
    CoVault: A Secure Analytics Platform

    In a secure analytics platform, data sources consent to the exclusive use of their data for a pre-defined set of analytics queries performed by a specific group of analysts, and for a limited period. If the platform is secure under a sufficiently strong threat model, it can provide the missing link to enabling powerful analytics of sensitive personal data, by alleviating data subjects' concerns about leakage and misuse of data. For instance, many types of powerful analytics that benefit public health, mobility, infrastructure, finance, or sustainable energy can be made differentially private, thus alleviating concerns about privacy. However, no platform currently exists that is sufficiently secure to alleviate concerns about data leakage and misuse; as a result, many types of analytics that would be in the interest of data subjects and the public are not done. CoVault uses a new multi-party implementation of functional encryption (FE) for secure analytics, which relies on a unique combination of secret sharing, multi-party secure computation (MPC), and different trusted execution environments (TEEs). CoVault is secure under a very strong threat model that tolerates compromise and side-channel attacks on any one of a small set of parties and their TEEs. Despite the cost of MPC, we show that CoVault scales to very large data sizes using map-reduce based query parallelization. For example, we show that CoVault can perform queries relevant to epidemic analytics at scale.
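    The abstract names three building blocks (secret sharing, a map-reduce style aggregate computed by several parties, and a differentially private release) without showing how they fit together. The block below is an added illustration written for this listing, not CoVault's code: it additively shares each record across three parties over a prime field, lets every party sum its own column locally (the "map" step), reconstructs only the aggregate (the "reduce" step), and adds Laplace noise before release. The three "parties" are plain Python lists rather than TEE-hosted processes, and the modulus, party count and sample records are assumptions.

```python
"""Additive secret sharing with a map-reduce style aggregate and a
differentially private release.  Added illustration of the building
blocks named in the abstract; it is NOT CoVault's code, and the three
'parties' are plain Python lists rather than TEE-hosted processes."""
import random

P = 2**61 - 1          # prime modulus (assumed); every share is an element of Z_P
N_PARTIES = 3          # assumed: a small fixed set of mutually distrusting parties


def share(value, n=N_PARTIES, rng=random.SystemRandom()):
    """Split value into n additive shares with value == sum(shares) mod P.

    Any n-1 of the shares are uniformly random, so a single compromised
    party (or its TEE) learns nothing about the record it holds a share of.
    """
    assert 0 <= value < P
    shares = [rng.randrange(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def reconstruct(shares):
    """Only a holder of *all* shares can recover the secret."""
    return sum(shares) % P


def share_dataset(records, n=N_PARTIES):
    """Turn a list of ints (e.g. 1 = record is a positive case) into one
    share vector per party; each party stores only its own column."""
    columns = [[] for _ in range(n)]
    for v in records:
        for i, s in enumerate(share(v, n)):
            columns[i].append(s)
    return columns


def local_sum(column):
    """Map step: each party sums its own shares with no communication.
    Linear queries (sum, count, the numerator of a mean) need no
    interaction at this stage, which is what makes the step parallel."""
    return sum(column) % P


def sum_query(columns):
    """Reduce step: parties reveal only their local sums, never a share
    of an individual record, and the opener reconstructs the aggregate."""
    return reconstruct([local_sum(c) for c in columns])


def laplace(scale, rng):
    """Laplace(0, scale) sampled as the difference of two exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def dp_count(columns, epsilon, rng=None):
    """Release a count under epsilon-differential privacy: a 0/1 count
    has sensitivity 1, so Laplace noise with scale 1/epsilon suffices."""
    rng = rng or random.SystemRandom()
    exact = sum_query(columns)
    return exact + laplace(1.0 / epsilon, rng)


if __name__ == "__main__":
    # constructed sample: 1 = contact event involved an infected person
    records = [1, 0, 1, 1, 0, 0, 1]
    cols = share_dataset(records)
    print("party 0 sees only:", cols[0][:3], "...")
    print("exact count      :", sum_query(cols))
    print("noisy release    :", round(dp_count(cols, epsilon=0.5), 2))
```

The point the abstract's threat model turns on is visible in `share`: one party's column is uniformly random, so compromising that party yields nothing, while the noisy `dp_count` is the only value that ever leaves the reduce step. Non-linear queries (joins, thresholds) need a real MPC protocol between the parties rather than the local sums shown here.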

    Symposium: Effects of Human Choices on Characteristics of Urban Ecosystems

    Most urban ecology in cities remains an “ecology in cities” rather than an “ecology of cities.” Accomplishing the latter requires the inclusion of humans within the concept of “ecosystem,” both how humans alter the properties of urban ecosystems and how these alterations in turn influence human well-being. These influences are both direct (e.g., physiological and psychological influences on the human organism) and indirect, by influencing ecosystem sustainability. For the 2007 ESA meeting, Larry Baker, Loren Byrne, Jason Walker, and Alex Felson organized a symposium to address the relationships among human choices and urban ecosystems. In the introductory talk of this symposium, these authors discussed how the cumulative effect of individual household choices can have major effects on the properties of urban ecosystems. For example, direct resource consumption by households accounts for 40% of U.S. energy use; in the Twin Cities of Minnesota, households account for 75–80% of total N and P inputs. Households also have a major impact on vegetation biodiversity in cities. Drawing from the social science literature, this first talk introduced the variety of conceptual models that have been put forth to understand how humans make choices. Economists use classic supply–demand models to understand consumption of market goods (such as energy) and other tools to understand the value of nonmarket goods. Environmental psychologists have often used the Theory of Planned Behavior and related models to explain barriers to adopting specific environmental practices. Political scientists focusing on group processes stress the process by which choices are made and the distributive effects of decisions. Although ecologists often focus on how human behaviors are environmentally destructive, there are also many examples of how collective choices have had very positive environmental outcomes. 
These include large declines in soil erosion and smaller declines in fertilizer P use by farmers in the United States, widespread adoption of household recycling, greatly reduced household water consumption in some water conservation programs, and rapid increases in the sales of the Prius hybrid automobile in recent years. Programs leading to these positive environmental choices generally include a mix of several of the following: a persistent, meaningful message; dissemination of accurate, trusted knowledge; early adoption by trusted individuals; financial incentives or disincentives; targeting of high-consumption individuals; direct regulations; personal economic benefit and feedback. Three presenters examined factors regarding choices of managing the vegetation in urbanized landscapes. Morgan Grove from the Baltimore Ecosystem Study (BES-LTER) discussed an "ecology of prestige" in which consumption and expenditure on environmentally relevant goods and services are motivated by group identity and perceptions of social status associated with different lifestyles, and has used this theory to examine landscaping patterns. Grove and his colleagues combined high-resolution social and ecological spatial and temporal data such as property parcels and land cover (>1 m) with composite measures of population, social stratification, and lifestyle for this presentation. Fig. 1 shows the relationship between percentage tree canopy cover (height of bars) and PRIZM lifestyle classifications. Of particular interest in a long-term context is the relationship between cause and effect: the possibility that some social groups are attracted to and conserve existing, desirable landscapes at a neighborhood scale, while others move to and rehabilitate their landscapes

    Enabling Social Applications via Decentralized Social Data Management

    An unprecedented information wealth produced by online social networks, further augmented by location/collocation data, is currently fragmented across different proprietary services. Combined, it can accurately represent the social world and enable novel socially-aware applications. We present Prometheus, a socially-aware peer-to-peer service that collects social information from multiple sources into a multigraph managed in a decentralized fashion on user-contributed nodes, and exposes it through an interface implementing non-trivial social inferences while complying with user-defined access policies. Simulations and experiments on PlanetLab with emulated application workloads show the system exhibits good end-to-end response time, low communication overhead and resilience to malicious attacks. Comment: 27 pages, single ACM column, 9 figures, accepted in Special Issue of Foundations of Social Computing, ACM Transactions on Internet Technolog

    Views on Privacy. A Survey

    The purpose of this survey was to gather individuals' attitudes and feelings towards privacy and the selling of data. A total (N) of 1,107 people responded to the survey. Across continents, age, gender, and levels of education, people overwhelmingly think privacy is important. An impressive 82% of respondents deem privacy extremely or very important, and only 1% deem privacy unimportant. Similarly, 88% of participants either agree or strongly agree with the statement that 'violations to the right to privacy are one of the most important dangers that citizens face in the digital age.' The great majority of respondents (92%) report having experienced at least one privacy breach. People's first concern when losing privacy is the possibility that their personal data might be used to steal money from them. Interestingly, in second place in the ranking of concerns, people report being concerned about privacy because 'Privacy is a good in itself, above and beyond the consequences it may have.' People tend to feel that they cannot trust companies and institutions to protect their privacy and use their personal data in responsible ways. The majority of people believe that governments should not be allowed to collect everyone's personal data. Privacy is thought to be a right that should not have to be paid for

    Sensor function virtualization to support distributed intelligence in the internet of things

    It is estimated that-by 2020-billion devices will be connected to the Internet. This number not only includes TVs, PCs, tablets and smartphones, but also billions of embedded sensors that will make up the "Internet of Things" and enable a whole new range of intelligent services in domains such as manufacturing, health, smart homes, logistics, etc. To some extent, intelligence such as data processing or access control can be placed on the devices themselves. Alternatively, functionalities can be outsourced to the cloud. In reality, there is no single solution that fits all needs. Cooperation between devices, intermediate infrastructures (local networks, access networks, global networks) and/or cloud systems is needed in order to optimally support IoT communication and IoT applications. Through distributed intelligence the right communication and processing functionality will be available at the right place. The first part of this paper motivates the need for such distributed intelligence based on shortcomings in typical IoT systems. The second part focuses on the concept of sensor function virtualization, a potential enabler for distributed intelligence, and presents solutions on how to realize it

    Open-TEE - An Open Virtual Trusted Execution Environment

    Hardware-based Trusted Execution Environments (TEEs) are widely deployed in mobile devices. Yet their use has been limited primarily to applications developed by the device vendors. Recent standardization of TEE interfaces by GlobalPlatform (GP) promises to partially address this problem by enabling GP-compliant trusted applications to run on TEEs from different vendors. Nevertheless, ordinary developers wishing to develop trusted applications face significant challenges. Access to hardware TEE interfaces is difficult to obtain without support from vendors. Tools and software needed to develop and debug trusted applications may be expensive or non-existent. In this paper, we describe Open-TEE, a virtual, hardware-independent TEE implemented in software. Open-TEE conforms to GP specifications. It allows developers to develop and debug trusted applications with the same tools they use for developing software in general. Once a trusted application is fully debugged, it can be compiled for any actual hardware TEE. Through performance measurements and a user study we demonstrate that Open-TEE is efficient and easy to use. We have made Open-TEE freely available as open source. Comment: Author's version of article to appear in 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015, Helsinki, Finland, August 20-22, 201

    Internet authentication based on personal history - a feasibility test

    On the Internet, there is an uneasy tension between the security and usability of authentication mechanisms. An easy three-part classification is: 'something you know' (e.g. password); 'something you hold' (e.g. device holding digital certificate); and 'who you are' (e.g. biometric assessment) [9]. Each of these has well-known problems: passwords are written down, guessable, or forgotten; devices are lost or stolen; and biometric assays alienate users. We have investigated a novel strategy of querying the user based on their personal history (a 'Rip van Winkle' approach). The sum of this information is large and well-known only to the individual. The volume is too large for impostors to learn; our observation is that, in the emerging environment, it is possible to collate and automatically query such information as an authentication test. We report a proof of concept study based on the automatic generation of questions from electronic 'calendar' information. While users were, surprisingly, unable to answer randomly generated questions any better than impostors, if questions are categorized according to appropriate psychological parameters then significant results can be obtained. We thus demonstrate the potential viability of this concept

    Mandatory Enforcement of Privacy Policies using Trusted Computing Principles

    Modern communication systems and information technology create significant new threats to information privacy. In this paper, we discuss the need for proper privacy protection in cooperative intelligent transportation systems (cITS), one instance of such systems. We outline general principles for data protection and their legal basis and argue why purely legal protection is insufficient. Strong privacy-enhancing technologies need to be deployed in cITS to protect user data while it is generated and processed. As data minimization cannot always prevent the need for disclosing relevant personal information, we introduce the new concept of mandatory enforcement of privacy policies. This concept empowers users and data subjects to tightly couple their data with privacy policies and rely on the system to impose such policies on any data processor. We also describe the PRECIOSA Privacy-enforcing Runtime Architecture that exemplifies our approach. Moreover, we show how an application can utilize this architecture by applying it to a pay-as-you-drive (PAYD) car insurance scenario

    Storytelling Security: User-Intention Based Traffic Sanitization

    Malicious software (malware) with a decentralized communication infrastructure, such as peer-to-peer botnets, is difficult to detect. In this paper, we describe a traffic-sanitization method for identifying malware-triggered outbound connections from a personal computer. Our solution correlates user activities with the content of outbound traffic. Our key observation is that user-initiated outbound traffic typically has corresponding human inputs, i.e., keystrokes or mouse clicks. Our analysis of the causal relations between user inputs and packet payload enables the efficient enforcement of inter-packet dependencies at the application level. We formalize our approach within the framework of a protocol-state machine. We define new application-level traffic-sanitization policies that enforce the inter-packet dependencies. The dependency is derived from the transitions among protocol states that involve both user actions and network events. We refer to our methodology as storytelling security. We demonstrate a concrete realization of our methodology in the context of a peer-to-peer file-sharing application, and describe its use in blocking the traffic of P2P bots on a host. We implement and evaluate our prototype on the Windows operating system in both online and offline deployment settings. Our experimental evaluation, along with case studies of real-world P2P applications, demonstrates the feasibility of verifying the inter-packet dependencies. Our deep packet inspection incurs overhead on the outbound network flow. Our solution can also be used as an offline collect-and-analyze tool
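    The abstract describes the mechanism (user inputs and outbound packets feeding one protocol-state machine whose transitions gate what may leave the host) but gives no concrete policy. The block below is an added example written for this listing, not the authors' prototype: it replays a constructed event log of keystrokes and outbound packets through a small state machine for a toy file-sharing protocol and emits ALLOW/BLOCK per packet. The message types (SEARCH, GET, DATA), the two-second input window, the "one input justifies one request" rule and the sample log are all assumptions made for the illustration.

```python
"""Host-side traffic sanitisation keyed on user intention.  Added
example in the spirit of the abstract, not the authors' prototype: the
toy file-sharing protocol (SEARCH / GET / DATA messages), the input
window and the constructed event log are all assumptions."""
from dataclasses import dataclass, field

INPUT_WINDOW = 2.0   # assumed: a request must follow a keystroke/click within 2 s


@dataclass
class Event:
    ts: float            # seconds since start of capture
    kind: str            # "input" (keystroke/mouse) or "net" (outbound packet)
    dst: str = ""        # peer address, only for "net"
    payload: bytes = b""


@dataclass
class HostState:
    """Protocol-state machine: IDLE -(input)-> -(search)-> SEARCHED -(get)-> session."""
    last_input_ts: float = -1.0
    searched: bool = False
    sessions: set = field(default_factory=set)   # peers with an allowed GET


def classify(payload):
    """Deep packet inspection of the (assumed) application message type."""
    for prefix, name in ((b"SEARCH ", "search"), (b"GET ", "get"), (b"DATA ", "data")):
        if payload.startswith(prefix):
            return name
    return "unknown"


def sanitize(events):
    """Replay the event stream and decide ALLOW/BLOCK for each outbound packet.

    Inter-packet dependencies enforced:
      * SEARCH needs a human input at most INPUT_WINDOW seconds earlier,
        and each input justifies exactly one request (no piggybacking);
      * GET needs an allowed SEARCH earlier in the session;
      * DATA may only go to a peer with which an allowed GET was exchanged.
    """
    st = HostState()
    decisions = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "input":
            st.last_input_ts = ev.ts          # human action observed
            continue
        msg = classify(ev.payload)
        ok, why = False, "unrecognised message"
        if msg == "search":
            if st.last_input_ts >= 0 and ev.ts - st.last_input_ts <= INPUT_WINDOW:
                ok, why = True, "search follows a user input"
                st.last_input_ts = -1.0       # consume the input
                st.searched = True
            else:
                why = "search with no recent user input"
        elif msg == "get":
            if st.searched:
                ok, why = True, "download request follows an allowed search"
                st.sessions.add(ev.dst)
            else:
                why = "download request without a prior search"
        elif msg == "data":
            if ev.dst in st.sessions:
                ok, why = True, "transfer inside an established session"
            else:
                why = "transfer to a peer with no session"
        decisions.append((ev.ts, ev.dst, "ALLOW" if ok else "BLOCK", why))
    return decisions


# constructed log: a genuine user session, then a bot on the same host
SAMPLE_LOG = [
    Event(0.0, "input"),
    Event(0.4, "net", "10.0.0.5:6346", b"SEARCH linux.iso"),
    Event(1.2, "net", "10.0.0.9:6346", b"GET /file/123"),
    Event(1.5, "net", "10.0.0.9:6346", b"DATA chunk-0"),
    Event(30.0, "net", "203.0.113.7:6346", b"SEARCH c2-beacon"),
    Event(31.0, "net", "203.0.113.7:6346", b"DATA stolen"),
]

if __name__ == "__main__":
    for ts, dst, verdict, why in sanitize(SAMPLE_LOG):
        print(f"{ts:5.1f}s {dst:18s} {verdict:5s} {why}")
```

Fed a recorded log, `sanitize` is the offline collect-and-analyze mode the abstract mentions; hooked into a packet filter, the same function makes the inline decision. The `searched` flag never expires in this toy, so a bot that sends GET shortly after a genuine user search would slip through; a deployable policy would time out that state and track it per peer, and would also have to cope with legitimate protocol traffic that has no human trigger at all (keep-alives, retransmissions), which is where the false-positive cost of this approach lives.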