1 / 24

3. Privacy Enhancing Technologies (PET)

3. Privacy Enhancing Technologies (PET). Bobby Vellanki Computer Science Dept. Yale University Oct . 2003. PET. [cf. Bobby Vellanki]. PET = Privacy Enhancing Technology – technology that enhances user control and removes personal identifiers Users want free Privacy

forster
Download Presentation

3. Privacy Enhancing Technologies (PET)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 3. Privacy Enhancing Technologies (PET) Bobby Vellanki Computer Science Dept. Yale University Oct . 2003

  2. PET [cf. Bobby Vellanki] • PET = Privacy Enhancing Technology – technology that enhances user control and removes personal identifiers • Users want free Privacy • Hundreds of new technologies developed • Cf. Electronic Privacy Info Center - www.Epic.org • 4 categories of PETs: • Encryption Tools (e.g., SSL) • Policy Tools (e.g., P3P, TRUSTe) • Filtering Tools (e.g., Cookie Cutters, Spyware) • Anonymity Tools (e.g., Anonymizer, iPrivacy)

  3. Encryption Tools [cf. Bobby Vellanki] • Encryption tools • Examples: SSL, PGP, Encryptionizer • Thought of as a security tool to prevent unauthorized access to communications, files, and computers • Users don’t see the need • Necessary for privacy protection but not sufficient by themselves • Pros: • Inexpensive (free) / Easily accessible • Cons: • Encryption Software isn’t used unless it is built-in to the software • Both parties need to use the same software • Conclusions: • Easy access • All parties need to use the same tool • Good start but not sufficient enough

  4. Policy Tools (1) [cf. Bobby Vellanki] • P3P (Platform for Privacy Preferences) • Developed by World Wide Web Consortium • Usage: • Users declare their privacy policy on their browsers • Websites register their policy with Security agencies • The website policy is compared with user policy and the browser makes automated decisions • Benefits: • Might help uncover privacy gaps for websites • Can block cookies or prevent access to some sites • Built into IE 6.0 and Netscape 7 as of July 2002

  5. Policy Tools(2) [cf. Bobby Vellanki] • Other Policy Tools • TRUSTe • Non-profit organization which ensures that websites are following their privacy policy • Promotes fair information practices • BBBonline (Better Business Bureau) • Conclusions • Users are unaware of Privacy Policies • Not all websites have Policy tools • Need automated checks to see if websites are following their privacy policy

  6. Filtering Tools [cf. Bobby Vellanki] • Some Types 1) SPAM filtering 2) Cookie Cutters 3) Spyware killers

  7. 1) SPAM Filters [cf. Bobby Vellanki] • Problems: • Spammers use new technologies to defeat filters • Legitimate E-mailers send SPAM resembling E-mail • Possible Solution: • E-Mail postage scheme • Have to pay a bit for each e-mail => too costly to spam • Infeasible solution • Tough to impose worldwide • Need homogenous technology for all parties • Policy responsibility is unclear (Who will police it?)

  8. 2) Cookie Cutters [cf. Bobby Vellanki] • Programs that prevent browsers from exchanging cookies • Can block: • Cookie /Pop-ups • http headers that reveal sensitive info • Banner ads / Animated graphics 3) Spyware Killers: • To deal with spyware • Spyware programs gather info and send it to websites • Downloaded without user knowledge

  9. Filtering Tools - Conclusions [cf. Bobby Vellanki] • New technologies are created everyday • Tough to distinguish SPAM • Need for a universal organization • People are ignorant about the use of cookies

  10. Anonymity Tools [cf. Bobby Vellanki] • Enable users to communicate anonymously • Mask the IP address and personal info • Some use 3rd party proxy servers • Strip off user info and forward the rest to websites • Not helpful for online transactions • Expensive • Types of anonymity tools 1) Autonomy Enhancing (Anonymizer) 2) Seclusion Enhancing (iPrivacy) 3) Property Managing (.NET Passport)

  11. 1) Autonomy Enhancing Technology (1) [cf. Bobby Vellanki] • Examples: • Anonymizer, Freedom by Zero Knowledge • No user information is stored by anybody but its “owner” • User has complete control • Anonymizer: • One of the first PETs • Not concerned with transaction security • Provides anonymity by: • Routing through a proxy server • Software to manage security at the “owner’s” PC • Erases cookies and log files, pop-up blocker, kills Spyware, unlisted IP

  12. 1) Autonomy Enhancing Technology (2) [cf. Bobby Vellanki]

  13. 1) Autonomy Enhancing Technology (3) [cf. Bobby Vellanki] Anonymizer (Cont.) • Inexpensive ($30-$70 in 2003) • Can’t lose password • Services: • Customize privacy for each site • Erases cookies and log files, pop-up blocker, Spyware killer, unlisted IP • Reports • ISP service

  14. 2) Seclusion Enhancing Technologies (1) [cf. Bobby Vellanki] • Examples: • iPrivacy, Incogno SafeZone • Target Transaction processing companies • Trusted third party (TTP) who promises not to contact the customer • Consumer remains the decision maker • TTP keeps limited data (dispute resolution) • Transaction by transaction basis • Customers can choose to not give any data to merchants

  15. 2) Seclusion Enhancing Technologies (2) [cf. Bobby Vellanki]

  16. 2) Seclusion Enhancing Technologies(3) [cf. Bobby Vellanki] • iPrivacy • Intermediary for users and companies • Doesn’t have the ability to look at all user data • Cannot map transactions to user info • Each transaction needs to have personal info filled out • Customer downloads software • Client-side software for shipping and Credit Card companies • Licensed to Credit Card and Shipping Companies • Avoids replay attacks for CC companies • Allows users to end associations with merchants

  17. 2) Seclusion Enhancing Technologies(4) [cf. Bobby Vellanki] • iPrivacy – Privacy Policy • Never sees the consumer’s name or address • Ensures only CC and shipping companies see data • iPrivacy works as a one-way mirror • PII filter satisfies HIPAA requirements

  18. 3) Property Managing Technology (1) [cf. Bobby Vellanki] • Example: • .NET Passport • All user data is kept by the “privacy provider” • Like a lawyer protecting privacy of a client • Consumer doesn’t directly communicate with the merchant • Consumer’s control rights are surrendered for service • Potential for misuse of data • User gives agency rights to the provider • No direct contact with merchant

  19. 3) Property Managing Technology(2) [cf. Bobby Vellanki]

  20. 3) Property Managing Technology(3) [cf. Bobby Vellanki] • .NET Passport • Single login service • Customer’s personal info is contained in the Passport profile. • Name, E-mail, state, country, zip, gender, b-day, occupation, telephone # • Controls and logs all transactions • Participating sites can provide personalized services • Merchants only get a Unique ID • Participants: • Ebay, MSN, Expedia, NASDAQ, Ubid.com

  21. 3) Property Managing Technology(4) [cf. Bobby Vellanki] • NET Passport Privacy Policy: • Member of TRUSTe privacy program • Will not sell or rent data • Some sites may require additional info • Doesn’t monitor the privacy policies of .NET participants • Data is stored in controlled facilities • NET Passport features: • Uses “industry-standard” data encryptions • Uses cookies • You can’t use .NET if you decline • Microsoft has the right to store or process your data in the US or in another country • Abides by the Safe Harbor framework • Data privacy rules agreed upon by US and the EU

  22. 3) Property Managing Technology(5) [cf. Bobby Vellanki] • Conclusions • Identity is secured through proxy servers • Give up privacy for convenience (in .NET) • Fairly cheap (some free)

  23. Conclusions [cf. Bobby Vellanki] • Trade-off: Privacy vs. Convenience • People want free privacy • None of these tools are good enough by themselves • Technology that ensures the website is following its policy • Need for an universal organization • Privacy Enhancing Technologies (PET) • Bobby Vellanki • Computer Science Dept. • Yale University • Oct . 2003

  24. References (for PETs) Bobby Vellanki, “Privacy Enhancing Technologies (PET),” CS457, Computer Science Dept., Yale University, Oct . 2003.

More Related