According to a famous study [10] of the 1990 census data, 87% of the US population can be uniquely identified by gender, ZIP code and full date of birth. This short paper revisits the uniqueness of simple demographics in the US population based on the most recent census data (the 2000 census). We offer a detailed, comprehensive and up-to-date picture of the threat to privacy posed by the disclosure of simple demographic information. Our results generally agree with the findings of [10], although we find that disclosing one's gender, ZIP code and full date of birth allows for unique identification of fewer individuals (63% of the US population) than reported in [10]. We hope that our study will be a useful reference for privacy researchers who need simple estimates of the comparative threat of disclosing various demographic data.
"Revisiting the uniqueness of simple demographics in the US population." P. Golle. Proceedings of the ACM Workshop on Privacy in the Electronic Society, pp. 77-80, published 2006-10-30. DOI: 10.1145/1179601.1179615 (https://doi.org/10.1145/1179601.1179615). Indexed by Semantic Scholar, paper id 76376006.
Mingyan Li, K. Sampigethaya, Leping Huang, R. Poovendran
In wireless networks, the location tracking of devices and vehicles (nodes) based on their identifiable and locatable broadcasts presents potential threats to the location privacy of their users. While the tracking of nodes can be mitigated to an extent by updating their identifiers to decorrelate their traversed locations, such an approach is still vulnerable to tracking methods that exploit the predictability of node movement to limit the location privacy provided by the identifier updates. On the other hand, since each user may need privacy at different locations and times, a user-centric approach is needed to enable the nodes to independently determine where and when to update their identifiers. However, mitigating tracking with a user-centric approach is difficult because updating nodes are not synchronized. This paper addresses the challenges to providing location privacy by identifier updates that arise from the predictability of node locations and from asynchronous updates, and proposes a user-centric scheme called Swing that increases location privacy by enabling the nodes to loosely synchronize updates when changing their velocity. Further, since each identifier update inherently trades off network service for privacy, the paper also introduces an approach called Swap, an extension of Swing that enables the nodes to exchange their identifiers to potentially maximize the location privacy provided by each update, hence reducing the number of updates needed to meet the desired privacy levels. The performance of the proposed schemes is evaluated under random and restricted pedestrian mobility.
"Swing & swap: user-centric approaches towards maximizing location privacy." Mingyan Li, K. Sampigethaya, Leping Huang, R. Poovendran. Proceedings of the ACM Workshop on Privacy in the Electronic Society, pp. 19-28, published 2006-10-30. DOI: 10.1145/1179601.1179605 (https://doi.org/10.1145/1179601.1179605). Indexed by Semantic Scholar, paper id 88371284.
A previous paper demonstrates that if a seller always uses auction bids to later price discriminate against losing bidders, his revenue decreases dramatically. In this paper, we examine whether the seller obtains an advantage if he randomizes his strategy -- that is, if he does not use privacy-infringing information all the time, but only with probability ?;. Using both Bayesian techniques and genetic algorithm experiments, we determine optimal strategies for bidders and sellers in a two-stage game: Stage I is a first-price auction used to elicit information on a bidder's valuation; Stage II is, with probability ?;, a price-discrimination offer, and otherwise a fixed-price offer P;. Our results show that the seller does not benefit from randomized price discrimination. Further, low-valuation bidders benefit more from the seller's use of privacy-infringing information than do high-valuation ones, as they may wish to signal that they cannot afford a high second-stage offer. To our knowledge, our use of genetic algorithm simulations is unique in the privacy literature.
"Randomization as a strategy for sellers during price discrimination, and impact on bidders' privacy." Sumit Joshi, Yu-An Sun, P. Vora. Proceedings of the ACM Workshop on Privacy in the Electronic Society, pp. 73-76, published 2006-10-30. DOI: 10.1145/1179601.1179614 (https://doi.org/10.1145/1179601.1179614). Indexed by Semantic Scholar, paper id 86552576.
Oblivious submission to anonymity systems is a process by which a message may be submitted in such a way that neither the anonymity network nor a global passive adversary can determine that a valid message has been sent. We present Nonesuch: a mix network with steganographic submission and probabilistic identification and attenuation of cover traffic. In our system, messages are submitted as stegotext hidden inside Usenet postings. The steganographic extraction mechanism is such that the vast majority of Usenet postings, which do not contain keyed stegotext, produce meaningless output that serves as cover traffic, thus increasing the anonymity of the real messages. This cover traffic is subject to probabilistic attenuation, in which nodes have only a small probability of distinguishing cover messages from "real" messages. This attenuation prevents cover traffic from travelling through the network in an infinite loop, while making it infeasible for an entrance node to distinguish senders.
"Nonesuch: a mix network with sender unobservability." T. S. Benjamin, A. Serjantov, Benessa Defend. Proceedings of the ACM Workshop on Privacy in the Electronic Society, pp. 1-8, published 2006-10-30. DOI: 10.1145/1179601.1179603 (https://doi.org/10.1145/1179601.1179603). Indexed by Semantic Scholar, paper id 82704336.
Daniel Cvrcek, Marek Kumpost, Vashek Matyás, G. Danezis
This paper introduces results of a study into the value of location privacy for individuals using mobile devices. We questioned a sample of over 1200 people from five EU countries, and used tools from experimental psychology and economics to extract from them the value they attach to their location data. We compare this value across national groups, gender and technical awareness, but also the perceived difference between academic use and commercial exploitation. We provide some analysis of the self-selection bias of such a study, and look further at the valuation of location data over time using data from another experiment.
"A study on the value of location privacy." Daniel Cvrcek, Marek Kumpost, Vashek Matyás, G. Danezis. Proceedings of the ACM Workshop on Privacy in the Electronic Society, pp. 109-118, published 2006-10-30. DOI: 10.1145/1179601.1179621 (https://doi.org/10.1145/1179601.1179621). Indexed by Semantic Scholar, paper id 91490428.
Over the years, many aspects of the transfer of information from one party to another have commanded the attention of the security and privacy community. Released information can have various levels of sensitivity: facts that are public, sensitive private information that requires its original owner's permission for its future dissemination, or even information that requires control over the release of the conclusions reached using that information. Some situations also call for declassification of information, which requires a two-pronged approach: the original owner retains control over the dissemination of sensitive information and of sensitive conclusions reached using that information, but when the information is used to reach conclusions that are sufficiently non-sensitive, the original owner's control over the dissemination of those conclusions can be removed. In this paper, we define such a logic to specify information dissemination control policies and reason about release and declassification, and give case studies of the use of our language to control the release of aggregated open source software, multimedia content and medical information.
"Super-sticky and declassifiable release policies for flexible information dissemination control." Sruthi Bandhakavi, Charles C. Zhang, M. Winslett. Proceedings of the ACM Workshop on Privacy in the Electronic Society, pp. 51-58, published 2006-10-30. DOI: 10.1145/1179601.1179609 (https://doi.org/10.1145/1179601.1179609). Indexed by Semantic Scholar, paper id 89505059.
In ubiquitous environments, context sharing among agents should be made privacy-conscious. Privacy preferences are generally specified to govern the exchange of context among agents. Besides who has the right to see what information, a user's privacy preference could also designate who has the right to receive what obfuscated information. By obfuscation, people could present their private information at a coarser granularity, or simply in a falsified manner, depending on the specific situation. Nevertheless, people cannot obfuscate their private information arbitrarily, because the recipients could detect the obfuscation by reasoning about it. In this paper, we present a Bayesian network-based method to reason about the obfuscation. On the one hand, it can be used to find out whether the received information has been obfuscated and, if so, what the true information could be; on the other hand, it can be used to help the obfuscators obfuscate their private information in a plausible way.
"Reasoning about obfuscated private information: who have lied and how to lie." X. An, D. Jutla, N. Cercone. Proceedings of the ACM Workshop on Privacy in the Electronic Society, pp. 85-88, published 2006-10-30. DOI: 10.1145/1179601.1179617 (https://doi.org/10.1145/1179601.1179617). Indexed by Semantic Scholar, paper id 87573681.
Recent trends in Internet computing have led to the popularization of many forms of virtual organizations. Examples include supply chain management, grid computing, and collaborative research environments like PlanetLab. Unfortunately, when it comes to the security analysis of these systems, the whole is certainly greater than the sum of its parts. That is, local intrusion detection and audit practices are insufficient for detecting distributed attacks such as coordinated network reconnaissance, stepping-stone attacks, and violations of application-level trust constraints between security domains. A distributed process that coordinates information from each member could detect these types of violations, but privacy concerns between member organizations or safety concerns about centralizing sensitive information often restrict this level of information flow. In this paper, we propose a privacy-preserving framework for distributed audit that allows member organizations to detect distributed attacks without requiring the release of excessive private information. We discuss both the architecture and mechanisms used in our approach and comment on the performance of a prototype implementation.
"A privacy-preserving interdomain audit framework." Adam J. Lee, Parisa Tabriz, N. Borisov. Proceedings of the ACM Workshop on Privacy in the Electronic Society, pp. 99-108, published 2006-10-30. DOI: 10.1145/1179601.1179620 (https://doi.org/10.1145/1179601.1179620). Indexed by Semantic Scholar, paper id 85797697.
The goal of most research on anonymity, including all currently used systems for anonymity, is to achieve anonymity through unlinkability: an adversary should not be able to determine the correspondence between the input and output messages of the system. An alternative anonymity goal is unobservability: an adversary should not be able to determine who sends and who receives messages. We study the effect of k-anonymity, a weak form of unobservability, on two types of attacks against systems that provide only unlinkability.
"On the effectiveness of k-anonymity against traffic analysis and surveillance." Nicholas Hopper, Eugene Y. Vasserman. Proceedings of the ACM Workshop on Privacy in the Electronic Society, pp. 9-18, published 2006-10-30. DOI: 10.1145/1179601.1179604 (https://doi.org/10.1145/1179601.1179604). Indexed by Semantic Scholar, paper id 74586388.
Among techniques for ensuring privacy in data publishing, k-anonymity and publishing of views on private data are quite popular. In this paper, we consider data publishing by views and develop a probability framework for the analysis of privacy breach. We propose two attack models and derive the probability of privacy breach for each model.
"Probabilistic privacy analysis of published views." Wendy Hui Wang, L. Lakshmanan. Proceedings of the ACM Workshop on Privacy in the Electronic Society, pp. 81-84, published 2006-10-30. DOI: 10.1145/1179601.1179616 (https://doi.org/10.1145/1179601.1179616). Indexed by Semantic Scholar, paper id 80009873.