E-Surveillance and User Privacy

Yvonne Gladden
Lauran Hollar
Tim Kennedy
Grant Wood
E-Surveillance
• Surveillance – “The act of observing or the
condition of being observed”.
• Electronic Surveillance (US Government FISA) – “the acquisition by an electronic,
mechanical, or other surveillance device of
the contents of any wire or radio
communication …”
License Plate Monitoring
Privacy
• “The right of individuals to control or
influence what information related to them
may be collected and stored and by whom
and to whom that information may be
disclosed”
Google Street View
Why is it Important?
• Impacts virtually everyone
• Internet
• Cell Phones
• Personal information
• Law Enforcement
• Evidence Collection
• National Security
• Drift Net Type Approach
• Keyword Detection
Legal Background
• e-Surveillance is not a new subject that the
courts have had to deal with.
• In 1928 the U.S. Supreme Court ruled on a
case about it.
• In 1934 this ruling was reviewed and
changed.
Legal Background
• In 1967 the Supreme Court ruled that the
government could not infringe upon a
person's reasonable expectation of privacy.
• In 1968 Congress codified the requirements
to obtain court authority for interception of
oral and wire communication.
• In 1986 this Act was amended to include
electronic communication.
e-Surveillance Techniques
• Spyware
• Network Monitoring
• Compromising Emanations (CE)
• Biometrics (hand scanning, iris scanning)
Spyware
• Various Threat Levels
• Identification Cookies (low)
• Associated (3rd party) Cookies (low – med)
• Application based (medium – high)
Spyware Infections
[Figure: chart of spyware infections by severity. Legend: Major, Moderate, Minor. Values shown: 15%, 25%, 60%. Callouts: "Key loggers send sensitive data (e.g. passwords) to spyware controller"; "Commercial habits, and search keywords"; "Sends host name, IP addresses, and computer processes"; "Associated Cookies".]
Delivery of App Based Spyware
• Piggybacking on other software
• Hidden in utility applications
• Execution of ActiveX or Java Applets
Network Monitoring
• Packet Sniffers
• Hardware + Software
• Narus Semantic Traffic Analyzer
• State of the art monitoring software (“Ultimate
Net Monitoring Tool”)
• Linux based
• Used by NSA in monitoring Internet traffic
• Used by ISPs to perform court-ordered
monitoring
Compromising Emanations
• TEMPEST – codename referring to study of
CE
• Heavily researched in military applications
• Examples:
• computer monitors (optical, electromagnetic)
• CPU (electromagnetic)
• keyboard (acoustic)
Compromising Emanations
• Soft Tempest
• method for preventing eavesdropping on
monitor emissions
• works by using software to filter off some of
the higher frequencies before they are sent to
the monitor
Soft Tempest Example
[Figure: monitor output before and after Soft Tempest filtering]
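The filtering idea on the Soft Tempest slides, as an added example that is not from the original presentation: a low-pass filter is applied to one scanline of text and the spectral energy in the upper band is measured before and after. The scanline, the triangular kernel and the 0.3 cutoff are constructed assumptions, not the parameters of the Soft Tempest work.

```python
import cmath

# Constructed sample: one 32-pixel scanline of black text (0) on white (255).
SCANLINE = [255]*8 + [0]*4 + [255]*4 + [0]*2 + [255]*6 + [0]*4 + [255]*4

# Assumed smoothing kernel (triangular FIR); not the filter from the Soft Tempest work.
KERNEL = (1, 2, 3, 2, 1)


def low_pass(row, kernel=KERNEL):
    """Smooth a scanline horizontally; pixels past either end repeat the edge pixel."""
    half, total = len(kernel) // 2, sum(kernel)
    out = []
    for i in range(len(row)):
        acc = 0
        for k, weight in enumerate(kernel):
            j = min(max(i + k - half, 0), len(row) - 1)
            acc += weight * row[j]
        out.append(acc / total)
    return out


def high_band_energy(row, cutoff=0.3):
    """Sum of |DFT bin|^2 for bins above `cutoff` (as a fraction of Nyquist)."""
    n = len(row)
    first_bin = int(cutoff * (n // 2)) + 1
    energy = 0.0
    for k in range(first_bin, n // 2 + 1):
        coeff = sum(row[t] * cmath.exp(-2j * cmath.pi * k * t / n) for t in range(n))
        energy += abs(coeff) ** 2
    return energy


def attenuation(row=SCANLINE):
    """Ratio of high-band energy after filtering to before (smaller is quieter)."""
    return high_band_energy(low_pass(row)) / high_band_energy(row)


if __name__ == "__main__":
    print("high-band energy kept: %.1f%%" % (100 * attenuation()))
    print("filtered pixels:", [round(p) for p in low_pass(SCANLINE)])
```

The filtered scanline keeps its average brightness and the position of each stroke, so the text stays readable while the sharp edges that dominate the upper band are softened.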
Biometrics
• Automated methods of recognizing a person
based on a physiological or behavioral
characteristic
Use of Biometrics
• Sec. 403(c) of the USA-PATRIOT Act specifically requires the
federal government to "develop and certify a technology standard that
can be used to verify the identity of persons" applying for or seeking
entry into the United States on a U.S. visa "for the purposes of
conducting background checks, confirming identity, and ensuring that
a person has not received a visa under a different name."
• Enhanced Border Security and Visa Entry Reform Act of 2002,
Sec. 303(b)(1), requires that only "machine-readable, tamper-resistant
visas and other travel and entry documents that use biometric
identifiers" shall be issued to aliens by October 26, 2004. The
Immigration and Naturalization Service (INS) and the State
Department currently are evaluating biometrics for use in U.S. border
control pursuant to EBSVERA.
Uses of e-Surveillance Summary
• National Security (Government)
• ECHELON
• Carnivore (now defunct)
• Law Enforcement
• Finding Dealers of Child Pornography
• Finding Child Predators
• Corporate Security
• Employee Monitoring
• Internet Advertising
• Spyware
• Malicious Uses
• Identity Theft
• Credit Card Fraud
Techniques for Privacy Protection
• Firewalls
• software or hardware based
• Anti-spyware software
• Ad-Aware, Spybot, PestPatrol
• Encryption
• Tighter Security at OS Level
• FOOD
• Changes to Network Protocols
• DISCREET
FOOD
• System to prevent execution of malicious code on
Windows/X86
• Prior to execution, checks hash of binaries against
signature of allowed binaries – if not allowed,
execution denied
• Prevents unauthorized indirect branching
• Protects from buffer overflow attacks
• Cost – 35% performance hit!
• Weakness – Does not protect against scripted
(interpreted) code attacks – Perl, VB, etc.
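The hash check and its weakness from the FOOD slide, as an added example that is not FOOD's own code: a binary-only allowlist is compared with a script-aware variant on the same launches. SHA-256, the byte strings standing in for binaries and scripts, and the interpreter and script lists are assumptions made for the illustration.

```python
import hashlib


def digest(image):
    # SHA-256 is an assumption; the slide only says "hash".
    return hashlib.sha256(image).hexdigest()


# Constructed stand-ins for Windows/x86 binaries and Perl scripts.
EDITOR = b"MZ constructed editor image"
INTERPRETER = b"MZ constructed Perl interpreter image"
UNKNOWN = b"MZ constructed image nobody approved"
APPROVED_SCRIPT = b"print 'nightly backup';"
UNAPPROVED_SCRIPT = b"print 'script nobody approved';"

ALLOWED_BINARIES = {digest(EDITOR), digest(INTERPRETER)}
INTERPRETERS = {digest(INTERPRETER)}          # hypothetical extra list
ALLOWED_SCRIPTS = {digest(APPROVED_SCRIPT)}   # hypothetical extra list


def binary_only_check(image, script=None):
    """The check as the slide describes it: only the binary is hashed."""
    return digest(image) in ALLOWED_BINARIES


def script_aware_check(image, script=None):
    """Assumed extension: an allowed interpreter may only run an allowed script."""
    if digest(image) not in ALLOWED_BINARIES:
        return False
    if digest(image) in INTERPRETERS:
        return script is not None and digest(script) in ALLOWED_SCRIPTS
    return True


def decisions():
    """(binary-only verdict, script-aware verdict) for each constructed launch."""
    cases = {
        "approved editor": (EDITOR, None),
        "editor with one byte changed": (EDITOR + b"\x00", None),
        "unknown binary": (UNKNOWN, None),
        "interpreter + approved script": (INTERPRETER, APPROVED_SCRIPT),
        "interpreter + unapproved script": (INTERPRETER, UNAPPROVED_SCRIPT),
    }
    return {name: (binary_only_check(*args), script_aware_check(*args))
            for name, args in cases.items()}


if __name__ == "__main__":
    for name, verdicts in decisions().items():
        print(f"{name:34} binary-only={verdicts[0]!s:5} script-aware={verdicts[1]}")
```

The last case is the gap the slide names: the interpreter's hash is on the list, so the binary-only check passes whatever script it is handed.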
DISCREET (D-Core)
• New approach to user privacy
• Goals
• Allow users to take advantage of new services
without worrying about their private
information being misused
• Structure
• Three additional network layers (sub-layers of
the Application Layer)
• Identity Layer
• Confidentiality Layer
• Policy Control Layer
Challenges
• Balancing user privacy vs. the need for
information
• encryption – if it is too good then criminals can
communicate with impunity
• Balancing security and user friendliness
• Volume of Information (Mass Surveillance)
• Legal Issues
• FISA
• Patriot Act
Moving Forward
• Awareness
• 70% of American computer users claim to have
anti-spyware software on their computer, but only
55% actually do
• Only 22% have an enabled firewall, updated
anti-virus software, and anti-spyware software
installed on their computers
Moving Forward
• Pass laws to make it tougher to collect
personal information without consent, and
to prohibit unfair deceptive practices using
spyware
• I-SPY ACT (passed three times by House,
currently in Senate committee)
Conclusion
• Privacy will be an ongoing issue
• More capabilities lead to more security and
ethical issues