Privacy and Networks CPS 96 Eduardo Cuervo Amre Shakimov

Privacy and Networks CPS 96 Eduardo Cuervo Amre Shakimov

Context of this talk Do we sacrifice privacy by using various network services (Internet, online social networks, mobile phones)? How does the structure/topology of a network affect its privacy properties? Techniques for enhancing privacy? Privacy is hard!

What do we mean by privacy? Louis Brandeis (1890) – “right to be left alone” – protection from institutional threat: government, press Alan Westin (1967) – “right to control, edit, manage, and delete information about themselves and decide when, how, and to what extent information is communicated to others”

Privacy vs. security Privacy: what information goes where? Security: protection against unauthorized access Security helps enforce privacy policies Can be at odds with each other – e.g., invasive screening to make us more “secure” against terrorism

Privacy-sensitive information Identity – name, address, SSN Location Activity – web history, contact history, online purchases Health records and more

Tracking on the web IP address – Number identifying your computer on the Internet – Visible to site you are visiting – Not always permanent 72.21.214.128 Cookies – Text stored on your computer by site – Sent back to site by your browser Internet – Used to save prefs, shopping cart, etc. – Can track you even if IP changes 152.3.136.66

OSNs: State-of-the-Art Fun Popular Platform

“Facebook Wants You To Be Less Private”

Attack of the Zombie Photos

OSNs mishandle data Facebook Beacon Facebook employees abuse personal data

Threat: collusion among services

Online social networks Pros – Simplifies data analysis – High availability Cons – Single point of attack – No longer control access to own data Centralized structure

Personal Personal data data

Alternatives? Anonymization – Do not use real names Encryption – NOYB, flyByNight Decentralization – Tighter control over data

Anonymization Hide identity, remove identifying info Proxy server: connect through a third party to hide IP Health data released for research purposes: remove name, address, etc

Threat: deanonymization Netflix Prize dataset, released 2006 100,000,000 (private) ratings from 500,000 users Competition to improve recommendations – i.e., if user X likes movies A,B,C, will also like D Anonymized: user name replaced by a number

Threat: deanonymization Problem: can combine “private” ratings from Netflix with public reviews from IMDB to identify users in dataset May expose embarrassing info about members

Threat: deanonymization User Movie Rating 1234 Rocky II 3/5 1234 The Wizard 4/5 1234 The Dark Knight 5/5 1234 Girls Gone Wild User Movie Rating dukefan The Wizard 8/10 dukefan The Dark Knight 10/10 dukefan Rocky II 6/10 5/5 User 1234 is dukefan!

Threat: deanonymization Lesson: cannot always anonymize data simply by removing identifiers Vulnerable to aggregating data from multiple sources/networks Humans are predictable – E.g., try Rock-paper-scissors vs AI

P2P Architecture Personal Personal data data

Decentralization: pros and cons True ownership of data Maintenance burden Cost Business model User experience

Location privacy Mobile phones: – Always in your pocket – Always connected – Always knows where it is: GPS Location-based services Location-based ads What are we giving up?

Mobile phones

Why, when and what to disclose? It is not a simple question! Tradeoff between functionality Also important whom to disclose it to? – Relatives – Co-workers – Friends There have been studies about this – Not easy to classify – People want to disclose only what is useful

How is your data used by apps? Many “free” apps supported by ads Analytics: profiling users Our research: found it common for popular free apps to send location device ID to advertising and analytics servers What can we do? – More visibility into what app does with data once it reads it

AppScope Monitors app behavior to determine when privacy sensitive information leaves the phone

Application Study 30 popular Android applications that access Internet, camera, location or microphone Of 105 flagged connections, only 37 were legitimate

Findings - Location 15 of the 30 applications shared physical location with an ad server Most of this information was sent in the clear In no case was sharing obvious to user – Or written in the EULA – In some cases it occurred without app use!

Findings – Phone identifiers 7 applications sent device unique identifiers (IMEI) and 2 apps sent phone info (e.g. phone number) to a remote location without warning – One app’s EULA indicated the IMEI was sent Appeared to be sent to app developers “There has been cases in the past on other mobile platforms where wellintentioned developers are simply over-zealous in their data gathering, without having malicious intent.” -- Lookout

Takeaways Decentralized network structure can enhance privacy Difficult to achieve true anonymity Fine-grained control over data can help – Tension with usability

Resources Duke “Office Hours” on Privacy in Social Media – http://ondemand.duke.edu/video/23686/landon-cox-on-privacy-and-soci “Someone Is Watching Us” on WUNC – http://wunc.org/tsot/archive/Someone Is Watching Us.mp3/view

Acknowledgments Thanks to Peter Gilbert, who prepared a significant amount of this material for us.