370 likes | 648 Views
E-Surveillance and User Privacy. Yvonne Gladden Lauran Hollar Tim Kennedy Grant Wood. E-Surveillance. Surveillance – “The act of observing or the condition of being observed”.
E N D
E-Surveillance and User Privacy Yvonne Gladden Lauran Hollar Tim Kennedy Grant Wood
E-Surveillance • Surveillance – “The act of observing or the condition of being observed”. • Electronic Surveillance (US Government - FISA) – “the acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire or radio communication …” License Plate Monitoring
Privacy • “The right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed” Google Street View
Why is it Important? • Impacts virtually everyone • Internet • Cell Phones • Personal information • Law Enforcement • Evidence Collection • National Security • Drift Net Type Approach • Keyword Detection
Legal Background • e-Surveillance is not a new subject that the courts have had to deal with. • In 1928 the U.S. Supreme Court ruled on a case about it. • In 1934 this ruling was reviewed and changed.
Legal Background • In 1967 the Supreme Court ruled that the government could not infringe upon a persons reasonable expectation of privacy. • In 1968 Congress codified the requirements to obtain court authority for interception of oral and wire communication • In 1986 this Act was amended to include electronic communication
e-Surveillance Techniques • Spyware • Network Monitoring • Compromising Emanations (CE) • Biometrics (hand scanning, iris scanning)
Spyware • Various Threat Levels • Identification Cookies (low) • Associated (3rd party) Cookies (low – med) • Application based (medium – high)
Spyware Infections Key loggers send sensitive data (i.e. passwords) to spyware controller Commercial habits, and search keywords Sends host name, IP addresses, and computer processes
Delivery of App Based Spyware • Piggybacking on other software • Hidden in utility applications • Execution of ActiveX or Java Applets
Network Monitoring • Packet Sniffers • Hardware + Software • Narus Semantic Traffic Analyzer • State of the art monitoring software (“Ultimate Net Monitoring Tool”) • Linux based • Used by NSA in monitoring Internet traffic • Used by ISP’s to perform court-ordered monitoring
Compromising Emanations • TEMPEST – codename referring to study of CE • Heavily researched in military applications • Examples: • computer monitors (optical, electromagnetic) • cpu (electromagnetic) • keyboard (accoustic)
Compromising Emanations • Soft Tempest • method for preventing eavesdropping on monitor emissions • works by using software to filter off some of the higher frequencies before they are sent to the monitor
Soft Tempest Example Before After
Biometrics • Automated methods of recognizing a person based on a physiological or behavioral characteristic
Use of Biometrics • Sec. 403(c) of the USA-PATRIOT Act specifically requires the federal government to "develop and certify a technology standard that can be used to verify the identity of persons" applying for or seeking entry into the United States on a U.S. visa "for the purposes of conducting background checks, confirming identity, and ensuring that a person has not received a visa under a different name." • Enhanced Border Security and Visa Entry Reform Act of 2002, Sec. 303(b)(1), requires that only "machine-readable, tamper-resistant visas and other travel and entry documents that use biometric identifiers" shall be issued to aliens by October 26, 2004. The Immigration and Naturalization Service (INS) and the State Department currently are evaluating biometrics for use in U.S. border control pursuant to EBSVERA.
Uses of e-Surveillance Summary • National Security (Government) • ECHELON • Carnivore (now defunct) • Law Enforcement • Finding Dealers of Child Pornography • Finding Child Predators • Corporate Security • Employee Monitoring • Internet Advertising • Spyware • Malicious Uses • Identity Theft • Credit Card Fraud
Techniques for Privacy Protection • Firewalls • software or hardware based • Anti-spyware software • Ad-Aware, Spybot, PestPatrol • Encryption • Tighter Security at OS Level • FOOD • Changes to Network Protocols • DISCREET
FOOD • System to prevent execution of malicious code on Windows/X86 • Prior to execution, checks hash of binaries against signature of allowed binaries – if not allowed, execution denied • Prevents unauthorized indirect branching • Protects from buffer overflow attacks • Cost – 35% performance hit! • Weakness – Does not protect against scripted (interpreted) code attacks – Perl, VB, etc
DISCREET (D-Core) • New approach to user privacy • Goals • Allow users to take advantage of new services without worrying about their private information being misused • Structure • Three additional network layers (sub-layers of the Application Layer) • Identity Layer • Confidentiality Layer • Policy Control Layer
Challenges • Balancing user privacy vs. the need for information • encryption – if it is too good then criminals can communicate with impunity • Balancing security and user friendliness • Volume of Information (Mass Surveillance) • Legal Issues • FISA • Patriot Act
Moving Forward • Awareness • 70% of American computer users claim to have anti-spyware software on their computer, only 55% actually do • Only 22% have an enabled firewall, updated anti-virus software, and anti-spyware software installed on their computers
Moving Forward • Pass laws to make it tougher to collect personal information without consent, and to prohibit unfair deceptive practices using spyware • I-SPY ACT (passed three times by House, currently in Senate committee)
Conclusion • Privacy will be an ongoing issue • More capabilities lead to more security and ethical issues