Proceedings of the 19th Workshop on Privacy in the Electronic Society: Latest Publications

Privacy Preserving CTL Model Checking through Oblivious Graph Algorithms
Proceedings of the 19th Workshop on Privacy in the Electronic Society. Pub Date: 2020-11-09. DOI: 10.1145/3411497.3420212
Authors: Samuel Judson, Ning Luo, Timos Antonopoulos, R. Piskac
Abstract: Model checking is the problem of verifying whether an abstract model $\mathcal{M}$ of a computational system meets a specification of behavior $\varphi$. We apply the cryptographic theory of secure multiparty computation (MPC) to model checking. With our construction, adversarial parties D and A holding $\mathcal{M}$ and $\varphi$ respectively may check satisfaction --- notationally, whether $\mathcal{M} \models \varphi$ --- while maintaining privacy of all other meaningful information. Our protocol adopts oblivious graph algorithms to provide for secure computation of global explicit state model checking with specifications in Computation Tree Logic (CTL), and its design ameliorates the asymptotic overhead required by generic MPC schemes. We therefore introduce the problem of privacy preserving model checking (PPMC) and provide an initial step towards applicable and efficient constructions.
Citations: 0
SoK on Performance Bounds in Anonymous Communication
Proceedings of the 19th Workshop on Privacy in the Electronic Society. Pub Date: 2020-11-09. DOI: 10.1145/3411497.3420218
Authors: C. Kuhn, Friederike Kitzing, T. Strufe
Abstract: Communicating anonymously comes at a cost, and large communities have been in a constant tug-of-war between the development of faster protocols and the improvement of security analyses. Thereby more intricate privacy goals emerged and more detailed bounds on the minimum overhead necessary to achieve them were proven. The entanglement of requirements, scenarios, and protocols complicates analysis, and the published results are hardly comparable, due to deviating, yet specific choices of assumptions and goals (some explicit, most implicit). In this paper, we systematize the field by harmonizing the models, comparing the proven performance bounds, and contextualizing these theoretical results in a broad set of proposed and implemented systems. By identifying inaccuracies, we demonstrate that the attacks, on which the results are based, indeed break much weaker privacy goals than postulated, and tighten the bounds along the way. We further show the equivalence of two seemingly alternative bounds. Finally, we argue how several assumptions and requirements of the papers likely are of limited applicability in reality and suggest relaxations for future work.
Citations: 1
Poli-see: An Interactive Tool for Visualizing Privacy Policies
Proceedings of the 19th Workshop on Privacy in the Electronic Society. Pub Date: 2020-11-09. DOI: 10.1145/3411497.3420221
Authors: Wentao Guo, Jay Rodolitz, Eleanor Birrell
Abstract: Prior work has shown that current privacy policies fail to effectively implement informed consent. This work investigates how data use practices might be conveyed by a graphical representation. We present Poli-see, an interactive tool for visualizing privacy policies. We then describe the results of an in-person user study (n = 24) and an online study (n = 600) that evaluate how well Poli-see conveys information about data use practices. In our in-person study, we found that participants answered factual questions about privacy policies more accurately when shown a Poli-see representation than when shown an annotated text representation. In our online study, we found that participants who were shown a Poli-see representation reported higher levels of enjoyment and higher likelihood of looking at the policy than participants who were shown a conventional text representation or an annotated text representation. These results suggest that graphical representations might be useful for conveying data use practices to users, but that further research and refinement will be required before graphical representations can be effectively deployed in real-world systems. We conclude by identifying key advantages and challenges for graphical representations of privacy policies drawn from our experience.
Citations: 5
Strenghtening Content Security Policy via Monitoring and URL Parameters Filtering
Proceedings of the 19th Workshop on Privacy in the Electronic Society. Pub Date: 2020-11-09. DOI: 10.1145/3411497.3420222
Authors: Doliére Francis Somé, Tamara Rezk
Abstract: Content Security Policy (CSP) is a security mechanism for mitigating content injection attacks. It makes it possible to specify the origins of content allowed to load in a webpage. Upon enforcement, CSP-compliant browsers would block content not matching the CSP. Previous works have demonstrated limitations of CSP that can lead to security violations. We observe that CSP bypasses (due to JSONP and open redirects) can be linked to the fact that in the CSP specification, URL parameters are considered safe by default. In particular, the ability to bypass partially whitelisted origins using HTTP redirections has been rendered possible starting from CSP2 for privacy purposes (not to reveal redirection URLs), while this can lead to security holes. In this work, we discuss 4 extensions to strengthen CSP via a monitoring mechanism: the ability to selectively exclude whitelisted content, express more fine grained checks on URL arguments, explicitly prevent redirections to partially whitelisted origins, and an efficient reporting mechanism to collect content that is allowed by a CSP enforced on a webpage. We show that using CSP along with these extensions improves the security of web applications and overcomes known weaknesses of the current CSP specification. We demonstrate the feasibility of our proposals by an implementation using service workers.
Citations: 1
AnonFACES
Proceedings of the 19th Workshop on Privacy in the Electronic Society. Pub Date: 2020-11-09. DOI: 10.1145/3411497.3420220
Authors: Minh-Ha Le, Md Sakib Nizam Khan, Georgia Tsaloli, Niklas Carlsson, S. Buchegger
Abstract: Image data analysis techniques such as facial recognition can threaten individuals' privacy. Whereas privacy risks often can be reduced by adding noise to the data, this approach reduces the utility of the images. For this reason, image de-identification techniques typically replace directly identifying features (e.g., faces, car number plates) present in the data with synthesized features, while still preserving other non-identifying features. As of today, existing techniques mostly focus on improving the naturalness of the generated synthesized images, without quantifying their impact on privacy. In this paper, we propose the first methodology and system design to quantify, improve, and tune the privacy-utility trade-off, while simultaneously also improving the naturalness of the generated images. The system design is broken down into three components that address separate but complementing challenges. This includes a two-step cluster analysis component to extract low-dimensional feature vectors representing the images (embedding) and to cluster the images into fixed-sized clusters. While the importance of good clustering mostly has been neglected in previous work, we find that our novel approach of using low-dimensional feature vectors can improve the privacy-utility trade-off by better clustering similar images. The use of these embeddings has been found particularly useful when wanting to ensure high naturalness and utility of the synthetically generated images. By combining improved clustering and incorporating StyleGAN, a state-of-the-art Generative Neural Network, into our solution, we produce more realistic synthesized faces than prior works, while also better preserving properties such as age, gender, skin tone, or even emotional expressions. Finally, our iterative tuning method exploits non-linear relations between privacy and utility to identify good privacy-utility trade-offs. We note that an example benefit of these improvements is that our solution allows car manufacturers to train their autonomous vehicles while complying with privacy laws.
Citations: 5
Where's Alice?: Applied Kid Crypto Meets Provable Security
Proceedings of the 19th Workshop on Privacy in the Electronic Society. Pub Date: 2020-11-09. DOI: 10.1145/3411497.3420225
Authors: Ryan Henry, Alyssa Tory, Sophie Henry, Isabella Henry, Samantha Henry
Abstract: In this short paper, we revisit the celebrated Naor-Naor-Reingold (NNR) protocol for "[convincing] people you know where Waldo is without revealing information about his location". We observe that, despite oft-repeated claims to the contrary, the NNR protocol is neither zero-knowledge nor a proof of knowledge. We propose a slightly more elaborate version that is both of these things, but still eminently suitable for children's playdates (and the classroom).
Citations: 0
Standardizing and Implementing Do Not Sell
Proceedings of the 19th Workshop on Privacy in the Electronic Society. Pub Date: 2020-11-09. DOI: 10.1145/3411497.3420224
Authors: Sebastian Zimmeck, Kuba Alicki
Abstract: The California Consumer Privacy Act gives consumers the right to request that businesses do not sell their personal information. "Selling" is defined broadly and covers, among others, making personal information available to ad networks on websites via third party cookies. We began standardizing and implementing Do Not Sell technologies with the goal of integrating Do Not Sell directly into browser settings. Based on OptMeowt, our proof of concept Do Not Sell browser extension, we conduct experiments on the design, implementation, and current state of Do Not Sell. OptMeowt automatically places Do Not Sell cookies on visited sites and sends Do Not Sell headers per our draft standard. We believe that standardizing Do Not Sell provides an important building block for evolving the web towards increased privacy protections.
Citations: 10
Privacy in Crisis: Participants' Privacy Preferences for Health and Marketing Data during a Pandemic
Proceedings of the 19th Workshop on Privacy in the Electronic Society. Pub Date: 2020-11-09. DOI: 10.1145/3411497.3420223
Authors: Laura Calloway, Hilda Hadan, S. Gopavaram, Shrirang Mare, L. Camp
Abstract: The severity of COVID-19 and the need for contact tracing has resulted in new urgency for investigating two mutually exclusive narratives about the importance of privacy. The assertion by some technology advocates that privacy is no longer an issue in the face of a pandemic has been repeatedly reported, while others advocated for its centrality. The rejection of contact tracing apps, in part because of privacy, has also been widely reported. Simultaneously, different tracing apps implement different conceptions of privacy. For any contact tracing app to function, the technology must provide security and privacy implementations that are usable and acceptable. Towards that goal, we sought to better understand risk perceptions about data use during a public health crisis. To do this we conducted a between-subject online survey to identify participants' risk perceptions about their data being collected and shared during a public health crisis. The survey results do not support claims in prior work that people are comfortable with sharing their private information during a public health crisis, but instead offered nuanced responses depending on type of information, purpose of use, and recipient, thus reifying previous work rather than suggesting a fundamental difference. We note that participants' privacy risk perceptions remain similar whether data are to be used to address health risks or for traditional marketing. Finally, our findings show that device type, not just data type, should be taken into account when designing a tracing app that aligns with participants' privacy perceptions.
Citations: 2
PRShare
Proceedings of the 19th Workshop on Privacy in the Electronic Society. Pub Date: 2020-11-09. DOI: 10.1145/3411497.3420226
Authors: Lihi Idan, J. Feigenbaum
Abstract: We consider the task of interorganizational data sharing, in which data owners, data clients, and data subjects have different and sometimes competing privacy concerns. One real-world scenario in which this problem arises is law-enforcement use of phone-call metadata: the data owner is a phone company, the data clients are law-enforcement agencies, and the data subjects are individuals who make phone calls. A key challenge in this type of scenario is that each organization uses its own set of proprietary intraorganizational attributes to describe the shared data; such attributes cannot be shared with other organizations. Moreover, data-access policies are determined by multiple parties and may be specified using attributes that are not directly comparable with the ones used by the owner to specify the data. We propose a system architecture and a suite of protocols that facilitate dynamic, efficient, and privacy-preserving interorganizational data sharing, while allowing each party to use its own set of proprietary attributes. We introduce the novel technique of Attribute-Based Encryption With Oblivious Attribute Translation (OTABE), which plays a crucial role in our solution and may be of independent interest.
Citations: 2
A Privacy-Preserving Protocol for the Kidney Exchange Problem
Proceedings of the 19th Workshop on Privacy in the Electronic Society. Pub Date: 2020-09-23. DOI: 10.1145/3411497.3420213
Authors: Malte Breuer, Ulrike Meyer, S. Wetzel, A. Mühlfeld
Abstract: Kidney donations from living donors form an attractive alternative to long waiting times on a list for a post-mortem donation. However, even if a living donor for a given patient is found, the donor's kidney might not meet the patient's medical requirements. If several patients are in this position, they may be able to exchange donors in a cyclic fashion. Current algorithmic approaches for determining such exchange cycles neglect the privacy requirements of donors and patients as they require their medical data to be centrally collected and evaluated. In this paper, we present the first distributed privacy-preserving protocol for kidney exchange that ensures the correct computing of the exchange cycles while at the same time protecting the privacy of the patients' sensitive medical data. We prove correctness and security of the new protocol and evaluate its practical performance.
Citations: 6