Privacy in the next generation Internet
Data Protection in the context of European Union Policy

A thesis submitted to KTH in partial fulfillment of the requirements for the Doctorate of Technology degree.
4th December 2002, Room C1, Electrum, Kista, Stockholm, SWEDEN
PhD Candidate: Lic. Tekn. Alberto Escudero-Pascual
Advisors: Prof. Bjorn Pehrson and Prof. Gerald Q. Maguire Jr.
Motivation

Me: Alberto Escudero-Pascual, Spanish, 29 years old, graduate student, Royal Institute of Technology.
<who:ID> <when:Time> <what:Action> <where:Position>
Research areas: Mobile Internet and Location Privacy; Data Protection and Cybercrime; Identity Management.
And my identifiers: [email protected], +46 70286 7989, 00:60:1D:F1:64:D4, 192.16.125.240, qwerty.ssvl.kth.se, 3ffe:200:15:2:260:1dff:fef1:64d4, 16/01/2000, 04/12/2002, N59.40.54, E19.094.3
Dissertation: PhD proposal (13/12/2001)

- Identify timely, important emerging areas for privacy in the next generation Internet.
- Study whether the European Union data protection legal provisions are suitable to deal with new telecommunication infrastructures.
- Provide recommendations to technical and regulatory bodies to enhance next generation Internet privacy.
Agenda

1. Background
   - Next generation Internet
   - European Union Data Protection Policy
2. Three privacy areas
   - Unique identifiers and privacy preferences observability
   - Privacy enhanced location based services
   - Legal treatment of 'traffic data'
3. Summary of recommendations
   - Technical
   - Legal
4. Future work
Background

"Living in an all-IP E-world with new E-Laws"
Background: "The All-IP E-world"
The next generation Internet

WHAT                               | HOW
All-IP network                     | IPv6
Convergence of core and wireless   | 2.5G, 3G, 4G
Native IP mobility and security    | MobileIPv6 and IPsec
Self-configuration                 | IPv6 service discovery and autoconfiguration
Background: IPv6/MobileIPv6

[Figure: MobileIPv6 packet flow. Data packet from the mobile node: Ethernet | IPv6 header (source address = care-of address(t), destination address = www.epic.org) | Destination option (home address) | ESP | TCP | HTTP. The mobile node moves from its home network (t1) to a foreign network (t2); the binding update sent to the correspondent node carries Ethernet | IPv6 header | Mobility header (home address, care-of address(t2), SPI).]

1. Always addressable by home address
2. Native integrity, authentication and confidentiality
3. Self-configuration
4. Route optimization
Background: "The new E-laws"
European Union new E-regulatory framework

July 2000
- European Commission proposed 5 packages of measures for a new E-regulatory framework
- COM(2000)385: updates the Data Protection Directive (97/66/EC)

July 2002
- "E"-Data Protection Directive (2002/58/EC)
Background: (2002/58/EC)

1. Aims to update (97/66/EC)
2. Technology-neutral policy
3. Data Protection Directive areas: location data; processing of traffic data (§6, §9); security and confidentiality; privacy-compliant software and hardware; ex-directory default; unsolicited commercial communications
Three privacy areas in the next generation Internet
Papers

[P1] A. Escudero, M. Hedenfalk, and P. Heselius, Location Privacy in Mobile Internet - An extension to Freedom Network. Internet Society Conference (INET2001). Stockholm, Sweden. June 2001.
[P2] A. Escudero, Location Privacy in IPv6: 'Tracking binding updates'. Tutorial at Interactive Distributed Multimedia Systems (IDMS2001). Lancaster, UK. September 2001.
[P3] A. Escudero, Requirements for unobservability of privacy extension in IPv6. Radio Vetenskap 2002. Stockholm, Sweden. June 2002, p. 58.
[P4] A. Escudero, Privacy enhanced architecture for location based services in the next generation wireless networks. 11th IEEE Workshop on Local and Metropolitan Area Networks (LANMAN2002). Stockholm, Sweden. August 2002, pp. 169-172.
[P5] A. Escudero and G. Q. Maguire Jr., Role(s) of a proxy in location based services. 13th IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC2002). Lisbon, Portugal. September 2002, Vol. 3, pp. 1252-1257. © IEEE
[P6] A. Escudero and I. Hosein, The hazards of technology-neutral policy: questioning lawful access to traffic data. To appear in Communications of the Association for Computing Machinery (CACM). Accepted on the 5th September 2002, reviewed 19th October 2002. © ACM
[P7] A. Escudero, Privacy in mobile Internet in the context of the European Union data protection policy. Internet Society Conference (INET2002). Washington DC, USA. June 2002.
[P8] A. Escudero, T. Holleboom, and S. Fischer-Huebner, Privacy for location data in Mobile Networks (NORDSEC2002). Karlstad, Sweden. November 2002, pp. 220-232.
Papers and Privacy Areas

Privacy threats / Unique identifiers: IDMS2001 [P2], RVK02 [P3]
Location privacy / Privacy in LBS: INET2001 [P1], LANMAN2002 [P4], PIMRC2002 [P5] (© IEEE), NORDSEC2002 [P8]
Traffic data policy: CACM [P6] (© ACM), INET2002 [P7]
1. IPv6 Unique Identifiers and privacy preferences observability
Analysis of privacy extension for IPv6 address autoconfiguration: RFC3041
IPv6 Unique Identifiers

RFC2373 - IPv6 addressing architecture
RFC2374 - IPv6 aggregatable global unicast address
RFC2462 - IPv6 address autoconfiguration

IEEE 802 MAC address:         00:60:1D:F1:64:D4
EUI-64:                       00:60:1D:FF:FE:F1:64:D4
IPv6 IID (U/L bit inverted):  02:60:1D:FF:FE:F1:64:D4  ->  260:1dff:fef1:64d4
Router Advertisement prefix:  3FFE:200:15:2
U/L bit = 1

An "EUI-64 based" IPv6 interface identifier (IID) is a unique identifier: the rightmost 64 bits of the address remain constant whatever prefix the router advertises, and the U/L bit is a CLAIM of uniqueness.
Location Privacy implications

Escudero A. "Location Privacy in IPv6, tracking the binding updates", Tutorial at IDMS2001, Lancaster, UK, September 2001. [P2]

- It is possible to track a device by checking for global unicast addresses with the same interface identifier.
- It is possible to track a device by observing MobileIPv6 "binding updates" (sent in plain text).

Some proposals that try to solve the problem:
- Privacy extensions for MobileIPv6 and Hierarchical MIP [Castelluccia & Soliman]
- Privacy extension for stateless address autoconfiguration, RFC3041 [Narten & Draves]
Analysis of RFC3041

Escudero A. "Requirements for unobservability of privacy extension in IPv6", Radio Vetenskap, Stockholm, Sweden, June 2002. [P3]

RFC3041 "privacy extension for address autoconfiguration" suggests:
1. generating the IID randomly;
2. changing the U/L bit to u=0 to indicate that the IID is not globally unique.

U/L bit = 0

Limitation: while the u bit indicates that the IID is not globally unique, under certain scenarios it also reveals that the user wants to protect his/her privacy.
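The derivation on the two preceding slides and the two tracking attacks, worked through as an added example (editor's code, not the thesis's). The MAC address and the home prefix are the ones on the slides; the foreign prefix and the list of observed addresses are constructed for the example. It builds the EUI-64 IID, an RFC3041-style random IID with u=0, shows how an observer links one constant IID across two /64 prefixes, and shows what the u bit alone tells that observer.

```python
"""IPv6 interface identifiers: EUI-64 derivation, RFC3041 random IIDs and what an
observer can do with them. Added example, not code from the thesis. MAC and home
prefix are from the slides; the foreign prefix and observations are constructed."""
import ipaddress
import os
from collections import defaultdict

MAC_ON_SLIDE = "00:60:1D:F1:64:D4"      # MAC shown on the slides
HOME_PREFIX = "3ffe:200:15:2::"          # router advertisement prefix on the slides
FOREIGN_PREFIX = "2001:db8:ca:fe::"      # constructed: a visited network


def mac_to_eui64_iid(mac: str) -> bytes:
    """RFC2373/RFC2464 style: MAC-48 -> modified EUI-64 interface identifier.

    FF:FE is inserted in the middle and the universal/local bit (0x02 of the
    first octet) is inverted, so a globally unique MAC gives u = 1.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]


def rfc3041_random_iid() -> bytes:
    """RFC3041 style: 64 random bits with the u bit cleared (u = 0, not globally unique)."""
    iid = bytearray(os.urandom(8))
    iid[0] &= 0xFD                      # clear bit 0x02 -> u = 0
    return bytes(iid)


def u_bit(iid: bytes) -> int:
    """Universal/local bit of an interface identifier (1 = claims global uniqueness)."""
    return (iid[0] >> 1) & 1


def make_address(prefix: str, iid: bytes) -> str:
    """Stateless autoconfiguration: /64 prefix from the router advertisement + IID."""
    prefix_bytes = ipaddress.IPv6Address(prefix).packed[:8]
    return str(ipaddress.IPv6Address(prefix_bytes + iid))


def split_address(addr: str):
    """Return (prefix as 'x::/64', IID bytes) for a global unicast address."""
    packed = ipaddress.IPv6Address(addr).packed
    prefix = str(ipaddress.IPv6Address(packed[:8] + bytes(8))) + "/64"
    return prefix, packed[8:]


def link_by_iid(observed_addresses):
    """Observer's view: an IID seen under more than one /64 ties those
    appearances to one device, i.e. the device is tracked across networks."""
    prefixes_per_iid = defaultdict(set)
    for addr in observed_addresses:
        prefix, iid = split_address(addr)
        prefixes_per_iid[iid].add(prefix)
    return {iid.hex(): sorted(p) for iid, p in prefixes_per_iid.items() if len(p) > 1}


def classify_iid(iid: bytes) -> str:
    """What the u bit alone tells an observer about the address."""
    if u_bit(iid) == 1:
        return "u=1: EUI-64 derived, constant across networks, device trackable"
    return "u=0: not globally unique (RFC3041/manual/DHCPv6/CGA); privacy preference observable"


if __name__ == "__main__":
    eui = mac_to_eui64_iid(MAC_ON_SLIDE)
    print(make_address(HOME_PREFIX, eui))        # 3ffe:200:15:2:260:1dff:fef1:64d4
    print(classify_iid(eui))
    observed = [make_address(HOME_PREFIX, eui), make_address(FOREIGN_PREFIX, eui),
                make_address(HOME_PREFIX, rfc3041_random_iid()),
                make_address(FOREIGN_PREFIX, rfc3041_random_iid())]
    print(link_by_iid(observed))   # only the EUI-64 IID is linked across both prefixes
    print(classify_iid(rfc3041_random_iid()))
```

The EUI-64 address produced for the slide's MAC is exactly the one the candidate lists among his own identifiers, 3ffe:200:15:2:260:1dff:fef1:64d4. The random IIDs defeat link_by_iid, but classify_iid still separates them from EUI-64 addresses by the u bit alone, which is the observability limitation the slide states.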
Limitations of RFC3041: Privacy Preferences Observability

[Figure: decision tree over the IPv6 address configuration methods (manual, DHCPv6, CGA, RFC3041) as seen by an observer. An address with u=0 that is not CGA, not DHCPv6 and not manually configured (branches m0/m1, d=0/d=1, !cga, !dhcp) is identifiable as RFC3041, so the privacy preference itself is observable.]
Technical recommendation

1. All interface identifiers are generated randomly (change RFC2373): "privacy by default".
2. The (U/L) "claim bit" is not used; use Duplicate Address Detection (DAD) instead.
3. Create a "pseudo-random interface identifier" based on link-level information.
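One way to realise the three recommendations together, as an added illustration by the editor rather than the thesis's own construction: the IID is derived from link-level information (MAC and advertised prefix) through a keyed hash, so it is stable on one link without stored state but unrelated across links; no bit of it is reserved as a uniqueness claim; and uniqueness is established by DAD, modelled here as a set of IIDs already present on the link. The hash choice, the per-host secret and the DAD model are assumptions of the example.

```python
"""Pseudo-random interface identifiers from link-level information, with DAD
instead of a claim bit. Editor's example; the SHA-256 derivation, per-host
secret and the set-based DAD model are assumptions, not the thesis's design."""
import hashlib
import os


def pseudo_random_iid(mac: str, prefix: str, secret: bytes, attempt: int = 0) -> bytes:
    """IID = first 64 bits of SHA-256(secret || MAC || prefix || attempt).

    Stable for one (host, link) pair, so the host stays addressable without
    storing state, but unlinkable across links: the same MAC yields an
    unrelated IID under every prefix. No bit is reserved as a uniqueness claim.
    """
    material = (secret + mac.lower().encode() + prefix.lower().encode()
                + attempt.to_bytes(2, "big"))
    return hashlib.sha256(material).digest()[:8]


def configure_iid(mac: str, prefix: str, secret: bytes, in_use: set,
                  max_attempts: int = 8) -> bytes:
    """Pick an IID for this link, running DAD instead of trusting a claim bit.

    `in_use` models the IIDs DAD would discover on the link; on a collision
    the attempt counter is bumped and a fresh IID is derived.
    """
    for attempt in range(max_attempts):
        iid = pseudo_random_iid(mac, prefix, secret, attempt)
        if iid not in in_use:           # DAD succeeded: nobody else answers for it
            return iid
    raise RuntimeError("DAD failed repeatedly; configure the address manually")


def iid_hex(iid: bytes) -> str:
    """Colon-separated 16-bit groups, as the IID appears in the address."""
    return ":".join(f"{iid[i] << 8 | iid[i + 1]:x}" for i in range(0, 8, 2))


if __name__ == "__main__":
    secret = os.urandom(32)                       # per-host secret, generated once
    mac = "00:60:1D:F1:64:D4"                     # MAC from the slides
    home = pseudo_random_iid(mac, "3ffe:200:15:2::", secret)      # slide's prefix
    away = pseudo_random_iid(mac, "2001:db8:ca:fe::", secret)     # constructed prefix
    print(iid_hex(home), iid_hex(away), home != away)
    # Same host, same link, later: same IID (self-configuration without state).
    print(home == pseudo_random_iid(mac, "3ffe:200:15:2::", secret))
    # A neighbour already holds our IID: DAD moves us to attempt 1.
    print(configure_iid(mac, "3ffe:200:15:2::", secret, in_use={home}) != home)
```

Because the secret never leaves the host, an observer who sees the home and foreign addresses cannot compute or compare the two IIDs, and because the U/L bit is simply whatever the hash produced, there is no "u=0" marker singling out privacy-conscious hosts.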
2. Location Privacy in Location Based Services
Privacy Enhanced LBS architecture
Previous work: Untraceable Mobility Support in the Freedom PIP network

- Proposal to extend the Zero Knowledge Systems' Freedom network to support mobility.
- Application of Chaum mixes + Hierarchical MobileIP inside a pseudonymous IP network.
- Addressed in detail in my Lic. Thesis.

Escudero A., Hedenfalk M. and Heselius P. "Location privacy in mobile internetworking. Protocol extensions to the Freedom Network", INET2001, Stockholm, June 2001. [P1]
Seamless Mobility in Freedom Network™

[Figure: mobility support in the Freedom network. Partial routes are re-created across AIPentry(1), AIPentry(2), AIP2 and AIPexit; the AIP exit does not see the micro-mobility.]

Drawbacks: a complex solution in the IP layer and up; big infrastructure; scalability.
Privacy Enhanced Location Based Services Architecture

Escudero A. "Privacy enhanced architecture for location based services in the next generation Internet". LANMAN2002, Stockholm, Sweden, August 2002. [P4]
Escudero A. and Maguire G. "Role(s) of proxy in location based services". PIMRC2002, Lisbon, Portugal, September 2002. [P5]

[Figure: PE-LBS architecture. Location data travels, independently of the transport, as XML location data inside a SOAP request to the LBS proxy server, which dispatches it to the services S1, S2, S3.]
Technical recommendation

Proxy acts as:
- a SOAP class dispatcher
- a Chaum mix (the PE-LBS proxy can act as one)
- an intelligent software agent

PE-LBS:
- suitable architecture for 3G networks
- "XML encryption" is the only requirement
- transport independent
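The mix role of the proxy, as an added toy example by the editor (not the thesis's implementation): location requests arrive from identified clients, the proxy replaces each identity with a one-time pseudonym, holds requests until a batch is full, reorders the batch and only then forwards it to the services, so a service sees neither identities nor arrival order. The request fields, pseudonym scheme and batch size are assumptions; the XML payload is passed through as an opaque string (XML encryption, the architecture's one requirement, is not implemented here).

```python
"""Toy PE-LBS proxy acting as a Chaum mix between clients and location based
services. Editor's example, not the thesis's code; fields, pseudonym scheme and
batch size are assumptions, and the XML payload is treated as opaque."""
import random
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class LocationRequest:
    client_id: str        # identity, known to the proxy only
    location: tuple       # (latitude, longitude) as the terminal reports it
    service: str          # target LBS, e.g. "S1"
    xml_payload: str      # service-specific XML, opaque to the mix


class PELBSProxy:
    """Strips identities, batches and reorders requests, then forwards them.

    The service sees pseudonymous, reordered requests; the only mapping from
    pseudonym back to client lives in the proxy and is deleted once answered.
    """

    def __init__(self, batch_size: int = 3, rng=None):
        self.batch_size = batch_size
        self.rng = rng or random.SystemRandom()
        self.pending = []                 # (pseudonym, request) awaiting a full batch
        self.pseudonym_to_client = {}

    def submit(self, req: LocationRequest) -> list:
        """Accept a request; returns the forwarded batch once it is full, else []."""
        pseudonym = secrets.token_hex(8)
        self.pseudonym_to_client[pseudonym] = req.client_id
        self.pending.append((pseudonym, req))
        return self.flush() if len(self.pending) >= self.batch_size else []

    def flush(self) -> list:
        """Mix step: reorder the batch and emit it without client identities."""
        batch, self.pending = self.pending, []
        self.rng.shuffle(batch)
        return [{"pseudonym": p, "service": r.service, "location": r.location,
                 "xml_payload": r.xml_payload} for p, r in batch]

    def deliver(self, pseudonym: str, response: str):
        """Route a service response back to the real client and forget the link."""
        return self.pseudonym_to_client.pop(pseudonym), response


def leaks_identity(forwarded: list, client_ids) -> bool:
    """Check the service-side view: does any forwarded message name a client?"""
    text = repr(forwarded)
    return any(cid in text for cid in client_ids)


if __name__ == "__main__":
    # Constructed requests; the coordinates are arbitrary.
    reqs = [LocationRequest("alice", (59.40, 17.95), "S1", "<loc/>"),
            LocationRequest("bob", (59.41, 17.94), "S2", "<loc/>"),
            LocationRequest("carol", (59.39, 17.96), "S1", "<loc/>")]
    proxy = PELBSProxy(batch_size=3)
    forwarded = []
    for r in reqs:
        forwarded += proxy.submit(r)
    print(forwarded)                                            # no client ids, mixed order
    print(leaks_identity(forwarded, ["alice", "bob", "carol"]))  # False
    print(proxy.deliver(forwarded[0]["pseudonym"], "<poi>nearest cafe</poi>"))
```

The location itself still reaches the service, which is why the slides pair the proxy with informed consent and XML encryption: the mix hides who asked, not where they are.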
3. Legal Aspects of Internet Traffic Data
Analysis of the Data Protection Directive (2002/58/EC): Location and Traffic Data
Legal aspects of "traffic and content data"

The "current" legal definitions of Internet traffic data are a threat to privacy.

Definitions
a) "traffic data": all data processed which relate to the routing of a communication by an electronic communications network.
b) "communication": all information exchanged or routed between a finite number of parties via an electronic communications network accessible to the public.
c) "telecommunications service": services which consist in total or in part of the transmission and routing of signals on telecommunications networks, with the exception of radio and television.
Technology I: The Phone - Call Data Records
Traffic data in POTS

EVENT: Someone makes a phone call

19991003070824178 165 0187611205 46732112106 ----------001------003sth 46 4673000-----0013 1410260
1999100307083041 33 01541011341 46708314801 ----------001------003sth 46 4670000--8 0013 11 10260
1999100307162963 51 0187614815 46739112106 ----------001------003sth 46 4673000-----0013 13 10260
1999100307182788 74 015410124301 46708314801 ----------001------003sth 46 4670000--8 0014 11 10260
1999100307204736 18 0187614805 46739112106 ----------001------003sth 46 4673000-----0013 14 10260
1999100307222326 20 01317023888 46706263087 ----------001------003sth 46 4670000--6 0013 1 10260
1999100300131791 90 0131654200 46854543084 ----------001------002sth 46 46 001-----0014 14 10260
Technology I: The Phone - Call Data Records (decoded)

Someone makes a phone call for 3 minutes and 20 seconds:
1999-10-03 07:08:24, from telephone 46 732112106 to telephone 46 4673000
Technology II: RADIUS - Internet dialup records

EVENT: Someone dials with a traditional telephone line using a modem to an Internet provider

Fri Oct 19 11:30:40 2001
  User-Name = "[email protected]"
  NAS-IP-Address = 62.188.74.4
  NAS-Port = 3239
  NAS-Port-Type = Async
  Acct-Status-Type = Start
  Acct-Delay-Time = 0
  Acct-Session-Id = "324546354"
  Acct-Authentic = RADIUS
  Calling-Station-Id = "01223461172"
  Called-Station-Id = "9061000"
  Framed-Protocol = PPP
  Framed-IP-Address = 62.188.17.227
  Proxy-State = "PX01\0\0`\0xcdntg\0x13\0xdfV\0xa4\[...]\0xfc\0x8c"
Technology II: RADIUS - Internet dialup records (decoded)

User: [email protected]
Place of call: Cambridge (UK), 01223461172
Calling to: London (UK), 9061000
IP address: 62.188.17.227
Duration of call: 21 seconds
Type of connection: async modem
Date and time: from Fri Oct 19 11:30:40 2001 to Fri Oct 19 11:31:00 2001
Technology III: Wireless radio cell authentication

EVENT: Users A and B using a WLAN network

time GMT=20010810010852 Cell ID=115 MAC ID=00:02:2D:20:47:24 (A)
time GMT=20010810010852 Cell ID=115 MAC ID=00:02:2D:04:29:30 (B)
time GMT=20010810010852 Cell ID=115 MAC ID=00:60:1D:21:C3:9C
time GMT=20010810010853 Cell ID=129 MAC ID=00:02:2D:04:29:30
time GMT=20010810010854 Cell ID=129 MAC ID=00:02:2D:1F:53:C0
time GMT=20010810010854 Cell ID=129 MAC ID=00:02:2D:04:29:30 (B)
time GMT=20010810010854 Cell ID=129 MAC ID=00:02:2D:20:47:24 (A)
time GMT=20010810010856 Cell ID=41 MAC ID=00:02:2D:0A:5C:D0
time GMT=20010810010856 Cell ID=41 MAC ID=00:02:2D:1F:78:00
time GMT=20010810010856 Cell ID=41 MAC ID=00:60:1D:1E:D4:53
time GMT=20010810010858 Cell ID=211 MAC ID=00:60:1D:F0:E4:D8
time GMT=20010810010900 Cell ID=154 MAC ID=00:30:65:00:62:27
time GMT=20010810010900 Cell ID=154 MAC ID=00:02:2D:05:0B:25
time GMT=20010810010900 Cell ID=154 MAC ID=00:60:1D:22:26:A7
time GMT=20010810010900 Cell ID=154 MAC ID=00:02:DD:30:06:90
time GMT=20010810010900 Cell ID=154 MAC ID=00:02:2D:0D:27:D3
Technology III: Wireless radio cell authentication (decoded)

On 2001-08-10 at 01:08:52 AM, (A) was in radio cell 115 with user (B), and they moved together at 01:08:54 AM to cell 129.
Radio cell 115 covers the Electrum C1 lecture room; radio cell 129 covers the Electrum restaurant.
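The inference on the preceding slide, carried out over the cell-authentication log, as an added example by the editor (not the thesis's code). The log lines are the first lines of the slide's sample log and the cell-to-place map is the one the slide states; the parsing regex and the co-movement rule (two devices seen together in at least two different cells) are assumptions of the example. The point is that plain "traffic data" with no content at all yields who was with whom and where.

```python
"""Co-location inference from a wireless cell-authentication log. Editor's
example, not the thesis's code; the log lines are the slide's sample, the
cell-to-place map is from the slide, regex and co-movement rule are assumptions."""
import re
from collections import defaultdict
from datetime import datetime
from itertools import combinations

SAMPLE_LOG = """\
time GMT=20010810010852 Cell ID=115 MAC ID=00:02:2D:20:47:24
time GMT=20010810010852 Cell ID=115 MAC ID=00:02:2D:04:29:30
time GMT=20010810010852 Cell ID=115 MAC ID=00:60:1D:21:C3:9C
time GMT=20010810010853 Cell ID=129 MAC ID=00:02:2D:04:29:30
time GMT=20010810010854 Cell ID=129 MAC ID=00:02:2D:1F:53:C0
time GMT=20010810010854 Cell ID=129 MAC ID=00:02:2D:04:29:30
time GMT=20010810010854 Cell ID=129 MAC ID=00:02:2D:20:47:24
time GMT=20010810010856 Cell ID=41 MAC ID=00:02:2D:0A:5C:D0
time GMT=20010810010856 Cell ID=41 MAC ID=00:02:2D:1F:78:00
time GMT=20010810010856 Cell ID=41 MAC ID=00:60:1D:1E:D4:53
time GMT=20010810010858 Cell ID=211 MAC ID=00:60:1D:F0:E4:D8
time GMT=20010810010900 Cell ID=154 MAC ID=00:30:65:00:62:27
time GMT=20010810010900 Cell ID=154 MAC ID=00:02:2D:05:0B:25
"""

CELL_PLACES = {115: "Electrum C1", 129: "Electrum restaurant"}   # stated on the slide

LINE_RE = re.compile(r"time GMT=(\d{14}) Cell ID=(\d+) MAC ID=([0-9A-Fa-f:]{17})")


def parse_log(text: str) -> dict:
    """MAC -> set of (timestamp, cell) sightings; unparsable lines are skipped."""
    sightings = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
        sightings[m.group(3).upper()].add((ts, int(m.group(2))))
    return sightings


def co_moving_pairs(sightings: dict) -> dict:
    """Pairs of devices seen together in at least two different cells.

    One shared sighting is a coincidence; the same two MACs appearing together
    in cell c1 and later in cell c2 is a movement pattern that links the users.
    """
    pairs = {}
    for a, b in combinations(sorted(sightings), 2):
        shared = sorted(sightings[a] & sightings[b])
        if len({cell for _, cell in shared}) >= 2:
            pairs[(a, b)] = shared
    return pairs


def describe(pairs: dict) -> list:
    """Turn the inference into the plain-language statement the slide makes."""
    out = []
    for (a, b), shared in pairs.items():
        steps = ", ".join(f"{CELL_PLACES.get(cell, f'cell {cell}')} at {ts:%H:%M:%S}"
                          for ts, cell in shared)
        out.append(f"{a} and {b} moved together: {steps}")
    return out


if __name__ == "__main__":
    for sentence in describe(co_moving_pairs(parse_log(SAMPLE_LOG))):
        print(sentence)
```

On the slide's log only the two tagged devices satisfy the rule: the crowd in cell 41 and cell 154 shares a single sighting each, which the threshold discards.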
Technology IV: Web server logs

EVENT: User A connects to a web server B

295.47.63.8 - - [05/Mar/2002:15:19:34 +0000] "GET /cgi-bin/htsearch?config=htdigx&words=startrek HTTP/1.0" 20 2225
295.47.63.8 - - [05/Mar/2002:15:19:44 +0000] "GET /cgi-bin/htsearch?config=htdig&words=startrek+avi HTTP/1.0" 200 …
215.59.193.32 - - [05/Mar/2002:15:20:17 +0000] "GET /cgi-bin/htsearch?config=htdig&words=Modem+HOWTO …
192.77.63.8 - - [05/Mar/2002:15:20:35 +0000] "GET /cgi-bin/htsearch?config=htdig&words=conflict+war HTTP/1.0" 200
211.164.33.3 - - [05/Mar/2002:15:21:32 +0000] "GET /cgi-bin/htsearch?config=htdigx&words=railway+info …
211.164.33.3 - - [05/Mar/2002:15:21:38 +0000] "GET /cgi-bin/htsearch?config=htdigx&words=tickets HTTP/1.0" 200
211.164.33.3 - - [05/Mar/2002:15:22:05 +0000] "GET /cgi-bin/htsearch?config=htdigx&words=railway+info+London …
212.164.33.3 - - [05/Mar/2002:15:22:35 +0000] "GET /cgi-bin/htsearch?config=htdigx&words=union+strike HTTP/1.0 …
82.24.237.98 - - [05/Mar/2002:15:25:29 +0000] "GET /cgi-bin/htsearch?config=htdigx&words=blind+date HTTP/1.0 …
Technology IV: Web server logs (decoded)

On 2002-03-05 at 15:21:32, user 211.164.33.3 searches for information about:
railway, tickets, London, union, strike
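The same decoding done by program, as an added example by the editor (not the thesis's code): a Common Log Format parser pulls the query string out of each request line and keeps, per client IP, the unique search words and the time window in which they were issued. The log lines are constructed after the slide's (spacing normalised, response sizes filled in, and all four railway/union lines attributed to 211.164.33.3 as the slide's summary does); the regex is an assumption.

```python
"""Search terms recovered from web server logs: the query string is 'traffic
data' to the server but reveals the user's interests. Editor's example, not the
thesis's code; log lines are constructed after the slide, the regex is an assumption."""
import re
from collections import OrderedDict
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
295.47.63.8 - - [05/Mar/2002:15:19:34 +0000] "GET /cgi-bin/htsearch?config=htdigx&words=startrek HTTP/1.0" 200 2225
295.47.63.8 - - [05/Mar/2002:15:19:44 +0000] "GET /cgi-bin/htsearch?config=htdig&words=startrek+avi HTTP/1.0" 200 2310
215.59.193.32 - - [05/Mar/2002:15:20:17 +0000] "GET /cgi-bin/htsearch?config=htdig&words=Modem+HOWTO HTTP/1.0" 200 1802
192.77.63.8 - - [05/Mar/2002:15:20:35 +0000] "GET /cgi-bin/htsearch?config=htdig&words=conflict+war HTTP/1.0" 200 1975
211.164.33.3 - - [05/Mar/2002:15:21:32 +0000] "GET /cgi-bin/htsearch?config=htdigx&words=railway+info HTTP/1.0" 200 2001
211.164.33.3 - - [05/Mar/2002:15:21:38 +0000] "GET /cgi-bin/htsearch?config=htdigx&words=tickets HTTP/1.0" 200 1744
211.164.33.3 - - [05/Mar/2002:15:22:05 +0000] "GET /cgi-bin/htsearch?config=htdigx&words=railway+info+London HTTP/1.0" 200 2140
211.164.33.3 - - [05/Mar/2002:15:22:35 +0000] "GET /cgi-bin/htsearch?config=htdigx&words=union+strike HTTP/1.0" 200 1899
82.24.237.98 - - [05/Mar/2002:15:25:29 +0000] "GET /cgi-bin/htsearch?config=htdigx&words=blind+date HTTP/1.0" 200 1650
"""

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_clf(text: str):
    """Yield (ip, timestamp string, method, request-target, status) per valid line."""
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4), int(m.group(5))


def search_terms_by_ip(text: str, param: str = "words") -> dict:
    """IP -> {"terms": [unique words, in order], "first": ts, "last": ts}.

    Only the 'words' query parameter carries user intent; the htdig 'config'
    parameter is server-side noise and is dropped. parse_qs already turns '+'
    into spaces, so each value splits into individual words.
    """
    profiles = OrderedDict()
    for ip, ts, _method, target, _status in parse_clf(text):
        query = parse_qs(urlsplit(target).query)
        words = [w for value in query.get(param, []) for w in value.split()]
        profile = profiles.setdefault(ip, {"terms": [], "first": ts, "last": ts})
        profile["last"] = ts
        for w in words:
            if w not in profile["terms"]:
                profile["terms"].append(w)
    return profiles


if __name__ == "__main__":
    for ip, p in search_terms_by_ip(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(p['terms'])}  ({p['first']} .. {p['last']})")
```

Nothing here touches the content of any page the user read; the whole profile comes from the request line, which is precisely what the definition of "traffic data" on the earlier slide puts outside content protection.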
Where is the content? Where is the traffic?

POTS: SIGNALING = phone numbers / time; CONTENT = the conversation.
INTERNET: see the IPv6/MobileIPv6 packet below.
Where is the content? Where is the traffic?

[Figure: the IPv6/MobileIPv6 packet from the Background section again: Ethernet | IPv6 header (source = care-of address(t), destination = www.epic.org) | Destination option (home address) | ESP | TCP | HTTP, plus the binding update with Mobility header (home address, care-of address(t2), SPI) to the correspondent node; the mobile node moves from t1 to t2. The requested URL, http://www.epic.org, sits inside the HTTP payload.]
Legal recommendation

Traditional legal, regulatory and technical provisions were established with traditional technological environments in mind. The traditional classification of data based on the functional channel is no longer valid.
Data protection policies should consider the sensitivity of the amount of personally identifiable information in a 'data set' and not insist on applying traditional powers to new infrastructures.

Escudero A. and Hosein I. "The hazards of technology-neutral policy: questioning lawful access to traffic data". CACM. [P6]
Escudero A. "Privacy in the next generation Internet in the context of the European Union Policy". INET2002, Washington DC, USA, June 2002. [P7]
Summary of recommendations and contributions
Summary and results

Concerning unique identifiers:
- Show how IPv6 unique interface identifiers are a threat to privacy.
- Show how IP addresses are personally identifiable information.
- Show how IPv6 RFC3041 is not enough privacy protection.
- Propose changes to RFC2373, RFC2374, RFC2462.

CONCRETE RESULT: Opinion 2/2002 of the Article 29 Data Protection Working Party (Appendix A)
Summary and results

Concerning location based services:
- Propose a PE-LBS architecture suitable for 3G networks and compliant with the Data Protection Directive (2002/58/EC).
- Propose the use of the W3C Platform for Privacy Preferences (P3P) for obtaining informed consent. [P8]

CONCRETE RESULT: PE-LBS architecture applied to "road pricing"
Summary and results

Concerning legal treatment of traffic data:
- Propose that data protection policies should consider the sensitivity of the amount of personally identifiable information in a 'data set' and not insist on applying traditional powers to new infrastructures.

CONCRETE RESULT: journal article, wide dissemination (Appendix B)
Future work

Future research
- Role of Simple Unique Cryptographically Verifiable (SUCV) identifiers or Cryptographically Generated Addresses (CGA) in identity management as a privacy enhancing technology while retaining strong authentication.
- Intelligent software agents in location based services and their role in the infrastructure.
- Anonymising techniques for 'traffic data' compliant with the Data Protection Directive (2002/58/EC).
Thanks!

Electronic version of the PhD thesis: http://www.it.kth.se/~aep/PhD
Isafjordsgatan 39, Plan 8, KTH/IMIT/TSLAB, SE-16440 Kista, Sweden
[email protected], +46702867989
Google (Alberto Escudero)
TRITA-IMIT-TSLAB AVH 02:01
ISSN 1651-4114