21 research outputs found

    Security Framework for Decentralized Shared Calendars

    We propose a security framework for Decentralized Shared Calendars (DeSCal). The proposed security framework provides confidentiality for replicated shared calendar events and secures the communication between users. It is designed so that DeSCal preserves all of its characteristic features: fault tolerance, crash recovery, availability and dynamic access control. It has been implemented on iPhone OS.

    We propose a security protocol for shared calendars whose data management is completely decentralized. In this protocol we ensure both (i) the confidentiality of the replicated content and (ii) the security of communication between users. Since we use full data replication, our protocol preserves all the characteristics of such replication, namely fault tolerance and crash recovery. To validate our solution, we implemented a prototype on mobile devices running iPhone OS.

    Online Tracking: Demystification and Control

    It is no surprise, given smartphones' convenience and utility, to see their wide adoption worldwide. Smartphones naturally gather a lot of personal information as the user communicates, browses the web and runs various apps. They are equipped with GPS, NFC and digital camera facilities, and therefore smartphones generate new personal information as they are used. Since they are almost always connected to the Internet, and are barely ever turned off, they can potentially reveal a lot of information about the activities of their owners. The imminent arrival of smartwatches and smart glasses will only increase the amount of personal information available and the privacy leakage risks. This subject is closely related to the Mobilitics project that is currently conducted by Inria/Privatics and CNIL, the French data protection authority [1][2][3]. Therefore, the candidate will benefit from the investigations in progress in this context, in order to understand the situation and the trends. The candidate will also benefit from all the logging and analysis tools we developed for the iOS and Android mobile OSes, as well as the experience gained on the subject. Another question is the arrival of HTML5-based mobile OSes, like Firefox OS: it clearly opens new directions as it "uses completely open standards and there's no proprietary software or technology involved" (Andreas Gal, Mozilla). But what are the implications from a mobile OS privacy point of view? That is an important topic to analyze. Beyond understanding the situation, the candidate will also explore several directions in order to improve the privacy control of mobile devices. First of all, a privacy-by-design approach, when feasible, is an excellent way to tackle the problem. For instance, the current trend is to rely more and more on cloud-based services, either directly (e.g., via Dropbox, Instagram, social networks, or similar services), or indirectly (e.g., when a backup of the contact, calendar or account databases is needed). But pushing data onto cloud-based systems, somewhere on the Internet, is in total contradiction with our privacy considerations. Therefore, one idea is to analyze and experiment with personal cloud services (e.g., ownCloud, diaspora) that are fully managed by the user. Here the goal is to understand the possibilities, the opportunities, and the usability of such systems, either as a replacement for or in association with commercial cloud services. Another direction is to carry out behavioral analyses. Indeed, in order to precisely control the privacy aspects, at one extreme the user may have to interact deeply with the device (e.g., through pop-ups each time a potential privacy leak is identified), which negatively impacts the usability of the device. At the other extreme, the privacy control may be oversimplified, in the hope of not interfering too much with the user, as is the case with the static Android authorizations or the one-time pop-ups of iOS 6. This is not appropriate either, since using private information once is not comparable to using it every minute. A better approach could be to perform, with the help of a machine learning system for instance, a dynamic analysis of the mobile OS or app behavior from a privacy perspective and to interrupt the user only when it is deemed appropriate. This could enable a good trade-off between privacy control and usability, with user actions only when meaningful. How far such a behavioral analysis can go and what the limitations of the approach are (e.g., either from a CPU/battery drain perspective, or in the face of programming tricks that escape the analysis) are open questions. Tainting techniques applied to mobile OSes (e.g., TaintDroid) can be used as a basic building block for a behavioral analysis tool, but they have limited accuracy, are unable to analyze native code and have poor performance.

    It is not surprising, given the convenience and usefulness of smartphones, to see their large-scale adoption worldwide. Smartphones naturally gather a large amount of personal information as the user communicates, browses the web and runs various applications. They are equipped with GPS, NFC and digital camera facilities, and smartphones therefore generate new personal information as they are used. Since they are almost always connected to the Internet, and are hardly ever turned off, they can potentially reveal a lot of information about their owners' activities. The imminent arrival of smartwatches and smart glasses will only increase the amount of personal information available and the risks of privacy leakage. This subject is closely linked to the Mobilitics project currently conducted by Inria/Privatics and CNIL, the French data protection authority [1][2][3]. Consequently, the candidate will benefit from the investigations in progress in this context, in order to understand the situation and the trends. The candidate will also benefit from all the logging and analysis tools we developed for the iOS and Android mobile OSes, as well as the experience gained on the subject. Another question is the arrival of HTML5-based mobile operating systems such as Firefox OS: it clearly opens new directions, as it "uses completely open standards and there's no proprietary software or technology involved" (Andreas Gal, Mozilla). But what are the implications from a mobile OS privacy point of view? This is an important subject to analyze. Beyond understanding the situation, the candidate will also have to explore several directions in order to improve the privacy control of mobile devices. First of all, a privacy-by-design approach, where possible, is an excellent way to tackle the problem. For example, the current trend is to rely more and more on cloud-based services, either directly (for example via Dropbox, Instagram, social networks or similar services) or indirectly (for example when a backup of the contact, calendar or account databases is needed). But pushing data onto cloud-based systems, somewhere on the Internet, is in total contradiction with our privacy considerations. Consequently, the idea is to analyze and experiment with personal cloud services (for example ownCloud, diaspora) that are entirely managed by the user. Here the goal is to understand the possibilities, the opportunities and the usability of such systems, either as a replacement for or in association with commercial cloud services. Another direction is to carry out behavioral analyses. Indeed, in order to precisely control the privacy aspects, at one extreme the user may have to interact heavily with the device (for example through pop-ups each time a potential privacy leak is identified), which has a negative impact on the usability of the device. At the other extreme, privacy control may be oversimplified, in the hope of not interfering too much with the user, as is the case with the static Android authorizations or the one-time pop-ups of iOS 6. This is not appropriate either, since using personal information once is not comparable to using it every minute.

    MobileAppScrutinator: A Simple yet Efficient Dynamic Analysis Approach for Detecting Privacy Leaks across Mobile OSs

    Smartphones, the devices we carry everywhere with us, are being heavily tracked and have undoubtedly become a major threat to our privacy. As "tracking the trackers" has become a necessity, various static and dynamic analysis tools have been developed in the past. However, today we still lack suitable tools to detect, measure and compare the ongoing tracking across mobile OSs. To this end, we propose MobileAppScrutinator, based on a simple yet efficient dynamic analysis approach, that works on both Android and iOS (the two most popular OSs today). To demonstrate the current trend in tracking, we select the 140 most representative apps available on both the Android and iOS app stores and test them with MobileAppScrutinator. Choosing the same set of apps on both Android and iOS also enables us to compare the ongoing tracking on these two OSs. Finally, we also discuss the effectiveness of the privacy safeguards available on Android and iOS. We show that neither Android's nor iOS's privacy safeguards in their present state are completely satisfying.

    Probabilistic k^m-anonymity: Efficient Anonymization of Large Set-Valued Datasets

    A set-valued dataset contains different types of items/values per individual, for example visited locations, purchased goods, watched movies, or search queries. As it is relatively easy to re-identify individuals in such datasets, their release poses significant privacy threats. Hence, organizations aiming to share such datasets must adhere to personal data regulations. In order to be relieved of these regulatory constraints and also to benefit from sharing, these datasets should be anonymized before their release. In this paper, we revisit the problem of anonymizing set-valued data. We argue that anonymization techniques targeting the traditional k^m-anonymity model, which limits the adversarial background knowledge to at most m items per individual, are impractical for large real-world datasets. Hence, we propose a probabilistic relaxation of k^m-anonymity and present an anonymization technique to achieve it. This relaxation also improves the utility of the anonymized data. We also demonstrate the effectiveness of our scalable anonymization technique on a real-world location dataset consisting of more than 4 million subscribers of a large European telecom operator. We believe that our technique can be very appealing for practitioners willing to share such large datasets.

    Short: Device-to-Identity Linking Attack Using Targeted Wi-Fi Geolocation Spoofing

    Today, almost all mobile devices come equipped with Wi-Fi technology. Therefore, it is essential to thoroughly study the privacy risks associated with this technology. Recent works have shown that some Personally Identifiable Information (PII) can be obtained from the radio signals emitted by Wi-Fi equipped devices. However, most of the time the identity of the subject of those pieces of information remains unknown, and the Wi-Fi MAC address of the device is the only available identifier. In this paper, we show that it is possible for an attacker to obtain the identity of the subject. The attack presented in this paper leverages the geolocation information published on some geotagged services, such as Twitter, and exploits the fact that geolocation information obtained through a Wi-Fi-based Positioning System (WPS) can be easily manipulated. We show that geolocation manipulation can be targeted at a single device and that, in most cases, it is not necessary to jam real Wi-Fi access points (APs) to mount a successful attack on WPS.

    MyTrackingChoices: Pacifying the Ad-Block War by Enforcing User Privacy Preferences

    Accepted at The Workshop on the Economics of Information Security (WEIS), 2016.

    Free content and services on the Web are often supported by ads. However, with the proliferation of intrusive and privacy-invasive ads, a significant proportion of users have started to use ad blockers. As existing ad blockers are radical (they block all ads) and are not designed with their economic impact in mind, the ad-based economic model of the Web is in danger today. In this paper, we target privacy-sensitive users and provide them with fine-grained control over tracking. Our working assumption is that some categories of web pages (for example, those related to health, religion, etc.) are more privacy-sensitive to users than others (education, science, etc.). Therefore, our proposed approach consists in giving users an option to specify the categories of web pages that are privacy-sensitive to them and blocking trackers present on such web pages only. As tracking is prevented by blocking the network connections of third-party domains, we avoid not only tracking but also third-party ads. Since users will continue receiving ads on web pages belonging to non-sensitive categories, our approach essentially provides a trade-off between privacy and economy. To test the viability of our solution, we implemented it as a Google Chrome extension named MyTrackingChoices (available on the Chrome Web Store). Our real-world experiments with MyTrackingChoices show that the economic impact of ad blocking exerted by privacy-sensitive users can be significantly reduced.

    MyAdChoices: Bringing Transparency and Control to Online Advertising

    The intrusiveness and the increasing invasiveness of online advertising have, in the last few years, raised serious concerns regarding user privacy and Web usability. As a reaction to these concerns, we have witnessed the emergence of a myriad of ad-blocking and anti-tracking tools, whose aim is to return control over advertising to users. The problem with these technologies, however, is that they are extremely limited and radical in their approach: users can only choose either to block or to allow all ads. With around 200 million people regularly using these tools, the economic model of the Web, in which users get content for free in return for allowing advertisers to show them ads, is in serious peril. In this paper, we propose a smart Web technology that aims at bringing transparency to online advertising, so that users can make an informed and equitable decision regarding ad blocking. The proposed technology is implemented as a Web-browser extension and enables users to exert fine-grained control over advertising, thus providing them with certain guarantees in terms of privacy and browsing experience while preserving the Internet economic model. Experimental results in a real environment demonstrate the suitability and feasibility of our approach, and provide preliminary findings on behavioral targeting from real user browsing profiles.

    Short Paper: WifiLeaks: Underestimated Privacy Implications of the ACCESS_WIFI_STATE Android Permission

    On Android, installing an application implies accepting the permissions it requests, and these permissions are then enforced at runtime. In this work, we focus on the privacy implications of the ACCESS_WIFI_STATE permission. For this purpose, we analyzed the permissions of the 2700 most popular applications on Google Play and found that the ACCESS_WIFI_STATE permission is used by 41% of them. We then performed a static analysis of 998 applications requesting this permission and, based on the results, chose 88 applications for dynamic analysis. Our analyses reveal that this permission is already used by some companies to collect users' Personally Identifiable Information (PII). We also conducted an online survey to study users' perception of the privacy risks associated with this permission. This survey shows that users largely underestimate the privacy implications of this permission. As this permission is very common, most users are therefore potentially at risk.

    WifiLeaks: Underestimated Privacy Implications of the ACCESS_WIFI_STATE Android Permission

    A short version has been accepted for publication in: 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WISEC'14), Oxford, United Kingdom, July 23rd -- 25th 2014.

    On Android, users can choose to install an application, or not, based on the permissions it requests. These permissions are later enforced on the application by the system, e.g., when accessing sensitive user data. In this work, we focus on access to Wi-Fi related information, which is protected by the ACCESS_WIFI_STATE permission. We show that this apparently innocuous network-related permission can leak Personally Identifiable Information (PII). Such information is otherwise only accessible through clearly identifiable permissions (such as READ_PHONE_STATE, ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION). We analyzed the permissions of 2700 applications from Google Play and found that 41% of them use the ACCESS_WIFI_STATE permission. We then statically analyzed 998 such applications and, based on the results, selected 88 for dynamic analysis. Finally, we conducted an online survey to study users' perception of the privacy risks associated with this permission. Our results demonstrate that users largely underestimate the privacy implications of this permission, in particular because they often cannot realize what private information can be inferred from it. Our analysis further reveals that some companies have already started to abuse this permission to collect personal user information, for example to get a unique device identifier for tracking across applications or to geolocate the user without explicitly asking for the dedicated permissions. Because this permission is very common, most users are potentially at risk. There is therefore an urgent need to modify the privileges granted by this permission and to describe more accurately the implications of accepting it.

    On Android, users can choose whether or not to install an application based on the permissions it requests. These permissions are then enforced on the application by the operating system, for example when it accesses sensitive user data. In this work we are interested in access to Wi-Fi related information, which is protected by the ACCESS_WIFI_STATE permission. We show that this network-type permission, which looks very harmless, can be the cause of leaks of personal information (PII) that would otherwise be accessible only through clearly identifiable permissions (such as READ_PHONE_STATE, ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION). We analyzed the permissions of 2700 applications from the Google Play market and found that 41% of them request the ACCESS_WIFI_STATE permission. We then statically analyzed 998 applications from this set and, based on the results, selected 88 of them for a more in-depth dynamic analysis. Finally, we conducted an online survey to study users' perception of the risks associated with this permission. Our results show that users largely underestimate the privacy implications of this permission, in particular because they cannot realize what private information can be derived from it. Our analyses also show that some companies have started to abuse this permission to collect personal information, for example to obtain a unique and stable device identifier for tracking purposes, or to geolocate the user without having to explicitly ask for authorization. Because this permission is very widespread, most users are potentially at risk. There is therefore an urgent need to modify the privileges associated with this permission and to describe more precisely the implications that accepting it can have.

    Technologies for Integration of Large-Scale Distributed Generation and Volatile Loads in Distribution Grids

    As fossil fuel reserves are limited and there is an urgent call to reduce the carbon footprint, distribution grids urgently need to move towards heavy use of local and distributed generation of electricity from renewable energy sources. Another promising prospect for the future of the planet is the wide adoption of electric cars. However, large-scale integration of these highly volatile resources in distribution grids is challenging: distribution grids may face power quality problems, and fuel-based generators may be needed to compensate for high volatility (which defeats the original purpose). Additionally, with the large penetration of solar and wind energy, the grid becomes inverter-dominated (has little inertia), and therefore traditional methods for controlling frequency, voltage, and line congestion are no longer sufficient. In this article, we present different activities carried out in our research groups to tackle the above-mentioned challenges in large-scale integration of such volatile resources. These activities range from advance planning to real-time monitoring and operation of distribution grids. We have also developed a software testbed, called T-RECS, for testing software agents before deploying them in the field. Finally, as reliability and robustness are crucial in such critical infrastructures, we have developed reliability solutions that are suitable for use-case scenarios typical of distribution grids.