Privacy and technology

Apr 08

Dillon Reisman, Steven Englehardt, Christian Eubank, Peter Zimmerman, and Arvind Narayanan | Cookies that give you away - Evaluating the surveillance implications of web tracking [PDF] -

Abstract:

"We investigate the ability of a passive network observer to leverage third-party HTTP tracking cookies for mass surveillance. If two web pages embed the same tracker which emits a unique pseudonymous identifier, then the adversary can link visits to those pages from the same user (browser instance) even if the user’s IP address varies. Using simulated browsing profiles, we cluster network traffic by transitively linking shared unique cookies and estimate that for typical users over 90% of web sites with embedded trackers are located in a single connected component. Furthermore, almost half of the most popular web pages will leak a logged-in user’s real-world identity to an eavesdropper in unencrypted traffic. Together, these provide a novel method to link an identified individual to a large fraction of her entire web history. We discuss the privacy consequences of this attack and suggest mitigation strategies."

See also: Related blog post.

Apr 07

Pam Dixon and Robert Gellman (World Privacy Forum) | US | The scoring of America - How secret consumer scores threaten your privacy and your future [PDF] -

From the Brief Summary of the Report:

"This report highlights the unexpected problems that arise from new types of predictive consumer scoring, which this report terms consumer scoring. […] The report includes a roster of the types of consumer data used in predictive consumer scores today, as well as a roster of the consumer scores such as health risk scores, consumer prominence scores, identity and fraud scores, summarized credit statistics, among others. The report reviews the history of the credit score – which was secret for decades until legislation mandated consumer access — and urges close examination of new consumer scores for fairness and transparency in their factors, methods, and accessibility to consumers."

(Source: pogowasright.org)

Apr 06

Joshua A. Kroll, Edward W. Felten and Dan Boneh | Secure protocols for accountable warrant execution [PDF] -

Abstract:

"We describe cryptographic protocols for secure execution of warrants or legal orders authorizing access to data held by private parties. Using cryptography enables a better combination of security, privacy, and accountability properties than would otherwise be possible. We describe a series of protocols, based on different assumptions about trust and technical sophistication of the parties, and making use of wellstudied cryptographic tools. We report benchmark results from our prototype implementation of the tools involved in one such protocol, and show that the protocol’s entire computational cost is easily feasible even for very large data sets, such as ‘cloud’ software service or telecommunications databases comprising billions of records."

See also: Related blog post.

Apr 05

John Bryan (Naked Security) | Is data privacy an out of date concept? -

From ‘So what am I saying?’

"It’s not that I’m saying that data privacy is unimportant. Unfortunately in the real world not everyone one has evolved to the point where prejudices don’t exist. The security reasons for some data privacy is more urgent now than ever before. But data privacy should not be done by rote, instead it should be done with thought and consideration. […] There always will be someone who wants to use and abuse that information for profit and exploitation. So anyone who is a caretaker of personal data still needs to ensure that they leave decisions on what is no longer private to the data owner - the individual. But let’s also keep our minds open that ‘personal’ is about being living, breathing people and not something to be imprisoned under lock and key."

See also: The other point of view, by Mark Stockley (Naked Security).

Apr 04

Privacy International, Access, Electronic Frontier Foundation, Article 19, Human Rights Watch, World Wide Web Foundation | OHCHR consultation in connection with General Assembly Resolution 68/167 "The right to privacy in the digital age" [PDF] -

From the Executive Summary:

"Submissions and recommendations cover five main themes: the meaning of interferences with the right to privacy in the context of communications surveillance, the out-dated distinction between communications data and content, the conceptualisation of mass surveillance as inherently disproportionate, the extra-territorial application of the right to privacy, and the need or legal frameworks to provide protections for the right to privacy without discriminating on the basis of nationality."

See also: Related blog post.

Apr 03

Laura W. Murphy and Christopher Calabrese (ACLU) | US | ACLU comments on the White House Big Data Initiative [PDF linked from this page] -

From the introduction:

”[…] big data does not present wholly – or even mostly – new challenges. In reality these issues have been confronting policymakers since at least the 1970s, when the federal government developed the first version of the Fair Information Practice Principles. In fact, we already have solutions for some of the privacy issues that confront us today and there are specific actions the executive branch can take to improve Americans’ privacy. With that goal in mind, the bulk of these comments will focus on two main areas. The first area is immediate actions the administration can and should take to improve how the federal government collects and uses personal information. The second area is a few specific subjects where sustained focus and attention could improve privacy knowledge and best practices in the future.”

See also: Related blog post.

Apr 02

Jules Polonetsky, Christopher Wolf, Josh Harris and Joseph Jerome (Future of Privacy Forum) | US | [Comments for the White House "Big Data review"] [PDF] -

From the introduction:

"Unlocking the value of data and instituting responsible data practices go hand-in-hand, and both have been an important focus of FPF’s work since our founding in 2008. FPF recognizes the enormous potential benefits to consumers and to society from sophisticated data analytics, yet FPF also understands that taking advantage of big data may require evolving how we implement traditional privacy principles. Through our work on inter-connected devices and applications and the emerging Internet of Things, FPF has acquired experience with the technologies involved in data collection and use. FPF appreciates this opportunity to provide Comments and share its insights into how best to promote the benefits of big data while minimizing any resulting privacy risks or harms."

See also: Related blog post.

Apr 01

Article 29 Data Protection Working Party | EU | Opinion [...] on personal data breach notification [PDF] -

From the Executive Summary:

"In this Opinion, the Article 29 Working Party provides guidance to controllers in order to help them to decide whether to notify data subjects in case of a “personal data breach”. Although this opinion considers the existing obligation of providers of electronic communications regarding Directive 2002/58/EC, it provides examples from multiple sectors, in the context of the draft data protection regulation, and presents good practices for all controllers."

See also: Overview of all opinions and recommendations by WP29.

(Source: huntonprivacyblog.com)

Mar 31

Lillian Ablon, Martin C. Libicki and Andrea A. Golay (RAND National Security Research Division, Juniper Networks) | Markets voor cybercrime tools and stolen data - Hackers' Bazaar [PDF linked from this page] -

From ‘Preface’:

"Criminal activities in cyberspace are increasingly facilitated by burgeoning black markets in both the tools (e.g., exploit kits) and the take (e.g., credit card information). As with most things, intent is what can make something criminal or legitimate, and there are cases where goods or services can be used for altruistic or malicious purposes (e.g., bulletproof hosting and zero-day vulnerabilities). This report describes the fundamental characteristics of these markets and how they have grown into their current state in order to give insight into how their existence can harm the information security environment. Understanding the current and predicted landscape for these markets lays the groundwork for follow-on exploration of options that could minimize the potentially harmful influence these markets impart."

See also: Related blog post.

(Source: webwereld.nl)

Mar 30

Jalal Mahmud, Jeffrey Nichols and Clemens Drews | Home location identification of Twitter users [PDF] -

Abstract:

"We present a new algorithm for inferring the home location of Twitter users at different granularities, including city, state, time zone or geographic region, using the content of users’ tweets and their tweeting behavior. Unlike existing approaches, our algorithm uses an ensemble of statistical and heuristic classifiers to predict locations and makes use of a geographic gazetteer dictionary to identify place-name entities. We find that a hierarchical classification approach, where time zone, state or geographic region is predicted first and city is predicted next, can improve prediction accuracy. We have also analyzed movement variations of Twitter users, built a classifier to predict whether a user was travelling in a certain period of time and use that to further improve the location detection accuracy. Experimental evidence suggests that our algorithm works well in practice and outperforms the best existing algorithms for predicting the home location of Twitter users."

(Source: Ars Technica)

Mar 29

Catherine Crump and Matthew Harwood (ACLU) | Invasion of the data snatchers - Big Data and the Internet of Things means the surveillance of everything -

From the blog post:

"A future Internet of Things does have the potential to offer real benefits, but the dark side of that seemingly shiny coin is this: companies will increasingly know all there is to know about you. Most people are already aware that virtually everything a typical person does on the Internet is tracked. In the not-too-distant future, however, real space will be increasingly like cyberspace, thanks to our headlong rush toward that Internet of Things. With the rise of the networked device, what people do in their homes, in their cars, in stores, and within their communities will be monitored and analyzed in ever more intrusive ways by corporations and, by extension, the government."

Mar 28

Amy Collins, Adam J. Fleisher, Reed Freeman and Alistair Maughan (SCL) | The Internet of Things - the old problem squared -

From the blog post:

"Cisco estimates that some 25 billion devices will be connected in the IoT by 2015, and 50 billion by 2020. Analyst firm IDC makes an even bolder prediction: 212 billion connected devices by 2020. This massive increase in connectedness will drive a wave of innovation and could generate up to $19 trillion in savings over the next decade, according to Cisco’s estimates. But the ingenuity and innovation which companies will apply to turn the IoT into practical reality is constrained by law and regulation. Existing issues may take on new dimensions and, as technologies combine, so will the legal consequences of those technologies. In this article, we look at the prospects for the IoT as well as the likely legal and regulatory factors that will affect the development and growth of IoT technology and the markets that such technology will create."

Mar 27

Human Rights Watch | ET | "They know everything we do" - Telecom and internet surveillance in Ethiopia [PDF linked from this page] -

From the Summary:

"The Ethiopian government has maintained strict control over Internet and mobile technologies so it can monitor their use and limit the type of information that is being communicated and accessed. Unlike most other African countries, Ethiopia has a complete monopoly over its rapidly growing telecommunications sector through the state-owned operator, Ethio Telecom. This monopoly ensures that Ethiopia can effectively limit access to information and curtail freedoms of expression and association without any oversight since independent legislative or judicial mechanisms that would ensure that surveillance capabilities are not misused do not exist in Ethiopia. All governments around the world engage in surveillance, but in most countries at least some judicial and legislative mechanisms are in place to protect privacy and other rights. In Ethiopia these mechanisms are largely absent. The government’s actual control is exacerbated by the perception among Ethiopia’s population that government surveillance is omnipresent. This results in considerable self-censorship, with many Ethiopians refraining from openly communicating on a variety of topics across the telecom network."

Mar 26

Brian Krebs (Krebs on Security) | US | Are credit monitoring services worth it? -

From the blog post:

"In the wake of one data breach after another, millions of Americans each year are offered credit monitoring services that promise to shield them from identity thieves. Although these services can help true victims step out from beneath the shadow of ID theft, the sad truth is that most services offer little in the way of real preventative protection against the fastest-growing crime in America."

(Source: databreaches.net)

Mar 25

Olivier Bilodeau, Pierre-Marc Bureau, Joan Calvet, Alexis Dorais-Joncas, Marc-Étienne M. Léveillé and Benjamin Vanheuverzwijn (WeLiveSecurity) | Operation Windigo - The vivisection of a large Linux server-side credential stealing malware campaign [PDF] -

From the Executive Summary:

"This document details a large and sophisticated operation, code named ‘Windigo’, in which a malicious group has compromised thousands of Linux and Unix servers. The compromised servers are used to steal SSH credentials, redirect web visitors to malicious content and send spam. This operation has been ongoing since at least 2011 and has affected high profile servers and companies […] This report contains a detailed description of our ongoing investigation of the Windigo operation. We provide details on the number of users that have been victimized and the exact type of resources that are now in control of the gang. Furthermore, we provide a detailed analysis for the three main malicious components of this operation […]"

See also: Related blog post.

(Source: Ars Technica)