Internet Security

Privacy researchers devise a noise-exploitation attack that defeats dynamic anonymity


Privacy researchers in Europe believe they have the first proof that a long-theorised vulnerability in systems designed to protect privacy by aggregating and adding noise to data to mask individual identities is no longer just a theory.

The research has implications for the immediate field of differential privacy and beyond — raising wide-ranging questions about how privacy is regulated if anonymization only works until a determined attacker figures out how to reverse the method that’s being used to dynamically fuzz the data.

Current EU law doesn’t recognise anonymous data as personal data, although it does treat pseudonymized data as personal data because of the risk of re-identification.

Yet a growing body of research suggests the risk of de-anonymization on high dimension data sets is persistent. Even — per this latest research — when a database system has been very carefully designed with privacy protection in mind.

It suggests the entire business of protecting privacy needs to get a whole lot more dynamic to respond to the risk of perpetually evolving attacks.

Academics from Imperial College London and Université Catholique de Louvain are behind the new research.

This week, at the 28th USENIX Security Symposium, they presented a paper detailing a new class of noise-exploitation attacks on a query-based database that uses aggregation and noise injection to dynamically mask personal data.

The product they were looking at is a database querying framework called Diffix, jointly developed by a German startup called Aircloak and the Max Planck Institute for Software Systems.

On its website Aircloak bills the technology as “the first GDPR-grade anonymization” — aka Europe’s General Data Protection Regulation, which began being applied last year, raising the bar for privacy compliance by introducing a data protection regime that includes fines that can scale up to 4% of a data processor’s global annual turnover.

What Aircloak is essentially offering is to manage GDPR risk by providing anonymity as a commercial service, allowing queries to be run on a data-set that let analysts gain valuable insights without accessing the data itself. The promise being it’s privacy (and GDPR) ‘safe’ because it’s designed to mask individual identities by returning anonymized results.

The problem is personal data that’s re-identifiable isn’t anonymous data. And the researchers were able to craft attacks that undo Diffix’s dynamic anonymity — although Aircloak is confident it has already prevented this attack.

“What we did here is we studied the system and we showed that actually there is a vulnerability that exists in their system that allows us to use their system and to send carefully created queries that allow us to extract — to exfiltrate — information from the data-set that the system is supposed to protect,” explains Imperial College’s Yves-Alexandre de Montjoye, one of five co-authors of the research paper.

“Differential privacy really shows that every time you answer one of my questions you’re giving me information and at some point — to the extreme — if you keep answering every single one of my questions I will ask you so many questions that at some point I will have figured out every single thing that exists in the database because every time you give me a bit more information,” he says of the pre


TikTok’s new set of safety videos teach users about features, the app’s focus on ‘positivity’


TikTok today released a new set of safety videos designed to playfully inform users about the app’s privacy controls and other features, like how to filter comments or report inappropriate behavior, among other things. One video also addresses TikTok’s goal of creating a “positive” social media environment, where creativity is celebrated and harassment is banned.

This particular value — that TikTok is for “fun” — is cited whenever the Beijing-based company is pressured about the app’s censorship activity. Today, TikTok hides under claims that it’s all about being a place for lighthearted, positive behavior. But in reality, it had been censoring topics China doesn’t want its citizens to know about — like the Hong Kong protests, for example. Meanwhile, it doesn’t appear to take action on political issues in the U.S., where hashtags like #dumptrump or #maga have millions of views.

To figure out its approach to moderation, TikTok recently hired corporate law firm K&L Gates to advise it on how to create policies that won’t have it coming under the eye of U.S. regulators.

In the meantime, TikTok is tackling the job of crafting the sort of community it wants through these instructive videos. But it’s not just issuing its commands from the top-down — TikTok partners with its own creators to participate in the videos and then promote them to fans. The first set of videos, released in February, featured a dozen TikTok creators, for example.

This time around, the company has pulled in a doze


Facebook pilloried over iPhone ‘secret camera access’ bug


Facebook has faced a barrage of concern over an apparent bug that resulted in the social media giant’s iPhone app exposing the camera as users scroll through their feed.

A tweet over the weekend blew up after Joshua Maddux tweeted a screen recording of the Facebook app on his iPhone. He noticed that the camera would appear behind the Facebook app as he scrolled through his social media feed.

Several users had already spotted the bug earlier in the month. One person called it “a little worrying.”

Some immediately assumed the worst — as you might expect, given the long history of security vulnerabilities, data breaches and inadvertent exposures at Facebo


India moves closer to regulating internet services as it fears ‘unimaginable disruption to democracy’


India said on Monday that it is moving ahead with its plan to revise existing rules to regulate intermediaries — social media apps and others that rely on users to create their content — as they are causing “unimaginable disruption” to democracy.

In a legal document filed with the country’s apex Supreme Court, the Ministry of Electronics and Information Technology said it would formulate the rules to regulate intermediaries by January 15, 2020.

In the legal filing, the government department said the internet had “emerged as a potent tool to cause unimaginable disruption to the democratic polity.” Oversight of intermediaries, the ministry said, would help in addressing the “ever growing threats to individual right


Twitter says government demands for user data continue to rise


Twitter says the number of government demands for user data is at a record high.

In its latest transparency report covering the six months between January and June, the social media giant said it received 7,300 demands for user data, up by 6% from a year earlier, but that the number of accounts affected is down by 25%.

The company turned over some account data in just less than half of all cases.

U.S. government agencies requested the most data from the company during the period, filing 2,120 demands for 4,150 accounts — accounting for about one-third of all
