62 research outputs found
PrivacyScore: Improving Privacy and Security via Crowd-Sourced Benchmarks of Websites
Website owners make conscious and unconscious decisions that affect their
users, potentially exposing them to privacy and security risks in the process.
In this paper we introduce PrivacyScore, an automated website scanning portal
that allows anyone to benchmark security and privacy features of multiple
websites. In contrast to existing projects, the checks implemented in
PrivacyScore cover a wider range of potential privacy and security issues.
Furthermore, users can control the ranking and analysis methodology. Therefore,
PrivacyScore can also be used by data protection authorities to perform
regularly scheduled compliance checks. In the long term we hope that the
transparency resulting from the published benchmarks creates an incentive for
website owners to improve their sites. The public availability of a first
version of PrivacyScore was announced at the ENISA Annual Privacy Forum in June
2017.Comment: 14 pages, 4 figures. A german version of this paper discussing the
legal aspects of this system is available at arXiv:1705.0888
A System for Privacy-Preserving Mobile Health and Fitness Data Sharing: Design, Implementation and Evaluation
The growing spread of smartphones and other mobile devices has given rise to a number of health and fitness applications. Users can track their calorie intake, get reminders to take their medication, and track their fitness workouts. Many of these services have social components, allowing users to find like-minded peers, compete with their friends, or participate in open challenges. However, the prevalent service model forces users to disclose all of their data to the service provider. This may include sensitive information, like their current position or medical conditions. In this thesis, we will design, implement and evaluate a privacy-preserving fitness data sharing system. The system provides privacy not only towards other users, but also against the service provider, does not require any Trusted Third Parties (TTPs), and is backed by strong cryptography. Additionally, it hides the communication metadata (i.e. who is sharing data with whom). We evaluate the security of the system with empirical and formal methods, including formal proofs for parts of the system. We also investigate the performance with empirical data and a simulation of a large-scale deployment. Our results show that the system can provide strong privacy guarantees. However, it incurs a significant networking overhead for large deployments
Best Practices for Notification Studies for Security and Privacy Issues on the Internet
Researchers help operators of vulnerable and non-compliant internet services
by individually notifying them about security and privacy issues uncovered in
their research. To improve efficiency and effectiveness of such efforts,
dedicated notification studies are imperative. As of today, there is no
comprehensive documentation of pitfalls and best practices for conducting such
notification studies, which limits validity of results and impedes
reproducibility. Drawing on our experience with such studies and guidance from
related work, we present a set of guidelines and practical recommendations,
including initial data collection, sending of notifications, interacting with
the recipients, and publishing the results. We note that future studies can
especially benefit from extensive planning and automation of crucial processes,
i.e., activities that take place well before the first notifications are sent.Comment: Accepted to the 3rd International Workshop on Information Security
Methodology and Replication Studies (IWSMR '21), colocated with ARES '2
On the Difficulties of Incentivizing Online Privacy through Transparency: A Qualitative Survey of the German Health Insurance Market
Today, online privacy is the domain of regulatory measures and privacy-enhancing technologies. Transparency in the form of external and public assessments has been proposed for improving privacy and security because it exposes otherwise hidden deficiencies. Previous work has studied privacy attitudes and behavior of consumers. However, little is known on how organizations react to measures that employ public “naming and shaming” as an incentive for improvement. We performed the first study on this aspect by conducting a qualitative survey with 152 German health insurers. We scanned their websites with PrivacyScore.org to generate a public ranking and confronted the insurers with the results. We obtained a response rate of 27%. Responses ranged from positive feedback to legal threats. Only 12% of the sites – mostly on-responders – improved during our study. Our results show that insurers struggle due to unawareness, reluctance, and incapability, and demonstrate the general difficulties of transparency-based approaches
Zero-Interaction Security-Towards Sound Experimental Validation
Reproducibility and realistic datasets are crucial for advancing research. Unfortunately, they are often neglected as valid scientific contributions in many young disciplines, with computer science being no exception. In this article, we show the challenges encountered when reproducing the work of others, collecting realistic data in the wild, and ensuring that our own work is reproducible in turn. The presented findings are based on our study investigating the limits of zero-interaction security (ZIS)- a novel concept, leveraging sensor data collected by Internet of Things (IoT) devices to pair or authenticate devices. In particular, we share our experiences in reproducing five state-of-the-art ZIS schemes, collecting a comprehensive dataset of sensor data from the real world, evaluating these schemes on the collected data, and releasing the data, code, and documentation to facilitate reproducibility of our results
Psoralen Treatment of Adenovirus Particles Eliminates Virus Replication and Transcription While Maintaining the Endosomolytic Activity of the Virus Capsid
Adenovirus entry into its host cell transiently permeabilizes the cell allowing the coentry of reagents such as DNA. We compare here adenovirus inactivation with β-propiolactone and several psoralen derivatives, seeking reagents that disrupt the viral genome without impairing the viral entry functions. No virus replication can be detected after 8-methoxypsoralen (8-MOP) modification. Viral transcription is not detectable by Northern analysis, and reverse transcriptase/PCR analysis demonstrates at least a 1000-fold decrease in viral transcription after 8-MOP treatment. Using [3H]8-MOP, the psoralen is found to enter the virus capsid and react throughout the viral genome, with approximately one psoralen modification per 100 bp of viral DNA. This inactivated adenovirus allows us to deliver DNA to target cells without interference from adenovirus gene expression or replication. Furthermore, we can now study the host cell response to adenovirus entry without the complications of adenovirus gene expression
- …