
Showing papers by "George Danezis" published in 2006


Proceedings Article
01 Dec 2006
TL;DR: This paper introduces results of a study into the value of location privacy for individuals using mobile devices, and compares this value across national groups, gender and technical awareness, but also the perceived difference between academic use and commercial exploitation.
Abstract: This paper introduces results of a study into the value of location privacy for individuals using mobile devices. We questioned a sample of over 1200 people from five EU countries, and used tools from experimental psychology and economics to extract from them the value they attach to their location data. We compare this value across national groups, gender and technical awareness, but also the perceived difference between academic use and commercial exploitation. We provide some analysis of the self-selection bias of such a study, and look further at the valuation of location data over time using data from another experiment. © 2006 ACM.

151 citations


Proceedings ArticleDOI
30 Oct 2006
TL;DR: In this article, the authors introduce results of a study into the value of location privacy for individuals using mobile devices, and compare this value across national groups, gender and technical awareness, but also the perceived difference between academic use and commercial exploitation.
Abstract: This paper introduces results of a study into the value of location privacy for individuals using mobile devices. We questioned a sample of over 1200 people from five EU countries, and used tools from experimental psychology and economics to extract from them the value they attach to their location data. We compare this value across national groups, gender and technical awareness, but also the perceived difference between academic use and commercial exploitation. We provide some analysis of the self-selection bias of such a study, and look further at the valuation of location data over time using data from another experiment.

146 citations


Proceedings Article
01 Jan 2006
TL;DR: A framework where for each transaction there is a precise specification of what pieces of certified data are revealed to each participant is described, and the cryptographic building blocks that this framework is built upon are described.
Abstract: It is usually the case that before a transaction can take place, some mutual trust must be established between the participants. On-line, doing so requires the exchange of some certified information about the participants. The easy solution is to disclose one's identity and reveal all of one's certificates to establish such a trust relationship. However, it is clear that such an approach is unsatisfactory from a privacy point of view. In fact, often revealing any information that uniquely corresponds to a given individual is a bad idea from the privacy point of view. In this survey paper we describe a framework where for each transaction there is a precise specification of what pieces of certified data are revealed to each participant. We show how to specify transactions in this framework, give examples of transactions that use it, and describe the cryptographic building blocks that this framework is built upon. We conclude with bibliographic notes on the state-of-the-art in this area.

68 citations


Proceedings ArticleDOI
06 Sep 2006
TL;DR: This work discusses the problem, which occurred in the initial design of Tarzan, and other related problems from the literature, when systems are large, and individual nodes only gain random knowledge of part of the network.
Abstract: Peer discovery and route set-up are an integral part of the processes by which anonymizing peer-to-peer systems are made secure. When systems are large, and individual nodes only gain random knowledge of part of the network, their traffic can be detected by the uniqueness of the information they have learnt. We discuss this problem, which occurred in the initial design of Tarzan, and other related problems from the literature.

43 citations


Journal Article
TL;DR: In this paper, the authors suggest the use of an access control policy language which allows for override of denied access in some cases for increased flexibility, and they suggest that the overrides should be audited and the policy can be used for finding the people who should perform the audit.
Abstract: Because it is difficult to predict access needs in advance, and because of the limitations of formal policy languages, it is difficult to completely define an access control policy ahead of the actual use. We suggest the use of a policy language which allows for override of denied access in some cases for increased flexibility. The overrides should be audited and we suggest that the access control policy can be used for finding the people who should perform the audit.

42 citations


Proceedings ArticleDOI
19 Sep 2006
TL;DR: It is argued that in terms of propagation, there exists a continuum between legitimate applications and pure malware, rather than a quantised scale.
Abstract: We study malware propagation strategies which exploit not the incompetence or naivety of users, but instead their own greed, malice and short-sightedness. We demonstrate that interactive propagation strategies, for example bribery and blackmail of computer users, are effective mechanisms for malware to survive and entrench, and present an example employing these techniques. We argue that in terms of propagation, there exists a continuum between legitimate applications and pure malware, rather than a quantised scale.

32 citations


01 Jan 2006
TL;DR: A model of surveillance based on social network theory, where observing one participant also leaks some information about third parties is presented, to provide important insights into the actual security of anonymous communication, and their ability to minimise surveillance and disruption in a social network.
Abstract: We present a model of surveillance based on social network theory, where observing one participant also leaks some information about third parties. We examine how many nodes an adversary has to observe in order to extract information about the network, but also how the method for choosing these nodes (target selection) greatly influences the resulting intelligence. Our results provide important insights into the actual security of anonymous communication, and their ability to minimise surveillance and disruption in a social network. They also allow us to draw interesting policy conclusions from published interception figures, and get a better estimate of the amount of privacy invasion and the actual volume of surveillance taking place.

31 citations


Journal Article
TL;DR: This work analyzes four schemes related to mix networks that make use of Universal Re-encryption and finds serious weaknesses in all of them and demonstrates that anonymous channels are not automatically composable: using two of them in a careless manner makes the system more vulnerable to attack.
Abstract: Universal Re-encryption allows El-Gamal ciphertexts to be re-encrypted without knowledge of their corresponding public keys. This has made it an enticing building block for anonymous communications protocols. In this work we analyze four schemes related to mix networks that make use of Universal Re-encryption and find serious weaknesses in all of them. The Universal Re-encryption of signatures is open to existential forgery, and the two mix schemes can be fully compromised by a passive adversary observing a single message close to the sender. The fourth scheme, the rWonGoo anonymous channel, turns out to be less secure than the original Crowds scheme, on which it is based. Our attacks make extensive use of unintended 'services' provided by the network nodes acting as decryption and re-routing oracles. Finally, our attacks against rWonGoo demonstrate that anonymous channels are not automatically composable: using two of them in a careless manner makes the system more vulnerable to attack.

22 citations


Proceedings Article
14 Oct 2006
TL;DR: Two ways of recovering all matching documents, in the Ostrovsky et al.
Abstract: We show two ways of recovering all matching documents, in the Ostrovsky et al. Private Search, while requiring considerably shorter buffers. Both schemes rely on the fact that documents colliding in a buffer position provide the sum of their plaintexts. Efficient decoding algorithms can make use of this property to recover documents never present alone in a buffer position.

18 citations



01 Jan 2006
TL;DR: This analysis highlights that one can reason about plausible deniability in terms of the information theoretic anonymity metrics and analyze the effect of multiple messages being traced and devise some techniques that could retain some anonymity.
Abstract: We study the effect compulsion attacks, through which an adversary can request a decryption or key from an honest node, have on the security of mix based anonymous communication systems. Some specific countermeasures are proposed that increase the cost of compulsion attacks, detect that tracing is taking place and ultimately allow for some anonymity to be preserved even when all nodes are under compulsion. Going beyond the case when a single message is traced, we also analyze the effect of multiple messages being traced and devise some techniques that could retain some anonymity. Our analysis highlights that we can reason about plausible deniability in terms of the information theoretic anonymity metrics. © Springer-Verlag Berlin Heidelberg 2005.

Book
01 Jan 2006
TL;DR: This paper presents an analysis of Parallel Mixing with Attacker-Controlled Inputs and high-Power Proxies for Enhancing RFID Privacy and Utility and some proposed remedies for these problems.
Abstract: Privacy Vulnerabilities in Encrypted HTTP Streams.- An Analysis of Parallel Mixing with Attacker-Controlled Inputs.- Message Splitting Against the Partial Adversary.- Location Privacy for Cellular Systems Analysis and Solution.- Towards Modeling Wireless Location Privacy.- Failures in a Hybrid Content Blocking System.- Anonymity Preserving Techniques in Trust Negotiations.- Unmixing Mix Traffic.- Mix-Network with Stronger Security.- Covert Channels in IPv6.- Towards Privacy-Aware eLearning.- Anonymization of IP Traffic Monitoring Data: Attacks on Two Prefix-Preserving Anonymization Schemes and Some Proposed Remedies.- Privacy Issues in Vehicular Ad Hoc Networks.- High-Power Proxies for Enhancing RFID Privacy and Utility.- Integrating Utility into Face De-identification.- Privacy in India: Attitudes and Awareness.- Economics of Identity Management: A Supply-Side Perspective.

Book ChapterDOI
30 Aug 2006
TL;DR: This work analyzes four schemes related to mix networks that make use of Universal Re-encryption and finds serious weaknesses in all of them, and demonstrates that anonymous channels are not automatically composable: using two of them in a careless manner makes the system more vulnerable to attack.
Abstract: Universal Re-encryption allows El-Gamal ciphertexts to be re-encrypted without knowledge of their corresponding public keys. This has made it an enticing building block for anonymous communications protocols. In this work we analyze four schemes related to mix networks that make use of Universal Re-encryption and find serious weaknesses in all of them. The Universal Re-encryption of signatures is open to existential forgery, and the two mix schemes can be fully compromised by a passive adversary observing a single message close to the sender. The fourth scheme, the rWonGoo anonymous channel, turns out to be less secure than the original Crowds scheme, on which it is based. Our attacks make extensive use of unintended 'services' provided by the network nodes acting as decryption and re-routing oracles. Finally, our attacks against rWonGoo demonstrate that anonymous channels are not automatically composable: using two of them in a careless manner makes the system more vulnerable to attack.

Journal Article
TL;DR: In this article, the authors discuss the apparent conflict that exists between privacy and accountability, and highlight research directions for balancing the needs of both of the objectives, i.e., accountability tends to be about determining which entities committed which actions while privacy seeks to hide this information.
Abstract: As the Internet has gained widespread use, and advanced technologies such as high-speed multi-media technologies and automated digital monitoring have become a reality, privacy is at the greatest risk of all time. At the same time, sophisticated threats from hackers, terrorists, thieves, and others that would abuse privacy highlight the need to find technologies that provide some accountability. However, the goals of accountability and of privacy appear to be in contradiction: accountability tends to be about determining which entities committed which actions, while privacy seeks to hide this information. In this paper, we discuss the apparent conflict that exists between privacy and accountability. We survey some of the issues in privacy and in accountability and highlight research directions for balancing the needs of both.

Journal Article
TL;DR: Critical concepts of evidence-based trust/reputation systems are outlined first, followed by an introduction to the four families of the Common Criteria Privacy Class: Unobservability, Anonymity, Unlinkability, and Pseudonymity.
Abstract: This position paper discusses the relation of privacy, namely pseudonymity, to evidence-based trust (or rather reputation). Critical concepts of evidence-based trust/reputation systems are outlined first, followed by an introduction to the four families of the Common Criteria (for security evaluation) Privacy Class: Unobservability, Anonymity, Unlinkability, and Pseudonymity. The paper then discusses the common problem of many papers that narrow the considerations of privacy to anonymity only, and elaborates on the concept of pseudonymity through aspects of evidence storing, attacks and some of their implications, together with other related issues like use of mixes.