
    Interdependent Privacy


    Location Privacy amidst Local Eavesdroppers

    Mobile social networks and location-aware applications are becoming more and more widespread in current wireless networks. Thanks to WiFi- or Bluetooth-enabled devices, everyday mobile users can enjoy new services. However, the deployment of these mobile technologies leads to many concerns for privacy, especially location privacy. In wireless networks, external malicious parties can monitor the pseudonyms used for identification to learn mobile users' locations and track their movements. A common technique for protecting location privacy consists in changing pseudonyms in regions called mix zones. In this report, we present a game-theoretic approach to evaluate the interaction and behaviors of an attacker aiming to jeopardize mobile nodes' location privacy and of nodes willing to thwart the adversary's spiteful plans. Assuming that such an attacker is armed with local eavesdropping devices, he must deploy them in an efficient way to track as many nodes as possible. On the other hand, mobile users have to determine where the best places are to locate their mix zones. In order to evaluate their potential benefit, mobile nodes need to know the mixing effectiveness of possible mix zone locations. We propose a simplified metric based on mobility profiles to determine the location privacy achieved with mix zones. We also build a payoff model to account for the costs, as well as the benefits, arising from this extended hide-and-seek game. By means of analytical and numerical results, we show the existence of Nash equilibria for all values of players' costs and mobility parameters. We prove that the adversary's best behavior evolves with the benefit he gets from traffic sniffing and the cost incurred by the deployment of eavesdropping stations. On the other hand, we show that, when the mobility profile is homogeneous, the mobile nodes' best response is independent of the adversary's deployment of sniffing stations. Furthermore, the nodes' best response depends only on the number of mix zones they deploy, not on their particular locations.

    When Others Impinge upon Your Privacy: Interdependent Risks and Protection in a Connected World

    Privacy is defined as the right to control, edit, manage, and delete information about oneself and to decide when, how, and to what extent this information is communicated to others. Therefore, every person should ideally be empowered to manage and protect his own data, individually and independently of others. This assumption, however, barely holds in practice, because people are by nature biologically and socially interconnected. An individual's identity is essentially determined at the biological and social levels. First, a person is biologically determined by his DNA, his genes, which fully encode his physical characteristics. Second, human beings are social animals, with a strong need to create ties and interact with their peers. Interdependence is present at both levels. At the biological level, interdependence stems from genetic inheritance. At the social level, interdependence emerges from social ties. In this thesis, we investigate whether, in today's highly connected world, individual privacy is in fact achievable, or if it is almost impossible due to the inherent interdependence between people. First, we study interdependent privacy risks at the social level, focusing on online social networks (OSNs), the digital counterpart of our social lives. We show that, even if an OSN user carefully tunes his privacy settings in order not to be present in any search directory, it is possible for an adversary to find him by using publicly visible attributes of other OSN users. We demonstrate that, in OSNs where privacy settings are not aligned between users and where some users reveal an (even limited) set of attributes, it is almost impossible for a specific user to hide in the crowd. Our navigation attack complements existing work on inference attacks in OSNs by showing how targeted profiles can be found efficiently in OSNs, which is a necessary precondition for any targeted attack. Our attack also demonstrates the threat to OSN-membership privacy. Second, we investigate upcoming interdependent privacy risks at the biological level. More precisely, due to the recent drop in the cost of genome sequencing, an increasing number of people are having their genomes sequenced and share them online and/or with third parties for various purposes. However, familial genetic dependencies induce indirect genomic privacy risks for the relatives of the individuals who share their genomes. We propose a probabilistic framework that relies upon graphical models and Bayesian inference in order to formally quantify genomic privacy risks. Then, we study the interplay between rational family members with potentially conflicting interests regarding the storage security and disclosure of their genomic data. We consider both purely selfish and altruistic behaviors, and we make use of multi-agent influence diagrams to efficiently derive equilibria in the general case where more than two relatives interact with each other. We also propose an obfuscation mechanism in order to reconcile utility with privacy in genomics, in the context where all family members are cooperative and care about each other's privacy. Third, we study privacy-enhancing systems, such as anonymity networks, where users do not damage other users' privacy but are actually needed in order to protect privacy. In this context, we show how incentives based on virtual currency can be used, and their amount optimized, in order to foster cooperation between users and eventually improve everyone's privacy. [...]

    Learning From the Past to Improve the Future

    Contact tracing apps were considered among the first tools to control the spread of COVID-19 and ease lockdown measures. While these apps can be very effective at stopping transmission and saving lives, the level of adoption remains significantly below the expected critical mass. The public debate, as well as academic research about contact tracing apps, emphasizes general concerns about privacy (and the associated risks) but often disregards the value-added services, as well as the benefits, that can result from a larger user base. To address this gap, the study analyzes goal-congruent features as drivers for user adoption. It uses market research techniques, specifically conjoint analysis, to study individual and group preferences and gain insights into prescriptive design. While the results confirm the privacy-preserving design of most European contact tracing apps, they emphasize the role of value-added services in addressing heterogeneous user segments to drive user adoption. The findings are thereby of relevance for designing effective contact tracing apps, but they also inform the user-oriented design of apps for health and crisis management that rely on sharing sensitive information.

    Towards Mass Adoption of Contact Tracing Apps - Learning from Users’ Preferences to Improve App Design

    Contact tracing apps have become one of the main approaches to controlling and slowing down the spread of COVID-19 and easing lockdown measures. While these apps can be very effective in stopping the transmission chain and saving lives, their adoption remains below the expected critical mass. The public debate about contact tracing apps emphasizes general privacy reservations and is conducted at an expert level, but it lacks the user perspective on actual designs. To address this gap, we explore user preferences for contact tracing apps using market research techniques, specifically conjoint analysis. Our main contributions are empirical insights into individual and group preferences, as well as insights for prescriptive design. While our results confirm the privacy-preserving design of most European contact tracing apps, they also provide a more nuanced understanding of acceptable features. Based on market simulation and variation analysis, we conclude that adding goal-congruent features will play an important role in fostering mass adoption.

    On (The Lack Of) Location Privacy in Crowdsourcing Applications

    Crowdsourcing enables application developers to benefit from large and diverse datasets at a low cost. Specifically, mobile crowdsourcing (MCS) leverages users' devices as sensors to perform geo-located data collection. The collection of geo-located data raises serious privacy concerns for users. Yet, despite the large body of research on location privacy-preserving mechanisms (LPPMs), MCS developers implement little to no protection for data collection or publication. To understand this mismatch, we study the performance of existing LPPMs on publicly available data from two mobile crowdsourcing projects. Our results show that well-established defenses are either not applicable or offer little protection in the MCS setting. Additionally, they have a much stronger impact on applications' utility than foreseen in the literature. This is because existing LPPMs, designed with location-based services (LBSs) in mind, are optimized for utility functions based on users' locations, whereas MCS utility functions depend on the values (e.g., measurements) associated with those locations. We finally outline possible research avenues to facilitate the development of new location privacy solutions that fit the needs of MCS, so that the increasing number of such applications does not jeopardize their users' privacy.

    Investigating Graph Embedding Methods for Cross-Platform Binary Code Similarity Detection

    IoT devices are increasingly present, both in industry and in consumer markets, but their security remains weak, which leads to an unprecedented number of attacks against them. In order to reduce the attack surface, one approach is to analyze the binary code of these devices to detect early whether they contain potential security vulnerabilities. More specifically, knowing some vulnerable function, we can determine whether the firmware of an IoT device contains some security flaw by searching for this function. However, searching for similar vulnerable functions is in general challenging, because the source code is often not openly available and the binary can be compiled for different architectures, using different compilers and compilation settings. In order to handle these varying settings, we can compare the similarity between the graph embeddings derived from the binary functions. In this paper, inspired by recent advances in deep learning, we propose a new method, GESS (graph embeddings for similarity search), to derive graph embeddings, and we compare it with various state-of-the-art methods. Our empirical evaluation shows that GESS reaches an AUC of 0.979, thereby outperforming the best known approach. Furthermore, for a fixed low false positive rate, GESS provides a true positive rate (or recall) about 36% higher than the best previous approach. Finally, for a large search space, GESS provides a recall between 50% and 60% higher than the best previous approach.

    A Study on the Use of Checksums for Integrity Verification of Web Downloads

    App stores provide access to millions of different programs that users can download onto their computers. Developers can also make their programs available for download on their websites and host the program files either directly on their website or on third-party platforms, such as mirrors. In the latter case, as users download the software without any vetting from the developers, they should take the necessary precautions to ensure that it is authentic. One way to accomplish this is to check that the published file's integrity verification code, the checksum, matches that of the downloaded file (if a checksum is provided). To date, however, there is little evidence to suggest that such a process is effective. Even worse, very few usability studies about it exist. In this paper, we provide the first comprehensive study that assesses the usability and effectiveness of the manual checksum verification process. First, by means of an in-situ experiment with 40 participants and eye-tracking technology, we show that the process is cumbersome and error-prone. Second, after a 4-month-long in-the-wild experiment with 134 participants, we demonstrate how our proposed solution, a Chrome extension that verifies checksums automatically, significantly reduces human errors, improves coverage, and has only a limited impact on usability. It also confirms that, sadly, only a tiny minority of websites that link to executable files in our sample provide checksums (0.01%), which is a strong call to action for web standards bodies, service providers and content creators to increase the use of file integrity verification on their properties.

    Are Those Steps Worth Your Privacy? Fitness-Tracker Users' Perceptions of Privacy and Utility

    Fitness trackers are increasingly popular. The data they collect provides substantial benefits to their users, but it also creates privacy risks. In this work, we investigate how fitness-tracker users perceive the utility of the features provided and the associated privacy-inference risks. We conduct a longitudinal study composed of a four-month period of fitness-tracker use (N = 227), followed by an online survey (N = 227) and interviews (N = 19). We assess the users' knowledge of concrete privacy threats that fitness-tracker users are exposed to (as demonstrated by previous work), the possible privacy-preserving actions users can take, and their perceptions of the utility of the features provided by the fitness trackers. We study the potential for data minimization and the users' mental models of how the fitness-tracking ecosystem works. Our findings show that the participants are aware that some types of information might be inferred from the data collected by the fitness trackers. For instance, the participants correctly guessed that sexual activity could be inferred from heart-rate data. However, the participants did not realize that non-physiological information could also be inferred from the data. Our findings demonstrate a high potential for data minimization, either by processing data locally or by decreasing the temporal granularity of the data sent to the service provider. Furthermore, we identify the participants' lack of understanding and common misconceptions about how the Fitbit ecosystem works.