Urs Hengartner

FaceCloak: An Architecture for User Privacy on Social Networking Sites

Social networking sites, such as MySpace, Facebook and Flickr, are gaining more and more popularity among Internet users. As users are enjoying this new style of networking, privacy concerns are also attracting increasing public attention due to reports about privacy breaches on social networking sites. We propose FaceCloak, an architecture that protects user privacy on a social networking site by shielding a users personal information from the site and from other users that were not explicitly authorized by the user. At the same time, FaceCloak seamlessly maintains usability of the sites services. FaceCloak achieves these goals by providing fake information to the social networking site and by storing sensitive information in encrypted form on a separate server. We implemented our solution as a Firefox browser extension for the Facebook platform. Our experiments show that our solution successfully conceals a users personal information, while allowing the user and her friends to explore Facebook pages and services as usual.

Louis, Lester and Pierre: three protocols for location privacy

Location privacy is of utmost concern for location-based services. It is the property that a persons location is revealed to other entities, such as a service provider or the persons friends, only if this release is strictly necessary and authorized by the person. We study how to achieve location privacy for a service that alerts people of nearby friends. Here, location privacy guarantees that users of the service can learn a friends location if and only if the friend is actually nearby. We introduce three protocols--Louis, Lester and Pierre--that provide location privacy for such a service. The key advantage of our protocols is that they are distributed and do not require a separate service provider that is aware of peoples locations. The evaluation of our sample implementation demonstrates that the protocols are sufficiently fast to be practical.

TCP Vegas revisited

The innovative techniques of TCP Vegas have been the subject of much debate in recent years. Several studies have reported that TCP Vegas provides better performance than TCP Reno. However, the question of which of the new techniques are responsible for the impressive performance gains remains unanswered so far. This paper presents a detailed performance evaluation of TCP Vegas. By decomposing TCP Vegas into the various novel mechanisms proposed and assessing the effect of each of these mechanisms on performance, we show that the reported performance gains are achieved primarily by TCP Vegass new techniques for slow start and congestion recovery. TCP Vegass innovative congestion avoidance mechanism is shown to have only a minor influence on throughput. Furthermore, we find that the congestion avoidance mechanism exhibits fairness problems even if all competing connections operate with the same round trip time.

Anonymity and security in delay tolerant networks

A delay tolerant network (DTN) is a store and forward network where end-to-end connectivity is not assumed and where opportunistic links between nodes are used to transfer data. An emerging application of DTNs are rural area DTNs, which provide Internet connectivity to rural areas in developing regions using conventional transportation mediums, like buses. Potential applications of these rural area DTNs are e-governance, telemedicine and citizen journalism. Therefore, security and privacy are critical for DTNs. Traditional cryptographic techniques based on PKI-certified public keys assume continuous network access, which makes these techniques inapplicable to DTNs. We present the first anonymous communication solution for DTNs and introduce a new anonymous authentication protocol as a part of it. Furthermore, we present a security infrastructure for DTNs to provide efficient secure communication based on identity-based cryptography. We show that our solutions have better performance than existing security infrastructures for DTNs.

Detection and analysis of routing loops in packet traces

Routing loops are caused by inconsistencies in routing state among a set of routers. They occur in perfectly engineered networks, and have a detrimental effect on performance. They impact end-to-end performance through increased packet loss and delay for packets caught in the loop, and through increased link utilization and corresponding delay and jitter for packets that traverse the link but are not caught in the loop.Using packet traces from a tier-1 ISP backbone, we first explain how routing loops manifest in packet traces. We characterize routing loops in terms of the packet types caught in the loop, the loop sizes, and the loop durations. Finally, we analyze the impact of routing loops on network performance in terms of loss and delay.

Protecting Access to People Location Information

Ubiquitous computing provides new types of information for which access needs to be controlled. For instance, a person’s current location is a sensitive piece of information, and only authorized entities should be able to learn it. We present several challenges that arise for the specification and implementation of policies controlling access to location information. For example, there can be multiple sources of location information, policies need to be flexible, conflicts between policies might occur, and privacy issues need to be taken into account. Different environments handle these challenges in a different way. We discuss the challenges in the context of a hospital and a university environment. We show how our design of an access control mechanism for a system providing people location information addresses the challenges. Our mechanism can be deployed in different environments. We demonstrate feasibility of our design with an example implementation based on digital certificates.

Implementing access control to people location information

Ubiquitous computing uses a variety of information for which access needs to be controlled. For instance, a persons current location is asensitive piece of information, which only authorized entities should be able to learn. Several challenges arise in the specification and implementation of policies controlling access to location information. For example, there can be multiple sources of location information, the sources can be within different administrative domains, different administrative domains might allow different entities to specify policies, and policies need to be flexible. Weaddress these issues in our design of an access control mechanism for a people location system. Our design encodes policies as digital certificates. We present an example implementation based on SPKI/SDSI certificates. Using measurements, we quantify the influence of access control on query processing time. We also discuss trade-offs between RSA-based and DSA-based signature schemes for digital certificates.

A distributed k-anonymity protocol for location privacy

To benefit from a location-based service, a person must reveal her location to the service. However, knowing the persons location might allow the service to re-identify the person. Location privacy based on k-anonymity addresses this threat by cloaking the persons location such that there are at least k − 1 other people within the cloaked area and by revealing only the cloaked area to a location-based service. Previous research has explored two ways of cloaking: First, have a central server that knows everybodys location determine the cloaked area. However, this server needs to be trusted by all users and is a single point of failure. Second, have users jointly determine the cloaked area. However, this approach requires that all users trust each other, which will likely not hold in practice. We propose a distributed approach that does not have these drawbacks. Our approach assumes that there are multiple servers, each deployed by a different organization. A users location is known to only one of the servers (e.g., to her cellphone provider), so there is no single entity that knows everybodys location. With the help of cryptography, the servers and a user jointly determine whether the k-anonymity property holds for the users area, without the servers learning any additional information, not even whether the property holds. A user learns whether the k-anonymity property is satisfied and no other information. The evaluation of our sample implementation shows that our distributed k-anonymity protocol is sufficiently fast to be practical. Moreover, our protocol integrates well with existing infrastructures for location-based services, as opposed to the previous research.

VeriPlace: a privacy-aware location proof architecture

Recently, there has been a dramatic increase in the number of location-based services, with services like Foursquare or Yelp having hundreds of thousands of users. A users location is a crucial factor for enabling these services. Many services rely on users to correctly report their location. However, if there is an incentive, users might lie about their location. A location proof architecture enables users to collect proofs for being at a location and services to validate these proofs. It is essential that this proof collection and validation does not violate user privacy. We introduce VeriPlace, a location proof architecture with user privacy as a key design component. In addition, VeriPlace can detect cheating users who collect proofs for places where they are not located. We also present an implementation and a performance evaluation of VeriPlace and its integration with Yelp.

Bandwidth modelling for network-aware applications

Network-aware applications attempt to adjust their resource demands in response to changes in resource availability, e.g., if a server maintains a connection to a client, the server may want to adjust the amount of data sent to the client based on the effective bandwidth realized for the connection. Information about current and future network performance is therefore crucial for an adaptive application. This paper discusses three aspects of the coupling of applications and networks: (1) a network-aware application needs timely information about the status of the network; (2) a simple bandwidth estimation technique per forms reasonably well for TCP-Reno connections without timeouts; (3) enhancements proposed to TCP-Reno to reduce the number of timeouts (i.e., SACKs and its variants) increase the bandwidth but also improve the accuracy of bandwidth estimators developed by other researchers. The empirical observations reported in this paper are based on an in-vivo experiment in the Internet. Over a 6-month period, we logged the micro dynamics of random connections between a set of selected hosts. These results are encouraging for the developer of a network-aware application since they provide evidence that a simple widening of the interface between applications and network (protocol) may provide the information that allows an application to successfully adapt to changes in resource availability.