Jordi Forné
Polytechnic University of Catalonia
Publication
Featured research published by Jordi Forné.
IEEE Transactions on Knowledge and Data Engineering | 2010
David Rebollo-Monedero; Jordi Forné; Josep Domingo-Ferrer
t-Closeness is a privacy model recently defined for data anonymization. A data set is said to satisfy t-closeness if, for each group of records sharing a combination of key attributes, the distance between the distribution of a confidential attribute in the group and the distribution of the attribute in the entire data set is no more than a threshold t. Here, we define a privacy measure in terms of information theory, similar to t-closeness. Then, we use the tools of that theory to show that our privacy measure can be achieved by the postrandomization method (PRAM) for masking in the discrete case, and by a form of noise addition in the general case.
IEEE Transactions on Information Theory | 2010
David Rebollo-Monedero; Jordi Forné
We present a mathematical formulation for the optimization of query forgery for private information retrieval, in the sense that the privacy risk is minimized for a given traffic and processing overhead. The privacy risk is measured as an information-theoretic divergence between the user's query distribution and the population's, which includes the entropy of the user's distribution as a special case. We carefully justify and interpret our privacy criterion from diverse perspectives. Our formulation poses a mathematically tractable problem that bears substantial resemblance with rate-distortion theory.
IEEE Transactions on Knowledge and Data Engineering | 2014
Javier Parra-Arnau; Andrea Perego; Elena Ferrari; Jordi Forné; David Rebollo-Monedero
Collaborative tagging is one of the most popular services available online, and it allows end users to loosely classify either online or offline resources based on their feedback, expressed in the form of free-text labels (i.e., tags). Although tags may not be per se sensitive information, the wide use of collaborative tagging services increases the risk of cross referencing, thereby seriously compromising user privacy. In this paper, we make a first contribution toward the development of a privacy-preserving collaborative tagging service, by showing how a specific privacy-enhancing technology, namely tag suppression, can be used to protect end-user privacy. Moreover, we analyze how our approach can affect the effectiveness of a policy-based collaborative tagging system that supports enhanced web access functionalities, like content filtering and discovery, based on preferences specified by end users.
Computer Communications | 2006
Oscar Esparza; Jose L. Muñoz; Miguel Soriano; Jordi Forné
The possibility of making the Internet accessible via mobile devices has generated an important opportunity for electronic commerce. Nevertheless, some deficiencies deter a massive use of m-commerce applications. Security and easiness of use are unavoidable conditions. The use of brokerage systems constitutes an interesting solution to speed up the information delivery to the users. Moreover, brokers can use mobile agents to efficiently and easily perform the search and retrieval of commercial information in the Internet. Although the mobile agent technology is a very suitable choice for the m-commerce scenario, there are security issues that hinder its use. In particular, an important aspect that must be solved for the m-commerce scenario is the mobile agent protection from manipulation attacks performed by malicious hosts. The first part of this paper describes a mechanism to reach this protection. We describe how to use software watermarking techniques in the mobile agent to detect manipulation attacks, and how the broker can be used to punish the malicious hosts. Once an m-commerce site is selected by the user, an end-to-end secure transaction must be established. The transaction can use several protocols, from a simple secure TLS channel to send a credit card number until a sophisticated payment protocol. In any case, Public Key Certificates (PKCs) are required for these protocols. It must be stressed that certificates management is a heavy process and that clients in the brokerage scenario are usually resource-limited. For this reason, the best option is that clients delegate this task to the broker. Notice that the broker is a Trusted Third Party (TTP) and, in general, it is not resource-limited. Therefore, the broker is appropriate for storing and managing PKCs. The second part of this paper addresses this issue, with a particular emphasis in the certificate status management which is the most complex task of certificate management.
International Journal of Information Security | 2013
David Rebollo-Monedero; Javier Parra-Arnau; Claudia Diaz; Jordi Forné
A wide variety of privacy metrics have been proposed in the literature to evaluate the level of protection offered by privacy-enhancing technologies. Most of these metrics are specific to concrete systems and adversarial models and are difficult to generalize or translate to other contexts. Furthermore, a better understanding of the relationships between the different privacy metrics is needed to enable a more grounded and systematic approach to measuring privacy, as well as to assist system designers in selecting the most appropriate metric for a given application. In this work, we propose a theoretical framework for privacy-preserving systems, endowed with a general definition of privacy in terms of the estimation error incurred by an attacker who aims to disclose the private information that the system is designed to conceal. We show that our framework permits interpreting and comparing a number of well-known metrics under a common perspective. The arguments behind these interpretations are based on fundamental results related to the theories of information, probability, and Bayes decision.
Privacy in Statistical Databases | 2008
David Rebollo-Monedero; Jordi Forné; Josep Domingo-Ferrer
t-Closeness is a privacy model recently defined for data anonymization. A data set is said to satisfy t-closeness if, for each group of records sharing a combination of key attributes, the distance between the distribution of a confidential attribute in the group and the distribution of the attribute in the data is no more than a threshold t. We state here the t-closeness property in terms of information theory and then use the tools of that theory to show that t-closeness can be achieved by the PRAM masking method in the discrete case and by a form of noise addition in the general case.
International Conference on Web Engineering | 2003
Oscar Esparza; Miguel Soriano; Jose L. Muñoz; Jordi Forné
Mobile agents are software entities that consist of code, data and state, and that can migrate autonomously from host to host executing their code. Despite its benefits, security issues restrict the use of code mobility. The approach that is presented here aids to solve the problem of malicious hosts by using a Trusted Third Party, the Host Revocation Authority. The HoRA controls which are the hosts that acted maliciously in the past. The agent sender must consult the HoRA before sending an agent in order to remove from the agent's itinerary all the revoked hosts. The HoRA can also revoke a malicious host if the agent sender detects and proves that this malicious host did not act honestly.
Database and Expert Systems Applications | 2003
Oscar Esparza; Marcel Fernandez; Miguel Soriano; Jose L. Muñoz; Jordi Forné
Mobile agents are software entities consisting of code and data that can migrate autonomously from host to host executing their code. Despite its benefits, security issues strongly restrict the use of code mobility. The protection of mobile agents against the attacks of malicious hosts is considered the most difficult security problem to solve in mobile agent systems.
Computer Standards & Interfaces | 2015
Silvia Puglisi; Javier Parra-Arnau; Jordi Forné; David Rebollo-Monedero
Recommendation systems and content-filtering approaches based on annotations and ratings essentially rely on users expressing their preferences and interests through their actions, in order to provide personalised content. This activity, in which users engage collectively, has been named social tagging, and it is one of the most popular opportunities for users to engage online, and although it has opened new possibilities for application interoperability on the semantic web, it is also posing new privacy threats. In fact, it consists in describing online or offline resources by using free-text labels, i.e., tags, thereby exposing a user's profile and activity to privacy attacks. As a result, users may wish to adopt a privacy-enhancing strategy in order not to reveal their interests completely. Tag forgery is a privacy-enhancing technology consisting in generating tags for categories or resources that do not reflect the user's actual preferences too accurately. By modifying their profile, tag forgery may have a negative impact on the quality of the recommendation system, thus protecting user privacy to a certain extent but at the expense of utility loss. The impact of tag forgery on content-based recommendation is consequently investigated in a real-world application scenario where different forgery strategies are evaluated, and the resulting loss in utility is measured and compared. We investigate the effects of different privacy enhancing technologies in content-based recommendation systems. We study the interplay between the degree of privacy and the potential degradation of the quality of the recommendation. We evaluate three different tag forgery strategies: optimised tag forgery, uniform tag forgery and TrackMeNot. We carry out an experimental evaluation on a real dataset extracted from Delicious.
International Journal of Information Security | 2004
Jose L. Muñoz; Jordi Forné; Oscar Esparza; Miguel Soriano
Public-key cryptography is widely used to provide Internet security services. The public-key infrastructure (PKI) is the infrastructure that supports the public-key cryptography, and the revocation of certificates implies one of its major costs. The goal of this article is to explain in detail a certificate revocation system based on the Merkle hash tree (MHT) called AD–MHT. AD–MHT uses the data structures proposed by Naor and Nissim in their authenticated dictionary (AD) [20]. This work describes the tools used and the details of the AD–MHT implementation. The authors also address important issues not addressed in the original AD proposal, such as responding to a request, revoking a certificate, deleting an expired certificate, the status checking protocol for communicating the AD–MHT repository with the users, verifying a response, system security, and, finally, performance evaluation.