Post on 21-Dec-2015


Privacy Preserving Infrastructural Requirements

Brad Rosen
Professor Joan Feigenbaum
TA: Ganghua Sun
CS 557: Sensitive Information in the Wired World

Presentation Outline

• Definition and Redefinition of Terms
• Privacy Enhancement vs Privacy Preservation
• Background on PETs [Taxonomy et al]
• Current Infrastructure
• Next-Generation Infrastructure
• Trusted Proxies
• Case Study: iPrivacy
• Conclusions

Terms

• PII: Personally Identifiable Information
• Trusted Platform: Either – for a given input its outputs are known, or the authenticity of its software can be verified.
• Privacy Enhancing Technology: A program or programme of action which increases the user’s control over what happens to their data.
• Proxy: A server that redirects internet requests.

What is a Privacy “Enhancing” Technology?

• As we’ve seen [Ashley/Bobby], PETs “enhance” user control over “private” data.
• Some of these data are intrinsically hard to protect due to the nature of the current Internet. [Server-side IP address “cookies”]
• All of which require a certain degree of “trust” in another party. [Proxies vs Cookies]
• Paradigm shift in how we think about privacy…

Background on PET: Taxonomy

• Within our discussions of PETs, we have seen a number of active [Cookie Cutters, Proxies] and passive [Policy Tools] technologies.
• Encryption tools are quickly becoming ubiquitous in all aspects of modern computing and are a prerequisite to, not an enhancement for, protection of “sensitive” data.
• Filtering tools [SPAM] merely seek to fix a (heavily) broken mail standard (SMTP/ESMTP).

Privacy Enhancing or Privacy Preserving?

• Reasonable Expectations
– When a user performs certain actions on the internet [like shopping or browsing] they have the inherent reasonable expectation of privacy. [Real-life library]
– These expectations were not design goals of the original internet. [P3P…]
– Rather than tack on privacy “enhancements” to an architecture that was not designed for them, we need to look at building privacy preservation in from the ground up.

Background on PET: Taxonomy

Policy Tools
• P3P is somewhat ambiguous, but suppose there was a non-ambiguous policy language…
• “Perfect P3P” [P4P] data may be very large in size.
• Users will need semi-regular updates of P4P data.
• Without proxied browsing, even connecting to a site may violate the user’s preference [IP tracking]…

Background on PET: Taxonomy

Pop-Up Blockers
• Pop-up windows are a vestige of arguably terrible design decisions in JavaScript/ECMAScript.
• While pop-up windows are an annoyance and an inconvenience, they are by no stretch of the imagination an invasion of privacy. [They may be directed at sites which attempt to perform such an act – which should concomitantly be blocked by other tools.]
• Pop-up blockers are not a privacy enhancing technology.

Background on PET: Taxonomy

Cookie Cutters
• Cookies were originally a “hack” to get around the fact that HTTP is a stateless protocol.
• Anything that can be accomplished with cookies can be accomplished server-side with a unique identifier [such as IP address].
• In the absence of proxy tools, cookie cutters are not enough to prevent tracking of click data, etc.
• Blocking cookies is trivial.

Background on PET: Taxonomy

Proxy Tools
• Any device which masks a user’s IP address may arguably be a proxy tool. [NAT home routing]
• While proxy tools [and blocked cookies] ensure no tracking data is leaked, they require trust in the organization running the proxy.
• These organizations may have unclear, vague, or unfavorable terms for those who use their proxies.
• The question of “anonymity” vs “identity protection” remains. [crime, traceability, etc]

Background on PET: Taxonomy

SpyWare
• The collection of data by a program resident on a computer. Often installed with “freebies” (like Kazaa) – but could be installed by a buffer overflow in any web-enabled program. [IE]
• There are those in the community that consider spyware to be an actual intrusion/trespassing.
• SpyWare removal tools [Ad-Aware, etc] blur the line of PETs, simply because no user had the reasonable expectation of SpyWare being installed on his/her computer in the first place.

Current Infrastructure

• The status quo of the internet relies on a number of standards: IPv4, (E)SMTP, HTTP, JavaScript/ECMAScript, Applets/ActiveX.
• One of the reasons that good PETs have failed to materialize is that the current infrastructure was designed with quick spread of information in mind – not protection thereof. [Lack of Palladium…]
• Looking at the end-to-end traffic, we can see a number of holes…
• DISCUSSION: WHAT IS THE FIRST HOLE???

Current Infrastructure: HTTP End-To-End

• When a user points their browser at a website, that name must be translated into the IP address where that website is hosted. This is done by the Domain Name System [DNS].
• DNS requests are sent in clear text.
• Most ISPs provide their own domain name servers [caching servers] for their users – and thus could track website visit data trivially.
• DNS hijacking is a problem – setting up a website which looks like Amazon or eBay tricks plenty of people already – imagine if it was actually at Amazon.com or eBay.com.

Current Infrastructure: HTTP End-To-End

• After DNS resolution, the HTTP request is sent to the website.
• The request is carried by a number of intermediary hops [routers], all of which know the source and destination IP address.
• Routers operate on a store-and-forward basis – they store the packet locally in case it is lost further down the chain.
• There is no user assurance that the intermediate routers actually discard those packets.
• A human could perform a reverse DNS lookup or simply visit the IP address to see what someone else has been doing…

Current Infrastructure: HTTP End-To-End

• As users navigate the website, both cookies and server-side storage [indexed by IP, username, or some other identifier] may be used to track their browsing habits.
• The status quo of web servers [Apache and IIS] is to store IP addresses for every object served – causing the proliferation of “trackers” and 1x1 pixel “web bugs.”

Current Infrastructure: HTTP End-To-End

• Transfer of “sensitive” data may be done via HTTPS. [HTTP using Secure Sockets Layer]
• Any data sent without using HTTPS can be snooped at any point between the user and the ultimate server. [It is most often used to protect credit card data.]
• Danger: Not all data is sent via HTTPS, tracking is still available, but most of all… [discussion]

Current Infrastructure: HTTP End-To-End

• Once users have submitted data, they simply have no control whatsoever over that data.
• Sites may post a privacy policy…
• …and then violate it later. [JetBlue, eToys]
• There are no assurances as to the security of, and access to, the data [by internal or external parties].
• “Sharing” with “affiliated parties” has become common – yet typically there is no mention of how these parties are bound.

Current Infrastructure: IPv4

• Due to the size of the address space, NAT is common.
• IP fragmentation/NAT “mucks” with many common encryption tools: [Kerberos, IPsec]
• No end-to-end security measures are truly available.
• “Spoofing” is common.
• [Spoofing may be used to defeat credit card companies’ statistical monitoring of purchasing IP addresses]

Current Infrastructure: JavaScript/ECMAScript

• Originally invented to allow for client-side functionality, a number of “cute hacks” can be used to collect data.
• Most notably, the presence of “new frames” opened that may jump around the screen with pornography, Viagra ads, etc, and may or may not contain web bugs.

Current Infrastructure: Applets/ActiveX Controls

• Applets [and to an extent ActiveX controls, despite being MSIE only] have a much greater range of operation than simple web bugs and pop-ups.
• Tools already exist for permission control of Applets and ActiveX controls [bugs in their implementation aside].
• This is a problem of user education, not a technological problem! MANY USERS BLINDLY CLICK YES! [Control Discussion]

Current Infrastructure: (E)SMTP

• (E)SMTP does not require authentication when sending an email.
• Spammers can simply connect to “open relays” that allow them to freely send mail.
• SHOW DEMO: HELO, MAIL FROM, RCPT TO, DATA, QUIT.
• IP Tracking/Spoofing: cross-layer flaws lead to fundamental problems.

Next-Generation Infrastructure (Privacy Preserving)

• Many of the tools are “on the horizon” or “have been discussed”.
• There are significant barriers to adoption.
• Numerous trade-offs are involved in this paradigm shift.
• Information is ubiquitous… Information is ubiquitously controlled by the person or entity it concerns.

Next-Generation Infrastructure

Necessary Assumptions
• Assume that the vagueness of P3P has been eliminated, producing P4P.
• Assume that “Palladium-like” features are available on all platforms. [Including routers!]
• Assume there are [at least] a few “signing bodies” – bonded entities that are willing to certify [via their own remote attestation] that certain websites are indeed running the software they claim to be running. [Randomized Testing]
• Assume there are [at least] a few “verifying bodies” – bonded entities that are willing to certify [via code inspection, mathematical induction or exhaustive proof] that the program certified by a signing body does indeed conform to the P4P profile espoused by the program’s owners.
• Assume there are “trusted proxies” – [Discussion Later]

Next-Generation Infrastructure: HTTP End-To-End

• The proposed solution to hijacking is DNSSEC – which again requires digital signing and distribution of verification keys.
• DNS requests should be encrypted [SSL] to prevent snooping [by other users on the same machine or neighbors on a home cable/DSL network/university subnet].
• Users not wanting their ISP to be able to associate DNS lookups with themselves should tunnel all DNS resolution requests through a trusted proxy first.

Next-Generation Infrastructure: HTTP End-To-End

• After DNSSEC resolution, the user’s computer must “test the path” [like traceroute] [secure ICMP hand waving].
• All routers must attest to:
– Running a known routing algorithm which will destroy packets after their acknowledgement by the next hop.
– Not permitting access to those packets by a local accessing user.
– Not storing the packets in an unencrypted form.
– Not forwarding the packets to any router which does not meet these same requirements.
• Again, the privacy-obsessive will need to tunnel these requests through a proxy if they want to prevent the destination website from knowing their IP address.

Next-Generation Infrastructure: HTTP End-To-End

• What if a user does not want to even visit sites that do not meet their P4P guidelines? [Users not behind a proxy fearing IP address use for statistics]
• P4P profiles should be stored at:
– A central authority [or authorities] OR
– Piggybacked onto the secure-DNS system
• Pop a warning: “This site does not follow your specified… do you still want to connect?”

Next-Generation Infrastructure: HTTP End-To-End

• Already, many modern browsers prevent “remote-loading” of images on user request.
• Part of the P4P and trust conventions is that web pages cannot serve pages that will produce remote-loaded images/applets to servers with less-stringent P4P policies.
• This is possible to do at page-generation time.
• Tracking of click data: Could be prevented either in a P4P policy or by a zealous user with a proxy.
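As an added illustration of the two checks described on this slide and the previous one (the page-generation-time filter for remote-loaded resources and the “do you still want to connect?” warning), the following Python models a hypothetical P4P-style policy as sets of permitted practices and treats a policy as less stringent whenever it permits anything the reference policy does not. This is example code written for this transcript, not code from the presentation or from any real P3P/P4P implementation; the policy schema, hostnames and sample policies are constructed assumptions.

```python
"""Hypothetical P4P-style policy comparison (constructed model, not a real
P3P/P4P schema). A policy lists, per data category, the purposes the data
may be used for, the parties it may be shared with, and how long it is
retained. A candidate policy is "less stringent" than a reference policy
when it permits anything the reference does not."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Policy:
    purposes: dict                     # category -> set of allowed purposes
    sharing: frozenset = frozenset()   # e.g. {"affiliates", "third-parties"}
    retention_days: int = 0            # 0 = nothing kept beyond the session


def permitted_pairs(policy: Policy) -> set:
    """Flatten a policy into (category, purpose) pairs for set comparison."""
    return {(cat, purpose) for cat, purposes in policy.purposes.items()
            for purpose in purposes}


def violations(reference: Policy, candidate: Policy) -> list:
    """Everything `candidate` permits that `reference` does not, as text."""
    found = []
    for cat, purpose in sorted(permitted_pairs(candidate) - permitted_pairs(reference)):
        found.append(f"uses {cat} for {purpose}")
    for party in sorted(candidate.sharing - reference.sharing):
        found.append(f"shares with {party}")
    if candidate.retention_days > reference.retention_days:
        found.append(f"retains data for {candidate.retention_days} days "
                     f"(you allow {reference.retention_days})")
    return found


def at_least_as_strict(reference: Policy, candidate: Policy) -> bool:
    return not violations(reference, candidate)


def filter_remote_resources(page_policy: Policy, resource_urls, host_policies):
    """Page-generation-time check: keep only remote-loaded resources whose
    host's published policy is at least as strict as the page's own policy.
    Hosts with no policy on file are dropped (fail closed)."""
    kept, dropped = [], []
    for url in resource_urls:
        host_policy = host_policies.get(urlsplit(url).hostname)
        if host_policy is not None and at_least_as_strict(page_policy, host_policy):
            kept.append(url)
        else:
            dropped.append(url)
    return kept, dropped


def connection_warning(user_preference: Policy, site_policy: Policy):
    """Text of the 'do you still want to connect?' warning, or None when the
    site's policy is within the user's stated preference."""
    problems = violations(user_preference, site_policy)
    if not problems:
        return None
    return ("This site does not follow your specified preferences ("
            + "; ".join(problems) + "). Do you still want to connect?")


# Constructed sample policies and hosts (not real sites or real policies).
USER_PREFERENCE = Policy(purposes={"clickstream": {"site-operation"}})
SHOP = Policy(purposes={"clickstream": {"site-operation"},
                        "purchase": {"order-fulfilment"}},
              retention_days=30)
TRACKER = Policy(purposes={"clickstream": {"site-operation", "marketing"}},
                 sharing=frozenset({"affiliates"}), retention_days=365)
HOST_POLICIES = {"shop.example": SHOP, "ads.example": TRACKER}
PAGE_RESOURCES = ["https://shop.example/logo.png",
                  "https://ads.example/pixel.gif",        # less stringent host
                  "https://cdn.unknown.example/lib.js"]   # no policy on file

if __name__ == "__main__":
    served, stripped = filter_remote_resources(SHOP, PAGE_RESOURCES, HOST_POLICIES)
    print("served:", served)
    print("stripped at page generation:", stripped)
    print(connection_warning(USER_PREFERENCE, SHOP))
```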

Next-Generation Infrastructure: HTTP End-To-End

• Secure data transfer is still required to prevent snooping on the first level of connections.
• Some mechanism [encryption or parts of IPv6] must be used to ensure that packets cannot be sniffed during inter-router movement.
• Any change in path must re-initiate the attestation check.

Next-Generation Infrastructure: HTTP End-To-End

• Now, once users have submitted data, the user knows they are running on a trusted platform and that no other application except the signed one may access that data.
• Assuming the user has accepted the P4P policy posted, the user will know exactly what the site can and cannot do with their data.
• This reverses control of the data.
• This does not allow for customized privacy at a per-user granularity.
– Discussion of requirements: Per-Person-Per-Site Storage of Privacy!
• Assuming that employee-access privileges are specified in the policy, the user need not fear “errant browsing” [inside jobs can never be stopped].
• “Sharing” with “affiliated parties” is not a relevant problem when specified in advance with the caveat of “no sharing with less-restrictive policies” – or even “no sharing”.

Next-Generation Infrastructure: IPv6

• IPv6 provides end-to-end security.
• IPv6 also gives better network management.
• IPsec and Kerberos authentication can become used much more often.
• “Spoofing” becomes almost impossible.
• No fragmentation: prevention of common buffer overflow exploits, DDoS attacks, etc.

Next-Generation Infrastructure: JavaScript/ECMAScript

• This is the last word on pop-ups, ever.
• Disable them in the browser or require the P4P policy to assure that the site does not serve pages that contain code for pop-ups.
• AGAIN: POP-UPS ARE MORE OF A NUISANCE THAN A THREAT TO PRIVACY!

Next-Generation Infrastructure: Applets/ActiveX Controls

• With trusted computing, strict hardware enforcement can substitute for much of the current user-policing requirement.
• P4P policies can also specify the types of applets/controls that may be served.

Next-Generation Infrastructure: New Mail Structure

• Scrap the system entirely, run the legacy system in parallel.
– Two mailboxes, one filled with junk, one not.
• Users must authenticate themselves [encrypted].
• Mail servers will only accept ‘trusted mail’ from a server which they can verify is only accepting mail from its own authenticated clients.
• Advertising/Spam is a social problem – there will not be a 100% technical solution. Requiring authenticated email provides enough accountability for human intervention to finish the job.

Trusted Proxies

• Two Desires: Seclusion and Anonymity
• Anonymity
– Hard to justify in the face of child pornography, national security, illegal activities.
– Desirable to protect freedom of speech, freedom of expression, freedom of religion, etc.
• Seclusion
– Websites cannot track you for purposes of gathering statistical data.
– Don’t want to be in a customer database.

Trusted Proxies

• The only ways to achieve either are via connected dial-up or VPN connections to the proxy. [Must be encrypted if not dial-up]
• Discussion of tradeoffs:
• Dial-up
• VPN
• [Both offered by Anonymizer]

Case Study: iPrivacy

• Discussion of Paper
• Most offerings already available
• Difficulties/Realities of providing:
– Anonymous Discount Coupons (Easy)
– Anonymous Delivery Services (Hard)
– Anonymous Browsing Services (Easy)

Case Study: iPrivacy

Connections
• iPrivacy – Merchant
• iPrivacy – Credit Card Company
• iPrivacy – Delivery Agent
• One-Way Hash or Constant Lookup?
– If algorithmic, then it can be computed offline.
– If constant lookup, then iPrivacy must retain that info.

Case Study: iPrivacy

Statements
• iPrivacy is “traceable” but anonymous
– Discussion of doublespeak
• Who will police iPrivacy and its employees?
• Getting the ball rolling (barriers to entry)
– Must be used by major credit card firms (isn’t)
– Must be associated with many merchants (isn’t)
– Must be used by many consumers to be viable for the above two.
– [Chicken and Egg Problem]

Case Study: iPrivacy

Discussion
• What DOES iPrivacy really provide that is novel?
• What are the implications of a one-way mirror?
• What are the advantages of having an integrated service [iPrivacy] over non-integrated services [using Anonymizer, Yahoo, Google Toolbar in combination]?
• What are the disadvantages of having an integrated service over non-integrated services? [SPOF, etc]

Conclusions

• The trade-off of Privacy and Convenience remains. (“The website does not meet your P4P….”)
• A fundamental shift is required to ensure “user control” of data – be it sensitive or otherwise.
• PETs can only “hack” a limited amount of control into the current architecture – and only the semblance of true control. [JetBlue redux]
• Despite a number of concerns against “Trusted” computing – it does solve a number of problems.
• New Problems: Randomized attestation, hijacking port connections on a local machine. Low-level packet sniffing. [Introducing errors into the JVM via magnetic fields.]