Trust, Security and Privacy in Learning Networks Daniel Olmedilla L3S Research Center / Hannover University Learning Networks in Practice 10 th May, 2007

Trust, Security and Privacy in Learning Networks

Daniel Olmedilla, L3S Research Center / Hannover University

Learning Networks in Practice, 10th May, 2007

Daniel Olmedilla May. 10th, 2007 Learning Networks in Practice 2

About this presentation

The intention is to show the security-related implications of using standard internet technology

Not specific to learning scenarios

User awareness and control are crucial when considering network- or social-based interactions

Encourage discussion


Outline

Did you know …?

What is it?

Learning Network Interaction

Some Research Directions

Conclusions


Did you know …?

that every time you use your browser your privacy is compromised?

that apparently non-sensitive information may threaten your privacy?

that a security failure on any system may have strong consequences for you?


Did you know …? Using Search Engines

Each search query is only some keywords

You may believe they are harmless

What if you link them?


Did you know … ? The AOL scandal

In 2006, AOL released data covering 3 months of use

  20 million web queries from 650,000 AOL users
  Each AOL username was replaced by an ID number

Users search for their own name, those of relatives or friends, addresses, social security numbers (SSN), etc.

What if you link

  own name + porn query → embarrassment
  name + “buy ecstasy” → evidence of crime
  name + address + SSN → identity theft waiting to happen
  address + “how to kill your wife” → possible future crime

http://www.techcrunch.com/2006/08/06/aol-proudly-releases-massive-amounts-of-user-search-data/


Did you know … ? Google Toolbar or Personalized Search

Several queries are normally linked only if they are within the same session or same IP

Google Toolbar and Personalized Search

  Collect information about your internet surfing behavior
  Have your bookmarks
  Have your interests
  Know what you buy
  Etc.


Did you know … ? Information Linkage

Medical Data released as Anonymous

  SSN  Name  Ethn   DOB       Sex  ZIP    Problem
  …    …     …      …         …    …      …
  …    …     White  09.16.61  F    94142  Obesity
  …    …     …      …         …    …      …

Voter List

  Name         Address         City       ZIP    DOB       Sex  Party     …
  …            …               …          …      …         …    …         …
  Sue Carlson  900 Market St.  San Fran.  94142  09.16.61  F    Democrat
  …            …               …          …      …         …    …         …
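The linkage shown in the two tables can be measured before a data set is released. The following added example (not part of the original slides) counts how many rows share each ZIP/DOB/Sex combination (k-anonymity) and shows the effect of coarsening those fields. Only the first row of each list comes from the slide; the other rows and the generalization rule (3-digit ZIP prefix, birth year) are assumptions.

```python
from collections import Counter

QUASI_IDENTIFIERS = ("zip", "dob", "sex")  # fields shared by both tables

# Constructed sample data; only the first row of each list comes from the slide.
medical_release = [
    {"dob": "09.16.61", "sex": "F", "zip": "94142", "problem": "Obesity"},
    {"dob": "03.02.61", "sex": "F", "zip": "94110", "problem": "Asthma"},
    {"dob": "11.30.75", "sex": "M", "zip": "94107", "problem": "Flu"},
    {"dob": "01.05.75", "sex": "M", "zip": "94133", "problem": "Diabetes"},
]
voter_list = [
    {"name": "Sue Carlson", "zip": "94142", "dob": "09.16.61", "sex": "F"},
    {"name": "Constructed Voter B", "zip": "94110", "dob": "03.02.61", "sex": "F"},
    {"name": "Constructed Voter C", "zip": "94107", "dob": "11.30.75", "sex": "M"},
]

def qi_key(record):
    return tuple(record[field] for field in QUASI_IDENTIFIERS)

def k_anonymity(release):
    """Size of the smallest group of rows sharing the same quasi-identifiers."""
    return min(Counter(qi_key(r) for r in release).values())

def rows_at_risk(release, public):
    """Rows that are unique in the release and match exactly one public record."""
    in_release = Counter(qi_key(r) for r in release)
    in_public = Counter(qi_key(p) for p in public)
    return [r for r in release
            if in_release[qi_key(r)] == 1 and in_public[qi_key(r)] == 1]

def generalize(record):
    """Assumed coarsening rule: keep a 3-digit ZIP prefix and the birth year only."""
    return dict(record, zip=record["zip"][:3] + "**", dob=record["dob"][-2:])

if __name__ == "__main__":
    print("k before:", k_anonymity(medical_release))
    print("rows at risk before:", len(rows_at_risk(medical_release, voter_list)))
    coarse = [generalize(r) for r in medical_release]
    coarse_public = [generalize(p) for p in voter_list]
    print("k after:", k_anonymity(coarse))
    print("rows at risk after:", len(rows_at_risk(coarse, coarse_public)))
```

Removing the name and SSN columns leaves k at 1 here, so the release is no safer than the original; only coarsening the shared fields raises it.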


Did you know … ? Is your disclosed information safe?

It may be stolen online because of security failures

Human intervention is an extra risk in the loop

Complete security does not exist!!!

http://www.usatoday.com/tech/news/computersecurity/2003-03-06-texas-hack_x.htm

http://www.foxnews.com/story/0,2933,196492,00.html


What is it? Security, Trust and Privacy

Security: if you already know an entity, how do you decide what she is or is not allowed to do?

Trust: if you do not know an entity, how do you decide whether to continue with the interaction or not?

Privacy: if you are asked for data, how do you decide what, when and to whom you disclose it? How do you ensure it is not further redistributed afterwards?


Learning Network Interaction: A possible scenario


Some Research Directions: Two main approaches

Soft/Social: based on previous behavior or experience, either direct or inferred (eBay, Amazon, etc.)

Hard/Verifiable: based on the disclosure of credentials or certificates (SSN, credit card, etc.)


Some Research Directions: Social Approach – Trust Propagation

[Figure: trust propagation graph with the labels "trust – 0.6", "0.2" and "??"]


Some Research Directions: Policies

Policy: statement specifying the behavior of a system

Some examples:

  Credit card required for a book purchase
  Discount to students
  My pictures can be accessed by my friends

Typically, only the server specifies the policies

  Take-it-or-leave-it fashion


Some Research Directions: Trust Negotiation

[Diagram: Alice, Bob, Service]

Step 1: Alice requests a service from Bob

Step 2: Bob discloses his policy for the service

Step 3: Alice discloses her policy for VISA

Step 4: Bob discloses his BBB credential

Step 5: Alice discloses her VISA card credential

Step 6: Bob grants access to the service
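The six steps can be reproduced with a small policy-driven negotiation in which each side releases an item only after the peer has shown what its policy for that item demands. This is an added example, not code from the presentation; the `Party` class, the policy contents and the `strict_bob` variant are assumptions made for illustration.

```python
class Party:
    def __init__(self, name, credentials, policies):
        self.name = name
        self.credentials = set(credentials)  # credentials this party holds
        self.policies = policies             # item -> credentials the peer must show first

def release(item, holder, peer, transcript, pending=frozenset()):
    """Decide whether holder may release item, recording each disclosure in order."""
    if (holder.name, item) in pending:
        return False                         # cyclic policies: nobody can move first
    required = holder.policies.get(item)
    if required is None:
        return False                         # default deny: no policy, no release
    if required:
        transcript.append(f"{holder.name} discloses policy for {item}: {sorted(required)}")
    waiting = pending | {(holder.name, item)}
    for credential in sorted(required):
        if credential not in peer.credentials:
            return False                     # peer cannot satisfy the policy
        if not release(credential, peer, holder, transcript, waiting):
            return False
    transcript.append(f"{holder.name} releases {item}")
    return True

def negotiate(resource, requester, owner):
    transcript = [f"{requester.name} requests {resource} from {owner.name}"]
    granted = release(resource, owner, requester, transcript)
    return granted, transcript

# Constructed parties mirroring the slide; the policy contents are assumptions.
alice = Party("Alice", {"VISA"}, {"VISA": {"BBB"}})
bob = Party("Bob", {"BBB"}, {"service": {"VISA"}, "BBB": set()})
# Variant with circular policies: Bob wants VISA before showing BBB.
strict_bob = Party("Bob", {"BBB"}, {"service": {"VISA"}, "BBB": {"VISA"}})

if __name__ == "__main__":
    granted, transcript = negotiate("service", alice, bob)
    for step, line in enumerate(transcript, 1):
        print(f"Step {step}: {line}")
    print("granted:", granted)
    print("circular policies granted:", negotiate("service", alice, strict_bob)[0])
```

With `strict_bob` the negotiation ends without access: each side waits for the other's credential, which is the failure mode a policy author has to check for.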


Conclusions

Be aware of the implications of your computer usage

Malicious entities are always watching

Key issue: user awareness and control


Conclusions: User Awareness and Control (I)

Most security/privacy violations are caused by

Lack of awareness

  Users ignore security threats and vulnerabilities
  Users ignore the policies applied by the systems they use

Lack of control

  Users don't know how to personalize their policies

A social problem

  Everybody's machine is on the internet
  Millions of computers can be exploited for attacks
  By taking advantage of the users' lack of technical competence


Conclusions: User Awareness and Control (II)

A recent experiment:

Several computers connected to the network

Different platforms and configurations

With default policies: intrusion in <5 min.

Bias towards functionality

With personalized policies: safe for 2 weeks

Till the end of the experiment

Avantgarde. http://www.avantgarde.com/xxxxttln.pdf


Questions?

[email protected] - http://www.L3S.de/~olmedilla/

Thanks!