skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: Use & Abuse of Personal Information, Part II: Robust Generation of Fake IDs for Privacy Experimentation
When personal information is shared across the Internet, we have limited confidence that the designated second party will safeguard it as we would prefer. Privacy policies offer insight into the best practices and intent of the organization, yet most are written so loosely that sharing with undefined third parties is to be anticipated. Tracking these sharing behaviors and identifying the source of unwanted content is exceedingly difficult when personal information is shared with multiple such second parties. This paper formulates a model for realistic fake identities, constructs a robust fake identity generator, and outlines management methods targeted towards online transactions (email, phone, text) that pass both cursory machine and human examination for use in personal privacy experimentation. This fake ID generator, combined with a custom account signup engine, are the core front-end components of our larger Use and Abuse of Personal Information system that performs one-time transactions that, similar to a cryptographic one-time pad, ensure that we can attribute the sharing back to the single one-time transaction and/or specific second party. The flexibility and richness of the fake IDs also serve as a foundational set of control variables for a wide range of social science research questions revolving around personal information. Collectively, these fake identity models address multiple inter-disciplinary areas of common interest and serve as a foundation for eliciting and quantifying personal information-sharing behaviors.  more » « less
Award ID(s):
1946493
PAR ID:
10595273
Author(s) / Creator(s):
; ; ; ; ;
Publisher / Repository:
MDPI
Date Published:
Journal Name:
Journal of Cybersecurity and Privacy
Volume:
4
Issue:
3
ISSN:
2624-800X
Page Range / eLocation ID:
546 to 571
Subject(s) / Keyword(s):
fake identity privacy active OSINT open source intelligence
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; (, 2020 IEEE International Symposium on Networks, Computers and Communications (ISNCC))
    A large amount of data is often needed to train machine learning algorithms with confidence. One way to achieve the necessary data volume is to share and combine data from multiple parties. On the other hand, how to protect sensitive personal information during data sharing is always a challenge. We focus on data sharing when parties have overlapping attributes but non-overlapping individuals. One approach to achieve privacy protection is through sharing differentially private synthetic data. Each party generates synthetic data at its own preferred privacy budget, which is then released and horizontally merged across the parties. The total privacy cost for this approach is capped at the maximum individual budget employed by a party. We derive the mean squared error bounds for the parameter estimation in common regression analysis based on the merged sanitized data across parties. We identify through theoretical analysis the conditions under which the utility of sharing and merging sanitized data outweighs the perturbation introduced for satisfying differential privacy and surpasses that based on individual party data. The experiments suggest that sanitized HOMM data obtained at a practically reasonable small privacy cost can lead to smaller prediction and estimation errors than individual parties, demonstrating the benefits of data sharing while protecting privacy. 
    more » « less
  2. ; ; ; ; ; ; ; (, The Workshop on Technology and Consumer Protection (ConPro ’19))
    The dominant privacy framework of the information age relies on notions of “notice and consent.” That is, service providers will disclose, often through privacy policies, their data collection practices, and users can then consent to their terms. However, it is unlikely that most users comprehend these disclosures, which is due in no small part to ambiguous, deceptive, and misleading statements. By comparing actual collection and sharing practices to disclosures in privacy policies, we demonstrate the scope of the problem. Through analysis of 68,051 apps from the Google Play Store, their corresponding privacy policies, and observed data transmissions, we investigated the potential misrepresentations of apps in the Designed For Families (DFF) program, inconsistencies in disclosures regarding third-party data sharing, as well as contradictory disclosures about secure data transmissions. We find that of the 8,030 DFF apps (i.e., apps directed at children), 9.1% claim that their apps are not directed at children, while 30.6% claim to have no knowledge that the received data comes from children. In addition, we observe that 10.5% of 68,051 apps share personal identifiers with third-party service providers, yet do not declare any in their privacy policies, and only 22.2% of the apps explicitly name third parties. This ultimately makes it not only difficult, but in most cases impossible, for users to establish where their personal data is being processed. Furthermore, we find that 9,424 apps do not use TLS when transmitting personal identifiers, yet 28.4% of these apps claim to take measures to secure data transfer. Ultimately, these divergences between disclosures and actual app behaviors illustrate the ridiculousness of the notice and consent framework. 
    more » « less
  3. ; (, Washington and Lee law review)
    To prepare for the age of the intelligent, highly connected, and autonomous vehicle, a new approach to concepts of granting consent, managing privacy, and dealing with the need to interact quickly and meaningfully is needed. Additionally, in an environment where personal data is rapidly shared with a multitude of independent parties, there exists a need to reduce the information asymmetry that currently exists between the user and data collecting entities. This Article rethinks the traditional notice and consent model in the context of real-time communication between vehicles or vehicles and infrastructure or vehicles and other surroundings and proposes a re-engineering of current privacy concepts to prepare for a rapidly approaching digital future. In this future, multiple independent actors such as vehicles or other machines may seek personal information at a rate that makes the traditional informed consent model untenable. This Article proposes a two-step approach: As an attempt to meet and balance user needs for a seamless experience while preserving their rights to privacy, the first step is a less static consent paradigm able to better support personal data in systems which use machine based real time communication and automation. In addition, the article proposes a radical re-thinking of the current privacy protection system by sharing the vision of “Privacy as a Service” as a second step, which is an independently managed method of granular technical privacy control that can better protect individual privacy while at the same time facilitating high-frequency communication in a machine-to-machine environment. 
    more » « less
  4. ; ; ; ; ; (, IEEE)
    Dynamic spectrum sharing has emerged as a promising solution to address the spectrum scarcity challenge. Currently, the FCC has designated several Spectrum Access Systems (SAS) administrators to deploy their SAS that coordinates the usage of the certificated shared band(s) such as the 3.55-3.7 GHz CBRS band. The SAS ensures that the incumbent’s access to the shared band is guaranteed while also granting commercial users access rights when the incumbents are not present. However, explicitly sharing the spectrum band(s) information among participants raises privacy concerns. Certain participants, such as curious SAS administrators, have the ability to deduce the confidential operational patterns of the incumbents through the Environmental Sensing Capability (ESC) or Incumbent Informing Capability (IIC) notifications. Additionally, a curious SAS administrator may obtain the client’s operational information of other SAS administrators throughout the process of inter-SAS coordination. We propose Pri-Share, a novel privacy-preserving spectrum sharing paradigm that tailors the threshold-based private set union (PSU) and homomorphic encryption (HE) techniques to address the aforementioned privacy problems. Specifically, it enables all parties to jointly compute a unified spectrum allocation plan to resolve the potential conflicts between different parties while safeguarding the confidentiality of each stakeholder’s spectrum requirements and usage. Pri-Share also ensures that while a curious participant might ascertain the usage of a particular spectrum band, they are unable to deduce the precise identity of the party utilizing it. Besides, Pri-Share adheres to the key spectrum allocation regulations outlined by FCC (part 96), such as assurance of access rights for various priority levels. Our implementation result shows that Pri-Share can be achieved with notable computational and communication efficiency, 
    more » « less
  5. ; ; ; ; (, Digital Health (ICDH), IEEE International Conference on)
    Patients often have their healthcare data stored in centralized systems, leading to challenges when reconciling or consolidating their data across providers due to centralized databases that store patient identities. The challenges disrupt the flow of patient care where time is sensitive for both patients and providers. Decentralized technologies have enabled a new identity model–Self-Sovereign Identity (SSI)–that grants individuals the right to freely control, access, and share their own data. This work proposes a system that achieves SSI in a semi-permissioned blockchain network using an open protocol as the certificate of authority and several guidelines for securely handling transactions in the network. Open protocols like Keccak can grant access to a permission-based network such as Hyperledger Fabric. The network architecture ensures data security and privacy through mechanisms of multi-signature transactions and guidelines for storing transactions locally, making this architecture ideal for privacy-centered use cases, such as healthcare data-sharing applications. The ultimate goal is to give patients full control over their identity and other data derived from their identity within a semi-permissioned network. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email