Wednesday, December 10, 2014

Web & Mobile Privacy

Adam Cox

University of Massachusetts Lowell
Lowell, MA 01854
Adam.Cox9@gmail.com

Abstract

Privacy on the web and on mobile devices is a growing concern. More people are sharing more aspects of their lives on their mobile devices and the web without knowing exactly what can happen. This paper will identify the general “privacy” problem; provide some specific examples where web & mobile users are at risk; and attempt to identify some potential solutions.

Introduction

“Privacy is considered a core value in democratic societies and is recognized either explicitly or implicitly as a fundamental human right by most constitutions of democratic societies. [2]” There is no clear definition of privacy: different sources give similar but not identical definitions. Some researchers [7] view it as either “the right to be left alone” or “the right to control what information is known about them.” Other researchers [2] define privacy in two aspects, “informational privacy” and “spatial privacy”. One really good question was asked in [7]: “Is privacy one of the unalienable rights to all citizens?” If it is, then there are mobile & web privacy related issues that need to be taken into deep consideration. It is, indeed, implied [2] that privacy is a core value in democratic societies.

There has been research [7] into the foundation of privacy rights. US laws are built upon the principles stated in the Constitution, Declaration of Independence & Bill of Rights. However, there was no direct mention of the term privacy in either the Constitution or Declaration of Independence [13]. The US Bill of Rights [16] states that “private property [should not] be taken for public use, without just compensation” in Amendment V.

The laws that do exist are considered a patchwork and some are not fit for the web and mobile devices [7]. Further, it is suggested that the laws will become too complex and possibly ineffective. There is an abundance of laws related to privacy, but no general law. Further, research suggests that a general law will not be effective either [7]. One proposed solution breaks a general privacy law up into realm levels with guidelines in each realm, which would be more effective [7]. Google’s new privacy policy has a one-size-fits-all solution and sub-privacy policies for specific services that either extend or overwrite the general policy [17]. Google’s method appears to be appropriate, and the US in its entirety should make a general privacy policy with some policies that override it for specific situations. This is similar to the idea put forth by [7].

Current Privacy Laws

Most states have enacted laws to require companies to notify customers that their personal information has been breached. Anton, Earp, & Young [10] concluded that it is plausible that these laws led to more breaches being reported. This data can be visualized in [10].

The US has some privacy related laws [7]:

The US Constitution (Amendment IV) secures the right of the people to be secure against unreasonable search and seizures
Privacy Act of 1974
Computer Security Act of 1988

In 1998, the FTC recommended five Fair Information Principles [6]:

Notice/Awareness
Choice/Consent
Access/Participation
Integrity/Security
Enforcement/Redress

The EU has privacy protection laws [2]:

EU Data Protection Directive 95/46/EC - codifies general privacy principles
EU Directive 2002/58/EC - sets out specific rules for privacy protection in the electronic and mobile communications sector.

Security freeze laws were put into place allowing users to prevent any accounts being opened in their name. According to [11], Alabama, Michigan, and Missouri have not yet adopted a security freeze law, but since this paper was published, Missouri has passed such a law. However, the consumer agencies allow anybody from any state to set a security freeze on their account [10].

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information [12]. There is no general law that forces companies to notify their customers of their privacy practices other than for medical related information. There are many federal and state laws that are related to the privacy of users’ data [13].

User Concerns

A study [10] revealed issues in the following classifications: personalization, notice/awareness, information transfer, information collection, information storage, and access/participation.

The top concern was information transfer, followed by notice/awareness, then information storage and access/participation; the fifth top concern is information collection and finally the least concern is personalization [10].

Personalization is when a website changes based on the user’s behavior. Even though this is the least of users’ concerns, users were concerned about personalization in 2002 and even more in 2008 [10]. This could be from the users’ perceived feeling of being a victim of the website’s targeting.

It was stated [2] that “privacy can only be effectively protected by a holistic approach comprising both legal and technical means of protection.”

Common Threats

“New users of the Internet generally do not realize that every post they make to a newsgroup, every piece of email they send, every [WWW] page they access, and every item they purchase online could be monitored or logged by some unseen third party. [1]” Whether it is from their mobile device or their desktop computer, it is evident that users are at risk.

“Long-term databases threaten your ability to choose what you would like to disclose from your past. [1]” A post that you made after a few drinks when you were 21 could come back to haunt you at your job when you are 30. Further, advanced search technology could turn up a post or picture of you that a family member or friend posted in the past without your knowledge or permission. This may cause harm at your place of work or in a relationship. Other problems include sites that allow anybody to locate another person’s address online. This could allow stalkers or an ex to identify and locate their victims.

There have been many specific examples of government employees abusing government databases of information [1]:

IRS employees making illegal queries
SSA employees making illegal queries
AIDS patients’ records have been leaked
The FBI has been known to spy on politicians
The NSA has been known to spy on other domestic targets
Bill Clinton’s Democratic administration was found to have unauthorized secret dossiers on Republican opponents

Vulnerabilities

Mulliner [9] found that private information was sent to the websites that the user visited through HTTP proxy headers, and concluded that the mobile network carriers appended this information rather than it being sent directly from the phone. The paper gives a detailed example of how the MSISDN, which contains the user’s phone number, is sent out. It showed that a website could collect this information and, in some cases, perform a reverse phone number lookup. The reverse phone number lookup reveals information such as first & last name and sometimes the user’s address. The solution presented [9] is for the mobile network operators to not inject this data into the headers. Alternatively, the data would only be included within the mobile carrier network and only be sent to currently authorized third parties. The user has no way to prevent this from happening.
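Since the user cannot stop the injection, a site operator who does not want to collect this data can at least detect it and keep it out of logs. The following is an added example, not code from [9] or from this paper: the header-name fragments, the `X-` heuristic, and the sample request are assumptions constructed for illustration.

```python
import re

# Assumed name fragments that suggest a subscriber identifier (not from the page).
SUSPECT_NAME = re.compile(r"msisdn|calling-line-id|subscriber|imsi", re.IGNORECASE)
# E.164-style number: optional "+", then 8 to 15 digits.
PHONE_VALUE = re.compile(r"\+?\d{8,15}")
REDACTED = "[redacted]"


def classify(name, value):
    """Return 'name', 'value' or None for one request header."""
    if SUSPECT_NAME.search(name):
        return "name"
    # Only non-standard X- headers are judged by value, so Content-Length
    # and other numeric standard headers are never flagged.
    digits = re.sub(r"[\s\-().]", "", value)
    if name.lower().startswith("x-") and PHONE_VALUE.fullmatch(digits):
        return "value"
    return None


def audit(headers):
    """List (header, reason) pairs that look like injected subscriber data."""
    hits = [(n, classify(n, v)) for n, v in headers.items()]
    return sorted((n, r) for n, r in hits if r)


def scrub(headers):
    """Copy of headers with flagged values redacted, safe to log or store."""
    return {n: (REDACTED if classify(n, v) else v) for n, v in headers.items()}


# Constructed request as it might arrive through a carrier proxy.
SAMPLE = {
    "Host": "example.org",
    "User-Agent": "ExampleBrowser/1.0",
    "Content-Length": "12345678",
    "X-MSISDN": "15555550123",
    "X-Carrier-Sub": "+15555550123",
    "Via": "1.1 proxy.carrier.example",
}

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"{name}: flagged by {reason}")
    print(scrub(SAMPLE))
```

Running `scrub` before request headers reach access logs or analytics keeps the phone number from being stored even when the carrier still injects it.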

Beach, Gartrell, & Han [8] presented security vulnerabilities in accessing social networks from mobile phones, through which private information can be accessed by a third party. Three classes of privacy and security problems associated with mobile social networks were identified:

Direct anonymity issues
Indirect or k-anonymity issues
Eavesdropping, spoofing, replay, and wormhole attacks.

Further, [2] stated that “the current development of technologies has neglected to maintain the protection of individuals’ sovereignty over his/her private sphere and particularly individuals control over personal data that the real non-electronic world naturally and culturally provides.” Users are more vulnerable using web & mobile technologies and the laws have not adapted properly.


Tools & Solutions

The Platform for Privacy Preferences (P3P) [3] protocol would allow websites to publish their privacy policies in a machine-readable format. The visitor’s browser could then read this and compare it to the user’s settings. The drawback to this method is that there are no laws or regulations forcing websites that use it to adhere to the policy they publish [2].
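The comparison step described above can be sketched against P3P's compact policy form, which a site sends in a `P3P: CP="..."` response header. This is an added example, not code from the paper or from the W3C: the user preferences and sample header values are constructed, and only a small subset of the P3P 1.0 compact tokens is checked.

```python
import re

CP_FIELD = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)
# Three-letter token plus optional consent suffix: a=always, i=opt-in, o=opt-out.
TOKEN = re.compile(r"([A-Za-z]{3})([aio]?)")

# Hypothetical user settings: token -> consent modes the user accepts.
# An empty set means the practice is never acceptable.
USER_PREFS = {
    "TEL": {"i"},        # telemarketing only with opt-in
    "CON": {"i", "o"},   # marketing contact only if a choice is offered
    "UNR": set(),        # recipients with unrelated practices
    "PUB": set(),        # public disclosure
    "IND": set(),        # indefinite retention
}


def parse_compact_policy(header_value):
    """Return {token: consent} from a P3P header value, or None if no CP field."""
    match = CP_FIELD.search(header_value or "")
    if match is None:
        return None
    policy = {}
    for raw in match.group(1).split():
        tok = TOKEN.fullmatch(raw)
        if tok:  # malformed tokens are skipped
            policy[tok.group(1).upper()] = tok.group(2) or "a"
    return policy


def evaluate(header_value, prefs=USER_PREFS):
    """Compare a site's declared policy with the user's settings."""
    policy = parse_compact_policy(header_value)
    if policy is None:
        return ("no-policy", [])
    # The policy is self-declared: a pass here says what the site claims,
    # not what it does, which is the enforcement gap noted in [2].
    bad = sorted(t for t, mode in policy.items()
                 if t in prefs and mode not in prefs[t])
    return ("reject" if bad else "accept", bad)


if __name__ == "__main__":
    # Constructed header values.
    print(evaluate('CP="NOI DSP COR CUR ADM TAIo CONi TELo OUR UNR STP"'))
    print(evaluate('policyref="/w3c/p3p.xml", CP="NOI CUR OUR STP CONi"'))
```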

Other tools, such as PiML, would control the dissemination of a User Agent profile. The User Agent profile includes information such as location. PiML could be run as a proxy-based solution or a browser built-in solution [2].

There is also a PRIME project, which is working on solutions that will provide users control over their personal data. It will also allow users to trace where the data about them is being sent [2].

Conclusion

Through the research presented in this paper, it is shown that privacy threats exist on the Web and on Mobile Devices. These threats were identified and a summary of them was presented. It was also shown that there are some ways to potentially prevent some of these threats either through individual or collective means.

References

[1] I. Goldberg, D. Wagner, E. Brewer. “Privacy-enhancing technologies for the Internet” http://www.cs.berkeley.edu/~daw/papers/privacy-compcon97-www/privacy-html.html

[2] S. Fischer-Huebner. “Privacy Risks and Challenges for the Mobile Internet”

[3] W3C, Platform for Privacy Preferences (P3P) Project, http://www.w3.org/P3P/

[4] The Privacy Act of 1974 http://www.justice.gov/opcl/privstat.htm

[5] The Computer Security Act of 1987 http://www.cio.gov/documents/computer_security_act_jan_1998.html

[6] FTC, Fair Information Practice Principles http://www.ftc.gov/reports/privacy3/fairinfo.shtm

[7] C. Purchell, J. Zhan. “Adapting US Privacy Laws to the Internet: Is Patching Enough?”

[8] A. Beach, M. Gartrell, R. Han. “Solutions to Security and Privacy Issues in Mobile Social Networking”

[9] C. Mulliner. “Privacy Leaks in Mobile Phone Internet Access”

[10] A. I. Anton, J. B. Earp, J. D. Young. “How Internet Users’ Privacy Concerns Have Evolved since 2002”

[11] Missouri Attorney General. http://ago.mo.gov/ConsumerCorner/blog/10407/Credit_freeze_may_become_law_and_cheaper_in_Missouri/

[12] US Department of Health & Human Services, HIPAA Privacy Rule. http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html

[13] Information Shield, United States privacy Laws. http://www.informationshield.com/usprivacylaws.html

[14] US Constitution, http://www.house.gov/house/Constitution/Constitution.html

[15] Declaration of Independence, http://www.archives.gov/exhibits/charters/declaration_transcript.html

[16] Bill of Rights, http://www.archives.gov/exhibits/charters/bill_of_rights_transcript.html

[17] Google, Policies & Principles. http://www.google.com/policies/privacy/preview/