Current Events in Privacy and Security Michael Brennan
Overview • Topics • Web Tracking • Digital Privacy Law • Internet Security • Device/Location Privacy • Class may be stopped occasionally for discussions.
Privacy is Big. • Has critical mass been reached regarding privacy concerns? Possibly. • Popular support for privacy-enhancing technologies. Public revolt against privacy-invasive features. • Will it blow over, or will it maintain momentum as a legitimate issue?
Behavioral Advertising/Tracking • Who watches you on the web? • System Admins (maybe!) • Anyone sharing your computer • Ad Networks?
Behavioral Advertising/Tracking • How is most web tracking done? Cookies! • What is a cookie? • 1st Party vs. 3rd Party? • Opt-Out Cookie? • Preventing Tracking via Cookies? • So, how does a cookie allow an ad network to track you?
Visualization: Collusion • http://collusion.toolness.org/
Privacy and User Choice on the Web • Can individuals protect themselves against this kind of tracking? • (should they even be able to?) • Opting Out • Opt-Out Cookies • Not permanent. • Privacy-enhancing actions (deleting cookies) remove them. • Better methods: browser extensions, Do Not Track. • Private Browsing Mode
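How a third-party cookie links visits across sites, and why an opt-out cookie does not survive clearing cookies. This is an added example, not part of the original slides; the domains, the `uid`/`optout` cookie names and both classes are constructed for illustration.

```javascript
// Toy model of a browser cookie jar and one ad network (all names constructed).
class Browser {
  constructor() { this.jar = new Map(); }          // cookie jar: domain -> {name: value}
  cookiesFor(domain) {
    if (!this.jar.has(domain)) this.jar.set(domain, {});
    return this.jar.get(domain);
  }
  // Loading a page also loads the third-party ad it embeds; the browser attaches
  // the ad network's own cookies and the request names the embedding page (Referer).
  visit(site, adNetwork) {
    this.cookiesFor(site).session = "1";           // first-party cookie
    adNetwork.serveAd(this.cookiesFor(adNetwork.domain), site);
  }
  clearCookies() { this.jar.clear(); }             // the "privacy-enhancing action"
}

class AdNetwork {
  constructor(domain) { this.domain = domain; this.nextId = 1; this.profiles = new Map(); }
  serveAd(cookies, referer) {
    if (cookies.optout === "1") return;            // honour the opt-out cookie
    if (!cookies.uid) cookies.uid = "u" + this.nextId++;   // Set-Cookie: uid=...
    if (!this.profiles.has(cookies.uid)) this.profiles.set(cookies.uid, []);
    this.profiles.get(cookies.uid).push(referer);  // one profile across many sites
  }
  optOut(browser) {                                // user clicks "opt out"
    const c = browser.cookiesFor(this.domain);
    delete c.uid;
    c.optout = "1";
  }
}

function cookieDemo() {
  const ads = new AdNetwork("ads.example"), b = new Browser();
  b.visit("news.example", ads);
  b.visit("health.example", ads);                  // same uid: the two sites are linked
  const linked = ads.profiles.get("u1").slice();
  ads.optOut(b);
  b.visit("shop.example", ads);                    // not recorded while opted out
  const sizeWhileOptedOut = ads.profiles.size;
  b.clearCookies();                                // also deletes the opt-out cookie
  b.visit("bank.example", ads);                    // tracked again under a new uid
  return { linked, sizeWhileOptedOut, afterClear: ads.profiles.get("u2") };
}
```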
Opting Out: Is it Hopeless? • Evercookie: Circumventing User Choice • http://samy.pl/evercookie • 13 trackers and counting: Standard HTTP Cookie, LSO (Flash Cookie), Silverlight Storage, PNG exploit, Web History, ETag, Cache Cookie… • At least 5 are widely used so far. • CSS Browsing History Exploit • “purple” links can be queried to see if you have visited them. Only works on older browsers (used by 50% of users!) • Judging the morality of new tracking technology: Is it intended to circumvent user choice?
Tracking Discussion • Behavioral tracking as a business model – is it OK? • If not, what are the consequences of banishing it? • If so, to what extent should people be enabled to opt-out? • What information do we need to properly inform this debate?
Location, Location, Location. • iPhone (& Android) maintained an unencrypted database on the device that appeared to be a history of that device’s location. • Since revealed to be a list of nearby WiFi access points to assist in GPS location. • Apple claims this is not the same as your location, and thus not a problem. What do you think? www.apple.com/pr/library/2011/04/27Apple-Q-A-on-Location-Data.html
It’s Not a Problem… But We’ll Fix It! • Despite arguing that the problem was insignificant, Apple has made some changes: • Reduces the size of the crowd-sourced Wi-Fi hotspot and cell tower database cached on the iPhone • Ceases backing up this cache • Deletes this cache entirely when Location Services is turned off
Facebook: The Elephant in the Room? • General public sense that Facebook is privacy invasive. What do you see as some of Facebook’s privacy problems? • Is winning over public opinion on privacy key to Facebook’s success, or is it irrelevant? • G+ is widely thought to be superior in terms of privacy. What has that meant for FB and social media?
Protecting Privacy: The Actors • Federal Trade Commission • Division of Privacy and Identity Protection • Only federal authority with broad privacy oversight • Non-Profits / Think Tanks • Electronic Frontier Foundation (EFF) • Electronic Privacy Information Center (EPIC) • Center for Democracy and Technology (CDT) • New America Foundation Open Technology Initiative (OTI) • Industry • Google, Facebook, Microsoft all have privacy directors (really!) • Advertising Networks? • Academic and Independent Researchers
The PKI Problem • Public Key Infrastructure • How do you know you are connecting to securewebsite.com? • Your browser is given a certificate to examine. • How do you know the certificate is valid? • It is stamped by a certificate authority. • How can you trust the certificate authority? • It is built into the browser.
PKI Primer • [Diagram labels: “It’s Me, Google!”, “Certificate Authority’s Stamp”, “Google’s Stamp”]
So, What’s the Problem? • The Threat: • A fraudulently issued certificate can be used to intercept encrypted communication. • The PKI Infrastructure Problem: • Thousands of entities can issue certificates, and all of them are equally trusted. • Current certificate revocation methods are inadequate and can be easily circumvented. • Certificate Authorities are being actively compromised! • Comodo, DigiNotar: *.google.com, torproject.org, many more.
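The browser check from the PKI slides, and the "all equally trusted" weakness, as a toy model. This is an added example, not part of the original slides: the certificates are simplified objects rather than X.509, the CA names are constructed, and the expected-issuer check at the end is an illustrative restriction that the slides do not describe.

```javascript
const crypto = require("crypto");

// Toy certificate (constructed, not X.509): a name, a public key, the issuer's signature.
function makeCA(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  return { name, publicKey, privateKey };
}
function tbs(subject, publicKey) {               // the bytes the CA "stamps"
  return Buffer.from(subject + "\n" + publicKey.export({ type: "spki", format: "pem" }));
}
function issue(ca, subject) {
  const site = crypto.generateKeyPairSync("ed25519");
  const sig = crypto.sign(null, tbs(subject, site.publicKey), ca.privateKey);
  return { subject, publicKey: site.publicKey, issuer: ca.name, sig };
}

// The check as the slides describe it: the name matches and the stamp verifies
// under some CA built into the browser. Which CA it is makes no difference.
function browserAccepts(cert, hostname, trustStore) {
  const ca = trustStore.find((c) => c.name === cert.issuer);
  if (!ca || cert.subject !== hostname) return false;
  return crypto.verify(null, tbs(cert.subject, cert.publicKey), ca.publicKey, cert.sig);
}

// Narrower policy (assumption, not from the slides): also require the CA the site
// is known to use, so a stamp from any other trusted CA is rejected.
function acceptsWithExpectedIssuer(cert, hostname, trustStore, expected) {
  return browserAccepts(cert, hostname, trustStore) && expected[hostname] === cert.issuer;
}

function pkiDemo() {
  const caA = makeCA("CA-A"), caB = makeCA("CA-B"), unlisted = makeCA("Unlisted");
  const store = [caA, caB];                      // real browsers ship a far longer list
  const host = "securewebsite.com";
  const real = issue(caA, host);
  const misissued = issue(caB, host);            // fraudulently issued by another trusted CA
  const selfMade = issue(unlisted, host);        // issuer is not in the trust store
  const expected = { [host]: "CA-A" };
  return {
    real: browserAccepts(real, host, store),
    misissued: browserAccepts(misissued, host, store),
    selfMade: browserAccepts(selfMade, host, store),
    misissuedWithExpectedIssuer: acceptsWithExpectedIssuer(misissued, host, store, expected),
  };
}
```

The mis-issued certificate passes the basic check exactly as the genuine one does, which is why a single compromised authority undermines every site.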
Moxie Marlinspike on Comodo • http://www.youtube.com/watch?v=Z7Wl2FW2TcA#t=300s • Terms: • Man-In-The-Middle Attack • Certificate • BlueCoat • sslsniff • Referrer header • RSA 2011 • DNS
Digital Privacy & The Law • Diary in your sock drawer? Warrant required. • Diary in word documents stored on your laptop? Warrant required. • Diary in a personal, password-protected blogspot account? No warrant necessary.
ECPA “The rules established by the 1986 Electronic Communications Privacy Act depend on what type of information is sought and how old it is. And courts in different jurisdictions have interpreted the rules differently. But in many cases, the government does not notify people that they are searching their online information or prove probable cause, and if the government violates the law in obtaining information, defendants are generally unable to exclude that evidence from a trial, Ms. Freiwald said. Generally law enforcement officials do not need a warrant to read e-mail messages that are more than 180 days old. This makes online surveillance different from surveillance of postal mail or phone calls. For example, when wiretapping phones, law enforcement must get a court order and when searching homes, they must obtain a warrant.” - 1986 Privacy Law Is Outrun by the Web by MIGUEL HELFT and CLAIRE CAIN MILLER. NY Times.
ECPA • Electronic Communications Privacy Act (1986) • “[affords] more protection to letters in a file cabinet than e-mail on a server.” • Reform? • ECPA Amendments Act of 2011 (Leahy) • Creates legal standard for geolocation, electronic communication and remote computing. Eliminates 180-day rule. Requires disclosure of search warrant. • Currently (stuck?) in committee. • Argument against reform: Law enforcement says that criminals are more able than ever to avoid detection. Therefore, privacy restrictions should be scaled back. http://www.nytimes.com/2011/01/10/technology/10privacy.html
Discussion: What Should Be Done? • Where does the responsibility for privacy lie? Is it all up to the user (to train themselves, get the tools they need)? Should the state be responsible? Should industry be more liable? • How should a company proceed when it must decide between privacy and innovation? How would you advise the industry?