Showing papers by "Larry Korba published in 2006"

Ensuring privacy for e-health services

Abstract: The growth of the Internet has been accompanied by the growth of e-health services (e.g. online medical advice, online pharmacies). This proliferation of services and the increasing regulatory and legal requirements for personal privacy have fueled the need to protect the personal privacy of service users. Existing approaches for privacy protection such as access control are predicated on the e-service provider having possession and control over the user's personal data. In this paper, we propose a new approach to protecting personal privacy for e-health services: keeping possession and control over the user's personally identifiable information in the hands of the user as much as possible. Our approach can also be characterized as distributing personally identifiable information only on a "need to know" basis.

Pseudonym Technology for E-Services

Abstract: Pseudonym technology is attracting more and more attention and, together with privacy violations, is becoming a major issue in various e-services. Current e-service systems make personal data collection very easy and efficient through integration, interconnection, and data mining technologies since they use the user’s real identity. Pseudonym technology with unlinkability, anonymity, and accountability can give the user the ability to control the collection, retention, and distribution of his or her personal information. This chapter explores the challenges, issues, and solutions associated with pseudonym technology for privacy protection in e-services. To have a better understanding of how the pseudonym technology provides privacy protection in e-services, we describe a general pseudonym system architecture, discuss its relationships with other privacy technologies, and summarize its requirements. Based on the requirements, we review, analyze, and compare a number of existing pseudonym technologies. We then give an example of a pseudonym practice — e-wallet for eservices and discuss current issues. IDEA GROUP PUBLISHING This paper appears in the publication, Privacy Protection for E-Services edited by George Yee © 2006, Idea Group Inc. 701 E. Chocolate Avenue, Suite 200, Hershey PA 17033-1240, USA Tel: 717/533-8845; Fax 717/533-8661; URL-http://www.idea-gr up.com ITB12167

Automated social network analysis for collaborative work

Abstract: Inter-networked computers enable virtual collaborative work. In the course of interacting with one another, individuals send and receive messages and files of various sorts. This may be done within specialized collaborative work environments, or by simply employing a combination of different communication tools and applications. In the course of doing their work, collaborators perform different actions that create and/or otherwise manipulate digital artifacts that are related to different aspects of their collaboration. Social network analysis is used to develop a fuller understanding of interactions between people. We describe a software prototype of a tool that automatically measures and analyzes aspects of collaboration developing visualizations of likely social interactions. In this paper we describe the system, some early results, and several different possible applications of the technology.

Towards Designing Secure Online Games

Abstract: The multiplayer gaming industry has become very successful in Asia. With the growth of online gaming, there has been an amazing growth in online gamingrelated crime, especially in Massively Multiplayer Online Role-Playing Games (MMORPGs) [1]. In Taiwan, more than 37% of criminal cases relate to online gaming crime with most offenders in the age range of 15-20 years [5]. Most of these crimes can be attributed to the fact that these online games were not designed to be secure. This paper applies a design for security approach to MMORPGs and then examines what crimes could have been avoided if the games were designed to be secure from the beginning. The approach also uncovers some potential new threats and gives countermeasures for them.

Automated social network analysis for collaborative work

Abstract: Inter-networked computers enable virtual collaborative work. In the course of interacting with one another, individuals send and receive messages and files of various sorts. This may be done within specialized collaborative work environments, or by simply employing a combination of different communication tools and applications. In the course of doing their work, collabora tors perform different actions that create and/or otherwise manipulate digital artifacts that are related to different aspects of their collaboration. Social net work analysis is used to develop a fuller understanding of interactions between people. We describe a software prototype of a tool that automatically measures and analyzes aspects, of collaboration developing visualizations of likely social interactions. In this paper we describe the system, some early results, and several different possible applications of the technology.

Semi-Automated Seeding of Personal Privacy Policies in E-Services

Abstract: Permission is granted to quote short excerpts and to reproduce figures and tables from this report, provided that the source of such material is fully acknowledged. INTRODUCTION The rapid growth of the Internet has been accompanied by a proliferation of e-services targeting consumers. E-services are available for banking, shopping, learning, government online, and healthcare. However, each of these services requires a consumer's personally identifiable information (PII) in one form or another. This leads to concerns over privacy. In order for e-services to be successful, privacy must be protected (Ackerman, Cranor, and Reagle, 1999). An effective and flexible way of handling privacy is management via privacy policies. In this approach, a consumer of an e-service has a personal privacy policy that describes what private information the consumer is willing to give up to the e-service, with which parties the provider of the e-service may share the private information, and how long the private information may be kept by the provider. The provider likewise has a provider privacy policy describing similar privacy constraints as in the consumer's policy, but from the viewpoint of the provider, i.e. the nature of the private information and the disclosure/retention requirements that are needed by the e-service. Before the consumer engages the e-service, the provider's privacy policy must match with the consumer's privacy policy. In this way, the consumer's privacy is protected, assuming that the provider complies with the consumer's privacy policy. Note that policy compliance is outside the scope of this work but see Yee and Korba (July 2004). Initial attempts at conserving consumer privacy for e-services over the last few years have focused on the use of web site privacy policies that state the privacy rules or preferences of the web site or service provider. Some of these policies are merely statements in plain English and it is up to the consumer to read it. This has the drawback that very few consumers take the trouble to read it. Even when they do take the time to look at it, online privacy policies have been far too complicated for consumers to understand and suffer from other deficiencies (Lichtenstein, Swatman, and Babu, 1999; Jensen and Potts, 2004)). Still other privacy policies are specified using P3P (W3C) that allows a consumer's browser to automatically check the privacy policy via a browser plug-in. This, of course, is better than plain English policies but a major drawback is that …

Ensuring Privacy for Buyer-Seller E-Commerce

Abstract: The growth of the Internet has been accompanied by the growth of e-services (e.g. e-commerce, e-health). This proliferation of e-services and the increasing regulatory and legal requirements for personal privacy have fueled the need to protect the personal privacy of e-service users. Existing approaches for privacy protection such as the use of pseudonym technology, and personal privacy policies along with appropriate compliance mechanisms are predicated on the e-service provider having possession and control over the user’s personal data. In this paper, we propose a new approach for protecting personal privacy in buyer-seller e-commerce: keeping possession and control over the buyer’s personally identifiable information in the hands of the buyer as much as possible, with the help of a smart card and a trusted authority. Our approach can also be characterized as distributing personally identifiable information only on a “need to know” basis.