Privacy Software Yannis Mallios February 27, 2008

Overview

- Privacy Enhancing Technologies
- Classification of PETs
- Anonymous Browsing
- Policies
- Filter Tools
- Encryption
- Awareness
- Q&A

7/17/2016
Carnegie Mellon University
Usable Privacy and Security - Spring 2008
Privacy Enhancing Technologies (PETs)

A coherent system of ICT measures that protects privacy by eliminating or reducing personal data or by preventing unnecessary and/or undesired processing of personal data, all without losing the functionality of the information system.

Hes, Borking, Privacy Enhancing Technologies, The Path to Anonymity

PETs Classification (1)

- Hundreds of Tools (?)
- Various methods of Classification
  - Encryption Tools (e.g. SSL), Policy Tools (e.g. P3P, TRUSTe), Filtering Tools (e.g. Cookie Management, Spyware), Anonymous Tools (e.g. Anonymizer, iPrivacy), Identity Management
  - Firewall, Cookie Remover, Web Bug Remover, Anonymous Web Browsing, Encrypted Email, Advertising Filters, Anti-Spam Tools, Anti-Spyware Tools
  - Snoop Proof Email, Anonymous Remailers, Surf Anonymously, HTML Filters, Cookie Busters, Voice Privacy, Email & File Privacy, Secure Instant Messaging, Web Encryption, Telnet Encryption, Disk Encryption, Disk/File Erasing Programs, Privacy Policy Generators, Password Security, Firewalls

PETs Classification (2)

We could generalize to the following:

- Anonymous Tools
  - Anonymous Mail
  - Anonymous Web Browsing
- Encryption
  - Communication Encryption (mail, voice, telnet, etc.)
  - File Encryption
- Policy Tools (Generators, User Agents, etc.)
- Identity Management
- Firewalls
- Filter Tools (Cookies, Web Bugs, etc.)

Privacy Framework

Framework by Benjamin Brunk

- Awareness
  - Tools that convey information without requiring explicit action from the user
- Detection
  - Tools that actively scan for potential problems
- Prevention
  - Tools used as precaution
- Response
  - Taking action after the detection of an issue
- Recovery
  - Tools that help users get back to normal

Discussion

- Do we have PETs for every stage of the framework?
- PETs for the subset of the stages?

Fair information practice codes

- Notice/Awareness
- Choice/Consent
- Access/Participation
- Integrity/Security
- Enforcement/Redress

Discussion

- Do we have PETs for ensuring all principles?
- Can we rely solely on technology and Privacy Software?

PETs Already Discussed

- Anonymous Web Browsing
  - TOR
- Anonymous Email
  - MixMinion
- Communication Encryption
  - PGP
- Firewalls
  - ZoneAlarm
- Policy Tools
  - Seal Programs
  - P3P
  - Privacy Bird / Privacy Finder
- Filter Tools
  - Bugnosis

Anonymous Browsing - Anonymizer

- Traffic is routed through dedicated hardware, housed in secure facilities with complete access control
  - Tor does not use secure hardware or private proxies.
- Ensures high availability
- Anonymizer maintains tens of thousands of privately owned "clean" IP addresses and rotates them frequently
  - Onion-router-type networks use proxies owned by individual operators
- Centralized or Distributed?
  - Anon.penet.fi again?
  - Laws and Regulations?

Policies – P3PEdit

- Web-based wizard that creates P3P policies for websites
- Basic questions about website's data collection
- P3PEdit generates an XML document that web browsers can read
- Internet Explorer 6 blocks cookies from third-party websites.
  - If trying to set cookies from a webserver on another site, the cookies will be blocked.
  - In a website with multiple domains, only the primary domain may set cookies without a P3P policy.
- P3PEdit creates P3P policies that are necessary to set cookies
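
An added example (not from the slides and not P3PEdit's code) that models the cookie rule stated above: a response from another site may set a cookie only if it carries a P3P policy. The host names, the two-label definition of a "site", and treating any non-empty `CP` value in the `P3P` header as a policy are assumptions that simplify the browser's actual policy evaluation.

```python
import re
from email.parser import Parser

def site_of(host):
    """Assumption: a 'site' is the last two DNS labels (www.shop.example -> shop.example)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_p3p(value):
    """Split a P3P header value into its policyref URL and compact-policy tokens."""
    fields = {k.lower(): v for k, v in re.findall(r'(\w+)\s*=\s*"([^"]*)"', value or "")}
    return {"policyref": fields.get("policyref"), "cp": fields.get("cp", "").split()}

def cookie_decision(page_host, response_host, raw_headers):
    """Apply the slide's rule to one HTTP response (header block given as text)."""
    headers = Parser().parsestr(raw_headers, headersonly=True)
    if not headers.get_all("Set-Cookie"):
        return "no cookie"
    if site_of(page_host) == site_of(response_host):
        return "accepted: first party"
    # Simplification: any non-empty compact policy counts as "has a P3P policy".
    if parse_p3p(headers.get("P3P"))["cp"]:
        return "accepted: third party with P3P policy"
    return "blocked: third party without P3P policy"

# Constructed sample responses (hosts use the reserved .example TLD).
NO_POLICY = "Set-Cookie: id=abc123; Path=/\n\n"
WITH_POLICY = ('P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID"\n'
               "Set-Cookie: id=abc123; Path=/\n\n")

def demo():
    page = "www.shop.example"
    return [
        cookie_decision(page, "www.shop.example", NO_POLICY),      # primary domain
        cookie_decision(page, "ads.tracker.example", NO_POLICY),   # other site, no policy
        cookie_decision(page, "ads.tracker.example", WITH_POLICY), # other site, policy sent
        cookie_decision(page, "img.shop-cdn.example", NO_POLICY),  # same owner, second domain
    ]

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The last case is the multi-domain situation from the slide: the operator's second domain is treated like any other third party until it sends a policy.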

Filter Tools - Adblock Plus

- Mozilla Firefox Add-On
- Blocks ads and banners on the internet that often take longer to download
- Subscription to Filter Lists

Filter Tools – Popup Ad Smasher

Provides multiple functionalities, including:

- Removes cookies.
- Stops animated Flash ads.
- Stops floating pop-up ads.
- Cancels timer ads.
- Removes Web Bugs.
- Stops blinking/shaking picture ads.
- Cancels 3rd-party activity.
- Auto-cleans Temp folder.

Encryption - TrueCrypt

- Free open-source disk encryption software
- Creates a virtual encrypted disk within a file and mounts it as a real disk.
- Encrypts an entire partition or storage device such as USB flash drive or hard drive.
- Encrypts a partition or drive where Windows is installed (pre-boot authentication).
- Encryption is automatic, real-time (on-the-fly) and transparent.

Privacy in Wireless Networks

- Wireless Networks = Broadcast Networks
- Anyone can intercept traffic
- Especially unencrypted such as:
  - Instant Messaging
  - Emails
  - Web Visits

Peripheral Privacy Notifications for Wireless Networks

- Notify users of information leaks through peripheral display
- Similar to Wall of Sheep

Peripheral Privacy Notifications-Study

- Implementation
  - Display specific key words
  - Use a consistent font/text per person
- Study
  - In a non-CS or engineering graduate lab (semipublic)
  - Displayed privacy notifications for a week
- Conclusions
  - Network usage did not decrease significantly
  - Participants became more self-conscious

Peripheral Privacy Notifications-Study

- Users seemed to have attributed the threat to the display's presence

Discussion

- How could the user study be improved?
- How could the proposal/technology be improved?

Questions and Discussion