Archive for the 'Privacy' Category
August 17th, 2017, by Tim Finin, posted in Mobile Computing, OWL, Privacy, RDF, Semantic Web
Ph.D. Dissertation Defense
Context-dependent privacy and security management on mobile devices
Prajit Kumar Das
8:00-11:00am Tuesday, 22 August 2017, ITE325b, UMBC
There are ongoing security and privacy concerns regarding mobile platforms which are being used by a growing number of citizens. Security and privacy models typically used by mobile platforms use one-time permission acquisition mechanisms. However, modifying access rights after initial authorization in mobile systems is often too tedious and complicated for users. User studies show that a typical user does not understand permissions requested by applications or are too eager to use the applications to care to understand the permission implications. For example, the Brightest Flashlight application was reported to have logged precise locations and unique user identifiers, which have nothing to do with a flashlight application’s intended functionality, but more than 50 million users used a version of this application which would have forced them to allow this permission. Given the penetration of mobile devices into our lives, a fine-grained context-dependent security and privacy control approach needs to be created.
We have created Mithril as an end-to-end mobile access control framework that allows us to capture access control needs for specific users, by observing violations of known policies. The framework studies mobile application executables to better inform users of the risks associated with using certain applications. The policy capture process involves an iterative user feedback process that captures policy modifications required to mediate observed violations. Precision of policy is used to determine convergence of the policy capture process. Policy rules in the system are written using Semantic Web technologies and the Platys ontology to define a hierarchical notion of context. Policy rule antecedents are comprised of context elements derived using the Platys ontology employing a query engine, an inference mechanism and mobile sensors. We performed a user study that proves the feasibility of using our violation driven policy capture process to gather user-specific policy modifications.
We contribute to the static and dynamic study of mobile applications by defining “application behavior” as a possible way of understanding mobile applications and creating access control policies for them. Our user study also shows that unlike our behavior-based policy, a “deny by default” mechanism hampers usability of access control systems. We also show that inclusion of crowd-sourced policies leads to further reduction in user burden and need for engagement while capturing context-based access control policy. We enrich knowledge about mobile “application behavior” and expose this knowledge through the Mobipedia knowledge-base. We also extend context synthesis for semantic presence detection on mobile devices by combining Bluetooth, low energy beacons and Nearby Messaging services from Google.
Committee: Drs. Anupam Joshi (chair), Tim Finin (co-chair), Tim Oates, Nilanjan Banerjee, Arkady Zaslavsky, (CSIRO), Dipanjan Chakraborty (Shopperts)
June 10th, 2017, by Tim Finin, posted in cybersecurity, Privacy, Security
The DC-Area Anonymity, Privacy, and Security Seminar (DCAPS) is a seminar for research on computer and communications anonymity, privacy, and security in the D.C. area. DCAPS meets to promote collaboration and improve awareness of work in the community. Seminars occur three times a year. It meets at different locations and has been hosted in the past by George Mason University, Georgetown University, George Washington University, University of Maryland, College park and UMBC. DCAPS meetings are free and open to anybody interested. To join the seminar mailing list, contact the organizer, Aaron Johnson, at aaron.m.johnson AT nrl.navy.mil.
February 27th, 2017, by Tim Finin, posted in Mobile Computing, Privacy, Security
Context-Dependent Privacy and Security Management on Mobile Devices
10:00am Tuesday, 27 February, 2017
Security and privacy of mobile devices is a challenging research domain. A prominent aspect of this research focuses on discovering software vulnerabilities for mobile operating systems and mobile apps. The other aspect of research focuses on user privacy and using feedback, generates privacy profiles for controlling data privacy. Profile based or role-based security can be restrictive as they require prior definition of such roles or profiles. As a result, it is better to use attribute-based access control and let the attributes define granularity of policy definition. This problem may thus be defined as, a security and privacy personalization problem. A critical issue in the process of capturing personalized policy is one of creating a system that is adaptive and knows when user’s preferences have been captured. Presented in this work you will learn about Mithril, a framework for capturing user access control policies that are fine-grained, context-sensitive and are represented using Semantic Web technologies and thereby manages access control decisions for user data on mobile devices. Violation metric has been used in this work as a measure to determine system state. A hierarchical context ontology has been used to define fine-grained access control policies and simplifying the process of policy modification for a user. A secondary goal of this research was to determine behavioral traits of mobile applications with a goal to detect outlier applications. Some preliminary research on this topic will also be discussed.
November 8th, 2016, by Tim Finin, posted in cybersecurity, Ebiquity, Mobile Computing, Policy, Privacy
In this week’s ebiquity meeting (11:30 8 Nov. 2016) Prajit Das will present his work on capturing policies for fine-grained access control on mobile devices.
As of 2016, there are more mobile devices than humans on earth. Today, mobile devices are a critical part of our lives and often hold sensitive corporate and personal data. As a result, they are a lucrative target for attackers, and managing data privacy and security on mobile devices has become a vital issue. Existing access control mechanisms in most devices are restrictive and inadequate. They do not take into account the context of a device and its user when making decisions. In many cases, the access granted to a subject should change based on context of a device. Such fine-grained, context-sensitive access control policies have to be personalized too. In this paper, we present the Mithril system, that uses policies represented in Semantic Web technologies and captured using user feedback, to handle access control on mobile devices. We present an iterative feedback process to capture user specific policy. We also present a policy violation metric that allows us to decide when the capture process is complete.
May 24th, 2016, by Tim Finin, posted in cloud computing, cybersecurity, Privacy, Security, Semantic Web
Vaishali Narkhede, Karuna Pande Joshi, Tim Finin, Seung Geol Choi, Adam Aviv and Daniel S. Roche, Managing Cloud Storage Obliviously
, International Conference on Cloud Computing, IEEE Computer Society, June 2016.
Consumers want to ensure that their enterprise data is stored securely and obliviously on the cloud, such that the data objects or their access patterns are not revealed to anyone, including the cloud provider, in the public cloud environment. We have created a detailed ontology describing the oblivious cloud storage models and role based access controls that should be in place to manage this risk. We have developed an algorithm to store cloud data using oblivious data structure defined in this paper. We have also implemented the ObliviCloudManager application that allows users to manage their cloud data by validating it before storing it in an oblivious data structure. Our application uses role-based access control model and collection based document management to store and retrieve data efficiently. Cloud consumers can use our system to define policies for storing data obliviously and manage storage on untrusted cloud platforms even if they are unfamiliar with the underlying technology and concepts of oblivious data structures.
September 26th, 2015, by Tim Finin, posted in cybersecurity, Machine Learning, Privacy, Security
Is your personal data at risk?
App analytics to the rescue
10:30am Monday, 28 September 28 2015, ITE346
According to Virustotal, a prominent virus and malware tool, the Google Play Store has a few thousand apps from major malware families. Given such a revelation, access control systems for mobile data management, have reached a state of critical importance. We propose the development of a system which would help us detect the pathways using which user’s data is being stolen from their mobile devices. We use a multi layered approach which includes app meta data analysis, understanding code patterns and detecting and eventually controlling dynamic data flow when such an app is installed on a mobile device. In this presentation we focus on the first part of our work and discuss the merits and flaws of our unsupervised learning mechanism to detect possible malicious behavior from apps in the Google Play Store.
April 19th, 2015, by Tim Finin, posted in OWL, Privacy, RDF, Security, Semantic Web
In this week’s meeting (10-11am Tue, April 21), Ankur Padia will present work in progress on providing access control to an RDF triple store.
Triple store access control for a linked data fragments interface
Ankur Padia, UMBC
The maturation of Semantic Web standards and associated web-based data representations such as schema.org have made RDF a popular model for representing graph data and semi-structured knowledge. Triple stores are used to store and query an RDF dataset and often expose a SPARQL endpoint service on the Web for public access. Most existing SPARQL endpoints support very simple access control mechanisms if any at all, preventing their use for many applications where fine-grained privacy or data security is important. We describe new work on access control for a linked data fragments interface, i.e. one that accepts queries consisting one or more triple patterns and responds with all matching triples that the authenticated querier can access.
January 27th, 2015, by Prajit Kumar Das, posted in Microsoft, Pervasive Computing, Privacy, Technology, Technology Impact, Wearable Computing
In this post we will talk about certain User Interface (UI) technological advances that we are observing at the moment. One such development was revealed in a recent media event conducted by Microsoft, where they announced the Microsoft HoloLens, a computing platform which achieves seamless connection between the digital and the physical world, quite similar to the experience referred to in certain movies in the past.
It is interesting to note that the design of the HoloLens device looks so similar to something we have seen before.
Even the vision of holographic computing and users interacting with such interfaces isn’t a new one. The 2002 movie “The first $20 million is always the hardest” was possibly the first time we saw how such a futuristic technology might look like.
How did we reach here? A brief discussion on UIs…
User interfaces have always been an important aspect of computers. In its early days computers had a monochromatic screen (or at-most a duo-chromatic screen). A user would type in commands into the screen and computers would execute said commands. Since the commands would be entered in a single or a series of lines, this interface was called the Command-Line Interface (CLI).
Command Line based UI
Such an interface was not particularly intuitive as you had to know the list of commands that would fulfill a certain task. Albeit a certain group of individuals i.e. geeks and some computer programmers, like me, prefer such an interface owing to its clean and distraction free nature. However, owing to the learning curve of CLIs, researchers at Stanford Research Institute and Xerox PARC research center invented a new User interface called the Graphical User Interface (GUI). There were a few variations of the GUIs for example the point and click type also known as WIMP (windows, icons, menus, pointer) UI created at the Xerox PARC research center and made popular by Apple through it’s Macintosh operating systems
Apple’s Macintosh UI
And also adopted by Microsoft in its Windows operating systems
Microsoft’s Windows UI
Some early versions even included a textual user interface with programs which had menus that could be parsed using a keyboard instead of a mouse.
Early textual menu based UI
Eventually new avenues were created for UI research. Continuing onwards from textual interfaces to the WIMP interfaces to the world wide web where objects on the web became entities accessible through a Uniform Resource Identifier (URI). Such an entity could possibly have Semantics associated with them too (as defined by Web 2.0). However, with the advent of mobile smart-phones we saw a completely different class of user interfaces. The touch-based user interfaces and its more evolved cousin the multi-touch systems which allowed gesture based interactions.
Touch and gesture based UI
This was the first time in computing history that humans were able to directly interact with an object on their device with their hands instead of using an input device. The experience was immersive but yet these objects had not entered into the real world. We were on precipice of a revolution in computing.
This revolution was the mainstream launch of Wearable Technology and Virtual/Augmented Reality and Optical Head Mounted Display devices with the creation of devices like the Oculus Rift, Google Glass and EyeTap among others. These devices allowed voice inputs and created a virtual or an augmented reality world for it’s user. Microsoft too was working on gesture based interactions with the Kinect device and research in the Natural User Interface (NUI) field. Couple of interesting works worthy of taking a look from this revolution are listed below.
This talk by John Underkoffler demos a UI that we saw in the movie Minority Report. He talks about the spatial aspect of how humans interact with their world and how computers might be able to help us better if we could do the same with our computers.
Here Pranav Mistry, currently the Head of the Think Tank Team and Director of Research of Samsung Research America, speaks of SixthSense. A new paradigm in computing that allows interaction between the real world and the digital world. All these works were knocking on the doors of a computer as we saw in the 2002 movie mentioned earlier, a real life holographic computer. Enter Microsoft HoloLens!
What is Microsoft HoloLens?
Microsoft HoloLens is an augmented reality computing platform. As per the review from Forbes.com this device has taken a step beyond current work by adding to the world around its user, virtual holograms, rather than putting the user in a completely virtual environment. This device has launched a new platform of software development, i.e. Holographic apps. As well as, the device has created a scope for hardware research and development, as it requires new components like the Holographic Processing Unit or HPU. Visualization and sharing of ideas and interaction with the real world can now be done as envisioned in the TED talk by Pranav Mistry. A more natural way of interacting with digital content as envisioned in the works above are a reality now. The device tracks its user’s movements in an environment. It detects what a person is looking at and transforms the visual field by overlaying 3D objects on top of that.
What kind of applications can we expect to be developed for HoloLens?
When the touch UI became a reality developers had to change the way they worked on software. Direct object interactions as shown above had to be programmed into their applications. Apps for HoloLens would similarly need to handle use-cases of interactions involving voice commands and gesture recognition. The common ideas and their corresponding research implication that come to mind include:
- Looking up a grocery list when you enter the grocery store (context aware)
HoloLens Environment overlaid with lists
- Recording important events automatically (context aware computing)
- Recognizing people in a party (social media and privacy)
- Taking down notes, writing emails using voice commands (natural language understanding)
- Searching for “stuff” around us (nlp, data analytics, semantic web, context aware computing)
- Playing 3D games (animation and graphics)
HoloLens Environment overlaid with 3D Games
- Making sure your battery doesn’t run out (systems, hardware)
- Virtual work environments (systems)
Virtual Work Environments through HoloLens
- Teaching virtual classrooms (systems)
Why or how could it fail?
Are there any obvious pitfalls that we are not thinking about? We can be rest assured that researchers are already looking at ways this venture can fail and for Microsoft’s own good we can be certain they have a list of ways they think this might go and if there are any flaws they are surely working on fixing them. However, as a researcher in the mobile field with a bit of experience with the Google Glass, we can try to list some of the possible pitfalls of a AR/VR device. The HoloLens being a tetherless, Augmented Virtual Reality (AVR) device could possibly suffer from some of these pitfalls too. The reader should understand that we are not claiming any of the following to be scientifically provable because these are merely empirical observations.
- The first thing that worried us while using the Google Glass was that it would sometimes cause us headaches after using it for couple of hours. We have not researched the implications of using the device by any other person so this is and observation from experience. Therefore one concern could be regarding the health impact on a human being with prolonged usage of an AVR device.
- The second thing that was noticed with the Google Glass was how that the device heated up fast. We know from experience that computers do get hot. For example when we play a game they get hot or we do a lot of complex computations they get hot. An AVR device which is being used for playing games will most probably get hot too. At least the Google Glass did after recording a video. Here we are concerned about the heat dissipation and its health impact on the user.
- The third observation that we made was that the Google Glass, showed significant sluggishness when it tried to accomplish computation heavy tasks. Will the HoloLens device be able to keep up with all the computations needed for, say, playing a 3D game?
- The fourth concern is regarding battery capacity. The HoloLens is advertised as a device with no wires, cords or tethers. Anyone who has used a smartphone ever knows the issues of the battery on the devices running out within a day or even half a day. Will the HoloLens be able to carry a charge for long or will it require constant charging?
- The fifth concern that we had was regarding privacy. The Google Glass has faced quite a few privacy concerns because it can readily take pictures using a simple voice command or even a non-verbal command like a ‘wink’. We have worked on this issue as part of our research product FaceBlock. Will the HoloLens create such concerns as this device too has front facing cameras that are capturing a user’s environment and projecting an augmented virtual world to the user.
The above lists of possible issues and probable application areas are not exhaustive in anyway. There will be numerous other scenarios and ways we can work on this new computing platform. There will probably be a multitude of issues with such a new and revolutionary platform. However, the hybrid of augmented and virtual reality has just started taking small steps now. With invention of devices like the Microsoft HoloLens, Google Glass, Oculus Rift, EyeTap etc. we can look forward to an exciting period in the future of Computing for Augmented Virtual Reality.
June 15th, 2014, by Tim Finin, posted in alumni, Ebiquity, Privacy, Security, Semantic Web
Congratulations to ebiquity alumna Lalana Kagal (Ph.D. 2004) for being featured on MIT’s home page recently for recent work with Ph.D. student Oshani Seneviratne on enabling people to track how their private data is used online. You can read more about their work via this MIT news item and in their paper Enabling Privacy Through Transparency which will be presented next month in the 2014 IEEE Privacy Security and Trust conference.
December 27th, 2013, by Tim Finin, posted in Privacy, Web
At the ISWC Privon workshop in October, Neel Guha talked about his Spy Watch Google Chrome extension that keeps track of the third parties tracking the web pages you visit. Unlike Ghostery, it only collects information and can not block tracking sites, but it logs more information about how your Web behavior is being observed and gives good insight into the nature and scope of the Web tracking phenomenon.
When you view a page like www.nytimes.com you expect it to know that you visited the site. It may even know personal information (e.g., name, address, age, sex) if ever divulged it to the site, perhaps when setting up an account. Spy Watch reports that my recent visit to the NYT site was also observed by 24 other sites, including doubleclick.com, brightcove.com, googleapis.com and sothebysrealty.com. And this is with an ad blocker enabled — 28 third parties observed me when I disable it.
Each of these third parties also knows the page on the NYT site I just visited. But I don’t have an account on most of them, so they don’t know who I really am, right? Well, some can easily discover my identity. Doubleclick, for example, knows I just read that Times article on how to cook a duck and, since it’s part of Google, can potentially integrate the information with all of the other information Google has about me.
I’ve been running Spy Watch for about two months and it reports that 1533 third party sites have (potentially) collected data about the 12,000 distinct URLs I’ve visited during this time. It also notes that, on average, every page I’ve visit has been watched by 3.7 third parties. As you might expect, the distribution follows a power law with a long tail of sites that only observed a few of my visits (about 2/3 of them saw three or fewer). Here are the top twenty third party trackers in my two month’s of data.
Note that Google (red), Facebook (dark blue) and Twitter (green) are the three companies who potentially know the most about what you do on the Web.
Spy Watch can also show how many and which pages have been observed by a tracker. Facebook observed me viewing 2208 pages across 509 sites (via FB like and visit buttons) and now knows that I read reviews for Sharp and LG microwave ovens on toptenreviews.com earlier this month and frequently visit the cra.org site.
You can get and install Spy Watch from the Google Web store, which describes it like this.
Spy Watch is a privacy extension that aims to create transparency in online internet tracking by third party sites. When a user visits a page, Spy Watch lets the user see every site that knows the user visited that page. And for each of these sites, the user can find out what other information the site has gathered about the user’s browsing history. After you install the extension, continue to browse normally. After some time, click on the extension to see who’s watching you! Disclaimer: User data is stored in the browser and is not accessible by the creator of this extension.
March 9th, 2013, by Tim Finin, posted in Mobile Computing, Privacy
Memoto is a $279 lifelogging camera takes a geotagged photo every 30 seconds, holds 6K photos, and runs for several days without recharging. The company producing Memoto is a Swedish company intially funded via kickstarter and expects to start shipping the wearable camera in April 2013. The company will also offer “safe and secure infinite photo storage at a flat monthly fee, which will always be a lot more affordable than hard drives.”
The lifelogging idea has been around for many years but has yet to become propular. One reason is privacy concerns. DARPA’s IPTO office, for example, started a LifeLog program in 2004 which was almost immediately canceled after criticism from civil libertarians concerning the privacy implications of the system.
January 24th, 2011, by Tim Finin, posted in cybersecurity, Privacy, Security, smart grid
The North American electric power system has been called the world’s largest interconnected machine and is a key part of our national infrastructure. The power grid is evolving to better exploit modern information technology and become more integrated with our cyber infrastructure. This presents unprecedented opportunities for enhanced management and efficiency but also introduces vulnerabilities for intrusions, cascading disruptions, malicious attacks, inappropriate manipulations and other threats. Similar issues are foreseen for other cyber-physical infrastructure systems including industrial control systems, transportation, water, natural gas and waste disposal.
A one-day Smart Grid Cyber Security Conference will be held at UMBC on February 15, hosted by the UMBC Computer Science and Electrical Engineering Department and Maryland Clean Energy Technology Incubator. The conference will be a comprehensive presentation by the National Institute of Standards and Technology regarding an Inter-agency Report 7628 (NISTIR 7628) named Guidelines for Smart Grid Cyber Security which is a critically important document for guiding government, regulatory organizations, industry and academia on Smart Grid cybersecurity. This regional outreach conference is valuable to any organization that is planning, integrating, executing or developing cyber technology for the Smart Grid.
The conference is free, but participants are asked to register in advance to help us organize for the correct number of participants.
A full copy of the 600 page report is available here.
You are currently browsing the archives for the Privacy category.