我的台灣, 看見心靈的故鄉 =2009林磐聳藝術與設計展

This work is a sequel of the studies in the analysis of vulnerabilities in computer systems. It applied boolean algebras to develop a mathematical model describing the exploits of the NVD data source when using the classification based on the concept of measurement. Quasimeasure has been offered for the boolean algebra, proved that she is a measure from the point of view of measure theory. Shows that the algebraic structure is also algebra of events.

Анализ уязвимостей вычислительных систем на основе алгебраических структур и потоков данных National Vulnerability Database

Abstract The app economy is largely reliant on data collection as its primary revenue model. To comply with legal requirements, app developers are often obligated to notify users of their privacy practices in privacy policies. However, prior research has suggested that many developers are not accurately disclosing their apps’ privacy practices. Evaluating discrepancies between apps’ code and privacy policies enables the identification of potential compliance issues. In this study, we introduce the Mobile App Privacy System (MAPS) for conducting an extensive privacy census of Android apps. We designed a pipeline for retrieving and analyzing large app populations based on code analysis and machine learning techniques. In its first application, we conduct a privacy evaluation for a set of 1,035,853 Android apps from the Google Play Store. We find broad evidence of potential non-compliance. Many apps do not have a privacy policy to begin with. Policies that do exist are often silent on the practices performed by apps. For example, 12.1% of apps have at least one location-related potential compliance issue. We hope that our extensive analysis will motivate app stores, government regulators, and app developers to more effectively review apps for potential compliance issues.

/pdf/maps-scaling-privacy-compliance-analysis-to-a-million-apps-4un300f3lq.pdf

MAPS: Scaling Privacy Compliance Analysis to a Million Apps

Single sign-on (SSO) protocols allow one person to use the same login credentials for several organizations Enterprises face increasing competitive pressure to position themselves with regard to SSO, yet the ramifications of a move to SSO are not fully understood In this paper we discuss OpenID, a relatively new SSO protocol that is gaining traction on the web We apply enterprise application modelling techniques to OpenID in order to obtain well-founded decision aids for enterprises: we show how published modelling approaches can be used to analyse risks in OpenID, and show that these can identify security problems with common OpenID practice Finally, we propose analysis principles that condense important general insights of authentication modelling

OpenID and the Enterprise: A Model-Based Analysis of Single Sign-On Authentication

The European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Its privacy regulations apply to any service and company collecting or processing personal data in Europe. Many companies had to adjust their data handling processes, consent forms, and privacy policies to comply with the GDPR's transparency requirements. We monitored this rare event by analyzing the GDPR's impact on popular websites in all 28 member states of the European Union. For each country, we periodically examined its 500 most popular websites - 6,579 in total - for the presence of and updates to their privacy policy. While many websites already had privacy policies, we find that in some countries up to 15.7 % of websites added new privacy policies by May 25, 2018, resulting in 84.5 % of websites having privacy policies. 72.6 % of websites with existing privacy policies updated them close to the date. Most visibly, 62.1 % of websites in Europe now display cookie consent notices, 16 % more than in January 2018. These notices inform users about a site's cookie use and user tracking practices. We categorized all observed cookie consent notices and evaluated 16 common implementations with respect to their technical realization of cookie consent. Our analysis shows that core web security mechanisms such as the same-origin policy pose problems for the implementation of consent according to GDPR rules, and opting out of third-party cookies requires the third party to cooperate. Overall, we conclude that the GDPR is making the web more transparent, but there is still a lack of both functional and usable mechanisms for users to consent to or deny processing of their personal data on the Internet.

/pdf/we-value-your-privacy-now-take-some-cookies-measuring-the-2809s4rpy5.pdf

We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy

Nowadays Internet services have dramatically changed the way people interact with each other and many of our daily activities are supported by those services. Statistical indicators show that more than half of the world's population uses the Internet generating about 2.5 quintillion bytes of data on daily basis. While such a huge amount of data is useful in a number of fields, such as in medical and transportation systems, it also poses unprecedented threats for user's privacy. This is aggravated by the excessive data collection and user profiling activities of service providers. Yet, regulation require service providers to inform users about their data collection and processing practices. The de facto way of informing users about these practices is through the use of privacy policies. Unfortunately, privacy policies suffer from bad readability and other complexities which make them unusable for the intended purpose. To address this issue, we introduce PrivacyGuide, a privacy policy summarization tool inspired by the European Union (EU) General Data Protection Regulation (GDPR) and based on machine learning and natural language processing techniques. Our results show that PrivacyGuide is able to classify privacy policy content into eleven privacy aspects with a weighted average accuracy of 74% and further shed light on the associated risk level with an accuracy of 90%.

PrivacyGuide: Towards an Implementation of the EU GDPR on Internet Privacy Policy Evaluation

With the continuing growth of the Internet landscape, users share large amount of personal, sometimes, privacy sensitive data. When doing so, often, users have little or no clear knowledge about what service providers do with the trails of personal data they leave on the Internet. While regulations impose rather strict requirements that service providers should abide by, the defacto approach seems to be communicating data processing practices through privacy policies. However, privacy policies are long and complex for users to read and understand, thus failing their mere objective of informing users about the promised data processing behaviors of service providers. To address this pertinent issue, we propose a machine learning based approach to summarize the rather long privacy policy into short and condensed notes following a risk-based approach and using the European Union (EU) General Data Protection Regulation (GDPR) aspects as assessment criteria. The results are promising and indicate that our tool can summarize lengthy privacy policies in a short period of time, thus supporting users to take informed decisions regarding their information disclosure behaviors.

I Read but Don't Agree: Privacy Policy Benchmarking using Machine Learning and the EU GDPR

In Internet of Things ecosystems, where various entities trade data and data analysis results, public key infrastructure plays an important role in establishing trust relationships between these entities to specify who trusts whose private keys. The owner of a private key is provided with a public key certificate issued by a certificate authority (CA) representing a trusted third party. Although this certificate ensures the reliability of the ecosystem by verifying the data source and preventing the denial of trading, it often causes an overconcentration of trust in a particular CA. Consequently, if that CA is infringed, all the related trust relationships become compromised. The paper proposes a distributed authentication infrastructure called Meta-PKI that decentralizes such overconcentration via a cross-certification procedure performed by multiple CAs. Although cross-certification is capable of establishing mutual trust relationships, it does not evaluate the trustworthiness of other CAs in a standardized manner. Therefore, this paper also proposes a new cross-certification method using a distributed ledger technology for building trust relationships based on unified criteria. It also describes the implementation of a Meta-PKI system for Hyperledger Fabric as a proof of concept. Once trust relationships have been established, it takes approximately 65.7 ms to validate them using the proposed system, which is secure against CA takeover and spoofing by outsider attackers.

/pdf/cross-certification-towards-distributed-authentication-4mp6ln7xz1.pdf

Cross-Certification Towards Distributed Authentication Infrastructure: A Case of Hyperledger Fabric

In this paper, we introduce a new architecture for personalized services. The architecture separates access control using a user own privacy policy from data storage for private information, and it supports privacy policy management by users. We design a core module, the Privacy Policy Manager (PPM). The module includes several functionalities: ID management, privacy policy management, control of information flows, and recording the flows.

/pdf/ppm-privacy-policy-manager-for-personalized-services-2veyymn8cv.pdf

PPM: Privacy Policy Manager for Personalized Services

This paper focuses on authentication with three types of entities: a user who sends an authentication request, an authentication-server who receives and verifies the request, and a database who supplies the authentication-server with information for verifying the request. This paper presents novel authentication protocols that satisfy the following important properties: (1) secure against replay attacks, (2) the database(s) cannot identify which user is authenticating and (3) the authentication-server cannot identify to which user a given authentication-request corresponds. Firstly, we show a protocol with a single database which satisfies Properties (1) and (2). Secondly, we show a protocol with multiple databases which satisfies Properties (1), (2) and (3). A key idea of our authentication protocols is to use private information retrieval (PIR) [Chor et al. J. ACM, 1998].

/pdf/anonymous-authentication-systems-based-on-private-1rcq1jbzyg.pdf

Toru Nakamura

Papers

PrivacyGuide: Towards an Implementation of the EU GDPR on Internet Privacy Policy Evaluation

I Read but Don't Agree: Privacy Policy Benchmarking using Machine Learning and the EU GDPR

Cross-Certification Towards Distributed Authentication Infrastructure: A Case of Hyperledger Fabric

PPM: Privacy Policy Manager for Personalized Services

Anonymous authentication systems based on private information retrieval