CSCD 303 Essential Computer Security Winter 2014 Lecture 14 – Internet Privacy Reading: See links - End of Slides


Overview

• Anonymity and Privacy Defined
• Reasons to be Anonymous
• Threats to Privacy
• Solutions to maintaining privacy

Anonymous Defined

Anonymous

1. Without any name acknowledged, as that of author, contributor
   • An anonymous letter to the editor; an anonymous donation.

2. Of unknown name; whose name is withheld

3. Lacking individuality, unique character, or distinction: an endless row of drab, anonymous houses.

Why Protect Anonymity?

A Few Good Reasons EFF

McIntyre v. Ohio Elections Comm’n 514 U.S. 334 (1995)

“Anonymity is a shield from the tyranny of the majority ... [that] exemplifies the purpose [of the First Amendment] to protect unpopular individuals from retaliation … at the hand of an intolerant society.”

A Few Good Reasons EFF

McIntyre v. Ohio Elections Comm’n, 514 U.S. 334 (1995)

“[A]n author’s decision to remain anonymous, like other decisions concerning omissions or additions to the content of a publication, is an aspect of the freedom of speech protected by the First Amendment.”

A Few Good Reasons EFF

Doe v. 2theMart.com, 140 F. Supp. 2d 1088 (W.D. Wash. 2001)

“The right to speak anonymously extends to speech via the Internet. Internet anonymity facilitates the rich, diverse, and far ranging exchange of ideas.”


Applications of Anonymity

• Privacy
  • Hide online transactions, Web browsing, etc. from intrusive governments, marketers and archivists
• Untraceable electronic mail
  • Corporate whistle-blowers
  • Political dissidents
  • Confidential business negotiations
• Law enforcement and intelligence
  • Sting operations and honeypots
  • Secret communications on a public network


Applications of Anonymity

• Digital cash
  • Electronic currency with properties of paper money (online purchases unlinkable to buyer’s identity)
• Anonymous electronic voting
• Censorship-resistant publishing


Anonymity in terms of Internet Traffic

• Sender anonymity
  • A particular message is not linkable to any sender and that to a particular sender, no message is linkable
• Recipient anonymity
  • A particular message cannot be linked to any recipient and that to a particular recipient, no message is linkable
• Relationship anonymity
  • The sender and the recipient cannot be identified as communicating with each other, even though each of them can be identified as participating in some communication

A. Pfitzmann and M. Waidner, Networks without User Observability. Computers & Security 6/2 (1987) 158-166

Anonymity in terms of Internet

• Anonymity is the state of being not identifiable within a set of subjects
  • You cannot be anonymous by yourself!
  • Hide your activities among others’ similar activities
• Unlinkability of action and identity
  • For example, sender and his email are no more related after observing communication than they were before
• Unobservability (hard to achieve)
  • Any item of interest (message, event, action) is indistinguishable from any other item of interest

Attacks on Anonymity

What could you do to identify a subject?

• Passive traffic analysis
  • Infer from network traffic who is talking to whom
  • To hide your traffic, must carry other people’s traffic!
• Active traffic analysis
  • Inject packets or put a timing signature on packet flow
• Compromise network nodes
  • Attacker may compromise some routers
  • It is not obvious which nodes have been compromised
    • Attacker may be passively logging traffic
  • Better not to trust any individual router
    • Assume that some fraction of routers are good, don’t know which


One Solution, Randomized Routing

• Hide message source by routing it randomly
• Popular technique: Crowds, Freenet, Onion routing
• Routers don’t know for sure if source of message is true sender or another router


Onion Routing

[Figure: Alice and Bob connected through a network of routers (R), some of them labelled R1, R2, R3 and R4]

• Sender chooses a random sequence of routers
  • Some routers are honest, some controlled by attacker
  • Sender controls the length of the path

[Reed, Syverson, Goldschlag ’97]

Tor is an Onion Router

• Tor was originally designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory
  – Primary purpose of protecting government communications
• Tor is a free tool that allows people to use the internet anonymously

Tor is an Onion Router

Basically, Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world

How does this help you achieve anonymity?

It prevents somebody watching your Internet connection from learning what sites you visit

It prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked

Tor anonymizes the origin of your traffic!

What is Tor?

[Figure: IP address that appears via the Tor browser, compared with the IP address that appears via other browsers at the same time]

What is under the hood?


Tor is based on Onion Routing, a technique for anonymous communication over a computer network.

http://en.wikipedia.org/wiki/Onion_routing

Steps

• Messages are repeatedly encrypted and then sent through several network nodes called onion routers
• Each onion router removes a layer of encryption to uncover routing instructions, and sends the message to the next router, where this is repeated
• This prevents these intermediary nodes from knowing origin, destination, and contents of message

[Figure: Onions]
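The layering in the steps above, as an added example that is not from the original slides and is not Tor's actual protocol. It assumes routers R1 to R3 each hold a pre-shared key, uses a made-up `next` header, and uses a SHAKE-256 keystream with HMAC as a stand-in for a real authenticated cipher.

```python
import hashlib, hmac, json, os

def _keys(k):                 # derive separate cipher and MAC keys from one hop key
    return hashlib.sha256(b"enc" + k).digest(), hashlib.sha256(b"mac" + k).digest()

def _xor(data, key, nonce):   # SHAKE-256 keystream: illustrative stand-in cipher
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(k, plaintext):
    enc, mac = _keys(k)
    nonce = os.urandom(16)
    ct = _xor(plaintext, enc, nonce)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(k, blob):
    enc, mac = _keys(k)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer not addressed to this key, or tampered")
    return _xor(ct, enc, nonce)

def build_onion(path, keys, dest, message):
    """Sender side: wrap the message once per router, innermost layer first."""
    blob = message
    next_hops = path[1:] + [dest]
    for router, nxt in reversed(list(zip(path, next_hops))):
        header = json.dumps({"next": nxt}).encode()      # hypothetical header format
        blob = seal(keys[router], len(header).to_bytes(2, "big") + header + blob)
    return blob

def peel(k, blob):
    """Router side: remove one layer and learn only the next hop."""
    inner = unseal(k, blob)
    hlen = int.from_bytes(inner[:2], "big")
    return json.loads(inner[2:2 + hlen])["next"], inner[2 + hlen:]

def route(path, keys, onion):
    """Forward hop by hop; return destination, payload and each router's view."""
    hop, blob, seen = path[0], onion, []
    while hop in keys:
        nxt, blob = peel(keys[hop], blob)
        seen.append((hop, nxt))       # a router sees only itself and the next hop
        hop = nxt
    return hop, blob, seen

# Constructed sample: three routers with pre-shared keys (assumption of this sketch).
PATH = ["R1", "R2", "R3"]
KEYS = {r: os.urandom(32) for r in PATH}
ONION = build_onion(PATH, KEYS, "Bob", b"hello Bob")

if __name__ == "__main__":
    print(route(PATH, KEYS, ONION))
```

In this sketch the last router recovers the payload in the clear, so message contents stay hidden from it only if sender and recipient also encrypt end to end.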

Who is using Tor?


Normal people (e.g. protect their browsing records)

Militaries (e.g. military field agents)

Journalists and their audiences (e.g. citizen journalists encouraging social change)

Law enforcement officers (e.g. for online “undercover” operations)

Activists and Whistleblowers (e.g. avoid persecution while still raising a voice)

Bloggers

IT professionals (e.g. during development and operational testing, access internet resources while leaving security policies in place)

Other Ways to Protect Your Anonymity

• Tools
• Removal of Information
• VPN's
• Encrypted Email

Privacy Settings

Program that configures on-line accounts for optimum privacy

Priveazy Lockdown is handy and reliable Firefox extension that helps you to tweak privacy and security settings for online accounts.

Priveazy Lockdown works with websites such as Google, Facebook, Twitter, Gmail, AOL, YouTube, Pandora, Amazon and eBay

Video on how to use the program: http://www.frequency.com/video/priveazy-lockdo/85402212

Removing Your Information

Remove your information from People Search databases

One handy page has access to many databases

http://abine.com/optouts.php

Or, you can use their tool

More complete list of Data Brokers: https://www.privacyrights.org/online-information-brokers-list

Get Private Email

Encrypted, Private Email

• Use a secure email service for better email privacy
• No more Gmail for me !!!
• One page has links to multiple secure emailers plus reviews: http://thesimplecomputer.info/free-webmail-for-better-privacy/

Secure VPN's to Hide IP Address

Can use VPN's to either encrypt your connections or use as a proxy to hide your IP address

Cyberghost is one VPN program: http://cyberghostvpn.com/en/surf-anonym.html

For ordinary surfing, use SecurityKISS.

• This program does store your IP address, but this is only associated with the total amount of data tunneled through SecurityKISS

• No other personally identifiable information is logged

http://www.securitykiss.com/index.php

Privacy

• Treating privacy as a separate subject from anonymity
• In reality, they are linked
• Being anonymous is one way to achieve a level of privacy
• But, in reality, if corporations and governments respected our right to privacy, we would not need to be anonymous ….

Privacy Defined

Privacy

1. The state of being private; retirement or seclusion

2. The state of being free from intrusion or disturbance in one's private life or affairs: the right to privacy; There is so much information about us online that personal privacy may be a thing of the past ...

3. Secrecy

Is Privacy a Fundamental Human Right?

• Can also ask what are Fundamental Human Rights anyway?
• Human rights are rights inherent to all human beings, whatever our nationality, place of residence, sex, national or ethnic origin, colour, religion, language, or any other status
• We are all equally entitled to our human rights without discrimination

Fundamental Human Rights

There is a United Nations-defined Universal Declaration of Human Rights

The Universal Declaration of Human Rights, which was adopted by the UN General Assembly on 10 December 1948, was a result of the experience of the Second World War

With the end of that war and the creation of the United Nations, the international community vowed never to allow those atrocities to happen again

http://www.un.org/en/documents/udhr/

Back to Privacy

Article 12 of 1948 Universal Declaration of Human Rights, specifically protects territorial and communications privacy

Is there an explicit right to privacy in the United States?

Privacy in the United States

Not Really !!!

• The U.S. Constitution contains no express right to privacy
• The Bill of Rights, however, reflects the concern of James Madison and other framers for protecting specific aspects of privacy, such as the privacy of beliefs (1st Amendment), privacy of the home against demands that it be used to house soldiers (3rd Amendment), privacy of the person and possessions as against unreasonable searches (4th Amendment), and the 5th Amendment's privilege against self-incrimination
• Plus, there are laws that protect privacy of various kinds

Privacy Laws in the US

The Privacy Act of 1974 prevents unauthorized disclosure of personal information held by federal government

The Fair Credit Reporting Act protects information gathered by credit reporting agencies

The Children’s Online Privacy Protection Act grants parents authority over what information about their children (age 13 and under) can be collected by web sites

The California Online Privacy Protection Act of 2003 (OPPA)
  – Effective as of July 1, 2004, is a California State Law
  – According to this law, operators of commercial websites that collect personally identifiable information from California's residents are required to conspicuously post and comply with a privacy policy that meets certain requirements

Privacy Laws Regulating Industry

As it relates to securing computer networks or data

• Sarbanes-Oxley Act, http://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act (business practices)
• HIPAA, http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
• GLBA, http://www.business.ftc.gov/privacy-and-security/gramm-leach-bliley-act (banks)

Contain at least some guarantee of an individual’s right not to have their personal or confidential information exposed

These regulations mandate that companies take steps to ensure their customer’s data is secure and impose fines and penalties on companies that fail to do so

Summary

• Anonymity and privacy

• We do have a right to them !!! Even on the Internet … even dogs have these rights

• So, recommendation is to try out some of these methods

• Know your rights. To privacy and every other human right. Or else you might lose them.

• Money talks. Corporations want to make more money. If they violate your rights in the process … well, they are not all honest in that regard.

• Government, what can we say?

Who is this really?

References

About.com Article on Privacy
http://netsecurity.about.com/od/newsandeditorial1/a/aaprivacyrights.htm

Advice on Protecting Your Privacy On-line
http://www.techsupportalert.com/content/how-protect-your-online-privacy.htm#Make_Sure_Any_Online_Accounts_Are_Properly_Configured_For_Optimum_Privacy

Privacy Rights Clearinghouse
https://www.privacyrights.org/privacy-survival-guide-take-control-your-personal-information

End

Lab on XSS and CSRF, SQL injection