
    Analyzing Privacy Policies Using Contextual Integrity Annotations

    In this paper, we demonstrate the effectiveness of using the theory of contextual integrity (CI) to annotate and evaluate privacy policy statements. We perform a case study using CI annotations to compare Facebook's privacy policy before and after the Cambridge Analytica scandal. The updated Facebook privacy policy provides additional details about what information is being transferred, from whom, by whom, to whom, and under what conditions. However, some privacy statements prescribe an incomprehensibly large number of information flows by including many CI parameters in single statements. Other statements result in incomplete information flows due to the use of vague terms or the omission of contextual parameters altogether. We then demonstrate that crowdsourcing can effectively produce CI annotations of privacy policies at scale. We test the CI annotation task on 48 excerpts of privacy policies from 17 companies with 141 crowdworkers. The resulting high-precision annotations indicate that crowdsourcing could be used to produce a large corpus of annotated privacy policies for future research.
    Comment: 18 pages, 9 figures, 5 tables

    dd-MABE: Distributed Multilevel Attribute-Based EMR Management and Applications

    Current systems used by medical institutions for the management and transfer of Electronic Medical Records (EMR) can be vulnerable to security and privacy threats. In addition, these centralized systems often lack interoperability and give patients limited or no access to their own EMRs. In this paper, we propose a novel distributed data sharing scheme that applies the security benefits of blockchain to handle these concerns. With blockchain, we incorporate smart contracts and a distributed storage system to alleviate the dependence on the record-generating institutions to manage and share patient records. To preserve the privacy of patient records, we implement our smart contracts as a method to allow patients to verify attributes prior to granting access rights. Our proposed scheme also facilitates selective sharing of medical records among staff members that belong to different levels of a hierarchical institution. We provide extensive security, privacy, and evaluation analyses to show that our proposed scheme is both efficient and practical.

    Emerging Privacy Issues and Solutions in Cyber-Enabled Sharing Services: From Multiple Perspectives

    The fast development of sharing services has become a crucial part of the construction of the cyber-enabled world, as sharing services reinvent how people exchange and obtain goods or services. However, privacy leakage or disclosure remains a key concern during the development of sharing services. While significant efforts have been undertaken to address various privacy issues in recent years, there is a surprising lack of review of privacy concerns in the cyber-enabled sharing world. To bridge the gap, in this study we survey and evaluate existing and emerging privacy issues relating to sharing services from various perspectives. Differing from existing similar works on surveying sharing practices in various fields, our work comprehensively covers six branches of sharing services in the cyber-enabled world and selects solutions mostly from the recent five to six years. We summarize the issues and solutions from three perspectives, namely those of users, platforms and service providers. Hot topics and less discussed topics are identified, which provides hints to researchers for their future studies.
    Comment: 28 pages, 13 figures

    De-anonymizing Social Networks

    Operators of online social networks are increasingly sharing potentially sensitive information about users and their relationships with advertisers, application developers, and data-mining researchers. Privacy is typically protected by anonymization, i.e., removing names, addresses, etc. We present a framework for analyzing privacy and anonymity in social networks and develop a new re-identification algorithm targeting anonymized social-network graphs. To demonstrate its effectiveness on real-world networks, we show that a third of the users who can be verified to have accounts on both Twitter, a popular microblogging service, and Flickr, an online photo-sharing site, can be re-identified in the anonymous Twitter graph with only a 12% error rate. Our de-anonymization algorithm is based purely on the network topology, does not require creation of a large number of dummy "sybil" nodes, is robust to noise and all existing defenses, and works even when the overlap between the target network and the adversary's auxiliary information is small.
    Comment: Published in the 30th IEEE Symposium on Security and Privacy, 2009. The definitive version is available at: http://www.cs.utexas.edu/~shmat/shmat_oak09.pdf Frequently Asked Questions are answered at: http://www.cs.utexas.edu/~shmat/socialnetworks-faq.htm

    Storing complex data sharing policies with the Min Mask Sketch

    More data is currently being collected and shared by software applications than ever before. In many cases, the user is asked whether either all or none of their data can be shared. We hypothesize that in some cases, users would like to share data in more complex ways. In order to implement the sharing of data using more complicated privacy preferences, complex data sharing policies must be used. These complex sharing policies require more space to store than a simple "all or nothing" approach to data sharing. In this paper, we present a new probabilistic data structure, called the Min Mask Sketch, to efficiently store these complex data sharing policies. We describe an implementation of the Min Mask Sketch in PostgreSQL and analyze the practicality and feasibility of using a probabilistic data structure for storing complex data sharing policies.
    Comment: 8 pages, 14 figures

    Security and Privacy Policy Languages: A Survey, Categorization and Gap Identification

    For security and privacy management and enforcement purposes, various policy languages have been presented. We give an overview of 27 security and privacy policy languages and present a categorization framework for policy languages. We show how the current policy languages are represented in the framework and summarize our interpretation. We point out the identified gaps and motivate the adoption of policy languages for the specification of privacy-utility trade-off policies.
    Comment: 13 pages, 2 figures

    Stochastic Privacy

    Online services such as web search and e-commerce applications typically rely on the collection of data about users, including details of their activities on the web. Such personal data is used to enhance the quality of service via personalization of content and to maximize revenues via better targeting of advertisements and deeper engagement of users on sites. To date, service providers have largely followed the approach of either requiring or requesting consent for opting in to share their data. Users may be willing to share private information in return for better quality of service or for incentives, or in return for assurances about the nature and extent of the logging of data. We introduce stochastic privacy, a new approach to privacy centering on a simple concept: a guarantee is provided to users about the upper bound on the probability that their personal data will be used. Such a probability, which we refer to as privacy risk, can be assessed by users as a preference or communicated as a policy by a service provider. Service providers can work to personalize and to optimize revenues in accordance with preferences about privacy risk. We present procedures, proofs, and an overall system for maximizing the quality of services while respecting bounds on allowable or communicated privacy risk. We demonstrate the methodology with a case study and evaluation of the procedures applied to web search personalization. We show how we can achieve near-optimal utility of accessing information with provable guarantees on the probability of sharing data.

    A Model for Privacy-enhanced Federated Identity Management

    Identity federations operating in a business or consumer context need to prevent the collection of user data across trust service providers for legal and business-case reasons. Legal reasons are given by data protection legislation. Other reasons include business owners becoming increasingly aware of confidentiality risks that go beyond traditional information security; e.g., the number of authentications to an EDI service might provide insights into the volume of invoices, from which one could derive insider information. This paper proposes extended technical controls supporting three privacy requirements: a) Limited Linkability: two service providers cannot link data related to a user without the help of a third party, using neither an identifier nor other identifying attributes like email addresses or payment data; b) Limited Observability: an identity provider cannot trace which services a user is using without the help of a third party; c) Non-Disclosure: attributes provided to the service provider by an attribute provider are not disclosed to the identity provider or an intermediate service broker. Using a hub-and-spoke federation style following the privacy-by-design principle, this reference architecture addresses the privacy controls mentioned above.
    Comment: 36 pages

    PPM: A Privacy Prediction Model for Online Social Networks

    Online Social Networks (OSNs) have come to play an increasingly important role in our social lives, and their inherent privacy problems have become a major concern for users. Can we assist consumers in their privacy decision-making practices, for example by predicting their preferences and giving them personalized advice? To this end, we introduce PPM: a Privacy Prediction Model, rooted in psychological principles, which can be used to give users personalized advice regarding their privacy decision-making practices. Using this model, we study psychological variables that are known to affect users' disclosure behavior: the trustworthiness of the requester/information audience, the sharing tendency of the receiver/information holder, the sensitivity of the requested/shared information, the appropriateness of the request/sharing activities, as well as several more traditional contextual factors.
    Comment: 17 pages

    A Survey on the Security of Pervasive Online Social Networks (POSNs)

    Pervasive Online Social Networks (POSNs) are extensions of Online Social Networks (OSNs) which facilitate connectivity irrespective of the domain and properties of users. POSNs have emerged from the convergence of a plethora of social networking platforms with the motivation of bridging the gap between them. Over the last decade, OSNs have seen tremendous advancement in terms of the number of users as well as technology enablers. A single OSN is the property of one organization, which ensures the smooth functioning of its services to provide a quality experience to its users. With POSNs, however, multiple OSNs have coalesced through communities, circles, or shared properties, which makes service provisioning tedious and hard to sustain. The challenges become especially rigorous when the focus is on the security of cross-platform OSNs, which are an integral part of POSNs. Thus, it is of utmost importance to highlight such a requirement and understand the current situation while discussing the available state of the art. With the modernization of OSNs and the convergence towards POSNs, it is necessary to understand the impact and reach of current solutions for enhancing the security of users as well as associated services. This survey recognizes this requisite and focuses on different sets of studies presented over the last few years, surveying them for their applicability to POSNs...
    Comment: 39 pages, 10 figures