StegoWeb: Towards the Ideal Private Web Content Publishing Tool
As the use of Web 2.0 services – most notably Social Networking Sites or SNSes – is becoming more and more widespread, the privacy-related questions of the sensitive information published there gain significance at a similar pace. The term ‘profiling’ is used to describe activities which involve collecting data about a person from various sources (e.g. customer preferences in a webshop and personal data published on social networking websites), and merging the pieces of information into a single record, called a profile. Since Web 2.0 services are based on user-created content, profilers can use these services to complement their profiles. Accurate user profiles serve as useful bases for many dubious or outright malicious activities, including targeted advertising and dynamic pricing. This tendency is likely to get worse as real-time searching becomes a core feature in search engines, which makes revocation of information impossible. Therefore, this problem is gaining importance frighteningly fast.
The techniques of profiling have evolved greatly since the birth of the World Wide Web. When IP addresses were fixed, they could be used to identify a user on the Web. Later on, as Internet Service Providers adopted the use of dynamic IP addresses, the main basis of identifying a user became unique identifiers in HTTP cookies and, later, ‘Flash cookies’ or LSOs. The evolution of tracking techniques is continuous; the concept of Evercookies and the Panopticlick browser fingerprinting experiment indicate that research and improvements in the area have certainly not concluded. Furthermore, information superpowers – service providers that offer a wide range of products to their users – are a major threat, because they can have access to various data about the user.
As such, there is a need for applications that protect the user against these actors by limiting the personal information that a profiler can potentially access. Our previous work introduced such a piece of software called BlogCrypt, a Firefox extension that could encrypt and decrypt data on websites with as little user interaction as possible. In that paper, we showed that BlogCrypt was an efficient countermeasure against profiling, but, as it does not conceal encryption, users are likely to face countermeasures on Web 2.0 sites where encrypting or otherwise obfuscating user content is forbidden by the Terms of Use.
Our main contribution in this paper is a steganographic approach to this problem, which, albeit not a direct successor or an improved version of BlogCrypt, addresses the same issue as it did, but in a slightly different context. The main reason is that steganography is ‘expensive’, i.e. only a small amount of data can be stored with such techniques. Therefore, while BlogCrypt was a useful solution to encrypt blog posts, StegoWeb is more likely to be applicable in the context of profile data on SNSes. If our application is used for this purpose, a profiler will not be able to link our personal information to other data she has potentially obtained about us.
The paper is structured as follows. In Section II, we survey existing implementations and concepts that are intended to hinder profiling, and provide a taxonomy for classifying them. Then, in Section III, we discuss our own implementation, and analyse it in terms of advantages and drawbacks. In Section IV, we evaluate our implementation from the aspect of key management, and propose some improvements. Section V describes how the concept can be used for identity management purposes. Finally, we conclude our work in Section VI.
Published at:
SECURWARE 2011, The Fifth International Conference on Emerging Security Information, Systems and Technologies August 21-27, 2011 - French Riviera, Nice/Saint Laurent du Var, France pp. http://www.iaria.org/conferences2011/SECURWARE11.html
Digital library:
ThinkMind, http://www.thinkmind.org/