cops: community-oriented privacy system

Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science

Click to edit Master title style

COPS: Community-Oriented Privacy System

The Email Prototype



2Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science

IntroductionMotivationEmail PrototypeFuture work

COPS




What is privacy? The quality or state of being apart from company

or observationHow do we protect privacy?

Doors, locks, alarms, fences/gates Passwords, encryption, information flow

Whose privacy is being protected? The individual

Individual Privacy




What is a ‘group’? Collaborative, Cooperative, Collective

What is privacy? A boundary regulation process that is context

dependentHow is privacy protected?

A dynamic process driven by a group of users

Group Privacy




How do groups of people share information? In person Postal mail Telephone Email/Fax Social networking Cloud

Communication




Facebook News Feed (2006)

• Facebook made privacy changes that made status updates, images, and other user-created content public by default, which motivated more than a third of Facebook users to alter their privacy settings.

Beacon (2007-2009)• Beacon was a part of Facebook's advertisement system that sent data

from external websites to Facebook, for the purpose of allowing targeted advertisements and allowing users to share their activities with their friends.

Cookies (Oct. 2011)• Facebook sued for “tracking, collecting, and storing its users’ wire or

electronic communications, including but not limited to portions of their internet browsing history even when the users were not logged-in to Facebook.”

Motivation




Cloud privacy concerns Amazon’s cloud browser• "All of your web surfing habits will transit Amazon's cloud.

If you think that Google AdWords and Facebook are watching you, this service is guaranteed to have a record of everything you do on the Web.“ -Chester Wisniewski, a senior security adviser at British computer security firm Sophos

Dropbox• “Insecure by design” –Derek Newton of Information

Security Insights• Will turn your files over to the Government if asked

Motivation




Have you ever sent an email to the wrong person accidentally? “One of Eli Lilly & Co.'s sub-contracted lawyers at

Philadelphia based Pepper Hamilton had mistakenly emailed confidential Eli Lilly's discussions to Times reporter Alex Berenson (instead of Bradford Berenson, her co-counsel), costing Eli Lilly nearly $1 billion.” (Zilberman 2010)

Other issues: Huge recipient lists, similar/duplicate names

Motivation




Are there any solutions out there to stop this from happening? Gmail undo:

Complex privacy policies (Leon 2011)• “Online opt-out tools were challenging for users to

understand and configure”

Email Leakage




Community-Oriented Privacy System (COPS)Privacy boundaries are defined through "community

tags“Regulation of privacy is provided through

mechanisms for setting, changing, and making exceptions to the community tags.

Sense of community is realized through mechanisms for notification (making actions of individuals visible to the group) and consensus (allowing the group to vote on changes and exceptions)

COPS




Why take a community-based approach? Shared expertise - privacy-enhancing features like

rules and settings are underutilized by the individual. Shared expertise will lead to better utilization of the privacy mechanisms and better awareness of the privacy requirements and privacy threats.

Shared responsibility - social pressure from the group encourages the individual to pay better attention to neglected privacy tasks due to a sense of responsibility to the community.

COPS




Community Tag

Protect privacy by requiring group consensus required for tag creation/modification and exceptions

Tag usage is enforced by the users

COPS




Threat model - In computer security the term threat modeling is used to describe a set of issues that the designer of the system is interested in. In order to achieve a feeling of privacy we must cover four areas in particular: Accidental disclosure Lack of awareness Inability to understand the privacy rules or system

interfaces Inability of the system to guarantee desired privacy

COPS




Accidental disclosure - when a user accidentally sends an email to the wrong recipient or incorrectly forwards an email to someone that should not have seen it. We anticipate that most privacy breaches are the result of accidental disclosure and we've seen that accidental disclosure can have significant ramifications

COPS




Lack of awareness - Related to accidental disclosure but mostly caused by the lack of knowledge rather than being a mere mistake. Lack of awareness privacy breaches most likely occur as a result of email forwarding and long recipient lists. Tracking an email's forwarding history can be a daunting task and trying to read through an email's recipient list of more than a dozen people is an exercise of frustration

COPS




Inability to understand the privacy rules or system interfaces - As the designers of this system, we're responsible for providing an interface that's easy to use and understand. Our research should look into the metaphors and current practices that people use when protecting privacy and leverage these practices

COPS




Inability of the system to guarantee desired privacy - Our research much span across various different domains -- from academia to the business world and from small informal groups to large group communication. Different domains have different requirements and enforce privacy in different ways. We must take into account these different practices and design a system that can translate easily from one domain to another

COPS




Email Prototype Proof of concept Mockups High fidelity prototype

COPS




COPS




High fidelity prototype

COPS




Usability Studies Single user observations Interactive task-based experiment In the experiment the user will take the role of an

employee working in the Human Resources department at a fictitious company.

Tasks will start out easy and straightforward and will ramp up in difficulty as the participant works through the problems.

COPS




Evaluation Gather data from intro/exit questionnaires, post-

experiment interviews, observation, system monitoring

Measure performance through ease of use, task completion time, error rate, and user satisfaction

Most importantly, do users understand the new privacy features and do they find them useful in the context of an Email application?

COPS




Future work Group of users interacting with the system at once Writing a plug-in for existing Email applications File system/cloud implementation

COPS

cops: community-oriented privacy system

Documents

facebook users

master title stylehow

master title stylewhat

master title stylehave

privacy changes

privacy settings

information flowwhose

group of users