Anonymity & Privacy - Eindhoven University of Technology
Privacy
EU directives (e.g. 95/46/EC) to protect privacy.
College Bescherming Persoonsgegevens (CBP)
What is privacy? Users "must be able to determine for themselves when, how, to what extent and for what purpose information about them is communicated to others" (definition from PRIME, the European project on privacy & identity management).
EU Data Protection Directive
  Personal data usage requirements:
  Notice of data being collected
  Purpose for data use
  Consent for disclosure
  Informed who is collecting their data
  Kept secure
  Right to access & correct data
  Accountability of data collectors
Recall: Privacy Online
  (Cartoons: Peter Steiner 1993, Nik Scott 2008)
  Security attributes: privacy
  A lot of information is revealed just by browsing; see e.g. http://whatismyipaddress.com/
Protecting Privacy
  Hard privacy: data minimization
    Subject provides as little data as possible
    Reduce as much as possible the need to trust other entities
    Example: anonymity
    Issues: some information (needs to be) released.
  Soft privacy: trusted controller
    Data subject provides her data
    Data controller responsible for its protection
    Example: hospital database with medical information
    Issues: external parties, errors, malicious insider
Anonymity & Privacy on the Net
Example: Google
  "organize the world's information and make it universally accessible..."
  Clear risk for privacy; includes personal information
  Multiple services; becoming `omnipresent'
    Most searches (>90% in NL 2006) but also: searching books, (satellite) maps, images, usenet, news, scholarly papers, videos, toolbar, account, email, calendar, photo program, instant messenger
  Google & DoubleClick ads; used by many websites
  All linked to the IP address of the user (+ OS + browser + etc.).
Info collected by Google services
  Data mining to support services, custom ads
  (Old) privacy policy:
    Allows sharing with third parties with user consent
    Provides data when it `reasonably believes' this is legally required
    Allows a new policy in case of e.g. a merger; only notification needed (no consent)
Google's new privacy policy
  Combine information from different services (>60: search, YouTube, Gmail, Blogger, ...)
  Could already do so for some, now extended
  "Europe to investigate new Google privacy policy" (Reuters)
  "Google privacy changes are in breach of EU law, the EU's justice commissioner has said" (BBC)
  "We are confident that our new simple, clear and transparent privacy policy respects all European data protection laws and principles" (quote from Google on BBC)
Anonymous remailers
  Hide sender: clean the header, forward to destination
  Receiving a reply: (temporary) pseudonym
Anonymous proxies
  Hide (IP) requester from destination
  Traffic analysis: typically no protection against e.g. your ISP
  Could encrypt the connection proxy - client
  No protection against the proxy itself
  Performance
  (Figure: client port x <=> proxy port y; proxy port y <=> service port z)
Tor
  Onion router for anonymity on the network
  Hide requestor from destination & third parties
  Traffic analysis, timing attacks, weaknesses in protocol, malicious nodes, performance
  Also anonymous services
  Figures from Tor website
Pseudonyms
  On a website, do you enter correct info (name, address, etc.) when the data is not needed for the service?
  Some services support pseudonyms.
    No direct link to the user
    Profiles possible if pseudonyms are persistent
  Privacy issue? Are pseudonym & group profiles personal data?
Direct Anonymous Attestation
  Revocation of anonymous credentials / revocation of anonymity
  Parties: Prover (TPM, with id_i), DAA Issuer, DAA Verifier, Anonymity Revocation Authority
  1. Register
  2. Certificate
  3. Proof of having a certificate, without revealing it
  4. Provide service
  Issuer and verifier cannot link steps 2 and 3, even if working together.
The magical cave
  Cave with a fork: two passage ways
  Ends of passages not visible from the fork
The magical cave (2)
  Cave with a fork, two passage ways
  Ends of passages not visible from the fork
  Ends of passages connected by a secret passage way.
  Only findable if you know the secret.
The magical cave (3)
  I know the secret! But I won't tell you... Can I still convince you I know the secret?
Zero-Knowledge proof
  Peggy and Victor meet at the cave
  Peggy hides in a passage
  Victor goes to the fork and calls out either left or right
  Peggy comes out of this passage, using the secret passage if needed
  Is Victor convinced? And if repeated many times?
  From: Quisquater et al., "How to Explain Zero-Knowledge Protocols to Your Children"
Zero-Knowledge proof
  Peggy convinces Victor she knows the secret
  Proof is zero knowledge:
    Consider Victor tapes the game and shows the tape to you; will you be convinced?
    The proof can be simulated by a cheating verifier, without a prover who has the secret
Example protocol
  The cave: secret S; p, q (large primes); public n = p*q, I = S^2 mod n
  P proves knowledge of S to V:
    P makes random R, sends X = R^2 mod n            (Peggy hides)
    V makes & sends random bit E                      (Victor calls left/right)
    P sends Y = R * S^E (mod n)                       (Peggy comes out)
    V checks Y^2 = X * I^E (mod n)                    (Victor sees Peggy)
Example protocol analysis
  Completeness: with secret S, P can always correctly provide Y
  Zero-knowledge: simulation by a cheating verifier
    Simulate a run (X, E, Y): choose random Y, E
      if E=0 take X = Y^2
      if E=1 take X = Y^2 / I
    Indistinguishable from real runs.
  Soundness: without S, P has to choose X before knowing E
    Choose X so you know R = SQRT(X): no answer if E=1
    Choose X so you know Y = SQRT(X * S^2): no answer if E=0
    Cannot know SQRT(X * S^2) and SQRT(X) at the same time (their ratio would reveal S)
    Thus fails with probability 1/2 per round
  (Figure: X = R^2 mod n; Y = R or Y = R * S)
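The cave protocol above in runnable form, as an added example that is not from the slides: an honest round (completeness), the cheating verifier's simulator (zero knowledge), a prover without S who must guess E (soundness), and the extractor that explains why both answers cannot be known. The modulus is a constructed toy value, not one from the slides.

```python
import secrets
from math import gcd

# Constructed toy modulus n = p*q (real deployments use 1024+ bit primes).
P, Q = 1000003, 999983
N = P * Q

def rand_unit(n):
    """Random value in [2, n-2] coprime to n, so inverses mod n exist."""
    while True:
        r = secrets.randbelow(n - 3) + 2
        if gcd(r, n) == 1:
            return r

def keygen(n=N):
    """Peggy's secret S and the public value I = S^2 mod n."""
    s = rand_unit(n)
    return s, pow(s, 2, n)

def prover_commit(n=N):
    """Peggy hides: pick random R, send X = R^2 mod n (keep R)."""
    r = rand_unit(n)
    return r, pow(r, 2, n)

def prover_respond(r, s, e, n=N):
    """Peggy comes out: Y = R * S^E mod n (E=0: R itself, E=1: R*S)."""
    return (r * pow(s, e, n)) % n

def verifier_check(x, i, e, y, n=N):
    """Victor sees Peggy: accept iff Y^2 = X * I^E mod n."""
    return pow(y, 2, n) == (x * pow(i, e, n)) % n

def honest_run(s, i, n=N):
    """Completeness: one round with the real secret always verifies."""
    r, x = prover_commit(n)
    e = secrets.randbits(1)                        # Victor's random bit
    return verifier_check(x, i, e, prover_respond(r, s, e, n), n)

def simulate_run(i, n=N):
    """Zero knowledge: a cheating verifier picks Y and E first and derives X,
    producing a transcript (X, E, Y) that verifies without knowing S."""
    y = rand_unit(n)
    e = secrets.randbits(1)
    x = pow(y, 2, n) if e == 0 else (pow(y, 2, n) * pow(i, -1, n)) % n   # Y^2 or Y^2 / I
    return x, e, y

def cheating_prover_run(i, n=N):
    """Soundness: without S the prover must guess E before sending X.
    Returns (verifier accepted, guess was right); the two always agree."""
    guess = secrets.randbits(1)
    r = rand_unit(n)
    if guess == 0:
        x = pow(r, 2, n)                           # knows SQRT(X) = R; fails if E=1
    else:
        x = (pow(r, 2, n) * pow(i, -1, n)) % n     # knows SQRT(X*I) = R; fails if E=0
    e = secrets.randbits(1)
    return verifier_check(x, i, e, r, n), guess == e

def extract_secret(y0, y1, n=N):
    """Why both answers cannot be known: Y1 / Y0 = (R*S) / R = S mod n."""
    return (y1 * pow(y0, -1, n)) % n
```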
Use of zero-knowledge proofs
  The example protocol shows: know the secret for given public info
  For applications, e.g. DAA: know values with a special relation
    e.g. an ID along with a CA signature on this ID
    e.g. know integers α, β, γ with the properties:
      ZKP{(α, β, γ): y = g^α · h^β  AND  y' = g'^α · h'^γ  AND  u ≤ α ≤ v}
    α, β, γ secrets; y, g, h, etc. known parameters; g, h generators of group G, g', h' of G'
Direct Anonymous Attestation
  Parties: Prover (TPM, holding f and id_i), DAA Issuer, DAA Verifier
  1. Register; authenticate the masked value of f
  2. Certificate; signature on the masked f
  3. Proof of having a signature on f, without revealing f or the signature
  4. Provide service
  After step 2 the prover holds {f}sg(DAA), the issuer's signature on f, next to f and id_i
Direct Anonymous Attestation
  Peggy chooses secret f
  Gets an anonymous signature on f; does not reveal f to the issuer
    Recall blind signatures, e.g. with RSA: E(m r^e) = (m r^e)^d mod n = m^d r mod n = E(m) r
  Zero-knowledge proof: knows an f together with a signature on f
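The RSA blind-signature identity E(m r^e) = E(m) r carried out end to end, as an added example that is not from the slides: Peggy masks f, the issuer signs the masked value without seeing f, and Peggy unblinds to a valid signature on f. The key pair is a constructed toy key, and E(x) is the issuer's raw x^d mod n as in the slide's notation.

```python
import secrets
from math import gcd

# Constructed toy RSA key pair for the issuer (illustration only; far too small for real use).
P, Q = 1000003, 999983
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def rand_unit(n):
    """Random blinding factor r with gcd(r, n) = 1, so r^-1 mod n exists."""
    while True:
        r = secrets.randbelow(n - 3) + 2
        if gcd(r, n) == 1:
            return r

def issuer_sign(x, d=D, n=N):
    """The issuer's raw RSA operation, written E(x) = x^d mod n on the slide."""
    return pow(x, d, n)

def verify(m, sig, e=E, n=N):
    """Anyone can check a signature on m: sig^e = m mod n."""
    return pow(sig, e, n) == m % n

def blind(f, n=N, e=E):
    """Peggy masks her secret f as f * r^e mod n; the issuer only sees this."""
    r = rand_unit(n)
    return r, (f * pow(r, e, n)) % n

def unblind(blind_sig, r, n=N):
    """(f r^e)^d = f^d r, so multiplying by r^-1 leaves f^d: a signature on f."""
    return (blind_sig * pow(r, -1, n)) % n

def blind_signature_protocol(f, n=N):
    """Full exchange: returns (r, masked value, issuer's reply, unblinded signature)."""
    r, masked = blind(f, n)
    blind_sig = issuer_sign(masked)      # issuer never learns f or r
    return r, masked, blind_sig, unblind(blind_sig, r, n)
```

The message f must be smaller than n; in DAA the same idea is realised with a different signature scheme and a proof step rather than plain RSA, but the blinding identity is the one shown here.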
Direct Anonymous Attestation
  Rogue member detection / revocation
    Secret of Peggy = f, g a generator of the group; Peggy sends g^f
    Victor has a list of revoked f'; compares g^f with g^f' for each f' on the list
    g is not random, but should not be seen too often
`Soft' Privacy
  Sometimes PII must be used.
  Privacy ~ use for the correct purpose only
Privacy Policy Statements
  When entering a form on a web page, the privacy policy states what may be done with the data
  Issues:
    Too long and complex
    No guarantees the policy is actually followed
    No user preferences: accept the existing policy / do not use the service
P3P
  Standardized XML-based format for privacy policies
  Enables automated tool support, e.g. to decide whether to accept a cookie
  Issues:
    Policies can be ambiguous
    No definition of how a policy should be interpreted
    Also no enforcement
Enterprise Privacy: E-P3P / EPAL
  Mechanisms for enforcement within an enterprise; the law often requires some form of enforcement
  No external check: for the company, ensures employees follow the policies; the user still needs to trust the company
  Sticky policies (policies stay with the data): local to the company, no guarantees outside the administrative domain
  Issue: no industry adoption
Anonymizing data
E.g. use db of health records for research
Anonymized databases
  (Figure: medical records are anonymized and released; the attacker brings knowledge of "public" attributes)
Re-identify data by linking attributes
  L. Sweeney, "k-anonymity: a model for protecting privacy", International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 2002
K-Anonymity (K=3)
  (Figure: the attacker's knowledge on Alice matches three released records, Alice, Eve and Mallory, which cannot be told apart)
Restrict Quasi-ids to achieve
  A. Machanavajjhala et al., "l-Diversity: Privacy Beyond k-Anonymity", ACM Transactions on Knowledge Discovery from Data, 2007
Attribute Disclosure
  (Figure: Alice, Eve and Mallory form one K=3 class, but all three records carry "Heart Disease"; the attacker learns Alice's diagnosis without singling out her record)
Probabilistic disclosure
  (Figure: in Alice's class two of the three records carry "Very rare Disease" and one "Heart Disease"; the attacker learns that Alice very likely has the rare disease)
K-anonymity, L-diversity, T-closeness
  Equivalence class in the released DB: records that an attacker cannot tell apart (same values for the attributes known to the attacker)
  K-anonymity: each equivalence class has at least K members
  L-diversity: each equivalence class has at least L possible/likely values for the sensitive attribute
  T-closeness: in each equivalence class the distribution of the sensitive attribute is similar to the global distribution (within distance T)
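The three notions applied to a small release, as an added example that is not from the slides: the records are constructed so that one class reproduces the attribute-disclosure case above (K=3 but all the same diagnosis), and the helpers compute K, L, T and what an attacker who knows a target's quasi-identifiers learns. Class-to-global distance is measured as total variation distance, a simplification of the earth mover's distance used in the t-closeness paper.

```python
from collections import Counter, defaultdict

# Constructed release of medical records: zip and age band are quasi-identifiers
# (attributes an attacker may know), disease is the sensitive attribute.
RECORDS = [
    {"zip": "130**", "age": "20-29", "disease": "Heart Disease"},   # Alice's class:
    {"zip": "130**", "age": "20-29", "disease": "Heart Disease"},   # 3 records, all
    {"zip": "130**", "age": "20-29", "disease": "Heart Disease"},   # the same diagnosis
    {"zip": "130**", "age": "30-39", "disease": "Flu"},
    {"zip": "130**", "age": "30-39", "disease": "Cancer"},
    {"zip": "130**", "age": "30-39", "disease": "Flu"},
    {"zip": "140**", "age": "20-29", "disease": "Flu"},
    {"zip": "140**", "age": "20-29", "disease": "Heart Disease"},
    {"zip": "140**", "age": "20-29", "disease": "Cancer"},
]
QUASI_IDS = ("zip", "age")
SENSITIVE = "disease"

def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Group records the attacker cannot tell apart: same values on all quasi-ids."""
    classes = defaultdict(list)
    for rec in records:
        classes[tuple(rec[q] for q in quasi_ids)].append(rec)
    return classes

def k_anonymity(records):
    """Largest K such that every equivalence class has at least K members."""
    return min(len(c) for c in equivalence_classes(records).values())

def l_diversity(records, sensitive=SENSITIVE):
    """Largest L such that every class contains at least L distinct sensitive values."""
    return min(len({r[sensitive] for r in c})
               for c in equivalence_classes(records).values())

def t_closeness(records, sensitive=SENSITIVE):
    """Smallest T the release satisfies: the worst class-vs-global distance,
    here total variation distance (0 = identical, 1 = disjoint distributions)."""
    total = Counter(r[sensitive] for r in records)
    n = len(records)
    worst = 0.0
    for c in equivalence_classes(records).values():
        local = Counter(r[sensitive] for r in c)
        dist = 0.5 * sum(abs(local[v] / len(c) - total[v] / n) for v in total)
        worst = max(worst, dist)
    return worst

def sensitive_values_for(records, attacker_knowledge):
    """What an attacker knowing a target's quasi-ids learns: the sensitive values
    in the matching class (a single value means attribute disclosure)."""
    key = tuple(attacker_knowledge[q] for q in QUASI_IDS)
    return Counter(r[SENSITIVE] for r in equivalence_classes(records).get(key, []))

def generalize(records, attr, mapping):
    """Coarsen one quasi-id (e.g. merge age bands) so classes grow and diversify."""
    return [dict(r, **{attr: mapping.get(r[attr], r[attr])}) for r in records]
```

Merging the two 130** age bands into "20-39" keeps K=3 but raises L from 1 to 3 and lowers T, which is the kind of trade-off a release has to be checked for before publication.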
RFIDS & Privacy
RFID system
  Wireless technology for automatic identification: a set of tags, a set of readers, a backend
  Identification protocols specify the interaction between tags & readers; goal: securely get the identity of the tag to the backend
  Readers are connected with the backend; the backend stores valuable information about tags
Applications
  Supply chain automation
  Warehouses (real-time inventory)
  Medical applications
  (People) tracking: security tracking for entrance management
  Timing (sports event timing to track athletes)
Privacy problems
  Why? ease of access (wireless nature), constrained resources, extensive use → leakage of information about the owner's behaviour
  Desired properties?
    Untraceability: adversary cannot link two sessions to the same tag
    Forward privacy: adversary cannot link past sessions of a stolen tag
    Backward privacy, etc.
Untraceability game
Untraceability game
  Attacker is given access to two tags, either independent or linked
  Attacker may query these tags, all tags in the system, all readers in the system
  Attacker guesses linked/independent
  Untraceability: adversary cannot guess with probability higher than random guessing
Example protocol: OSK
  Tag j holds secret s_i and steps it with hash h after each query: s_i -h-> s_{i+1} -h-> s_{i+2}
  Tag -> Reader -> Backend: g(s_i), then g(s_{i+1}), then g(s_{i+2}), ...
  Backend stores (ID_j, s_{1,j}) and identifies the tag as ID_j by matching
    g(s_i) = g(h^i(s_{1,j})),  g(s_{i+1}) = g(h^{i+1}(s_{1,j})),  g(s_{i+2}) = g(h^{i+2}(s_{1,j}))
  g ensures randomized output (untraceability)
  h ensures previous secrets stay secure (forward privacy)
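The OSK hash-chain protocol in runnable form, as an added example that is not from the slides: the tag emits g(s_i) and steps s_{i+1} = h(s_i), the backend identifies a tag by walking each stored chain from s_{1,j}, and a helper checks the forward-privacy property against a stolen tag state. SHA-256 with domain-separation prefixes stands in for the two independent hash functions g and h; the tag secrets are constructed values.

```python
import hashlib

def h(s: bytes) -> bytes:
    """One-way chain update: s_{i+1} = h(s_i)."""
    return hashlib.sha256(b"h|" + s).digest()

def g(s: bytes) -> bytes:
    """Output function, separated from h so g(s_i) reveals nothing about s_{i+1}."""
    return hashlib.sha256(b"g|" + s).digest()

class Tag:
    def __init__(self, s1: bytes):
        self.s = s1                      # current secret s_i

    def respond(self) -> bytes:
        out = g(self.s)                  # looks random to anyone without s_i
        self.s = h(self.s)               # step the chain; s_i no longer exists on the tag
        return out

class Backend:
    def __init__(self, tags: dict, max_chain: int = 1000):
        self.initial = dict(tags)        # ID_j -> s_{1,j}
        self.max_chain = max_chain       # bound on chain length to search

    def identify(self, output: bytes):
        """Find j, i with g(h^i(s_{1,j})) == output by walking every chain.
        Linear in (#tags * chain length): the known cost of OSK."""
        for tag_id, s in self.initial.items():
            for _ in range(self.max_chain):
                if g(s) == output:
                    return tag_id
                s = h(s)
        return None

def can_link_past(stolen_state: bytes, past_outputs, steps: int = 1000) -> bool:
    """Forward privacy check: from a stolen tag's current secret, hashing forward
    only reproduces future outputs; matching a past output would break the property."""
    seen = set(past_outputs)
    s = stolen_state
    for _ in range(steps):
        if g(s) in seen:
            return True
        s = h(s)
    return False
```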
Conclusions
  Privacy and anonymity are often confused
  Anonymity: a useful tool to protect privacy
  Other privacy enhancing technologies, e.g. EPAL
  Anonymization of data: when is data really anonymous?
  Untraceability: RFIDs, but also e.g. sensor networks