Transcript of cdiaz-parc - KU Leuven (cdiaz/talks/cdiaz-parc.pdf)
Two tales of privacy in OSNs
Claudia Diaz KU Leuven ESAT/COSIC
PARC, 16 May 2013
Based on joint paper with Seda Gürses, to appear in IEEE S&P Magazine: https://www.cosic.esat.kuleuven.be/publications/article-2270.pdf
Outline
• Two narratives: the activist and the consumer
• Two ways of framing privacy
  – Understanding and improving social privacy in OSNs
  – PETs for social networks: evading surveillance and censorship
• Comparison of approaches
  – Surveillance and social privacy problems treated as unrelated
    • abstract away the complexity of the privacy problem
  – Challenges for integration of approaches?
  – Some further points for discussion
The positive narrative
• Social media as an enabler for social change, for citizens to contest ruling institutions, to foster democracy and human rights, …
  – Relates to concepts of “privacy” as “protection from an overbearing state” (ECHR, US constitution)
• One line of criticism of this narrative: the role of SM is exaggerated; more credit is due to organization and events on the ground
• Conveniently, the companies providing these social media services originate from the USA
The negative narrative
• How governments exploit SM:
  – Social media blocked during civil unrest to prevent communication
  – Social media used to disseminate misinformation or propaganda
  – Social media used to spy on people
    • Information can be used to, e.g., identify (and arrest or kill) dissenters
• Collusion between SM companies and governments
  – The “surveillant assemblage”
  – OSN providers imposing their “morality” on users
• Link to privacy technologies:
  – how to design technologies with which people can interact socially online while being free from surveillance and interference (e.g., censorship)?
Other perspectives on the problem of privacy in OSNs
• Safety, protection from crime
  – The bad guys: malware, scammers, online thieves, predators, stalkers
  – The good guys: regulators, industry, and law enforcement
  – Technologies: data security, software security, authentication/identification, access control, monitoring
• Data protection
  – Purposes for which information is used
  – Informed consent
  – Subject access rights (e.g., deletion)
• Social privacy
  – OSNs are spaces to socialize; unsurprisingly, all the privacy issues of social relationships reappear, plus new ones
Social privacy issues
• context collision (family, friends, colleagues)
• unintended (or “unexpected”) information disclosures
• information taken out of context
• “inappropriate” comments or content
• Reasons:
  – misconfiguration of privacy settings (not usable)
  – open settings overriding more restrictive settings
  – software bugs
  – unintended mistakes (uploading the wrong picture or video)
  – bad decisions: regrets (angry, not thinking)
• Other issues
  – coercion (to provide password)
  – notice and choice (informed consent) model: difficulty to read / understand privacy policies
Social privacy research
• Understand social privacy issues from a user / community perspective, and their interrelation with technology design
• Improve OSN design based on user values
  – system is intuitive, easy to use
  – behaves according to user expectations
  – has appropriate privacy defaults
  – provides meaningful privacy controls
  – helps users make better privacy decisions (e.g., “nudges” the user towards better behavior)
  – supports users and communities in developing “privacy practices”
Privacy practices
• “actions that users collectively or individually take to negotiate their boundaries with respect to disclosure, identity and temporality in technologically mediated environments” (Palen and Dourish)
• “privacy is a social construct that reflects the values and norms of everyday people” (boyd)
• In OSNs:
  – tensions between privacy and publicity
  – negotiating boundaries between the private and the public
  – negotiating acceptable and unacceptable forms of behavior
• OSN architecture influences practices (boyd): persistence, replicability, visibility and searchability of content
Practices and strategies
• use of settings (blocking content towards certain people who may criticize or make fun of it)
• etiquette: bad taste to comment on pictures that were uploaded years before
• indicating who is the audience (through the use of language, based on topic)
  – Social steganography: “encoded” messages that mean different things to different people, obscure references, inside jokes
• separate profiles (in one or several OSNs)
• regular deletion of content
• account deactivation while offline
• How does OSN design impact these practices and strategies?
Increasing transparency and improving privacy-relevant decision-making
• Privacy is about “people being able to make informed decisions wrt information disclosure”
• System behaves according to their expectations
• Users have meaningful controls
• Users are nudged to be protective of their privacy (make it easy to be more private)
First decision: to join the OSN
• Do users read the privacy policies?
  – Mostly not, and even fewer understand them
  – Warning: privacy policies are used as a disclaimer to then do whatever they want with the data! Once the user accepts the policy, she consents to its terms
• How to improve the readability of privacy policies?
  – easy to find and interpret, to the point, standardized?
Make privacy information salient
• Privacy policies of websites, apps, etc.
slide: Lorrie Cranor
Make it easy to segregate audiences
• Access control policies designed for sysadmins
  – Now everyone must be able to configure privacy settings (a type of AC policy)
• Goal: reduce the cognitive load on the user
• Better interface designs for grouping friends
  – closer to the users’ mental models
• Automated grouping of friends
  – leverage user attributes, social graph properties (e.g., clustering), past interactions
Make audience visible
• Current FB privacy settings, access control settings:
Make it easy to select privacy
• Settings that default to privacy
• Usable privacy controls and tools
• Add friction to privacy-reducing options
  – More clicks, scrolling, delay
Are you sure you want to make your photo public?
No Yes
slide: Lorrie Cranor
Understand failures in decision-making: study on “regrets”
• Series of studies: interviews, diary study, surveys
  – Focus on American users of Facebook and Twitter
  – Data collected from over 3000 social network users
    • Interviews with Pittsburgh residents
    • Large survey samples from Amazon Mechanical Turk
• Research questions
  – How common is it to have social network regrets?
  – What do users regret doing on social networks?
  – Why do users take regrettable actions?
  – What are the consequences of these regrettable actions?
  – How do users avoid or repair regrets?
  – How are regrets different on social networks and in conversations?
slide: Lorrie Cranor
Overview of findings
• Most social network users reported regrets
  – 57% of FB users reported FB regrets
  – 51% of Twitter users reported Twitter regrets
  – 79% of Twitter users reported conversational regrets
• Serious consequences
  – Relationship breakup, job loss
  – Less serious consequences still very upsetting
• What do people regret?
  – Photo tagging, using apps, (un)friending, posts about sex, relationships, profanity, alcohol and drugs, jokes, lies, information about work or company
• Underlying causes often included:
  – being angry or upset, not thinking, thinking it was cool or funny, forgetting who might read their posts, being under the influence of alcohol or drugs, posting by mistake (not intentional)
• Most regrets occurred within one day of posting
• How to help users prevent taking actions that they later regret?
Y. Wang, S. Komanduri, P.G. Leon, G. Norcie, A. Acquisti, L.F. Cranor. “I regretted the minute I pressed share”: A Qualitative Study of Regrets on Facebook. SOUPS 2011. http://cups.cs.cmu.edu/soups/2011/proceedings/a10_Wang.pdf
slide: Lorrie Cranor
Timer nudge (stop and think)
slide: Lorrie Cranor
Sentiment nudge (content feedback)
slide: Lorrie Cranor
Profile picture nudge (audience feedback)
slide: Lorrie Cranor
Preliminary results
• Timer nudge
  – Overall perceived as useful
  – Users reported rephrasing/correcting/canceling posts
• Profile picture nudge
  – Overall perceived as useful
  – Made users more aware of audience and number of FB friends
  – Reminded users to use the appropriate privacy settings
• Sentiment nudge
  – Positive sentiment nudge was deemed useless
  – Negative sentiment nudge annoyed people: missing context, misinterpreting sarcastic comments, judgmental, censoring
  – Need smarter sentiment analysis algorithm and better messaging
slide: Lorrie Cranor
Social privacy: methodology
• Research often based on user studies
  – Qualitative (small scale) studies based on user interviews
  – Quantitative (larger scale) studies, extracting statistics
• The studies help:
  – understand user expectations and concerns
  – study the impact of different design options
• Big issue: how representative is the user sample?
  – of collectives with specific needs/situations
  – in other countries
Back to surveillance and censorship concerns…
Research in cryptography and computer security: Privacy Enhancing Technologies (PETs) for OSNs
PETs methodology
• Model the system, make explicit assumptions (e.g., trust assumptions, available building blocks)
• Identify the threat model (knowledge, access, capabilities)
• Identify the information to protect (e.g., content, traffic data) and the type of security property (e.g., confidentiality, availability)
• Perform a security analysis of the system to test whether the security properties hold, and under which circumstances (assumptions)
Accessing censored sites
• Use of Tor (or other anonymous communication networks) to access blocked OSN sites
  – even better if the circumvention is undetectable
Protecting content
• Use encryption: diversity of tools
  – Note: main difference with settings is the protection from the OSN provider
  – FlyByNight:
    • Facebook app that protects user data by storing it encrypted
    • Relies on FB for key management
  – Scramble:
    • Browser plug-in that encrypts content prior to uploading
    • Key management done out of band
• Issues:
  – usability, flexibility of interface
  – key distribution (network effect: critical mass needed)
• Bonus
  – encrypting the content makes censorship of content more difficult
OSN may not like encrypted content
• Q: should the law establish a right to encrypt the content users store/share in a service?
  – Or should the OSN provider have the right to say “If you use my service, I must be able to look into your content”?
  – Issues:
    • “inappropriate” content (censorship?)
    • conflict with business model
Steganography?
• Not possible for the OSN provider to realize that the content is encrypted
• NOYB (None Of Your Business)
  – substitute (shuffle) user attribute values (age, location, etc.)
  – only users with the right keys can ‘undo’ the shuffle and retrieve the real attribute values
• FaceCloak
  – symmetric key (shared only with the audience of the content) to encrypt the user’s information in Facebook
  – encrypted data is stored on the FaceCloak server, and replaced in Facebook by random text fetched from Wikipedia or other sources (users are given the option to edit this text)
  – The random text acts as an index to the encrypted data on the server.
• Issues
  – possible misrepresentation of user interests towards the OSN provider (who still performs profiling on the noisy information) and towards other users who might not be using the system
  – undetectability of the tool: double-edged sword
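A worked model of the FaceCloak mechanism described above, added here as an illustration (it is not FaceCloak’s own code). It assumes a symmetric key already shared with the audience and a caller-supplied placeholder string standing in for the Wikipedia text, and uses HMAC-SHA256 in counter mode plus an HMAC tag as a standard-library stand-in for an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keystream and MAC keys derived from the shared audience key
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; stand-in for a real cipher such as AES-GCM
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes):
    # Returns None when the key is not the audience key or the blob was altered
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def index_of(placeholder: str) -> str:
    # The innocuous text itself is the lookup key on the FaceCloak-style server
    return hashlib.sha256(placeholder.encode()).hexdigest()

def cloak(key: bytes, real_value: str, placeholder: str, server: dict) -> str:
    # Store the ciphertext out of band; the OSN only ever receives the placeholder
    server[index_of(placeholder)] = encrypt(key, real_value.encode())
    return placeholder

def uncloak(key: bytes, osn_text: str, server: dict) -> str:
    # Audience members holding the key see the real value; the provider and
    # users without the tool or the key see only the placeholder text
    blob = server.get(index_of(osn_text))
    if blob is None:
        return osn_text
    plaintext = decrypt(key, blob)
    return plaintext.decode() if plaintext is not None else osn_text
```

The last branch is the “misrepresentation” issue from the slide in code: a reader with the wrong key, or no tool at all, takes the placeholder at face value.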
Protecting relationships and interactions
• Even if content is encrypted, valuable intelligence can be extracted from analyzing the social graph and the fine-grained interactions of users
• Is anonymity an option for online social networking?
• Obfuscation of relationships/interactions with dummy traffic
  – content encrypted: hard to distinguish encrypted content from random data (dummies)
  – Dummy traffic is expensive: how to optimize dummy traffic generation?
Alternative centralized architectures
• Hummingbird
  – privacy-enhanced alternative to Twitter
  – relies on a set of crypto protocols
  – “protects tweet contents, hashtags and follower interests from the (potentially) prying eyes of the centralized server”
• Use the OSN as a “dumb” data store for encrypted blobs
  – Client software stores and retrieves blocks, and organizes info for presentation to the user
• No protection against traffic analysis
Distributed architectures
• Adversary model in centralized OSNs is very strong:
  • global, potentially active
  • protection against traffic analysis very hard
  – Distributed architectures?
    • Diaspora, Safebook, PeerSoN
    • Challenges:
      – information availability, synchronization, security of client software
      – adversary and traffic analysis guarantees difficult to model
Integration of the different approaches to privacy in OSNs
• When tackling a complex problem, researchers abstract away part of the complexity
  – the surveillance and social privacy approaches may actually have come to systematically abstract each other away
  – even though they speak about the same phenomenon (privacy in OSNs), they end up treating the surveillance and social privacy problems as independent of each other
• We argue that surveillance and social privacy are entangled in OSNs
  – Surveillance -> social privacy problems: change of settings policies, bugs
  – Social privacy problems -> surveillance: what others reveal about you, social tagging improving identification of anonymous protesters
• Thus:
  – need for a more holistic approach that benefits from the knowledge base of the two perspectives
  – first step: understand the ways in which the two approaches are complementary as well as identify where the gaps lie
Who defines what the privacy problem is?
• experts: based on their technical knowledge (techno-centric)
  – Plus: what is technically possible? How can information be abused?
  – Limitation: how do these technical risks map to social/political analyses of surveillance practices?
    • risk of over-relying on techno-centric assumptions about how surveillance functions and what may be the most appropriate strategies to counter it
  – Limitation: technical tools do not behave as predicted in different contexts (social practices)
  – Limitation: no emphasis on usability, user needs
• users: based on their perceptions and experiences (user-centric)
  – Plus: take into account user perspective, context
  – Limitation: biased samples (often people in the US or EU); would a dissenter in Egypt have the same concerns as a college student in the US?
  – Limitation: no insight into organizational practices
  – Limitation: users have a limited understanding of the technical infrastructure, may take the technology as a given (hard to imagine alternatives)
• regulation: based on legal norms (organization-centric)
  – Limitation: compliance with data protection regulation does not necessarily imply privacy protection
How is the “privacy problem” articulated?
• Social privacy
  – focus on concrete harms in the user (social) environment
  – intuitive causality between disclosures and consequences
• PETs
  – focus on risks that might lead to ‘abstract harms’ (worst-case scenarios)
    • individual harms: being arrested, put under surveillance, inferences of sensitive information, intrusion, manipulation
    • societal harms: discrimination, surveillance society, information asymmetry, upsetting existing checks and balances of power between individuals, state and private sector
• Issues
  – No information (transparency) about what is actually being done with the data; complex processing involving multiple sources and entities
  – How to communicate abstract harms to users?
What is in the scope of the privacy problem?
• social privacy: emphasis on user-generated content, volitional actions (no implicit data)
  – how to communicate to users issues derived from implicit data? make implicit data more visible to users?
• PETs: in principle, all data is in scope (volitional and implicit)
  – BUT: risks only with respect to the adversary (not ‘friends’)
  – Content-agnostic: does not take into account the semantics of the content (semantics and context are however very relevant for social privacy)
Further points for discussion
• Incentives of OSN providers wrt:
  – social privacy? surveillance? censorship?
• Is privacy always about information concealment (in social privacy / surveillance / censorship)?
  – Counter example: saying “I do not want to be disturbed”
• Censorship in PETs and in social privacy research
  – Privacy as conforming to / establishing norms of respect vs. privacy as being able to break the norms
• Paradox of control
  – signaling that security is broken: false sense of security?
Conclusion
• Researchers in different subfields of CS frame the OSN privacy problem in very different ways, and so does the media
• The different privacy problems are tackled as if they were completely unrelated
  – abstract away the complexity in order to reduce the problem to one that can be more easily addressed
  – some questions are left unaddressed
• We argue that the different privacy problems are entangled, rather than unrelated
  – a more holistic approach is needed
  – integration of approaches extremely challenging