scholarly journals Mitigator: Privacy policy compliance using trusted hardware

2020 ◽  
Vol 2020 (3) ◽  
pp. 204-221
Author(s):  
Miti Mazmudar ◽  
Ian Goldberg
Keyword(s):  
Trusted Computing ◽  
Privacy Policy ◽  
End User ◽  
Privacy Policies ◽  
Policy Compliance ◽  
Policy Model ◽  
Access Control Policies ◽  
Trusted Hardware ◽  
Trusted Computing Base ◽  
Proof Of Compliance

AbstractThrough recent years, much research has been conducted into processing privacy policies and presenting them in ways that are easy for users to understand. However, understanding privacy policies has little utility if the website’s data processing code does not match the privacy policy. Although systems have been proposed to achieve compliance of internal software to access control policies, they assume a large trusted computing base and are not designed to provide a proof of compliance to an end user. We design Mitigator, a system to enforce compliance of a website’s source code with a privacy policy model that addresses these two drawbacks of previous work. We use trusted hardware platforms to provide a guarantee to an end user that their data is only handled by code that is compliant with the privacy policy. Such an end user only needs to trust a small module in the hardware of the remote back-end machine and related libraries but not the entire OS. We also provide a proof-of-concept implementation of Mitigator and evaluate it for its latency. We conclude that it incurs only a small overhead with respect to an unmodified system that does not provide a guarantee of privacy policy compliance to the end user.

Legislative Based for Personal Privacy Policy Specification

2011 ◽  
pp. 281-94 ◽  
Author(s):  
George Yee ◽  
Larry Korba ◽  
Ronggong Song
Keyword(s):  
Private Information ◽  
The United States ◽  
Privacy Policy ◽  
The European Union ◽  
Personal Privacy ◽  
User Privacy ◽  
Privacy Policies ◽  
Policy Model ◽  
Privacy Preferences ◽  
Policy Specification

The growth of the Internet has been accompanied by a proliferation of e-services, especially in the area of e-commerce (e.g., Amazon.com, eBay.com). However, consumers of these e-services are becoming more and more sensitive to the fact that they are giving up private information every time they use them. At the same time, legislative bodies in many jurisdictions have enacted legislation to protect the privacy of individuals when they need to interact with organizations. As a result, e-services can only be successful if there is adequate protection for user privacy. The use of personal privacy policies to express an individual’s privacy preferences appears best-suited to manage privacy for e-commerce. We first motivate the reader with our e-service privacy policy model that explains how personal privacy policies can be used for e-services. We then derive the minimum content of a personal privacy policy by examining some key privacy legislation selected from Canada, the European Union, and the United States.

Legislative Based for Personal Privacy Policy Specification

2011 ◽  
pp. 2622-2633
Author(s):  
George Yee ◽  
Larry Korba ◽  
Ronggong Song
Keyword(s):  
Private Information ◽  
The United States ◽  
Privacy Policy ◽  
The European Union ◽  
Personal Privacy ◽  
User Privacy ◽  
Privacy Policies ◽  
Policy Model ◽  
Privacy Preferences ◽  
Policy Specification

The growth of the Internet has been accompanied by a proliferation of e-services, especially in the area of e-commerce (e.g., Amazon.com, eBay.com). However, consumers of these e-services are becoming more and more sensitive to the fact that they are giving up private information every time they use them. At the same time, legislative bodies in many jurisdictions have enacted legislation to protect the privacy of individuals when they need to interact with organizations. As a result, e-services can only be successful if there is adequate protection for user privacy. The use of personal privacy policies to express an individual’s privacy preferences appears best-suited to manage privacy for e-commerce. We first motivate the reader with our e-service privacy policy model that explains how personal privacy policies can be used for e-services. We then derive the minimum content of a personal privacy policy by examining some key privacy legislation selected from Canada, the European Union, and the United States.

scholarly journals Threats and Vulnerabilities to IoT End Devices Architecture and suggested remedies

2020 ◽  
Vol 8 (6) ◽  
pp. 5712-5718
Keyword(s):  
Decision Making ◽  
Internet Of Things ◽  
Data Processing ◽  
Trusted Computing ◽  
External World ◽  
Security Threats ◽  
Iot Applications ◽  
Trusted Computing Base ◽  
Chain Of Trust ◽  
New Challenges

Due to decentralization of Internet of Things(IoT) applications and anything, anytime, anywhere connectivity has increased burden of data processing and decision making at IoT end devices. This overhead initiated new bugs and vulnerabilities thus security threats are emerging and presenting new challenges on these end devices. IoT End Devices rely on Trusted Execution Environments (TEEs) by implementing Root of trust (RoT) as soon as power is on thus forming Chain of trust (CoT) to ensure authenticity, integrity and confidentiality of every bit and byte of Trusted Computing Base (TCB) but due to un-trusted external world connectivity and security flaws such as Spectre and meltdown vulnerabilities present in the TCB of TEE has made CoT unstable and whole TEE are being misutilized. This paper suggests remedial solutions for the threats arising due to bugs and vulnerabilities present in the different components of TCB so as to ensure the stable CoT resulting into robust TEE.

scholarly journals The Path to a Creating a New Privacy Policy: NYPL's story

2017 ◽  
Vol 2 (1) ◽  
pp. 5 ◽  
Author(s):  
Bill Marden
Keyword(s):  
Privacy Policy ◽  
Privacy Policies ◽  
Intellectual Inquiry

Every library has (or should have) one. Ironically, in an institution devoted to reading and intellectual inquiry, it is probably the most seldom-read document in its collections. I am referring to library privacy policies, which have become increasingly important in an era when the broad gathering of information and data is exponentially increasing.

An Analysis of Online Privacy Policies of Fortune 100 Companies

2009 ◽  
pp. 269-283
Author(s):  
Suhong Li
Keyword(s):  
Personal Information ◽  
Online Privacy ◽  
Third Party ◽  
Security Requirements ◽  
Current Status ◽  
Safe Harbor ◽  
Privacy Policy ◽  
Privacy Policies ◽  
Fair Information Practices ◽  
Fortune 100

The purpose of this chapter is to investigate the current status of online privacy policies of Fortune 100 Companies. It was found that 94% of the surveyed companies have posted an online privacy policy and 82% of them collect personal information from consumers. The majority of the companies only partially follow the four principles (notice, choice, access, and security) of fair information practices. For example, most of the organizations give consumers some notice and choice in term of the collection and use of their personal information. However, organizations fall short in security requirements. Only 19% of organizations mention that they have taken steps to provide security for information both during transmission and after their sites have received the information. The results also reveal that a few organizations have obtained third-party privacy seals including TRUSTe, BBBOnline Privacy, and Safe Harbor.

Semi-Automated Seeding of Personal Privacy Policies in E-Services

2011 ◽  
pp. 985-992
Author(s):  
George Yee ◽  
Larry Korba
Keyword(s):  
Private Information ◽  
Web Site ◽  
Privacy Policy ◽  
Personal Privacy ◽  
Privacy Policies ◽  
Major Drawback ◽  
Consumer Privacy ◽  
Privacy Preferences ◽  
Privacy Constraints ◽  
The Web

The rapid growth of the Internet has been accompanied by a proliferation of e-services targeting consumers. E-services are available for banking, shopping, learning, government online, and healthcare. However, each of these services requires a consumer’s personally identifiable information (PII) in one form or another. This leads to concerns over privacy. In order for e-services to be successful, privacy must be protected (Ackerman, Cranor, & Reagle, 1999). An effective and flexible way of handling privacy is management via privacy policies. In this approach, a consumer of an e-service has a personal privacy policy that describes what private information the consumer is willing to give up to the e-service, with which parties the provider of the e-service may share the private information, and how long the private information may be kept by the provider. The provider likewise has a provider privacy policy describing similar privacy constraints as in the consumer’s policy, but from the viewpoint of the provider, (i.e., the nature of the private information and the disclosure/retention requirements that are needed by the e-service). Before the consumer engages the e-service, the provider’s privacy policy must match with the consumer’s privacy policy. In this way, the consumer’s privacy is protected, assuming that the provider complies with the consumer’s privacy policy. Note that policy compliance is outside the scope of this work but see Yee and Korba (July, 2004). Initial attempts at conserving consumer privacy for e-services over the last few years have focused on the use of Web site privacy policies that state the privacy rules or preferences of the Web site or service provider. Some of these policies are merely statements in plain English and it is up to the consumer to read it. This has the drawback that very few consumers take the trouble to read it. Even when they do take the time to look at it, online privacy policies have been far too complicated for consumers to understand and suffer from other deficiencies (Lichtenstein, Swatman, & Babu, 2003; Jensen & Potts, 2004). Still other privacy policies are specified using P3P (W3C) that allows a consumer’s browser to automatically check the privacy policy via a browser plug-in. This, of course, is better than plain English policies but a major drawback is that it is a “take-it-or-leave-it” approach. There is no recourse for the consumer who has a conflict with the Web site’s P3P policy, except to try another Web site. In this case, we have advocated a negotiations approach to resolve the conflict (Yee & Korba, Jan., May, 2003). However, this requires a machine-processable personal privacy policy for the consumer. We assume that providers in general have sufficient resources to generate their privacy policies. Certainly, the literature is full of works relating to enterprise privacy policies and models (e.g., Barth & Mitchell, 2005; Karjoth & Schunter 2002). Consumers, on the other hand, need help in formulating machine-processable privacy policies. In addition, the creation of such policies needs to be as easy as possible or consumers would simply avoid using them. Existing privacy specification languages such as P3P, APPEL (W3C; W3C, 2002), and EPAL (IBM) are far too complicated for the average internet user to understand. Understanding or changing a privacy policy expressed in these languages effectively requires knowing how to program. Moreover, most of these languages suffer from inadequate expressiveness (Stufflebeam, Anton, He, & Jain, 2004). What is needed is an easy, semi-automated way of seeding a personal privacy policy with a consumer’s privacy preferences. In this work, we present two semi-automated approaches for obtaining consumer personal privacy policies for e-services through seeding. This article is based on our work in Yee and Korba (2004). The section “Background” examines related work and the content of personal privacy policies. The section “Semi-Automated Seeding of Personal Privacy Policies” shows how personal privacy policies can be semi-automatically seeded or generated. The section “Future Trends” identifies some of the developments we see in this area over the next few years. We end with ”Conclusion”.

Sign in / Sign up

Export Citation Format

Share Document