web privacy
play

Web Privacy Professor Adam Bates Fall 2018 Security & Privacy - PowerPoint PPT Presentation

Dec 01, 2023 •368 likes •814 views

CS 563 - Advanced Computer Security: Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI) Administrative Learning Objectives : Consider the difference between security and privacy Discuss work

  1. CS 563 - Advanced Computer Security: Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

  2. Administrative Learning Objectives : • Consider the difference between security and privacy • Discuss work on browser privacy, location privacy • Survey broad topics in the “web privacy” area Announcements : • Reaction paper was due today (and all classes) • Feedback for reaction papers soon • Next Wednesday, will discuss first “homework” Reminder : Please put away (backlit) devices at the start of class CS423: Operating Systems Design 2 2

  3. A Brief Note Security versus Privacy? Security & Privacy Research at Illinois (SPRAI) 3

  4. A False Dichotomy privacy security • Personal Opinion: Privacy is often used as a diminutive term to downplay the importance of individual security. • “ Privacy” refers to a class of important security problems, often related to individual liberties. • The Security Triad captures all privacy problems, and privacy problems can be found in all sections of the triad. Security & Privacy Research at Illinois (SPRAI) 4

  5. A False Dichotomy privacy security • Confidentiality: Who can access my personal data? Can the data I explicitly disclose be used to make sensitive inferences about me? • Integrity: Who manages the data that I consume? Can unauthorized parties affect that data? • Availability: Is my personal data accessible to me and other authorized partied when I need it? Security & Privacy Research at Illinois (SPRAI) 5

  6. Tracking Web Browsers • Browser Tracking: The ability to associate a browser’s activities at different times and on different websites. • Cookies: Data from a website that is stored in the browser. • Enables a stateful Internet • Same-Origin Policies limit cookie’s use in browser tracking. • Supercookies: Any alternative to HTTP cookies that can be used to track browsers across multiple website. • Ex: ETags used in web caching (Microsoft circa 2011) Security & Privacy Research at Illinois (SPRAI) 6

  7. Aside: Who Cares? • Why should we really care if a website (e.g., usatoday.com) can identify us on subsequent visits? Websites: Expectation… Security & Privacy Research at Illinois (SPRAI) 7

  8. Aside: Who Cares? • Why should we really care if a website (e.g., usatoday.com) can identify us on subsequent visits? Websites: Reality! Security & Privacy Research at Illinois (SPRAI) 8

  9. Anti-Tracking Movement • In 2010, more users were realizing the extent of the browser tracking problem… If we eradicated cookies from the Internet, would that solve the browser tracking problem? Security & Privacy Research at Illinois (SPRAI) 9

  10. Browser Fingerprinting • An invisible, data-free form of browser tracking. • Already appearing in advertising products back in 2010 • One instance of broader class of attacks against hardware and devices. You can basically fingerprint anything, and use anything to fingerprint: • Targets: Phones, Computers, Cameras, etc. • Signals: Accelerometer readings, packet arrivals, etc. Security & Privacy Research at Illinois (SPRAI) 10

  11. Browser Fingerprinting • Many possible applications for browser fingerprinting, albeit with varying levels of difficulty, including: • Fingerprints to differentiate NATed devices • Fingerprints to defeat Cookie Regenerators • Fingerprints at Global Identifiers • What makes a given fingerprinting challenge easier or harder? Security & Privacy Research at Illinois (SPRAI) 11

  12. Enter Panoptoclick • The EFF wanted to know how practical Internet-scale browser fingerprinting was. • Since algorithms were proprietary, they made their own from various server-accessible browser attributes • Invited people to visit panoptoclick.eff.org • Analyzed entropy of resulting fingerprints to determine severity of the problem. Security & Privacy Research at Illinois (SPRAI) 12

  13. Panoptoclick Fingerprint Note: Plenty of unharvested info, such as ActiveX, Silverlight, etc. Security & Privacy Research at Illinois (SPRAI) 13

  14. Panoptoclick Analysis • Each feature is associated with a distribution related to Self-Information / Surprisal / Entropy (related ideas) • I.E., how much do we learn about an object when one of its random variable(s) is sampled? • Each bit of information cuts space of objects in half • Combine multiple features together, adjusting for the fact that the variables won’t all be independent. • Your browser is uniquely identifiable if the number of bits of information gained from its features is greater than the (logarithm of) the number of browsers in “the world” Security & Privacy Research at Illinois (SPRAI) 14

  15. Panoptoclick Results Of ~470,000 fingerprint instances collected… Security & Privacy Research at Illinois (SPRAI) 15

  16. Panoptoclick Results Of ~470,000 fingerprint instances collected… 8.1% of fingerprints 8 3 . 6 % o f had some semblance fingerprints of an anonymity set… are entirely unique! Security & Privacy Research at Illinois (SPRAI) 16

  17. Panoptoclick Results Where did Panoptoclick struggle? Security & Privacy Research at Illinois (SPRAI) 17

  18. Panoptoclick Results Where did Panoptoclick struggle? Trolls using lynx Androids iPhones Security & Privacy Research at Illinois (SPRAI) 18

  19. Panoptoclick Results Are browser fingerprints consistent? • No! 37.4% churn • But, probably over-reported given the EFF’s clientele… • Worse, even a crude algorithm can guess the link between two fingerprints 65% of the time (w/ 0.9% FP). Security & Privacy Research at Illinois (SPRAI) 19

  20. Additional Observations • The presence of Privacy Enhancing Technologies (e.g., anonymity plug-ins) often decreased anonymity set!! • Why? • APIs frequently offer the ability to enumerate system information. Testable APIs would increase difficulty of fingerprinting. • Tension between ease of debugging and difficulty of fingerprinting (e.g., fine-grained version numbers) • Tension between expressivity of browser config and difficulty of fingerprinting (e.g., font orders) Security & Privacy Research at Illinois (SPRAI) 20

  21. Location Privacy • Today, the world is lousy with location-based services (LBS), e.g., … • Coarse-grained LBS: weather, advertising, events in area • Fine-grained LBS: navigation, ride share, fitness tracking • Untrustworthy LBS could make sensitive inferences about our identity, of even harm us in the real world! • How can we use LBS without revealing our location? Security & Privacy Research at Illinois (SPRAI) 21

  22. Geo-Indistinguishability (GI) • On device, add controlled noise to user’s location before sharing with LBS. • Achieves quasi- indistinguishability within a given area • Generalization of differential privacy for an “User is equally likely to be anywhere arbitrary distance function. within radius r of the Eiffel Tower” Security & Privacy Research at Illinois (SPRAI) 22

  23. Geo-Indistinguishability (GI) How does GI work? • User is at location x • User specifies radius r, level of similarity λ • User reports some point z based on x, r, λ Security & Privacy Research at Illinois (SPRAI) 23

  24. Geo-Indistinguishability (GI) Properties of GI • What is point z? • Each point within one unit of distance within the region specified by ε is equally likely to be returned • Privacy level ε is the radio of λ to r • If r is small, λ must be large to have high ε • If r is large, λ can be smaller to have high ε • If we fix λ and increase r, ε is greater but results are inaccurate. Security & Privacy Research at Illinois (SPRAI) 24

  25. compare to Differential Privacy (DP)? • Similar to DP , GI is independent from side information of the attacker (no assumptions made about priors) • GI uses euclidean distance instead of hamming distance • Euclidean Distance: spatial or linear distance between two points • Hamming Distance: distance between two datasets Security & Privacy Research at Illinois (SPRAI) 25

  26. GI Algorithm • Perturbate input by noise generated from Laplace distribution, yielding a probability density function from which we choose a random point. • Map random point from the continuous domain to the nearest point in discrete domain (i.e., Lat, Long) • Eliminate unrealistic points based based on map data Continuous Discretize Truncate Security & Privacy Research at Illinois (SPRAI) 26

  27. Enhancing LBS • Coarse-grained LBS: apply stock geo-indistinguishability User’s approximate location z Location info for z • Fine-grained LBS: Geo-Indistinguishability may be inadequate, instead specify larger area of retrieval based on z: User’s approximate location z Area of Retrieval A POI Info within A Security & Privacy Research at Illinois (SPRAI) 27

  28. Fine-Grained LBS w/ GI Security & Privacy Research at Illinois (SPRAI) 28

  29. Fine-Grained LBS w/ GI Security & Privacy Research at Illinois (SPRAI) 29

  30. Fine-Grained LBS w/ GI Security & Privacy Research at Illinois (SPRAI) 30

  31. Fine-Grained LBS w/ GI Security & Privacy Research at Illinois (SPRAI) 31

  32. Fine-Grained LBS w/ GI Security & Privacy Research at Illinois (SPRAI) 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

Presentation Slides $ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

318 views • 13 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

CISPA Center for IT Security, Privacy and Accountabiltiy Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when,

573 views • 26 slides
$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

Presentation Slides $ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

429 views • 13 slides
CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies US Privacy Laws Sources: Baase: A Gift of Fire and Quinn: Ethics for the Information Age Ethics Spring 2010 Privacy 1 Privacy The original

725 views • 45 slides
Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is

1.01k views • 76 slides
Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in

Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in

Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in many ways over the years. Usually privacy is concerned with the individual human being. We may talk about privacy as the control over your own

230 views • 21 slides
Engineering privacy by design Privacy by Design Let's have it! Information and Privacy

Engineering privacy by design Privacy by Design Let's have it! Information and Privacy

Engineering privacy by design Privacy by Design Let's have it! Information and Privacy Commissioner of Ontario https://www.ipc.on.ca/images/resources/7foundationalprinciples.pdf Privacy by Design Let's have it! Article 25 European

1.32k views • 118 slides
Anonymity & Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy.

Anonymity & Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy.

Anonymity & Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy. College Bescherming Persoonsgegevens (CBP) What is privacy? Users must be able to determine for themselves when, how, to what extent and

798 views • 45 slides
Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics

Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics

ECE598NB Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics Course Structure Privacy Define privacy Privacy History Privacy has always existed Cities / large populations have made

173 views • 14 slides
Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance Engineering & Public Policy Lorrie Faith Cranor October 29, 2013 y & c S a e v c i u r P r i t e y l b L a a s

245 views • 20 slides
Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance Engineering & Public Policy Lorrie Faith Cranor November 11, 2014 y & c S a e v c i u r P r i t e y l b L a a s

555 views • 21 slides
Bridging Privacy Definitions: Differential Privacy and Concepts from Privacy Law & Policy

Bridging Privacy Definitions: Differential Privacy and Concepts from Privacy Law & Policy

Bridging Privacy Definitions: Differential Privacy and Concepts from Privacy Law & Policy Alexandra Wood Berkman Klein Center for Internet & Society at Harvard University DIMACS/Northeast Big Data Hub Workshop on Overcoming Barriers to

964 views • 54 slides
Privacy and Anonymity 1 Privacy Privacy and society Basic individual right & desire

Privacy and Anonymity 1 Privacy Privacy and society Basic individual right & desire

CS 134 Privacy and Anonymity 1 Privacy Privacy and society Basic individual right & desire (Image from geekologie.com) Relevant to corporations & government agencies Recently increased awareness However, general public

171 views • 16 slides
PRIVACY IN UBIQUITOUS PRIVACY IN UBIQUITOUS Understanding Privacy Technical Approaches

PRIVACY IN UBIQUITOUS PRIVACY IN UBIQUITOUS Understanding Privacy Technical Approaches

Marc Langheinrich: Privacy in Ubiquitous Computing 5/29/2010 Todays Menu PRIVACY IN UBIQUITOUS PRIVACY IN UBIQUITOUS Understanding Privacy Technical Approaches COMPUTING Definitions Challenges 1. History and legal aspects 1.

264 views • 13 slides
Privacy in Wireless Networks privacy notions and metrics; privacy in RFID systems; location

Privacy in Wireless Networks privacy notions and metrics; privacy in RFID systems; location

Mobile Networks - Module H2 Privacy in Wireless Networks privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; privacy preserving routing in ad hoc networks; Slides adapted from Security and

909 views • 55 slides
Weekly Meeting July 10, 2020 Welcome & Introductions Name Tribe or Organization

Weekly Meeting July 10, 2020 Welcome & Introductions Name Tribe or Organization

Slides with Meeting Notes from Native Census Coalition Weekly Meeting July 10, 2020 Welcome & Introductions Name Tribe or Organization What was your least favorite food as a child? A success this week A challenge this

278 views • 16 slides
Randomizations By Site 25 Nov Dec Jan Feb Mar Apr 20 15 Randomizations 10 5 0

Randomizations By Site 25 Nov Dec Jan Feb Mar Apr 20 15 Randomizations 10 5 0

Randomizations By Site 25 Nov Dec Jan Feb Mar Apr 20 15 Randomizations 10 5 0 Innovate. Discover. Cure. D2d Recruitment Methods Recruitment Strategies Postcards: Database: sent out to individuals from our database

494 views • 16 slides
Challenges in Web Information Retrieval Monika Henzinger Ecole Polytechnique Federale de

Challenges in Web Information Retrieval Monika Henzinger Ecole Polytechnique Federale de

Challenges in Web Information Retrieval Monika Henzinger Ecole Polytechnique Federale de Lausanne (EPFL) & Google Switzerland Statistics for March 2008 20% of the world population uses the internet [internetworldstats.com] ~300 million

514 views • 30 slides
SY306 Web and Databases for Cyber Operations Slide Set # 8: Cookies and Web tracking Some from

SY306 Web and Databases for Cyber Operations Slide Set # 8: Cookies and Web tracking Some from

SY306 Web and Databases for Cyber Operations Slide Set # 8: Cookies and Web tracking Some from https://www.httpwatch.com/httpgallery/cookies/ and https://www.httpwatch.com/httpgallery/headers/ HTTP client-server interaction review 1 Cookies

181 views • 4 slides
Advertisingpricing models Risk Bearing Publisher Advertiser CPM cost per thousand CPC

Advertisingpricing models Risk Bearing Publisher Advertiser CPM cost per thousand CPC

Advertisingpricing models Risk Bearing Publisher Advertiser CPM cost per thousand CPC cost per click CPA cost per action Revenue Share Current industry norms Portals CPM Search CPC Affiliates CPA / Rev Share

578 views • 21 slides
Miko Matsumura SVP Developer Relations Web: http://developer.kii.com Twitter:

Miko Matsumura SVP Developer Relations Web: http://developer.kii.com Twitter:

CAPITAL DISTRIBUTION TECHNOLOGY Miko Matsumura SVP Developer Relations Web: http://developer.kii.com Twitter: @mikojava Email: miko@kii.com Last weeks theme: OmniChannel Retail Me and Multi

719 views • 54 slides
Agents Artificial Intelligence @ Allegheny College Janyl Jumadinova 2227 January, 2020 Janyl

Agents Artificial Intelligence @ Allegheny College Janyl Jumadinova 2227 January, 2020 Janyl

Agents Artificial Intelligence @ Allegheny College Janyl Jumadinova 2227 January, 2020 Janyl Jumadinova 2227 January, 2020 1 / 32 Agents What is AI? Systems that think like humans Systems that think rationally Systems that act like

1.09k views • 79 slides
Internet Observation with N-TAP: how it works and what it does Kenji Masui

Internet Observation with N-TAP: how it works and what it does Kenji Masui

10th CAIDA/WIDE Workshop - 1st CAIDA/WIDE/CASFI Workshop (2008-08-16) Internet Observation with N-TAP: how it works and what it does Kenji Masui kmasui@gsic.titech.ac.jp WIDE Project / Tokyo Institute of Technology Internet Observation with

309 views • 17 slides

More recommend