C3P: Context-Aware Crowdsourced Cloud Privacy (at PETS 2014)

Post on 10-Apr-2017


Transcript of C3P: Context-Aware Crowdsourced Cloud Privacy (at PETS 2014)

C3P: Context-Aware Crowdsourced Cloud Privacy

CloudSpaces

Privacy Enhancing Technologies Symposium, 2014

Files to Flowers

Conversion

20% of files shared to the cloud contain protected data

60% of sensitive files contain PII

30% …contain health info

Emergence of “Shadow IT”

60% increase in corporate data shared to the cloud in 2015

Source: Elastica’s Q2 2015 Shadow Data Report

Anti-Snooping Tools for the Cloud

Examples:

You cannot use cloud services.

You are fully protected.

Your files are always encrypted before uploading.

What if Antivirus Software was Similar?

You cannot run software.

You are fully protected.

Your files are always quarantined.

Obstacles

“I dedicate the rest of my life for sorting out sensitive from non-sensitive files on my HD”

Privacy vs. Services dilemma

Context-dependence of privacy

Manual effort and expertise for assessing data sensitivity

What is needed?

Ensure serviceable protection instead of brute encryption.

Account for the metadata, sharing environment, and data content.

Automatically estimate the sensitivity of shared data.

Introducing C3P

Various levels of information hiding

Define data in terms of context

Private crowdsourcing mechanism for gathering people’s privacy policies

Psychologically grounded approach for estimating sensitivity

Fine-Grained Policies


Defining Data through Context

Content, Metadata, Environment

Context Vocabulary

Terms in the vocabulary diagram: Location, Data, Topic, Media, Home, Office, Document, Software, Financial, Educational

Privacy Preserving Crowdsourcing

Sharing Operation Context

Example contexts from three users (User 1, User 2, User 3):

Business, Me, Colleague

Financial, Me, Stranger

Faces, Home, Friend

Other vocabulary terms shown: Work, Sea, Colleague, Family

K-anonymity

Forward-Anonymity

Sensitivity Estimation using Item Response Theory

Context: Faces, Home, Friend → High Sensitivity 75%

High Privacy Attitude 75%

Group Invariance (the same context, Faces, Home, Friend, shown for two groups)

Item Invariance

Connecting the Dots

Example context: Financial, Me, Stranger

Client / Server flow:

Context Extraction (client)

Sensitivity Request (client → server)

Sensitivity Reply (server → client)

Policy Decision (client)

Data Sharing (client)

Crowdsourcing (client → server)

Sensitivity Computation (server)

Evaluation

IRT Models Fit Privacy-Aware Cloud Sharing?

• Ex: With which privacy level would you share a project presentation with a friend?

• Standardized Infit Statistic (x-axis values should lie in [-2,2])

[Plots: Dichotomous case and Polytomous case; x-axis: Infit t-statistic; y-axis: Sensitivity; a dot represents a context; values shown on the slide: 81, 96]

Yes!

Temporal Cost of Crowdsourcing & Privacy

• Synthetic Dataset: Zipf context distribution; anonymity parameter k; av.: 1 Item/6 hours

[Plot values shown on the slide: 500, 3125, 30000]

Crowdsourcing cost: Hit rate (HR) from 0 to 90% in 10 days

Anonymity cost: HR difference starts high but vanishes in 10 days.

Effect of Sharing Behavior on the Temporal Cost

• Synthetic Dataset: Anonymity Parameter K=3; av.: 1 Item/6 hours

[Plot values shown on the slide: 500, 3125, 30000]

Effect: Long tail distribution is of lower temporal cost.

Robustness Towards Malicious Users?

• Test:

• Assign sensitivities to items and attitudes to people.

• Honest users choose policies according to the model.

• Malicious users choose policies at random.

[Plot: Preset Sensitivity vs. Computed Sensitivity (check)]

Tolerance: 25% malicious: ≈8% difference, 50% malicious: ≈17% difference
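The malicious-user test above, together with the IRT sensitivity estimation it exercises, as an added Python simulation that is not the talk's or the C3P project's code: honest users are assumed to follow a dichotomous Rasch model, P(protect) = sigmoid(attitude + sensitivity), fitted by joint maximum likelihood; the preset sensitivities, attitudes and responses are constructed sample values, so the error figures are illustrative and are not the slide's 8% and 17%.

```python
import math
import random

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

def simulate_policies(sens, attitudes, malicious_frac, rng):
    """Constructed responses: responses[p][i] = 1 if user p chose the protective policy
    for context i. Honest users follow the assumed Rasch model; the first malicious_frac
    of users pick policies uniformly at random, as in the slide's test."""
    n_mal = int(len(attitudes) * malicious_frac)
    responses = []
    for p, theta in enumerate(attitudes):
        row = []
        for s in sens:
            prob = 0.5 if p < n_mal else sigmoid(theta + s)
            row.append(1 if rng.random() < prob else 0)
        responses.append(row)
    return responses

def estimate_sensitivity(responses, iters=30):
    """Joint maximum-likelihood Rasch fit: alternate one Newton step on each context
    sensitivity and each user attitude. Clamping keeps a user who protects everything
    (or nothing) from driving the fit to infinity; the scale is defined up to a shift."""
    n_users, n_items = len(responses), len(responses[0])
    theta, sens = [0.0] * n_users, [0.0] * n_items
    for _ in range(iters):
        for i in range(n_items):
            probs = [sigmoid(theta[p] + sens[i]) for p in range(n_users)]
            grad = sum(responses[p][i] - probs[p] for p in range(n_users))
            info = sum(q * (1.0 - q) for q in probs)
            sens[i] = max(-6.0, min(6.0, sens[i] + grad / info))
        for p in range(n_users):
            probs = [sigmoid(theta[p] + s) for s in sens]
            grad = sum(responses[p][i] - probs[i] for i in range(n_items))
            info = sum(q * (1.0 - q) for q in probs)
            theta[p] = max(-6.0, min(6.0, theta[p] + grad / info))
    return sens

def robustness_check(malicious_frac, n_users=300, n_items=20, seed=2014):
    """Preset vs. computed sensitivity (slide 19): mean absolute error in logit units,
    after aligning the means because the Rasch scale is only identified up to a shift."""
    rng = random.Random(seed)
    preset = [rng.uniform(-2.0, 2.0) for _ in range(n_items)]          # constructed
    attitudes = [rng.gauss(0.0, 1.0) for _ in range(n_users)]          # constructed
    computed = estimate_sensitivity(simulate_policies(preset, attitudes, malicious_frac, rng))
    shift = sum(preset) / n_items - sum(computed) / n_items
    return sum(abs(a - (b + shift)) for a, b in zip(preset, computed)) / n_items
```

Calling robustness_check with 0.0, 0.25 and 0.5 gives increasing mean absolute errors, reproducing the qualitative degradation the slide reports rather than its exact percentages.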

Future Work

• Recommendation of policies to users

• Batch sensitivity analysis

• Considering probabilistic attacks on the scheme

• Working with IRT alternatives.

ELO MF

PrivyShare

PrivyShare - Desktop

PrivyShare Benefits

• Works with any cloud service

• Provides “Sensitivity as a Service”

• Offers fine-grained protection:

• Metadata cleaning

• Face Blurring

• Encryption

• Encryption + Auxiliary Information (automatic summaries, blurred thumbnails)

PrivyShare - Browser

PrivySeal: Dealing with 3rd Party Cloud Apps


PrivySeal

privyseal.epfl.ch


Questions

hamzaharkous.com

Images/Media Credits

• Pixel77

• Freepik