Privacy issues in network environments
-
Upload
josef-noll -
Category
Technology
-
view
1.706 -
download
2
description
Transcript of Privacy issues in network environments
-
Lappeenranta Summer School on Telecommunications 2008
-
Privacy Issues in Network Environments
Josef NollUniversity Graduate Center at Kjeller, UNIK/
University of Oslo, UiO
Lappeenranta, 19 August 2008
http://wiki.unik.no
19. Aug 2008, Josef NollPrivacy Issues
! Research and Education at Kjeller
! Close relation to FFI, IFE, NILU,...
2
19. Aug 2008, Josef NollPrivacy Issues
“Innovation by Design”
"Movation is a very exciting initiative where some of the best
companies in Norway commit themselves to build the Norwegian
national team in wireless technology innovation”
– Paul Chaffey, Abelia
3
19. Aug 2008, Josef NollPrivacy Issues
Have you heard these ones? from Scott Mc Nealy (Sun Microsystems)
4
“The privacy you are so fond of is
mostly an illusion”
“You have no privacy. Get over it.”
19. Aug 2008, Josef NollPrivacy Issues
Have you heard these ones? from Scott Mc Nealy (Sun Microsystems)
4
“The privacy you are so fond of is
mostly an illusion”
“You have no privacy. Get over it.”
So, let’s go home and do
something useful
19. Aug 2008, Josef NollPrivacy Issues
How come these guys didn’t think of that?
5
11 ©2007 Deloitte & Touche GmbH WirtschaftsprüfungsgesellschaftWeb 2.0 Expo Berlin 2007
How come these guys didn’t think of that?
Source: Stefan Weiss, Deloite & Touche, 2007
19. Aug 2008, Josef NollPrivacy Issues
Outline
! Privacy, Identity, Trust, Reputation,....
! Network environments– technical: Internet and wireless networks
– Social networks
– .... networks
6
! Technologies
! Protection mechanisms
! Legal issues
! Tips and tricks
19. Aug 2008, Josef NollPrivacy Issues
Privacy
7
Privacy is the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively. The boundaries and content of what is considered private differ among cultures and individuals, but share basic common themes. Privacy is sometimes related to anonymity, the wish to remain unnoticed or unidentified in the public realm.
source: Wikipedia
19. Aug 2008, Josef NollPrivacy Issues
Privacy
7
Privacy is the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively. The boundaries and content of what is considered private differ among cultures and individuals, but share basic common themes. Privacy is sometimes related to anonymity, the wish to remain unnoticed or unidentified in the public realm.
source: Wikipedia
! Physical: - intrusion into physical space (sauna, stalking,...)- searching in my personal possessions- access to my home
! Informational- Internet, electronic traces- Medical data
! Organisational- Industrial property rights (IPR)- protection of secrets
19. Aug 2008, Josef NollPrivacy Issues
Physical privacy! don’t touch me
! don’t kiss me
! don’t invade
! don’t you dare
8
19. Aug 2008, Josef NollPrivacy Issues
Physical privacy! don’t touch me
! don’t kiss me
! don’t invade
! don’t you dare
8
Factors
! cultural sensitivity
! personal dignity
! shyness
! safety concerns
19. Aug 2008, Josef NollPrivacy Issues
Physical privacy! don’t touch me
! don’t kiss me
! don’t invade
! don’t you dare
8
The worst places (for me)
Factors
! cultural sensitivity
! personal dignity
! shyness
! safety concerns
19. Aug 2008, Josef NollPrivacy Issues
Physical privacy! don’t touch me
! don’t kiss me
! don’t invade
! don’t you dare
8
The worst places (for me)
Factors
! cultural sensitivity
! personal dignity
! shyness
! safety concerns
The best places (for me)
19. Aug 2008, Josef NollPrivacy Issues
Physical privacy! don’t touch me
! don’t kiss me
! don’t invade
! don’t you dare
8
The worst places (for me)
Factors
! cultural sensitivity
! personal dignity
! shyness
! safety concerns
The best places (for me)
19. Aug 2008, Josef NollPrivacy Issues
Organisational privacy
9
! Access to fingerprints of all people
!
! What is in Coca Cola?
! When will VW launch the new Golf?
19. Aug 2008, Josef NollPrivacy Issues
Organisational privacy
9
Factors
! Patent (IPR)
! Trade mark
! price of information
! effect of damage
! Access to fingerprints of all people
!
! What is in Coca Cola?
! When will VW launch the new Golf?
19. Aug 2008, Josef NollPrivacy Issues
Information privacy
10
Information about me
! electronic information stored about me
- religion, sexual orientation, political opinion
- personal activities- family information
! Membership in social networks
! access to accounts
! Medical information
! Political privacy
19. Aug 2008, Josef NollPrivacy Issues
Information privacy
10
Information about me
! electronic information stored about me
- religion, sexual orientation, political opinion
- personal activities- family information
! Membership in social networks
! access to accounts
! Medical information
! Political privacy
Electronic traces
! Mobile phone- GSM, - Bluetooth
! sensor data
! traffic cameras
! surveillance
! payment card usage
! fingerprint check-in
19. Aug 2008, Josef NollPrivacy Issues
Summary
Factors influencing privacy
11
! cultural sensitivity
! personal dignity
! shyness
! ....
19. Aug 2008, Josef NollPrivacy Issues
Summary
Factors influencing privacy
11
! cultural sensitivity
! personal dignity
! shyness
! ....
! safety concerns
! effect of damage
! professional reputation
! discrimination ....
19. Aug 2008, Josef NollPrivacy Issues
Summary
Factors influencing privacy
11
! cultural sensitivity
! personal dignity
! shyness
! ....
! safety concerns
! effect of damage
! professional reputation
! discrimination ....
19. Aug 2008, Josef NollPrivacy Issues
Summary
Factors influencing privacy
11
! cultural sensitivity
! personal dignity
! shyness
! ....
! safety concerns
! effect of damage
! professional reputation
! discrimination ....
My own understanding
Privacy is about protecting myself such that others can’t harm me more than I can tolerate
others --> trust, relation
harm --> my roles (identity)
19. Aug 2008, Josef NollPrivacy Issues
Reality
What the Internet knows about me
12
Preface
I am not a member of a social network (yet). I do not publishing pictures about me.
And still ...
19. Aug 2008, Josef NollPrivacy Issues
Reality
What the Internet knows about me
12
Preface
I am not a member of a social network (yet). I do not publishing pictures about me.
And still ...
19. Aug 2008, Josef NollPrivacy Issues
Reality
What the Internet knows about me
12
Preface
I am not a member of a social network (yet). I do not publishing pictures about me.
And still ...
19. Aug 2008, Josef NollPrivacy Issues
Reality
What the Internet knows about me
12
Preface
I am not a member of a social network (yet). I do not publishing pictures about me.
And still ...
19. Aug 2008, Josef NollPrivacy Issues
Reality
What the Internet knows about me
12
Preface
I am not a member of a social network (yet). I do not publishing pictures about me.
And still ...
and I’m only talking about my public available data
19. Aug 2008, Josef NollPrivacy Issues
Two more definitions
13
Context,Presence
Community
User profile,privacy
Roles,Identities
User behaviour
Location,Proximity
19. Aug 2008, Josef NollPrivacy Issues
Two more definitions
13
others
--> trust, relation
harm --> my roles (identity)
Context,Presence
Community
User profile,privacy
Roles,Identities
User behaviour
Location,Proximity
19. Aug 2008, Josef NollPrivacy Issues
Identity! In philosophy, identity is whatever makes an entity definable
and recognizable, in terms of possessing a set of qualities or characteristics.
! Identity is an umbrella term used throughout the social sciences for an individual's comprehension of him or herself as a discrete, separate entity.
! Digital identity also has another common usage as the digital representation of a set of claims made by one digital subject about itself or another digital subject.
! An online identity is a social identity that network users establish in online communities.
! As more more services are accessible in digital world, digital identities and their management will play a vital role in secure service access and privacy …..
14source: Wikipedia
19. Aug 2008, Josef NollPrivacy Issues
Digital identity
! Recommendation: Dick Hardt@OSCON, Identity 2.0
15June 09, 2008; MushfiqSWACOM Meeting, Grimstad 3
Identity: Real world to digital world
Real world Identities
Digital world
identities
Identity
Digital world
Passwords
everywhere
19. Aug 2008, Josef NollPrivacy Issues
The dilemma of computer science
Identity - “same as” and “not”! Identity is an umbrella term used throughout the social
sciences for an individual's comprehension of him or herself as a discrete, separate entity.
16
19. Aug 2008, Josef NollPrivacy Issues
The dilemma of computer science
Identity - “same as” and “not”! Identity is an umbrella term used throughout the social
sciences for an individual's comprehension of him or herself as a discrete, separate entity.
16
! Computer science: use of ontologies, binary strings ‘xFxkeyil9e4’
JosefJosef Noll
same as
19. Aug 2008, Josef NollPrivacy Issues
The dilemma of computer science
Identity - “same as” and “not”! Identity is an umbrella term used throughout the social
sciences for an individual's comprehension of him or herself as a discrete, separate entity.
16
! Computer science: use of ontologies, binary strings ‘xFxkeyil9e4’
JosefJosef Noll
same as
ContextCommunity
Roles,Identities
19. Aug 2008, Josef NollPrivacy Issues
The dilemma of computer science
Identity - “same as” and “not”! Identity is an umbrella term used throughout the social
sciences for an individual's comprehension of him or herself as a discrete, separate entity.
16
! Computer science: use of ontologies, binary strings ‘xFxkeyil9e4’
JosefJosef Noll
same as
ContextCommunity
Roles,Identities
! Are we in computer science in the Middle Ages?
! G. W. Leipniz (1646): if a=b and b=c, then a=c
19. Aug 2008, Josef NollPrivacy Issues
Reputation and Trust! Reputation is the opinion (more technically, a social evaluation) of
the public toward a person, a group of people, or an organization. It is an important factor in many fields, such as business, online communities or social status.
! Reputation is known to be a ubiquitous, spontaneous and highly efficient mechanism of social control in natural societies.
17
! Trust is a relationship of reliance. A trusted party is presumed to seek to fulfill policies, ethical codes, law and their previous promises.
! Trust is a prediction of reliance on an action, based on what a party knows about the other party. Comment: Members of “la familia” trusts each other
19. Aug 2008, Josef NollPrivacy Issues
Reputation and Trust! Reputation is the opinion (more technically, a social evaluation) of
the public toward a person, a group of people, or an organization. It is an important factor in many fields, such as business, online communities or social status.
! Reputation is known to be a ubiquitous, spontaneous and highly efficient mechanism of social control in natural societies.
17
! Trust is a relationship of reliance. A trusted party is presumed to seek to fulfill policies, ethical codes, law and their previous promises.
! Trust is a prediction of reliance on an action, based on what a party knows about the other party. Comment: Members of “la familia” trusts each other
do we really believe we can manage trust and represent reputation?
19. Aug 2008, Josef NollPrivacy Issues 18
! !
!"#$%&#'()*+&#$')&'(,*-+('-
Source: New York Times; Lasse Øverlier
19. Aug 2008, Josef NollPrivacy Issues
Revisit:Information privacy
19
19. Aug 2008, Josef NollPrivacy Issues
Revisit:Information privacy
19
It starts with the radio
! radio is broadcast: everyone can listen
! “radio identity” (MAC, Bluetooth,...) is known
! eavesdropping of traffic, man-in-the-middle: read-your email (smtp is plain text)
! Bluetooth and other ad-hoc networks, connectivity to phone without notice
! wireless networks at home: WEP easy to crack, access to whole home infrastructure
! Mobile phone (GSM): location, fake base-station
19. Aug 2008, Josef NollPrivacy Issues
Revisit:Information privacy
20
And it never stops
! Eavesdropping -> read your communication
! Crack WEP (encryption) -> read open information
! DNS forging -> leading you to a different site
! Phishing -> getting your secure information
! “Click to confirm that you read the privacy issue”
! Netvibes: Leading personal start page to manage your digital life
! Banking, Social Networks....
19. Aug 2008, Josef NollPrivacy Issues
Revisit:Information privacy
20
And it never stops
! Eavesdropping -> read your communication
! Crack WEP (encryption) -> read open information
! DNS forging -> leading you to a different site
! Phishing -> getting your secure information
! “Click to confirm that you read the privacy issue”
! Netvibes: Leading personal start page to manage your digital life
! Banking, Social Networks....
19. Aug 2008, Josef NollPrivacy Issues
Revisit:Information privacy
20
And it never stops
! Eavesdropping -> read your communication
! Crack WEP (encryption) -> read open information
! DNS forging -> leading you to a different site
! Phishing -> getting your secure information
! “Click to confirm that you read the privacy issue”
! Netvibes: Leading personal start page to manage your digital life
! Banking, Social Networks....
19. Aug 2008, Josef NollPrivacy Issues
Some technology first
Have you heard these ones?
21
"Last year (2007) the world produced more transistors
than rice corns”
– Hans Christian Haugli, CEO, Telenor R&I
“In three to five years we will interact with to 30-50
devices in our vicinity” – Marie Austenstaa, Connected Objects, Telenor R&I
19. Aug 2008, Josef NollPrivacy Issues
“The speed of technology”! The speed of development
22
source: Gerhard Fettweis, TU Dresden
! Do you remember: “There might be a need for 5 computers” (1943 Watson(?), 1951 Hartree)
! Mobile: NMT, GSM, GPRS, EDGE, UMTS, 3G, HSDPA, SMS, EMS, MMS,... DVB-H,...
19. Aug 2008, Josef NollPrivacy Issues
! N. Arora, Google Europe Manager [Oslo Innovation Week]:
– By 2012, iPods ... be capable of holding all music you will ever hear in your life (or one year of video)
– By 2018 it can hold all videos ever produced
! This speed will continue until 2025 [ITRS Roadmap]
Mobile Phone and Sensors
23
19. Aug 2008, Josef NollPrivacy Issues
! N. Arora, Google Europe Manager [Oslo Innovation Week]:
– By 2012, iPods ... be capable of holding all music you will ever hear in your life (or one year of video)
– By 2018 it can hold all videos ever produced
! This speed will continue until 2025 [ITRS Roadmap]
! Imagine a device, which – will save all the conversations you ever had
– will record all the environments you have ever been in
– identity all people you have ever talked to and remember what you talked about
Mobile Phone and Sensors
23
19. Aug 2008, Josef NollPrivacy Issues
! N. Arora, Google Europe Manager [Oslo Innovation Week]:
– By 2012, iPods ... be capable of holding all music you will ever hear in your life (or one year of video)
– By 2018 it can hold all videos ever produced
! This speed will continue until 2025 [ITRS Roadmap]
! Imagine a device, which – will save all the conversations you ever had
– will record all the environments you have ever been in
– identity all people you have ever talked to and remember what you talked about
! “Your Mobile will do”
Mobile Phone and Sensors
23
19. Aug 2008, Josef NollPrivacy Issues
Let’s get at deep breath....
and see what we can do about it
24
19. Aug 2008, Josef NollPrivacy Issues
RecallLessions learned
! Definitions of Privacy, Identity, Trust, Reputation,....
! “It all begins with the radio”
– location, device identity
– eavesdropping, phishing, man-in-the-middle, forging
! The user providing all kinds of information– social networks, service providers, ...
25
19. Aug 2008, Josef NollPrivacy Issues
Challenge
Manage the Privacy 2.0 Bermuda Triangle
2619 ©2007 Deloitte & Touche GmbH WirtschaftsprüfungsgesellschaftWeb 2.0 Expo Berlin 2007
Challenge: Manage the Privacy 2.0 Bermuda Triangle
User’s Privacy
Data iseverywhere
High value ofpersonal data
Vulnerabletechnology
Source: Stefan Weiss, Deloite & Touche, 2007
19. Aug 2008, Josef NollPrivacy Issues
Privacy Requirements
27
Network access
email, photo
Examples of Services
VPN, !/$
“How much will it cost me if my privacy gets compromised?”
•see: lost mobile phone, security of your house
•take appropriate measures
19. Aug 2008, Josef NollPrivacy Issues
Protecting the identity?
! 8 million US residents victims of identity theft in 2006 (4% of adults)
! US total (known) cost of identity theft was $49 billion – ~10% was paid by customers
– remaining by merchants and financial institutions
! Average victim spent $531 and 25 hours to repair for damages
28
Source: Lasse Øverlier & California Office of Privacy Protection
ID theft in secondshttp://itpro.no/art/11501.html
19. Aug 2008, Josef NollPrivacy Issues
2nd lecturePersonalisation, tips and tricks
! Personalisation of service, why?
! The role of the mobile phone– Seamless authentication
– Payment and access
! Protection mechanisms– Legal issues
– Tips and tricks
–
29
19. Aug 2008, Josef NollPrivacy Issues
! Complexity is ever increasing -> Need for reduction
! Technology is in place -> Semantics, Web Services,...
! Research projects address adaptation of services towards user needs
! Mobile phones are becoming the source for Internet and Service access
– 20-30 % of all phones worldwide will be smartphones by 2009
– 30 % of mobile users in the Nordic will receive push content by 2010
! Market need for personalisation: “Mobile advertisement has to fit to the user, otherwise it will fail completely”
30
User profiles/profiling -
“We have heard that before, nothing has happened”
[Movation White Paper, Mobile Phone Evolution, April 2007]
19. Aug 2008, Josef NollPrivacy Issues
! “Mobile advertisement is 1000 to 10000 times more valuable as Internet advertisement” [Bjarne Myklebust, NRK]
! “The chances of annoying customers through mobile advertisements are high. Mobile advertisements have to fit.”
! “Mobile advertising isn’t only hot, it’s on fire.” [Bena Roberts, GoMo News]
! Operators launch mobile advertisement companies (Telenor)
31
User profiles/profiling -
“Nobody is willing to pay for it”
19. Aug 2008, Josef NollPrivacy Issues 32
My phone collects all my security
SIM with NFC & PKI
Josef Noll, “Who owns the SIM?”, 5 June 2007
Mobile Services, incl. NFC
• Focus in 2008 on
mobile web
• Push content upcoming
• NFC needs next
generation phones
• S60, UIQ, ...
• Common Application
development
• Integrated
development
[“Mobile Phone Evolution”, Movation White paper, May 2007]
Expected customer usage [%] “have tried” of
mobile services in the Nordic Market
0
15
30
45
60
2006 2008 2010
SMS authentication Mobile WebPush content NFC payment
33
Josef Noll, “Who owns the SIM?”, 5 June 2007
Mobile Services, incl. NFC
• Focus in 2008 on
mobile web
• Push content upcoming
• NFC needs next
generation phones
• S60, UIQ, ...
• Common Application
development
• Integrated
development
[“Mobile Phone Evolution”, Movation White paper, May 2007]
Expected customer usage [%] “have tried” of
mobile services in the Nordic Market
0
15
30
45
60
2006 2008 2010
SMS authentication Mobile WebPush content NFC payment
33
19. Aug 2008, Josef NollPrivacy Issues
Operator supported service access
34
Seamless authenticationAuthentication
provider
19. Aug 2008, Josef NollPrivacy Issues
Operator supported service access
34
Seamless authentication
Service access
Authentication provider
19. Aug 2008, Josef NollPrivacy Issues
Operator supported service access
34
Seamless authentication
Physical access
VPNService access
Authentication provider
19. Aug 2008, Josef NollPrivacy Issues
Operator supported service access
34
Seamless authentication
Physical access
VPN
Home access, .mp3,
.jpg
Service access
Authentication provider
19. Aug 2008, Josef NollPrivacy Issues
Mobile Phone supported access! SMS one-time password
! MMS, barcode
! eCommerce (SMS exchange)
! Network authentication
! WAP auto access
! Applets: PIN code generation (Bank ID)
! Future SIM35
Photo: Spanair
19. Aug 2008, Josef NollPrivacy Issues 36
WAP gatewaySeamless authentication
Source: Erzsebet Somogyi, UNIK
19. Aug 2008, Josef NollPrivacy Issues 36
WAP gatewaySeamless authentication
Source: Erzsebet Somogyi, UNIK
19. Aug 2008, Josef NollPrivacy Issues 36
WAP gatewaySeamless authentication
HTTP request
94815894
Source: Erzsebet Somogyi, UNIK
19. Aug 2008, Josef NollPrivacy Issues 36
WAP gatewaySeamless authentication
HTTP request
94815894 Hash
Source: Erzsebet Somogyi, UNIK
19. Aug 2008, Josef NollPrivacy Issues 36
WAP gatewaySeamless authentication
HTTP request
94815894 Hash
HTTP request
!"#$%&'()*+,-.//
Source: Erzsebet Somogyi, UNIK
19. Aug 2008, Josef NollPrivacy Issues 36
WAP gatewaySeamless authentication
HTTP request
94815894 Hash
HTTP request
!"#$%&'()*+,-.//
Pictures for ’rzso’.
Password:1234sID: cTHG8aseJPIjog==
Source: Erzsebet Somogyi, UNIK
19. Aug 2008, Josef NollPrivacy Issues 37
Bankingfrom the mobile phone
Security considerations
! Equally secure as SMS (get your account status)
! Easy to use
! Advanced functionality through PIN (if required)
" Seamless phone (SIM) authentication
! Advanced security when required
– BankID or
– PIN
Welcome Josef: SIM authentication
Smartcard interfacesISO/IEC 7816
NFCcommunication
unit
SIM
NFC2SIM
19. Aug 2008, Josef NollPrivacy Issues 37
Bankingfrom the mobile phone
Security considerations
! Equally secure as SMS (get your account status)
! Easy to use
! Advanced functionality through PIN (if required)
" Seamless phone (SIM) authentication
! Advanced security when required
– BankID or
– PIN
Welcome Josef: SIM authentication
Account status
Information:
Using SIM,no customer input
required
Smartcard interfacesISO/IEC 7816
NFCcommunication
unit
SIM
NFC2SIM
19. Aug 2008, Josef NollPrivacy Issues 37
Bankingfrom the mobile phone
Security considerations
! Equally secure as SMS (get your account status)
! Easy to use
! Advanced functionality through PIN (if required)
" Seamless phone (SIM) authentication
! Advanced security when required
– BankID or
– PIN
Welcome Josef: SIM authentication
Transfer, payments
Advanced functionality
BankID or PIN(double security)
Account status
Information:
Using SIM,no customer input
required
Smartcard interfacesISO/IEC 7816
NFCcommunication
unit
SIM
NFC2SIM
19. Aug 2008, Josef NollPrivacy Issues 38
MyBank example:
User incentive:
! “My account is just one click away”
! “enhanced security for transactions”
"Phone (SIM) authentication
"Level 2 security through PKI/BankID/PIN?
19. Aug 2008, Josef NollPrivacy Issues 39
RFID and NFCexample: Birkebeiner
! Online information to mobile phone
! Could be used for photo, video, etc
19. Aug 2008, Josef NollPrivacy Issues 40
NFC – Near field communication
! Based on RFID technology at 13.56 MHz
! Typical operating distance 10 cm
! Compatible with RFID
! Data rate today up to 424 kbit/s
! Philips and Sony
• ECMA-340, ISO/IEC 18092 & ECMA-352, …standards
• Powered and non-self powered devices
Photo: Nokia
19. Aug 2008, Josef NollPrivacy Issues
NFC is ...
! RFID at 13.56 MHz
! RF (modem) and protocolls
41
19. Aug 2008, Josef NollPrivacy Issues
NFC is ...
! RFID at 13.56 MHz
! RF (modem) and protocolls
41
Passive operation:1) Phone=Reader has static magnetic field2) Tag acts as resonator, “takes energy” ~1/r^6
19. Aug 2008, Josef NollPrivacy Issues
NFC is ...
! RFID at 13.56 MHz
! RF (modem) and protocolls
41
Passive operation:1) Phone=Reader has static magnetic field2) Tag acts as resonator, “takes energy” ~1/r^6
19. Aug 2008, Josef NollPrivacy Issues
NFC is ...
! RFID at 13.56 MHz
! RF (modem) and protocolls
41
Passive operation:1) Phone=Reader has static magnetic field2) Tag acts as resonator, “takes energy” ~1/r^6
0 0,8 1,6 2,4 3,2 4 4,8 5,6 6,4 7,2 8 8,8 9,6
0,25
0,5
0,75
1
1/r^2
1/r^6
Power decrease of static and electromagnetic field
19. Aug 2008, Josef NollPrivacy Issues
NFC use cases! Payment and access
– include Master-/Visacard in the phone
– have small amount money electronically
– admittance to work
! Service Discovery– easy access to mobile services:
Web page, SMS, call, ...
– local information and proximity services (get a game)
! Ticketing– Mobile tickets for plain, train, bus:
Parents can order and distribute, ...
42
Source: Nokia 6131 NFC Technical Product Description
19. Aug 2008, Josef NollPrivacy Issues
NFCIP-2 Interface and protocol
43
ECMA-340
Interface Standards
ISO/IEC 14443
PCD mode
(MIFARE, FeliCa)
ISO/IEC 15693
VCD mode
(facility access)
NFC deviceProximity Card
ReaderVicinity Card
Reader
19. Aug 2008, Josef NollPrivacy Issues
NFCIP-2 Interface and protocol
43
ECMA-340
Interface Standards
ISO/IEC 14443
PCD mode
(MIFARE, FeliCa)
ISO/IEC 15693
VCD mode
(facility access)
NFC deviceProximity Card
ReaderVicinity Card
Reader
NFC ECMA-340
YES340 okay
19. Aug 2008, Josef NollPrivacy Issues
NFCIP-2 Interface and protocol
44
ECMA-340
Interface Standards
ISO/IEC 14443
PCD mode
(MIFARE, FeliCa)
ISO/IEC 15693
VCD mode
(facility access)
NFC deviceProximity Card
ReaderVicinity Card
Reader
19. Aug 2008, Josef NollPrivacy Issues
NFCIP-2 Interface and protocol
44
ECMA-340
Interface Standards
ISO/IEC 14443
PCD mode
(MIFARE, FeliCa)
ISO/IEC 15693
VCD mode
(facility access)
NFC deviceProximity Card
ReaderVicinity Card
Reader
NO15693 okay
19. Aug 2008, Josef NollPrivacy Issues
The radioNFC and privacy
! NFC is “as bad” as– your contactless Master and Visa card
– your passport
! Typical reading distance up to 4 cm (for activation)
! Eavesdropping possible under operation (1/r^2), – encrypted communication
45
19. Aug 2008, Josef NollPrivacy Issues
The radioNFC and privacy
! NFC is “as bad” as– your contactless Master and Visa card
– your passport
! Typical reading distance up to 4 cm (for activation)
! Eavesdropping possible under operation (1/r^2), – encrypted communication
45
Passport
! USA: passport can only be read when opened
! European passport: just place it on NFC reader
19. Aug 2008, Josef NollPrivacy Issues
From current SIM to Future SIM
46
New visionsfor mobile / UICC
Current Telenor Current Telenor
SIM (UICC) cardSIM (UICC) card(from 2001)(from 2001)
GlobalPlatform’s
Real Estate 3.rd
Party sec. domains
vision
SUN
2009?
(Java)
Plus ETSI SCP
3 new phys IFs:
12 Mb/s USB
NFC (SWP)
On-board
WEB server !
Multi-
Thread
New visionsfor mobile / UICC
Current Telenor Current Telenor
SIM (UICC) cardSIM (UICC) card(from 2001)(from 2001)
GlobalPlatform’s
Real Estate 3.rd
Party sec. domains
vision
SUN
2009?
(Java)
Plus ETSI SCP
3 new phys IFs:
12 Mb/s USB
NFC (SWP)
On-board
WEB server !
Multi-
Thread
Source: Judith Rossebø, Telenor
! To comply with 3G networking requirements (USIM)
– Security features (algorithms and protocols), longer key lengths
– GSM uses EAP SIM: client authentication
– UMTS uses EAP AKA: Mutual authentication
! 3rd party identities – ISIM application (IMS)
– private user identity
– one or more public user identities
– Long term secret
19. Aug 2008, Josef NollPrivacy Issues
Network privacy
! GSM– client-based positioning allows user to take control
– trustworthy operators?
! WLAN– open for all kinds of attacks
– example: TraceRoute for exposing packet origin
– encrypted communication and more....
! Bluetooth– are you afraid, then switch it off
– I leave it on, danger for getting tapped is rather small
! Social Network
! Web tools, e.g. search present significant privacy issue
47
19. Aug 2008, Josef NollPrivacy Issues
Do you know Freddie Staur4
48
13 ©2007 Deloitte & Touche GmbH WirtschaftsprüfungsgesellschaftWeb 2.0 Expo Berlin 2007
Do you know Freddie Staur4?
4 www.sophos.com/facebook, Survey among 200 randomly chosen Facebook users, August 2007.
•Sophos Facebook ID probe shows 41% of users happy
to reveal all to potential identity thieves
•Research highlights dangers of irresponsible behavior on
social networking sites
Source: Stefan Weiss, Deloite & Touche, 2007
19. Aug 2008, Josef NollPrivacy Issues
Privacy is not about ...
49
9 ©2007 Deloitte & Touche GmbH WirtschaftsprüfungsgesellschaftWeb 2.0 Expo Berlin 2007
Privacy is not about getting your private space
Sources: isolatr.com; Stefan Weiss, Deloite & Touche, 2007
19. Aug 2008, Josef NollPrivacy Issues
Privacy is not about ...
50
19. Aug 2008, Josef NollPrivacy Issues
Privacy is not about ...
50
Switching off the lights
19. Aug 2008, Josef NollPrivacy Issues
Private Sphere and PrivacyDirective 95/46/EC of the European parliament
! Data must be fairly and lawfully processed
! They must be processed for prior specified and limited purposes
! Adequate, relevant and not excessive
! Accurate
! Not kept longer than necessary
! Processed in accordance with the data subject’s rights
! Secure
! Not transferred to countries without adequate protection
51
19. Aug 2008, Josef NollPrivacy Issues
And the law might be applicable to Google
Google has to obey Norwegian law
! Art. 29-group looks how privacy is handled in the EU
! “Google is using cookies on PCs” thus they use equipment physically located in an EU state
! Art. 29 is valid for everyone using equipment in an EU state, thus also Google
52
19. Aug 2008, Josef NollPrivacy Issues
Tips and Tricks
! If you put your data into the social networks, it is your responsibility
! Security, Your data, Anonymity, .....
53
University of Florida © IFAS Information Technology, 2002
Specialized Privacy Probes
!Wiretap
!Web Bug + JAVA code
!Retrieve e-mail comments
!Retrieve mailing list
!Computer Triangulation
!Pinpoint physical location
• Country and City (90% accuracy)
• ZIP code (possible)
Source: Thomas Hintz, “Prrotecting your Internet Privacy”
University of Florida © IFAS Information Technology, 2002
Privacy Solutionshttp://notebook.ifas.ufl.edu/privacy/
All are free For home use…
Some are freeFor education sites
(check the license)
University of Florida © IFAS Information Technology, 2002
Anonymous web surfing
!Internet Explorer plug-in
!FREE – cannot visit secure sites
!Blocks IP address
!Blocks cookieshttp://www.anonymizer.com/
University of Florida © IFAS Information Technology, 2002
Encrypted e-mail
Pretty
Good
Privacy
University of Florida © IFAS Information Technology, 2002
Encrypted e-mail
Pretty
Good
Privacy
GPG
(GNU Privacy Guard)is a PGP compatible alternative
replacement based on the OpenPGP standard
http://www.gnupg.org/
University of Florida © IFAS Information Technology, 2002
Avoiding web spambots
!Do not use “ mailto: ” TAG unless encoded – mailto:hintz@ufl.edu
Source: Thomas Hintz, “Protecting your Internet Privacy”
University of Florida © IFAS Information Technology, 2002
Avoiding web spambots
!Use a graphic
!Use a graphic @ symbol
!Use TABLE
!Spell out address
!Do not use “ mailto: ” TAG unless encoded – mailto:hintz@ufl.edu
Source: Thomas Hintz, “Protecting your Internet Privacy”
University of Florida © IFAS Information Technology, 2002
Avoiding web spambots
[email protected]!Use a graphic
!Use a graphic @ symbol
!Use TABLE
!Spell out address
!Do not use “ mailto: ” TAG unless encoded – mailto:hintz@ufl.edu
Source: Thomas Hintz, “Protecting your Internet Privacy”
University of Florida © IFAS Information Technology, 2002
Avoiding web spambots
[email protected]!Use a graphic
!Use a graphic @ symbol
!Use TABLE
!Spell out address
!Do not use “ mailto: ” TAG unless encoded – mailto:hintz@ufl.edu
Source: Thomas Hintz, “Protecting your Internet Privacy”
University of Florida © IFAS Information Technology, 2002
Avoiding web spambots
[email protected]!Use a graphic
!Use a graphic @ symbol
!Use TABLE
!Spell out address
!hintz AT ifas.ufl.edu
!hintz AT ifas DOT ufl DOT edu
[email protected] (remove NOJUNK)
!Do not use “ mailto: ” TAG unless encoded – mailto:hintz@ufl.edu
Source: Thomas Hintz, “Protecting your Internet Privacy”
University of Florida © IFAS Information Technology, 2002
Would you give personal
information to strangers?
Source: Thomas Hintz, “Protecting your Internet Privacy”
University of Florida © IFAS Information Technology, 2002
Would you give personal
information to strangers?
24%of users havesupplied falseinformation
Source: Thomas Hintz, “Protecting your Internet Privacy”
University of Florida © IFAS Information Technology, 2002
Would you give personal
information to strangers?
24%of users havesupplied falseinformation
Create a
Virtual User
John Smith
7/7/77
blue eyes
red hair
Source: Thomas Hintz, “Protecting your Internet Privacy”
University of Florida © IFAS Information Technology, 2002
Provide accurate
personal information
ONLY
if appropriate for the
services requested.
Would you give personal
information to strangers?
24%of users havesupplied falseinformation
Create a
Virtual User
John Smith
7/7/77
blue eyes
red hair
Source: Thomas Hintz, “Protecting your Internet Privacy”
19. Aug 2008, Josef NollPrivacy Issues
! but what ....
60
! !
!"#$%#&%%'#(&"&)*+,)-
Anonymity is a shield from the tyranny of the majority.- US Supreme Court decision No. 93-986, April 19 1995
Source: Lasse Øverlier, “Anonymity, Privacy and Hidden Services”
19. Aug 2008, Josef NollPrivacy Issues 61
! !
!"#$$%&'()*+',*-$%./-0%#)%01
! “Disabling traffic flow analysis”! What can be resolved?
! who communicates to/with whom! who communicates when! activity type! movement! chain of command! type of information
Source: Lasse Øverlier, “Anonymity, Privacy and Hidden Services”
19. Aug 2008, Josef NollPrivacy Issues 62
! !
!"#$%&'$&'"'()*+($#",-.
! We need to distribute trust! Use an anonymizing network
! Independent nodes! Encrypted tunnels
! using (perfect) forward secrecy! changing appearance of data
! Any user, or server, of the network can be the originator
"#$%&'
(%)*%)
+,
+-+.
+/
+0
+1+2
3&4&56$7$&8!&%'94):
Source: Lasse Øverlier, “Anonymity, Privacy and Hidden Services”
torproject.org
19. Aug 2008, Josef NollPrivacy Issues
And we have not talked about
! Semantic technologies “the Web of Services”
! the car and future car2x communication
! and what about all the sensor networks
! who takes care of my data63
19. Aug 2008, Josef NollPrivacy Issues
StaticWWWURI, HTML, HTTP
Semantic WebRDF, RDF(S), OWL
Dynamic
Semantic Web Services
64
source: Juan Miguel Gomez, UC3M
Syntactic Semantic
19. Aug 2008, Josef NollPrivacy Issues
StaticWWWURI, HTML, HTTP
Semantic WebRDF, RDF(S), OWL
Dynamic
Semantic Web Services
64
source: Juan Miguel Gomez, UC3M
Syntactic Semantic
19. Aug 2008, Josef NollPrivacy Issues
StaticWWWURI, HTML, HTTP
Semantic WebRDF, RDF(S), OWL
DynamicWeb ServicesUDDI, WSDL, SOAP
Semantic Web Services
64
source: Juan Miguel Gomez, UC3M
Syntactic Semantic
19. Aug 2008, Josef NollPrivacy Issues
StaticWWWURI, HTML, HTTP
Semantic WebRDF, RDF(S), OWL
DynamicWeb ServicesUDDI, WSDL, SOAP
Bringing the web to its full potential
Intelligent WebServices
Semantic Web Services
64
source: Juan Miguel Gomez, UC3M
Syntactic Semantic
19. Aug 2008, Josef NollPrivacy Issues
Semantics in Business:
! Enable a paradigm switch in searching information
! From– Information Retrieval
! To– Question Answering
65
19. Aug 2008, Josef NollPrivacy Issues
Semantics in Business:
! Enable a paradigm switch in searching information
! From– Information Retrieval
! To– Question Answering
Google: “Josef Noll”
65
19. Aug 2008, Josef NollPrivacy Issues
Semantics in Business:
! Enable a paradigm switch in searching information
! From– Information Retrieval
! To– Question Answering
Google: “Josef Noll”
Why did Josef Noll come to Norway?
“It is important to educate
female engineers, ...”
65
19. Aug 2008, Josef NollPrivacy Issues 66
ITEA-Wellcom project
Future TV
source: Sony
And some of the partners working on tomorows TV experience:
19. Aug 2008, Josef NollPrivacy Issues
ITEA-WellCom.org
TV today and tomorrow
67
STB
Content
TV
19. Aug 2008, Josef NollPrivacy Issues
ITEA-WellCom.org
TV today and tomorrow
67
STB
Content
TV
BT
NFC
Service
19. Aug 2008, Josef NollPrivacy Issues
ITEA-WellCom.org
TV today and tomorrow
67
STB
Content
TV
BT
NFC
Service
19. Aug 2008, Josef NollPrivacy Issues
Service
adaptation
Context
(jabber)
Commun-
ication
Trust & Personalisation
Provider
ITEA-WellCom.org
TV today and tomorrow
67
STB
Content
TV
BT
NFC
Service
19. Aug 2008, Josef NollPrivacy Issues
Service
adaptation
Context
(jabber)
Commun-
ication
Trust & Personalisation
Provider
ITEA-WellCom.org
TV today and tomorrow
67
STB
Content
TV
BT
NFC
Service
Josef Noll, “Who owns the SIM?”, 5 June 2007
Third party business model
• Media,
• Banks, Service providers
• Telecom, Corporate, Home
Identity and personalisation
provider
Customer care
Serviceaggregator
Authentication and Access
provider
Paymentprovider
Content provider
68
Josef Noll, “Who owns the SIM?”, 5 June 2007
Third party business model
• Media,
• Banks, Service providers
• Telecom, Corporate, Home
Identity and personalisation
provider
Customer care
Serviceaggregator
Authentication and Access
provider
Paymentprovider
Content provider
• Service aggregator• Convenient interfaces
• Ease of use
68
Josef Noll, “Who owns the SIM?”, 5 June 2007
Third party business model
• Media,
• Banks, Service providers
• Telecom, Corporate, Home
Identity and personalisation
provider
Customer care
Serviceaggregator
Authentication and Access
provider
Paymentprovider
Content provider
• Service aggregator• Convenient interfaces
• Ease of use
• Identity and personalisation
provider• Convenience
• Trust
68
Josef Noll, “Who owns the SIM?”, 5 June 2007
The secure element:
SIM card
Send service to phone
Send info to recipient
Smartcard interfacesISO/IEC 7816
NFCcommunication
unit
SIM
NFC2SIM
Identity and personalisation
providerAuthentication
and Accessprovider
Serviceaggregator
Send key and credentials
Josef Noll, “Who owns the SIM?”, 5 June 2007
The secure element:
SIM card
Send service to phone
Send info to recipient
Smartcard interfacesISO/IEC 7816
NFCcommunication
unit
SIM
NFC2SIM
Identity and personalisation
providerAuthentication
and Accessprovider
Serviceaggregator
• SIM is secure
element• controlled environment
• over-the-air update
• open for applications
• SIM will be owned by user
• managed by trusted third party
Send key and credentials
Josef Noll, “Who owns the SIM?”, 5 June 2007
Challenges and Benefits
How insecure is the Internet?
Will the phone be the only secure element?
Dynamic service environment? On-the-fly creation of services?
Are Google, facebook and flickr more trusted than telecom
operators?
Visa and Mastercard enable convenient small amount
purchases
0
50
100
150
200
2006 2008 2010
Telco favourite Third party favourite
Convenience of usage
70
19. Aug 2008, Josef NollPrivacy Issues
Conclusions
71
• “The last time we were connected by a wire was at birth!” [Motorola]
• The service world is wireless– Q: “what is if you loose your
phone?”
– A: “A real crisis in life!”
• Easy access to devices and services, dependent on the context of the user
• Challenges– get control of complexity
– get people understanding what they are doing and us understanding people
! http://wiki.unik.no
19. Aug 2008, Josef NollPrivacy Issues
Thanks to contributions from! My PhD students György Kálmán, Mohammad M. R. Chowdhury
! Lasse Øverlier, “Anonymity, Privacy and Hidden Services”, PhD thesis at University of Oslo
! Stefan Weiss, “Your Users’ Privacy”, Deloite & Touche, 2007
! Thomas Hintz, “Protecting your Internet Privacy”, University of Florida, http://notebook.ifas.ufl.edu/privacy/
! Wikipedia; Dick Hardt, Identity 2.0
! Erzsebet Somogyi, UNIK - now CanalDigital.no; Judith Rossebø, Telenor
! Movation - White paper 'Mobile Phone Evolution', April 2007
! GPG(GNU Privacy Guard), based on PGP http://www.gnupg.org/
! Anonymizer http://www.anonymizer.com/
! Tor network, http://www.torproject.org
! The New York Times, Sony Europe, Facebook; isolatr.com
! Heung-Gyoon Ryu from Chungbuk National University, Korea
! ID theft in seconds, itpro.no
72