Interdependent privacy (IDP) violations among users occur at a massive scale on social media, as users share or re-share potentially sensitive photos and information about other people without permission. Given that IDP represents a collective moral concern, an ethics of care (or “care ethics”) can inform interventions to promote online privacy. Applied to cyber security and privacy, ethics of care theory puts human relationships at the center of moral problems, where caring-about supports conditions of caring-for and, in turn, protects interpersonal relationships. This position paper explores design implications of an ethics of care framework in the context of IDP preservation. First, we argue that care ethics highlights the need for a network of informed stakeholders involved in content moderation strategies that align with public values. Second, an ethics of care framework calls for psychosocial interventions at the user-level aimed toward promoting more responsible IDP decision-making among the general public. In conclusion, ethics of care has potential to provide coherence in understanding the people involved in IDP, the nature of IDP issues, and potential solutions, in turn, motivating new directions in IDP research.
Rethinking Single Sign-On: A Reliable and Privacy-Preserving Alternative with Verifiable Credentials
Single sign-on (SSO) has provided convenience to users in the web domain, as it can authorize a user to access various resource providers (RPs) through the identity provider (IdP)'s unified authentication portal. However, SSO also faces security problems, including the IdP as a single point of failure and the privacy risk of identity linkage across RPs. In this paper, we present the initial design of an alternative SSO solution called VC-SSO to address these security and privacy problems while preserving SSO's usability. VC-SSO leverages the recently emerged decentralized identifier (DID) and verifiable credential (VC) framework: a user only needs to authenticate with the IdP once to obtain a VC, and may then generate multiple verifiable presentations (VPs) from that VC to access different RPs. This relies on each RP having established a smart contract with the IdP that specifies the service agreement and the VP schema for user authorization. We hope the proposed VC-SSO design marks the first step toward a future SSO system that provides strong reliability and privacy to users under adversarial conditions.
- Award ID(s):
- 2247561
- PAR ID:
- 10498908
- Publisher / Repository:
- ACM
- Date Published:
- Journal Name:
- Proceedings of the 10th ACM Workshop on Moving Target Defense
- ISBN:
- 9798400702563
- Page Range / eLocation ID:
- 25 to 28
- Subject(s) / Keyword(s):
- Single sign-on, privacy, authentication, verifiable credential
- Format(s):
- Medium: X
- Location:
- Copenhagen Denmark
- Sponsoring Org:
- National Science Foundation
More Like this
Information-centric networking (ICN) replaces the widely used host-centric networking paradigm in communication networks (e.g., the Internet and mobile ad hoc networks) with an information-centric paradigm, which prioritizes the delivery of named content, oblivious of the content's origin. Content and client security, provenance, and identity privacy are intrinsic by design in the ICN paradigm, as opposed to the current host-centric paradigm, where they have been instrumented as an afterthought. However, given its nascency, the ICN paradigm has several open security and privacy concerns. In this paper, we survey the existing literature on security and privacy in ICN and present open questions. More specifically, we explore three broad areas: 1) security threats; 2) privacy risks; and 3) access control enforcement mechanisms. We present the underlying principle of the existing works, discuss the drawbacks of the proposed approaches, and explore potential future research directions. In security, we review attack scenarios such as denial of service, cache pollution, and content poisoning. In privacy, we discuss user privacy and anonymity, name and signature privacy, and content privacy. ICN's feature of ubiquitous caching introduces a major challenge for access control enforcement that requires special attention. We review existing access control mechanisms, including encryption-based, attribute-based, session-based, and proxy re-encryption-based access control schemes. We conclude the survey with lessons learned and scope for future work.
As part of its ongoing efforts to meet the increased spectrum demand, the Federal Communications Commission (FCC) has recently opened up 150 MHz in the 3.5 GHz band for shared wireless broadband use. Access and operations in this band, a.k.a. Citizens Broadband Radio Service (CBRS), will be managed by a dynamic spectrum access system (SAS) to enable seamless spectrum sharing between secondary users (SUs) and incumbent users. Despite its benefits, SAS's design requirements, as set by the FCC, present privacy risks to SUs, because SUs are required to share sensitive operational information (e.g., location, identity, spectrum usage) with the SAS in order to learn about spectrum availability in their vicinity. In this paper, we propose TrustSAS, a trustworthy framework for SAS that synergizes state-of-the-art cryptographic techniques with blockchain technology in an innovative way to address these privacy issues while complying with the FCC's regulatory design requirements. We analyze the security of our framework and evaluate its performance through analysis, simulation and experimentation. We show that TrustSAS can offer high security guarantees with reasonable overhead, making it an ideal solution for addressing SUs' privacy issues in an operational SAS environment.
In smart grids, two-way communication between end-users and the grid allows frequent data exchange, which on one hand enhances users' experience, while on the other hand increases security and privacy risks. In this paper, we propose an efficient system to address these security and privacy problems, in contrast to data aggregation schemes with high cryptographic overheads. In the proposed system, users are grouped into local communities, and trust-based blockchains are formed in each community to manage smart grid transactions, such as reporting aggregated meter readings, in a lightweight fashion. We show through a detailed analysis that the proposed system can meet the key security objectives. Experiments also demonstrate that the proposed system is efficient and can provide a satisfactory user experience, and that the trust value design can easily distinguish benign users from bad actors.
Interdependent privacy (IDP) violations occur when users share personal information about others without permission, resulting in potential embarrassment, reputation loss, or harassment. There are several strategies that can be applied to protect IDP, but little is known regarding how social media users perceive IDP threats or how they prefer to respond to them. We utilized a mixed-method approach with a replication study to examine user beliefs about various government-, platform-, and user-level strategies for managing IDP violations. Participants reported that IDP represented a 'serious' online threat, and identified themselves as primarily responsible for responding to violations. IDP strategies that felt more familiar and provided greater perceived control over violations (e.g., flagging, blocking, unfriending) were rated as more effective than platform- or government-driven interventions. Furthermore, we found users were more willing to share on social media if they perceived their interactions as protected. Findings are discussed in relation to control paradox theory.