Mobile Adventure Privacy - a Taxonomy Proposal Alf Zugenmaier, DoCoMo Euro-Labs Security and Protection of Information, Brno, 2007.

Mobile Adventure

Privacy - a Taxonomy Proposal

Alf Zugenmaier, DoCoMo Euro-LabsSecurity and Protection of Information, Brno, 2007

© 2007 by DoCoMo Communications Laboratories

Europe GmbH

2

Mobile Adventure

What is Security?

• Information Security = CIA +

• Confidentiality• Integrity• Availability

• depends on the fashion of the day


Europe GmbH

3

Mobile Adventure

What is Privacy?

• Wired equivalent privacy (WEP), pretty good privacy (PGP)

• Privacy equal to security?

• Discussions about privacy• Privacy opposite of security?

• Authentication vs. authorization• Privacy orthogonal to security?

• All of the above plus: “No spam please!”• Intention and effect


Europe GmbH

4

Mobile Adventure

Agenda

Information privacy vs information security• Privacy taxonomy • Protecting privacy

– Self protection: anonymity – Cooperative approach

• Incentives• Conclusions


Europe GmbH

5

Mobile Adventure

Taxonomy of Privacy


Europe GmbH

6

Mobile Adventure

Taxonomy of Privacy

“He finally got a corner office but I’m not sure he

can handle it.”


Europe GmbH

7

Mobile Adventure

A Taxonomy of Privacy

privacyright to be left alone

“push privacy”freedom from

unwanted communication attention, aka spam

“pull privacy”freedom from

misappropriation of information


Europe GmbH

8

Mobile Adventure

What is Privacy? – Effect

(Graef) Actions should not have social consequences relative to not intended third parties.

Right to privacy– (invented by Warren/Brandeis) freedom from press exposure

– (Geuss) not universal, what for?– (Simmel) keeps actionable options open


Europe GmbH

9

Mobile Adventure

A Taxonomy of Privacy


“push privacy”no spam

“pull privacy”misappropriated

information

confidentialityagainst 3rd party

avoiding misuse service / resource


Europe GmbH

10

Mobile Adventure

3rd Party Confidentiality

• Content– communications content– data on personal device

• Context– sender / receiver anonymity– location privacy– situation, etc


Europe GmbH

11

Mobile AdventureAvoiding Misuse by Service / Resource

What is necessary to violate privacy?Information must be• perceived (may be indirect)• attributed to entity • remembered• interesting, relevant, accessible,

processible, and acted upon


Europe GmbH

12

Mobile Adventure

Avoiding Misuse by Service / Resource

• Data minimality

– avoids perception

• Anonymity / unlinkability

– no handle for linking

• Oblivion

– no data retention

• Policy

– limited use, data management

increasin

g co

op

eration

of co

mm

un

ication

partn

ers


Europe GmbH

13

Mobile Adventure

Taxonomy of Privacy




information



data minimality

anonymity

oblivion

policy

confidentialityof content data

confidentialityof context data


Europe GmbH

14

Mobile Adventure

Taxonomy of Privacy




information



data minimality

anonymity

oblivion

policy

confidentialityof content data

confidentialityof context data


Europe GmbH

15

Mobile Adventure

Agenda

Information privacy vs information security Privacy taxonomy• Protecting privacy

– Self protection: anonymity – Cooperative approach



Europe GmbH

16

Mobile Adventure

Self Protection: Anonymity

• Objective of attacker: discover identity of the user who performed an action

• Identity: set of personally identifying information

• Action: a thing done, taking limited time


Europe GmbH

17

Mobile AdventureExample Anonymity Mechanism:Crowds

encrypted request takes random path through crowd

Bob’s serverAlice


Europe GmbH

18

Mobile Adventure

Mobility Scenario

Problem: How can anonymity be provided for mobile users in a client – server scenario?

Server

Server

InternetGateway

action


Europe GmbH

19

Mobile Adventure

User and Terminal Mobility

Server

Server

InternetGateway

action


Europe GmbH

20

Mobile Adventure

FLASCHE – Idea

action

user

device location

attacker is able to localize action

personaldevice

a) identity management

a

b) user‘s mobility

b

c) device‘s mobility

c

d) FLASCHE

d


Europe GmbH

21

Mobile AdventureFLASCHE – Removing Device Identification

MAC IEEE802.11b– random MAC Address (cf. Orava et al.) – loaction: BSSID of access points

IPv6– device specific part of address random (as in

RFC3041)– location: (sub-)network ID– location determination: router solicitation– MAC Address: Neighbor Solicitation

UDP / TCP– random source port

DNS– no DNS entry of mobile device

HTTP– suppress attributes: FROM, REFERER, etc– SSL encryption possible


Europe GmbH

22

Mobile Adventure

Anonymity not Always Possible

• Quote from insurance company


Europe GmbH

23

Mobile Adventure

Anonymity not Always Possible

• Quote from insurance company• Asks for lots of personal information• Fake data may lead to wrong quote • What happens with the information after

rejecting the offer?


Europe GmbH

24

Mobile Adventure

Protection Goal

Control of use of personal data after releasein respect of• Who has access to personal data• What can be done with personal data• What has to be done when using personal

data

defined by Privacy Policy


Europe GmbH

25

Mobile Adventure

Attacker Model Revisited

Previous model:• Totally adversarial• Omnipresent attacker

Insurance Co.

trusted

untrusted

Client


Europe GmbH

26

Mobile Adventure

Attacker Model Revisited

Weakened Model• Not totally adversarial• Outsider attackers • Some co-operation• Some insider attackers

Insurance Co.

untrusted

trusted

trusted

Client


Europe GmbH

27

Mobile Adventure

Problem Statement

• How to ensure data is only given to co-operating entities

• How to ensure adherence to privacy policies

Digital Rights Management!


Europe GmbH

28

Mobile AdventureDigital Rights Management for Enforcement of Privacy Policies

• Digital rights management (DRM) and protection of personal data are mirror images

• Both regulate use of data after release– DRM licenses– privacy policies


Europe GmbH

29

Mobile Adventure

DRM Key Features

• License attached to data– defines terms of use

• Encryption / key management– prevents attacks on data

• Attestation– ensures trusted computing base (TCB)– prevents attacks on software


Europe GmbH

30

Mobile Adventure

License Description

• XRML license:– grant

• principal• right• resource• condition

– issuer• signature• time of issuance

• Privacy policy 5-tuple:– role– action– data type– purpose– obligation


Europe GmbH

31

Mobile Adventure

Example: Obligation

• Obligation: delete all data on terminal after use


Europe GmbH

32

Mobile Adventure

Trusted Computing Base (TCB)

BSD-Veriexec Kernel (TCB)

temporary (RAMdisk)chroot environment

signed environmentw/ printer device

signed environmentw/o printer device


Europe GmbH

33

Mobile Adventure

Attesting the Application

• Application hashed on start• Socket wrapper performs application

attestation

communication

kernelapplication

Security wrapper

• Measurement• Attestation of Application

TLS protected communication


Europe GmbH

34

Mobile Adventure

Microsoft IRM

• Microsoft framework for digital rights management

• Used in Outlook and Office• Uses XRML 1.2• Software based attestation• SDK available


Europe GmbH

35

Mobile Adventure

Negotiating Privacy Policy

privacy policy

verifyencrypt personal dataattach SIL

transmit data and SILclient

Insurance Co.


Europe GmbH

36

Mobile Adventure

Problems with Delegation

client

Insurance Co.

Known OffendersDatabase

Who decides about delegation to whom and when?


Europe GmbH

37

Mobile AdventurePossible Approach: Privacy Preserving Sandbox

• Attestation of sandbox instead of application• Sandbox disallows permanent storage• Only DRM-protected communication

sandbox

application


Europe GmbH

38

Mobile Adventure

Comparison of Approaches

Veriexec TPM IRM

Enforcement chaperoning applicationapplication or

sandbox

Security Kernel + key Hardware + OS IRM framework

Attestationkernel +

main moduleOS + wrapper +

application

IRM framework + application /

sandbox

Policy simple complex complex


Europe GmbH

39

Mobile Adventure

Agenda

Information privacy vs information security Privacy taxonomy Protecting privacy

Self protection: anonymity Cooperative approach



Europe GmbH

40

Mobile Adventure

Incentives

• Security– Self protection often possible– Own trade-off security vs. convenience

• Privacy– Self protection often not possible– Reliance on others (goodwill, laws)


Europe GmbH

41

Mobile Adventure

Example

Almost 1000 hitsfor AXIS camerasAlmost none with access control 06/2005UPDATE 05/2007: 12000 hits


Europe GmbH

42

Mobile Adventure

Example


Europe GmbH

43

Mobile Adventure

Example


Europe GmbH

44

Mobile Adventure

Example


Europe GmbH

45

Mobile Adventure

Incentives

• Non-adherence to security may breach other persons privacy

• Example webcameras

• Example Tk Maxx credit card database hack (46 million records exposed)

• Feedback loop:– Security: direct, operator suffers– Privacy: indirect, customers suffer

And it is hard to even get sufficient security awareness!


Europe GmbH

46

Mobile Adventure

Interest in Privacy

Push privacy• Most people affected high democratic

interest

Pull privacy• Experiment at HP Labs (Huberman et al.)• Reverse second price auction for personal

information• High value: Information that deviates from

perceived norm

• Most people don’t deviate from norm little democratic interest in pull privacy


Europe GmbH

47

Mobile AdventureTranslating Privacy for Corporations

Spam spam• Productivity wasted sorting incoming mail

Personal data company data• Intellectual property• Copyright and licenses

Requires institutional, legal, organizational, and technical safeguards

Sufficient economic interest


Europe GmbH

48

Mobile Adventure

Conclusion

• Information privacy needs the semantic layer

• Limited self protection mechanisms• Co-operation necessary• Incentives usually external


Europe GmbH

49

Mobile Adventure

Questions?


Europe GmbH

50

Mobile Adventure

Questions?


Europe GmbH

51

Mobile Adventure

Backup Slides


Europe GmbH

52

Mobile AdventureFLASCHE – Removing Device Identification

MAC IEEE802.11b– random MAC Address (cf. Orava et al.) – loaction: BSSID of access points

IPv6– device specific part of address random (as in

RFC3041)– location: (sub-)network ID– location determination: router solicitation– MAC Address: Neighbor Solicitation

UDP / TCP– random source port

DNS– no DNS entry of mobile device

HTTP– suppress attributes: FROM, REFERER, etc– SSL encryption possible


Europe GmbH

53

Mobile Adventure

FLASCHE – Design

socket API wrappersocket API wrapper

DNSresolver

DNSresolver

servicediscovery

servicediscoverybrowserbrowser identity

manager

identitymanager

socket APIsocket API

TCP/UDPTCP/UDP

……

……

hardwarehardware

IP address per interface

virtual network interface man

agem

ent p

lane

loca

t ion


Europe GmbH

54

Mobile Adventure

Protocol

personalWebserver

NetBSD with veriexec

browser inenvironment withclient certificate

external database

1. initiate connection(TLS)

2. environment finger- print verification

3. license (includesclient certificate)

5. HTTPS with browserand client certificate

6. personal data

4. set up chroot environment

8. delete environment

(7. external communication)

chaperone module


Europe GmbH

55

Mobile Adventure

Securing the TCB

• Introduction of hardware root of trust (Trusted Physical Module, Core Root of Trust for Measurement)

• Extension of TCB during startup• Measured hash values of software chained

and stored in TPM registers

CRTMboot block

TPM

Firmware OS Loader AppApp

App

OS


Europe GmbH

56

Mobile Adventure

Application Manifest

• Recipient application has to match application manifest defined in license

• Extension of TCB: attesting a valid known application to initial TCB via application manifest

• License can specify compatible applications

TCB TCB

ApplicationManifest

Mobile Adventure Privacy - a Taxonomy Proposal Alf Zugenmaier, DoCoMo Euro-Labs Security and Protection of Information, Brno, 2007.

Documents