CPFinder: Finding an unknown caller's profession from anonymized mobile phone data

Identifying an unfamiliar caller's profession is important to protect citizens' personal safety and property. Owing to the limited data protection of various popular online services in some countries, such as taxi hailing and ordering takeouts, many users presently encounter an increasing number of phone calls from strangers. The situation may be aggravated when criminals pretend to be such service delivery staff, threatening the user individuals as well as the society. In addition, numerous people experience excessive digital marketing and fraudulent phone calls because of personal information leakage. However, previous works on malicious call detection only focused on binary classification, which does not work for the identification of multiple professions. We observed that web service requests issued from users' mobile phones might exhibit their application preferences, spatial and temporal patterns, and other profession-related information. This offers researchers and engineers a hint to identify unfamiliar callers. In fact, some previous works already leveraged raw data from mobile phones (which includes sensitive information) for personality studies. However, accessing users' mobile phone raw data may violate the more and more strict private data protection policies and regulations (e.g., General Data Protection Regulation). We observe that appropriate statistical methods can offer an effective means to eliminate private information and preserve personal characteristics, thus enabling the identification of the types of mobile phone callers without privacy concerns. In this paper, we develop CPFinder —- a system that exploits privacy-preserving mobile data to automatically identify callers who are divided into four categories of users: taxi drivers, delivery and takeouts staffs, telemarketers and fraudsters, and normal users (other professions). Our evaluation of an anonymized dataset of 1,282 users over a period of 3 months in Shanghai City shows that the CPFinder can achieve accuracies of more than 75.0% and 92.4% for multiclass and binary classifications, respectively.     

PPDM中面向k-匿名的MI Loss评估模型

隐私保护数据挖掘（PPDM）利用匿名化等方法使数据所有者在不泄露隐私信息的前提下,安全发布在数据挖掘中有效可用的数据集。k-匿名算法作为PPDM研究使用最广泛的算法之一,具有计算开销低、数据形变小、能抵御链接攻击等优点,但是在一些k-匿名算法研究中使用的数据可用性评估模型的权重设置不合理,导致算法选择的最优匿名数据集在后续的分类问题中分类准确率较低。提出一种使用互信息计算权重的互信息损失（MI Loss）评估模型。互信息反映变量间的关联关系,MI Loss评估模型根据准标识符和标签之间的互信息计算权重,并通过Loss公式得到各个准标识符的信息损失,将加权后的准标识符信息损失的和作为数据集的信息损失,以弥补评估模型的缺陷。实验结果证明,运用MI Loss评估模型指导k-匿名算法能够明显降低匿名数据集在后续分类中的可用性丢失,相较于Loss模型和Entropy Loss模型,该模型分类准确率提升了0.73%~3.00%。     

A soft computing approach for privacy requirements engineering: The PriS framework

Soft computing continuously gains interest in many fields of academic and industrial domain; among the most notable characteristics for using soft computing methodological tools is the ability to handle with vague and imprecise data in decision making processes. Similar conditions are often encountered in requirements engineering. In this paper, we introduce the PriS approach, a security and privacy requirements engineering framework which aims at incorporating privacy requirements early in the system development process. Specifically, PriS provides a set of concepts for modelling privacy requirements in the organisation domain and a systematic way-of-working for translating these requirements into system models. The conceptual model of PriS uses a goal hierarchy structure. Every privacy requirement is either applied or not on every goal. To this end every privacy requirement is a variable that can take two values [0,1] on every goal meaning that the requirements constraints the goal (value 1) or not (value 0). Following this way of working PriS ends up suggesting a number of implementation techniques based on the privacy requirements constraining the respective goals. Taking into account that the mapping of privacy variables to a crisp set consisting of two values [0,1] is constraining, we extend also the PriS framework so as to be able to address the degree of participation of every privacy requirement towards achieving the generic goal of privacy. Therefore, we propose a fuzzification of privacy variables that maps the expression of the degree of participation of each privacy variable to the [0,1] interval. We also present a mathematical framework that allows the concurrent management of combined independent preferences towards the necessity of a privacy measure; among the advantages of the presented extended framework is the scalability of the approach in such a way that the results are not limited by the number of independent opinions or by the number of factors considered while reasoning for a specific selection of privacy measures.     

A secure collaboration service for dynamic virtual organizations

Nowadays, various promising paradigms of distributed computing over the Internet, such as Grids, P2P and Clouds, have emerged for resource sharing and collaboration. To enable resources sharing and collaboration across different domains in an open computing environment, virtual organizations (VOs) often need to be established dynamically. However, the dynamic and autonomous characteristics of participating domains pose great challenges to the security of virtual organizations. In this paper, we propose a secure collaboration service, called PEACE-VO, for dynamic virtual organizations management. The federation approach based on role mapping has extensively been used to build virtual organizations over multiple domains. However, there is a serious issue of potential policy conflicts with this approach, which brings a security threat to the participating domains. To address this issue, we first depict concepts of implicit conflicts and explicit conflicts that may exist in virtual organization collaboration policies. Then, we propose a fully distributed algorithm to detect potential policy conflicts. With this algorithm participating domains do not have to disclose their full local privacy policies, and is able to withhold malicious internal attacks. Finally, we present the system architecture of PEACE-VO and design two protocols for VO management and authorization. PEACE-VO services and protocols have successfully been implemented in the CROWN test bed. Comprehensive experimental study demonstrates that our approach is scalable and efficient.     

All about me: Disclosure in online social networking profiles: The case of FACEBOOK

The present research examined disclosure in online social networking profiles (i.e., FACEBOOK™). Three studies were conducted. First, a scoring tool was developed in order to comprehensively assess the content of the personal profiles. Second, grouping categories (default/standard information, sensitive personal information, and potentially stigmatizing information) were developed to examine information pertinent to identity threat, personal and group threat. Third, a grouping strategy was developed to include all information present in FACEBOOK™, but to organize it in a meaningful way as a function of the content that was presented. Overall, approximately 25% of all possible information that could potentially be disclosed by users was disclosed. Presenting personal information such as gender and age was related to disclosure of other sensitive and highly personal information. Age and relationship status were important factors in determining disclosure. As age increased, the amount of personal information in profiles decreased. Those seeking a relationship were at greatest risk of threat, and disclosed the greatest amount of highly sensitive and potentially stigmatizing information. These implications of these findings with respect to social and legal threats, and potential means for identifying users placing themselves at greatest risk, are discussed.     

Comparison of paper-and-pencil versus Web administration of the Youth Risk Behavior Survey (YRBS): Participation,data quality,and perceived privacy and anonymity

The Youth Risk Behavior Surveillance System (YRBSS) monitors priority health-risk behaviors among US high school students. To better understand the ramifications of changing the YRBSS from paper-and-pencil to Web administration, in 2008 the Centers for Disease Control and Prevention conducted a study comparing these two modes of administration. Eighty-five schools in 15 states agreed to participate in the study. Within each participating school, four classrooms of students in grades 9 or 10 were randomly assigned to complete the Youth Risk Behavior Survey questionnaire in one of four conditions (in-class paper-and-pencil, in-class Web without programmed skip patterns, in-class Web with programmed skip patterns, and “on your own” Web without programmed skip patterns). Findings included less missing data for the paper-and-pencil condition (1.5% vs. 5.3%, 4.4%, 6.4%; p < .001), less perceived privacy and anonymity among respondents for the in-class Web conditions, and a lower response rate for the “on your own” Web condition than for in-class administration by either mode (28.0% vs. 91.2%, 90.1%, 91.4%; p < .001). Although Web administration might be useful for some surveys, these findings do not favor the use of a Web survey for the YRBSS.     

The Shadow Knows: Refinement and security in sequential programs

Stepwise refinement is a crucial conceptual tool for system development, encouraging program construction via a number of separate correctness-preserving stages which ideally can be understood in isolation. A crucial conceptual component of security is an adversary’s ignorance of concealed information. We suggest a novel method of combining these two ideas.Our suggestion is based on a mathematical definition of “ignorance-preserving” refinement that extends classical refinement by limiting an adversary’s access to concealed information: moving from specification to implementation should never increase that access. The novelty is the way we achieve this in the context of sequential programs.Specifically we give an operational model (and detailed justification for it), a basic sequential programming language and its operational semantics in that model, a “logic of ignorance” interpreted over the same model, then a program-logical semantics bringing those together — and finally we use the logic to establish, via refinement, the correctness of a real (though small) protocol: Rivest’s Oblivious Transfer. A previous report^? treated Chaum’s Dining Cryptographers similarly.In passing we solve the Refinement Paradox for sequential programs.     

Anti-cloning protocol suitable to EPCglobal Class-1 Generation-2 RFID systems

Radio frequency Identification (RFID) systems are used to identify remote objects equipped with RFID tags by wireless scanning without manual intervention. Recently, EPCglobal proposed the Electronic Product Code (EPC) that is a coding scheme considered to be a possible successor to bar-code with added functionalities. In RFID-based applications where RFID tags are used to identify and track tagged objects, an RFID tag emits its EPC in plaintext. This makes the tag inevitably vulnerable to cloning attacks as well as information leakage and password disclosure. In this paper, we propose a novel anti-cloning method in accordance with the EPCglobal Class-1 Generation-2 (C1G2) standard. Our method only uses functions that can be supported by the standard and abides by the communication flow of the standard. The method is also secure against threats such as information leakage and password disclosure.     

Using Visualization to Explore Original and Anonymized LBSN Data

We present GSUVis, a visualization tool designed to provide better understanding of location‐based social network (LBSN) data. LBSN data is one of the most important sources of information for transportation, marketing, health, and public safety. LBSN data consumers are interested in accessing and analysing data that is as complete and as accurate as possible. However, LBSN data contains sensitive information about individuals. Consequently, data anonymization is of critical importance if this data is to be made available to consumers. However, anonymization commonly reduces the utility of information available. Working with privacy experts, we designed GSUVis a visual analytic tool to help experts better understand the effects of anonymization techniques on LBSN data utility. One of GSUVis's primary goals is to make it possible for people to use LBSN data, without requiring them to gain deep knowledge about data anonymization. To inform the design of GSUVis, we interviewed privacy experts, and collected their tasks and system requirements. Based on this understanding, we designed and implemented GSUVis. It applies two anonymization algorithms for social and location trajectory data to a real‐world LBSN dataset and visualizes the data both before and after anonymization. Through feedback from domain experts, we reflect on the effectiveness of GSUVis and the impact of anonymization using visualization.     

Cross-border issues under EU data protection law with regards to personal data protection

We are living in an inter-connected, global digital society where the services of different operating systems are universal in nature, but many Internet activities are still being tackled by national laws and regulations. A long-existing question is which law is applicable in cases of Internet activities because the online world does not have any physical boundaries. How the European Union (EU) approaches this duality has become a concern for data protection laws. By analysing some recent Court of Justice of the European Union case laws, this article seeks to discover how the EU data protection law tackles disputes involving transnational issues online, which includes its extra-territorial application and cross-border data transfers. The article also indicates that there is an enormous gap between legislation and practice.