47 research outputs found
Case study: disclosure of indirect device fingerprinting in privacy policies
Recent developments in online tracking make it harder for
individuals to detect and block trackers. This is especially true for de-
vice fingerprinting techniques that websites use to identify and track
individual devices. Direct trackers { those that directly ask the device
for identifying information { can often be blocked with browser configu-
rations or other simple techniques. However, some sites have shifted to
indirect tracking methods, which attempt to uniquely identify a device
by asking the browser to perform a seemingly-unrelated task. One type
of indirect tracking known as Canvas fingerprinting causes the browser
to render a graphic recording rendering statistics as a unique identifier.
Even experts find it challenging to discern some indirect fingerprinting
methods. In this work, we aim to observe how indirect device fingerprint-
ing methods are disclosed in privacy policies, and consider whether the
disclosures are sufficient to enable website visitors to block the track-
ing methods. We compare these disclosures to the disclosure of direct
fingerprinting methods on the same websites.
Our case study analyzes one indirect ngerprinting technique, Canvas
fingerprinting. We use an existing automated detector of this fingerprint-
ing technique to conservatively detect its use on Alexa Top 500 websites
that cater to United States consumers, and we examine the privacy poli-
cies of the resulting 28 websites. Disclosures of indirect fingerprinting
vary in specificity. None described the specific methods with enough
granularity to know the website used Canvas fingerprinting. Conversely,
many sites did provide enough detail about usage of direct fingerprint-
ing methods to allow a website visitor to reliably detect and block those
techniques.
We conclude that indirect fingerprinting methods are often technically
difficult to detect, and are not identified with specificity in legal privacy
notices. This makes indirect fingerprinting more difficult to block, and
therefore risks disturbing the tentative armistice between individuals and
websites currently in place for direct fingerprinting. This paper illustrates
differences in fingerprinting approaches, and explains why technologists,
technology lawyers, and policymakers need to appreciate the challenges
of indirect fingerprinting.Accepted manuscrip
Can the government compel decryption? Don't trust -- verify
If a court knows that a respondent knows the password to a device, can the
court compel the respondent to enter that password into the device? In this
work, we propose a new approach to the foregone conclusion doctrine from Fisher
v US that governs the answer to this question. The Holy Grail of this line of
work would be a framework for reasoning about whether the testimony implicit in
any action is already known to the government. In this paper we attempt
something narrower. We introduce a framework for specifying actions for which
all implicit testimony is, constructively, a foregone conclusion. Our approach
is centered around placing the burden of proof on the government to demonstrate
that it is not "rely[ing] on the truthtelling" of the respondent.
Building on original legal analysis and using precise computer science
formalisms, we propose demonstrability as a new central concept for describing
compelled acts. We additionally provide a language for whether a compelled
action meaningfully entails the respondent to perform in a manner that is 'as
good as' the government's desired goal. Then, we apply our definitions to
analyze the compellability of several cryptographic primitives including
decryption, multifactor authentication, commitment schemes, and hash functions.
In particular, our framework reaches a novel conclusion about compelled
decryption in the setting that the encryption scheme is deniable: the
government can compel but the respondent is free to use any password of her
choice.CNS-1915763 - National Science Foundation; HR00112020021 - Department of Defense/DARPA; CNS-1718135 - National Science Foundation; CNS-1801564 - National Science Foundation; CNS-1931714 - National Science FoundationAccepted manuscrip
Decrypting legal dilemmas
It has become a truism that the speed of technological progress leaves law and policy scrambling to keep up. But in addition to creating new challenges, technological advances also enable new improvements to issues at the intersection of law and technology. In this thesis, I develop new cryptographic tools for informing and improving our law and policy, including specific technical innovations and analysis of the limits of possible interventions. First, I present a cryptographic analysis of a legal question concerning the limits of the Fifth Amendment: can courts legally compel people to decrypt their devices? Our cryptographic analysis is useful not only for answering this specific question about encrypted devices, but also for analyzing questions about the wider legal doctrine. The second part of this thesis turns to algorithmic fairness. With the rise of automated decision-making, greater attention has been paid to statistical notions of fairness and equity. In this part of the work, I demonstrate technical limits of those notions and examine a relaxation of those notions; these analyses should inform legal or policy interventions. Finally, the third section of this thesis describes several methods for improving zero-knowledge proofs of knowledge, which allow a prover to convince a verifier of some property without revealing anything beyond the fact of the prover's knowledge. The methods in this work yield a concrete proof size reduction of two plausibly post-quantum styles of proof with transparent setup that can be made non-interactive via the Fiat-Shamir transform: "MPC-in-the-head," which is a linear-size proof that is fast, low-memory, and has few assumptions, and "Ligero," a sublinear-size proof achieving a balance between proof size and prover runtime. We will describe areas where zero-knowledge proofs in general can provide new, currently-untapped functionalities for resolving legal disputes, proving adherence to a policy, executing contracts, and enabling the sale of information without giving it away
Public Verification for Private Hash Matching
End-to-end encryption (E2EE) prevents online services from accessing user content. This important security property is also an obstacle for content moderation methods that involve content analysis. The tension between E2EE and efforts to combat child sexual abuse material (CSAM) has become a global flashpoint in encryption policy, because the predominant method of detecting harmful content---server-side perceptual hash matching on plaintext images---is unavailable.
Recent applied cryptography advances enable private hash matching (PHM), where a service can match user content against a set of known CSAM images without revealing the hash set to users or nonmatching content to the service. These designs, especially a 2021 proposal for identifying CSAM in Apple\u27s iCloud Photos service, have attracted widespread criticism for creating risks to security, privacy, and free expression.
In this work, we aim to advance scholarship and dialogue about PHM by contributing new cryptographic methods for system verification by the general public. We begin with motivation, describing the rationale for PHM to detect CSAM and the serious societal and technical issues with its deployment. Verification could partially address shortcomings of PHM, and we systematize critiques into two areas for auditing: trust in the hash set and trust in the implementation. We explain how, while these two issues cannot be fully resolved by technology alone, there are possible cryptographic trust improvements.
The central contributions of this paper are novel cryptographic protocols that enable three types of public verification for PHM systems: (1) certification that external groups approve the hash set, (2) proof that particular lawful content is not in the hash set, and (3) eventual notification to users of false positive matches. The protocols that we describe are practical, efficient, and compatible with existing PHM constructions
PSPACE-completeness of Pulling Blocks to Reach a Goal
We prove PSPACE-completeness of all but one problem in a large space of
pulling-block problems where the goal is for the agent to reach a target
destination. The problems are parameterized by whether pulling is optional, the
number of blocks which can be pulled simultaneously, whether there are fixed
blocks or thin walls, and whether there is gravity. We show NP-hardness for the
remaining problem, Pull?-1FG (optional pulling, strength 1, fixed blocks, with
gravity).Comment: Full version of JCDCGGG2019 paper, 22 pages, 25 figure
Understanding the healthcare workplace learning culture through safety and dignity narratives: a UK qualitative study of multiple stakeholders’ perspectives
Objectives: While studies at the undergraduate level have begun to explore healthcare students’ safety and dignity dilemmas, none have explored such dilemmas with multiple stakeholders at the postgraduate level. The current study therefore explores the patient and staff safety and dignity narratives of multiple stakeholders to better understand the healthcare workplace learning culture. Design: A qualitative interview study using narrative interviewing.Setting: Two sites in the UK ranked near the top and bottom for raising concerns according to the 2013 General Medical Council National Training Survey.Participants: Using maximum variation sampling, 39 participants were recruited representing 4 different groups (10 public representatives, 10 medical trainees, 8 medical trainers, and 11 nurses and allied health professionals) across the two sites. Methods: We conducted one group and 35 individual semi-structured interviews. Data collection was completed in 2015. Framework analysis was conducted to identify themes. Theme similarities and differences across the two sites and four groups were established. Results: We identified five themes in relation to our three research questions: (1) Understandings of safety and dignity (RQ1); (2) Experiences of safety and dignity dilemmas (RQ2); (3) resistance and/or complicity regarding dilemmas encountered (RQ2); (4) Factors facilitating safety and/or dignity (RQ3); and (5) Factors inhibiting safety and/or dignity (RQ3). The themes were remarkably similar across the two sites and four stakeholder groups. Conclusions: While some of our findings are similar to previous research with undergraduate healthcare students, our findings also differ, for example, illustrating higher levels of reported resistance in the postgraduate context. We provide educational implications to uphold safety and dignity at the level of the individual (e.g. stakeholder education), interaction (e.g. stakeholder communication and teamwork) and organisation (e.g. institutional policy)
Arithmetic Expression Construction
When can given numbers be combined using arithmetic operators from a
given subset of to obtain a given target number? We
study three variations of this problem of Arithmetic Expression Construction:
when the expression (1) is unconstrained; (2) has a specified pattern of
parentheses and operators (and only the numbers need to be assigned to blanks);
or (3) must match a specified ordering of the numbers (but the operators and
parenthesization are free). For each of these variants, and many of the subsets
of , we prove the problem NP-complete, sometimes in the
weak sense and sometimes in the strong sense. Most of these proofs make use of
a "rational function framework" which proves equivalence of these problems for
values in rational functions with values in positive integers.Comment: 36 pages, 5 figures. Full version of paper accepted to 31st
International Symposium on Algorithms and Computation (ISAAC 2020
Telomeric expression sites are highly conserved in trypanosoma brucei
Subtelomeric regions are often under-represented in genome sequences of eukaryotes. One of the best known examples of the use of telomere proximity for adaptive purposes are the bloodstream expression sites (BESs) of the African trypanosome Trypanosoma brucei. To enhance our understanding of BES structure and function in host adaptation and immune evasion, the BES repertoire from the Lister 427 strain of T. brucei were independently tagged and sequenced. BESs are polymorphic in size and structure but reveal a surprisingly conserved architecture in the context of extensive recombination. Very small BESs do exist and many functioning BESs do not contain the full complement of expression site associated genes (ESAGs). The consequences of duplicated or missing ESAGs, including ESAG9, a newly named ESAG12, and additional variant surface glycoprotein genes (VSGs) were evaluated by functional assays after BESs were tagged with a drug-resistance gene. Phylogenetic analysis of constituent ESAG families suggests that BESs are sequence mosaics and that extensive recombination has shaped the evolution of the BES repertoire. This work opens important perspectives in understanding the molecular mechanisms of antigenic variation, a widely used strategy for immune evasion in pathogens, and telomere biology