41 research outputs found
Privacy Issues of the W3C Geolocation API
The W3C's Geolocation API may rapidly standardize the transmission of
location information on the Web, but, in dealing with such sensitive
information, it also raises serious privacy concerns. We analyze the manner and
extent to which the current W3C Geolocation API provides mechanisms to support
privacy. We propose a privacy framework for the consideration of location
information and use it to evaluate the W3C Geolocation API, both the
specification and its use in the wild, and recommend some modifications to the
API as a result of our analysis.
On User Privacy for Location-based Services
This thesis investigates user privacy concerns associated with
the use of location based services. We begin by introducing
various privacy schemes relevant to the use of location based
services.
We introduce the notion of constraints, i.e. statements
limiting the use and distribution of Location Information
(LI), i.e. data providing information regarding a subject's
location. Constraints can be securely bound to LI, and are
designed to reduce threats to privacy by controlling its
dissemination and use. The various types of constraint which
may be required are also considered. The issues and risks with
the possible use of constraints are discussed, as are possible
solutions to these hazards.
To address some of the problems that have been identified with
the use of constraints, we introduce the notion of an LI
Preference Authority (LIPA). A LIPA is a trusted party which
can examine LI constraints and make decisions about LI
distribution without revealing the constraints to the entity
requesting the LI. This is achieved by encrypting both the LI
and the constraints with a LIPA encryption key, ensuring that
the LI is only revealed at the discretion of the LIPA. We
further show how trusted computing can be used to enhance
privacy for LI. We focus on how the mechanisms in the Trusted
Computing Group specifications can be used to enable the holder
of LI to verify the trustworthiness of a remote host before
transferring the LI to that remote device. This provides
greater assurance to end users that their expressed preferences
for the handling of personal information will be respected.
The model for the control of LI described in this thesis has
close parallels to models controlling the dissemination and use
of other personal information. In particular, Park and Sandhu
have developed a general access control model intended to
address issues such as Digital Rights Management, code
authorisation, and the control of personal data. We show how
our model for LI control fits into this general access control
model.
We present a generic service which allows a device to discover
the location of other devices in ad hoc networks. The
advantages of the service are discussed in several scenarios,
where the reliance on an infrastructure such as GPS satellites
or GSM cellular base stations is not needed. An outline of the
technology which will be needed to realise the service is
given, along with a look at the security issues which surround
the use of this location discovery service.
Finally, we provide conclusions and suggestions for future
work.
A Model for Emergency Service of VoIP Through Certification and Labeling
Voice over Internet Protocol (VoIP) will transform many aspects of
traditional telephony service including technology, the business models
and the regulatory constructs that govern such service. This
transformation is generating a host of technical, business, social and
policy problems. The Federal Communications Commission (FCC) could
attempt to mandate obligations or specific solutions to the policy
issues around VoIP, but is instead looking first to industry initiatives
focused on key functionality that users have come to expect of
telecommunications services. High among these desired functionalities is
access to emergency services that allow a user to summon fire, medical
or law enforcement agencies. Such services were traditionally required
(and subsequently implemented) through state and federal regulations.
Reproducing emergency services in the VoIP space has proven to be a
considerable task, if for no other reason than the wide and diverse
variety of VoIP implementations and implementers. Regardless of this
difficulty, emergency service capability is a critical social concern,
making it particularly important for the industry to propose viable
solutions for promoting VoIP emergency services before regulators are
compelled to mandate a solution, an outcome that often suffers
compromises both through demands on expertise that may be better
represented in industry and through the mechanisms of political
influence and regulatory capture. While technical and business
communities have, in fact, made considerable progress in this area,
significant uncertainty and deployment problems still exist. The
question we ask is: can an industry based certification and labeling
process credibly address social and policy expectations regarding
emergency services and VoIP, thus avoiding the need for government
regulation at this critical time? We hypothesize that it can. To
establish this, we developed just such a model for VoIP emergency
service compliance through industry certification and device labeling.
The intent of this model is to support a wide range of emergency service
implementations while providing the user some validation that the
service will operate as anticipated. To do this we first examine
possible technical implementations for emergency services for VoIP.
Next, we summarize the theory of certification as self-regulation and
examine several relevant examples. Finally, we synthesize a specific
model for certification of VoIP emergency services. We believe that the
model we describe provides both short term and long-term opportunities.
In the short term, an industry driven effort to solve the important
current problem of emergency services in VoIP, if properly structured
and overseen as we suggest, should be both effective and efficient. In
the long term, such a process can serve as a model for the application
of self-regulation to social policy goals in telecommunications, an
attractive tool to have as telecommunications becomes increasingly
diverse and heterogeneous.
Extending IP Flow-Based Network Monitoring with Location Information
Internet Draft - IETF. IP Flow-based monitoring lacks a mechanism to associate measured IP Flow information with the geographic location of the device where the IP Flows have been observed. This document defines a set of guidelines and best practices to extend IP Flow monitoring protocols with location information of the device (both fixed and mobile) that acts as an IP Flow metering process.
A Model for Emergency Service of VoIP through Certification and Labeling
Voice over Internet Protocol (VoIP) will transform many aspects of traditional telephony service, including the technology, the business models, and the regulatory constructs that govern such service. Perhaps not unexpectedly, this transformation is generating a host of technical, business, social, and policy problems. In attempting to respond to these problems, the Federal Communications Commission (FCC) could mandate obligations or specific solutions to VoIP policy issues; however, it is instead looking first to industry initiatives focused on the key functionality that users have come to expect of telecommunications services. High among this list of desired functionality is user access to emergency services for purposes of summoning fire, medical, and law enforcement agencies. Such services were traditionally required to be implemented (and subsequently were implemented) through state and federal regulations.
An emergency service capability is a critical social concern, making it particularly important for the industry to propose viable solutions for promoting VoIP emergency services before regulators are compelled to mandate a solution. Reproducing emergency services in the VoIP space has proven to be a considerable task, mainly due to the wide and diverse variety of VoIP implementations and implementers. While technical and business communities have, in fact, made considerable progress in this area, significant uncertainty and deployment problems still exist.
The question we ask is this: Can an industry-based certification and labeling process credibly address social and policy expectations regarding emergency services and VoIP, thus avoiding the need for government regulation at this critical time? We hypothesize that the answer is “yes.” In answering this question, we developed a model for VoIP emergency service compliance through industry certification and device labeling. This model is intended to support a wide range of emergency service implementations while providing users with sufficient verification that the service will operate as anticipated. To this end, we first examine possible technical implementations for VoIP emergency services. Next, we summarize the theory of certification as self-regulation and examine several relevant examples. Finally, we synthesize a specific model for certification of VoIP emergency services. We believe that the model we describe provides both short-term and long-term opportunities. In the short term, an industry-driven effort to solve the current problem of VoIP emergency services, if properly structured and overseen as we suggest, should be both effective and efficient. In the long term, such a process can serve as a self-regulatory model that can be applied to social policy goals in the telecommunications industry, making it an important tool to have as the industry becomes increasingly diverse and heterogeneous.
Digital Rights Management for Personal Networks
The thesis is concerned with Digital Rights Management (DRM),
and in particular with DRM for networks of devices owned by a
single individual. This thesis focuses on the problem of
preventing illegal copying of digital assets without
jeopardising the right of legitimate licence holders to
transfer content between their own devices, which collectively
make up what we refer to as an authorised domain.
An ideal list of DRM requirements is specified, which takes
into account the points of view of users, content providers and
copyright law. An approach is then developed for assessing DRM
systems based on the defined DRM requirements; the most widely
discussed DRM schemes are then analysed and assessed, where the
main focus is on schemes which address the concept of an
authorised domain. Based on this analysis we isolate the issues
underlying the content piracy problem, and then provide a
generic framework for a DRM system addressing the identified
content piracy issues. The defined generic framework has been
designed to avoid the weaknesses found in other schemes.
The main contributions of this thesis include developing four
new approaches that can be used to implement the proposed
generic framework for managing an authorised domain. The four
novel solutions all involve secure means for creating, managing
and using a secure domain, which consists of all devices owned
by a single owner. The schemes allow secure content sharing
between devices in a domain, and prevent the illegal copying of
content to devices outside the domain. In addition, each
solution incorporates a method for binding a domain to a single
owner, ensuring that only a single consumer owns and manages a
domain. This enables binding of content licences to a single
owner, thereby limiting illicit content proliferation.
In the first solution, domain owners are authenticated using
two-factor authentication, which involves "something the domain
owner has", i.e. a master control device that controls and
manages consumers' domains, and binds devices joining a domain
to itself, and "something the domain owner is or knows", i.e. a
biometric or password/PIN authentication mechanism that is
implemented by the master control device. In the second
solution, domain owners are authenticated using their payment
cards, building on existing electronic payment systems by
ensuring that the name and the date of birth of a domain
creator are the same for all devices joining a domain. In
addition, this solution helps to protect consumers' privacy;
unlike in existing electronic payment systems, payment card
details are not exposed to third parties. The third solution
involves the use of a domain-specific mobile phone and the
mobile phone network operator to authenticate a domain owner
before devices can join a domain. The fourth solution involves
the use of location-based services, ensuring that devices
joining a consumer domain are located in physical proximity to
the addresses registered for this domain. This restricts domain
membership to devices in predefined geographical locations,
helping to ensure that a single consumer owns and manages each
domain.
Compromising Anonymous Communication Systems Using Blind Source Separation
We propose a class of anonymity attacks on both wired and wireless anonymity networks. These attacks are based on the blind source separation algorithms widely used to recover individual signals from mixtures of signals in statistical signal processing. Since the philosophy behind the design of current anonymity networks is to mix traffic or to hide in crowds, the proposed anonymity attacks are very effective. The flow separation attack proposed for wired anonymity networks can separate the traffic in a mix network. Our experiments show that this attack is effective and scalable. By combining the flow separation method with frequency spectrum matching, a passive attacker can derive the traffic map of the mix network. We use a nontrivial network to show that the combined attack works. The proposed anonymity attacks for wireless networks can identify nodes in fully anonymized wireless networks using collections of very simple sensors. Based on a time series of counts of anonymous packets provided by the sensors, we estimate the number of nodes with the use of principal component analysis. We then proceed to separate the collected packet data into traffic flows that, with the help of the spatial diversity in the available sensors, can be used to estimate the location of the wireless nodes. Our simulation experiments indicate that the estimators show high accuracy and high confidence for anonymized TCP traffic. Additional experiments indicate that the estimators perform very well in anonymous wireless networks that use traffic padding.