‘Depends on who’s got the data’: public understandings of personal digital dataveillance

This is the final version of the article. Available from Surveillance Studies Network via the URL in this record.Post-Snowden, several highly-publicised events and scandals have drawn attention to the use of people’s personal data by other actors and agencies, both legally and illicitly. In this article, we report the findings of a project in which we used cultural probes to generate discussion about personal digital dataveillance. Our findings suggest the prevailing dominance of tacit assumptions about the uses and benefits of dataveillance as well as fears and anxieties about its possible misuse. They were able to identify a range of ways in which dataveillance is conducted, but were more aware of obvious commercial and some government actors. There was very little identification of the types of dataveillance that are used by national security and policing agencies or of illegal access by hackers and cybercriminals. We found that the participants recognised the value of both personal data and the big aggregated data sets that their own data may be part of, particularly for their own convenience. However, they expressed concern or suspicion about how these data may be used by others, often founded on a lack of knowledge about what happens to their data. The major question for our participants was where the line should be drawn. When does personal dataveillance become too intrusive, scary or creepy? What are its drawbacks and risks? Our findings suggest that experimenting with innovative approaches to elicit practices and understandings of personal digital data offers further possibilities for greater depth and breadth of social research with all types of social groups.This research was funded by personal research funds provided by the University of Canberra to Deborah Lupton

Digging Them Out Alive

From 2013-2018, we taught a collection of interrelated law and social work clinical courses, which we call “the Unger clinic.” This clinic was part of a major, multi-year criminal justice project, led by the Maryland Office of the Public Defender. The clinic and project responded to a need created by a 2012 Maryland Court of Appeals decision, Unger v. State. It, as later clarified, required that all Maryland prisoners who were convicted by juries before 1981—237 older, long-incarcerated prisoners—be given new trials. This was because prior to 1981 Maryland judges in criminal trials were required to instruct the jury that they—the jury—had the ultimate right to determine the law. Our clinic helped to implement Unger by providing a range of legal services and related social services to many of these prisoners. Through the five years, the great majority of the Unger group were released by agreements, on probation, and not retried. In all, approximately 85% of the 237—that is, 85% of all state prisoners in Maryland convicted by juries of violent crimes before 1981—were released. This article describes why and how we created the Unger Clinic; why we made it interdisciplinary; what the students and we learned in it and from our clients; and what we would do differently. We believe the clinical education model we developed—an interdisciplinary clinic working in partnership with a major legal services provider and a citizens’ advocacy group—can be used effectively to address other significant access-to-justice problems nationally. In the end, the Unger Project has been a criminal justice laboratory. The qualitative experiences support many criminal justice reforms with the overriding lesson being that the continued incarceration of older, long incarcerated prisoners convicted of violent crimes serves no public safety purpose

A semantic methodology for (un)structured digital evidences analysis

Nowadays, more than ever, digital forensics activities are involved in any criminal, civil or military investigation and represent a fundamental tool to support cyber-security. Investigators use a variety of techniques and proprietary software forensic applications to examine the copy of digital devices, searching hidden, deleted, encrypted, or damaged files or folders. Any evidence found is carefully analysed and documented in a "finding report" in preparation for legal proceedings that involve discovery, depositions, or actual litigation. The aim is to discover and analyse patterns of fraudulent activities. In this work, a new methodology is proposed to support investigators during the analysis process, correlating evidences found through different forensic tools. The methodology was implemented through a system able to add semantic assertion to data generated by forensics tools during extraction processes. These assertions enable more effective access to relevant information and enhanced retrieval and reasoning capabilities

BC Law Magazine Summer 2019

https://lawdigitalcommons.bc.edu/bclsm/1094/thumbnail.jp

Contributions to security and privacy protection in recommendation systems

A recommender system is an automatic system that, given a customer model and a set of available documents, is able to select and offer those documents that are more interesting to the customer. From the point of view of security, there are two main issues that recommender systems must face: protection of the users' privacy and protection of other participants of the recommendation process. Recommenders issue personalized recommendations taking into account not only the profile of the documents, but also the private information that customers send to the recommender. Hence, the users' profiles include personal and highly sensitive information, such as their likes and dislikes. In order to have a really useful recommender system and improve its efficiency, we believe that users shouldn't be afraid of stating their preferences. The second challenge from the point of view of security involves the protection against a new kind of attack. Copyright holders have shifted their targets to attack the document providers and any other participant that aids in the process of distributing documents, even unknowingly. In addition, new legislation trends such as ACTA or the ¿Sinde-Wert law¿ in Spain show the interest of states all over the world to control and prosecute these intermediate nodes. we proposed the next contributions: 1.A social model that captures user's interests into the users' profiles, and a metric function that calculates the similarity between users, queries and documents. This model represents profiles as vectors of a social space. Document profiles are created by means of the inspection of the contents of the document. Then, user profiles are calculated as an aggregation of the profiles of the documents that the user owns. Finally, queries are a constrained view of a user profile. This way, all profiles are contained in the same social space, and the similarity metric can be used on any pair of them. 2.Two mechanisms to protect the personal information that the user profiles contain. The first mechanism takes advantage of the Johnson-Lindestrauss and Undecomposability of random matrices theorems to project profiles into social spaces of less dimensions. Even if the information about the user is reduced in the projected social space, under certain circumstances the distances between the original profiles are maintained. The second approach uses a zero-knowledge protocol to answer the question of whether or not two profiles are affine without leaking any information in case of that they are not. 3.A distributed system on a cloud that protects merchants, customers and indexers against legal attacks, by means of providing plausible deniability and oblivious routing to all the participants of the system. We use the term DocCloud to refer to this system. DocCloud organizes databases in a tree-shape structure over a cloud system and provide a Private Information Retrieval protocol to avoid that any participant or observer of the process can identify the recommender. This way, customers, intermediate nodes and even databases are not aware of the specific database that answered the query. 4.A social, P2P network where users link together according to their similarity, and provide recommendations to other users in their neighborhood. We defined an epidemic protocol were links are established based on the neighbors similarity, clustering and randomness. Additionally, we proposed some mechanisms such as the use SoftDHT to aid in the identification of affine users, and speed up the process of creation of clusters of similar users. 5.A document distribution system that provides the recommended documents at the end of the process. In our view of a recommender system, the recommendation is a complete process that ends when the customer receives the recommended document. We proposed SCFS, a distributed and secure filesystem where merchants, documents and users are protectedEste documento explora c omo localizar documentos interesantes para el usuario en grandes redes distribuidas mediante el uso de sistemas de recomendaci on. Se de fine un sistema de recomendaci on como un sistema autom atico que, dado un modelo de cliente y un conjunto de documentos disponibles, es capaz de seleccionar y ofrecer los documentos que son m as interesantes para el cliente. Las caracter sticas deseables de un sistema de recomendaci on son: (i) ser r apido, (ii) distribuido y (iii) seguro. Un sistema de recomendaci on r apido mejora la experiencia de compra del cliente, ya que una recomendaci on no es util si es que llega demasiado tarde. Un sistema de recomendaci on distribuido evita la creaci on de bases de datos centralizadas con informaci on sensible y mejora la disponibilidad de los documentos. Por ultimo, un sistema de recomendaci on seguro protege a todos los participantes del sistema: usuarios, proveedores de contenido, recomendadores y nodos intermedios. Desde el punto de vista de la seguridad, existen dos problemas principales a los que se deben enfrentar los sistemas de recomendaci on: (i) la protecci on de la intimidad de los usuarios y (ii) la protecci on de los dem as participantes del proceso de recomendaci on. Los recomendadores son capaces de emitir recomendaciones personalizadas teniendo en cuenta no s olo el per l de los documentos, sino tambi en a la informaci on privada que los clientes env an al recomendador. Por tanto, los per les de usuario incluyen informaci on personal y altamente sensible, como sus gustos y fobias. Con el n de desarrollar un sistema de recomendaci on util y mejorar su e cacia, creemos que los usuarios no deben tener miedo a la hora de expresar sus preferencias. Para ello, la informaci on personal que est a incluida en los per les de usuario debe ser protegida y la privacidad del usuario garantizada. El segundo desafi o desde el punto de vista de la seguridad implica un nuevo tipo de ataque. Dado que la prevenci on de la distribuci on ilegal de documentos con derechos de autor por medio de soluciones t ecnicas no ha sido efi caz, los titulares de derechos de autor cambiaron sus objetivos para atacar a los proveedores de documentos y cualquier otro participante que ayude en el proceso de distribuci on de documentos. Adem as, tratados y leyes como ACTA, la ley SOPA de EEUU o la ley "Sinde-Wert" en España ponen de manfi esto el inter es de los estados de todo el mundo para controlar y procesar a estos nodos intermedios. Los juicios recientes como MegaUpload, PirateBay o el caso contra el Sr. Pablo Soto en España muestran que estas amenazas son una realidad

Social Palimpsests - clouding the lens of the personal panopticon

The use of personal data has incredible potential to benefit both society and individuals, through increased understanding of behaviour, communication and support for emerging forms of socialisation and connectedness. However, there are risks associated with disclosing personal information, and present systems show a systematic asymmetry between the subjects of the data and those who control and manage the way that data is propagated and used. This leads to a tension between a desire to engage with online society and enjoy its benefits on one hand, and a distrust of those with whom the data is shared on the other. In this chapter, we explore a set of obfuscation techniques which may help to redress the balance of power when sharing personal data, and return agency and choice to users of online services

Privacy-preserving and secure location authentication

With the advent of Location-Based-Systems, positioning systems must face new security requirements: how to guarantee the authenticity of the geographical positon announced by a user before granting him access to location-restricted! resources. In this thesis, we are interested in the study of ! security ! protocols that can ensure autheniticity of the position announced by a user without the prior availability of any form of trusted architecture. A first result of our study is the proposal for a distance-bounding protocol based on asymmetric cryptography which allows a node knowing a public key to authenticate the holder of the associated private key, while establishing confidence in the distance between them. The distance measurement procedure is sufficently secure to resist to well-known attacks such as relay attacks, distance-, mafia- and terrorist-attacks. We then use such distance-bounding protocol to define an architecture for gathering privacy friendly location proofs. We define a location proof as a digital certificate attesting of presence of an individual at a location at a given time. The privacy properties we garanty through the use of our system are: the anonymity of users, un-linkability of their actions within the system and a strong binding between each user ! and the localization proof it is associated. on last property of our system is the possibility to use the same location proof to demonstrate different granularity of the associated position