Privacy, Security and Trust in P2P environments: A Perspective

Transcription

1 Privacy, Security and Trust in P2P environments: A Perspective Anirban Mondal Masaru Kitsuregawa Institute of Industrial Science, University of Tokyo, JAPAN. {anirban, kitsure}@tkl.iis.u-tokyo.ac.jp Abstract The Peer-to-Peer (P2P) paradigm of computing has been growing dramatically in popularity over the last decade. Consequently, large amounts of data are being shared among P2P users on a global-scale. Given the inherently untrustworthy nature of P2P networks, this paper provides a perspective concerning trust, privacy and security issues in P2P networks. Additionally, we discuss the applicability of the P2P paradigm to new application domains, the aim being to ensure that the power of the P2P paradigm goes well beyond P2P file-sharing interactions. 1. Introduction The ever-increasing popularity of the Peer-to-Peer (P2P) paradigm of computing has resulted in huge amounts of data being shared on a global-scale in P2P networks. The strength of the P2P paradigm stems from its capability of efficiently harnessing the power of a large number of peers that may be geographically distributed. Incidentally, peers can join or leave the system without any intervention from a centralized server, which facilitates seamless integration of any number of new nodes (peers) to existing systems. Understandably, the decentralized nature of P2P networks facilitates scalability. Moreover, P2P networks do not have a single point of failure. However, the downside is that P2P environments are inherently untrustworthy in nature since P2P users generally have no idea about whom they are interacting with, and the notion of accountability does not typically exist in P2P environments. Thus, it becomes a necessity to adequately address P2P trust, privacy and security issues in order to optimally exploit the power of the P2P paradigm. Incidentally, the P2P paradigm is applicable to two types of environments: 1. A large number of distributively-owned peers: Such environments are characterized by peers that are largely unknown to each other. The notion of accountability is generally non-existent in such cases. Examples include Kazaa [8], Gnutella [5] and Morpheus [12]. 2. Peers that are owned by the same organization: These environments generally incorporate the existence of accountability and organizational controls e.g., a particular organization may manage its computer systems in a P2P manner to facilitate seamless integration of new nodes into its existing systems. This paper primarily focusses on environments associated with Case 1, although some discussions in this paper would also be applicable to environments involving Case 2. Since Case 2 incorporates accountability, it becomes easier for a peer to trust other peers. In contrast, for Case 1, lack of accountability implies that trust, privacy and security issues need to be addressed in comprehensive detail. Incidentally, issues concerning trust, security and privacy arise in several centralized and distributed computing environments. However, in the P2P context, these issues become significantly more challenging than in the case of traditional domains due to distributive ownership, lack of centralized control and lack of global knowledge. Hence, many open questions still remain in this research area. The main focus of this work is to provide our perspective concerning trust, privacy and security issues in P2P networks. We also discuss the applicability of the P2P paradigm to new application domains because we strongly believe that the power of the P2P paradigm could be exploited to obtain significantly greater user benefits than merely audio and video file-sharing. As such, this paper is not intended to be a survey, hence we have just referred to existing schemes in this area briefly without delving into specific details. The remainder of this paper is organized as follows. Section 2 discusses our perspectives concerning trust, security and privacy in P2P networks. Section 3 details advanced P2P applications, which we believe will maximize user ben-

2 efits from P2P systems. Section 4 briefly alludes to existing works in this area. Finally, Section 5 summarizes the paper. 2. Perspectives on Trust, Security and Privacy This section presents our perspectives concerning trust, security and privacy issues in P2P network. In some sense, trust holds the key to security and privacy, hence our perspectives are primarily from the viewpoint of trust. We shall henceforth use the terms peer and user interchangeably Quantifying trust in P2P environments Quantifying the notion of trust in P2P environments is extremely difficult primarily because a particular user generally has no idea about other users. In reality, the trustworthiness of a peer depends heavily upon the context. For example, a peer A may feel comfortable with downloading a file from a peer B, but A may not be willing to share his own medical data with B. Thus, A trusts B in the context of file downloads, but does not trust B in the context of medical data sharing. In the same vein, a peer X could provide very high-quality music files and low-quality of scientific documents. In other words, X can be trusted more in the context of music files than in the context of scientific documents. Furthermore, X could provide high-quality music files for classic songs and low-quality music files for new songs i.e., even for sharing similar kind of data, the amount of trust that could be placed in X could differ significantly. The implication is that quantifying a single trust measure for a peer is incomplete and does not reflect the reality of a diverse range of P2P interactions. Thus, several trust values could be assigned to a single peer, one value for each context to better reflect reality. Even when trust values of a peer have been specified w.r.t. a given context, P2P users should still take such values with a grain of salt since accountability and roll-back ability do not exist in case of P2P environments. Given a peer P, trust values for P for different contexts could be computed by considering other peers opinions about P s previous behaviours. However, the following practical issues arise: 1. Does expertise differ across users for a given context? 2. How to objectively assign weights to user opinions? 3. How to differentiate perception of trust across users? Question 1 above suggests that since different users have varying levels of expertise in a given context, it would not be reasonable to assign the same weight to all the peers opinions. This leads to Question 2. If users themselves decide the weight of their opinions, it is clear that objectivity would be lost since there would be too much dependence on user perception of their own expertise. On the other hand, such weights being determined by other users would bring us back to Question 1. Furthermore, as Question 3 indicates, users have varying ways of perceiving trust i.e., a one-time bad-quality file download from a peer P may be acceptable to some peers, while other peers may start viewing P as absolutely untrustworthy. From Questions 1, 2 and 3, we can understand that trust values computed by existing P2P trust schemes may not adequately reflect the actual trustworthiness of a peer. The complexity of this issue is further exacerbated by a wide variety of practical factors e.g., a peer posing as another peer, colluding peers, significant changes in behavioural patterns of peers and so on Accountability in P2P networks Trust is closely related to accountability. If any breach of trust occurs, the entity causing the breach of trust needs to be held accountable, thereby discouraging malicious behaviour in the system. However, in case of P2P networks, it is practically extremely challenging to ensure accountability due to the following reasons: 1. Identifying the peer who caused a breach of trust could be difficult in practice. 2. Even when it is possible to identify malicious peers, there is often extremely limited recourse (if any at all) to legal action. Now let us take a closer look at the above points. Identifying malicious peers could be difficult because such peers could easily pose as other peers. While peers could be monitored for detecting malicious behaviour in the network, it is important to remember that the immense popularity of P2P networks stems from the principles of anonymity and freedom, which the P2P paradigm embodies. Consequently, monitoring peers would run counter to the very principles which are the foundations of P2P computing. In the absence of monitoring, locating the origin of malicious behaviour may be practically impossible, especially given the scale of P2P networks. As a single instance, if a peer downloads a virus-infected file from another peer, the source of the file could have been any peer which once contained a copy of the file. Since tracing back the paths of all file downloads is too expensive in large-scale P2P networks and infringes upon peer privacy, we can intuitively understand that locating the origin of malicious behaviour is a problem in itself. Understandably, when legal systems all over the world were created, the concept of P2P computing, as we know it today, did not even exist. Hence, it is not surprising that legal experts could not really reach a consensus on the kind of P2P-related activities, which would allow the victim to

3 seek legal action. The recent spate of court proceedings between P2P systems and music corporations related to the sharing of music files in P2P systems has highlighted several grey areas in current laws when applied to P2P filesharing. These grey areas exist due to lack of P2P-specific laws. Moreover, creating P2P-specific laws would require consolidation of knowledge in two orthogonal domains i.e., P2P computing and law. This becomes challenging because P2P computing experts and legal experts generally have limited knowledge about each other s fields. Interestingly, P2P technologies have been growing at a fast pace, which makes it very difficult for legal systems to keep pace with the latest developments in P2P computing. In such cases, the scarcity of legal precedents concerning the P2P paradigm makes it even more challenging for legal experts to extrapolate current laws to P2P-specific scenarios. Finally, P2P systems transcend geographical and political boundaries, which further exacerbates legal issues. For example, if a peer located in a country X behaves maliciously with a peer located in a country Y, how would the victim bring the perpetrator to justice? Observe that most countries around the world do not even have P2Pspecific laws. For the relatively few countries, which have at least some P2P-specific laws, it is clear that those laws are quickly becoming obsolete due to the emergence of new and innovative P2P computing technologies. In our opinion, the notion of accountability should not be pro-actively incorporated into P2P networks primarily because accountability contradicts the basic tenets of the P2P paradigm. Till date, there have been millions of P2P users and a mind-boggling number of file downloads across P2P networks. In contrast, the number of reported cases of malicious peers have been relatively very few. This alone is excellent evidence that individual peers do not generally try to harm each other, even when the notion of accountability does not exist. We believe that P2P users should be educated about the risks involving the usage of P2P networks so that each individual user can decide the kind of P2P interactions with which he is comfortable Will users trust P2P systems for advanced data sharing applications? First, let us examine the following questions: 1. How many users would be willing to trust a (computer) system-generated trust value of a peer they have otherwise no idea about? 2. To what extent can the past trust-related behaviour of a peer be extrapolated to measure its future trustworthiness? Incidentally, the vast majority of P2P users cannot be expected to have even a preliminary understanding of how the trust values are generated for each peer. Moreover, a given peer may know virtually nothing about other peers. Thus, it becomes extremely difficult for a user to trust another user based on only the system-generated trust values. A few hundred years ago, it would have been unimaginable for humans to store their financial resources and valuables in a bank. But, currently, we feel that banks are safe. This can be attributed to evolution of trust in the banking system. In other words, since we have used banks for a long time without encountering any major loss, our trust in the banking system has increased over time to the point that we feel almost absolutely safe with the current banking system. We believe that the same would also be applicable in case of P2P systems in the future. Currently, P2P systems are still in their infancy. However, over the course of time, the trust among P2P users would evolve probably to the extent that users would be comfortable with sharing even some of their non-sensitive private information with other P2P users. User perception of P2P-related risk plays a major role in the types of data that a user would be willing to share in a P2P environment. Interestingly, the perception of risk associated with P2P systems may differ significantly among users. For example, a paranoid user may not be willing to accept even small risks (e.g., sharing non-copyrighted music files), while some users may feel comfortable with sharing some of their private medical information. This can be attributed to the fact that users have varying perceptions concerning the sensitivity of different kinds of data. Interestingly, many users may not even be aware of the risks associated with sharing their data in P2P networks. In essence, we are looking at a spectrum of P2P-related risk in which the user typically selects activities for which he perceives the risk to be low enough to be reasonably acceptable to him. Notably, P2P systems thrive on the principles of freedom, hence users are free to decide upon the kinds of data that they would be willing to share in a P2P system. Thus, there should be no system-imposed restrictions concerning the kinds of data that should be shared in a P2P network. Incidentally, user expectation of P2P systems is also an important factor. Since P2P systems are usually free and the data is generally not authenticated by any authority figure, users do not usually expect 100% accurate data or the latest versions of documents or the highest quality of mp3 files and videos from P2P systems. Generally speaking, most P2P users understand that they are probably not going to obtain data with quality guarantees from P2P systems. In realworld scenarios, as long as the quality of data is reasonable, it would suffice for the vast majority of users. Moreover, if a user is not satisfied with the quality of a file (e.g., music mp3 file) that he has downloaded from a P2P system, he can always download the same music file from possibly several different sources, until he finds one which meets his quality

4 requirements. We believe that user expectation of P2P systems is significantly lower than that of user expectation of dedicated servers which guarantee good data quality albeit at a price. 3 Towards advanced P2P applications This section presents advanced P2P applications to suggest how the power of the P2P paradigm could be harnessed to improve overall user benefits from P2P systems. We consider both static and mobile P2P domains Applications for static P2P systems Currently, P2P systems are primarily used for sharing music and video files. The question which arises is: Should a powerful computing paradigm such as P2P be limited to just file-sharing applications? Since P2P systems provide a large-scale and cost-effective mechanism for data sharing in general, several different kinds of data can also be shared by means of P2P systems. For example, different users could store information concerning their experiences with searching for a house to buy in a given spatial location. Since buying a house requires significant investment, we can intuitively understand that users would like to obtain every possible piece of information before making their final decision. Since P2P systems typically have a large number of users, users would be able to exploit a considerable large pool of experiences, thereby facilitating effective decisionmaking. Notably, our work in [10] has investigated the sharing of spatial data in P2P systems primarily from the perspective of indexing, the main objective being to support real estate applications. While such information may also be available from multiple websites associated with real-estate agents, the information in the websites are provided by real-estate agents who wish to sell. In contrast, the comments in P2P systems are from the experience of real users, who are all looking to buy, the implication being that such comments can be reasonably expected to be significantly more useful as well as realistic from the user perspective. Similarly, different users organizing different events (such as international conferences) could pool their experiences by sharing their document files by means of P2P systems. In the same vein, different people suffering from the same disease could share information concerning several kinds of medical treatments with each other. Users can easily remain anonymous by not mentioning any personally identifiable information in that file. In practical scenarios, determining the source of any given file in a P2P system (in the absence of personally identifiable information in the shared file) is extremely challenging primarily because several different peers could store replicas of the same file and replication can occur aggressively, especially for hot files. Consequently, user privacy would not be a significant concern in such cases. A legitimate concern with using P2P-related data is that some users may intentionally or unintentionally provide inaccurate information. This concern also arises for the Internet since not all websites provide correct information. However, even with inaccuracies, the vast majority of websites do provide the big picture reasonably well. The same would most likely also be applicable to P2P systems. Notably, we do not claim that P2P interactions should be used as a substitute for services provided by real-estate agencies, event organizers and medical personnel. Instead, we believe that P2P interactions should be used to complement the above services to deliver the best possible information to users Applications for Mobile P2P systems Proliferation of mobile devices (e.g., laptops, PDAs, mobile phones) coupled with the ever-increasing popularity of the P2P paradigm strongly motivate Mobile-P2P (M- P2P) network applications such as customers in a shopping mall sharing information about the cheapest available Levis jeans and swapping shopping catalogues on-the-fly using mobile devices [11]. During lunch-time, mobile users could share information about the cheapest price of steak across different nearby restaurants and exchange restaurant menus with each other. Visitors to a museum could request images/video-clips of different rooms of the museum to decide which room they will visit first. They could share songs and historical data about the museum. They could even request the museum s path information from other visitors as in virtual reality applications. Such P2P interactions among mobile users are generally not freely supported by existing mobile communication infrastructures. Notably, in these applications, the mobile devices are distributively owned and accountability is typically non-existent. Thus, trust, security and privacy issues would need to be adequately addressed for such applications to work effectively in practice. M-P2P network applications could also be collaborative in nature such as zoological and disaster-recovery applications. These applications are collaborative in the sense that all the mobile users are working towards a common goal. Imagine a group of zoologists looking for habitat information about amoeba in a remote forest, where communication infrastructures (e.g., base stations) do not exist. They could share data with each other using mobile devices in a P2P fashion. Notably, data being shared must be validated by an authority figure (e.g., a supervisor) to prevent collection of erroneous data. Similarly, workers in disaster recovery scenarios (e.g., earthquakes, tsunamis) also need to share data (e.g., number of injured people, number of fatalities) with each other using mobile devices. For such

5 applications, trust, security and privacy issues would not be a significant consideration due to the controlled nature of the environment, which facilitates accountability. 4. Related Work Research concerning privacy, security and trust in P2P systems draws upon the expertise of the distributed computing community as well as the sociology community. Since trust is generally related to reputation, several works [4, 13, 9] have examined reputation-related issues in general computing environments. In the context of P2P environments, reputation-based trust issues have been investigated in [14, 1, 3, 7]. Even though the proposed trust models in these works make significant contributions to trustrelated issues in P2P systems, it is important to note that none of these models can be expected to provide absolute trust guarantees essentially because the P2P environment is itself untrustworthy and also due to the fact these models have certain underlying assumptions, which may not always hold good in practical scenarios. As a single instance, the approach in [7] assumes certain pre-trusted peers in the network. However, this assumption may not be valid in case of large-scale massively distributed P2P systems, where the availability of pre-trusted peers would be highly unlikely. For detailed investigation of privacy issues in P2P systems, we refer interested readers to the work in [6]. Furthermore, the proposal in [2] can be referred to for a comprehensive discussion concerning anonymity issues in P2P systems. 5. Conclusion This paper has examined our perspectives on open research issues concerning trust, security and privacy in P2P environments with the objective of identifying future P2P applications. We summarize our perspectives on future P2P applications as follows: 1. Future applications on P2P systems are more likely to depend upon user perception of risk associated with using such applications. 2. Over the course of time and as larger number of users use such applications, user trust will grow. This would, in turn, significantly improve the popularity of these applications. 3. Effective trust models can facilitate in improving user trust in P2P applications. It is precisely here that research on trust, security and privacy issues can contribute to more powerful P2P applications. 4. Altruistic behaviour definitely exists in P2P environments. If this was not the case, P2P systems would never have become popular in the first place. Hence, trust models for P2P systems should not be too strict lest they scare away the very users that they are trying to attract. 5. Trust, security and privacy issues should be researched extensively for P2P networks, while considering the possibilities of future P2P applications, which would potentially allow users to optimally exploit the power of the P2P paradigm. 6. Trade-offs involving the importance of user freedom and the need for addressing trust, security and privacy issues should be considered meticulously, the objective being to provide P2P users adequate freedom at minimal estimated risks. In conclusion, we believe that P2P applications should be able to go well beyond the traditional file-sharing applications, as long as trust, security and privacy issues are adequately addressed for new application domains. References [1] K. Aberer and Z. Despotovic. Managing trust in a peer-topeer information system. Proc. CIKM, [2] I. Clarke, O. Sandberg, B. Wiley, and T. Hong. Freenet: A distributed anonymous information storage and retrieval system. Proc. ICSI Workshop on Design Issues in Anonymity and Unobservability, [3] F. Cornelli, E. Damiani, S. di Vimercati, S. Paraboschi, and P. Samarati. Choosing reputable servents in a P2P network. Proc. WWW, [4] C. Dellarocas. The digitization of word-of-mouth: Promise and challenges of online reputation mechanism. Proc. Management Science, 49(10), [5] Gnutella. [6] N. Good and A. Krekelberg. Usability and privacy: a study of kazaa P2P file-sharing. Proc. CHI, [7] S. Kamvar, M. Scholsser, and H. Garcia-Molina. The eigentrust algorithm for reputation management in P2P networks. Proc. WWW, [8] Kazaa. [9] D. Kreps and R. Wilson. Reputation and imperfect information. Proc. Journal of Economic Theory, 27, [10] A. Mondal, Y. Lifu, and M. Kitsuregawa. P2PR-tree: An R-tree-based spatial index for Peer-to-Peer environments. Proc. P2PDB, [11] A. Mondal, S. K. Madria, and M. Kitsuregawa. CLEAR: An efficient qos-based dynamic replication scheme for mobilep2p networks. To appear in Proc. DEXA, [12] Morpheus. [13] L. Mui, M. Mohtashemi, and A. Halberstadt. Notions of reputation in multi-agent systems: A review. Proc. Autonomous Agents and Multiagent Systems, [14] L. Xiong and L. Liu. Peertrust: supporting reputation-based trust for peer-to-peer electronic communities. Proc. IEEE TKDE, 16(7), 2004.