Privacy of social network attributes for online services



  1. 1. Antoine Fressancourt 17/11/2011
  2. 2. The case of privacy in social networks
     ▶ Rising concern around privacy in social networks
       – Use of private information for advertising purposes
       – Applications gaining access to more and more personal information
       – Usage tracking using referral buttons
       – Access to information directly using URL, content not ciphered
     ▶ More and more complex to manage
       – Groups
       – Possibility to specify target groups on social network updates
     [Figure adapted from The History Of Facebook’s Default Privacy Settings by Matt McKeon]
  3. 3. A recent case: Europe vs. Facebook
     ▶ Case raised against Facebook by Max Schrems, a 24-year-old law student
     ▶ Discovered that Facebook keeps track of every digital trace of a user, even when they are “deleted”
  4. 4. Highlighted issues
     Those examples tend to highlight two issues:
       – Privacy inside the social network itself
       – Data privacy from outside the social network
  5. 5. Anatomy of a social network
     Functional building blocks
       – Identity: Management of user credentials and attributes
       – Profile(s): Role management for users, i.e. how they want to appear
       – Social graph: Management of a user’s relationships
       – Messaging: Synchronous and asynchronous messages for a user
       – Repository: Storage of documents associated to a user
       – Privacy policy
  6. 6. Potential solutions
       – Privacy inside the social network itself: Cypher information inside the network itself to protect from the SNS provider
       – Data privacy from outside the social network: Use identity management concepts and zero knowledge approaches to secure exchanges with external sites
  7. 7. Privacy inside the social network
     Review of academic solutions
     Mainly two families of approaches:
     ▶ « add-in » applications
       – FlyByNight: Re-Encryption proxy, El Gamal encryption, AES
       – NOYB: Replace each attribute of a given user by an attribute of another member of its social network
       – FaceCloak: Dictionary, MAC
     ▶ « Privacy by Design » social networks
       – Persona: Attribute-Based Encryption
       – EASiER: Attribute-Based Encryption
       – A Collaborative Framework for Privacy Protection in Online Social Network: El Gamal
       – Cryptographic Treatment of Private User Profiles: Broadcast Encryption
  8. 8. Our proposal
     Solving the « inside » privacy issue
     Using a Ciphertext-Policy Attribute-Based Encryption (CP-ABE) scheme to cypher the data inside the social network
     ▶ Advantages
       – Allows us to define privacy policies based on fine-grained predicates
       – Encompasses both identity-based encryption and identity-based broadcast encryption
       – Ease of deployment given our objectives
     ▶ Drawback
       – Keys and cypher texts are longer than in simpler IBE schemes
       – Heavy management of cryptographic keys
  9. 9. What is IBE?
     Identity based encryption
     ▶ Identity based encryption:
       ▶ Proposed by Shamir in 1984
       ▶ Encrypt a message using any arbitrary string as the key.
       ▶ The string can be a representation of the user’s identity
     ▶ Principle:
       ▶ Alice encrypts a message with Bob’s e-mail address
       ▶ Bob asks a PKG (Private Key Generator) to provide a private key associated to his e-mail address.
     [Diagram labels: Message, Private Key, Authentication, PKG]
  10. 10. What is ABE?
      Attribute based encryption
      ▶ Attribute based encryption is a generalisation of identity based encryption
      ▶ Encryption according to attributes:
        ▶ Personal: age, town, name…
        ▶ Relational: colleague, family, friends, …
      ▶ Ciphertext-policy ABE:
        ▶ Cipher text possesses access structure
        ▶ Saving structures
      [Diagram: example access structure with nodes AND, OR, +18 y.o, Colleague, France]
  11. 11. Privacy outside the social network
      What is needed
        – Possibility to register on websites with credentials provided to the social network
        – Use case of identity management systems
        – Social network: Need to conform to regulation, risk related to user acceptance
        – External sites: Recovery of user data in various ways (logs, cookies, …)
  12. 12. What is Identity Management?
      ▶ Technologies, policies and practices used to control access to a resource by a third party.
      ▶ Three entities:
        ▶ Identity Provider (IdP): maintains and gives access to a user’s credentials
        ▶ Service Provider (SP): Consumes attributes provided by an IdP
        ▶ User: Controls the distribution of its credentials by the IdP
      [Diagram labels: User, IdP, SP]
  13. 13. Use of identity management in a social network context
      Use of concepts popularized by Idemix and U-Prove
      ▶ Anonymous credentials
      ▶ Zero-knowledge protocol
        – Protocol in which a prover shows to a verifier that he possesses a piece of information without revealing it.
        – Introduced by Goldwasser, Micali and Rackoff in 1984.
      ▶ Minimal Disclosure
      How to perform the proof calculation? Generation on the fly using a zero knowledge compiler
      [Diagram: Prover and Verifier exchanging Random value, Challenge, Response]
  14. 14. CACE: A zero knowledge compiler
      Computer Aided Cryptography Engineering:
      ▶ European Project
      ▶ ∑-protocols
      ▶ Composition techniques
      ▶ Certificates
  15. 15. Our proposal
      Solving the « outside » privacy issue
      Use of Identity Management platform and protocols
      ▶ Ensure minimal disclosure of private information
      ▶ Framework to manage the disclosure of user credentials
      Integration of a zero knowledge compiler
      ▶ Computing zero knowledge proofs on the fly
      ▶ Enhance the protection of private information through minimal disclosure.
  16. 16. To conclude
      ▶ Social networks raise a number of issues related to data security and privacy
      ▶ Two kinds of privacy issues
        – From inside the social network itself
        – From external sites outside the social network
      ▶ Inside privacy issues can be solved by using ABE to protect data and give access to it only to authorized contacts
      ▶ Outside privacy issues can be solved by using identity management protocols and systems
      ▶ Overall, better management of data privacy in future social network services deployed using emerging standards
  17. 17. Thank you
      Atos, the Atos logo, Atos Consulting, Atos Worldline, Atos Sphere, Atos Cloud and Atos WorldGrid are registered trademarks of Atos SA. June 2011 © 2011 Atos. Confidential information owned by Atos, to be used by the recipient only. This document, or any part of it, may not be reproduced, copied, circulated and/or distributed nor quoted without prior written approval from Atos.
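
The ABE slide says a CP-ABE ciphertext carries an access structure over attributes. The following added example (not from the slides and not a CP-ABE implementation) models only that part: a secret is Shamir-shared down a tree of threshold gates, as tree-based CP-ABE constructions do, and can be rebuilt only from leaves whose attributes the reader holds. The policy shape built from the slide's labels, the field prime and all function names are assumptions, and without the pairing-based key binding of a real scheme this model is not collusion resistant.

```python
import secrets

PRIME = 2**127 - 1  # prime field for Shamir sharing (assumed parameter)

# Policy nodes: ("attr", name) is a leaf, (k, [children]) is a k-of-n gate.
def ATTR(name): return ("attr", name)
def AND(*children): return (len(children), list(children))  # n-of-n
def OR(*children): return (1, list(children))               # 1-of-n

def share(node, secret):
    """Return a copy of the tree whose leaves each carry a share of `secret`."""
    if node[0] == "attr":
        return ("attr", node[1], secret)
    k, children = node
    # Random polynomial of degree k-1 with poly(0) = secret; child i gets poly(i).
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    def poly(i):
        return sum(c * pow(i, e, PRIME) for e, c in enumerate(coeffs)) % PRIME
    return (k, [share(ch, poly(i)) for i, ch in enumerate(children, 1)])

def recover(node, attrs):
    """Rebuild the secret using only leaves whose attribute is in `attrs`.
    Returns None when the attribute set does not satisfy the policy."""
    if node[0] == "attr":
        return node[2] if node[1] in attrs else None
    k, children = node
    pts = [(i, v) for i, ch in enumerate(children, 1)
           if (v := recover(ch, attrs)) is not None][:k]
    if len(pts) < k:
        return None
    total = 0
    for xi, yi in pts:  # Lagrange interpolation at x = 0
        num = den = 1
        for xj, _ in pts:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

# Assumed arrangement of the slide's labels: (Colleague OR France) AND +18 y.o
POLICY = AND(OR(ATTR("Colleague"), ATTR("France")), ATTR("+18 y.o"))

if __name__ == "__main__":
    tree = share(POLICY, 424242)  # 424242 stands in for a content key
    print(recover(tree, {"Colleague", "+18 y.o"}), recover(tree, {"France"}))
```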
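
The random value / challenge / response exchange on the zero-knowledge slide is the three-move shape of a ∑-protocol. As an added example (not from the slides, nor from CACE, Idemix or U-Prove), Schnorr's identification protocol shows both sides of that exchange plus a simulator that builds accepting transcripts without the secret; the toy group parameters and all names are assumptions of this example.

```python
import secrets

# Constructed toy group, far too small for real use: P = 2*Q + 1 with P and Q
# prime, and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1   # prover's secret, 1 <= x < Q
    return x, pow(G, x, P)             # public value y = G^x mod P

class Prover:
    def __init__(self, x):
        self.x = x

    def commit(self):
        # Move 1: fresh random value per run. Answering two different
        # challenges for the same r would let the verifier solve for x.
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)

    def respond(self, c):
        # Move 3: response mixes the random value with the secret.
        return (self.r + c * self.x) % Q

def verify(y, t, c, s):
    # Accept iff G^s == t * y^c (mod P); x itself is never sent.
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def run_protocol(prover, y):
    t = prover.commit()
    c = secrets.randbelow(Q)           # Move 2: verifier's random challenge
    s = prover.respond(c)
    return verify(y, t, c, s)

def simulate(y):
    """Accepting transcript built without x by picking c and s first.
    Honest-verifier transcripts can be produced this way by anyone, which is
    why they leak nothing about x, and why the verifier must choose the
    challenge only after receiving the commitment."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -c, P)) % P
    return t, c, s

if __name__ == "__main__":
    x, y = keygen()
    print(run_protocol(Prover(x), y), verify(y, *simulate(y)))
```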