Privacy Threat Modeling Research Articles

IoT Complexity: Security, Vulnerabilities and Risks

IoT privacy highlights the critical significance of tailored threat models to address the evolving challenges in the IoT landscape. This research paper presents an in-depth examination of privacy threat modeling in the context of the Internet of Things (IoT), and aims to develop threat models tailored to different IoT device categories, identifying vulnerabilities and potential privacy risks associated with each. This analysis seeks to provide insights into the diverse privacy challenges posed by IoT devices, ranging from wearables to healthcare IoT and smart home, which exhibit unique vulnerabilities and privacy risks. By developing threat models specific to each device category, this research elucidates the diversity of privacy concerns, such as data breaches, unauthorized access, and data tracking the applicability of privacy regulations varies across these categories, emphasizing the need for tailored regulatory frameworks. The research underscores the importance of user education and responsible device design, advocating for privacy literacy and transparency, as it ensures that privacy is an integral part of the development process, fostering a safer, more secure, and privacy-conscious IoT ecosystem where innovation and privacy coexist for the benefit of all.

Design and Implementation of the Advanced Cloud Privacy Threat Modeling

Design and Implementation of the Advanced Cloud Privacy Threat Modeling

Exploring how experienced and unexperienced professionals use a privacy threat modeling methodology

Online Social Networks (OSNs) have become one of the principal technological phenomena of the Web, gaining an eminent popularity among its users. With the growing worldwide expansion of OSN services, people have devoted time and effort to maintaining and manipulating their online identity on these systems. However, the processing of personal data through these networks has exposed users to various privacy threats. Consequently, new solutions need to be developed for addressing the threat scenarios to which a user is potentially exposed. In this sense, this paper proposes PTMOL (Privacy Threat MOdeling Language), an approach for modeling privacy threats in OSN domain. The proposed language aims to support the capture, organization and analysis of specific privacy threats that a user is exposed to when sharing assets in a social application, also enabling the definition of countermeasures to prevent or mitigate the effects of threat scenarios. The first language version has undergone a preliminary empirical study that identified its validity as a modeling language. The results indicate that the use of the language is potentially useful for identifying real privacy threats due to its exploratory and reflexive nature. We expect to contribute to support designers in making more preemptive decisions about user privacy risk, helping them to introduce privacy early in the development cycle of social applications.

Privacy Threats in Facial Recognition-Based Identity Verification

Facial recognition technology has gained significant prominence in identity verification systems, providing convenience and security in various domains. However, the widespread adoption of this technology also raises significant concerns regarding privacy threats. This paper presents a comprehensive privacy threat model specifically designed for identity verification based on facial recognition. The model encompasses potential adversary objectives, such as unauthorized access, identity theft, and profiling, and identifies specific privacy threats, including unauthorized data access, biometric data misuse, tracking and surveillance, re-identification attacks, discrimination and bias, and data retention and sharing. To mitigate these threats, the paper proposes several mitigation measures, such as informed consent, transparent data handling, secure data storage and transmission, minimization of data collection, regular audits and assessments, and ethical considerations. By providing a holistic view of privacy threats in facial recognition-based identity verification, this model aims to guide researchers, practitioners, and policymakers in developing and implementing effective privacy protection mechanisms in this rapidly evolving technological landscape

The impact of security and privacy threat modeling on blockchain-enabled-electronic voting system

Blockchain is a decentralized, distributed ledger that records transactions between two parties. A blockchain-based software system is a new and innovative approach to software engineering that uses blockchain technology. This approach has several advantages over traditional software engineering approaches, including improved security and transparency. The most common software engineering approaches are waterfall, agile and hybrid models. Each of these has its strengths and weakness. A blockchain-based system has the advantage of being more secure and transparent than any of these approaches. It also can track changes more accurately, which can improve quality control. Blockchain technologies have incredible potential but also have some problems. One problem is security and privacy issues, which brings into question the resilience of existing security and trust mechanisms. The distributed application (dApp) framework for the proposed electronic voting system is built with the help of blockchain technology in this proposal. As a result, fewer crimes has committed against sensitive data during the electoral process because of immutability, transparency and privacy. Ganache, Metamask and hashing algorithms are used to develop the dApp. The paper's strengths lie in its ability to create and analyze threat models for blockchain-enabled-electronic voting systems and to identify the types of threats using Microsoft STRIDE.

A privacy threat model for identity verification based on facial recognition

The proliferation of different types of photographic and video cameras makes it relatively simple and non-intrusive to acquire facial fingerprints with sufficient quality to perform individuals’ identity verification. In most democratic societies, a debate has been occurring regarding using such techniques in different application domains. Discussions usually revolve around the tradeoffs between utility (security in access control, mobile phone unlocking, payment processing, etc.), usability or economic gain and risks to citizens’ rights and freedoms (privacy) or ethics. This paper identifies the common aspects of different solutions for identity verification based on facial recognition techniques within different application domains. It then performs a privacy threat modelling based on these common aspects to identify the most critical risk factors and a minimum set of safeguards to be considered for their management.

Isoga: An Isogeny-Based Quantum-Resist Searchable Encryption Scheme Against Keyword Guessing Attacks

Driven by cloud computing technologies, public-key encryption with keyword search (PEKS) is becoming a common practice from aspects of the Industrial Internet of Things, smart healthcare, vehicular social networks, and so on. However, a dozen years of PEKS development is accompanied by some security and privacy issues in the encrypted data search and access processes. The keyword guessing attack is a typical user privacy threat model, that is, an adversary could guess the user’s retrieval keyword given a search trapdoor. On the other hand, the emergence of quantum computers make traditional PEKS schemes no longer secure. Although scholars put forward some postquantum secure PEKS schemes, these schemes are based on lattice cryptography with a larger key size. To the best of our knowledge, there is no quantum-resist PEKS scheme established on elliptic curve cryptography. This article utilizes PEKS with designated tester primitive and quantum resistance of isogeny. Then, we put forward a postquantum searchable encryption scheme named Isoga, which fights against keyword guessing attacks. We prove Isoga’s searchable ciphertext security and trapdoor indistinguishability under isogeny-related difficult assumptions. Performance evaluation indicates that the Isoga scheme is more practical in the quantum environment, considering seven schemes’ security properties, communication cost, and computing overload among.

Privacy Property Graph: Towards Automated Privacy Threat Modeling via Static Graph-based Analysis

Privacy threat modeling should be done frequently throughout development and production to be able to quickly mitigate threats. Yet, it can also be a very time-consuming activity. In this paper, we use an enhanced code property graph to partly automate the privacy threat modeling process: It automatically generates a data flow diagram from source code which exhibits privacy properties of data flows, and which can be analyzed semi-automatically via queries. We provide a list of such reusable queries that can be used to detect various privacy threats. To enable this analysis, we integrate a taint-tracking mechanism into the graph using privacy-specific labels. Since no benchmark for such an approach exists, we also present a test suite for privacy threat implementations which comprises implementations for 22 privacy threats in multiple programming languages. We expect that our approach significantly reduces time consumption of threat modeling and show that it also has potential beyond the threat categories defined by LINDDUN, e.g. to detect privacy anti-patterns and verify compliance to privacy policies.

Privacy Threat MOdeling Language

Online Social Networks (OSNs) are becoming pervasive in today’s world. Millions of people worldwide are involved in different forms of online networking. However, this ease of use of OSNs comes with a cost in terms of privacy. Users of OSNs become victims of identity theft, cyberstalking, and information leakage, which are real threats to privacy. Consequently, new solutions need to be developed for addressing the threat scenarios to which a user is potentially exposed. In this sense, this paper presents PTMOL (Privacy Threat MOdeling Language) as an approach for modeling privacy threats in an OSN domain. The proposed language is related to the attempt to mitigate privacy threats at the design level, thus promoting concern about threats in the stages preceding the development of OSNs. Two studies were conducted to evaluate the use of PTMOL at the design stages, which provided insights into the correctness, completeness, ease of use, usefulness, user satisfaction, and feasibility of the proposal. The results indicated that PTMOL can be incorporated into software development during the design phase. Via the language, we expect to support designers in making more pre-emptive decisions about user privacy risk, and help them to introduce privacy early in the development cycle of OSNs.

GDP vs. LDP: A Survey from the Perspective of Information-Theoretic Channel.

The existing work has conducted in-depth research and analysis on global differential privacy (GDP) and local differential privacy (LDP) based on information theory. However, the data privacy preserving community does not systematically review and analyze GDP and LDP based on the information-theoretic channel model. To this end, we systematically reviewed GDP and LDP from the perspective of the information-theoretic channel in this survey. First, we presented the privacy threat model under information-theoretic channel. Second, we described and compared the information-theoretic channel models of GDP and LDP. Third, we summarized and analyzed definitions, privacy-utility metrics, properties, and mechanisms of GDP and LDP under their channel models. Finally, we discussed the open problems of GDP and LDP based on different types of information-theoretic channel models according to the above systematic review. Our main contribution provides a systematic survey of channel models, definitions, privacy-utility metrics, properties, and mechanisms for GDP and LDP from the perspective of information-theoretic channel and surveys the differential privacy synthetic data generation application using generative adversarial network and federated learning, respectively. Our work is helpful for systematically understanding the privacy threat model, definitions, privacy-utility metrics, properties, and mechanisms of GDP and LDP from the perspective of information-theoretic channel and promotes in-depth research and analysis of GDP and LDP based on different types of information-theoretic channel models.

Fault tolerance of neural networks in adversarial settings

Artificial Intelligence systems require a through assessment of different pillars of trust, namely, fairness, interpretability, data and model privacy, reliability (safety) and robustness against against adversarial attacks. While these research problems have been extensively studied in isolation, an understanding of the trade-off between different pillars of trust is lacking. To this extent, the trade-off between fault tolerance, privacy and adversarial robustness is evaluated for the specific case of Deep Neural Networks, by considering two adversarial settings under a security and a privacy threat model. Specifically, this work studies the impact of the fault tolerance of the Neural Network on training the model by adding noise to the input (Adversarial Robustness) and noise to the gradients (Differential Privacy). While training models with noise to inputs, gradients or weights enhances fault tolerance, it is observed that adversarial robustness and fault tolerance are at odds with each other. On the other hand, ($\epsilon,\delta$)-Differentially Private models enhance the fault tolerance, measured using generalisation error, theoretically has an upper bound of $e^{\epsilon} - 1 + \delta$. This novel study of the trade-off between different elements of trust is pivotal for training a model which satisfies the requirements for different pillars of trust simultaneously.

Research Issues on Data Centric Security and Privacy Model for Intelligent Internet of Things based Healthcare

Various research works are conducted to design and implement Internet of things (IoT) based healthcare systems. However, there are still several open issues and challenges that are needed to be carefully addressed focused on security and privacy. Especially, data centric solutions should be focused on the intelligent IoT networks. Thereby, the purpose of this paper is to propose research direction on data centric security and privacy model for intelligent IoT based healthcare applications. The withdrawn required research issues and directions are including deriving data centric IoT features and characteristics, definition of security and privacy threat model, developing data centric security and privacy model, designing data centric access control scheme, devising homomorphic encryption based data retrieval technique and research on data centric anonymity and untraceability techniques. In the upcoming eras, intelligent IoT based healthcare will be more and more applications because of its widespread adoption of IoT. Security and privacy provision should be the core part for the success of the intelligent IoT based healthcare applications. The author hopes the content could guide researcher future issues and directions on their researches.

Analysing privacy in visual lifelogging

The visual lifelogging activity enables a user, the lifelogger, to passively capture images from a first-person perspective and ultimately create a visual diary encoding every possible aspect of her life with unprecedented details. In recent years, it has gained popularities among different groups of users. However, the possibility of ubiquitous presence of lifelogging devices specifically in private spheres has raised serious concerns with respect to personal privacy. In this article, we have presented a thorough discussion of privacy with respect to visual lifelogging. We have re-adjusted the existing definition of lifelogging to reflect different aspects of privacy and introduced a first-ever privacy threat model identifying several threats with respect to visual lifelogging. We have also shown how the existing privacy guidelines and approaches are inadequate to mitigate the identified threats. Finally, we have outlined a set of requirements and guidelines that can be used to mitigate the identified threats while designing and developing a privacy-preserving framework for visual lifelogging.

Design and Implementation of the Advanced Cloud Privacy Threat Modeling

Privacy-preservation for sensitive data has become a challenging issue in cloud computing. Threat modeling as a part of requirements engineering in secure software development provides a structured approach for identifying attacks and proposing countermeasures against the exploitation of vulnerabilities in a system . This paper describes an extension of Cloud Privacy Threat Modeling (CPTM) methodology for privacy threat modeling in relation to processing sensitive data in cloud computing environments. It describes the modeling methodology that involved applying Method Engineering to specify characteristics of a cloud privacy threat modeling methodology, different steps in the proposed methodology and corresponding products. In addition, a case study has been implemented as a proof of concept to demonstrate the usability of the proposed methodology. We believe that the extended methodology facilitates the application of a privacy-preserving cloud software development approach from requirements engineering to design.

Privacy threat model for data portability in social network applications

The advent of the participatory Web and social network applications has changed our communication behaviour and the way we express ourselves on the Web. Social network application providers benefit from the increasing amount of personally identifiable information willingly displayed on their sites but, at the same time, risks of data misuse threaten the information privacy of individual users as well as the providers’ business model. From recent research, this paper reports the major requirements for developing privacy-preserving social network applications and proposes a privacy threat model that can be used to enhance the information privacy in data or social network portability initiatives by determining the issues at stake related to the processing of personally identifiable information.