Michael Spiegel, Esq Timothy Shimeall, Ph.D.

Presentation transcript:

Protecting Privacy During Network Flow Analysis: A Survey of Possible Approaches

Distribution Statements

This presentation is not considered legal advice and does not establish an attorney-client relationship.

Copyright 2016 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

CERT® and FloCon® are registered marks of Carnegie Mellon University.

DM-0004331

Overview
- Possible abuses
- Privacy concerns
- Why privacy matters
- Privacy protection methods

Possible Abuses
- Connection between addresses and individuals
- Browsing history
- Absence of customary activity
- Corporate activity
- Visits to unacceptable sites
- Visits to revealing sites
- Changes in corporate behavior
- Insider trading

Privacy Concerns
- US HIPAA
  - Reasonable basis to believe it can be used to identify individual
  - Inferences about medical information
- US SEC Regulation Fair Disclosure
  - Non-public information
  - Financially exploitable network behavior
  - Network traffic related to compromise
- US Children’s Online Privacy Protection Act
  - Identification of children via browsing patterns
  - Child profiling information
- US Communications Act of 1934, Section 222
  - Customer Proprietary Network Information
  - Internal abuse
- Organization for Economic Cooperation and Development (OECD) Privacy Principles
  - #2 - Data Quality
  - #4 - Use Limitation

Why Privacy Matters

“Metadata absolutely tells you everything about somebody’s life….If you have enough metadata you don’t really need content…. [It’s] sort of embarrassing how predictable we are as human beings.”
-- Stewart Baker, former general counsel, NSA

- Network flow analysis is a new field
- Effect of laws and regulations on collection not much explored
- Privacy policies and limitations on use of network flow data
- Least privilege and limited access
- Management concerns

Methods of Protection
- All of these will impair analysis to a degree
- Analogous to database protection methods
- Data suppression – don’t allow some queries
- Data aggregation – collapse addresses to net blocks, statistical trends
- Data concealment – anonymize results (see prior FloCon presentation)
- Noise insertion – insert false data to conceal identity
- Disclose information kept and obtain consent of users
- Opt-out for non-sensitive information
- Opt-in for sensitive information (active permission)
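As an added illustration (not code from the presentation), the sketch below combines two of the methods listed above: it aggregates source addresses into net blocks and suppresses any block whose summary would describe too few distinct hosts. The record layout, the /24 default and the `min_hosts` threshold are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real traffic):
# (source address, destination address, byte count)
FLOWS = [
    ("10.1.1.10", "198.51.100.7", 1200),
    ("10.1.1.11", "198.51.100.7", 800),
    ("10.1.1.12", "198.51.100.9", 400),
    ("10.1.2.20", "203.0.113.5", 5000),
    ("10.1.2.20", "203.0.113.5", 700),
    ("10.1.3.30", "198.51.100.7", 300),
    ("10.1.3.31", "203.0.113.5", 900),
]

def to_block(addr, prefix_len=24):
    """Data aggregation: collapse a host address to its enclosing net block."""
    return str(ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False))

def aggregate(flows, prefix_len=24, min_hosts=2):
    """Summarize flows per source net block.

    Returns (released, suppressed). A block is released only when at least
    min_hosts distinct sources contributed to it; otherwise the summary would
    describe a single identifiable host, so it is withheld (data suppression).
    Destinations are deliberately left out of the released summary.
    """
    hosts = defaultdict(set)
    stats = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for src, _dst, nbytes in flows:
        block = to_block(src, prefix_len)
        hosts[block].add(src)          # used only for the threshold check
        stats[block]["flows"] += 1
        stats[block]["bytes"] += nbytes
    released, suppressed = {}, []
    for block in sorted(stats):
        if len(hosts[block]) >= min_hosts:
            released[block] = {"hosts": len(hosts[block]), **stats[block]}
        else:
            suppressed.append(block)
    return released, suppressed

if __name__ == "__main__":
    released, suppressed = aggregate(FLOWS)
    for block, summary in released.items():
        print(block, summary)
    print("suppressed:", suppressed)
```

Widening the prefix (for example `prefix_len=16`) releases more traffic but tells the analyst less about where it came from, which is the impairment to analysis the slide notes.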

Summary
- Network flow analysis can have privacy risks (less than packet-level, but still some)
- Field is still young
- Currently protected largely by confidentiality clauses in employment agreements
- Need to better understand privacy concerns and protections
- Balance risks of disclosure vs. lack of monitoring
- Issues here affect other sorts of security-relevant data (DNS records, web or email logs, especially packet capture)