
Privacy of social network attributes for online services

Date post: 13-Jul-2015
Upload: atosworldline

17/11/2011 | CARTES & IDentification | Antoine Fressancourt

The case of privacy in social networks

▶ Rising concern around privacy in social networks
– Use of private information for advertising purposes
– Applications gaining access to more and more personal information
– Usage tracking using referral buttons
– Access to information directly using URL, content not ciphered

▶ More and more complex to manage
– Groups
– Possibility to specify target groups on social network updates

(Figure adapted from "The History Of Facebook’s Default Privacy Settings" by Matt McKeon)

A recent case: Europe vs. Facebook

▶ Case raised by Max Schrems, a 24-year-old law student, against Facebook
▶ Discovered that Facebook keeps track of every digital trace of a user, even when they are “deleted”

Highlighted issues

Those examples tend to highlight two issues
– Privacy inside the social network itself
– Data privacy from outside the social network

Anatomy of a social network: Functional building blocks

– Identity: Management of user credentials and attributes
– Profile(s): Role management for users, i.e. how they want to appear
– Social graph: Management of a user’s relationships
– Messaging: Synchronous and asynchronous messages for a user
– Repository: Storage of documents associated to a user

(Diagram side label: Privacy policy)

Potential solutions

– Privacy inside the social network itself: Cypher information inside the network itself to protect from the SNS provider
– Data privacy from outside the social network: Use identity management concepts and zero knowledge approaches to secure exchanges with external sites

Privacy inside the social network: Review of academic solutions

Mainly two families of approaches:

▶ « add-in » applications
– FlyByNight: Re-Encryption proxy, El Gamal encryption, AES
– NOYB: Replace each attribute of a given user by an attribute of another member of its social network
– FaceCloak: Dictionary, MAC

▶ « Privacy by Design » social networks
– Persona: Attribute-Based Encryption
– EASiER: Attribute-Based Encryption
– A Collaborative Framework for Privacy Protection in Online Social Network: El Gamal
– Cryptographic Treatment of Private User Profiles: Broadcast Encryption

Our proposal: Solving the « inside » privacy issue

Using a Ciphertext-Policy Attribute-Based Encryption (CP-ABE) scheme to cypher the data inside the social network

▶ Advantages
– Allows us to define privacy policies based on fine grained predicates
– Encompasses both identity-based encryption and identity-based broadcast encryption
– Ease of deployment given our objectives

▶ Drawbacks
– Keys and cypher texts are longer than in simpler IBE schemes
– Heavy management of cryptographic keys

What is IBE? Identity based encryption

▶ Identity based encryption:
  ▶ Proposed by Shamir in 1984
  ▶ Encrypt a message using any arbitrary string as the key.
  ▶ The string can be a representation of the user’s identity

▶ Principle:
  ▶ Alice encrypts a message with Bob’s e-mail address
  ▶ Bob asks a PKG (Private Key Generator) to provide a private key associated to his e-mail address.

(Diagram labels: (Message)[email protected], Authentication, Private Key, PKG)

What is ABE? Attribute based encryption

▶ Attribute based encryption is a generalisation of identity based encryption

▶ Encryption according to attributes:
  ▶ Personal: age, town, name…
  ▶ Relational: colleague, family, friends, …

▶ Ciphertext-policy ABE:
  ▶ Cipher text possesses access structure
  ▶ Saving structures

(Diagram labels of the example access structure: AND, +18 y.o, OR, Colleague, France)
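Added example, not part of the original slides: how an access structure attached to a ciphertext can gate recovery of a key, using threshold secret sharing over a policy tree (AND = n-of-n, OR = 1-of-n). It assumes the diagram's labels form the policy "+18 y.o AND (Colleague OR France)"; the field modulus and function names are choices made for this sketch, and the pairing layer that makes real CP-ABE collusion-resistant is deliberately left out.

```python
import secrets

P = 2**127 - 1  # prime field modulus (a Mersenne prime), chosen for this example

# Assumed policy from the slide's labels: +18 y.o AND (Colleague OR France).
# A gate is (threshold k, [children]); a leaf is an attribute name.
POLICY = (2, ["+18 y.o", (1, ["Colleague", "France"])])

def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def share(node, secret):
    """Mirror the policy tree, doing k-of-n Shamir sharing at every gate."""
    if isinstance(node, str):
        return (node, secret)                      # leaf: (attribute, share)
    k, children = node
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return (k, [share(c, _eval_poly(coeffs, i + 1)) for i, c in enumerate(children)])

def recover(shared, attrs):
    """Rebuild this node's secret from leaves the user holds, else None."""
    if isinstance(shared[0], str):
        name, value = shared
        return value if name in attrs else None
    k, children = shared
    pts = [(i + 1, v) for i, c in enumerate(children)
           if (v := recover(c, attrs)) is not None][:k]
    if len(pts) < k:
        return None                                # gate not satisfied
    secret = 0
    for xj, yj in pts:                             # Lagrange interpolation at x = 0
        num = den = 1
        for xm, _ in pts:
            if xm != xj:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        secret = (secret + yj * num * pow(den, -1, P)) % P
    return secret

# Caveat: with plain shares, two users could pool leaves they hold separately.
# Real CP-ABE binds every leaf share to one user's key to prevent that.
```
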

Privacy outside the social network: What is needed

– Possibility to register on websites with credentials provided to the social network
– Use case of identity management systems
– Recovery of user data in various ways (logs, cookies, …)
– Need to conform to regulation, risk related to user acceptance

(Diagram labels: Social network, External sites)

What is Identity Management?

▶ Technologies, policies and practices used to control access to a resource by a third party.

▶ Three entities:
  ▶ Identity Provider (IdP): maintains and gives access to a user’s credentials
  ▶ Service Provider (SP): Consumes attributes provided by an IdP
  ▶ User: Controls the distribution of its credentials by the IdP

(Diagram labels: User, IdP, SP)

Use of identity management in a social network context

Use of concepts popularized by Idemix and Uprove
▶ Anonymous credentials
▶ Zero-knowledge protocol
– Protocol in which a prover shows to a verifier that he possesses a piece of information without revealing it.
– Introduced by Goldwasser, Micali and Rackoff in 1984.
▶ Minimal Disclosure

(Diagram: Prover and Verifier exchange a random value, a challenge and a response)

How to perform the proof calculation? Generation on the fly using a zero knowledge compiler

CACE: A zero knowledge compiler

Computer Aided Cryptography Engineering:
▶ European Project
▶ ∑-protocols
▶ Composition techniques
▶ Certificates
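Added example, not part of the original slides and not output of the CACE compiler: the three-move exchange (random value, challenge, response) written out as Schnorr's ∑-protocol for knowledge of a discrete logarithm, with a simulator that shows why a transcript discloses nothing about the secret. The group parameters are toy values constructed for this sketch (far too small for real use) and all class and function names are assumptions.

```python
import secrets

# Toy parameters constructed for this example: p = 2q + 1, both prime,
# and g = 4 generates the subgroup of order q. Never use sizes like this.
P, Q, G = 2039, 1019, 4

def verify(y, t, c, s):
    """Verifier's check: g^s == t * y^c (mod p)."""
    return pow(G, s, P) == t * pow(y, c, P) % P

class Prover:
    def __init__(self, x):
        self.x = x                        # secret exponent, never transmitted
        self.y = pow(G, x, P)             # public value y = g^x mod p
    def commit(self):
        self.r = secrets.randbelow(Q - 1) + 1   # fresh random value per run
        return pow(G, self.r, P)          # move 1: t = g^r
    def respond(self, c):
        s = (self.r + c * self.x) % Q     # move 3: response
        self.r = None                     # answering two challenges with one r leaks x
        return s

class Verifier:
    def __init__(self, y):
        self.y = y
    def challenge(self, t):
        self.t = t
        self.c = secrets.randbelow(Q - 1) + 1   # move 2: non-zero challenge
        return self.c
    def check(self, s):
        return verify(self.y, self.t, self.c, s)

def run(prover, y):
    """One full protocol run against the public value y."""
    v = Verifier(y)
    c = v.challenge(prover.commit())
    return v.check(prover.respond(c))

def simulate(y):
    """Honest-verifier simulator: builds an accepting transcript without x by
    choosing c and s first. Transcripts therefore carry no information about x;
    soundness rests on the prover committing to t before seeing c."""
    c, s = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q)
    t = pow(G, s, P) * pow(y, -c, P) % P
    return t, c, s
```

With a challenge space this small a cheating prover can guess the challenge with probability about 1/q per run; real deployments use a large group or hash-derived challenges.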

Our proposal: Solving the « outside » privacy issue

Use of Identity Management platform and protocols
▶ Ensure minimal disclosure of private information
▶ Framework to manage the disclosure of user credentials

Integration of a zero knowledge compiler
▶ Computing zero knowledge proofs on the fly
▶ Enhance the protection of private information through minimal disclosure.

To conclude

▶ Social networks raise a number of issues related to data security and privacy

▶ Two kinds of privacy issues
– From inside the social network itself
– From external sites outside the social network

▶ Inside privacy issues can be solved by using ABE to protect data and give access to it only to authorized contacts

▶ Outside privacy issues can be solved by using identity management protocols and systems

▶ Overall, better management of data privacy in future social network services deployed using emerging standards

Thank you

Atos, the Atos logo, Atos Consulting, Atos Worldline, Atos Sphere, Atos Cloud and Atos WorldGrid are registered trademarks of Atos SA. June 2011

© 2011 Atos. Confidential information owned by Atos, to be used by the recipient only. This document, or any part of it, may not be reproduced, copied, circulated and/or distributed nor quoted without prior written approval from Atos.

