- test access to protected storage
-- modify or delete the contents of your USB storage
Camera/Microphone
-- record audio
Wi-Fi connection information
-- view Wi-Fi connections
Device ID & call information
-- read phone status and identity
Other
-- view configured accounts
-- receive data from Internet
-- run at startup
-- view network connections
-- install shortcuts
-- control Near Field Communication
-- use accounts on the device
-- disable your screen lock
-- read Google service configuration
-- full network access
-- connect and disconnect from Wi-Fi
-- control vibration
Facebook (edited)
Identity
-- find accounts on the device
-- add or remove accounts
-- read your own contact card
Contacts/Calendar
-- modify your contacts
-- read calendar events plus confidential information
-- add or modify calendar events and send email to guests without owners' knowledge
Location
-- precise location (GPS and network-based)
SMS
-- read your text messages (SMS or MMS)
Phone
-- write call log
-- directly call phone numbers
Photos/Media/Files
Camera/Microphone
-- take pictures and videos
-- record audio
Wi-Fi connection information
-- view Wi-Fi connections
Device ID & call information
-- read phone status and identity
Other
-- download files without notification
-- create accounts and set passwords
-- view network connections
-- install shortcuts
-- read Google service configuration
-- draw over other apps
-- full network access
-- change network connectivity
-- set wallpaper
-- send sticky broadcast
-- reorder running apps
-- connect and disconnect from Wi-Fi
Brightest Flashlight
Location
-- approximate location (network-based)
-- precise location (GPS and network-based)
Photos/Media/Files
-- modify or delete the contents of your USB storage
-- test access to protected storage
Camera/Microphone
-- take pictures and videos
Wi-Fi connection information
-- view Wi-Fi connections
Device ID & call information
-- read phone status and identity
Other
-- disable or modify status bar
-- read Home settings and shortcuts
-- control flashlight
-- prevent device from sleeping
-- view network connections
-- full network access
-- install shortcuts
-- uninstall shortcuts
Smartphone Tracking Risks
What can a smartphone do?
· Complex apps that gather a lot of information
· An aggregation point of a large number of tracking possibilities
Location maps
Activity (physical)
Transactions (financial)
Communications with other people
Lifestyle choices
Health monitoring
Payment systems
“The Ecosystem”
· Profile building that is significantly better than what is possible on computers
Payment Systems
Smartphone based banking and payment systems are being marketed heavily
NFC (Near Field Communication) based systems, as well as other methods
· Credit card transactions
· Wallet based transactions
· Monitoring your spending profiles
Gather real information about what the user does and purchases and sees
Comparative shopping systems
· Amazon does real market analysis via crowdsourcing
Health Monitoring Systems
Health sensors that interface to your smartphone, e.g. FITBIT
Sensors can find out a lot about you
· Sleep
· Sit, walk, run, climb
· Vitals (heart rate, blood pressure, sugar levels)
· Food and drink consumption
Data is uploaded to cloud servers
· A lot of advantages
· Get the ideas…..?
Life Scheduling
Things you should do, and when
Calendaring combined with ….
· Location
· To-do lists
· Things to buy
· Friends and connections
· Managing time and activities
Yet another wonderful data mining source
Total Ecosystems
The smartphone based ecosystems are almost here
Use the smartphone to control your entire existence
· Social
· Personal
· Professional
· Entertainment
· Hobbies
Aggregate all information and use it against the poor human
· Google, Apple, Microsoft control all the apps you can get on the respective platforms
Much more to come, things we have not thought of yet
· Today marketing, tomorrow worse…
Government Surveillance
Governments use surveillance for various reasons
· Defeating terrorism?
Using backbone monitoring
· Raw data, as well as other techniques
Get encryption keys via various methods
Not easily defeated, since they have powers of enforcement
Internet of Things
The future – every device will be connected to the Internet
· Household devices, sensors, actuators, lights, appliances
IPv6 will make everything have a unique IP address
Security and privacy can be compromised in many ways
· Unintended consequences
· Not well thought through, just like most technologies
Very useful, but has severe downsides
Conclusions
Scott McNealy was right
· (1998 was not when privacy leaks were common)
Since we have lost the right to privacy, we probably will never get it back
Corporate and government interests will win
The advantages of giving up privacy entice most people
· Services for free
· Quite useful applications
· BUT we pay a high price for it…..
“Free is too expensive”