Stefan Schiffner
Katholieke Universiteit Leuven
Publication
Featured research published by Stefan Schiffner.
arXiv: Cryptography and Security | 2014
George Danezis; Josep Domingo-Ferrer; Marit Hansen; Jaap-Henk Hoepman; Daniel Le Métayer; Rodica Tirtea; Stefan Schiffner
Privacy and data protection constitute core values of individuals and of democratic societies. There have been decades of debate on how those values, and legal obligations, can be embedded into systems, preferably from the very beginning of the design process. One important element in this endeavour are technical mechanisms, known as privacy-enhancing technologies (PETs). Their effectiveness has been demonstrated by researchers and in pilot implementations. However, apart from a few exceptions, e.g., encryption became widely used, PETs have not become a standard and widely used component in system design. Furthermore, for unfolding their full benefit for privacy and data protection, PETs need to be rooted in a data governance strategy to be applied in practice. This report contributes to bridging the gap between the legal framework and the available technological implementation measures by providing an inventory of existing approaches, privacy design strategies, and technical building blocks of various degrees of maturity from research and development. Starting from the privacy principles of the legislation, important elements are presented as a first step towards a design process for privacy-friendly systems and services. The report sketches a method to map legal obligations to design strategies, which allow the system designer to select appropriate techniques for implementing the identified privacy requirements. Furthermore, the report reflects limitations of the approach. It concludes with recommendations on how to overcome and mitigate these limits.
computer and communications security | 2013
Sebastian Clauß; Stefan Schiffner; Florian Kerschbaum
While performing pure e-business transactions such as purchasing software or music, customers can act anonymously supported by, e.g., anonymous communication protocols and anonymous payment protocols. However, it is hard to establish trust relations among anonymously acting business partners. Anonymous reputation systems have been proposed to mitigate this problem. Schiffner et al. recently proved that there is a conflict between anonymity and reputation and they established the non-existence of certain privacy-preserving reputation functions. In this paper we argue that this relationship is even more intricate. First, we present a reputation function that deanonymizes the user, yet provides strong anonymity (SA) according to their definitions. However, this reputation function has no utility, i.e., the submitted ratings have no influence on the resulting reputation values. Second, we show that a reputation function having utility requires the system to choose new independently at random selected pseudonyms (for all users it has utility for) on every new rating as a necessary condition to provide strong anonymity according to the aforementioned definition. Since some persistence of pseudonyms is favorable, we present a more secure, but also more usable definition for anonymous reputation systems that allows persistency yet guarantees k-anonymity. We further present a definition for rating secrecy based on a threshold. Finally, we propose a practical reputation function, for which we prove that it satisfies these definitions.
Archive | 2014
Stefan Schiffner; Jetzabel Serna; Demosthenes Ikonomou; Kai Rannenberg
Existing work on privacy by design mostly focuses on technologies rather than methodologies and on components rather than architectures. In this paper, we advocate the idea that privacy by design should also be addressed at the architectural level and be associated with suitable methodologies. Among other benefits, architectural descriptions enable a more systematic exploration of the design space. In addition, because privacy is intrinsically a complex notion that can be in tension with other requirements, we believe that formal methods should play a key role in this area. After presenting our position, we provide some hints on how our approach can turn into practice based on ongoing work on a privacy by design environment.
conference on current trends in theory and practice of informatics | 2011
Stefan Schiffner; Sebastian Clauß; Sandra Steinbrecher
In various Internet applications, reputation systems are typical means to collect experiences users make with each other. We present a reputation system that balances the security and privacy requirements of all users involved. Our system provides privacy in the form of information theoretic relationship anonymity w.r.t. users and the reputation provider. Furthermore, it preserves liveliness, i.e., all past ratings can influence the current reputation profile of a user. In addition, mutual ratings are forced to be simultaneous and self-rating is prevented, which enforces fairness. What is more, without performing mock interactions (even if all users are colluding), users cannot forge ratings. As far as we know, this is the first protocol proposed that fulfills all these properties simultaneously.
network and system security | 2013
Jörg Daubert; Mathias Fischer; Stefan Schiffner; Max Mühlhäuser
Publish-subscribe is a scheme for distributing information based on interests. While security mechanisms have been added to publish-subscribe, privacy, in particular anonymous communication, is hardly considered. We summarize security and privacy requirements for such systems, including an adversary model for privacy. We introduce a construction for publish-subscribe overlays that fulfills the requirements. Contrary to previous approaches, it neither presumes an online trusted third party nor requires expensive cryptographic operations performed by brokers. Further, we informally discuss how our requirements are met.
Computer Communications | 2016
Jörg Daubert; Mathias Fischer; Tim Grube; Stefan Schiffner; Panayotis Kikiras; Max Mühlhäuser
Publish-subscribe is an increasingly popular messaging pattern for distributed systems, supporting scalable and extensible programming, and optimal spatial, temporal, and control-flow decoupling of distributed components. Publish-subscribe middleware and methods were extended towards supporting security, in particular confidentiality, and increased availability, yet a few prior works addressed anonymity of participants. Anonymity of senders and receivers may however be crucial, e.g., for supporting freedom of expression in regimes where political repression and censorship prevail. In this article, we review basic security and privacy requirements and introduce a new attacker model based on statistical disclosure, used to challenge anonymity. We elaborate on design options for privacy-preserving publish-subscribe systems and present a novel system that leverages peer-to-peer networking concepts; this novel approach protects subscriber anonymity by means of Probabilistic Forwarding (PF) and through a novel so-called Shell Game (SG) algorithm. We verify our solution against the requirements and provide a simulation-based analysis of the effectiveness of our approaches in light of our attacker model. The results show that the SG algorithm efficiently protects subscriber anonymity, and that anonymity sets can be adjusted via PF.
workshop on privacy in the electronic society | 2011
Stefan Schiffner; Andreas Pashalidis; Elmar Tischhauser
This paper describes a formal model for multiple privacy notions that apply to reputation systems and shows that, for certain classes of systems, very strong privacy notions are unachievable. In particular, it is shown that systems where a user's reputation depends exclusively on the ratings he received necessarily leak information about the relationship between ratings and reputations. In contrast, systems where a user's reputation depends both on the received ratings and on the ratings received by others potentially hide all information about this relationship. The paper concludes with guidelines for the construction of reputation systems that have the potential to retain high levels of privacy.
european symposium on research in computer security | 2010
Andreas Pashalidis; Stefan Schiffner
In this paper, we introduce a framework for measuring unlinkability both per subject and for an entire system. The framework enables the evaluator to attach different sensitivities to individual items in the system, and to specify the severity of different types of error that an adversary can make. These parameters, as well as a threshold that defines what constitutes a privacy breach, may be varied for each subject in the system; the framework respects and combines these potentially differing parametrisations. It also makes use of graphs in a way that results in intuitive feedback of different levels of detail. We exhibit the behaviour of our measures in two experimental settings, namely that of adversaries that output randomly chosen partitions, and that of adversaries that launch attacks of different effectiveness.
wireless network security | 2018
Florian Adamsky; Tatiana Retunskaia; Stefan Schiffner; Christian Köbel; Thomas Engel
As of IEEE 802.11n, a wireless Network Interface Card (NIC) uses Channel State Information (CSI) to optimize the transmission over multiple antennas. CSI contains radio-metrics such as amplitude and phase. Due to scattering during hardware production these metrics exhibit unique properties. Since this information is transmitted unencrypted, it can be captured by a passive observer. We show that this information can be used to create a unique fingerprint of a wireless device, based on as little as 100 CSI packets per device collected with an off-the-shelf Wi-Fi card. For our proof of concept we captured data from seven smartphones including two identical models. We were able to identify more than 90% when using an out-of-the-box Random Forest (RF).
privacy forum | 2016
Niklas Büscher; Stefan Schiffner; Mathias Fischer
Recently, several privacy-enhancing technologies for smart grids have been proposed. However, most of these solutions presume the cooperation of all smart grid participants. Hence, the privacy protection of consumers depends on the willingness of the suppliers to deploy privacy-enhancing technologies. Since electrical energy is essential for our modern life, it is impossible for consumers to opt out. We propose a novel consumer-only (do-it-yourself) privacy-enhancing approach under the assumption that users can obtain their energy from multiple suppliers on a distributed market. By splitting the demand over multiple suppliers, the information each of them can collect about a single consumer is reduced. In this context, we suggest two different buying strategies: a time and a sample diversification strategy. To measure their provided level of privacy protection, we introduce a new indistinguishability metric \(\lambda \)-Indistinguishability (\(\lambda \text {-IND}\)) that measures how relative consumption changes can be hidden in the total consumption. We evaluate the presented strategies with \(\lambda \text {-IND}\) and derive first privacy boundaries. The evaluation of our buying strategies on real-world energy data sets indicates their ability to hide load profiles of privacy sensitive appliances at low communication and computational overhead.