Strong Privacy Protection Research Articles

Privacy‐preserving framework for geosocial applications

ABSTRACTThe paper deals with user privacy in geosocial applications. Geosocial applications have become very popular but can misuse user's private data and location. We propose a novel solution that prevents tracking and protects against personal identity and location being misused by external attackers or service providers. The proposed framework provides security and privacy protection for geosocial applications that provide, for example, information sharing, geotagging, and monitoring of people without revealing their identity to unauthorized persons, including the service provider. Unlike current security solutions in geosocial services, our novel framework uses advanced cryptography to secure user privacy. This protection is provided by advanced group signatures ensuring data integrity, authenticity, non‐repudiation, and strong privacy protection. The paper outputs a detailed cryptographic scheme for the protection of privacy in geosocial services and its security analysis. The proposed scheme has also been implemented, and the performance results are outlined in the paper. Copyright © 2013 John Wiley & Sons, Ltd.

Robust password changing and DoS resilience for human‐centric password authentication

ABSTRACTIn password‐based or two‐factor (password and smart card) authentications, password changing is one of common techniques used to improve the security of the systems protected by the password. However, the password‐changing operations in existing password authentications either depend on the login phase or violate the common practice that an old password should not be valid for subsequent login after being updated. On the other hand, password mistyping is very common in reality, which may be random or be skewed by the adversary via technical means or social engineering manipulation [i.e., a kind of denial‐of‐service (DoS) attack]. In human‐centric authentication mechanisms, password changing and DoS resilience are not marginal issues. The paper addresses the requirements of robust password changing in authentication and presents , a password authentication scheme with robust password changing, DoS resilience, and card‐compromise security. Thus, the proposal can be viewed as a suitable candidate instantiation for authentication services of human‐centric security, by embedding in the computer and software systems. also achieves other appealing features, such as self‐healing ability and strong privacy protection, which may be useful for human‐centric applications. Copyright © 2013 John Wiley & Sons, Ltd.

A hash-based RFID security protocol for strong privacy protection

RFID (Radio Frequency Identification) tags are small, wireless electronic devices that help identify objects and people. Privacy protection and integrity assurance become rather crucial in the RFID systems, because these RFID tags may have a wide transmission range, making them subject to unauthorized scanning by malicious readers and various other attacks. Hence, Ha et al. proposed an RFID protocol and proved that their protocol can provide the forward privacy service. However, in this paper, it is shown that an attacker can track a target tag by observing unsuccessful previous session of the tag. That is, Ha et al.'s RFID protocol fails to provide the forward privacy protection as claimed. Therefore, to overcome the privacy weaknesses of Ha et al.'s RFID protocol, an RFID protocol based on the cryptographic hash functions is proposed. Moreover, the proposed RFID protocol is evaluated according to both the privacy attribute and the implementation performance.

Cryptanalysis and security enhancement of a remote user authentication scheme using smart cards

With the broad implementations of the electronic business and government applications, robust system security and strong privacy protection have become essential requirements for remote user authentication schemes. Recently, Chen et al. pointed out that Wang et al.'s scheme is vulnerable to the user impersonation attack and parallel session attack, and proposed an enhanced version to overcome the identified security flaws. In this paper, however, we show that Chen et al.'s scheme still cannot achieve the claimed security goals and report its following problems: (1) It suffers from the offline password guessing attack, key compromise impersonation attack and known key attack; (2) It fails to provide forward secrecy; (3) It is not easily repairable. As our main contribution, a robust dynamic ID-based scheme based on non-tamper resistance assumption of the smart cards is presented to cope with the aforementioned defects, while preserving the merits of different related schemes. The analysis demonstrates that our scheme meets all the proposed criteria and eliminates several grave security threats that are difficult to be tackled at the same time in previous scholarship.

A Secure Dynamic Identity Based Remote User Authentication Scheme Using Secret Sharing

With the rapid growth of Internet based applications, strong privacy protection and robust system security have become essential requirements for an authentication scheme. Engineers have proposed many identity based authentication schemes for remote login systems in past decades. In recent years, the security mechanism for the dynamic identity of legal user appearance has become a new technology in the field of network communications. This novel technology has allowed us to conduct a more secure remote user authentication scheme using a smart card, in which the well-designed module has remedied the system drawback of a static identity based authentication scheme. However, many kinds of authentication schemes need a system of synchronized clocks to withstand replay attacks and achieve mutual authentication, and most of them cannot propose a lightweight mechanism to reduce implementation complexity and achieve computation efficiency. Therefore, we propose a new dynamic identity based authentication scheme using three-way challenge-response strategy to achieve mutual authentication without a system of synchronized clocks. It completely prevents various attacks, supports the session key agreement, and offers the functionality advantages. As a result, the proposed scheme seems to be more secure and suitable for remote communication environment with low computation consumption and better security attributes.

For the Sake of One Child

What are the ethical considerations of providing anonymous access to the Internet in an age when child pornographers are using this technology to share illegal materials? perennial dilemma of an open society is striking a balance between liberty and safety. Too much liberty, and people are free to commit horrible acts. Too much safety, and people are constrained in what they can think, say, and do. balance tilts toward safety in times of war, or when fears (real or perceived) take hold in the popular imagination. When threats to children are involved, safety almost always wins out over liberty, as the concept of protecting even one child from harm, regardless of the cost, is a powerful rhetorical tool. As a 2007 case in Colorado will demonstrate, this balance poses a challenge for libraries offering public access to the Internet, especially if that access may facilitate criminal activity.While librarians often talk about protecting user privacy, it is user ano - nymity and confidentiality that are ultimately at stake. Distinctions among the three terms are necessary before continuing. A private act is not known to anyone except the person committing the act. Others can know about an anonymous act, but the actor's identity is unknown. Confidential acts are known by those, and only those, who need to know the actor's identity. A truly private act in a is to take a book offthe shelf, read it in the library, and replace it without being observed by anyone. Even if an item is checked out using a self- check system and is never handled by a employee, the creates and keeps a confidential record for as long as the item is in use. Anonymous uses of the include reading materials in view of others, whether staffor other users, and using computers that do not require a personally identifiable login.Colorado and ConfidentialityLibrary users in Colorado have good reason to expect protection of their confidentiality. As noted in its own annotations, the Colorado Constitution provides stronger privacy protections than the Constitution of the United States: The Colorado proscription against unreasonable searches and seizures protects a greater range of privacy interests than does its federal counterpart (Colo. Const. art. II, § 7). Additionally, an expectation of confidentiality in libraries is explicitly spelled out in the Colorado Revised Statutes: [A] publiclysupported shall not disclose any record or other information that identifies a person as having requested or obtained specific materials or service or as otherwise having used the library (emphasis added) (Privacy of User Records, 2010; see Appendix A for the complete statute). law provides the usual exceptions for responding to court orders and for reasonable administration of the library, but it is important to note the sweeping scope of what is protected. This legislation was adopted following John Hinckley Jr.'s attempted assassination of President Ronald Reagan. When Hinckley was arrested in 1981, one of the pieces of identification found in his wallet was his Jefferson County (Colorado) card (Falsone, 1987). was then inundated with requests from journalists for Hinckley's records to see what he had checked out. Though the initially refused to release this information, the county attorney advised that the requests had to be filled under the Colorado Open Records Act (2010). In response , the Colorado community studied the confidentiality laws of other states and worked toward the eventual adoption of the Colorado Privacy of User Records legislation in 1983 (Falsone, 1987).A subsequent court case further strengthened expectations of confidentiality in Colorado libraries. In Tattered Cover, Inc. v. City of Thornton (2002), the Colorado Supreme Court found that bookstores could not be compelled to release information about a criminal suspect's purchases because the law enforcement agency had not demonstrated sufficient need for the records. …

Discriminative and Non-User Specific Binary Biometric Representation via Linearly-Separable SubCode Encoding-based Discretization

Biometric discretization is a process of transforming continuous biometric features of an identity into a binary bit string. This paper mainly focuses on improving the global discretization method ? a discretization method that does not base on information specific to each user in bitstring extraction, which appears to be important in applications that prioritize strong security provision and strong privacy protection. In particular, we demonstrate how the actual performance of a global discretization could further be improved by embedding a global discriminative feature selection method and a Linearly Separable Subcode-based encoding technique. In addition, we examine a number of discriminative feature selection measures that can reliably be used for such discretization. Lastly, encouraging empirical results vindicate the feasibility of our approach.

¿Viva La Data Protection?: How Culture Has Informed Chilean Information Privacy Law and What That Means for the Rest of the World

This paper attempts to uncover a puzzle: although the traditional levers for strong privacy protection are present in Chile – a history of dictatorship, an information technology revolution, and strong trade with the European Union – its data protection laws are in fact very weak. What explains this apparent disconnect? This paper challenges extant theories that claim that Chile's weak data protection regime is the result of weak democratic institutions, collective action problems, or the prioritization of credit data protections. Instead, it argues that Chile's stunted regime results from a political culture in which privacy protections, generally, are traded off for other, competing values, including free speech and the free-flow of information. These conclusions suggest that proponents of present and future efforts to harmonize data protection law on a global basis may need to more fully address divergent cultural conceptions of privacy world-wide. Such proponents might also more fully consider the loss of cultural pluralism that will necessarily ensue from any successful global data protection harmonization scheme.

Extending ℓ-diversity to generalize sensitive data

Generalization is an important technique for protecting privacy in data dissemination. In the framework of generalization, ℓ-diversity is a strong notion of privacy. However, since existing ℓ-diversity measures are defined in terms of the most specific (rather than general) sensitive attribute (SA) values, algorithms based on these measures can have narrow eligible ranges for data that has a heavily skewed distribution of SA values and produce anonymous data that has a low utility. In this paper, we propose a new ℓ-diversity measure called the functional ( τ, ℓ)-diversity, which extends ℓ-diversity by using a simple function to constrain frequencies of base SA values that are induced by general SA values. As a result, algorithms based on ( τ, ℓ)-diversity may generalize SA values, thus are much less constrained by skew SA distributions. We show that ( τ, ℓ)-diversity is more flexible and elaborate than existing ℓ-diversity measures. We present an efficient heuristic algorithm that uses a novel order of quasi-identifier (QI) values to achieve ( τ, ℓ)-diversity. We compare our algorithm with two state-of-the-art algorithms that are based on existing ℓ-diversity measures. Our preliminary experimental results indicate that our algorithm not only provides a stronger privacy protection but also results in better utility of anonymous data.

Two robust remote user authentication protocols using smart cards

With the rapid growth of electronic commerce and enormous demand from variants of Internet based applications, strong privacy protection and robust system security have become essential requirements for an authentication scheme or universal access control mechanism. In order to reduce implementation complexity and achieve computation efficiency, design issues for efficient and secure password based remote user authentication scheme have been extensively investigated by research community in these two decades. Recently, two well-designed password based authentication schemes using smart cards are introduced by Hsiang and Shih (2009) and Wang et al. (2009), respectively. Hsiang et al. proposed a static ID based authentication protocol and Wang et al. presented a dynamic ID based authentication scheme. The authors of both schemes claimed that their protocol delivers important security features and system functionalities, such as mutual authentication, data security, no verification table implementation, freedom on password selection, resistance against ID-theft attack, replay attack and insider attack, as well as computation efficiency. However, these two schemes still have much space for security enhancement. In this paper, we first demonstrate a series of vulnerabilities on these two schemes. Then, two enhanced protocols with corresponding remedies are proposed to eliminate all identified security flaws in both schemes.

Privacy by design: the definitive workshop. A foreword by Ann Cavoukian, Ph.D

In November, 2009, a prominent group of privacy professionals, business leaders, information technology specialists, and academics gathered in Madrid to discuss how the next set of threats to privacy could best be addressed. The event, Privacy by Design: The Definitive Workshop, was co-hosted by my office and that of the Israeli Law, Information and Technology Authority. It marked the latest step in a journey that I began in the 1990’s, when I first focused on enlisting the support of technologies that could enhance privacy. Back then, privacy protection relied primarily upon legislation and regulatory frameworks—in an effort to offer remedies for data breaches, after they had occurred. As information technology became increasingly interconnected and the volume of personal information collected began to explode, it became clear that a new way of thinking about privacy was needed. Privacy-Enhancing Technologies (PETs) paved the way for that new direction, highlighting how the universal principles of fair information practices could be reflected in information and communication technologies to achieve strong privacy protection. While the idea seemed radical at the time, it has been very gratifying over the past 15 years to see it come into widespread usage as part of the vocabulary of both privacy and information technology professionals. But the privacy landscape continues to evolve. So, like the technologies that shape and reshape the world in which we live, the privacy conversation must IDIS (2010) 3:247–251 DOI 10.1007/s12394-010-0062-y

Regulatory Compliance and the Correlation to Privacy Protection in Healthcare

Recent government-led efforts and industry-sponsored privacy initiatives in the healthcare sector have received heightened publicity. The current set of privacy legislation mandates that all parties involved in the delivery of care specify and publish privacy policies regarding the use and disclosure of personal health information. The authors’ study of actual healthcare privacy policies indicates that the vague representations in published privacy policies are not strongly correlated with adequate privacy protection for the patient. This phenomenon is not due to a lack of available technology to enforce privacy policies, but rather to the will of the healthcare entities to enforce strong privacy protections and their interpretation of minimum compliance obligations. Using available information systems and data mining techniques, this article describes an infrastructure for privacy protection based on the idea of policy refinement to allow the transition from the current state of perceived to be privacy-preserving systems to actually privacy-preserving systems.

Privacy-Preserving Authentication of Users with Smart Cards Using One-Time Credentials

User privacy preservation is critical to prevent many sophisticated attacks that are based on the user's server access patterns and ID-related information. We propose a password-based user authentication scheme that provides strong privacy protection using one-time credentials. It eliminates the possibility of tracing a user's authentication history and hides the user's ID and password even from servers. In addition, it is resistant against user impersonation even if both a server's verification database and a user's smart card storage are disclosed. We also provide a revocation scheme for a user to promptly invalidate the user's credentials on a server when the user's smart card is compromised. The schemes use lightweight operations only such as computing hashes and bitwise XORs.

Optimal random perturbation at multiple privacy levels

Random perturbation is a popular method of computing anonymized data for privacy preserving data mining. It is simple to apply, ensures strong privacy protection, and permits effective mining of a large variety of data patterns. However, all the existing studies with good privacy guarantees focus on perturbation at a single privacy level . Namely, a fixed degree of privacy protection is imposed on all anonymized data released by the data holder. This drawback seriously limits the applicability of random perturbation in scenarios where the holder has numerous recipients to which different privacy levels apply. Motivated by this, we study the problem of multi-level perturbation , whose objective is to release multiple versions of a dataset anonymized at different privacy levels. The challenge is that various recipients may collude by sharing their data to infer privacy beyond their permitted levels. Our solution overcomes this obstacle, and achieves two crucial properties. First, collusion is useless, meaning that the colluding recipients cannot learn anything more than what the most trustable recipient (among the colluding recipients) already knows alone . Second, the data each recipient receives can be regarded (and hence, analyzed in the same way) as the output of conventional uniform perturbation. Besides its solid theoretical foundation, the proposed technique is both space economical and computationally efficient. It requires O (n+m) expected space, and produces a new anonymized version in O ( n + log m ) expected time, where n is the cardinality of the original dataset, and m the number of versions released previously. Both bounds are optimal under the realistic assumption that n » m .

Privacy-Aware Collaborative Spam Filtering

While the concept of collaboration provides a natural defense against massive spam e-mails directed at large numbers of recipients, designing effective collaborative anti-spam systems raises several important research challenges. First and foremost, since e-mails may contain confidential information, any collaborative anti-spam approach has to guarantee strong privacy protection to the participating entities. Second, the continuously evolving nature of spam demands the collaborative techniques to be resilient to various kinds of camouflage attacks. Third, the collaboration has to be lightweight, efficient, and scalable. Toward addressing these challenges, this paper presents ALPACAS-a privacy-aware framework for collaborative spam filtering. In designing the ALPACAS framework, we make two unique contributions. The first is a feature-preserving message transformation technique that is highly resilient against the latest kinds of spam attacks. The second is a privacy-preserving protocol that provides enhanced privacy guarantees to the participating entities. Our experimental results conducted on a real e-mail data set shows that the proposed framework provides a 10 fold improvement in the false negative rate over the Bayesian-based Bogofilter when faced with one of the recent kinds of spam attacks. Further, the privacy breaches are extremely rare. This demonstrates the strong privacy protection provided by the ALPACAS system.

Protecting Patient Privacy Through Health Record Trusts

Patients should have the opportunity to exercise privacy rights through an account issued by a health record trust (or bank). Trusts would collect a complete digital copy of patients' health records and enable patients to make informed decisions about their use. Federal legislation is needed to promote and oversee health record trusts and to reconcile existing privacy laws with stronger privacy protection available through health record trusts.

Is Consent the Foundation of Fair Information Practices? Canada's Experience Under PIPEDA

Canada's The Personal Information Protection and Electronic Documents Act (PIPEDA) implements what are known internationally as information Within this model of data protection, privacy is often seen to be the core interest protected and individual consent to the collection, use and disclosure of personal information is the central vehicle through which this protection is accomplished. This paper argues that the alleged centrality of consent to the protection of privacy is misplaced: all derogations from consent are not necessarily derogations from privacy. A number of reasons support this claim. First, there are persuasive arguments that individual consent is neither necessary nor sufficient for the adequate protection of privacy. Second, consent is not the only norm operating to limit the collection, use and disclosure of personal information within different articulations of fair information practices. Third, decisions rendered under PIPEDA so far indicate that where individuals are properly notified regarding the for the collection of their personal information and that collection is found to be reasonable, a finding of consent usually follows. This suggests that it is reasonable purposes that holds out the most promise for strong privacy protection and is therefore deserving of greater attention by the privacy community.

Is Consent the Foundation of Fair Information Practices? Canada's Experience Under Pipeda

Canada's The Personal Information Protection and Electronic Documents Act (PIPEDA) implements what are known internationally as information Within this model of data protection, privacy is often seen to be the core interest protected and individual consent to the collection, use and disclosure of personal information is the central vehicle through which this protection is accomplished. This paper argues that the alleged centrality of consent to the protection of privacy is misplaced: all derogations from consent are not necessarily derogations from privacy. A number of reasons support this claim. First, there are persuasive arguments that individual consent is neither necessary nor sufficient for the adequate protection of privacy. Second, consent is not the only norm operating to limit the collection, use and disclosure of personal information within different articulations of fair information practices. Third, decisions rendered under PIPEDA so far indicate that where individuals are properly notified regarding the for the collection of their personal information and that collection is found to be reasonable, a finding of consent usually follows. This suggests that it is reasonable purposes that holds out the most promise for strong privacy protection and is therefore deserving of greater attention by the privacy community.

Strong Privacy Protection in Electronic Voting

We give suggestions for protection against adversaries with access to the voter's equipment in voting schemes based on homomorphic encryption. Assuming an adversary has complete knowledge of the contents and computations taking place on the client machine we protect the voter's privacy in a way so that the adversary has no knowledge about the voter's choice. Furthermore, an active adversary trying to change a voter's ballot may do so, but will end up voting for a random candidate. <br /> <br />To accomplish the goal we assume that the voter has access to a secondary communication channel through which he can receive information inaccessible to the adversary. An example of such a secondary communication channel is ordinary mail. Additionally, we assume the existence of a trusted party that will assist in the protocol. To some extent, the actions of this trusted party are verifiable.

Pay-TV system with strong privacy and non-repudiation protection

Current pay-TV systems enable service providers to acquire personal data easily, e.g. the customers' TV-watching habits, which can make customers uncomfortable or cause them inconvenience. Although many privacy protection schemes have been proposed, they only protect customer privacy from abuse by outsiders, not the service providers. This paper develops a new conditional access system (CAS) mechanism - "e-ticket" - for pay-TV systems to protect customer privacy from abuse by both outsiders and providers, while protecting both the customers and the providers against double-spending, loss, misuse, and/or stealing of the e-ticket. This article also demonstrates that the combination of the partial blind digital signature and anonymous digital signature makes pay-TV systems more robust and fairer than before.