\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{proof}
\usepackage{beamerthemeplainculight}
\usepackage[T1]{fontenc}
\usepackage[latin1]{inputenc}
\usepackage{mathpartir}
\usepackage{isabelle}
\usepackage{isabellesym}
\usepackage[absolute,overlay]{textpos}
\usepackage{ifthen}
\usepackage{tikz}
\usepackage{courier}
\usepackage{listings}
\usetikzlibrary{arrows}
\usetikzlibrary{positioning}
\usetikzlibrary{calc}
\usepackage{graphicx} 
\usetikzlibrary{shapes}
\usetikzlibrary{shadows}
\usetikzlibrary{plotmarks}


\isabellestyle{rm}
\renewcommand{\isastyle}{\rm}%
\renewcommand{\isastyleminor}{\rm}%
\renewcommand{\isastylescript}{\footnotesize\rm\slshape}%
\renewcommand{\isatagproof}{}
\renewcommand{\endisatagproof}{}
\renewcommand{\isamarkupcmt}[1]{#1}

% Isabelle characters
\renewcommand{\isacharunderscore}{\_}
\renewcommand{\isacharbar}{\isamath{\mid}}
\renewcommand{\isasymiota}{}
\renewcommand{\isacharbraceleft}{\{}
\renewcommand{\isacharbraceright}{\}}
\renewcommand{\isacharless}{$\langle$}
\renewcommand{\isachargreater}{$\rangle$}
\renewcommand{\isasymsharp}{\isamath{\#}}
\renewcommand{\isasymdots}{\isamath{...}}
\renewcommand{\isasymbullet}{\act}



\definecolor{javared}{rgb}{0.6,0,0} % for strings
\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc

\lstset{language=Java,
	basicstyle=\ttfamily,
	keywordstyle=\color{javapurple}\bfseries,
	stringstyle=\color{javagreen},
	commentstyle=\color{javagreen},
	morecomment=[s][\color{javadocblue}]{/**}{*/},
	numbers=left,
	numberstyle=\tiny\color{black},
	stepnumber=1,
	numbersep=10pt,
	tabsize=2,
	showspaces=false,
	showstringspaces=false}

\lstdefinelanguage{scala}{
  morekeywords={abstract,case,catch,class,def,%
    do,else,extends,false,final,finally,%
    for,if,implicit,import,match,mixin,%
    new,null,object,override,package,%
    private,protected,requires,return,sealed,%
    super,this,throw,trait,true,try,%
    type,val,var,while,with,yield},
  otherkeywords={=>,<-,<\%,<:,>:,\#,@},
  sensitive=true,
  morecomment=[l]{//},
  morecomment=[n]{/*}{*/},
  morestring=[b]",
  morestring=[b]',
  morestring=[b]"""
}

\lstset{language=Scala,
	basicstyle=\ttfamily,
	keywordstyle=\color{javapurple}\bfseries,
	stringstyle=\color{javagreen},
	commentstyle=\color{javagreen},
	morecomment=[s][\color{javadocblue}]{/**}{*/},
	numbers=left,
	numberstyle=\tiny\color{black},
	stepnumber=1,
	numbersep=10pt,
	tabsize=2,
	showspaces=false,
	showstringspaces=false}

% beamer stuff 
\renewcommand{\slidecaption}{APP 09, King's College London, 27 November 2012}
\newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions
\newcommand{\bl}[1]{\textcolor{blue}{#1}}

\begin{document}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}<1>[t]
\frametitle{%
  \begin{tabular}{@ {}c@ {}}
  \\
  \LARGE Access Control and \\[-3mm] 
  \LARGE Privacy Policies (9)\\[-6mm] 
  \end{tabular}}\bigskip\bigskip\bigskip

  %\begin{center}
  %\includegraphics[scale=1.3]{pics/barrier.jpg}
  %\end{center}

\normalsize
  \begin{center}
  \begin{tabular}{ll}
  Email:  & christian.urban at kcl.ac.uk\\
  Of$\!$fice: & S1.27 (1st floor Strand Building)\\
  Slides: & KEATS (also homework is there)\\
  \end{tabular}
  \end{center}

\end{frame}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Last Week}

Recall, the Schroeder-Needham (1978) protocol is vulnerable to replay attacks.

\begin{center}
\begin{tabular}{@{}r@ {\hspace{1mm}}l@{}}
\bl{$A \rightarrow S :$} & \bl{$A, B, N_A$}\\
\bl{$S \rightarrow A :$} & \bl{$\{N_A, B, K_{AB},\{K_{AB}, A\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A\}_{K_{BS}} $}\\
\bl{$B \rightarrow A :$} & \bl{$\{N_B\}_{K_{AB}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{N_B-1\}_{K_{AB}}$}\\
\end{tabular}
\end{center}\pause

Fix: Replace messages 2 and 3 to include a timestamp:\bigskip

\begin{minipage}{1.1\textwidth}
\begin{center}
\begin{tabular}{@{\hspace{-2mm}}r@ {\hspace{1mm}}l@{}}
\bl{$S \rightarrow A :$} & \bl{$\{B, K_{\!AB}, T_S, \!\{K_{\!AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\
\end{tabular}
\end{center}
\end{minipage}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{Denning-Sacco Fix}

Denning-Sacco (1981) suggested to add the timestamp, but omit the handshake:\bigskip

\begin{minipage}{1.1\textwidth}
\begin{center}
\begin{tabular}{@{\hspace{-2mm}}r@ {\hspace{1mm}}l@{}}
\bl{$A \rightarrow S :$} & \bl{$A, B$}\\
\bl{$S \rightarrow A :$} & \bl{$\{B, K_{\!AB}, T_S, \!\{K_{\!AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\
\textcolor{lightgray}{$B \rightarrow A :$} & \textcolor{lightgray}{$\{N_B\}_{K_{AB}}$}\\
\textcolor{lightgray}{$A \rightarrow B :$} & \textcolor{lightgray}{$\{N_B-1\}_{K_{AB}}$}\\
\end{tabular}
\end{center}
\end{minipage}\bigskip

they argue \bl{$A$} and \bl{$B$} can check that the messages are not replays of earlier 
runs, by checking the time difference with when the protocol is last used
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{\begin{tabular}{@{}c@{}}Denning-Sacco-Lowe Fix of Fix\end{tabular}}

Lowe (1997) disagreed and said the handshake should be kept, 
otherwise:\bigskip 

\begin{minipage}{1.1\textwidth}
\begin{center}
\begin{tabular}{@{\hspace{-7mm}}r@ {\hspace{1mm}}l@{}}
\bl{$A \rightarrow S :$} & \bl{$A, B$}\\
\bl{$S \rightarrow A :$} & \bl{$\{B, K_{\!AB}, T_S, \!\{K_{\!AB}, A, T_S\}_{K_{BS}} \}_{K_{AS}}$}\\
\bl{$A \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\\
\bl{$I(A) \rightarrow B :$} & \bl{$\{K_{AB}, A, T_S\}_{K_{BS}} $}\hspace{5mm}\textcolor{black}{replay}\\
\end{tabular}
\end{center}
\end{minipage}\bigskip

When is this a problem?\pause\medskip

Assume \bl{$B$} is a bank and the message is ``Draw \pounds{1000} from \bl{$A$}'s
account and transfer it to \bl{$I$}.''
\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{Privacy}

\begin{minipage}{1.05\textwidth}
\begin{itemize}
\item we \alert{do} want that government data is made public (free maps for example)
\item we \alert{do not} want that medical data becomes public (similarly tax data, school 
records, job offers)\bigskip
\item personal information can potentially lead to fraud 
(identity theft)
\end{itemize}\pause

{\bf ``The reality'':}
\only<2>{\begin{itemize}
\item London Health Programmes lost in June unencrypted details of more than 8 million people
(no names, but postcodes and details such as gender, age and ethnic origin)
\end{itemize}}
\only<3>{\begin{itemize}
\item also in June Sony, got hacked: over 1M users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts.
\end{itemize}}
\end{minipage}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

   
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Privacy and Big Data}

Selected sources of ``Big Data'':\smallskip{}

\begin{itemize}
\item Facebook 
\begin{itemize}
\item 40+ Billion photos (100 PB)
\item 6 Billion messages daily (5 - 10 TB)
\item 900 Million users  
\end{itemize}
\item Common Crawl
\begin{itemize}
\item covers 3.8 Billion webpages (2012 dataset)
\item 50 TB of data
\end{itemize}
\item Google
\begin{itemize}
\item 20 PB daily (2008)
\end{itemize}
\item Twitter
\begin{itemize}
\item 7 Million users in the UK
\item a company called Datasift is allowed to mine all tweets since 2010
\item they charge 10k per month for other companies to target advertisement
\end{itemize}
\end{itemize}\pause


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Cookies\ldots}

``We have published a new cookie policy. It explains what cookies are 
and how we use them on our site. To learn more about cookies and 
their benefits, please view our cookie policy.\medskip

If you'd like to disable cookies on this device, please view our information 
pages on 'How to manage cookies'. Please be aware that parts of the 
site will not function correctly if you disable cookies. \medskip

By closing this 
message, you consent to our use of cookies on this device in accordance 
with our cookie policy unless you have disabled them.''


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Scare Tactics}

The actual policy reads:\bigskip

``As we explain in our Cookie Policy, cookies help you to get the most 
out of our websites.\medskip

If you do disable our cookies you may find that certain sections of our 
website do not work. For example, you may have difficulties logging in 
or viewing articles.''




\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Netflix Prize}

Anonymity is \alert{necessary} for privacy, but \alert{not} enough!\bigskip

\begin{itemize}
\item Netflix offered in 2006 (and every year until 2010) a 1 Mio \$ prize for improving their movie rating algorithm
\item dataset contained 10\% of all Netflix users (appr.~500K)
\item names were removed, but included numerical ratings as well as times of rating
\item some information was \alert{perturbed} (i.e., slightly modified)
\end{itemize}

\hfill{\bf\alert{All OK?}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Re-identification Attack}

Two researchers analysed the data: 

\begin{itemize}
\item with 8 ratings (2 of them can be wrong) and corresponding dates that can have a margin 14-day error, 98\% of the
records can be identified
\item for 68\% only two ratings and dates are sufficient (for movie ratings outside the top 500)\bigskip\pause
\item they took 50 samples from IMDb (where people can reveal their identity)
\item 2 of them uniquely identified entries in the Netflix database (either by movie rating or by dates)
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{}

\begin{itemize}
\item Birth data, postcode and gender (unique for\\ 87\% of the US population)
\item Preferences in movies (99\% of 500K for 8 ratings)
\end{itemize}\bigskip

Therefore best practices / or even law (HIPAA, EU): 

\begin{itemize}
\item only year dates (age group for 90 years or over), 
\item no postcodes (sector data is OK, similarly in the US)\\
\textcolor{gray}{no names, addresses, account numbers, licence plates}
\item disclosure information needs to be retained for 5 years
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{How to Safely Disclose Information?}

\only<1>{
\begin{itemize}
\item Assume you make a survey of 100 randomly chosen people.
\item Say 99\% of the surveyed people in the 10 - 40 age group have seen the
Gangnam video on youtube.\bigskip

\item What can you infer about the rest of the population? 
\end{itemize}}
\only<2>{
\begin{itemize}
\item Is it possible to re-identify data later, if more data is released. \bigskip\bigskip\pause

\item Not even releasing only  aggregate information prevents re-identification attacks.
(GWAS was a public database of gene-frequency studies linked to diseases;
you only needed partial DNA information  in order
to identify whether an individual was part of the study --- DB closed in 2008) 
\end{itemize}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Differential Privacy}

\begin{center}
User\;\;\;\;    
\begin{tabular}{c}
tell me \bl{$f(x)$} $\Rightarrow$\\
$\Leftarrow$ \bl{$f(x) + \text{noise}$}
\end{tabular}
\;\;\;\;\begin{tabular}{@{}c}
Database\\
\bl{$x_1, \ldots, x_n$}
\end{tabular}
\end{center}


\begin{itemize}
\item \bl{$f(x)$} can be released, if \bl{$f$} is insensitive to
individual entries  \bl{$x_1, \ldots, x_n$}\\
\item Intuition: whatever is learned from the dataset would be learned regardless of whether
\bl{$x_i$} participates\bigskip\pause 

\item Noised needed in order to prevent queries:\\ Christian's salary $=$ 
\begin{center}
\bl{\large$\Sigma$} all staff $-$  \bl{\large$\Sigma$} all staff $\backslash$ Christian
\end{center} 
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{Adding Noise}

Adding noise is not as trivial as one would wish:

\begin{itemize}
\item If I ask how many of three have seen the Gangnam video and get a result
as follows 

\begin{center}
\begin{tabular}{l|c}
Alice & yes\\
Bob & no\\
Charlie & yes\\
\end{tabular}
\end{center}

then I have to add a noise of \bl{$1$}. So answers would be in the
range of \bl{$1$} to \bl{$3$}

\bigskip
\item But if I ask five questions for all the dataset (has seen Gangnam video, is male, below 30, \ldots),
then one individual can change the dataset by \bl{$5$}
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 




%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{\begin{tabular}{@{}c@{}}Tor, Anonymous Webbrowsing\end{tabular}}

\begin{itemize}
\item initially developed by US Navy Labs, but then opened up to the world 
\item network of proxy nodes
\item a Tor client establishes a ``random'' path to the destination server (you cannot trace back where the information came from)\bigskip\pause
\end{itemize}

\only<2>{
\begin{itemize}
\item malicious exit node attack: someone set up 5 Tor exit nodes and monitored the traffic:
\begin{itemize}
\item a number of logons and passwords used by embassies (Usbekistan `s1e7u0l7c', while
Tunesia `Tunesia' and India `1234')
\end{itemize}
\end{itemize}}
\only<3>{
\begin{itemize}
\item bad apple attack: if you have one insecure application, your IP can be tracked through Tor
\begin{itemize}
\item background: 40\% of traffic on Tor is generated by BitTorrent
\end{itemize}
\end{itemize}}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[t]
\frametitle{\begin{tabular}{@{}c@{}}Skype Secure Communication\end{tabular}}

\begin{itemize}
\item Skype used to be known as a secure online communication (encryption cannot be disabled), 
but \ldots\medskip

\item it is impossible to verify whether crypto algorithms are correctly used, or whether  there are backdoors.\bigskip
 
\item recently someone found out that you can reset the password of somebody else's
account, only knowing their email address (needed to suspended the password reset feature temporarily)
\end{itemize}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@{}c@{}}Take Home Point\end{tabular}}

According to Ross Anderson: \bigskip
\begin{itemize}
\item Privacy in a big hospital is just about doable.\medskip
\item How do you enforce privacy  in something as big as Google
or complex as Facebook? No body knows.\bigskip

Similarly, big databases imposed by government
\end{itemize}


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
\frametitle{\begin{tabular}{@{}c@{}}Next Week\end{tabular}}

Homework: Which areas should I focus on?


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

\end{document}

%%% Local Variables:  
%%% mode: latex
%%% TeX-master: t
%%% End: