cs 590: privacygreenie/privacy/cs590-w17-01.pdf · introductions • hopefully, we’ve all done...


CS 590: Privacy

Instructor: Rachel Greenstadt

January 10, 2017

Tuesday, January 17, 17


Introductions

• Hopefully, we’ve all done online introductions

• Your name

• Program

• Interest in privacy/this course

• Something else interesting about you


High Level Information

• Instructor: Rachel Greenstadt

• Office: UC 140

• Office Hours (Wednesday 2-3 pm)

• Feel free to email or stop by

• Course website

• http://www.cs.drexel.edu/~greenie/privacy/


Overview

• About this class

• Topics Covered

• Structure/Syllabus

• Final Project

• About Privacy

• Mini Lecture Cryptography


Course Objectives

• Read and discuss papers about privacy as it relates to computer science

• Paper presentations and discussion

• Learn how to conduct research in this area

• Final research project


Research Topics

• Basic Cryptography

• Privacy foundations / theory of privacy

• Privacy Enhancing Technologies

• Anonymous communication

• Data/Database privacy

• Privacy and E-commerce

• Web Privacy

• Bitcoin / ecash

• Social network privacy

• Privacy usability/engineering

• Privacy and Gov’t/Policy


Readings

• January 10: Welcome to CS 590

◦ Intro to Privacy and Syllabus

• January 17 (In Class)

◦ Mini-lecture: Introduction to Cryptography

◦ Slides on Ethical Research: Jack Mendencorp and slides

◦ Privacy Foundations: 'I've Got Nothing to Hide' and Other Misunderstandings of Privacy (local cached copy), Daniel J. Solove, San Diego Law Review, Vol. 44, 2007.

◦ Unpacking "Privacy" for a Networked World, Leysia Palen and Paul Dourish, in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2003.

• January 24 (In Class)

◦ Making Sense from Snowden, Susan Landau, IEEE Security and Privacy, Volume 11, Issue 4, July 2013 (also Part II, Susan Landau, IEEE Security and Privacy, Volume 12, Issue 1, January 2014).

◦ The Right To Privacy, Warren and Brandeis, Harvard Law Review, Vol. IV, No. 5, December 1890.

◦ Apple vs FBI Amicus Brief, EFF and 46 Technologists, Researchers, and Cryptographers, March 2016.

◦ Optional supplemental readings

■ Defeating the modern Leviathan of corporate-government data collection by Bruce Schneier

• February 2: Cryptography for Privacy (In Class)

◦ Security of Symmetric Encryption against Mass Surveillance, Mihir Bellare, Kenneth G. Paterson, and Phillip Rogaway, Advances in Cryptology (CRYPTO '14), 2014.

◦ A Systematic Analysis of the Juniper Dual EC Incident, Stephen Checkoway, Shaanan Cohney, Christina Garman, Matthew Green, Nadia Heninger, Jacob Maskiewicz, Eric Rescorla, Hovav Shacham, and Ralf-Philipp Weinmann, ACM CCS 2016.

• February 9: PETs for the Internet (In Class)

◦ Proposals due

◦ Privacy-enhancing Technologies for the Internet (local cached copy), Ian Goldberg, David Wagner, Eric Brewer, IEEE COMPCON 1997.

◦ Towards an Analysis of Onion Routing Security (local cached copy), Paul Syverson, Gene Tsudik, Michael Reed, and Carl Landwehr. In the Proceedings of Designing Privacy Enhancing Technologies: Workshop on Design Issues in Anonymity and Unobservability, July 2000, pages 96-114.

◦ Tor: The Second-Generation Onion Router (local cached copy), Roger Dingledine, Nick Mathewson, Paul Syverson, USENIX Security 2004.


Readings continued

• February 21: Privately Participating in Online Life (online)

◦ "My Data Just Goes Everywhere:" User Mental Models of the Internet and Implications for Privacy and Security, Ruogu Kang, Laura Dabbish, Nathaniel Fruchter, and Sara Kiesler, USENIX Symposium on Usable Privacy and Security, 2015.

◦ Privacy, Anonymity and Perceived Risk in Open Collaboration: A Study of Tor Users and Wikipedians. Andrea Forte, Nazanin Andalibi, and Rachel Greenstadt, Proceedings of Computer-Supported Cooperative Work and Social Computing (CSCW), Portland OR, 2017.

◦ Nymble: Blocking Misbehaving Users in Anonymizing Networks, Patrick P. Tsang, Apu Kapadia, Cory Cornelius, and Sean W. Smith, IEEE Transactions on Dependable and Secure Computing (IEEE TDSC), Volume 8, Number 2, 2011.

• February 28: Bitcoin (online)

◦ Satoshi Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System

◦ A Fistful of Bitcoins: Characterizing Payments Among Men with No Names, Sarah Meiklejohn, Marjori Pomarole, Grant Jordan, Kirill Levchenko, Damon McCoy, Geoffrey M. Voelker, and Stefan Savage, Internet Measurement Conference (IMC), 2013.

◦ Zerocash: Decentralized Anonymous Payments from Bitcoin, Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars Virza. IEEE Symposium on Security and Privacy, 2014.

• March 8: Data Privacy (In Class)

◦ SoK: Privacy on Mobile Devices - It's Complicated, Chad Spensky, Jeffrey Stewart, Arkady Yerukhimovich, Richard Shay, Ari Trachtenberg, Rick Housley, and Robert K. Cunningham. Proceedings on Privacy Enhancing Technologies (PoPETS), Volume 2016, Issue 3.

◦ A Scanner Darkly: Protecting User Privacy from Perceptual Applications. Suman Jana, Arvind Narayanan, and Vitaly Shmatikov, IEEE Symposium on Privacy and Security, 2013.

◦ RAPPOR: Randomized Aggregatable Privacy-Preserving Ordinal Response. Ulfar Erlingsson, Vasyl Pihur, and Aleksandra Korolova. ACM Conference on Computer and Communications Security (CCS), 2014.

• March 15: Project Presentations (Please upload your 5-minute presentation to BBLearn by 4 pm; online students should embed audio)

• March 21 : Project Papers Due


What is a seminar course?

• Classic graduate style, but one you may not have been exposed to

• A key focus of this course is on reading and discussing research on privacy

• You will be learning from each other as much as or more than from the instructor

• Why the course, despite few prereqs, is “Advanced”

• Important to come to class prepared having read and thought about the papers


Course Structure

• Traditional graduate seminar EXCEPT

• hybrid online/in-person class

• This is the beta-release of this class

• Aspects will be experimental and subject to change

• Feedback welcome


Grades

• Facilitation: 25%

• Class Participation 25%

• Project 50%

• There may be some simple lab assignments (under participation)


Facilitation - In Class

• Each paper will have a person responsible for leading a 40 minute discussion around it

• Start with a 25 minute conference style presentation - pretend it is your paper

• Then, lead the class in a critical discussion

• Make sure to go over technical areas where people may be confused


Facilitation - Online

• Online students have the choice of writing a discussion board post or uploading a 25-minute presentation to the discussion board.

• Posts will be graded harder than presentations. Posts should summarize the main ideas and results of the paper, assess the paper's significance, bring up discussion points, and link to related work. Posts will be due the Thursday before class at 5 pm (or occasionally before class under special circumstances).

• The poster will moderate a discussion on the board. All students are expected to participate by Tuesday (6 pm) for Thursday posts.


Class Participation

• Participation in in-class discussion

• If you cannot watch the class concurrently, you will be expected to write a discussion board post on the discussion for each paper, contributing your thoughts (due by Thursday, before the online discussion comes out for the following week). This should be a couple of paragraphs (shorter than the facilitation posts).

• Participation in online discussions

• Watching lectures/discussions


Class Project

• Research project on some topic related to privacy enhancing technologies

• Groups of 1-2 people

• Proposal and topic due February 9

• Paper (12 pages, workshop quality) and presentation due end of class


The Final Project Proposal

• 2 pages long

• Problem Statement and Motivation

• Brief Description of Approach

• Related Work and novelty

• Evaluation approach

• Milestones


Digital Millennium Copyright Act

• No person shall circumvent a technological measure that effectively controls access to a work protected under copyright.

• The Act defines what it means in Section 1201(a)(3):

(A) to “circumvent a technological measure” means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner; and

(B) a technological measure “effectively controls access to a work” if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.

• Also, no tools, advice, publication, etc

• Possible to get research/education exemptions sometimes, but likely not in time for Project 3


Computer Fraud and Abuse Act

1. Knowingly accessing a computer without authorization in order to obtain national security data

2. Intentionally accessing a computer without authorization to obtain:

◦ Information contained in a financial record of a financial institution, or contained in a file of a consumer reporting agency on a consumer.

◦ Information from any department or agency of the United States

◦ Information from any protected computer if the conduct involves an interstate or foreign communication

3. Intentionally accessing without authorization a government computer and affecting the use of the government's operation of the computer.

4. Knowingly accessing a protected computer with the intent to defraud and thereby obtaining anything of value.

5. Knowingly causing the transmission of a program, information, code, or command that causes damage or intentionally accessing a computer without authorization, and as a result of such conduct, causes damage that results in:

◦ Loss to one or more persons during any one-year period aggregating at least $5,000 in value.

◦ The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals.

◦ Physical injury to any person.

◦ A threat to public health or safety.

◦ Damage affecting a government computer system

6. Knowingly and with the intent to defraud, trafficking in a password or similar information through which a computer may be accessed without authorization.

Broad interpretation


Wiretapping laws

• Pennsylvania's wiretapping law is a "two-party consent" law. Pennsylvania makes it a crime to intercept or record a telephone call or conversation unless all parties to the conversation consent. See 18 Pa. Cons. Stat. § 5703 (Title 18, Part II, Article F, Chapter 57, Subchapter B, and then the specific provision).

• These laws apply to data, not just telephone surveillance


Human Subjects Research

• Human subjects research - A systematic investigation involving live subjects, records, databases, tissue samples or surveys - including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.

• Evaluated by Internal Review Board (IRB), but exemption for educational purposes

• If you are thinking of studying humans (users) in any way, please come talk to me about ways to do this legally and ethically


Other parts of class

• Mini-lectures


First week of papers

• We’ll assign to people here

• Figure out the rest after that, based on enrollment


Reading Next Week

• By Next Class

• Privacy Foundations: 'I've Got Nothing to Hide' and Other Misunderstandings of Privacy (local cached copy) Daniel J. Solove, San Diego Law Review, Vol. 44, 2007

• Unpacking "Privacy" for a Networked WorldLeysia Palen and Paul Dourish, in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2003.


Also next week

• Micro-lecture on cryptography basics

• I will include short lectures from time to time to add some background


Your responsibility

• Look through the schedule and pick a reading that you want to facilitate.


Privacy : A Facilitated Discussion

credits to Alessandro Acquisti and others


What is privacy?


What is privacy?

• Hard to define

• Data concealment

• A right “to be left alone”

• Freedom

• The ability to control the information released about you


Privacy in a Digital World

• How does it change?


Privacy in dot com days


And then...


How the market reacted

Economic challenges pushed merchants to more restrictive policies

This policy may change from time to time so please check back periodically

- Yahoo privacy policy circa 2001


And governments have noticed this dynamic...


Privacy in the news

• After NSA revelations, a privacy czar is needed (Washington Post, 2 hours ago): Alan Charles Raul is a lawyer in Washington who previously served as vice chairman of the Privacy and Civil Liberties Oversight Board and ...

• Schools' use of cloud services puts student privacy at risk (PCWorld, 6 hours ago): Schools that compel students to use commercial cloud services for email and documents are putting privacy at risk, says a campaign group ...

• Privacy row as road chiefs track drivers on motorways by collecting ... (Daily Mail, 12 hours ago): The Highways Agency is collecting huge amounts of data from phone companies and other firms that log clients' location. Officials claim the ...

• HHS Issues Last-Minute Changes to HIPAA Privacy, Security Rules (iHealthBeat, 47 minutes ago): On Thursday, HHS' Office for Civil Rights released new guidelines under the HIPAA privacy and security rules that allow pharmaceutical ...

• Lawmaker proposes privacy advocate for secret court (Reuters, Sep 20, 2013): Robertson made his suggestion during a public meeting held by the bipartisan Privacy and Civil Liberties Oversight Board, which was set up in ...

• Fingerprint scanner for iPhone 5s raises privacy, security concerns (Washington Post, Sep 22, 2013): One of the highlights of the iPhone 5s, the fingerprint scanner, is facing two concerns that may take a little shine off Apple's cool new feature.


Stakeholders

• Individuals

• Businesses

• Governments

• Other groups


Digital Surveillance

• Who is the adversary?


Who is the data revealed to?

• Some faceless company?

• The government?

• The Internet?

• Friends/Family?

• Acquaintances/colleagues/employers?


Threats or what could possibly go wrong?


Threats or what could possibly go wrong?

• Identity Fraud/Theft

• Information actually used for harm

• Discrimination - social or economic

• Conformity pressure


Privacy vs. Security

• When is there a tradeoff?

• When are they the same?


A solved problem?

“You pay for content or services with anonymous electronic cash. You connect to content and service providers with an anonymizing mixnet. You authenticate yourself with anonymous credential schemes or zero-knowledge identification protocols. You download content via private information retrieval or oblivious transfer. You use secure function evaluation when interacting with services that require some information.” - [Feigenbaum, Sander, Freedman, Shostack]


E-cash and blind signatures

What else is needed for e-cash?


Technology Rundown

• Anonymous credentials (insurance cards, student IDs, etc) - can use digital signatures for this too

• Brands generalized with certificate scheme

• What if, instead of providing a SSN or ID number, you provided a zero-knowledge proof that you know the private key related to some public key that identifies you?

• Mix-nets - Batch and mix messages to provide anonymity (high latency)


Technology Rundown

• Private Information Retrieval/Oblivious Transfer : Bob has database of n elements, Alice pays to access 1 item and should not get more, Bob should not know which item Alice accessed

• Secure Function Evaluation - Alice and Bob want to compute some function, but keep the inputs private (classically, which one is richer?)

• Both of these can be done, but not always efficiently - take crypto class to learn more


What are the obstacles?

• To these identity management technologies?


Types of Privacy Enhancements: Anonymity

• Anonymity (unlinkability) - Data is not linked to an identity

• Location anonymity (Tor, mixes)

• Data anonymity - “we anonymized the data before releasing it”

• Netflix/census data/etc

• k-Anonymity


Types of Privacy Enhancements: Policy

• Policies that protect information

• Internal access control measures

• Data tagged with XACML or EPAL

• Agreements with partners

• Internal Auditing (Google example)

• Regulatory Compliance (HIPAA?)


Lorrie Faith Cranor • http://lorrie.cranor.org/

Introduction to P3P

| Privacy policy | P3P policy |
| --- | --- |
| Designed to be read by a human | Designed to be read by a computer |
| Can contain fuzzy language with “wiggle room” | Mostly multiple choice – sites must place themselves in one “bucket” or another |
| Can include as much or as little information as a site wants | Must include disclosures in every required area |
| Easy to provide detailed explanations | Limited ability to provide detailed explanations |
| Sometimes difficult for users to determine boundaries of what it applies to and when it might change | Precisely scoped |
| Web site controls presentation | User agent controls presentation |


Risk Analysis


The Privacy Paradox

Why do we have great privacy enhancing technologies... that almost nobody uses?

Why do so many people claim to be concerned about privacy… and then do little to protect it?


Privacy and Economics

• Will anyone buy privacy?

• Maybe...we buy curtains/blinds


Difficulties in privacy economics

• Asymmetric information

• Individual does not know how, how often, for how long information will be used

• Intrusions invisible and ubiquitous

• Externalities and moral hazard

• Ex-post

• Value uncertainty

• Keeps on affecting individual after transaction


Difficulties in privacy economics

• Context-dependent (states of the world)

• Anonymity sets (how many people could I be confused with)

• Sweeney (2002) 87% Americans uniquely identified by gender, birth year, and zip code.

• The more parties that use the good (personal information) the higher risks for original data owner

• Different individuals value the same piece of information differently

• Market for personal information is not necessarily the same as a market for privacy
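An added example, not from the original slides, that measures anonymity sets over the quasi-identifiers named above (gender, birth year, zip code) on a small constructed table, then shows how generalizing and suppressing records raises k. The records, field names and function names are assumptions made for the illustration.

```python
from collections import Counter

QUASI_IDENTIFIERS = ("gender", "birth_year", "zip")

# Constructed sample records (not real data).
RECORDS = [
    {"gender": "F", "birth_year": 1984, "zip": "19104"},
    {"gender": "F", "birth_year": 1986, "zip": "19104"},
    {"gender": "M", "birth_year": 1984, "zip": "19104"},
    {"gender": "M", "birth_year": 1989, "zip": "19103"},
    {"gender": "F", "birth_year": 1981, "zip": "19106"},
    {"gender": "M", "birth_year": 1982, "zip": "19147"},
    {"gender": "F", "birth_year": 1975, "zip": "19104"},
    {"gender": "M", "birth_year": 1971, "zip": "19130"},
    {"gender": "F", "birth_year": 1979, "zip": "19146"},
    {"gender": "M", "birth_year": 1978, "zip": "19102"},
]


def key_of(record, quasi_ids):
    """The quasi-identifier tuple an outside party could match on."""
    return tuple(record[q] for q in quasi_ids)


def anonymity_sets(records, quasi_ids=QUASI_IDENTIFIERS):
    """Map each quasi-identifier combination to the number of people sharing it."""
    return Counter(key_of(r, quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDENTIFIERS):
    """The table is k-anonymous for k = size of its smallest anonymity set."""
    return min(anonymity_sets(records, quasi_ids).values())


def unique_fraction(records, quasi_ids=QUASI_IDENTIFIERS):
    """Fraction of people who are alone in their anonymity set."""
    sets = anonymity_sets(records, quasi_ids)
    return sum(1 for size in sets.values() if size == 1) / len(records)


def generalize(record):
    """Coarsen birth year to a decade and zip code to its 3-digit prefix."""
    decade = record["birth_year"] // 10 * 10
    return {**record, "birth_year": f"{decade}s", "zip": record["zip"][:3] + "**"}


def suppress_below_k(records, k, quasi_ids=QUASI_IDENTIFIERS):
    """Drop records whose anonymity set is smaller than k."""
    sets = anonymity_sets(records, quasi_ids)
    return [r for r in records if sets[key_of(r, quasi_ids)] >= k]


def report():
    generalized = [generalize(r) for r in RECORDS]
    released = suppress_below_k(generalized, 3)
    return {
        "raw_k": k_anonymity(RECORDS),
        "raw_unique_fraction": unique_fraction(RECORDS),
        "gender_zip_unique_fraction": unique_fraction(RECORDS, ("gender", "zip")),
        "generalized_k": k_anonymity(generalized),
        "generalized_unique_fraction": unique_fraction(generalized),
        "records_kept_for_k3": len(released),
        "released_k": k_anonymity(released),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

Generalization trades data utility for larger anonymity sets; suppression then removes the records that still fall below the chosen k.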


Privacy trade-offs

• Protect

• Immediate cost (or loss of immediate benefit)

• Future (uncertain) benefits

• Do not protect

• Immediate benefits

• Future (uncertain) costs


Why is this Problematic?

• Incomplete information

• Bounded rationality/Behavioral distortions

• Complacency towards large risks

• Inability to handle prolonged accumulation of small risks

• Coherent arbitrariness

• Hyperbolic discounting

• Acquisti/Grossklags [2004]


And Yet

• Privacy more in the public eye than ever

• Can’t separate government vs private sector data use

• Has an impact on consumer trust


Privacy in the Electronic Society

• Nearly all of our actions are electronically mediated

• sometimes explicitly (Facebook) sometimes implicitly (Target’s database)

• Privacy is about the balance of individual freedom and autonomy vs collective social control

• What kind of society do we want to have?


Crypto - mini lecture 1


Cryptography

• Symmetric key cryptography (secret key crypto): sender and receiver keys identical

• Asymmetric key cryptography (public key crypto): encryption key public, decryption key secret (private)


Goal of Encryption

• Provide confidentiality -

• no one can read the data

• not anonymity


Vernam Ciphers

• XOR cipher - encryption and decryption the same, Block of data XOR key

• Vernam’s cipher used a message with a paper tape loop that read off the key

• More modern versions use a pseudorandom number generator (stream cipher)

• One-time pad - If key perfectly random AND only used once, then perfect secrecy is assured

• Drawbacks?


Reusing one-time pads

M1 XOR K1 = E1

M2 XOR K1 = E2

E1 XOR E2 =
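The key-reuse failure from this slide, as an added Python example (not part of the original slides): when K1 encrypts both messages, XORing the two ciphertexts cancels the key and leaves M1 XOR M2. The sample messages and the `OneTimePad` helper that refuses to hand out a key byte twice are constructed for illustration.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Vernam operation: byte-wise XOR; encryption and decryption are the same."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

class OneTimePad:
    """Hypothetical pad holder that hands out every key byte at most once."""
    def __init__(self, size: int):
        self._pad = secrets.token_bytes(size)
        self.used = 0

    def encrypt(self, message: bytes) -> bytes:
        end = self.used + len(message)
        if end > len(self._pad):
            raise RuntimeError("pad exhausted: refusing to reuse key bytes")
        key, self.used = self._pad[self.used:end], end
        return xor_bytes(message, key)

def reuse_demo(m1: bytes, m2: bytes) -> dict:
    """Encrypt two equal-length messages under the same K1, as on the slide."""
    k1 = secrets.token_bytes(len(m1))
    e1, e2 = xor_bytes(m1, k1), xor_bytes(m2, k1)
    leak = xor_bytes(e1, e2)             # K1 cancels: equals M1 XOR M2
    recovered_m2 = xor_bytes(leak, m1)   # knowing M1 yields M2, no key needed
    return {"leak": leak, "recovered_m2": recovered_m2}

# Constructed sample messages of equal length (not from the slides).
M1 = b"pay alice $100"
M2 = b"pay bob $90000"

if __name__ == "__main__":
    out = reuse_demo(M1, M2)
    print(out["leak"] == xor_bytes(M1, M2), out["recovered_m2"])
```

Zero bytes in the leak mark positions where the two plaintexts agree, which is visible to anyone holding only E1 and E2.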


Old School Cryptography

• Caesar cipher - shift cipher (each letter replaced by one a fixed length down)

• “Veni, vidi, vici” -> “Yhql, ylgl, ylel”

• Monoalphabetic substitution: substitute one letter for another

• S-box - bit level substitution

• Transposition - Permute the order of the message

• P-box - bit level transposition


Multiple Round Ciphers

• Multiple rounds of complex ciphers made up of permutations, substitutions, xor, etc

• Examples: DES, AES

• DES not so secure because key too short

• Hard to understand, little proof of security (except that if anyone knows how to break them, they’re not telling)


Data Lifetime

• List three types of data whose lifetime (amount of time for which confidentiality protection is needed) is approximately one day. List three whose lifetime is closer to one year. List three whose lifetime is closer to one century.


DES Security

• DES not too susceptible to differential or linear cryptanalysis

• BUT, 56-bit key is just too short

• EFF’s Deep Crack breaks it in 56 hours (1998) for $250,000

• distributed.net and Deep Crack: 22 hours (1999)

• COPACOBANA FPGA machine $10,000, 6.4 days per key


Security of AES

• Most successful attacks are side-channel attacks

• Side-channel attacks use weaknesses in the physical implementation of the system, not the algorithm or brute-force key cracking

• D.J. Bernstein showed that delays in encryption time due to cache misses can be used to infer the key, demonstrated against a custom remote server using OpenSSL’s AES implementation

• Osvik et al. showed that local attacks could infer the key in 65 milliseconds


Problems with Symmetric Key Crypto

• Scalability - separate communication between N people requires N(N-1)/2 keys

• Key management

• Key distribution

• Key storage and backup

• Key disposal

• Key change


Applications of Public Key Crypto

• Encryption for confidentiality

• Anyone can encrypt a message

• With symmetric key cryptography, must know secret key to encrypt

• Only someone who knows private key can decrypt

• Key management is simpler (maybe)

• Secret is stored only at one site

• Digital signatures for authentication

• Can “sign” a message with private key

• Session Key establishment

• Exchange messages to create a special session key

• Then use symmetric key cryptography


Diffie-Hellman Protocol (1976)

• Alice and Bob never met and share no secrets

• Public info: p and g

• p is a large prime number, g is a generator of Zp*

• Zp* = {1, 2, ..., p-1}; ∀a ∈ Zp* ∃i such that a = g^i mod p

• Modular arithmetic (numbers wrap around after they reach p)

• 0 = p mod p


Why is Diffie-Hellman Secure?

• Discrete Log (DL) problem: given g^x mod p, it’s hard to extract x

• There is no known efficient algorithm for doing this

• This is not enough for Diffie-Hellman to be secure! (Why?)

• Computational Diffie-Hellman problem: given g^x and g^y, it’s hard to compute g^(xy) mod p

• … unless you know x or y, in which case it’s easy

• Decisional Diffie-Hellman (DDH) problem: given g^x and g^y, it’s hard to distinguish between g^(xy) mod p and g^r mod p where r is random


Properties of Diffie-Hellman

• Assuming DDH problem is hard, Diffie-Hellman protocol is a secure key establishment protocol against passive attackers

• Eavesdropper can’t distinguish between established key and a random value

• Can use new key for symmetric cryptography

• Approx. 1000 times faster than modular exponentiation

• Diffie-Hellman protocol (by itself) does not provide authentication


Diffie-Hellman Handshake

Alice → Bob: E_Bob(g^x)

Bob → Alice: g^y, H(K)

K = g^(xy)

This depends on the hardness of discrete log (hard to find x from g^x)

Now both sides have a symmetric key, K = g^(xy)

Why do we need to encrypt g^x?

Why do we need H(K)?

What’s still broken?
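The exchange from the Diffie-Hellman slides, as an added Python example (not part of the original slides): it checks that g generates Zp*, runs the g^x / g^y exchange with the H(K) confirmation, and shows that the discrete log falls to exhaustive search when p is tiny. The toy parameters p = 23, g = 5, the choice of SHA-256 for H and all function names are assumptions of this example; the E_Bob encryption of g^x is left out.

```python
import hashlib
import secrets

def is_generator(g, p):
    """Slide definition: every a in Zp* equals g^i mod p for some i."""
    seen, a = set(), 1
    for _ in range(p - 1):
        a = (a * g) % p
        seen.add(a)
    return len(seen) == p - 1

def H(k):
    """Key-confirmation hash H(K); SHA-256 is an assumption of this example."""
    return hashlib.sha256(str(k).encode()).hexdigest()

def handshake(p, g, x=None, y=None):
    """One exchange; returns both derived keys and what an eavesdropper sees."""
    if not is_generator(g, p):
        raise ValueError("g does not generate Zp*")
    x = secrets.randbelow(p - 2) + 1 if x is None else x  # Alice's secret
    y = secrets.randbelow(p - 2) + 1 if y is None else y  # Bob's secret
    gx = pow(g, x, p)                 # Alice -> Bob
    gy = pow(g, y, p)                 # Bob -> Alice
    k_bob = pow(gx, y, p)             # Bob computes (g^x)^y
    tag = H(k_bob)                    # Bob -> Alice, sent along with g^y
    k_alice = pow(gy, x, p)           # Alice computes (g^y)^x
    confirmed = secrets.compare_digest(H(k_alice), tag)
    return {"k_alice": k_alice, "k_bob": k_bob,
            "confirmed": confirmed, "wire": (gx, gy, tag)}

def brute_force_dlog(g, h, p):
    """Exhaustive search for x with g^x = h mod p; only feasible for toy p."""
    a = 1
    for i in range(1, p):
        a = (a * g) % p
        if a == h:
            return i
    return None

if __name__ == "__main__":
    r = handshake(23, 5, x=6, y=15)   # constructed toy parameters
    print(r["wire"][:2], r["k_alice"], r["confirmed"])
    print(brute_force_dlog(5, r["wire"][0], 23))
```

With p = 23 the search recovers x from g^x immediately, which is why the slides require p to be a large prime.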
