Privacy regulation and research. Aalto University, autumn 2012.
Outline
• Privacy legislation
• Examples of my own privacy research:
  • Unwanted metadata in digital documents
  • Identifier leaks to the local network
Two aspects of privacy
• Control over personal information
  • Emphasized in Europe
  • Gathering, disclosure and false representation of facts about someone's personal life
• Right to be left alone
  • Emphasized in America
  • Interference, control, discrimination, censorship, also spam
Privacy legislation in Finland
WARNING: I'm not a lawyer. The following slides contain highly simplified interpretations of the law.
• Perustuslaki (constitution), 10 § http://www.finlex.fi/fi/laki/ajantasa/1999/19990731#p10
  • Protection of privacy, honor and home
  • Secrecy of letters, messages and telephone calls
  • Also:
    • Obligation to protect personal information by law
    • Exceptions can be made in other laws
Crimes against privacy in Finland
• Rikoslaki (criminal code), luku 24 http://www.finlex.fi/fi/laki/ajantasa/1889/18890039001#l24
• Kotirauhan rikkominen, Rikoslaki, luku 24, 1–2, 11 §
  • Disturbing people in their home (or equivalent place) is a crime
  • Telephone and mobile phone are also a protected area
• Salakuuntelu ja salakatselu, Rikoslaki, luku 24, 5–7 §
  • Using technical equipment to listen to or record people's speech at home or in some other place where they don't expect outsiders to hear is a crime
  • Using technical equipment to watch or record pictures without permission at someone's home (or equivalent place), fenced yard, toilet or dressing room is a crime
  • OK to eavesdrop on voices and sounds without equipment
  • OK to record sound when you are legitimately present, e.g. your own conversations or telephone calls
  • OK to photograph or record video in a public place
Crimes against privacy in Finland
• Yksityiselämää loukkaavan tiedon levittäminen, Rikoslaki, luku 24, 8 §
  • Publishing harmful information about an individual's private life is a crime
  • Exceptions for politicians and other public figures
• Kunnianloukkaus (libel), luku 24, 9–10 §
  • Spreading harmful false information about an individual is a crime
• Viestintäsalaisuuden loukkaus (breach of communications confidentiality), luku 38, 3–4 §
  • Opening a letter or a closed or protected message addressed to someone else is a crime (e.g. guessing an email password)
  • Eavesdropping on telecommunications networks is a crime
  • Being a system admin or using hacking tools makes the offence especially serious
  • Communication metadata (e.g. called numbers) is also protected
Personally identifiable information
• Henkilötietolaki 22.4.1999/523 http://www.finlex.fi/fi/laki/ajantasa/1999/19990523
  • Law about personally identifiable information (PII) when it is either processed automatically or stored in a register
  • Does not apply to normal personal use of data
• Requirements for PII processing:
  • Following good data processing practices!
  • Defined purpose: the sources, uses and transfer of information must be defined beforehand; no new uses allowed
  • The person's permission is required to process PII, except in some specific cases (e.g. employment or customer relationship)
  • The PII processing must be necessary and the processor is responsible for its correctness
  • The subject person must be informed
  • Rekisteriseloste: the PII register holder must make a public declaration of what data is stored and for which purpose
  • Right to inspect your PII in the register (free once a year) and demand correction of incorrect information
Freedom of information legislation
• Laki viranomaisten toiminnan julkisuudesta 21.5.1999/621 http://www.finlex.fi/fi/laki/ajantasa/1999/19990621
  • All official (government) documents are public, unless secret by law
  • Includes both documents and data
  • No requirement to tell your identity or the reason for requesting the information
  • Applies also to universities
• Long list of exceptions (24 §) to protect security, economics etc.; for example, the following information is secret by default:
  • Research plans, thesis plans, exam questions, personal income, wealth, benefits, use of social services, health, disability and sexual orientation, private information about crime suspects and victims, psychological evaluations, exam answers and verbal (non-numerical) evaluations of students, secret telephone numbers, addresses and mobile-device location, private political views, way of life, membership in associations, hobbies, family life
• Asianosaisjulkisuus (11–12 §)
  • Individuals have access to secret information about themselves, and to information relevant to their rights and obligations (with some exceptions)
Protection of electronic communication
• Sähköisen viestinnän tietosuojalaki 16.6.2004/516 http://www.finlex.fi/fi/laki/ajantasa/2004/20040516
  • Message contents, metadata and location information are confidential by default
  • If you learn about a message, you must not tell others and must not use the information for any purpose
  • Must not break technical protection or make tools for it (e.g. password cracking or cryptanalysis)
  • Organizations (mainly employers) have some rights to access communication metadata to prevent crime, "Lex Nokia"
  • ISPs, email services and Internet telephony services must store communication metadata for 12 months (for criminal investigations)
  • Right to forbid direct electronic marketing to yourself
  • Many other things…
Privacy and employment
• Laki yksityisyyden suojasta työelämässä 13.8.2004/759, http://www.finlex.fi/fi/laki/ajantasa/2004/20040759
  • Rules for what information employers may record and process about their employees
  • Detailed rules for:
    • Processing of PII and health data
    • Drug tests
    • Camera surveillance at work
    • Opening work-related emails addressed to an absent employee
Detecting unknown metadata
• Detection mostly done using unsystematic, ad-hoc methods
  • Goal is to find something, not everything
• Exception: [Byers 2003/04]
PII detection tool
• We developed a tool for detecting names, identifiers, addresses and other PII in documents
• Goals:
  • Testing Office 2007 document inspection → must find strings in unknown locations
  • User does not know what to look for → must determine search strings automatically
  • Document encoding unknown, fragments may be in different encodings → must find strings in various encodings
• Defensive only, used by the document author
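An added example of the multi-encoding search the goals above require (not the tool built for the slides): search strings are derived from the author's own profile, then looked for in the raw document bytes under several encodings. The profile values, the encoding list and the sample document are constructed here.

```python
import re

# Encodings a fragment of an Office/PDF/PS document may use; the document's
# encoding is unknown, so every search string is tried in all of them (assumed list).
ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be", "latin-1")

def derive_search_strings(name, username, email):
    """Build the search strings from the author's own profile so the user
    does not have to know what to look for (hypothetical profile fields)."""
    strings = {name, username, email, email.split("@")[0]}
    strings.update(part for part in name.split() if len(part) > 2)  # first/last name
    return sorted(s for s in strings if s)

def find_pii(document, search_strings):
    """Return sorted (offset, encoding, string) triples for every occurrence of a
    search string in the raw document bytes, under each candidate encoding."""
    needles = {}
    for s in search_strings:
        for enc in ENCODINGS:
            try:
                needle = s.encode(enc)
            except UnicodeEncodeError:
                continue
            # Identical bytes (ASCII text in utf-8 and latin-1): search them once.
            needles.setdefault(needle, (enc, s))
    hits = []
    for needle, (enc, s) in needles.items():
        # Case-insensitive so "TUOMAURA" and "tuomaura" both count. A UTF-16 needle
        # of the opposite endianness can also match one byte off, so hits are
        # candidates for the author to review rather than exact attributions.
        for m in re.finditer(re.escape(needle), document, re.IGNORECASE):
            hits.append((m.start(), enc, s))
    return sorted(hits)

# Constructed sample: ASCII DSC comments followed by a UTF-16-LE fragment, as a
# document assembled from several vendors' components might contain.
SAMPLE_DOC = (
    b"%%Title: Microsoft Word - Testing.docx\n%%For: aexample\n"
    + "Author: Alice Example".encode("utf-16-le")
    + b"\n%%EOF\n"
)

if __name__ == "__main__":
    strings = derive_search_strings("Alice Example", "aexample", "alice.example@example.org")
    for offset, enc, s in find_pii(SAMPLE_DOC, strings):
        print(f"offset {offset:4d} {enc:9s} {s!r}")
```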
Example: authoring process
• A typical authoring process involves a set of tools and software components from multiple vendors
  • who don't know of each other
  • who have different or conflicting goals
  • who all produce and consume metadata
• No single entity controls what goes into the final published document
PDF authoring with Word 2003 (diagram). Assumption: no Word-specific metadata added
PostScript comments
• Extracts from PostScript files:
%%Title: Microsoft Word - Testing.docx
%%CreationDate: 1/23/2006 19:30:21
%%For: tuomaura
%%OID_ATT_JOB_OWNER "tuomaura";
%%OID_ATT_JOB_NAME "Microsoft Word - Testing.docx";
%%Creator: CorelDRAW 10
%%Title: test-figures.ps
%%CreationDate: Thu Apr 14 14:32:47 2005
%%For: Michael Roe
PDF conversion
• PS-to-PDF conversion (Adobe Distiller or Ghostscript) retains metadata from PS comments:
/Title(Microsoft Word - Testing.docx)
/Author(tuomaura)
• PDF converters don't know where the PS came from and assume all metadata is intentional
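An added example, not from the slides, of what the document author can do before conversion: list the DSC header comments that the converter would carry into /Title and /Author, and strip them while leaving structural comments alone. The key list is an assumption; the sample PS fragment is assembled from the extracts shown above plus a made-up %%BoundingBox line.

```python
import re

# DSC header comments that identify the author, the job or the workstation; a
# PS-to-PDF converter copies %%Title -> /Title and %%For -> /Author (assumed set).
IDENTIFYING_KEYS = {"Title", "For", "Creator", "CreationDate",
                    "OID_ATT_JOB_OWNER", "OID_ATT_JOB_NAME"}

# "%%Key: value" or "%%Key value" at the start of a line.
DSC_RE = re.compile(rb"^%%([A-Za-z_]+):?\s*(.*?)\s*$", re.MULTILINE)

def extract_dsc_metadata(ps):
    """Return {key: value} for the identifying DSC comments in a PS file."""
    found = {}
    for m in DSC_RE.finditer(ps):
        key = m.group(1).decode("ascii")
        if key in IDENTIFYING_KEYS:
            found.setdefault(key, m.group(2).decode("latin-1"))  # first occurrence wins
    return found

def strip_dsc_metadata(ps):
    """Remove identifying DSC comments so the converter has nothing to carry over.
    Structural comments (%%BoundingBox, %%EndComments, ...) are kept."""
    def keep(line):
        m = DSC_RE.match(line)
        return not (m and m.group(1).decode("ascii") in IDENTIFYING_KEYS)
    return b"\n".join(line for line in ps.split(b"\n") if keep(line))

# Constructed fragment built from the comment lines shown on the slide.
SAMPLE_PS = b"""%!PS-Adobe-3.0
%%Title: Microsoft Word - Testing.docx
%%CreationDate: 1/23/2006 19:30:21
%%For: tuomaura
%%BoundingBox: 0 0 612 792
%%OID_ATT_JOB_OWNER "tuomaura";
%%EndComments
"""

if __name__ == "__main__":
    print(extract_dsc_metadata(SAMPLE_PS))
    print(strip_dsc_metadata(SAMPLE_PS).decode("latin-1"))
```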
Anonymous submissions
• Documents: 43 anonymized conference submissions that had already been accepted, PDF/PS
• Search strings: names and affiliations from the conference program, email addresses from papers
• Results:
  • One author name in the PDF /Author field
  • Two author names in embedded EPS
  • One user name in a DVI file path in PS comments (not detected by the tool because we did not know the correct search string)
  • My own anon submissions... OOPS!
Netmon trace of a Microsoft laptop at a wireless hotspot (annotated packet capture; the labels mark what each packet reveals):
• Machine name (DHCP client)
• Full hostname (DNS)
• SIP server
• Email address/messenger user name
• Real name
• Messenger buddy list and blacklist
• Default DNS suffix (web proxy discovery)
• Machine domain
• Host name (IKE initiator id)
• IE home page
• OWA / Exchange
• Domain controller
• Print servers
• File server (Z: drive)
• File server (shortcuts)
DNS queries
• Many connection attempts and service-discovery protocols start with DNS queries
• Some DNS queries from traces:
  • DC discovery: _ldap._tcp.EU-UK-IDC._sites.dc._msdcs.europe.corp.microsoft.
  • Print server: camitgs01.europe.corp.microsoft.com
  • Web proxy: camproxy.europe.corp.microsoft.com
  • Exchange: euro-msg-43.europe.corp.microsoft.com
  • Exchange over HTTPS: mail.microsoft.com
• Private DNS zones used on intranets
  • *.private.contoso.com or *.contoso.local
• Default DNS suffix appended
  • To resolve www.tkk.fi, query first for www.tkk.fi.europe.corp.microsoft.com
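An added example, not from the slides, of turning these observations into a check an organisation can run on its own outbound DNS traffic: each query name is classified as SRV-style service discovery, an intranet host lookup, or a public name the resolver retried with the default suffix appended. The trace format is constructed; the query names are the ones shown on the slide, the internal suffix list is analyst-supplied, and "fileserver" is made up.

```python
import re
from collections import defaultdict

# SRV-style names (_ldap._tcp..., _kerberos._udp...) reveal the AD site and
# domain the laptop belongs to even when the lookup fails.
SERVICE_PREFIX_RE = re.compile(r"^_[a-z0-9-]+\._(?:tcp|udp)\.", re.IGNORECASE)

def classify_query(qname, internal_suffixes):
    """Classify one DNS query name seen leaving a laptop on a foreign network.
    internal_suffixes: the organisation's own DNS suffixes (analyst-supplied)."""
    name = qname.rstrip(".").lower()
    if SERVICE_PREFIX_RE.match(name):
        return "service-discovery"
    for suffix in (s.lower() for s in internal_suffixes):
        if name == suffix or name.endswith("." + suffix):
            head = name[: -len(suffix) - 1] if name != suffix else ""
            # A dotted head such as www.tkk.fi is a public name that the resolver
            # retried with the default suffix; a bare host is an intranet lookup.
            return "suffix-search" if "." in head else "intranet-host"
    return "public"

def leaked_queries(trace, internal_suffixes):
    """Parse a simplified trace ('<time> <type> <qname>' per line, constructed
    format) and group every non-public query name by what it reveals."""
    leaks = defaultdict(list)
    for line in trace.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        kind = classify_query(fields[-1], internal_suffixes)
        if kind != "public":
            leaks[kind].append(fields[-1])
    return dict(leaks)

# Constructed trace lines using the query names from the slide.
TRACE = """\
12:00:01 A _ldap._tcp.EU-UK-IDC._sites.dc._msdcs.europe.corp.microsoft.
12:00:01 A camproxy.europe.corp.microsoft.com
12:00:02 A www.tkk.fi.europe.corp.microsoft.com
12:00:02 A www.tkk.fi
12:00:03 A fileserver.contoso.local
"""
INTERNAL_SUFFIXES = ["europe.corp.microsoft.com", "contoso.local"]

if __name__ == "__main__":
    for kind, names in leaked_queries(TRACE, INTERNAL_SUFFIXES).items():
        print(kind, names)
```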
NetBIOS and LLMNR (annotated trace; labels: Machine name, Primary DC, File server, Print server, User name)
• Local-link name resolution protocols
• NetBIOS for IPv4, LLMNR also for IPv6
• Broadcast, so visible to others on switched LANs
• Attempt to register computer and user name in a WINS server
• Automatic discovery of printers and file shares
• LLMNR name-conflict detection
Potential solutions
• Each individual leak appears trivial, yet it is difficult to prevent them all
  • Too many protocols, layers and applications involved
• Obvious solutions, e.g. turning off all automation, are not acceptable
  • Computers should do stuff for the user without asking!
• Could filter offending data at the outbound host firewall
  • Danger: unpredictable application failures
• Can recognize network location and enable/disable features [PETS 08]
  • Often unnecessary, failed connection attempts to services that are not available in the current network