Biblio

Filters: Keyword is privacy policy
2020-04-03
Bello-Ogunu, Emmanuel, Shehab, Mohamed, Miazi, Nazmus Sakib.  2019.  Privacy Is The Best Policy: A Framework for BLE Beacon Privacy Management. 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC). 1:823–832.
Bluetooth Low Energy (BLE) beacons are an emerging type of technology in the Internet-of-Things (IoT) realm, which use BLE signals to broadcast a unique identifier that is detected by a compatible device to determine the location of nearby users. Beacons can be used to provide a tailored user experience with each encounter, yet can also constitute an invasion of privacy, due to their covertness and ability to track user behavior. Therefore, we hypothesize that user-driven privacy policy configuration is key to enabling effective and trustworthy privacy management during beacon encounters. We developed a framework for beacon privacy management that provides a policy configuration platform. Through an empirical analysis with 90 users, we evaluated this framework through a proof-of-concept app called Beacon Privacy Manager (BPM), which focused on the user experience of such a tool. Using BPM, we provided users with the ability to create privacy policies for beacons, testing different configuration schemes to refine the framework and then offer recommendations for future research.
2020-01-21
Rana, Rima, Zaeem, Razieh Nokhbeh, Barber, K. Suzanne.  2019.  An Assessment of Blockchain Identity Solutions: Minimizing Risk and Liability of Authentication. 2019 IEEE/WIC/ACM International Conference on Web Intelligence (WI). :26–33.
Personally Identifiable Information (PII) is often used to perform authentication and acts as a gateway to personal and organizational information. One weak link in the architecture of identity management services is sufficient to cause exposure and risk identity. Recently, we have witnessed a shift in identity management solutions with the growth of blockchain. Blockchain, the decentralized ledger system, provides a unique answer addressing security and privacy with its embedded immutability. In a blockchain-based identity solution, the user is given the control of his/her identity by storing personal information on his/her device and having the choice of identity verification document used later to create blockchain attestations. Yet, the blockchain technology alone is not enough to produce a better identity solution. The user cannot make informed decisions as to which identity verification document to choose if he/she is not presented with tangible guidelines. In the absence of scientifically created practical guidelines, these solutions and the choices they offer may become overwhelming and even defeat the purpose of providing a more secure identity solution. We analyze different PII options given to users for authentication on current blockchain-based solutions. Based on our Identity Ecosystem model, we evaluate these options and their risk and liability of exposure. Powered by real world data of about 6,000 identity theft and fraud stories, our model recommends some authentication choices and discourages others. Our work paves the way for a truly effective identity solution based on blockchain by helping users make informed decisions and motivating blockchain identity solution providers to introduce better options to their users.
2019-11-11
Pierce, James, Fox, Sarah, Merrill, Nick, Wong, Richmond, DiSalvo, Carl.  2018.  An Interface Without A User: An Exploratory Design Study of Online Privacy Policies and Digital Legalese. Proceedings of the 2018 Designing Interactive Systems Conference. :1345–1358.
Privacy policies are critical to understanding one's rights on online platforms, yet few users read them. In this pictorial, we approach this as a systemic issue that is in part a failure of interaction design. We provided a variety of people with printed packets of privacy policies, aiming to tease out this form's capabilities and limitations as a design interface, to understand people's perception and uses, and to critically imagine pragmatic revisions and creative alternatives to existing privacy policies.
Al-Hasnawi, Abduljaleel, Mohammed, Ihab, Al-Gburi, Ahmed.  2018.  Performance Evaluation of the Policy Enforcement Fog Module for Protecting Privacy of IoT Data. 2018 IEEE International Conference on Electro/Information Technology (EIT). :0951–0957.
The rapid development of the Internet of Things (IoT) results in generating massive amounts of data. Significant portions of these data are sensitive since they reflect (directly or indirectly) peoples' behaviors, interests, lifestyles, etc. Protecting sensitive IoT data from privacy violations is a challenge since these data need to be communicated, processed, analyzed, and stored by public networks, servers, and clouds; most of them are untrusted parties for data owners. We propose a solution for protecting sensitive IoT data called Policy Enforcement Fog Module (PEFM). The major task of the PEFM solution is mandatory enforcement of privacy policies for sensitive IoT data, wherever these data are accessed throughout their entire lifecycle. The key feature of PEFM is its placement within the fog computing infrastructure, which assures that PEFM operates as closely as possible to data sources within the edge. PEFM enforces policies directly for local IoT applications. In contrast, for remote applications, PEFM provides a self-protecting mechanism based on creating and disseminating Active Data Bundles (ADBs). ADBs are software constructs bundling inseparably sensitive data, their privacy policies, and an execution engine able to enforce privacy policies. To prove effectiveness and efficiency of the proposed module, we developed a smart home proof-of-concept scenario. We investigate privacy threats for sensitive IoT data. We run simulation experiments, based on network calculus, for testing performance of the PEFM controls for different network configurations. The results of the simulation show that, even with using from 1 to 5 additional privacy policies for improved data privacy, penalties in terms of execution time and delay are reasonable (approx. 12-15% and 13-19%, respectively). The results also show that PEFM is scalable regarding the number of the real-time constraints for real-time IoT applications.
Tesfay, Welderufael B., Hofmann, Peter, Nakamura, Toru, Kiyomoto, Shinsaku, Serna, Jetzabel.  2018.  I Read but Don't Agree: Privacy Policy Benchmarking Using Machine Learning and the EU GDPR. Companion Proceedings of the The Web Conference 2018. :163–166.
With the continuing growth of the Internet landscape, users share large amounts of personal, sometimes privacy-sensitive, data. When doing so, often, users have little or no clear knowledge about what service providers do with the trails of personal data they leave on the Internet. While regulations impose rather strict requirements that service providers should abide by, the de facto approach seems to be communicating data processing practices through privacy policies. However, privacy policies are long and complex for users to read and understand, thus failing their mere objective of informing users about the promised data processing behaviors of service providers. To address this pertinent issue, we propose a machine learning based approach to summarize the rather long privacy policy into short and condensed notes following a risk-based approach and using the European Union (EU) General Data Protection Regulation (GDPR) aspects as assessment criteria. The results are promising and indicate that our tool can summarize lengthy privacy policies in a short period of time, thus supporting users to take informed decisions regarding their information disclosure behaviors.
2019-10-23
Ali, Abdullah Ahmed, Zamri Murah, Mohd.  2018.  Security Assessment of Libyan Government Websites. 2018 Cyber Resilience Conference (CRC). :1-4.

Many government organizations in Libya have started transferring traditional government services to e-government. These e-services will benefit a wide range of the public. However, deployment of e-government brings many new security issues. Attackers would take advantage of vulnerabilities in these e-services and would conduct cyber attacks that would result in data loss, service interruptions, privacy loss, financial loss, and other significant loss. The number of vulnerabilities in e-services has increased due to the complexity of the e-services system, a lack of secure programming practices, misconfiguration of systems and web application vulnerabilities, or not staying up-to-date with security patches. Unfortunately, there is a lack of study being done to assess the current security level of Libyan government websites. Therefore, this study aims to assess the current security of 16 Libyan government websites using a penetration testing framework. In this assessment, no exploits were committed or tried on the websites. In the penetration testing framework (pen test), there are four main phases: Reconnaissance, Scanning, Enumeration, Vulnerability Assessment, and SSL encryption evaluation. The aim of a security assessment is to discover vulnerabilities that could be exploited by attackers. We also conducted a Content Analysis phase for all websites. In this phase, we searched for security and privacy policies implementation information on the government websites. The aim is to determine whether the websites are aware of the current accepted standard for security and privacy. From our security assessment results of 16 Libyan government websites, we compared the websites based on the number of vulnerabilities found and the level of security policies. We only found 9 websites with high and medium vulnerabilities. Many of these vulnerabilities are due to outdated software and systems, misconfiguration of systems and not applying the latest security patches. These vulnerabilities could be used by cyber hackers to attack the systems and cause damage to the systems. Also, we found 5 websites didn't implement any SSL encryption for data transactions. Lastly, only 2 websites have published security and privacy policies on their websites. This seems to indicate that these websites were not concerned with the current standard in security and privacy. Finally, we classify the 16 websites into 4 safety categories: highly unsafe, unsafe, somewhat unsafe and safe. We found only 1 website with a highly unsafe ranking. Based on our findings, we concluded that the security level of the Libyan government websites is adequate, but can be further improved. However, immediate actions need to be taken to mitigate possible cyber attacks by fixing the vulnerabilities and implementing SSL encryption. Also, the websites need to publish their security and privacy policy so the users could trust their websites.

2019-03-28
Fernández, Maribel, Jaimunk, Jenjira, Thuraisingham, Bhavani.  2018.  Graph-Based Data-Collection Policies for the Internet of Things. Proceedings of the 4th Annual Industrial Control System Security Workshop. :9-16.

Smart industrial control systems (e.g., smart grid, oil and gas systems, transportation systems) are connected to the internet, and have the capability to collect and transmit data; as such, they are part of the IoT. The data collected can be used to improve services; however, there are serious privacy risks. This concern is usually addressed by means of privacy policies, but it is often difficult to understand the scope and consequences of such policies. Better tools to visualise and analyse data collection policies are needed. Graph-based modelling tools have been used to analyse complex systems in other domains. In this paper, we apply this technique to IoT data-collection policy analysis and visualisation. We describe graphical representations of category-based data collection policies and show that a graph-based policy language is a powerful tool not only to specify and visualise the policy, but also to analyse policy properties. We illustrate the approach with a simple example in the context of a chemical plant with a truck monitoring system. We also consider policy administration: we propose a classification of queries to help administrators analyse policies, and we show how the queries can be answered using our technique.

2019-02-14
Tesfay, Welderufael B., Hofmann, Peter, Nakamura, Toru, Kiyomoto, Shinsaku, Serna, Jetzabel.  2018.  PrivacyGuide: Towards an Implementation of the EU GDPR on Internet Privacy Policy Evaluation. Proceedings of the Fourth ACM International Workshop on Security and Privacy Analytics. :15-21.

Nowadays Internet services have dramatically changed the way people interact with each other and many of our daily activities are supported by those services. Statistical indicators show that more than half of the world's population uses the Internet, generating about 2.5 quintillion bytes of data on a daily basis. While such a huge amount of data is useful in a number of fields, such as in medical and transportation systems, it also poses unprecedented threats for users' privacy. This is aggravated by the excessive data collection and user profiling activities of service providers. Yet, regulations require service providers to inform users about their data collection and processing practices. The de facto way of informing users about these practices is through the use of privacy policies. Unfortunately, privacy policies suffer from bad readability and other complexities which make them unusable for the intended purpose. To address this issue, we introduce PrivacyGuide, a privacy policy summarization tool inspired by the European Union (EU) General Data Protection Regulation (GDPR) and based on machine learning and natural language processing techniques. Our results show that PrivacyGuide is able to classify privacy policy content into eleven privacy aspects with a weighted average accuracy of 74% and further shed light on the associated risk level with an accuracy of 90%. This article is summarized in: the morning paper (an interesting/influential/important paper from the world of CS every weekday morning, as selected by Adrian Colyer).

2018-05-24
Johnson, Claiborne, MacGahan, Thomas, Heaps, John, Baldor, Kevin, von Ronne, Jeffery, Niu, Jianwei.  2017.  Verifiable Assume-Guarantee Privacy Specifications for Actor Component Architectures. Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies. :167–178.

Many organizations process personal information in the course of normal operations. Improper disclosure of this information can be damaging, so organizations must obey privacy laws and regulations that impose restrictions on its release or risk penalties. Since electronic management of personal information must be held in strict compliance with the law, software systems designed for such purposes must have some guarantee of compliance. To support this, we develop a general methodology for designing and implementing verifiable information systems. This paper develops the design of the History Aware Programming Language into a framework for creating systems that can be mechanically checked against privacy specifications. We apply this framework to create and verify a prototypical Electronic Medical Record System (EMRS) expressed as a set of actor components and first-order linear temporal logic specifications in assume-guarantee form. We then show that the implementation of the EMRS provably enforces a formalized Health Insurance Portability and Accountability Act (HIPAA) policy using a combination of model checking and static analysis techniques.

Hagen, Loni.  2017.  Overcoming the Privacy Challenges of Wearable Devices: A Study on the Role of Digital Literacy. Proceedings of the 18th Annual International Conference on Digital Government Research. :598–599.

This paper argues that standard privacy policy principles are unsuitable for wearable devices, and introduces a proposal to test the role of digital literacy on privacy concerns and behaviors, in an effort to devise modified privacy policies that are appropriate for wearable devices.

Kacimi, Zineb, Benhlima, Laila.  2017.  XACML Policies into mongoDB for Privacy Access Control. Proceedings of the Mediterranean Symposium on Smart City Application. :9:1–9:5.

Nowadays Big data is considered as one of the major technologies used to manage a huge number of data, but there is little consideration of privacy in big data platforms. Indeed, developers don't focus on implementing security best practices in their programs to protect personal and sensitive data, and organizations can face financial loss because of this noncompliance with applied regulations. In this paper, we propose a solution to insert privacy policies written in XACML (eXtensible Access Control Markup Language) in an access control solution for NoSQL databases. Our solution can be used for NoSQL data stores which don't include many access control features. It aims basically to ensure fine-grained access control considering purpose as the main parameter. We will focus on access control at document level, and apply this approach to MongoDB, which is the most used NoSQL data store.

Chen, Xin, Huang, Heqing, Zhu, Sencun, Li, Qing, Guan, Quanlong.  2017.  SweetDroid: Toward a Context-Sensitive Privacy Policy Enforcement Framework for Android OS. Proceedings of the 2017 on Workshop on Privacy in the Electronic Society. :75–86.

Android privacy control is an important but difficult problem to solve. Previously, there was much research effort either focusing on extending the Android permission model with better policies or modifying the Android framework for fine-grained access control. In this work, we take an integral approach by designing and implementing SweetDroid, a calling-context-sensitive privacy policy enforcement framework. SweetDroid combines automated policy generation with automated policy enforcement. The automatically generated policies in SweetDroid are based on the calling contexts of privacy sensitive APIs; hence, SweetDroid is able to tell whether a particular API (e.g., getLastKnownLocation) under a certain execution path is leaking private information. The policy enforcement in SweetDroid is also fine-grained - it is at the individual API level, not at the permission level. We implement and evaluate the system based on thousands of Android apps, including those from a third-party market and malicious apps from VirusTotal. Our experiment results show that SweetDroid can successfully distinguish and enforce different privacy policies based on calling contexts, and the current design is both developer hassle-free and user transparent. SweetDroid is also efficient because it only introduces small storage and computational overhead.

2017-12-04
Al-Shomrani, A., Fathy, F., Jambi, K..  2017.  Policy enforcement for big data security. 2017 2nd International Conference on Anti-Cyber Crimes (ICACC). :70–74.

Security and privacy of big data become challenging as data grows and becomes more accessible to more and more clients. Large-scale data storage is becoming a necessity for healthcare, business segments, government departments, scientific endeavors and individuals. Our research will focus on the privacy, security and how we can make sure that big data is secured. Managing security policy is a challenge that our framework will handle for big data. Privacy policy needs to be integrated, flexible, context-aware and customizable. We will build a framework to receive data from customers and then analyze the data received, extract the privacy policy and then identify the sensitive data. In this paper we will present the techniques for privacy policy which will be created to be used in our framework.

2017-09-15
Tomuro, Noriko, Lytinen, Steven, Hornsburg, Kurt.  2016.  Automatic Summarization of Privacy Policies Using Ensemble Learning. Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy. :133–135.

When customers purchase a product or sign up for service from a company, they often are required to agree to a Privacy Policy or Terms of Service agreement. Many of these policies are lengthy, and a typical customer agrees to them without reading them carefully if at all. To address this problem, we have developed a prototype automatic text summarization system which is specifically designed for privacy policies. Our system generates a summary of a policy statement by identifying important sentences from the statement, categorizing these sentences by which of 5 "statement categories" the sentence addresses, and displaying to a user a list of the sentences which match each category. Our system incorporates keywords identified by a human domain expert and rules that were obtained by machine learning, and they are combined in an ensemble architecture. We have tested our system on a sample corpus of privacy statements, and preliminary results are promising.

2015-05-01
Yoohwan Kim, Juyeon Jo, Shrestha, S..  2014.  A server-based real-time privacy protection scheme against video surveillance by Unmanned Aerial Systems. Unmanned Aircraft Systems (ICUAS), 2014 International Conference on. :684-691.

Unmanned Aerial Systems (UAS) have raised a great concern on privacy recently. A practical method to protect privacy is needed for adopting UAS in civilian airspace. This paper examines the privacy policies, filtering strategies, existing techniques, then proposes a novel method based on the encrypted video stream and the cloud-based privacy servers. In this scheme, all video surveillance images are initially encrypted, then delivered to a privacy server. The privacy server decrypts the video using the shared key with the camera, and filters the image according to the privacy policy specified for the surveyed region. The sanitized video is delivered to the surveillance operator or anyone on the Internet who is authorized. In a larger system composed of multiple cameras and multiple privacy servers, the keys can be distributed using Kerberos protocol. With this method the privacy policy can be changed on demand in real-time and there is no need for a costly on-board processing unit. By utilizing the cloud-based servers, advanced image processing algorithms and new filtering algorithms can be applied immediately without upgrading the camera software. This method is cost-efficient and promotes video sharing among multiple subscribers, thus it can spur wide adoption.