Privacy regulation and research
Aalto University, autumn 2011

Outline
• Privacy legislation
• Examples of my own privacy research:
  • Unwanted metadata in digital documents
  • Identifier leaks to the local network

Two aspects of privacy
• Control over personal information
  • Emphasized in Europe
  • Gathering, disclosure and false representation of facts about one’s personal life
• Right to be left alone
  • Emphasized in America
  • Avoiding interference, control, discrimination, spam, censorship

Privacy legislation in Finland
WARNING: I’m not a lawyer. The following slides contain highly simplified interpretations of the law.
• Perustuslaki (constitution), 10 § http://www.finlex.fi/fi/laki/ajantasa/1999/19990731#p10
  • Protection of privacy, honor and home
  • Secrecy of letters, messages and telephone calls
  • Also:
    • Obligation to protect personal information by law
    • Exceptions can be made in other laws

Crimes against privacy in Finland
• Rikoslaki (criminal code), luku 24 http://www.finlex.fi/fi/laki/ajantasa/1889/18890039001#l24
• Kotirauhan rikkominen (violation of domestic peace), Rikoslaki, luku 24, 1–2, 11 §
  • Disturbing people in their home (or equivalent place) is a crime
  • Telephone and mobile phone are also a protected area
• Salakuuntelu ja salakatselu (eavesdropping and illicit observation), Rikoslaki, luku 24, 5–7 §
  • Eavesdropping with technical equipment and secretly recording people’s sounds is a crime
  • Watching or recording pictures with technical equipment without permission at someone’s home (or equivalent place), fenced yard, toilet or dressing room is a crime
  • OK to eavesdrop on voices without equipment
  • OK to record sounds when you are legitimately present, e.g. your own conversations or telephone calls
  • OK to photograph or record video in a public place

Crimes against privacy in Finland
• Yksityisyyttä loukkaavan tiedon levittäminen (dissemination of information violating personal privacy), Rikoslaki, luku 24, 9 §
  • Publishing harmful private information about an individual is a crime
  • Exceptions for politicians and other public figures
• Kunnianloukkaus (defamation), luku 24, 10–11 §
  • Libel: spreading harmful false information about an individual is a crime
• Viestintäsalaisuuden loukkaus (breach of communications confidentiality), luku 38, 3–4 §
  • Opening a letter, or a closed or protected message, addressed to someone else is a crime (e.g. guessing an email password)
  • Eavesdropping on telecommunications networks is a crime
  • Being a system admin or using hacking tools makes the offence especially serious
  • Communication metadata (e.g. called numbers) is also protected

Personally identifiable information
• Henkilötietolaki (Personal Data Act) 22.4.1999/523 http://www.finlex.fi/fi/laki/ajantasa/1999/19990523
  • Law about personally identifiable information (PII) when it is either processed automatically or stored in a register
• Requirements for PII processing:
  • Following good data processing practices (!!!)
  • Defined purpose: the sources, uses and transfer of information must be defined beforehand; no new uses allowed
  • The person’s permission is required to process PII, except in some specific cases (e.g. employment or business relationship)
  • The PII processing must be necessary, and the processor is responsible for its correctness
  • The person must be informed
  • Rekisteriseloste (register description): the PII register holder must make a public declaration of what data is stored and for which purpose
  • Right to inspect your PII in the register (free once a year) and to demand correction of incorrect information

Freedom of information legislation
• Laki viranomaisten toiminnan julkisuudesta (Act on the Openness of Government Activities) 21.5.1999/621 http://www.finlex.fi/fi/laki/ajantasa/1999/19990621
  • All official (government) documents are public, unless secret by law
  • Includes both documents and data
  • No requirement to tell your identity or reason for requesting the information
  • Applies also to universities
• Long list of exceptions (24 §) to protect security, economics etc.; for example, the following information is secret by default:
  • Research plans, thesis plans, exam questions, personal income, wealth, benefits, use of social services, health, disability and sexual orientation, private information about crime suspects and victims, psychological evaluations, exam answers and verbal (non-numerical) evaluations of students, secret telephone numbers, addresses and mobile-device location, private political views, way of life, membership in associations, hobbies, family life
• Asianosaisjulkisuus (a party’s right of access), 11–12 §
  • Individuals have access to secret information about themselves, and to information relevant to their rights and obligations (with exceptions)

Protection of electronic communication
• Sähköisen viestinnän tietosuojalaki (Act on the Protection of Privacy in Electronic Communications) 16.6.2004/516 http://www.finlex.fi/fi/laki/ajantasa/2004/20040516
  • Message contents, metadata and location information are confidential by default
  • If you learn about a message, you must not tell others and must not use the information for any purpose
  • Must not break technical protection or make tools for it
  • Organizations have some rights to access communication metadata to prevent crime (“Lex Nokia”)
  • ISPs, email services and Internet telephony services must store communication metadata for 12 months (for criminal investigations)
  • Right to forbid direct electronic marketing to yourself
  • Many other things…

Privacy and employment
• Laki yksityisyyden suojasta työelämässä (Act on the Protection of Privacy in Working Life) 13.8.2004/759, http://www.finlex.fi/fi/laki/ajantasa/2004/20040759
  • Rules for what information employers may record and process about employees
  • Processing of PII and health data
  • Drug tests
  • Camera surveillance
  • Opening emails addressed to the employee

Detecting unknown metadata
• Detection is mostly done using unsystematic, ad-hoc methods
  • Goal is to find something, not everything
• Exception: [Byers 2003/04]

PII detection tool
• We developed a tool for detecting names, identifiers, addresses and other PII in documents
• Goals:
  • Testing Office 2007 document inspection ➨ must find strings in unknown locations
  • User does not know what to look for ➨ must determine search strings automatically
  • Document encoding unknown, fragments may be in different encodings ➨ must find strings in various encodings
• Defensive only, used by the document author

Example: authoring process
• A typical authoring process involves a set of tools and software components from multiple vendors
  • who don’t know of each other
  • who have different or conflicting goals
  • who all produce and consume metadata
• No single entity controls what goes into the final published document

PDF authoring with Word 2003
Assumption: no Word-specific metadata added

Postscript comments
• Extracts from Postscript files:
  %%Title: Microsoft Word - Testing.docx
  %%CreationDate: 1/23/2006 19:30:21
  %%For: tuomaura
  %%OID_ATT_JOB_OWNER "tuomaura";
  %%OID_ATT_JOB_NAME "Microsoft Word - Testing.docx";

  %%Creator: CorelDRAW 10
  %%Title: test-figures.ps
  %%CreationDate: Thu Apr 14 14:32:47 2005
  %%For: Michael Roe

PDF conversion
• PS-to-PDF conversion (Adobe Distiller or Ghostscript) retains metadata from PS comments:
  /Title(Microsoft Word - Testing.docx)
  /Author(tuomaura)
• PDF converters don’t know where the PS came from and assume all metadata is intentional

Anonymous submissions
• Documents: 43 anonymized conference submissions that had already been accepted, PDF/PS
• Search strings: names and affiliations from the conference program, email addresses from the papers
• Results:
  • One author name in a PDF /Author field
  • Two author names in embedded EPS
  • One user name in a DVI file path in PS comments (not detected by the tool because we did not know the correct search string)
  • My own anonymous submissions... OOPS!

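The checks behind the last four slides (DSC comments in Postscript, Info entries carried into the PDF, and a search for known names in whatever encoding a fragment happens to use) can be scripted. The following Python is an added example written for this page, not the author's detection tool: it extracts `%%Key: value` comments, literal-string PDF Info entries, and searches for a list of names in several encodings. The two sample documents are constructed from the comments quoted on the slides; the name Päivi Mäkelä is made up to show a non-ASCII name that UTF-8 and Latin-1 encode differently.

```python
import re

# Encodings in which the same text may appear inside one document.  The
# encoding of a fragment (embedded EPS, XMP, Info dictionary) is unknown, so
# every search string is tried in each.  UTF-16-BE is left out on purpose: for
# ASCII text it produces the same bytes as UTF-16-LE shifted by one, so it
# would double-report every UTF-16 hit.
ENCODINGS = ("utf-8", "utf-16-le", "latin-1")

# Postscript DSC header comments "%%Key: value".  Printer-driver comments such
# as %%OID_ATT_JOB_OWNER omit the colon and quote the value.
DSC_COMMENT = re.compile(rb"^%%([A-Za-z_]+):?[ \t]*(.*?)[ \t]*$", re.M)

# PDF Info dictionary entries written as literal strings, e.g. /Author(tuomaura).
# Hex strings, escaped parentheses and XMP streams are out of scope here.
PDF_INFO = re.compile(rb"/(Title|Author|Subject|Keywords|Creator|Producer)\s*\(([^)]*)\)")


def find_strings(data: bytes, needles):
    """Locate each search string in every candidate encoding.

    Matching is case-insensitive for ASCII letters, which is enough for names
    and e-mail addresses.  Returns (needle, encoding, byte offset) tuples."""
    haystack = data.lower()  # bytes.lower() touches only ASCII, so UTF-16 zero bytes survive
    hits = []
    for needle in needles:
        tried = set()
        for enc in ENCODINGS:
            pattern = needle.lower().encode(enc)
            if pattern in tried:  # ASCII-only text encodes identically in utf-8 and latin-1
                continue
            tried.add(pattern)
            start = 0
            while (pos := haystack.find(pattern, start)) != -1:
                hits.append((needle, enc, pos))
                start = pos + 1
    return hits


def extract_dsc_comments(data: bytes) -> dict:
    """Collect %%Key: value comments from a Postscript file (empty values dropped)."""
    return {key.decode("ascii"): value.decode("latin-1").strip().strip('";')
            for key, value in DSC_COMMENT.findall(data) if value}


def extract_pdf_info(data: bytes) -> dict:
    """Collect literal-string Info dictionary entries from a PDF file."""
    return {key.decode("ascii"): value.decode("latin-1")
            for key, value in PDF_INFO.findall(data)}


def scan_document(data: bytes, needles) -> dict:
    """One report per document: metadata fields plus hits for the search strings."""
    return {"dsc": extract_dsc_comments(data),
            "pdf_info": extract_pdf_info(data),
            "hits": find_strings(data, needles)}


# Constructed sample input modelled on the comments quoted on the slides.
SAMPLE_PS = b"""%!PS-Adobe-3.0
%%Title: Microsoft Word - Testing.docx
%%Creator: CorelDRAW 10
%%CreationDate: 1/23/2006 19:30:21
%%For: tuomaura
%%OID_ATT_JOB_OWNER "tuomaura";
%%OID_ATT_JOB_NAME "Microsoft Word - Testing.docx";
%%EndComments
"""

SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Title(Microsoft Word - Testing.docx) /Author(tuomaura) >>\nendobj\n"
    # A UTF-16 fragment such as an embedded object might carry; a plain byte
    # search for the ASCII name would miss it.
    + "Figure by Michael Roe".encode("utf-16-le")
    # A Latin-1 fragment with a made-up non-ASCII name (constructed).
    + b"\n" + "Reviewer: Päivi Mäkelä".encode("latin-1")
    + b"\n%%EOF\n"
)

if __name__ == "__main__":
    names = ["tuomaura", "Michael Roe", "Päivi Mäkelä"]
    for label, doc in (("PS", SAMPLE_PS), ("PDF", SAMPLE_PDF)):
        print(label, scan_document(doc, names))
```

In practice the search list is built from the names, affiliations and e-mail addresses that must not appear (the conference program, in the experiment above), and every hit is checked by hand; the tool only finds strings it was told about, which is exactly how the DVI path on the slide slipped through.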
Netmon trace of a Microsoft laptop at a wireless hotspot
• Information visible in the trace (callouts on the annotated screenshot):
  • Machine name (DHCP client)
  • Full hostname (DNS)
  • SIP server
  • Email address / messenger user name
  • Real name
  • Messenger buddy list and blacklist
  • Default DNS suffix (web proxy discovery)
  • Machine domain
  • Host name (IKE initiator id)
  • IE home page
  • OWA / Exchange
  • Domain controller
  • Print servers
  • File server (Z: drive)
  • File server (shortcuts)

DNS queries
• Many connection attempts and service-discovery protocols start with DNS queries
• Some DNS queries from traces:
  • DC discovery: _ldap._tcp.EU-UK-IDC._sites.dc._msdcs.europe.corp.microsoft.
  • Print server: camitgs01.europe.corp.microsoft.com
  • Web proxy: camproxy.europe.corp.microsoft.com
  • Exchange: euro-msg-43.europe.corp.microsoft.com
  • Exchange over HTTPS: mail.microsoft.com
• Private DNS zones used on intranets
  • *.private.contoso.com or *.contoso.local
• Default DNS suffix appended
  • To resolve www.tkk.fi, the client first queries for www.tkk.fi.europe.corp.microsoft.com

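A defender reviewing a trace can pick these query types out mechanically. The following Python is an added example for this slide, not the author's code: it infers an appended search suffix from query pairs (a name and the same name with extra labels), flags Active Directory `_msdcs` lookups, private zones and lookups under the inferred corporate suffix, and leaves plain public names alone. The sample queries are constructed after the ones on the slide; the forest name is completed with `.com` as an assumption, and the contoso names are the slide's own placeholders.

```python
import re
from collections import Counter

# Active Directory service-location lookups live under _msdcs.<forest DNS name>;
# seeing one tells an observer the forest, the site (EU-UK-IDC above) and that
# the client is domain-joined.
AD_SRV = re.compile(r"^_[a-z0-9-]+\._(?:tcp|udp)\.(?:.*\.)?_msdcs\.(?P<forest>.+)$", re.I)

# Constructed sample queries modelled on the slide (".com" on the forest name
# is an assumption).
SAMPLE_QUERIES = [
    "_ldap._tcp.EU-UK-IDC._sites.dc._msdcs.europe.corp.microsoft.com",  # DC discovery
    "camitgs01.europe.corp.microsoft.com",                               # print server
    "camproxy.europe.corp.microsoft.com",                                # web proxy
    "euro-msg-43.europe.corp.microsoft.com",                             # Exchange
    "mail.microsoft.com",                                                # public name, benign
    "www.tkk.fi.europe.corp.microsoft.com",                              # suffix appended
    "www.tkk.fi",                                                        # public name, benign
    "fileserver.private.contoso.com",                                    # private zone
    "printer.contoso.local",                                             # private zone
]


def appended_suffixes(queries) -> Counter:
    """Infer DNS search suffixes from query pairs where one name is another
    multi-label name plus extra trailing labels (www.tkk.fi -> www.tkk.fi.<suffix>)."""
    names = {q.lower().rstrip(".") for q in queries}
    found = Counter()
    for long_name in names:
        for short_name in names:
            if (short_name != long_name and short_name.count(".") >= 1
                    and long_name.startswith(short_name + ".")):
                found[long_name[len(short_name) + 1:]] += 1
    return found


def classify(query: str, suffixes):
    """Return (category, detail) for a revealing query, or None for a benign one."""
    name = query.lower().rstrip(".")
    labels = name.split(".")
    match = AD_SRV.match(name)
    if match:
        return ("dc-discovery", match.group("forest"))
    if labels[-1] == "local":
        return ("private-zone", ".".join(labels[-2:]))
    if "private" in labels[1:]:
        return ("private-zone", name.split(".", 1)[1])
    for suffix in suffixes:
        if name.endswith("." + suffix):
            return ("corporate-suffix", suffix)
    return None


def report(queries):
    """List of (query, category, detail) for every query that reveals intranet structure."""
    suffixes = appended_suffixes(queries)
    findings = []
    for query in queries:
        result = classify(query, suffixes)
        if result:
            findings.append((query, *result))
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_QUERIES):
        print(finding)
```

The suffix inference needs only the trace itself: the first failed lookup of `www.tkk.fi.<suffix>` immediately followed by `www.tkk.fi` gives the corporate suffix away, after which every other query under that suffix names an internal server.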
NetBIOS and LLMNR
• Link-local name resolution protocols
  • NetBIOS for IPv4, LLMNR also for IPv6
• Broadcast, so visible to others on switched LANs
• Attempt to register the computer and user name in a WINS server
• Automatic discovery of printers and file shares
• LLMNR name-conflict detection
• Names visible in the trace (screenshot callouts): machine name, primary DC, file server, print server, user name

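To see why these broadcasts are readable by anyone on the LAN, it helps to decode them. The following Python is an added example for this slide, not the author's code: it builds and parses a NetBIOS name-service (NBNS) request, reversing the first-level name encoding (each byte split into two nibbles, each added to "A") and mapping the 16th suffix byte to the service it advertises, and parses an LLMNR query, which uses the DNS question format. The packets are constructed in the block; the machine name LAPTOP-42 and user name Alice are made up.

```python
import struct

# NetBIOS name suffix (16th byte) -> service it advertises (RFC 1001/1002 and
# the Microsoft suffix assignments).
NETBIOS_SUFFIX = {
    0x00: "workstation service (machine name)",
    0x03: "messenger service (user or machine name)",
    0x1B: "domain master browser",
    0x1C: "domain controllers",
    0x1D: "master browser",
    0x1E: "browser service elections",
    0x20: "file server service",
}

# NBNS header opcodes (RFC 1002).
NBNS_OPCODE = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding: 15-byte space-padded name + suffix byte, each nibble + 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def decode_netbios_name(encoded: bytes):
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def read_labels(packet: bytes, pos: int):
    """Read DNS-style length-prefixed labels; returns (labels, position after the terminator)."""
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            return labels, pos
        labels.append(packet[pos:pos + length])
        pos += length


def build_nbns_query(name: str, suffix: int, opcode: int = 0, txid: int = 0x1234) -> bytes:
    """Constructed NBNS request as a host broadcasts it (opcode 5 = name registration)."""
    flags = ((opcode & 0xF) << 11) | 0x0100 | 0x0010  # RD + B (broadcast)
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = bytes([32]) + encode_netbios_name(name, suffix) + b"\x00"
    return header + qname + struct.pack(">HH", 0x0020, 0x0001)  # QTYPE NB, QCLASS IN


def parse_nbns_query(packet: bytes) -> dict:
    """Recover the plaintext NetBIOS name and what it advertises."""
    txid, flags = struct.unpack(">HH", packet[:4])
    labels, pos = read_labels(packet, 12)
    name, suffix = decode_netbios_name(labels[0])
    qtype, = struct.unpack(">H", packet[pos:pos + 2])
    return {
        "opcode": NBNS_OPCODE.get((flags >> 11) & 0xF, "unknown"),
        "broadcast": bool(flags & 0x0010),
        "name": name,
        "suffix": suffix,
        "service": NETBIOS_SUFFIX.get(suffix, "unknown"),
        "scope": b".".join(labels[1:]).decode("ascii"),
        "qtype": qtype,
    }


def build_llmnr_query(hostname: str, txid: int = 0x5678) -> bytes:
    """Constructed LLMNR query (DNS question format, sent to 224.0.0.252 / FF02::1:3, UDP 5355)."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in hostname.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_llmnr_query(packet: bytes) -> dict:
    """Recover the queried name; the C bit (0x0400) marks a name-conflict notification."""
    txid, flags = struct.unpack(">HH", packet[:4])
    labels, pos = read_labels(packet, 12)
    qtype, = struct.unpack(">H", packet[pos:pos + 2])
    return {"name": b".".join(labels).decode("ascii"), "qtype": qtype,
            "conflict": bool(flags & 0x0400)}


if __name__ == "__main__":
    print(parse_nbns_query(build_nbns_query("LAPTOP-42", 0x20, opcode=5)))
    print(parse_nbns_query(build_nbns_query("Alice", 0x03, opcode=5)))
    print(parse_llmnr_query(build_llmnr_query("laptop-42")))
```

Nothing here is secret: the "encoding" is a fixed substitution, so a registration for ALICE with suffix 0x03 tells every host on the segment who just logged in, and a suffix 0x20 registration announces a file server by name.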
Potential solutions
• Each individual leak appears trivial, yet it is difficult to prevent them all
  • Too many protocols, layers and applications involved
• Obvious solutions, e.g. turning off all automation, are not acceptable
  • Computers should do stuff for the user without asking!
• Could filter offending data at the outbound host firewall
  • Danger: unpredictable application failures
• Can recognize the network location and enable/disable features [PETS 08]
  • Leaks are often unnecessary, failed connection attempts to services that are not available in the current network