Privacy Enhancing T echnologies Carmela Troncoso, Gradiant PRIPARE - - PowerPoint PPT Presentation
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve Privacy Enhancing T echnologies Carmela Troncoso, Gradiant PRIPARE Workshop on Privacy by Design Ulm 9 th -10 th March 2015 11/03/2015 Privacy
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
Carmela Troncoso, Gradiant PRIPARE Workshop on Privacy by Design Ulm 9th-10th March 2015
11/03/2015 1 Privacy Enhancing T echnologies
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
– PET s for personal data management – PET s for data disclosure minimization
2 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
3 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
– Abstract and subjective concept, hard to defjne – Popular defjnitions:
– EU Regulation Data Protection Directive (95/46/EC)
protected
– Privacy controls: more detailed high level description
– Privacy properties
4 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
information.
– Reader of a web page, person accessing a service – Sender of an email, writer of a text – Person to whom an entry in a database relates – Person present in a physical location
– Pfjtzmann-Hansen (PH)[1] “Anonymity is the state of being not identifjable within a set of subjects, the anonymity set [...] The anonymity set is the set of all possible subjects who might cause an action” [pattern Anonymity set] – ISO 29100[2]“defjnes anonymity as a characteristic of information that does not permit a personally identifjable information principal to be identifjed directly or indirectly”
5 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
– PH[1] “Pseudonymity is the use of pseudonyms as IDs [...] A digital pseudonym is a bit string which is unique as ID and which can be used to authenticate the holder” [pattern Pseudonymous identity ] – ISO15408[3] “pseudonymity ensures that a user may use a resource or service without disclosing its identity, but can still be accountable for that use. ”
One time pseudonyms (Anonymity) Persistent pseudonyms (Identity!) Hybrid (Multiple identities)
6 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
pieces
– T wo anonymous letters written by the same person – T wo web page visits by the same user – Entries in two databases related to the same person – T wo people related by a friendship link – Same person spotted in two locations at difgerent points in time
– PH[1] “Unlinkability of two or more items means that within a system, these items are no more and no less related than they are related concerning the a-priori knowledge” – ISO15408[3]“unlinkability ensures that a user may make multiple uses of resources or services without others being able to link these uses together ”
7 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
– whether someone is accessing a web page – whether an entry in a database corresponds to a real person – whether someone or no one is in a given location
– PH[1]“Unobservability is the state of items of interest being indistinguishable from any item of interest at all [...] Sender unobservability then means that it is not noticeable whether any sender within the unobservability set sends.” – ISO15408[3] “unobservability ensures that a user may use a resource or service without others, especially third parties, without being able to observe that the resource or service is being used.”
8 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
said something
– Ofg-the-record conversations – Resistance to coercion:
a computer
safe
– Possibility to deny having been in a place at a certain point in time – Possibility to deny that a database record belongs to a person
9 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
– Cryptographic security properties – Not similar widely accepted for other means (the previous properties are building blocks)
before and after an event occurs.
– Special noise
10 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
echnologies that enable users to preserve their privacy
– In terms of technical properties
disclose data)
s for personal data management
s for data disclosure minimization (i.e., minimize trust)
11/03/2015 Privacy Enhancing T echnologies 11
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
echnologies that enable users to preserve their privacy
– In terms of technical properties
disclose data)
s for personal data management [“soft privacy”]
s for data disclosure minimization (i.e., minimize trust) [“hard privacy”]
11/03/2015 Privacy Enhancing T echnologies 12
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
13 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
stored, processed and disclosed to the data subject to enable well-informed decisions [
pattern Protection against tracking]
echnologies[4]
–Google Dashboard: what personal data is stored and who has access –Collusion (Firefox addon): list of entities tracking users –Mozilla Privacy Icons: simple visual language to make privacy policies more understandable –Privacy Bird (IE Add-on): shows user whether webpage complies with her preferred policy based on images
–How to provide information useful to users
11/03/2015 Privacy Enhancing T echnologies 14
Privacy as Control Privacy as Practice
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
preferences and give consent [
pattern Protection against tracking]
– Automated processing and comparison with users’ preferences – Diffjcult to make unambiguous and inform users (TET s) – Diffjcult to standardize and make them expressive
– Do Not T rack options
– Track Me Not plugin
11/03/2015 Privacy Enhancing T echnologies 15
Privacy as Control Privacy as Practice
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
preferences
– Sticky policies associated to data(e.g., trusted third party stores encryption keys only disclosed in certain cases) – Use of trusted hardware (HSMs, TPMs) to process data “out” of the server’s control
11/03/2015 Privacy Enhancing T echnologies 16
Privacy as Control Privacy as Practice
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
compliance with Data Protection.
– Backups, distributed logging – Forward integrity (hash chains)
– Automated tools for log audits
11/03/2015 Privacy Enhancing T echnologies 17
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
– Help the user understand and decide – Make data controllers more responsible
11/03/2015 Privacy Enhancing T echnologies 18
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
19 Privacy Enhancing T echnologies
Privacy as confjdentiality!
11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
policy can be applied
– ...but if there is no closed group? (e.g., peer-to-peer) – The Identity Management concept
– Private authentication: hide against 3rd parties – Anonymous credentials: protect against everybody
I am A Is she?
20 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
– ID docs: state certifjes name, birth dates, address – Letter reference: employer certifjes salary – Club membership: club certifjes some status – PKI certifjcate: RRN in Belgian eID, NIF in Spain
– e.g. ticket to the cinema (“i have paid”) – Digital credentials: string, boolean attributes, range
21 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
convinced
learns anything other than this fact
22 Privacy Enhancing T echnologies
I’m old
11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
without revealing anything other than the veracity of the statement.
Protocols to Your Children"
A B
23 Privacy Enhancing T echnologies
I know how to
door Prove!
11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
If there are doubts
repeat!
50% chance Likelihood
decreases
without revealing anything other than the veracity of the statement.
Protocols to Your Children"
A B
24 Privacy Enhancing T echnologies
A!
11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
credential
the subject
25 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
Signed by a trusted issuer Certification of attributes Authentication (secret key) Double-signing detection No data minimization Users are identifiable Users can be tracked (Signature linkable to other contexts where PK is used) Signed by a trusted issuer Certification of attributes Authentication (secret key) Double-signing detection Data minimization Users are anonymous Users are unlinkable in different contexts
26 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
– Query databases without revealing query
– Group computation where only result is revealed
– “Vaults” that allow to commit to secret values
– Digital cash with anonymity and unlinkablity properties (like real cash!)
– Find matching elements in sets without revealing further information
11/03/2015 Privacy Enhancing T echnologies 27
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
– Secure channel – The channel does not break the privacy property
– anonymous credentials are useless in this case...
– the military also use internet...
28 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
reveal a lot of information: source, destination, timing, volume, etc.
– British at Bletchley Park assesing the size of Germany's air- force – Discover/Uncover inminent actions
– Identifying people by their typing
– Amazon profjling based on clicks and hoovers – Fraud analysis in banks and Credit card companies
29 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
Application Communicati
Application Communicati
30 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
– Observe
– Modify, delay, delete or inject messages. – Control some nodes in the network.
– Cannot break cryptographic primitives. – Cannot see inside nodes he does not control.
31 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
32
R
1
R
3
R
2
D D R
3
R
2
R
1
Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
R
1
R
3
R
2
D D R
3
R
2
R
1
33 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
34 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
Privacy Enhancing T echnologies
3 criteria to decide a dataset is non-anonymous (pseudonymous):
dataset (or between two datasets)
individual?
11/03/2015 35
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
Privacy Enhancing T echnologies
Location
“the median size of the individual's anonymity set in the U.S. working population is 1, 21 and 34,980, for locations known at the granularity of a census block, census track and county respectively”
Web browser
“It was found that 87% (216 million of 248 million) of the population in the United States had reported characteristics that likely made them unique based only on {5-digit ZIP, gender, date of birth}” “if the location of an individual is specifjed hourly, and with a spatial resolution equal to that given by the carrier’s antennas, four spatio- temporal points are enough to uniquely identify 95% of the individuals.” [15 montsh, 1.5M people]”
Demographics
11/03/2015 36
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
Privacy Enhancing T echnologies
take two graphs representing social networks and map the nodes to each other based on the graph structure alone—no usernames, no nothing Netfmix Prize, Kaggle contest T echnique to automate graph de-anonymization based on machine learning. Does not need to know the algorithm!
11/03/2015 37
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
Privacy Enhancing T echnologies
“Based on GPS tracks from, we identify the latitude and longitude of their
free Web service to do a reverse “white pages” lookup, which takes a latitude and longitude coordinate as input and gives an address and name. [172 individuals]” “We investigate the subtle cues to user identity that may be exploited in attacks on the privacy of users in web search query
classifjers to map a sequence of queries into the gender, age, and location of the user issuing the queries.”
11/03/2015 38
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
al]
– Probabilistic analysis – Most often need for case by case analysis
11/03/2015 Privacy Enhancing T echnologies 39
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
Privacy Enhancing T echnologies 40
– Enable protection of privacy
s for personal data management
– Require trust in service provider – State of the art in development
s for data disclosure minimization
– Limit trust in providers and other users (Adversarial models!) – Anonymous Credentials – Anonymous communications – Data anonymization
11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
11/03/2015 Privacy Enhancing T echnologies 41
Pripare Educational Material by Pripare Project is licensed under a Creative Commons Attribution-No Derivatives 4.0 International L icense .
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
Privacy Enhancing T echnologies 42
1. Pfjtzmann, Andreas and Hansen, Marit. A terminology for talking about privacy by data minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management. 2010. 2. International Organization for Standardization (ISO), Information technology – Security techniques – Privacy framework, ISO/IEC 29100:2011, First edition, Geneva, 15 Dec 2011. 3. International Organization for Standardization (ISO), Information technology – Security techniques – Evaluation criteria for IT security, ISO/IEC 15408-1, Third edition, Geneva, 2009. 4. Milena Janic, Jan Pieter Wijbenga, Thijs Veugen: T ransparency Enhancing T
s): An Overview. STAST 2013: 18-25
11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
Privacy Enhancing T echnologies 43
– e-Call, VII, traffjc congestion control – Nearby... – Variable pricing applications (congestion pricing, pay-as-you-drive) – Social applications
– Any important location…
– Do you want to be seen at certain locations? AIDS clinic, business competitor,
One pseudonym per location exposure is not enough
Real time Space-Time relation Dummy traffjc?
11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
– Applications can tolerate inaccurate location data to a certain degree – Location perturbation hinders inferences on exact location
– Simple perturbation
– Spatial Cloaking – Spatio-temporal Cloaking – Many more…
Privacy Enhancing T echnologies 44 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
– Applications can tolerate inaccurate location data to a certain degree – Location perturbation hinders inferences on exact location
– Simple perturbation
– Spatial Cloaking – Spatio-temporal Cloaking – Many more…
Privacy Enhancing T echnologies 45 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
Privacy Enhancing T echnologies 46
– Many ways to defjne the region
[pattern Location granularity]
– Implementations
11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
Router that hides correspondence between inputs and outputs
47 Privacy Enhancing T echnologies 11/03/2015
T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve
Router that hides correspondence between inputs and outputs
48 Privacy Enhancing T echnologies
Deployed mix systems
Mixmaster Mixminion
11/03/2015