53 research outputs found

    Why Privacy-Preserving Protocols Are Sometimes Not Enough: A Case Study of the Brisbane Toll Collection Infrastructure

    The use of Electronic Toll Collection (ETC) systems is on the rise, as these systems have a significant impact on reducing operational costs. Toll service providers (TSPs) access various information, including drivers’ IDs and monthly toll fees, to bill drivers. While this is legitimate, such information could be misused for other purposes violating drivers’ privacy, most prominently to infer drivers’ movement patterns. To this end, privacy-preserving ETC (PPETC) schemes have been designed to minimize the amount of information leaked while still allowing drivers to be charged. We demonstrate that merely applying such PPETC schemes to current ETC infrastructures may not ensure privacy. This is due to the (inevitable) minimal information leakage, such as monthly toll fees, which can potentially result in a privacy breach when combined with additional background information, such as road maps and statistical data. To show this, we provide a counterexample using the case study of Brisbane’s ETC system. We present two attacks: the first, being a variant of the presence disclosure attack, tries to disclose the toll stations visited by a driver during a billing period as well as the frequency of visits. The second, being a stronger attack, aims to discover cycles of toll stations (e.g., the ones passed during a commute from home to work and back) and their frequencies. We evaluate the success rates of our attacks using real parameters and statistics from Brisbane’s ETC system. In one scenario, the success rate of our toll station disclosure attack can be as high as 94%. This scenario affects about 61% of drivers. In the same scenario, our cycle disclosure attack can achieve a success rate of 51%. It is remarkable that these high success rates can be achieved by only using minimal information as input, which is, e.g., available to a driver’s payment service provider or bank, and by following very simple attack strategies without exploiting optimizations. As a further contribution, we analyze how the choice of various parameters, such as the set of toll rates, the number of toll stations, and the billing period length, impact a driver’s privacy level regarding our attacks.

    On Privacy Notions in Anonymous Communication

    Many anonymous communication networks (ACNs) with different privacy goals have been developed. However, there are no accepted formal definitions of privacy and ACNs often define their goals and adversary models ad hoc. However, for the understanding and comparison of different flavors of privacy, a common foundation is needed. In this paper, we introduce an analysis framework for ACNs that captures the notions and assumptions known from different analysis frameworks. Therefore, we formalize privacy goals as notions and identify their building blocks. For any pair of notions we prove whether one is strictly stronger, and, if so, which. Hence, we are able to present a complete hierarchy. Further, we show how to add practical assumptions, e.g. regarding the protocol model or user corruption, as options to our notions. This way, we capture the notions and assumptions of, to the best of our knowledge, all existing analytical frameworks for ACNs and are able to revise inconsistencies between them. Thus, our new framework builds a common ground and allows for sharper analysis, since new combinations of assumptions are possible and the relations between the notions are known.

    On privacy notions in anonymous communication

    Many anonymous communication networks (ACNs) with different privacy goals have been developed. Still, there are no accepted formal definitions of privacy goals, and ACNs often define their goals ad hoc. However, the formal definition of privacy goals benefits the understanding and comparison of different flavors of privacy and, as a result, the improvement of ACNs. In this paper, we work towards defining and comparing privacy goals by formalizing them as privacy notions and identifying their building blocks. For any pair of notions we prove whether one is strictly stronger, and, if so, which. Hence, we are able to present a complete hierarchy. Using this rigorous comparison between notions, we revise inconsistencies between the existing works and improve the understanding of privacy goals.

    A Survey on Privacy-preserving Electronic Toll Collection Schemes for Intelligent Transportation Systems

    As part of Intelligent Transportation Systems (ITS), Electronic Toll Collection (ETC) is a type of toll collection system (TCS) which is getting more and more popular, as it can not only help to finance the government's road infrastructure but can also play a crucial role in pollution reduction and congestion management. As most of the traditional ETC schemes (ETCS) require identifying their users, they enable location tracking. This violates user privacy and poses challenges regarding the compliance of such systems with privacy regulations such as the EU General Data Protection Regulation (GDPR). So far, several privacy-preserving ETC schemes have been proposed. To the best of our knowledge, this is the first survey that systematically reviews and compares various characteristics of these schemes, including components, technologies, security properties, privacy properties, and attacks on ETCS. This survey first categorizes the ETCS based on two technologies, GNSS and DSRC. Then, under these categories, the schemes are classified based on whether they provide formal proof of security and support security analysis. We also demonstrate which schemes specifically are/are not resistant to collusion and physical attacks. Then, based on these classifications, several limitations and shortcomings in privacy-preserving ETCS are revealed. Finally, we identify several directions for future research.

    On the security, privacy and usability of online seals

    This report analyses the conditions under which online security and privacy seals (OSPS) can be deployed to support users in making an informed trust decision about Web services and their providers with respect to the provided security and privacy. This report is motivated by the numerous policy documents that mention marks, seals, logos, and icons (collectively referred to as OSPS) as a means of enabling users to judge the trustworthiness of services offered on the Web. The field of OSPSs has also developed in maturity. Therefore, we aim at analysing the current situation and identifying key challenges for online seals in practice. Based on these challenges, this report identifies possible solutions and corresponding recommendations and next steps that ENISA and other stakeholders should follow to enable users to judge the trustworthiness of services offered on the Web.

    Design and Modeling of Privacy-Friendly Reputation


    Design and Modeling of Privacy-Friendly Reputation (Ontwerp en modellering van privacy vriendelijke reputatie-systemen)

    As the Internet has advanced into a mass media technology that is easy to access and use, its applications have become more business oriented. For example, online shopping has become a very common way to purchase goods for a large part of society. The involvement of money and financial transactions attracts fraudsters. Hence online shopping platforms need to implement protection measures. Nowadays these measures are implemented by either contracts with full identities, so that in the case of fraud the problem can be disputed off-line, or via payment systems, such as credit cards, that provide insurance to cover any potential losses and/or disputes. These online shopping platforms come with both monetary costs and a fundamental lack of privacy. However, privacy is a basic right guaranteed by the European Convention on Human Rights. Hence it is argued that these aforementioned rights should be respected in online environments as well.

    Privacy enhancing technologies (PET) aim to reduce the amount of personal data that is needed for a transaction. With the help of these technologies it is possible to interact anonymously on the Internet. However, PETs lower the threshold for fraudsters: if a fraudulent transaction partner is not identifiable then he or she loses the motivation to actually deliver the requested goods or services, or to pay for them. Hence, mechanisms are needed to filter out untrustworthy users. In the physical world, low and medium value transactions are usually based on trust, i.e., the vendor trusts that the customer will pay before walking out of the shop and the customer trusts that the product he or she is purchasing is as described. This trust is based on many, often subconsciously perceived, hints in the context, but also on explicit factors such as reputation and recommendations. However, for a straightforward implementation of a reputation system, identification of the transaction partners is needed. This, however, is in opposition with the aims of PETs.

    Fortunately, there exist cryptographic protocols that can attest properties about items without identification. In this thesis, we utilize these protocols to enrich reputation systems with privacy properties. This study examines privacy in reputation systems from a technical point of view. First, we show that linkability information, i.e., the information whether two items are in a relation or not, helps to de-anonymize items. Following that, we propose a model to evaluate the adversary's success in linking items that belong to a user. From this we conclude that reputation items should stay unlinkable to protect their owners' privacy. Finally, we present a set of reputation protocols that protect user privacy by hiding the relation of reputation items. While developing these protocols, we discovered the need for a privacy model for such systems, hence reinforcing the importance and applicability of this research.