Enhancing Online Privacy Control with Pseudonyms and User Tracking Solutions


Explore the implications of internet tracking on user privacy, the threats posed by trackers, and the goal of giving users greater control over their online tracking. Discover current defense mechanisms and a proposed cross-layer pseudonyms system to address these privacy concerns effectively.


Presentation Transcript


  1. Expressive Privacy Control with Pseudonyms. Seungyeop Han, Vincent Liu, Qifan Pu, Simon Peter, Thomas Anderson, Arvind Krishnamurthy, David Wetherall (University of Washington)

  2. Internet Tracking is Pervasive. [Diagram: Alice, Bob, Tracker. User1: UW, CSE, Route to [Alice's home]. User2: SIGCOMM, Hacking, Depression.] Trackers link user activities to form large user profiles. SIGCOMM 2013

  3. Implications of Tracking for Users. Pros: Personalization, Better Security, Revenue for Service. Cons: Lack of Privacy.

  4. Threat Model: Trackers Correlate Unwanted Traffic. [Diagram: Alice, Bob, Tracker. User1: UW, CSE, Route to [Alice's home]. User2: SIGCOMM, Hacking, Depression.]

  5. Goal: Give Users Control over How They are Tracked. [Diagram: Alice, Bob, Tracker. User1: UW, CSE. User2: Route to [Alice's home]. User3: SIGCOMM, Hacking. User4: Depression.]

  6. Implications of Giving Users Control. Pros: Personalization, Better Security, Revenue for Service. Cons: Lack of Privacy.

  7. Current Defenses Provide Insufficient Control. Current defenses: application layer (third-party cookie blocking, DoNotTrack); network layer (Tor, proxies). Limitations: coarse-grained; not cross-layer.

  8. Outline. Motivation / Background; Approach: Cross-Layer Pseudonyms; System Design (Application-Layer, Network-Layer); Implementation and Evaluation; Conclusion.

  9. Trackers Link User Requests. Multiple requests are linkable by remote trackers if they share the same identifiers. [Diagram: User to Tracker. Req. 1 (128.208.7.x), header: cookie( ). Req. 2 (128.208.7.x), header: cookie( ).] Important identifiers for Web tracking: application info (cookie, JS localStorage, Flash) and IP address.

  10. Approach: Pseudonym Abstraction. Pseudonym = a set of all identifying features that persist across an activity. Allow a user to manage a large number of unlinkable pseudonyms. The user can choose which ones are used for which operations. [Diagram: Alice, Tracker. Pseudonym1 (medical information): Cookie1, IP1. Pseudonym2 (location-related, Alice's home): Cookie2, IP2.]

  11. How We Want to Use Pseudonyms. [Diagram labels: 1. Application-Layer Design: Alice, Application, Policy Engine, Tracker; Pseudonym1 (Medical): Cookie1, IP1; Pseudonym2 (Location): Cookie2, IP2. 2. Network-Layer Design: OS, DHCP, Routers, IPs.]

  12. Application-Layer Design. The application needs to assign different pseudonyms to different activities. How to use pseudonyms depends on the user and the application. APIs are provided to define policies. Policy in Web browsing: a function of the request information and the state of the browser (window ID, tab ID, request ID, URL, whether the request is going to the first party, etc.).

  13. Sample Pseudonym Policies for the Web. [Diagram labels: Article on Politics; P1, news.com; P2, facebook.com; facebook.com, P3.] Default: P1 = P2 = P3. Per-Request: P1 != P2 != P3. Per-First Party: P1 = P2 != P3.

  14. Sample Pseudonym Policies for the Web. [Diagram labels: Article on Politics; P1, news.com; P2, facebook.com; facebook.com, P3.] Default: P1 = P2 = P3. Per-Request: P1 != P2 != P3. Per-First Party: P1 = P2 != P3.

  15. Sample Pseudonym Policies for the Web. [Diagram labels: Article on Politics; P1, news.com; P2, facebook.com; facebook.com, P3.] Default: P1 = P2 = P3. Per-Request: P1 != P2 != P3. Per-First Party: P1 = P2 != P3. Facebook cannot know the user's visit to news.com.

  16. Pseudonyms in Action. [Diagram labels: Alice, Application, Policy Engine, Tracker; Pseudonym1: Cookie1, IP1; Pseudonym2: Cookie2, IP2; 2. Network-Layer Design: OS, DHCP, Routers, IPs.]

  17. Network-Layer Design Consideration. 1. Many IP addresses for an end-host; 2. Proper mixing; 3. Efficient routing; 4. Easy revocation; 5. Support for small networks.

  18. Network-Layer Design Consideration. 1. Many IP addresses for an end-host; 2. Proper mixing; 3. Efficient routing; 4. Easy revocation; 5. Support for small networks.

  19. 1) IPv6 Allows Many IPs per Host. An IPv6 address is 128 bits. Small networks get /64 address space (1.8e19).

  20. 2, 3) Symmetric Encryption for Mixing and Routing. [Diagram: 128-bit IPv6 address. Network Prefix: to route the packet to the network. Remaining bits: to route the packet within the network; networks can use this part as they want.]

  21. 2, 3) Symmetric Encryption for Mixing and Routing. [Diagram: 128 bits. Base: Network Prefix, Subnet, Host, Pseudonym. Encrypt / Decrypt using symmetric-key encryption. Encrypted: Network Prefix, Encrypted ID.] End-hosts know only encrypted IP addresses. The router uses the base addresses to forward packets by longest-prefix matching with subnet::host; thus, the size of the routing table does not change.

  22. Routing Example. [Diagram labels: Internet; ISP (Prefix ::); Prefix, Encrypted ID; Sub::Host::Pseudo; Sub::Host::Pseudo.]

  23. Outline. Motivation / Background; Approach: Cross-Layer Pseudonyms; System Design (Application-Layer, Network-Layer); Implementation and Evaluation; Conclusion.

  24. Prototype Implementation. [Diagram labels: Alice, Web Browser, Extension, Policy Engine; OS, IPs; Gateway, /64 network; IPv6 Tunnel Broker; IPv6 Internet; Web Server.] Policy shown on the slide: function extreme_policy(request, browser) { return request.requestID; }

  25. Evaluation. Is the policy framework expressive enough? How many pseudonyms are required? Do policies effectively preserve privacy? Are that many pseudonyms feasible? How much overhead in OS and router?

  26. Pseudonym Policy is Expressive. We could implement all the protection mechanisms from the related work in a cross-layer manner. Policies (name: description): Trivial: every request uses the same pseudonym; Extreme: every request uses a different pseudonym; Per tab [1]: requests from each tab use a different pseudonym; Per 1st-party [2]: based on the connected page (1st-party)'s domain; Time-based [3]: change pseudonym every 10 minutes. More examples in the paper: per browsing session, 3rd-party blocking. References: [1] CookiePie Extension; [2] Milk, Walls et al., HotSec 2012; [3] Tor.

  27. Privacy Preservation over Policies. [Figure: y-axis "# of Pseudonyms", log scale from 1 to 100000; annotation "10 bits".]

  28. Privacy Preservation over Policies. [Figure: axes "# of Pseudonyms" (log scale from 1 to 100000) and "# of activities" (log scale from 1 to 10000).]

  29. Conclusion. Pseudonym abstraction: user control over unlinkable identities. Provided new network addressing and routing mechanisms that exploit the ample IPv6 address space. Enabled various policies with an expressive policy framework. Prototyped with an extension for a web browser to show the feasibility.
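
The policy table on slide 26 and the news.com / facebook.com scenario on slides 13 to 15, worked through as an added example (not code from the slides or the authors' prototype). Only `request.requestID` appears on the slides; the other request fields, the pseudonym key strings and the trace are assumptions constructed for illustration.

```javascript
// Pseudonym policies from the slide-26 table: (request, browser) -> pseudonym key.
// Field names tabID, firstParty, host and timeMs are assumed, not from the slides.
const TEN_MIN_MS = 10 * 60 * 1000;
const policies = {
  trivial:       ()    => 'shared',
  extreme:       (req) => `req:${req.requestID}`,
  perTab:        (req) => `tab:${req.tabID}`,
  perFirstParty: (req) => `site:${req.firstParty}`,
  timeBased:     (req) => `slot:${Math.floor(req.timeMs / TEN_MIN_MS)}`,
};

// Constructed trace: a politics article on news.com (P1) that embeds a
// facebook.com widget (P2), then a direct visit to facebook.com (P3).
const trace = [
  { requestID: 1, tabID: 1, timeMs: 0,      host: 'news.com',     firstParty: 'news.com' },
  { requestID: 2, tabID: 1, timeMs: 1000,   host: 'facebook.com', firstParty: 'news.com' },
  { requestID: 3, tabID: 2, timeMs: 120000, host: 'facebook.com', firstParty: 'facebook.com' },
];

// What one tracker can link: group the requests it receives by pseudonym
// (each pseudonym has its own cookie and IP) and collect the first-party
// sites that appear under each pseudonym.
function trackerProfiles(policyName, requests, trackerHost) {
  const policy = policies[policyName];
  const profiles = new Map();
  for (const req of requests) {
    if (req.host !== trackerHost) continue; // the tracker only sees its own traffic
    const pseudonym = policy(req, {});
    if (!profiles.has(pseudonym)) profiles.set(pseudonym, new Set());
    profiles.get(pseudonym).add(req.firstParty);
  }
  return profiles;
}

// True if a single profile ties activity on siteA to activity on siteB.
function canLink(policyName, requests, trackerHost, siteA, siteB) {
  for (const sites of trackerProfiles(policyName, requests, trackerHost).values()) {
    if (sites.has(siteA) && sites.has(siteB)) return true;
  }
  return false;
}

for (const name of Object.keys(policies)) {
  console.log(name, canLink(name, trace, 'facebook.com', 'news.com', 'facebook.com'));
}
```

In this trace the time-based policy still lets facebook.com join the two visits because both fall in the same 10-minute slot, and per-tab isolation holds only because the direct visit happens in a second tab.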
