Usable Privacy and Security 5-899 / 17-500 / 17-800 Designing for Privacy Student Lecture by John Wyrick February 22, 2007

Page 1

Usable Privacy and Security 5-899 / 17-500 / 17-800

Designing for Privacy

Student Lecture by John Wyrick

February 22, 2007

Page 2

Outline

• Privacy vs Security

• Exoinformation and Awareness

• Examining Privacy Tools

• Privacy Scenarios Exercise

Page 3

Privacy and Security Defined

• Privacy: “The ability of individuals to control the terms under which their personal information is acquired and used.” – Security and Usability, chapter 19, page 382

• Security: “…the process of protecting data from unauthorized access, use, disclosure, destruction, modification, or disruption.” – Wikipedia, “Information Security”

Page 4

Privacy vs Security

• Privacy is the user’s control of their personal information

• Security is the process of protecting any information

• Security may help establish privacy, but it is not itself privacy!

• This is an important distinction to make when considering privacy in design

Page 5

Privacy vs Security – Scenario 1

• Scenario: In some areas, CMU provides Windows machines for individual student use equipped with Active Directory, Kerberos and other tools configured for the CMU network. Active Directory requires the student’s username/password authentication to access these machines.

• Q: What is the difference/relationship between privacy and security in this scenario?

• A: Active Directory provides an authorization process for security, but the student’s data is not secure; at any time a network administrator may view, use, or delete information on the student’s machine without their knowledge or consent.

• The student has no control over this; hence they cannot maintain total privacy on their CMU-provided machine

Page 6

Privacy vs Security – Scenario 2

• What if you controlled the authorization process?

• Scenario: Your personal laptop, on which you are the sole administrator. User password and other installed security measures configured by you alone.

• Q: What is the difference/relationship between privacy and security in this scenario?

• A: Since you now control the authentication process, your laptop’s security enforces your chosen privacy levels.

Page 7

Privacy vs Security – Scenario 2 (cont.)

• Could your laptop’s privacy still be compromised?

• Identifiable information you were not aware of – user name, machine name, MAC address, OS

• Shared data you were not aware was being distributed – hidden/default shares, overly comprehensive shares

• Lack of Awareness => Lack of Choice => Lack of Control => Lack of Privacy!

Page 8

Exoinformation and Awareness

• “Exoinformation is information gleaned from the tidbits of information that we give off during information-seeking activities.” – Security and Usability, chapter 20, page 404

• Personal information that we are either unaware is being released or whose release we are unable to control – Example: Browserspy, http://gemal.dk/browserspy
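The Browserspy example shows a browser telling a web site about itself. As an added illustration (not code from the lecture, from Browserspy, or from the textbook), the script below takes a constructed HTTP request, as the receiving server or an intermediate proxy would see it, and lists the exoinformation the user never explicitly chose to disclose: operating system, browser, language, the site they came from and the search terms carried in the Referer. It then shows the awareness-to-control step of trimming the Referer to its origin, which is what a strict-origin referrer policy does. The helper names and the sample request are assumptions of the example.

```python
"""Exoinformation in an ordinary HTTP request: an added illustration.

Hypothetical helpers (parse_request, exoinformation, trim_referer_to_origin)
applied to a constructed request; nothing here is captured from a real user.
"""
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample request, as the receiving server or an intermediate proxy sees it.
SAMPLE_REQUEST = (
    "GET /articles/42 HTTP/1.1\r\n"
    "Host: news.example\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) "
    "Gecko/20100101 Firefox/115.0\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Referer: https://search.example/results?q=bankruptcy+lawyer+pittsburgh\r\n"
    "Cookie: sid=0123456789abcdef\r\n"
    "\r\n"
)

# Order matters: an Android UA also says "Linux", an iPhone UA also says "Mac OS X".
_OS_MARKERS = [("Windows", "Windows"), ("Android", "Android"), ("iPhone", "iOS"),
               ("Mac OS X", "macOS"), ("Linux", "Linux")]
# Order matters again: Edge and Chrome UAs also contain "Safari/".
_BROWSER_MARKERS = [("Edg/", "Edge"), ("Firefox/", "Firefox"),
                    ("Chrome/", "Chrome"), ("Safari/", "Safari")]


def parse_request(raw: str) -> Dict[str, str]:
    """Return the header fields of a raw HTTP/1.1 request head as a dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # the first line is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


def exoinformation(headers: Dict[str, str]) -> Dict[str, Optional[str]]:
    """List the incidental facts the request gives away without the user choosing to."""
    ua = headers.get("User-Agent", "")
    referer = headers.get("Referer")
    search_terms = None
    if referer:
        q = parse_qs(urlsplit(referer).query).get("q")
        search_terms = q[0] if q else None
    return {
        "operating_system": next((n for m, n in _OS_MARKERS if m in ua), None),
        "browser": next((n for m, n in _BROWSER_MARKERS if m in ua), None),
        "language": headers.get("Accept-Language", "").split(",")[0].strip() or None,
        "came_from": urlsplit(referer).netloc if referer else None,
        "search_terms": search_terms,
        "tracked_session": "yes" if "Cookie" in headers else "no",
    }


def trim_referer_to_origin(headers: Dict[str, str]) -> Dict[str, str]:
    """Awareness turned into control: keep only the referring origin, which is what a
    strict-origin referrer policy does, so the search terms never reach the destination."""
    trimmed = dict(headers)
    referer = trimmed.get("Referer")
    if referer:
        parts = urlsplit(referer)
        trimmed["Referer"] = urlunsplit((parts.scheme, parts.netloc, "/", "", ""))
    return trimmed


if __name__ == "__main__":
    hdrs = parse_request(SAMPLE_REQUEST)
    for key, value in exoinformation(hdrs).items():
        print(f"{key:>17}: {value}")
    print("search terms after trimming Referer:",
          exoinformation(trim_referer_to_origin(hdrs))["search_terms"])
```

Every field the script reports was sent automatically; the user made none of those disclosures as a choice, which is exactly the lack of awareness the slide ties to lack of control.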

Page 9

Exoinformation and Awareness

• Other examples of private exoinformation that is routinely released?

• Touch-tone phone numeral tones – sound reveals the number being called

• Social security number on some driver's licenses when presented as a form of ID – available to be copied by the checking attendant and matched with other information such as name and address; enough to apply for a credit card?

• Un-shredded spam credit card offers that link your name and address – dumpster diving for data mining

• Key point: Awareness of privacy choices and their impacts is required to let individual users control access to their private information

Page 10

Privacy Framework

Developed by Benjamin Brunk as shown in Chapter 20 of Security and Usability.

Brunk added the concept of Awareness to Bruce Schneier’s previous work on a security framework

• Awareness – Anything that conveys information without requiring the user to act

• Detection – Tools or features that scan or actively look for potential problems

• Prevention – A feature or tool that is used as a precaution

• Response – Taking action after a problem has been detected

• Recovery – Features and tools that help you get back to normal

Page 11

Case Study: Reno & Boise

• Mobile device location disclosure utilities

• Reno included automated tasks – auto-reply to a defined user group – auto-send to a defined user upon arrival

• Study found users almost uniformly did not use these features

• Q: Beyond simply ‘control’, what reasons or scenarios would users have for wanting to not use the automation?

Page 12

Examining Privacy Tools

• Tor (review)

• Domains by Proxy

– “Did you know that for each domain name you register, anyone - anywhere, anytime - can find out your name, home address, phone number and email address? The law requires that the personal information you provide with every domain you register be made public in the "WHOIS" database. Your identity becomes instantly available - and vulnerable - to spammers, scammers, prying eyes and worse.” – www.domainsbyproxy.com

• Commercial privacy solutions: http://www.privacy.li – Anonymous Remailers, Secure Tunnels… anonymous banking?

Page 13

Case Study: SPARCLE

• User interface for authoring and meshing technical privacy policies – [User category(ies)] can [Action(s)] [Data Category(ies)] for the purpose(s) of [Purpose(s)] if [(optional) Condition(s)] with [(optional) Obligation(s)]

– Study showed that this setup helped users be more aware of what policies were needed

– Brodie, Karat & Feng. “Usable security and privacy: a case study of developing privacy management tools.” Proceedings of the 2005 symposium on Usable privacy and security
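The SPARCLE template above is a constrained natural-language form, which is what lets a tool turn an author's sentence into something a system can check. The following is an added illustration, not SPARCLE's own code or the code from the Brodie, Karat & Feng paper: it parses sentences written in the slide's template into structured rules and then decides whether a concrete access request is permitted, returning the obligation that comes with the permission. The controlled action vocabulary, the sample policy sentences and the helper names are assumptions of this example; SPARCLE let authors define their own categories.

```python
"""SPARCLE-style policy sentences parsed into checkable rules: an added illustration.

The template comes from the slide; the controlled action vocabulary, the sample
policy and the helper names (parse_rule, decide) are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Assumption: a fixed action vocabulary so the parser can tell where the action list
# ends and the data category begins (SPARCLE let authors define their own categories).
ACTION_WORDS = {"collect", "use", "read", "update", "disclose", "share", "delete"}

# Constructed sample policy written in the template's shape.
SAMPLE_POLICY = [
    "Billing staff can read and update customer address for the purposes of invoicing "
    "and collections if the customer has an open account with notifying the customer of changes.",
    "Marketing staff can use email address for the purpose of newsletters if the customer has opted in.",
]

# [Users] can [Actions] [Data] for the purpose(s) of [Purposes] if [Condition] with [Obligation]
_TEMPLATE = re.compile(
    r"^(?P<users>.+?) can (?P<rest>.+?) for the purposes? of (?P<purposes>.+?)"
    r"(?: if (?P<condition>.+?))?(?: with (?P<obligation>.+?))?\.?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class PolicyRule:
    users: FrozenSet[str]
    actions: FrozenSet[str]
    data: FrozenSet[str]
    purposes: FrozenSet[str]
    condition: Optional[str]   # must hold for the rule to apply
    obligation: Optional[str]  # what the permitted party must then do


def _items(text: str) -> FrozenSet[str]:
    """'a, b and c' -> {'a', 'b', 'c'} (lower-cased)."""
    parts = re.split(r",\s*|\s+and\s+", text.strip())
    return frozenset(p.strip().lower() for p in parts if p.strip())


def parse_rule(sentence: str) -> PolicyRule:
    """Parse one template sentence into a PolicyRule, or raise ValueError."""
    m = _TEMPLATE.match(sentence.strip())
    if not m:
        raise ValueError(f"not in template form: {sentence!r}")
    words = m.group("rest").split()
    actions: List[str] = []
    i = 0
    while i < len(words):                      # leading run of action words
        w = words[i].strip(",").lower()
        if w in ACTION_WORDS:
            actions.append(w)
        elif w != "and":
            break                              # first non-action word starts the data category
        i += 1
    if not actions or i == len(words):
        raise ValueError(f"no action or no data category in: {sentence!r}")
    cond = m.group("condition")
    obl = m.group("obligation")
    return PolicyRule(
        users=_items(m.group("users")),
        actions=frozenset(actions),
        data=_items(" ".join(words[i:])),
        purposes=_items(m.group("purposes")),
        condition=cond.strip().lower() if cond else None,
        obligation=obl.strip() if obl else None,
    )


def decide(rules: Iterable[PolicyRule], user: str, action: str, data: str,
           purpose: str, facts: FrozenSet[str] = frozenset()) -> Optional[PolicyRule]:
    """Return the rule that permits the request, or None when no rule does.
    `facts` holds the condition strings currently known to be true."""
    for rule in rules:
        if (user.lower() in rule.users and action.lower() in rule.actions
                and data.lower() in rule.data and purpose.lower() in rule.purposes
                and (rule.condition is None or rule.condition in facts)):
            return rule
    return None


if __name__ == "__main__":
    rules = [parse_rule(s) for s in SAMPLE_POLICY]
    hit = decide(rules, "billing staff", "update", "customer address", "invoicing",
                 frozenset({"the customer has an open account"}))
    print("permitted" if hit else "not permitted",
          "- obligation:", hit.obligation if hit else None)
```

Because every rule states who may do what to which data and for which purpose, a request that names a purpose no rule mentions is refused even when the same person may touch the same data for another purpose; that purpose binding is what distinguishes a privacy policy from a plain access-control list.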

Page 14

Privacy Scenarios Exercise

• Having presented these tools, is it possible to have complete privacy?

• 1. As an already published and easily-identified author, you want to publish a lengthy opinion on a controversial topic you do not wish to be associated with, such that it will receive a lot of publicity without your name ever being mentioned as the author.

• 2. You are attempting to facilitate an online conversation between an informant and a deep-cover agent to convey vital information. Both stipulate that they don't want to know anything at all about each other, or for you to know anything about either of them OR what information they pass. You can assume you have a means to securely communicate with each individually to give them instructions.

• 3. You are an employee in a controlled office environment - i.e. not your terminal's sole administrator. You have just found out that the company's stock is going to double in price due to an announcement at the end of the workday, and you want to communicate with your bank and your broker to buy more before that happens. You have a personal wireless laptop at your disposal, but it is registered on the company's network. If you're caught it would mean jail time for insider trading, but you could really use the money - and since the company's network policies that prevent you are a matter of record, it would be the perfect alibi if you could pull it off.

Page 15

Q&A?