701

A Privacy-preserving Pseudonym Acquisition Scheme for Vehicular Communication Systems / Ett integritetsbevarande protokoll för erhållning av pseudonymer i fordonskommunikationssystem

Messing, Andreas January 2018 (has links)
Vehicular communication systems rely on temporary anonymous identities, i.e. pseudonyms, in order to establish security and at the same time avoid the possibility of tracking vehicles. If a vehicle uses only one pseudonym, an adversary would be able to follow the vehicle by observing and linking messages signed under that pseudonym. Therefore, the vehicles acquire a set of pseudonyms from the VPKI, i.e. the infrastructure of the communication system, and switch pseudonyms frequently. If a vehicle were unable to acquire these pseudonyms, it would not be able to utilize the communication system without compromising its privacy. A vehicle is able to create its own pseudonyms using group signatures, i.e. the so-called Hybrid scheme. However, a pseudonym issued by the VPKI and a pseudonym created with a group signature would look different to an observer. If only one vehicle used pseudonyms created with group signatures, it would easily be singled out and tracked. This thesis proposes a solution to this problem, but not to the broader problem of linking messages by other means, e.g. the content of the message. In the solution, a vehicle is able to generate its own pseudonyms, using the Hybrid scheme, and make them unlinkable at the cost of computational overhead for itself and the vehicles around it, since group signatures are costly. The vehicle achieves this by aligning the lifetime of the pseudonym with other pseudonyms and asking neighboring vehicles to alternate randomly between using pseudonyms issued by the VPKI and pseudonyms created with group signatures. This alternation by neighboring vehicles decreases the linkability of pseudonyms created with group signatures without increasing the linkability of pseudonyms issued by the VPKI. This results in a trade-off between reasonable computational overhead and acceptable linkability for pseudonyms.
A short paper, presenting the scheme and results of this thesis, has been accepted to the IEEE Vehicular Networking Conference in Torino, Italy, 27-29 November, 2017 [1]. / Vehicular communication uses temporary identities, i.e. pseudonyms, to establish security and at the same time avoid the possibility of tracking vehicles. If a vehicle used only one pseudonym, an observer could follow the vehicle by observing and linking messages signed under that pseudonym. Each vehicle therefore acquires a set of pseudonyms from the communication system and changes pseudonym regularly. If a vehicle cannot acquire these pseudonyms from the system, it would not be able to use the communication system without giving up its privacy. A vehicle could create its own pseudonyms by using group signatures, i.e. the so-called Hybrid scheme. The problem is that a pseudonym acquired from the communication system and a pseudonym generated with a group signature look different to an observer. If only one vehicle used pseudonyms with group signatures, it would easily be filtered out and tracked. This thesis proposes a solution to this problem, but not to the larger problem of linking messages by other means, for example by using the information in the message itself. In the solution, the vehicle can generate its own pseudonyms by using group signatures, i.e. the Hybrid scheme, and make them unlinkable at the cost of extra computation time for itself and the vehicles around it, since group signatures are costly. The vehicle achieves this by synchronizing the lifetime of its pseudonyms with the other pseudonyms and asking nearby vehicles whether they can randomly alternate between using pseudonyms from the system and pseudonyms they have created with group signatures.
If nearby vehicles alternate between pseudonyms from the system and pseudonyms generated with group signatures, the linkability of group-signature-based pseudonyms decreases without increasing the linkability of pseudonyms from the communication system. This results in a trade-off between computation time and acceptable linkability of pseudonyms. A conference paper presenting the protocol and results of this thesis has been accepted to the IEEE Vehicular Networking Conference in Torino, Italy, 27-29 November 2017 [1].
702

Managing the risks associated with IT security and data privacy in the software development industry : Challenges related to operational, financial, and reputational risks

Hintze, Elias, Lofterud, Lukas January 2022 (has links)
This thesis examines how organisations within the IT software development industry manage risks associated with IT security and data privacy, in light of factors such as the growth in digitalisation and the Covid-19 pandemic. The research consists of four separate cases with interviewees in managerial positions in four different organisations. The research shows the risks and challenges from an operational, financial, and reputational perspective. Developments of the existing methods have been identified: the use of cryptocurrencies as a means to expose system vulnerabilities, an increase in monitoring and surveillance, which comes with considerations of follow-up and communication, along with the concept of moral hazards and their future implications. Furthermore, IT security organisations strive towards a risk tolerance approaching zero; as a result, discrepancies can occur between growth and risk. Considerations towards compliance with data privacy must also be made as new legislation takes shape, while being attentive to stakeholders' changing demands and expectations. Contributions are made to the field of risk management and IT security by taking a new era of digitalisation into consideration, giving the field an updated outlook for the future as the importance of data privacy and IT security increases. Therefore, the thesis provides valuable information that can be used as guidelines for organisations in this rapidly developing global environment.
703

Privacy, Surveillance And The State: A Comparison Of U.S. And British Privacy Rights

Lander, Angelina 01 January 2009 (has links)
This study investigates the effects of institutional structure on the privacy rights regimes in the United States and the United Kingdom, from 2000-2006. The goal of this research is to analyze how variation in the institutional arrangements across these two countries allowed for more or less protection of privacy rights for citizens. Domestic terrorist attacks during the time period represent a catalyst for changes in police and government surveillance activities. Veto points literature provides the framework for institutional comparison. The first part of the research provides a discussion of the historical evolution of privacy rights in both states, focusing on government and police surveillance and investigations. The second part of the research, based on veto points theory, compares the institutional arrangements of the United States and the United Kingdom, and suggests that the number of veto points and the ideological proximity of veto players have had an effect on the formulation of policy. Laws governing surveillance, investigations and privacy in the year 2000 provide a benchmark for analyzing how policies change over time.
704

Traffic Privacy Study on Internet of Things – Smart Home Applications

Patel, Ayan 01 August 2020 (has links) (PDF)
Internet of Things (IoT) devices have been widely adopted in many different applications in recent years, such as smart home applications. An adversary can capture the network traffic of IoT devices and analyze it to reveal user activities even if the traffic is encrypted. Therefore, traffic privacy is a major concern, especially in smart home applications. Traffic shaping can be used to obfuscate the traffic so that no meaningful predictions can be drawn through traffic analysis. Current traffic shaping methods have many tunable variables that are difficult to optimize to balance bandwidth overheads and latencies. In this thesis, we study current traffic shaping algorithms in terms of computational requirements, bandwidth overhead, latency, and privacy protection based on captured traffic data from a mimic smart home network. A new traffic shaping method, Dynamic Traffic Padding, is proposed to balance bandwidth overheads and delays according to the type of device and the desired privacy. We use previous device traffic to adjust the padding rate to reduce the bandwidth overhead. Based on the mimic smart home application data, we verify that our proposed method can preserve privacy while minimizing bandwidth overheads and latencies.
705

Modeling Adversarial Insider Vehicles in Mix Zones

Plewtong, Nicholas 01 March 2018 (has links) (PDF)
Security is a necessity when dealing with new forms of technology that may not have been analyzed from a security perspective. One of the latest growing technological advances is Vehicular Ad-Hoc Networks (VANETs). VANETs allow vehicles to communicate information to each other wirelessly, which allows for an increase in safety and efficiency for vehicles. However, with this new type of computerized system comes the need to maintain security on top of it. In order to try to protect the location privacy of the vehicles in the system, vehicles change pseudonyms or identifiers at areas known as mix zones. This thesis implements a model that characterizes the attack surface of an adversarial insider vehicle inside a VANET. This adversarial vehicle model describes the interactions and effects that an attacker vehicle can have on mix zones in order to lower the overall location privacy of the system while remaining undetected by defenders in the network. In order to reach the final simulation of the model, several underlying models had to be developed around the interactions of defender and attacker vehicles. The evaluation of this model shows that internal attacker vehicles can have significant impacts on location privacy within mix zones. From the created simulations, the results show that having one to five optimal attackers results in a decrease of 0.6%-2.6% in the location privacy of the network and a 12% decrease in potential location privacy in a mix zone where an attacker defects in a 50-node network. The industry needs to consider implementing defenses based on this particular attack surface.
706

Privacy and Authentication in Emerging Network Applications

Li, He 07 January 2021 (has links)
In this dissertation, we studied and addressed privacy-preserving and authentication techniques for some network applications, where existing internet security solutions cannot be applied straightforwardly due to different trust and attack models and possibly constrained resources. For example, in a centralized dynamic spectrum access (DSA) system, the spectrum resource licensees, called incumbent users (IUs), have strong operational privacy requirements towards the DSA service provider, called the spectrum access system (SAS), and hence the SAS is required to perform spectrum computation without knowing the IUs' operational information. This means the SAS can at most be considered a semi-trusted party which is honest but curious; common anonymization and end-to-end encryption cannot address this issue, and dedicated solutions are required. Another example is that in an intra-vehicle Controller Area Network (CAN), the transmitter can only embed 64 bits of message and its authentication tag into one message frame, which makes it difficult to achieve message authentication in real time with sufficient cryptographic strength. The focus of this dissertation is to fill the gap in existing solutions with stronger security notions and practicability. On the topic of privacy-preserving DSA systems, we first explored existing solutions and proposed a comparative study. We additionally proposed a new metric for evaluation and showed the advantages and disadvantages of existing solutions. We second studied IU location privacy in the 3.5 GHz band ESC-based DSA system and proposed a novel scheme called PriDSA. PriDSA addresses the malicious colluding SAS attack model by leveraging different and relatively lightweight cryptographic primitives with a novel design, granting a stronger security notion and improved efficiency as well.
We third studied the operational privacy of both IUs and secondary users (SUs) in a general centralized SAS-based DSA system and proposed a novel framework called PeDSS. Through our novel design that integrates differential privacy with a secure multi-party computation protocol, PeDSS exhibits great communication and computation overhead compared to existing solutions. On the topic of lightweight message authentication in resource-constrained networks, we first explored message authentication schemes with high cryptographic strength and low communication overhead and proposed a novel scheme called CuMAC. CuMAC provides a flexible trade-off between authentication delay and cryptographic strength, through the embodiment of a novel concept that we refer to as accumulation of cryptographic strength. We second explored the possibility of achieving both high cryptographic strength and low authentication delay and proposed a variant of CuMAC called CuMAC/S. By employing the novel idea of message speculation, CuMAC/S enables the accumulation of cryptographic strength while incurring minimal delay when the message speculation accuracy is high. / Doctor of Philosophy / The privacy-preserving and message authentication issues of some network applications are distinct from common internet security due to different attack models and possibly constrained resources, and these security and privacy concerns cannot be addressed by applying existing internet security solutions straightforwardly. For example, in a centralized dynamic spectrum access (DSA) system, the spectrum resource licensees, called incumbent users (IUs), have strong operational privacy requirements towards the DSA service provider, called the spectrum access system (SAS), and hence the SAS is required to perform spectrum computation without knowing the IUs' operational information.
This means the SAS can at most be considered a semi-trusted party which is honest but curious; common anonymization and end-to-end encryption cannot address this issue, and dedicated solutions are required. Another example is that in an intra-vehicle Controller Area Network (CAN), the transmitter can only embed 64 bits of message and its authentication tag into one message frame, which makes it difficult to achieve message authentication in real time with sufficient cryptographic strength. We addressed the privacy issue of DSA systems by proposing novel schemes incorporating efficient cryptographic primitives and various privacy-preserving techniques, achieving much higher efficiency or a stronger level of privacy preservation. We addressed the lightweight authentication issue of resource-constrained networks by employing the novel concepts of security accumulation and message speculation, achieving high cryptographic strength, low communication overhead, and probable low latency.
707

Exploring Privacy and Personalization in Information Retrieval Applications

Feild, Henry A. 01 September 2013 (has links)
A growing number of information retrieval applications rely on search behavior aggregated over many users. If aggregated data such as search query reformulations is not handled properly, it can allow users to be identified and their privacy compromised. Besides leveraging aggregate data, it is also common for applications to make use of user-specific behavior in order to provide a personalized experience for users. Unlike aggregate data, privacy is not an issue in individual personalization, since users are the only consumers of their own data. The goal of this work is to explore the effects of personalization and privacy preservation methods on three information retrieval applications, namely search task identification, task-aware query recommendation, and searcher frustration detection. We pursue this goal by first introducing a novel framework called CrowdLogging for logging and aggregating data privately over a distributed set of users. We then describe several privacy mechanisms for sanitizing global data, including one novel mechanism based on differential privacy. We present a template for describing how local user data and global aggregate data are collected, processed, and used within an application, and apply this template to our three applications. We find that sanitizing feature vectors aggregated across users has a low impact on performance for classification applications (search task identification and searcher frustration detection). However, sanitizing free-text query reformulations is extremely detrimental to performance for the query recommendation application we consider. Personalization is useful to some degree in all the applications we explore when integrated with global information, achieving gains for search task identification, task-aware query recommendation, and searcher frustration detection.
Finally, we introduce an open source system called CrowdLogger that implements the CrowdLogging framework and also serves as a platform for conducting in-situ user studies of search behavior, prototyping and evaluating information retrieval applications, and collecting labeled data.
708

The Security and Privacy Implications of Energy-Proportional Computing

Clark, Shane S. 01 September 2013 (has links)
The parallel trends of greater energy efficiency and more aggressive power management are yielding computers that inch closer to energy-proportional computing with every generation. Energy-proportional computing, in which power consumption scales closely with workload, has unintended side effects for security and privacy. Saving energy is an unqualified boon for computer operators, but it is becoming easier to identify computing activities by observing power consumption, because an energy-proportional computer reveals more about its workload. This thesis demonstrates the potential for system-level power analysis: the inference of a computer's internal states based on power observation at the "plug." It also examines which hardware components and software workloads have the greatest impact on information leakage. This thesis identifies the potential for privacy violations by demonstrating that a malicious party could identify which webpage from a given corpus a user is viewing with greater than 99% accuracy. It also identifies constructive applications for power analysis, evaluating its use as an anomaly detection mechanism for embedded devices with greater than 94% accuracy for each device tested. Finally, this thesis includes modeling work that correlates AC and DC power consumption to pinpoint which components contribute most to information leakage, and analyzes software workloads to identify which classes of work lead to the most information leakage. Understanding the security and privacy risks and opportunities that come with energy-proportional computing will allow future systems to either apply system-level power analysis fruitfully or thwart its malicious application.
709

A Detailed Study of User Privacy Behavior in Social Media

Darwish, Roba N. 29 November 2017 (has links)
No description available.
710

Privacy-Aware Data Analysis: Recent Developments for Statistics and Machine Learning

Lut, Yuliia January 2022 (has links)
Due to technological development, personal data has become easier to collect, store and analyze. Companies can collect detailed browsing behavior data, health-related data from smartphones and smartwatches, and voice and movement recordings from smart home devices. Analysis of such data can bring numerous advantages to society and further the development of science and technology. However, given the often sensitive nature of the collected data, people have become increasingly concerned about the data they share and how they interact with new technology. These concerns have motivated companies and public institutions to provide services and products with privacy guarantees. Therefore, many institutions and research communities have adopted the notion of differential privacy, which has emerged as a powerful technique for enabling data analysis while preventing information leakage about individuals, to address privacy concerns. In simple words, differential privacy allows us to use and analyze sensitive data while maintaining privacy guarantees for every individual data point. As a result, numerous private algorithmic tools have been developed for various applications. However, multiple open questions and research areas remain to be explored around differential privacy in machine learning, statistics, and data analysis, which the existing literature has not covered. In Chapter 1, we provide a brief discussion of the problems and the main contributions that are presented in this thesis. Additionally, we briefly recap the notion of differential privacy with some useful results and algorithms. In Chapter 2, we study the problem of differentially private change-point detection for unknown distributions. The change-point detection problem seeks to identify distributional changes in streams of data. Non-private tools for change-point detection have been widely applied in several settings.
However, in certain applications, such as identifying disease outbreaks based on hospital records or IoT devices detecting home activity, the collected data is highly sensitive, which motivates the study of privacy-preserving tools. Much of the prior work on change-point detection, including the only private algorithms for this problem, requires complete knowledge of the pre-change and post-change distributions. However, this assumption is not realistic for many practical applications of interest. In this chapter, we present differentially private algorithms for solving the change-point problem when the data distributions are unknown to the analyst. Additionally, we study the case when data may be sampled from distributions that change smoothly over time rather than fixed pre-change and post-change distributions. Furthermore, our algorithms can be applied to detect changes in linear trends of such data streams. Finally, we also provide a computational study to empirically validate the performance of our algorithms. In Chapter 3, we study the problem of learning from imbalanced datasets, in which the classes are not equally represented, through the lens of differential privacy. A widely used method to address imbalanced data is resampling from the minority class instances. However, when confidential or sensitive attributes are present, data replication can lead to privacy leakage, disproportionately affecting the minority class. This challenge motivates the study of privacy-preserving pre-processing techniques for imbalanced learning. In this work, we present a differentially private synthetic minority oversampling technique (DP-SMOTE), which is based on a widely used non-private oversampling method known as SMOTE. Our algorithm generates differentially private synthetic data from the minority class. We demonstrate the impact of our pre-processing technique on the performance and privacy leakage of various classification methods in a detailed computational study.
In Chapter 4, we focus on the analysis of sensitive data that is generated from online internet activity. Accurately analyzing and modeling online browsing behavior plays a key role in understanding users and their interactions with technology. Towards this goal, in this chapter, we present an up-to-date measurement study of online browsing behavior. We study both self-reported and observational browsing data and analyze what underlying features can be learned from statistical analysis of this potentially sensitive data. For this, we empirically address the following questions: (1) Do structural patterns of browsing differ across demographic groups and types of web use? (2) Do people have correct perceptions of their behavior online? (3) Do people change their browsing behavior if they are aware of being observed? In response to these questions, we found little difference across most demographic groups and website categories, suggesting that these features cannot be inferred solely from clickstream data. We find that users significantly overestimate the time they spend online but have relatively accurate perceptions of how they spend their time online. We find no significant changes in behavior throughout the study, which may indicate that observation had no effect on behavior or that users were consciously aware of being observed throughout the study.