Advanced Internet Technologies

“The poorest man may in his cottage bid defiance to all the force of the crown.”
    --- William Pitt, Prime Minister of Great Britain, 1783–1801 and 1804 till his death in 1806



                                                                    1
From “Fear and Freedom on the Internet”
    -- Peter Singer, Professor of Bioethics, Princeton University
“There’s really no way to …repress information today, and I think that’s a wonderful advance we can all feel good about... This is a medium of total openness and total freedom, and that’s what makes it so special.”
    -- Bill Gates, October 2005

Two news items of Jan 2006:
- At the request of China’s rulers, Microsoft shut down the website of Zhao Jing, a Chinese blogger, who had been reporting on a strike by journalists at The Beijing News that followed the dismissal of the newspaper’s independent-minded editor. The blog was hosted on MSN Spaces in the USA.

- Microsoft’s blog tool in China filters words like “democracy” and “human rights” from blog titles, to comply with local laws.

                                                                  2
Today’s news
Wednesday, Jan 25, 2006
 Google officially launched a new www.google.cn
 site that plans to filter out or block links to
 material likely to be considered politically sensitive
 by China's ruling Communist Party.




                                                    3
INTERNET PRIVACY: a DEFINITION
The ability
- to control what information one reveals about oneself over the Internet, and
- to control who can access that information.

Experts in the field of Internet privacy hold that Internet privacy does not really exist.
Privacy advocates believe that it should exist.
Reference: http://en.wikipedia.org/wiki/Internet_privacy as of September 18, 2007

                                                                 4
PRIVACY
- Right to a sense of personal autonomy
- Right to have information about oneself used fairly
  - ensuring that organizations act fairly in the way they (i) collect, (ii) store, (iii) use and (iv) disclose one’s personal information
- Right to be left alone
- Right to decide what part of one’s personal information is to be shared with (i) doctor, (ii) employer, (iii) banker, (iv) neighbor, (v) friend or (vi) stranger

                                                    5
Who cares?
- 2004: US government introduced a free ‘do not call’ service: 28 million phone numbers registered within a month
- 2001 survey in Australia: 90% of Australians consider it important how their personal information is used by organizations and to whom it is disclosed.
                                              6
Costs of Privacy
- Privacy of data can mean its non-availability at some time when it is required
- Attempts to retain privacy can mean inconvenience or forgoing certain benefits




                                            7
Privacy protection
- To shield innocent persons from an overzealous government
  - Profiling can lead to a misinterpretation of accurate information
- To permit every one to preserve her/his dignity and autonomy
  - To not let governments and big corporations have and exercise undue power over individuals

                                                8
Privacy protection and Public Interest
- To support freedom of expression, freedom of speech and freedom of association.
- Anonymity fosters creativity.
- Permits individuals to make a fresh start and become useful members of society.
- Privacy protection is integral to trust.
  - Trust is the cornerstone of a strong relationship.


                                                              9
How to protect?
- Records should be kept for no longer than necessary.
- Records, if inaccurate, must be deleted or corrected.
  - Sometimes not possible to delete.
    Example: Health records wrongly state that you have diabetes. Accordingly some wrong treatment was started. If the record is deleted, the reason why the wrong treatment was given will also go and the medication history will not make sense.
- Be proactive in defense of privacy.
  - The default barriers of time, distance and cost, against publication and retention of your private information, have vanished.
PROBLEMS:
- Right to research vs. autonomy;
- Right to forget vs. Right to know
                                                               10
Risks
- Stealing information through cookies (Example: cross-site scripting)
- Browsing profile
- Weak spot: ISP
- Spyware, phishing, malicious proxy servers
- Web bug: techniques used to track who is reading a web page or e-mail, when, and from what computer. They can also be used to see if an e-mail was forwarded to someone else.
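A defender-side detector for the web bugs just described, added here as an example (it is not from the slides): it scans an HTML e-mail body for remote images that are 1x1, hidden by CSS, or carry a long per-recipient token in the URL. The sample HTML and the 16-character token threshold are constructed assumptions.

```python
"""Detect web bugs (tracking pixels) in an HTML e-mail body.
Added example, not from the slides; sample HTML below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

class WebBugFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (src, [reasons]) for every suspicious <img>

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        u = urlparse(src)
        if u.scheme not in ("http", "https"):
            return  # inline (cid:) or data: images cannot report back to a server
        reasons = []
        w, h = (a.get("width") or "").strip(), (a.get("height") or "").strip()
        if w in ("0", "1") and h in ("0", "1"):
            reasons.append("1x1 pixel")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        # Assumed heuristic: a query value of 16+ chars looks like a per-recipient id
        if any(len(v[0]) >= 16 for v in parse_qs(u.query).values()):
            reasons.append("per-recipient token in query")
        if reasons:
            self.hits.append((src, reasons))

def find_web_bugs(html: str):
    """Return the list of (src, reasons) for images that behave like web bugs."""
    p = WebBugFinder()
    p.feed(html)
    return p.hits

# Constructed sample: a logo, a benign image, a tracking pixel and a hidden beacon.
SAMPLE = """<html><body><p>Hello</p>
<img src="cid:logo.png" width="1" height="1">
<img src="https://img.example/logo.png" width="200" height="60">
<img src="https://track.example/o.gif?u=4f9d2c1a8b7e6d5c" width="1" height="1">
<img src="https://track.example/p.png" style="display:none">
</body></html>"""
```

Running find_web_bugs(SAMPLE) flags only the last two images; a mail client that strips or blocks them stops the sender learning when and where the message was opened.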
                                             11
The Google age
“We are becoming a transparent society of record such that documentation of our past history, current identity, location, communication and physiological and psychological states and behavior is increasingly possible. With predictive profiles and DNA there are even claims to be able to know individual futures.”
    -- Gary Marx, “Privacy and Technology”, Telektronik, January 1996.


                                                 12
Health Information Acts stress PRIVACY

- Apply to hospitals, doctors, laboratories, insurance companies, employers etc.
- Allow individuals to be informed about their health care
- Provide both privacy and legitimate access to health information


                                           13
Facts and needs
- Personal information: available in tens of databases under the control of different organizations.
- Onus on the person to correct his information, when he does not even know about all the places where his information is.
- Ownership? vs. Control?

Needs:
    PRIVACY,
    CORRECTNESS OF INFORMATION,
    AVAILABILITY WHEREVER REQUIRED

                                               14
Proposed Systems
- IBM: a third party to maintain and release information by following certain rules
- Information to be maintained by the owner




                                          15
Ownership of data
Ownership may not mean
- Write-access
  Ex: Government-owned information: social security number, passport (a government can revoke a passport);
  Financial information: annual tax returns, bank balances
- Read-access
  Ex: Reports by physicians, laboratories
Reference for the next set of slides: Carrie Gates, Jacob Slonim, “Owner-Controlled Information,” http://flame.cs.dal.ca/~gates/papers/nspw03.ps.
                                                       16
Ownership of data …continued
Ownership means
- Permitting others to access part of the information
  - Role-based access control, augmented by location (say in a hospital, when both the owner and the doctor are in the same room)
- Deciding which individuals can access it in case of disability
- Deciding about overarching access in case of an emergency / in case of death
- Societal needs to access
  - For medical research
  - For identifying concerned individuals (Example: spread of SARS)
                                                               17
Escrowed Encryption Standard (EES)
- EES: uses the key escrow method of enabling eavesdropping by authorized government agencies, under a court order. (FIPS 185)
- escrow: a deed, a bond, money, or a piece of property held in trust by a third party to be turned over to the grantee (in this case, a Law Enforcement Agency) only upon fulfillment of a condition
Reference: Merriam-Webster’s Online Dictionary
                                                  18
SKIPJACK
- encryption/decryption algorithm used by EES
- can be incorporated into voice, facsimile (fax), and computer data devices
- Has a Law-Enforcement Access Field (LEAF), and two LEAF decryption keys
- Clipper: the chip designed through US Dept of Commerce grants in 1994
Reference: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci837181,00.html as of September 18, 2007

                                                               19
Escrowed Encryption
- Research in the Escrowed Encryption Standard was abandoned after 1994
Ref.: http://csrc.nist.gov/publications/fips/fips185/fips185.txt

- Partial key escrow: schemes that obey the secret sharing property (any k pieces of the key can reconstruct the key, but no t pieces provide information about the key, where t < k)
Ref.: http://www.cse.ucsd.edu/users/mihir/papers/escrow.html
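The secret-sharing property stated above, worked as Shamir's threshold scheme over a prime field. This is an added example, not code from the slides or the referenced paper; the field prime, the share count n=5 and threshold k=3 are assumptions.

```python
"""Threshold secret sharing of an escrowed key (Shamir's scheme).
Added example, not from the slides or the referenced paper.
Shares are points on a random polynomial of degree k-1 over GF(P):
any k shares reconstruct the key, any fewer leave every key equally likely."""
import secrets

# Assumed field: a Mersenne prime, large enough that a 256-bit key is one element.
P = 2**521 - 1

def split_key(key: int, n: int, k: int):
    """Split `key` into n shares (x, f(x)); any k of them reconstruct it."""
    assert 0 <= key < P and 1 <= k <= n
    # f(0) = key; the remaining k-1 coefficients are uniformly random.
    coeffs = [key] + [secrets.randbelow(P) for _ in range(k - 1)]

    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0 over GF(P) from k distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # Modular inverse via Fermat, since P is prime.
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret

if __name__ == "__main__":
    key = int.from_bytes(secrets.token_bytes(32), "big")
    shares = split_key(key, n=5, k=3)
    # Any 3 escrow agents together recover the key ...
    print(reconstruct(shares[:3]) == key, reconstruct(shares[2:]) == key)
    # ... but 2 of them interpolate an unrelated value: no information about the key.
    print(reconstruct(shares[:2]) == key)
```

Interpolating from k-1 shares is not an error: for every candidate key there is exactly one degree k-1 polynomial agreeing with those shares, which is why fewer than k pieces reveal nothing.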


                                                                   20
Physical Ownership
Need for an individual to carry information with him:
- Ownership and control

- Distributed and incomplete information: likely to be non-synchronized and erroneous
- May not be available when required

- Can allow access to appropriate parts of information to various entities under specified conditions
- Misused in spite of assurances
  Ex: census information supposed to be retained for 99 years only for research; after 9/11, the president made it available to law-enforcement agencies



                                                               21
Problems of Physical Ownership
- Theft of identity
- Loss and recreation of information
- Requirement of tamper-proof hardware and protected storage areas
- How to encash a cheque without a centralized database?
- How to ensure that the authorized user has not made a copy of the data released to him?
- Provision for expiry of data (like passport, health card, driving license)
- Secure back-ups
- A friendly user interface and granularity of information


                                                   22
Trust
- No one is a super-user?
- Non-repudiated audit trail
- Alerts, in case an unauthorized change has been made.
  Ex: A bank may
  - sign the information when it writes into the personal device,
  - insert a hash in the database;
  - next time the device is presented to the bank, it verifies the hash before starting the transaction.
- IDS to detect if someone tries to copy the data.
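The bank's sign-and-hash check from the slide, worked as an added example (not code from the slides): the bank keeps a hash of the last record it wrote, the device carries the record plus the bank's tag, and verification runs before any transaction starts. HMAC-SHA256 under a bank-held key stands in for the digital signature; the key and the records are constructed.

```python
"""Tamper-evident personal-device record with a bank-side hash.
Added example, not from the slides. HMAC-SHA256 stands in for the
signature the slide mentions; key and records are constructed."""
import hashlib
import hmac
import json

BANK_KEY = b"constructed-demo-key-not-for-production"  # assumed bank secret

def canonical(record: dict) -> bytes:
    """Stable byte encoding so signer and verifier hash the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def bank_write(record: dict, db: dict) -> dict:
    """Bank writes to the device: signs the record and stores its hash in the bank DB."""
    payload = canonical(record)
    db[record["account"]] = hashlib.sha256(payload).hexdigest()
    tag = hmac.new(BANK_KEY, payload, "sha256").hexdigest()
    return {"record": record, "tag": tag}  # what the personal device carries

def bank_verify(device_blob: dict, db: dict) -> str:
    """Run when the device is presented; returns 'ok' or an alert reason."""
    record, tag = device_blob["record"], device_blob["tag"]
    payload = canonical(record)
    expected = hmac.new(BANK_KEY, payload, "sha256").hexdigest()
    if not hmac.compare_digest(tag, expected):
        return "alert: tag invalid (record altered on device or forged)"
    stored = db.get(record["account"])
    if stored is None:
        return "alert: unknown account"
    if stored != hashlib.sha256(payload).hexdigest():
        # Tag is genuine but the bank has since written a newer record:
        # the device holds an old, validly signed copy.
        return "alert: device holds a stale copy (replay of an older record)"
    return "ok"

if __name__ == "__main__":
    db = {}
    blob = bank_write({"account": "A1", "balance": 100}, db)
    print(bank_verify(blob, db))
    blob["record"]["balance"] = 9999          # edited on the device
    print(bank_verify(blob, db))
```

The stored hash catches the case the signature alone cannot: an older record that the bank really did sign being presented again after a newer one was written.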

                                                                      23
Existing services
1. Microsoft Passport service:
   - a single sign-on service
   - may contain an e-wallet containing billing and shipping information
   (e-Wallet: safely stores name, address, credit-card numbers, password and any other information needed for purchase from e-commerce sites)

References: 1. https://www.passport.net/
2. http://www.projectliberty.org/
                                                    24
Existing services …continued
MS wanted to extend Passport to the XML-based Hailstorm to contain
   - calendars,
   - phone books,
   - address books,
   - documents, using the Passport authentication mechanism.
   However the project was abandoned in the face of criticism.

2. Liberty Alliance of 150 companies for a federated identity infrastructure:
   - Links databases maintained at a number of organizations rather than at a single (set of) servers
                                                              25
Existing services …continued 2
3. Persona Project at Oregon State University
   - single sign-on,
   - consumer-centered identity model, that is distributed across multiple systems
   - holds a user's personal information, including identity, passwords, preferences and e-wallet information
   - can be accessed via desktops, personal digital assistants (PDAs), cell phones, and even from cybercafes.

                                             26
The Persona project
- The persona is "an active software agent that encapsulates private and personal data and performs a range of authentication and personalization services on behalf of its owner."

The basic premise:
- The user: authenticates himself to his persona.
- The persona: acts on behalf of the user to supply on-line information such as billing information or personal schedules.
- Access to this information: moderated by the access control rules employed by the user (e.g. so that only a limited number of companies can access credit card information).
Ref.: http://www.cs.pdx.edu/~ktoth/index_files/RHASPersonaPaperTothSubramaniumV6.pdf
                                                                   27
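One way to encode the owner-defined rules from the Gates/Slonim slide (role-based access augmented by location, and emergency access) together with the Persona slide's rule that only a limited set of companies may read credit-card data. This is added example code, not from either project; the policy table, role names and context fields are assumptions.

```python
"""Owner-defined, default-deny access policy over a personal record.
Added example; not code from the Gates/Slonim paper or the Persona project.
Roles, field names and the sample policy are assumptions."""
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Context:
    requester_id: str
    role: str
    owner_location: str
    requester_location: str
    owner_present: bool        # owner has authenticated to the device right now
    emergency: bool = False    # declared by an emergency service and audit-logged

def always(c: Context) -> bool:
    return True

def co_located(c: Context) -> bool:
    """Location-augmented RBAC: owner and requester are in the same room."""
    return c.owner_present and c.owner_location == c.requester_location

@dataclass
class Rule:
    role: str
    allowed_ids: Optional[set] = None              # None = any member of the role
    condition: Callable[[Context], bool] = always  # must hold in the request context

# The owner's policy: which roles may read which field, and under what condition.
POLICY = {
    "medical_history": [Rule("doctor", condition=co_located),
                        Rule("paramedic", condition=lambda c: c.emergency)],
    # Persona-style rule: only named merchants may read the card number.
    "credit_card": [Rule("merchant", allowed_ids={"shop-a", "shop-b"})],
    "shipping_address": [Rule("merchant")],
}

def may_read(field_name: str, ctx: Context) -> bool:
    """Grant only if some rule for the field matches role, identity and condition."""
    for rule in POLICY.get(field_name, []):
        if rule.role != ctx.role:
            continue
        if rule.allowed_ids is not None and ctx.requester_id not in rule.allowed_ids:
            continue
        if rule.condition(ctx):
            return True
    return False  # default deny, including fields with no rule at all
```

A doctor outside the room, a merchant not on the card allowlist, and any request for a field the owner never listed all fall through to the final deny.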
Issues
- CENTRAL VS. FEDERATED VS. PERSONALLY CARRIED INFORMATION IN SMART CARDS/FLASH KEYS ETC.
- Authentication of the owner through biometric information
- Authentication of every one allowed to have read or write access
References: 1. Electronic Privacy Information Center (EPIC), http://www.epic.org/privacy/consumer/microsoft/passport.html
2. M. Fairhurst, R. Guest, F. Deravi and J. George, “Using Biometrics as an enabling technology in balancing universality and selectivity for management of information access,” Universal Access: Theoretical Perspectives, Practice and Experience: 7th ERCIM International Workshop on User Interface for All, Paris, France, Oct 24-25, 2002, Springer-Verlag Lecture Notes in CS 2615, pp. 249-259
                                                                  28
Implementation of Privacy Policies

Implementation requires
- a careful study of the vulnerabilities and requirements of the organization;
- formulation of appropriate security and privacy policies;
- development of the architecture of the security system;
- selection of security technologies;
- verification whether the design of the system conforms to the statutory requirements and standards.
                                             29
Assignment I
- Use Ataraxis; Topic: Internet Privacy
References:
- ACM Digital Library, IEEE Xplore and the Lecture Notes in Computer Science series at Leddy Library electronic offerings
- Researchers: Sweeney L., Malin B., Clifton C., Vaidya J.
- Computers, Freedom and Privacy Conference (http://www.cfp.org/)
- Anonymity project (http://idtrail.org/)
- Electronic Privacy Information Center (http://www.epic.org/)
- http://www.privacy.org/, http://www.privacyinternational.org/
- Studies on privacy vulnerabilities by the Johns Hopkins Information Security Institute (http://web.jhu.edu/jhuisi/)

                                                                    30

				