 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can be detected by user or remote system (tamper bit is set in TPM)  Guarantee that no keys can be compromised  No, keys that go to OS and are used by sw can still be compromised  Guarantee that applications cannot be changed or compromised  No, I can only detect compromise by comparing hashes of apps in hw What TC Can and Can’t Do

 Guarantee that no rootkits can reside on the system  No, but we can detect compromise by comparing hashes of OS files in hw  Guarantee that applications cannot interfere with each other  Yes, due to OS separation  Guarantee data safety on disk  Yes, we can encrypt data separately for each virtual system and we can encrypt the whole disk  No, because encryption happens in sw

What is Privacy?  Privacy is about PII  It is primarily a policy issue  Privacy is an issue of user education o Make sure users are aware of the potential use of the information they provide o Give the user control  Privacy is a security issue o Security is needed to implement the policy

 Sometimes conflicting o Many security technologies depend on identification o Many approaches to privacy depend on hiding one’s identity  Sometimes supportive o Privacy depends on protecting PII (personally identifiable information) o Poor security makes it more difficult to protect such information

 How much low level information should be kept to help track down cyber attacks o Such information can be used to breach privacy assurances o How long can such data be kept

 Business Concerns o Disclosing Information we think of as privacy- related can divulge business plans ▪ Mergers ▪ Product plans ▪ Investigations  Some “private” information is used for authentication o SSN o Credit card numbers

 Location o From IP address o From Cell Phones o From RFID  Interests, Purchase History, Political/Religious Affiliations o From RFID o From transaction details o From network and server traces

 Associates o From network, phone, records o From location based information  Health Information o From Purchases o From location based information o From web history

 Aren’t the only ones that need to be concerned about privacy the ones that are doing things that they shouldn’t?  Consider the following: o Use of information outside original context  Certain information may be omitted o Implications may be mis-represented o Inference of data that is sensitive o Data can be used for manipulation

 Consider whether it is safe to release information in aggregate o Such information is presumably no longer personally identifiable o But given partial information, it is sometimes possible to derive other information by combining it with the aggregated data.

 Consider whether it is safe to release information that has been stripped of so called personal identifiers o Such information is presumably no longer personally identifiable What is important is not just anonymity, but linkability If I can link multiple queries, I might be able to infer the identity of the person issuing the query through one query, at which point, all anonymity is lost

 Even when specifics of communication are hidden, the mere knowledge of communication between parties provides useful information to an adversary o E.g. pending mergers or acquisitions o Relationships between entities o Created visibility of the structure of an organizations o Allows some inference about interests

 Lists of the web sites you visit  logs  Phone records  Perhaps you expose the linkages through web sites like linked in  Consider what information remains in the clear when you design security protocols

 Researchers need network data o To validate their solutions o To mine and understand trends  Sharing network data creates necessary diversity o Enables generalization of results o Creates a lot of privacy concerns o Very few public traffic trace archives (CAIDA, WIDE, LBNL, ITA, PREDICT, CRAWDAD, MIT DARPA)

 Remove or obscure (anonymize) sensitive data o Remove packet contents and application headers o Anonymize IP addresses  Positional - anonymize in order of appearance. Inconsistent and lose information about networks  Cryptographic - anonymize by encrypting with a key. Consistent but still lose information about networks.  Prefix-preserving - cryptographic approach is applied to portions of IP separately to preserve network information.  Sanitization loses a lot of data - application headers, contents, IP addresses o This is acceptable for some research but not for all  Sanitized data still has sensitive information

 Passive attacker o Observe publicly released trace o Use some public or private auxiliary information to infer private data  Active attacker o Insert traffic during trace collection o Identify this traffic later in public trace  This creates an auxiliary information channel  Can learn what method was used to obscure private data  Can verify presence or absence of data items with same/similar values in other records o Provider cannot identify injected traffic  Covert channel problem