Privacy Issues in Decentralized Online Social Networks and other Decentralized Systems
KTH, School of Computer Science and Communication (CSC), Theoretical Computer Science, TCS. ORCID iD: 0000-0002-7102-8153
2016 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Popular Online Social Networks (OSNs), such as Facebook or Twitter, are logically centralized systems. The massive aggregation of sensitive personal data at the central providers of these services is an inherent threat to the privacy of the users. Leakages of these data collections happen regularly, both intentionally, for example by selling user data to third parties, and unintentionally, for example when outsiders successfully attack a provider.

Motivated by this insight, the concept of Decentralized Online Social Networks (DOSNs) has emerged. In these proposed systems, no single, central provider keeps a data collection of all users. Instead, the data is spread out across multiple servers or is distributed completely among user devices that form a peer-to-peer (P2P) network. Encryption is used to enforce access rights on shared content, and communication partners ideally connect directly to each other. DOSNs solve one of the biggest privacy concerns of centralized OSNs in a quite forthright way, by getting rid of the central provider. Furthermore, these decentralized systems can be designed to be more immune to censorship than centralized services. But when decentralizing OSNs, two main challenges have to be met: to provide user privacy under a significantly different threat model, and to implement equal usability and functionality without centralized components.

In this work we analyze the general privacy problems in DOSNs, especially those arising from the more exposed metadata in these systems. Furthermore, we suggest three privacy-preserving implementations of standard OSN features, i.e. user authentication via password login, user search via a knowledge threshold, and an event invitation system with fine-grained privacy settings. These implementations do not rely on a trusted, central provider and are therefore applicable in a DOSN scenario, but can be applied in other P2P or low-trust environments as well. Finally, we analyze a concrete attack on a specific decentralized system, the Tor anonymization network, and suggest improvements for mitigating the identified threats.

Abstract [sv] (translated from Swedish)

Popular social networking services such as Facebook and Instagram are built on a logically centralized system architecture. The service providers therefore have access to extensive collections of sensitive personal data, which entails an unavoidable risk of privacy violations. At regular intervals these collections of information are leaked to third parties, either when the service provider itself sells or gives them to external actors, or when unauthorized parties gain access to the service provider's computer systems.

Decentralized social networking services (Decentralized Online Social Networks, DOSNs) are a promising development for reducing this risk and for protecting users' personal information both from the service provider and from third parties. A common way to implement a DOSN is through a non-hierarchical network architecture (a peer-to-peer network), in order to avoid sensitive personal data being collected in one place that is under the service provider's control. Encryption is used to protect communication and to realize access control for information that is to be shared with other users.

No longer having a service provider with access to all data means that the largest risk factor for privacy violations is removed. But by replacing the central service provider with a decentralized system, we also remove a certain amount of privacy protection. That protection was a consequence of all user communication being relayed through the service provider's servers. When the responsibility for storing content, managing permissions, access and other administrative tasks passes to the users themselves, it becomes a challenge to protect the metadata of objects and information flows, even if the content is encrypted. In a centralized system this metadata is in fact protected by the service provider, whether deliberately or as a side effect.

To implement the various functions that should be present in a privacy-preserving DOSN, it is necessary both to solve these general challenges and to handle the absence of a trusted service provider with full access to all data. User authentication, for example, should have the same usability as in centralized systems. That is, it should be easy to change the password, revoke the rights of a stolen client device, or reset a forgotten password with the help of e-mail or security questions, all without relying on a trusted third party. Another example is the function of searching for other users. The challenge there is to protect user information while at the same time making it possible to find users based on precisely that information. An implementation of such a function in a DOSN must manage without a trusted service provider that, with access to all user data, can maintain a global search index.

In this thesis we analyze the general risks of privacy violations present in DOSNs, particularly those caused by metadata. In addition, we propose three privacy-preserving implementations of common functions in a social networking service: password-based user authentication, a user search function with a knowledge threshold, and an event invitation function with fine-grained privacy settings. All three implementations are suitable for DOSN scenarios because they manage entirely without a trusted, central service provider, and can therefore also be used in other contexts such as peer-to-peer networks or other systems that must manage without a trusted third party. Finally, we analyze an attack on a specific decentralized system, the Tor anonymity service, and discuss how the system can be protected against the analyzed vulnerabilities.

Place, publisher, year, edition, pages
Stockholm: KTH Royal Institute of Technology, 2016, 150 p.
Series
TRITA-CSC-A, ISSN 1653-5723 ; 2016:28
Keyword [en]
Privacy, Online Social Networks, Decentralized Online Social Networks
National Category
Computer Science
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:kth:diva-196118; ISBN: 978-91-7729-194-7; OAI: oai:DiVA.org:kth-196118; DiVA: diva2:1046856
Public defence
2016-12-15, F3, Kungl Tekniska högskolan, Lindstedtsvägen 26, Stockholm, 14:00 (English)
Funder
Swedish Foundation for Strategic Research, SSF FFL09-0086; Swedish Research Council, VR 2009-3793
Note

QC 20161115

Available from: 2016-11-17; Created: 2016-11-11; Last updated: 2016-11-17. Bibliographically approved
List of papers
1. The devil is in the metadata - New privacy challenges in decentralised online social networks
2012 (English). In: 2012 IEEE International Conference on Pervasive Computing and Communications Workshops, PERCOM Workshops 2012, IEEE, 2012, pp. 333-339. Conference paper (Refereed)
Abstract [en]

Decentralised Online Social Networks (DOSN) are evolving as a promising approach to mitigate design-inherent privacy flaws of logically centralised services such as Facebook, Google+ or Twitter. A common approach to build a DOSN is to use a peer-to-peer architecture. While the absence of a single point of data aggregation strikes the most powerful attacker from the list of adversaries, the decentralisation also removes some privacy protection afforded by the central party's intermediation of all communication. As content storage, access right management, retrieval and other administrative tasks of the service become the obligation of the users, it is non-trivial to hide the metadata of objects and information flows, even when the content itself is encrypted. Such metadata is, deliberately or as a side effect, hidden by the provider in a centralised system. In this work, we aim to identify the dangers arising or made more severe from decentralisation, and show how inferences from metadata might invade users' privacy. Furthermore, we discuss general techniques to mitigate or solve the identified issues.

Place, publisher, year, edition, pages
IEEE, 2012
Keyword
privacy, social networks, metadata, decentralized social networks
National Category
Computer Systems
Research subject
SRA - ICT
Identifiers
urn:nbn:se:kth:diva-88041 (URN); 10.1109/PerComW.2012.6197506 (DOI); 2-s2.0-84861539737 (ScopusID); 978-146730907-3 (ISBN)
Conference
2012 IEEE International Conference on Pervasive Computing and Communications Workshops, PERCOM Workshops 2012; Lugano; 19 March 2012 through 23 March 2012
Funder
Swedish Research Council; ICT - The Next Generation
Note

QC 20120806

Available from: 2012-02-14; Created: 2012-02-14; Last updated: 2016-11-15. Bibliographically approved
2. Passwords in Peer-to-Peer
2012 (English). In: Peer-to-Peer Computing (P2P), 2012 IEEE 12th International Conference on, IEEE, 2012, pp. 167-178. Conference paper (Refereed)
Abstract [en]

One of the differences between typical peer-to-peer (P2P) and client-server systems is the existence of user accounts. While many P2P applications, like public file sharing, are anonymous, more complex services such as decentralized online social networks require user authentication. In these, the common approach to P2P authentication builds on the possession of cryptographic keys. A drawback with that approach is usability when users access the system from multiple devices, an increasingly common scenario. In this work, we present a scheme to support logins based on users knowing a username-password pair. We use passwords, as they are the most common authentication mechanism in services on the Internet today, ensuring strong user familiarity. In addition to password logins, we also present supporting protocols to provide functionality related to password logins, such as resetting a forgotten password via e-mail or security questions. Together, these allow P2P systems to emulate centralized password logins. The results of our performance evaluation indicate that incurred delays are well within acceptable bounds.

Place, publisher, year, edition, pages
IEEE, 2012
Series
IEEE International Conference on Peer-to-Peer Computing, ISSN 2161-3567
Keyword
Authentication mechanisms, Client-server systems, Complex services, Cryptographic key, File Sharing, Multiple devices, Online social networks, P2P applications, P2P system, Peer to peer, Performance evaluation, User authentication, Users access
National Category
Computer Science; Telecommunications
Identifiers
urn:nbn:se:kth:diva-107785 (URN); 10.1109/P2P.2012.6335797 (DOI); 000312674500024 (); 2-s2.0-84870369349 (ScopusID); 978-146732862-3 (ISBN)
Conference
IEEE 12th International Conference on Peer-to-Peer Computing, P2P 2012; Tarragona; 3 September 2012 through 5 September 2012
Funder
Swedish Foundation for Strategic Research, SSF FFL09-0086; Swedish Research Council, VR 2009-3793; ICT - The Next Generation
Note

QC 20130111

Available from: 2012-12-17; Created: 2012-12-17; Last updated: 2016-11-15. Bibliographically approved
3. User Search with Knowledge Thresholds in Decentralized Online Social Networks
2014 (English). In: PRIVACY AND IDENTITY MANAGEMENT FOR EMERGING SERVICES AND TECHNOLOGIES, 2014, pp. 188-202. Conference paper (Refereed)
Abstract [en]

User search is one fundamental functionality of an Online Social Network (OSN). When building privacy-preserving Decentralized Online Social Networks (DOSNs), the challenge of protecting user data and making users findable at the same time has to be met. We propose a user-defined knowledge threshold ("find me if you know enough about me") to balance the two requirements. We present and discuss protocols for this purpose that do not make use of any centralized component. An evaluation using real world data suggests that there is a promising compromise with good user performance and high adversary costs.

Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238; 421
Keyword
Decentralized Online Social Networks, Privacy, User Search
National Category
Telecommunications
Identifiers
urn:nbn:se:kth:diva-155157 (URN); 000342688200015 (); 978-3-642-55137-6; 978-3-642-55136-9 (ISBN)
Conference
8th IFIP WG 9.2, 9.5, 9.6/11.7, 11.4, 11.6 International Summer School, JUN 17-21, 2013, Nijmegen, NETHERLANDS
Note

QC 20141103

Available from: 2014-11-03; Created: 2014-10-31; Last updated: 2016-11-15. Bibliographically approved
4. Event Invitations in Privacy-Preserving DOSNs: Formalization and Protocol Design
2015 (English). In: Privacy and Identity Management for the Future Internet in the Age of Globalisation: 9th IFIP WG 9.2, 9.5, 9.6/11.7, 11.4, 11.6/SIG 9.2.2 International Summer School, Patras, Greece, September 7-12, 2014, Revised Selected Papers / [ed] Camenisch, Jan; Fischer-Hübner, Simone; Hansen, Marit, Springer Publishing Company, 2015, Vol. 457, pp. 185-200. Chapter in book (Refereed)
Abstract [en]

Online Social Networks (OSNs) have an infamous history of privacy and security issues. One approach to avoid the massive collection of sensitive data of all users at a central point is a decentralized architecture.

An event invitation feature - allowing a user to create an event and invite other users who then can confirm their attendance - is part of the standard functionality of OSNs. We formalize security and privacy properties of such a feature like allowing different types of information related to the event (e.g., how many people are invited/attending, who is invited/attending) to be shared with different groups of users (e.g., only invited/attending users).

Implementing this feature in a Privacy-Preserving Decentralized Online Social Network is non-trivial because there is no fully trusted broker to guarantee fairness to all parties involved. We propose a secure decentralized protocol for implementing this feature, using tools such as storage location indirection, ciphertext inferences and a disclose-secret-if-committed mechanism, derived from standard cryptographic primitives.

The results can be applied in the context of Privacy-Preserving DOSNs, but might also be useful in other domains that need mechanisms for cooperation and coordination, e.g., Collaborative Working Environment and the corresponding collaborative-specific tools, i.e., groupware, or Computer-Supported Collaborative Learning.

Place, publisher, year, edition, pages
Springer Publishing Company, 2015
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238; 457
Keyword
Event invitation, Privacy, Decentralized Online Social Networks
National Category
Computer Systems; Telecommunications
Research subject
Computer Science
Identifiers
urn:nbn:se:kth:diva-166775 (URN); 10.1007/978-3-319-18621-4_13 (DOI); 000380771600013 (); 2-s2.0-84942575280 (ScopusID); 978-3-319-18620-7 (ISBN); 978-3-319-18621-4 (ISBN)
Funder
Swedish Foundation for Strategic Research, FFL09-0086; Swedish Research Council, 2009-3793
Note

QC 20150618

Available from: 2015-05-18; Created: 2015-05-18; Last updated: 2016-11-15. Bibliographically approved
5. The Effect of DNS on Tor’s Anonymity
2017 (English). Manuscript (preprint) (Other academic)
Abstract [en]

Previous attacks that link the sender and receiver of traffic in the Tor network ("correlation attacks") have generally relied on analyzing traffic from TCP connections. The TCP connections of a typical client application, however, are often accompanied by DNS requests and responses. This additional traffic presents more opportunities for correlation attacks. This paper quantifies how DNS traffic can make Tor users more vulnerable to correlation attacks. We investigate how incorporating DNS traffic can make existing correlation attacks more powerful and how DNS lookups can leak information to third parties about anonymous communication. We (i) develop a method to identify the DNS resolvers of Tor exit relays; (ii) develop a new set of correlation attacks (DefecTor attacks) that incorporate DNS traffic to improve precision; (iii) analyze the Internet-scale effects of these new attacks on Tor users; and (iv) develop improved methods to evaluate correlation attacks. First, we find that there exist adversaries that can mount DefecTor attacks: for example, Google's DNS resolver observes almost 40% of all DNS requests exiting the Tor network. We also find that DNS requests often traverse ASes that the corresponding TCP connections do not transit, enabling additional ASes to gain information about Tor users' traffic. We then show that an adversary that can mount a DefecTor attack can often determine the website that a Tor user is visiting with perfect precision, particularly for less popular websites where the set of DNS names associated with that website may be unique to the site. We also use the Tor Path Simulator (TorPS) in combination with traceroute data from vantage points co-located with Tor exit relays to estimate the power of AS-level adversaries that might mount DefecTor attacks in practice.

Keyword
Tor, Website Fingerprinting, Correlation Attacks, Anonymity, DNS
National Category
Computer Science
Research subject
Computer Science
Identifiers
urn:nbn:se:kth:diva-196505 (URN); 10.14722/ndss.2017.23311 (DOI); 1-1891562-46-0 (ISBN)
Conference
Network and Distributed System Security Symposium (NDSS) 2017
Funder
Swedish Foundation for Strategic Research, FFL09-0086; Swedish Research Council, VR 2009-3793
Note

Accepted.

QC 20161115

Available from: 2016-11-14; Created: 2016-11-14; Last updated: 2016-11-15. Bibliographically approved

Open Access in DiVA

File information: File name FULLTEXT01.pdf; File size 5982 kB; Checksum SHA-512:
0e74873f9d70d9fd865e4a4edd5180109cd542394f496eb41635fbcf9b064bb08976b969f22c9cf383d665e06f1b7807b34f9d1ee67af25178e7462591021dcc
Type: fulltext; Mimetype: application/pdf

Author/editor: Greschbach, Benjamin
Organisation: Theoretical Computer Science, TCS; Computer Science
