Transcript Accessing Public WiFi: Security Issues

A Few Topics on Privacy
Sankar Roy
1
Acknowledgement
In preparing the presentation slides and the
demo, I received help from
• Professor Simon Ou
• Professor Gurdip Singh
• Professor Eugene Vasserman
2
What is private? What should be?
•
•
•
•
•
Your email and your phone calls
Your location throughout the day
Your detailed activity throughout the day
Patterns of your activity
Your web locations throughout the day
– Surfing history
• Whether you’re on vacation
– Is your house empty?
What are privacy leaks?
• Public vs. private exposure:
– Your email and your phone calls are exposed
– Your activity/actions/movement are tracked
– Your patterns of activity are exposed
– Your web activity/history is exposed
– Your online purchases are exposed
– Your medical records are exposed
Agenda
• Web tracking
• Social network privacy
• Geo-tracking
• Cross-reference with public records (e.g. census)
• University policies for your privacy
Web Tracking
• Information about people’s web activities have
business value
• Many companies are trying to
– collect your web data
– develop a profile of you (what you like or dislike)
• Broadly speaking, two types of tracking
– monitoring your visits to several websites, online
shopping, etc.
– monitoring your queries to search engines, keywords
used in your emails, etc.
6
Web Bug : A Tracking Tool
• Web bugs
– used to be images (also known as tracking pixels)
– now can be HTML iFrame, style, script, input link
– are loaded on a webpage when you browse it
• Typically, web pages are not self-contained
– the main content comes from the relevant server (e.g.
citi.com)
– additional content (including web bugs) come from a 3rd
party server (tracker)
• The tracker can get information such as
– visitor’s IP address, time of visit, type of browser,
previously set cookies, etc.
More on Web Bugs
• A simplified tracking example
– consider a tracking company that has ties with a
network of sites
– all images (e.g. web bugs) are stored on one host
computer while the web pages are stored in
different servers.
– so, web bugs tool can recognize users traveling
around the different servers
– advantage: tracking becomes easy because
statistics can be collected centrally
DoubleClick (Google) System
• Doubleclick is an online ad management system
– its clients are advertisers and publishers
– tracks users via browser cookies as users travel from
website to website (and records which advertisements
they view and select).
• Runs background analysis: can mine trends over
– multiple web sites, types of visitors, periods of time,
etc.
The Business Model of DoubleClick
• Ad-serving: publishers display ad on their websites
• Ad delivery: advertisers control the ad frequency, time
• Behavioral targeting: based on the visitor’s past
activities, guesses the adverts he/she would like to see
Web-tracking by DoubleClick
• What information of the visitor is tracked?
– visit time, ad placement id, advert id, user id, user IP
address, referral URL, etc.
• Can track someone visiting multiple web sites
– if these web sites participate in AdSense (Google)
• May give a label to a visitor
– E.g. “sports lover”, “computer & electronics”, etc.
• Note: you may check and edit your label on your
Google Ad Preferences manager page
How to Check your label in Google’s
Ad Preferences – Part I
How to Check your label in Google’s ad
preferences manager – Part II
Do Not Track Me Online Act of 2011
• Sets the standards for the use of an online optout function
– allows a consumer to forbid the use of private
information
• Regarded as an online version of the Do Not Call
law
• States that a business entity should disclose the
status of personal information collection
• The opposition group (against this law) also has
some valid points
Abine’s Tool: “Do Not Track Me”
• This tool works as a browser (e.g. Firefox) plugin
• Blocks the tracking capabilities
– of advertisers, social networks, and data-collection
companies
– can display the list of websites which are tracking you
now
– opts you out of being tracked
• May still allow same number of adverts,
– but can stop targeted advertising that uses your
personal information
Using “Do Not Track Me”: Example I
16
Using “Do Not Track Me”: Example II
17
Web History Tracking
• Search engines, such as Google keep on
storing the keywords you search
– as well as your browsing history
– and associates this information against your
Google account id
– Google uses this information for targeted
advertisement in future
• If misused, this information can lead to our
privacy breach
18
A Google Web History Page
19
Google’s Combining Distinct Privacy Policies
• Recently, Google combined 60 distinct privacy
policies into one single policy in 2012
– if you're signed in, Google treats you as a single
user across all of the products
– combines information you've provided from one
service with information from the others
– can use web search information to target an
advertisement to you in YouTube, Google Maps,
and Gmail
20
How to reduce risks of Google’s Tracking
• You may turn off the Web History
– log in to your Google a/c
– go to www.google.com/history and remove all
– but this may not guarantee much
• You may not sign into Gmail while using
Google search, maps or YouTube
• Or, you may create separate accounts for each
Google service
21
How to Turn Off the Search History
22
Class Agenda
• Web tracking
• Social network privacy
• Geo-tracking
• Cross-reference with public records (e.g. census)
• University policies for your privacy
Online Social networks (OSN)
• Becoming more and more popular
– Facebook, Twitter, Google+, Linkedin, flickr, etc.
• Facebook is the largest OSN
(Ref. epic.org).
– 500 million active users, with 150
million in the United States.
– 3 billion photos are uploaded
each month.
– each day 100 million tags to
photos.
24
Mobile OSN (mOSN)
• Currently, all major OSNs can be accessed via
smart phones
• Location has been (mostly) missing between the
real world and OSNs
– mOSN is providing the location link now
– location is notorious for compromising privacy
– a quarter of Facebook users are on a mobile device
25
Privacy Concerns on Social Networks
• Too much personal information being displayed by
the users may compromise their identity
• Location-based-service taking advantage of mobile
devices causes more privacy concerns
• Storage of personal data: most social networking
sites require users to agree for storage.
• Employment issues: employers are searching OSNs
in order to screen potential candidates
• Stalking, and many other privacy problems.
26
How to Mitigate Privacy Leaks in OSNs
• Understand the risks or possible damage
• Do not post
– unnecessary information or confidential messages or
private photos
• To protect against identity theft
– do not make your birthday public
– never expose your exact address, SSN, passport info
• Avoid cross-linking
– your social network with your professional network
• Be watchful of your information leak
– check what is leaking via a close family member or a friend
27
Facebook’s Privacy Concerns
• Facebook displays social ads to targeted customers
– the business model has some similarity with Google ad’s
• Claims retroactive rights to users’ personal information
– even after a user has deleted her account.
• Discloses “publicly available information” to search
engines
– i.e., to all Internet users even they are not Facebook users.
• And many other concerns: e.g. face recognition, geotagging
28
Facebook and Face Recognition
• Facebook Becomes FaceBank?
– by Janeth Lopez, 2012 (available on
moglen.law.columbia.edu)
• After you upload new photos
– Facebook scans them with facial recognition software
– matches the new photos to other photos you are already
tagged in.
• When a user manually tags the friends in a photo
– the Facebook machine learns more
– making facial recognition more accurate in future.
29
Facebook’s Photo-Tag Suggestions
• You can tag a photo to show who’s in the photo
– You can post a status update and say who you are with.
• After a photo upload, Facebook apparently by magic
– finds faces in a photo as a square frame
– and suggests the name of your friend
• Facebook identifies your friends through your profile
– using face recognition technology
30
Privacy Concerns due to Face Recognition
• We could take a photo of a stranger and pull up
his/her full name and public information
• We may cross-reference the information
– with social dating sites to know the stranger's interests.
• Stores and restaurants may identify customers and
their "likes" in real time
– in order to offer them personalized advertising
• Law enforcement agents can use this face bank
31
How to Reduce Photo Tagging Risks
• You can untag photos you are tagged in by friends.
– simply go to the photo and click on your name
• But no way to prevent friends from tagging you
• You can prevent others from seeing the photos via
your tagged name.
– from the Account menu, chose Privacy Settings, click
"Customize settings.”
– you have the option of choosing who can see photos via
your tagged name. You can set it to "Only me”.
– here, you also have the option of preventing specific
Facebook friends seeing photos via your tagged name.
32
Class Agenda
• Web tracking
• Social network privacy
• Geo-tracking or Geo-tagging
• Cross-reference with public records (e.g. census)
• University policies for your privacy
Geo-tagging
• It is the process of adding geographical identification
metadata to various media such as a photo (Wikipedia)
• Many tools: Camera, smart phones, etc.
34
Geo-tagging on OSNs
• Facebook has a feature called “Places” which
allows users to check-in at locations in real time
– it is turned on by default
– other users can “geo-tag” you
– you may discover friends who are in the same place
– friends can share interesting places
– you may find out a spot from friends’
recommendations
35
Risks of Geo-tagging
• You may give a stalker or a potential thief your
exact whereabouts
– say you post a photo of your house, and leave a
message on Twitter : “need to go to office now”.
• Particularly when your cross-post check-ins to
interesting spots on multiple OSNs.
• Also, geo-tagging has the potential to
establish patterns of your movements
36
How to avoid risks of Geo-tagging
• Be familiar with the risks involved.
• Learn how to disable your smart phone's geotagging feature
• Learn how to protect yourself on the geotagging websites
– control the people who are able to see where
you're located.
– avoid automatic geo-tagging by default. Facebook
Places is active until disabled.
37
Class Agenda
• Web tracking
• Social network privacy
• Geo-tracking
• Cross-reference with public records (e.g. census)
• University policies for your privacy
Privacy issues in public records
• Various public records and survey results:
– Census, medical, genetic, financial data, location data,
purchasing histories, etc.
– are extremely valuable for social science research,
epidemiology, strategic marketing, and so on
• But if these databases can be matched up with
one another
– then we may be able to generate a detailed picture of
a specific individual’s private life.
39
Challenges and Solutions
• In 2000, Latanya Sweeney analyzed data from the
1990 census and discovered
– 87% of the U.S. population could be uniquely identified by
just a Zip code, date of birth, and gender.
• Professor Sweeney now says it should be quite easy
to determine patient names
– from the secondary health data sold by pharmacies and
analytics companies
• Privacy experts have proposed algorithms to
– anonymize public records before release
– measure the degree of privacy and guarantee it
40
Class Agenda
• Web tracking
• Social network privacy
• Geo-tracking
• Cross-reference with public records (e.g. census)
• University policies for your privacy
K-State Information Technology Usage
: Privacy Policy
• Authorized access to data entails both privilege
and responsibility
– not only for the user, but also for the system
administrator.
• The university will treat information stored on
computers as confidential
– However, there is no expectation for documents and
messages stored on University-owned equipment.
– email and data stored on KSU's network of computers
may be accessed by the university for a few special
purposes
42
Summary
• We discussed common privacy issues.
• We presented a few standard countermeasures
to mitigate the risks
• Remainder:
– the next homework is due before the next class (1pm
on March 7)
– the next class will be held in Room 128
43