Introduction to Privacy

Transcription

1 Introduction to Privacy

2 Why We Care? New Information Technologies: A) Digital storage, retrieval, distribution Enormous cost reductions B) Data sharing and processing i.e Data mining C) Ubiquitous Networking, comm. (sensors, rfid, smart phones, ) An emergent and fundamental change

3 Why We Care: Privacy Books per year (University Library database) Number

4 Privacy Concerns Important Points Privacy bounds vary between cultures Laws, rules, conventions, vary as well Focus originally on only one relationship Government citizen (citizens have little control over the information they provide...)

5 Going Digital Starting around 1970 Commercial databases Open data exchange standards Data exchange mechanisms (networks) exponentially increasing amounts of usable data Focus shifted to: Government, private sector citizen

6 History (1)

7 History (2)

8 History (3)

9 History (4)

10 Popular Arguments against Privacy If you care so much about your privacy it s because you have something to hide Surveillance is good and privacy is bad for national security. We need a tradeoff between privacy and security People don t care about privacy The nothing-to-hide argument

11 This information is not necessarily secret, but do you want to broadcast it? Identity attributes :Name, age, gender, race, IQ, marital status, place of birth, address, phone number, ID number... Location: Where you are at a certain point in time, movement patterns Interests / preferences : Books you read, music you listen, films you like, sports you practice Political affiliation, religious beliefs, sexual orientation Behavior: Personality type, what you eat, what you shop, how you behave and interact with others Health data: Medical issues, treatments you follow, DNA, health risk factors Social network: Who your friends are, who you meet when, your different social circles Financial data: How much you earn, how you spend your money, credit card number,...

12 The danger Surveillance: We move into a surveillance society companies/gov. gather a huge amount of information about users Discrimination: Profiling may reveal that a user is suffering from a certain disease. Insurance might then deny insurance Personalization: Filter bubble Information leakage We need privacy-preserving systems 14

13 PRIVACY DEFINITIONS

14 What is Privacy?

15 What is Privacy? Abstract and subjective concept, hard to define Dependent on cultural issues A couple of popular definitions: The right to be let alone Focus on freedom from intrusion Informational self-determination Focus on control How do we formalize privacy properties in computer systems?

16 Solove's Taxonomy A Taxonomy of Privacy by Daniel Solove

17 What is Privacy? How do we formalize privacy properties in computer systems?

18 Privacy properties from a technical point of view: Anonymity Hiding link between identity and action/piece of information. Reader of a web page, person accessing a service Sender of an , writer of a text Person to whom an entry in a database relates Pfitzmann-Hansen terminology: Anonymity is the state of being not identifiable within a set of subjects, the anonymity set The anonymity set is the set of all possible subjects who might cause an action Anonymity is the stronger, the larger the respective anonymity set is and the more evenly distributed the sending or receiving, respectively, of the subjects within that set is. Probabilistic definition Source: Anonymity, Unobservability, Pseudonymity, and Identity Management A Proposal for Terminology

19 Privacy properties from a technical point of view: Unlinkability Hiding link between two or more actions / identities / pieces of information. Examples: Two anonymous letters written by the same person Two web page visits by the same user Entries in two databases related to the same person Two people related by a friendship link Same person spotted in two locations at different points in time Pfitzmann-Hansen terminology: Unlinkability of two or more items means that within a system, these items are no more and no less related than they are related concerning the a-priori knowledge Focus on the information leakage of a system

20 Privacy properties from a technical point of view: Unobservability Hiding user activity. Examples: Impossible to see whether someone is accessing a web page Impossible to know whether an entry in a database corresponds to a real person Impossible to distinguish whether someone or no one is in a given location Pfitzmann-Hansen terminology: Unobservability is the state of items of interest being indistinguishable from any item of interest at all Sender unobservability then means that it is not noticeable whether any sender within the unobservability set sends.

21 PRIVACY METRICS

22 Can we measure privacy? Need to specify Privacy properties we want to achieve Adversary model: goals and capabilities Typically, adversaries are able to obtain probabilistic information. Examples: Probability of a person being the anonymous subject we want to identify (limited # of people in the world) Probability of two information items being related to each other (e.g., two web page requests coming from the same user) Many proposals, open research field Ex: information theoretic approach

23 A Primer on Info. Theory & Privacy There are around 7 billion humans on the planet: the identity of a random, unknown person contains just under 33 bits of entropy (2^33~8 billion). When we learn a new fact about a person, that fact reduces the entropy of their identity by a certain amount. There is a formula to say how much: - ΔS = - log2 Pr(X=x) Where ΔS is the reduction in entropy, measured in bits, and Pr(X=x) is simply the probability that the fact would be true of a random person.

24 A Primer on Info. Theory & Privacy For example: Starsign: ΔS = - log2 Pr(STARSIGN=capricorn) = - log2 (1/12) = 3.58 bits of information Birthday: ΔS = - log2 Pr(DOB=2nd of January) = -log2 (1/365) = 8.51 bits of information Note that if you combine several facts together, you might not learn anything new; for instance, telling me someone's starsign doesn't tell me anything new if I already knew their birthday.

25 How much entropy is needed to identify someone? if we know someone's birthday, and we know their ZIP code is 40203, we have = bits; that's almost, but perhaps not quite, enough to know who they are there might be a couple of people who share those characteristics. Add in their gender, that's bits, and we can probably say exactly who the person is!

26 An Application To Web Browsers how would this paradigm apply to web browsers? In addition to the commonly discussed "identifying" characteristics of web browsers, like IP addresses and tracking cookies, there are more subtle differences between browsers that can be used to tell them apart. One significant example is the User-Agent string, which contains the name, operating system and precise version number of the browser, and which is sent every web server you visit. A typical User Agent string looks something like this: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-gb; rv: ) Gecko/ Firefox/

27 An Application To Web Browsers (2) It turns out that that UA is quite useful for telling different people apart on the net. User Agent strings contain about 10.5 bits of identifying information, if you pick a random person's browser, only one in 1,500 other Internet users will share their User Agent string. So even if someone use TOR...the server can still get information about him!

28 Next: Protective Solutions Network-Layer Privacy Web Privacy (DNT, plugins, ) Data Sanitization PETs

29 Goals: Network-layer privacy (slides from Stanford) Hide user s IP address from target web site Hide browsing destinations from network

30 1 st attempt: anonymizing proxy anonymizer.com? URL=target User 1 Web 1 User 2 anonymizer.com Web 2 User 3 Web 3

31 Anonymizing proxy: security Monitoring ONE link: eavesdropper gets nothing Monitoring TWO links: Eavesdropper can do traffic analysis More difficult if lots of traffic through proxy Trust: proxy is a single point of failure Can be corrupt or subpoenaed Protocol issues: Long-lived cookies make connections to site linkable

32 How proxy works Proxy rewrites all links in response from web site Updated links point to anonymizer.com Ensures all subsequent clicks are anonymized Proxy rewrites/removes cookies and some HTTP headers Proxy IP address: if a single address, could be blocked by site or ISP anonymizer.com consists of >20,000 addresses Globally distributed, registered to multiple domains Note: chinese firewall blocks ALL anonymizer.com addresses

33 2 nd Attempt: MIX nets Goal: no single point of failure

34 MIX nets [C 81] R 1 R 3 R 5 R 6 srvr R 2 R 4 Every router has public/private key pair Sender knows all public keys To send packet: Pick random route: R 2 R 3 R 6 srvr Prepare onion packet: packet = E pk2 ( R 3, E pk3 ( R 6, E pk6 ( srvr, msg)

35 Eavesdropper s view at a single MIX user 1 R i batch user 2 user 3 Eavesdropper observes incoming and outgoing traffic Crypto prevents linking input/output pairs Assuming enough packets in incoming batch If variable length packets then must pad all to max len

36 Performance Main benefit: Privacy as long as at least one honest router on path R 2 R 3 R 6 Problems: srvr High latency (lots of public key ops) Inappropriate for interactive sessions May be OK for (e.g. Babel system) No forward security perfect forward secrecy (or PFS) is the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the (long-term) private keys is compromised in the future.

37 3 rd Attempt: Tor MIX circuit-based method Goals: privacy as long as one honest router on path, and reasonable performance

38 The Tor design Trusted directory contains list of Tor routers User s machine preemptively creates a circuit Used for many TCP streams New circuit is created once a minute R 3 R 1 R 5 stream 1 srvr 1 R 2 R 4 R 6 stream 2 one minute later srvr 2

39 Creating circuits TLS encrypted TLS encrypted R 1 R 2 Create C 1 D-H key exchange K 1 K 1 Relay C 1 Extend R 2 Extend R 2 D-H key exchange K 2 K 2

40 Routers only know ID of successor and predecessor Once circuit is created K 1, K 2, K 3, K 4 K 1 R 1 R 2 K 2 K 3 R 3 K 4 R 4 User has shared key with each router in circuit

41 Sending data K 1 K 2 R 1 R 2 Relay C 1 Begin site:80 Relay C 2 Begin site:80 TCP handshake Relay C 1 data HTTP GET Relay C 2 data HTTP GET HTTP GET Relay C 1 data resp Relay C 2 data resp resp

42 Properties Performance: Fast connection time: circuit is pre-established Traffic encrypted with AES: no pub-key on traffic Tor crypto: provides end-to-end integrity for traffic Forward secrecy via TLS Downside: Routers must maintain state per circuit Each router can link multiple streams via CircuitID all steams in one minute interval share same CircuitID

43 Privoxy Tor only provides network level privacy No application-level privacy e.g. mail progs add From: -addr to outgoing mail Privoxy: Web proxy for browser-level privacy Removes/modifies cookies Other web page filtering

44 Web Tracking & Privacy Privacy considerations of online behavioural tracking, C. Castelluccia and A. Narayanan

45 Why are we tracked? Web Tracking Personalized services to user and location. Targeted Advertisement Most content is free You are paying with your data Often, you are not the customer, but the product! 54

46 Online Advertising: Simplified Model 3 main entities: Advertiser (annonceur): entity that wants to advertise a service/products (i.e. hotels, car manufacturers, ) Publisher (editeur): entity that hosts the advertisements (i.e. online news, lemonde.fr, ) Ad-Network: entity that places advertisements on Publisher sites (i.e. google, ) 55

47 Online Advertising: Illustration ADVERTISER (maier.com) PUBLISHER (lemonde.fr) AD-NETWORK (doubleclick.com) 56

48 Online Advertising: Money Flow ADVERTISER (maier.com) PUBLISHER (lemonde.fr) $$$ $ AD-NETWORK (doubleclick.com) 57

49 Browsing Profiling: How? Doubleclick.co m Cnn.com Wsj.com Lemonde.fr 58

50 Browsing Profiling (2) Doubleclick.co m Cnn.com Wsj.com Lemonde.fr Cookie_cnn Cookie_dc 59

51 Browsing Profiling (2) Doubleclick.co m Cnn.com Wsj.com Lemonde.fr Cookie_wsj Cookie_dc 60

52 Browsing Profiling Doubleclick.co m Cnn.com Wsj.com Lemonde.fr Cookie_dc Cookie_lemonde 61

53 Browsing Profiling Doubleclick.co m Cnn.com Wsj.com Lemonde.fr Cookie_dc Cookie_lemonde 62

54 preferences 63

55 Online Tracking: Tracking on the Internet 64

56 Some Solutions Disable Cookies (at least third-party cookies) Browser s Private mode Use DNT (Do Not Track) But almost dead Use Plugins To see who is tracking you To block ads Use TOR Disconnect!!!

57 Some Nice Plugins Collision Ghostery about:trackers Adblock PLEASE BLOCK ADS!

58 Mobile and Privacy

59 Online Tracking: Smart Phone Marketers are tracking smartphone users through apps games and other software on their phones. Some apps collect information including location, unique serial-number-like identifiers for the phone, and personal details such as age and sex. Apps routinely send the information to marketing companies that use it to compile dossiers on phone users 68

60 Source: 69

61 Paper Toss App (iphone) App Server Location phoneid Third-party (google, flurry, ) 70

62 2010/12/17/angry-birds/ 71

63 Some Recommendations to App Developpers Enforce Privacy-by-Design Be transparent: tell users who you are, what you collect Ask user s active consent Inform, Be minimalist: only collect minimal information Be user-friendly: Help users manage their privacy Give users easy to understand choices and mechanismes for managing their privacy

64 Some Recommendations to App Developpers (2) Keep data secure Keep data in a portable format Set data retention and deletion periods Ensure default settings are privacy protective. Take measures to protect children from endangering themselves. Create appropriate tools to deactivate and delete data from applications and accounts. Target only on legitimetely collected data. Source: «Privacy Design Guidelines for Mobile Application Development», GSM Assoc.

65 Data Sanitization Goals: How to prevent data leakage from public dataset?

66 BIG DATA is Useful Predict flu Improve transportation, Logistic improve knowledge and efficience Data is the power. But

67 BIG DATA and PRIVACY Possible Privacy Breach Examples: AOL, Netflix,.. In 2006, AOL released 20 million search queries for users «Anonymized» by removing AOL id and IP address Easily de-anonymized in a couple of days by looking at queries

68 BIG DATA and PRIVACY Possible Privacy Breach Examples: AOL, Netflix,.. In 2006, AOL released 20 million search queries for users «Anonymized» by removing AOL id and IP address Easily de-anonymized in a couple of days by looking at queries

69 The data contains: Source of Problem Attribute values which can uniquely identify an individual { zip-code, nationality, age } or/and {name} or/and {SSN} sensitive information corresponding to individuals { medical condition, salary, location } Non-Sensitive Data Sensitive Data # Zip Age Nationality Name Condition Indian Kumar Heart Disease American Bob Heart Disease Canadian Ivan Viral Infection Japanese Umeko Cancer

70 Source of Problem Even if we remove the direct uniquely identifying attributes There are some fields that may still uniquely identify some individual! The attacker can join them with other sources and identify individuals Non-Sensitive Data Sensitive Data # Zip Age Nationality Condition Quasi-Identifiers

71 Source of Problem Published Data Non-Sensitive Data Sensitive Data # Zip Age Nationality Condition Indian Heart Disease American Heart Disease Canadian Viral Infection Japanese Cancer Data leak! # Name Zip Age Nationality 1 John American 2 Bob American 3 Chris American Voter List

72 Sanitization 81

73 Several Data anonymization methods Random perturbation Input perturbation Output perturbation Generalization The data domain has a natural hierarchical structure. Suppression Permutation Destroying the link between identifying and sensitive attributes that could lead to a privacy leakage. 82

74 Randomization Methods 83

75 K-anonymity 84

76 Some Other Sanitization Schemes 85

77 Why Data Anonymization is Hard: External Information The failure of Anonymization paper here

78 Sweeney s Original Attack 88

79 Netflix Data Release [Narayanan, Shmatikov 2008]

80 Netflix Data Release

81 Other Attacks

82 A Simple Exercice 92

83 Toward «Secure» Anonymization Existing Privacy models such a k-anonymity, L- diversity seem weak/broken Differential Privacy Relatively recent [Dwork2006] Provide some strong and measurable guarantees Secure even with external sources of data

84 Differen'al Privacy Pr(M(D) =D ) Pr(M(D 0 )=D ) apple e" 94

85 Differential Privacy Intuition: Changes to my data not noticeable Output is independent of my data

86 Differen'al Privacy 96

87 Histogram Release with Laplace Mechanism 97 H Add random Laplace noise to each bin before publishing! H 1 H 2 H 3 H 4 H 5 Q Q i Pr(H i + Laplace( )=Hi ) i Pr(H0 i + Laplace( apple exp )=H i ) P i H i H 0 i = e 1 H Global sensitivity: ΔH = Σ H i H i For histograms: ΔH = 1 H 1 H 2 +1 H 3 H 4 H 5 If λ = ΔH / ε, we have ε-differential privacy! 97

88 Differential Privacy Utility / privacy trade-off Strong privacy means large noise which reduces utility Provide good performance when values are much larger than noise Noise depends on sensitivity, not on data values! Most algorithms use aggregation to increase count values Not very efficient for high-dimentional data, where aggregation is not easy, such as sequential data

89 Some PETS Crypto. Can also help

90 Some useful tools Anonymous credential : anonymous variant of credentials that can be used to prove a property linked to his owner or the right of access to some ressources, but without having to reveal his identity. Group signature : method to prove that someone belongs to a group by signing a message anonymously on behalf of the group. Zero-knowledge proof : cryptographic protocol by which a prover can convince a verifier of the validity of a statement (for which he knows a proof) without having to reveal any other information that the veracity of this statement.

91 Some useful tools Private information retrieval : cryptographic primitive by which a client can learn the element of a databases stored on a server but without the server which element has been learned (to protect the privacy of the query). Homomorphic encryption: cryptosystem by which it is possible to perform operations on encrypted data (additions/multiplications) without any knowledge of the secrete key. Private Set Intersection, Secret-Handshakes, and many more

92 Conclusion

93 Active research areas Data anonymization of database records and other data structures (e.g., network graphs) Private communication (prevention of traffic analysis) Anonymous and covert communication Crypto protocols Privacy-enhanced authentication and identity management Operations in the encrypted domain Anonymous search and retrieval of information Privacy-preserving biometric authentication Location privacy Ubiquitous environments Constrained devices Securing the physical link Social networks

94 Problems not quite solved yet Privacy is an important, and will become even more important with ubiquitous networking Some important topics: Big Data Privacy Genomic Privacy Reality/Physical mining infers human relationship and behaviour from information collected by smartphones Augmented Reality Convergence of face recognition, social networks, data mining TV, mobile Advertising

95 Scary!