Privacy Software
Yannis Mallios
February 27, 2008
7/17/2016 Carnegie Mellon University Usable Privacy and Security - Spring 2008

Overview
- Privacy Enhancing Technologies
- Classification of PETs
- Anonymous Browsing
- Policies
- Filter Tools
- Encryption
- Awareness
- Q&A

Privacy Enhancing Technologies (PETs)
- A coherent system of ICT measures that protects privacy by eliminating or reducing personal data or by preventing unnecessary and/or undesired processing of personal data, all without losing the functionality of the information system
- Source: Hes, Borking, Privacy Enhancing Technologies, The Path to Anonymity

PETs Classification (1)
- Hundreds of Tools (?)
- Various methods of Classification:
  - Encryption Tools (e.g. SSL), Policy Tools (e.g. P3P, TRUSTe), Filtering Tools (e.g. Cookie Management, Spyware), Anonymous Tools (e.g. Anonymizer, iPrivacy), Identity Management
  - Firewall, Cookie Remover, Web Bug Remover, Anonymous Web Browsing, Encrypted Email, Advertising Filters, Anti-Spam Tools, AntiSpyware Tools
  - Snoop Proof Email, Anonymous Remailers, Surf Anonymously, HTML Filters, Cookie Busters, Voice Privacy, Email & File Privacy, Secure Instant Messaging, Web Encryption, Telnet Encryption, Disk Encryption, Disk/File Erasing Programs, Privacy Policy Generators, Password Security, Firewalls

PETs Classification (2)
We could generalize to the following:
- Anonymous Tools
  - Anonymous Mail
  - Anonymous Web Browsing
- Encryption
  - Communication Encryption (mail, voice, telnet, etc)
  - File Encryption
- Policy Tools (Generators, User Agents, etc)
- Identity Management
- Firewalls
- Filter Tools (Cookies, Web Bugs, etc)

Privacy Framework
Framework by Benjamin Brunk:
- Awareness: Tools that convey information without requiring explicit action from the user
- Detection: Tools that actively scan for potential problems
- Prevention: Tools used as precaution
- Response: Taking action after the detection of an issue
- Recovery: Tools that help users get back to normal
Discussion:
- Do we have PETs for every stage of the framework?
- PETs for the subset of the stages?

Fair information practice codes
- Notice/Awareness
- Choice/Consent
- Access/Participation
- Integrity/Security
- Enforcement/Redress
Discussion:
- Do we have PETs for ensuring all principles?
- Can we rely solely on technology and Privacy Software?

PETs Already Discussed
- Anonymous Web Browsing: TOR
- Anonymous Email: MixMinion
- Communication Encryption: PGP
- Policy Tools: Seal Programs, P3P, Privacy Bird/Privacy Finder
- Firewalls: ZoneAlarm
- Filter Tools: Bugnosis

Anonymous Browsing - Anonymizer
- Traffic is routed through dedicated hardware, housed in secure facilities with complete access control
  - Tor does not use secure hardware or private proxies.
- Ensures High availability
- Anonymizer maintains tens of thousands of privately owned "clean" IP addresses and rotates them frequently
  - Onion router type of networks use proxies owned by individual operators
- Centralized or Distributed?
  - Anon.penet.fi again?
  - Laws and Regulations?

Policies – P3PEdit
- Web-based wizard that creates P3P policies for websites
  - Basic questions about website’s data collection
  - P3PEdit generates an XML document that web browsers can read
- Internet Explorer 6 blocks cookies from third-party websites.
  - If trying to set cookies from a webserver on another site, the cookies will be blocked.
  - In a website with multiple domains, only the primary domain may set cookies without a P3P policy.
- P3PEdit creates P3P policies that are necessary to set cookies

Filter Tools - Adblock Plus
- Mozilla Firefox Add-On
- Block Ads and Banners on the internet that often take longer to download

Filter Tools – Adblock Plus
- Subscription to Filter Lists

Filter Tools – Popup Ad Smasher
Provides Multiple Functionalities Including:
- Removes cookies.
- Stops Animated Flash ads.
- Stops Floating pop-up ads
- Cancels Timer ads.
- Remove Web Bugs.
- Stops Blinking/Shaking Picture ads.
- Cancel 3rd Party Activity.
- Auto Cleans Temp folder.

Encryption - TrueCrypt
- Free open-source disk encryption software
- Creates a virtual encrypted disk within a file and mounts it as a real disk.
- Encrypts an entire partition or storage device such as USB flash drive or hard drive.
- Encrypts a partition or drive where Windows is installed (pre-boot authentication).
- Encryption is automatic, real-time (on-the-fly) and transparent.

Privacy in Wireless Networks
- Wireless Networks = Broadcast Networks
- Anyone can intercept traffic
- Especially unencrypted such as:
  - Instant Messaging
  - Emails
  - Web Visits

Peripheral Privacy Notifications for Wireless Networks
- Notify users of information leaks through peripheral display
- Similar to Wall of Sheep

Peripheral Privacy Notifications-Study
- Implementation
  - Display specific key words
  - Use a consistent font/text per person
- Study
  - In a non-CS or engineering graduate lab (semipublic)
  - Displayed privacy notifications for a week
- Conclusions
  - Network usage did not decrease significantly
  - Participants became more self-conscious

Peripheral Privacy Notifications-Study
- Users seemed to have attributed the threat to the display’s presence
Discussion:
- How could the user study be improved?
- How could the proposal/Technology be improved?

Questions and Discussion
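
Added example (not part of the original slides and not P3PEdit's own code): a site operator's audit of the rule on the Policies – P3PEdit slide, listing which cookie-setting hosts fall outside the primary domain and send no well-formed P3P compact policy. The site_of heuristic, the host names and the captured headers are constructed assumptions; how a browser treats a malformed policy is not modelled.

```python
import re

# P3P response header as a server sends it: P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR"
CP_FIELD = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)
# Compact-policy tokens: three upper-case letters, optional a/i/o suffix (e.g. CURa)
CP_TOKEN = re.compile(r"^[A-Z]{3}[aio]?$")

def site_of(host):
    """Crude site key: last two DNS labels (assumption: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def compact_policy(headers):
    """Return the CP token list from a P3P header, or None if absent or malformed."""
    for name, value in headers:
        if name.lower() == "p3p":
            match = CP_FIELD.search(value)
            tokens = match.group(1).split() if match else []
            if tokens and all(CP_TOKEN.match(t) for t in tokens):
                return tokens
    return None

def audit(primary_host, responses):
    """Return (host, cookie name, verdict) for every Set-Cookie in the capture."""
    findings = []
    for host, headers in responses:
        first_party = site_of(host) == site_of(primary_host)
        has_cp = compact_policy(headers) is not None
        for name, value in headers:
            if name.lower() == "set-cookie":
                verdict = ("ok: primary domain" if first_party else
                           "ok: compact policy sent" if has_cp else
                           "needs P3P compact policy")
                findings.append((host, value.split("=", 1)[0].strip(), verdict))
    return findings

# Constructed sample: responses seen while loading a page from www.shop.example
SAMPLE = [
    ("www.shop.example", [("Set-Cookie", "sid=abc123; Path=/")]),
    ("cdn.shop-static.example", [("Set-Cookie", "pref=1")]),
    ("pay.shop-pay.example", [("P3P", 'policyref="/w3c/p3p.xml", CP="NOI DSP CURa"'),
                              ("Set-Cookie", "cart=42")]),
    ("img.shop-media.example", [("P3P", 'CP="see our policy"'), ("Set-Cookie", "v=9")]),
]

if __name__ == "__main__":
    for row in audit("www.shop.example", SAMPLE):
        print(*row, sep="\t")
```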