November 5th, 2009
Google added a great new service, Dashboard, that summarizes data stored for a Google account — see MY ACCOUNT>PERSONAL SETTINGS>DASHBOARD.
“Designed to be simple and useful, the Dashboard summarizes data for each product that you use (when signed in to your account) and provides you direct links to control your personal settings. Today, the Dashboard covers more than 20 products and services, including Gmail, Calendar, Docs, Web History, Orkut, YouTube, Picasa, Talk, Reader, Alerts, Latitude and many more. The scale and level of detail of the Dashboard is unprecedented, and we’re delighted to be the first Internet company to offer this — and we hope it will become the standard.”
This is a good move on Google’s part. But while there’s a lot of information included, it’s not everything that Google knows about you — e.g., data in cookies, click-through data from search results, and information from companies it has acquired, like DoubleClick.
Still, it is a big step in a positive direction toward privacy awareness.
Posted in privacy | No Comments »
November 4th, 2009
Yesterday was the first time a truly voter-verifiable voting system was used in a binding government election, thanks in part to work being carried out at UMBC’s Cyber Defense Lab under the direction of Alan Sherman.
Takoma Park, MD used the Scantegrity system for its municipal election after testing it in a mock election last April. Technology Review has a story, First Test for Election Cryptography, that quotes Anne Sergeant, the chair of the Takoma Park board of elections:
“Before trying Scantegrity in an official election, the city held a mock vote in April to work out kinks in the system. In that test, she says, about 30 percent of participants went home and used the system to verify their votes. Sergeant says that Scantegrity representatives talked extensively with voters and election officials after the April test and have improved their system accordingly. “I hope we can provide an experience where people walk away and say, ‘That was awesome,’” she says. “It’s a goal to which we aspire.”
The Scantegrity system was created by a group of universities, including UMBC. A voter uses a paper ballot marked with invisible ink, which is exposed with a special marker. That marker reveals a code, which the voter can then use to check online whether their vote was tabulated correctly.
Ben Adida has been auditing the election and documenting the process on his blog.
See also E-voting system lets voters verify their ballots are counted.
Posted in AISL News | No Comments »
September 22nd, 2009
Sunday’s Boston Globe has an article on online privacy provocatively titled Project ‘Gaydar’ that leads with the story of a class experiment done by two MIT students on predicting sexual orientation from social network information.
“Using data from the social network Facebook, they made a striking discovery: just by looking at a person’s online friends, they could predict whether the person was gay. They did this with a software program that looked at the gender and sexuality of a person’s friends and, using statistical analysis, made a prediction. The two students had no way of checking all of their predictions, but based on their own knowledge outside the Facebook world, their computer program appeared quite accurate for men, they said.”
I suspect that many will read the article and think that such an analysis can be easily done on their own Facebook information. While I’m not a Facebook expert, I assume that the vast majority of its users employ the default privacy settings which do not allow non-friends to see personal information including gender and the ‘interested in’ attribute, which can be used as a proxy for sexual orientation.
Still, the problem of protecting privacy in online social networking systems is a very real one. The Boston Globe story also mentions work by AISL colleague Murat Kantarcioglu on predicting political affiliations (see Inferring Private Information Using Social Network Data).
“He and a student – who later went to work for Facebook – took 167,000 profiles and 3 million links between people from the Dallas-Fort Worth network. They used three methods to predict a person’s political views. One prediction model used only the details in their profiles. Another used only friendship links. And the third combined the two sets of data. The researchers found that certain traits, such as knowing what groups people belonged to or their favorite music, were quite predictive of political affiliation. But they also found that they did better than a random guess when only using friendship connections. The best results came from combining the two approaches.”
The article also mentions Lise Getoor’s work on discovering private information by integrating work across Facebook, Flickr, Dogster and BibSonomy (see To Join or not to Join: The Illusion of Privacy in Social Networks with Mixed Public and Private User Profiles).
“Those researchers blinded themselves to the profiles of half the people in each network, and launched a variety of “attacks” on the networks, to see what private information they could glean by simply looking at things like groups people belonged to, and their friendship links. On each network, at least one attack worked. Researchers could predict where Flickr users lived; Facebook users’ gender, a dog’s breed, and whether someone was likely to be a spammer on BibSonomy. The authors found that membership in a group gave away a significant amount of information, but also found that predictions using friend links weren’t as strong as they expected. “Using friends in classifying people has to be treated with care,” computer scientists Lise Getoor and Elena Zheleva wrote.”
Posted in privacy | No Comments »
September 22nd, 2009
The New York Times reports that the data for the Netflix Prize 2 will include more information about the anonymous users:
“Netflix was so pleased with the results of its first contest that it announced a second one on Monday. The new contest will present contestants with demographic and behavioral data, including renters’ ages, gender, ZIP codes, genre ratings and previously chosen movies — but not ratings. Contestants will then have to predict which movies those people will like.”
As others have noted, this will make it much easier to “de-anonymize” individuals in the collection.
As an experiment, I checked the zip code where I grew up and found that it had about 3900 people in the 2000 census. So, given an age and gender, you would have a set of about 40 people. With just a little additional information, one could narrow this to a specific individual.
For example, Narayanan and Shmatikov showed (Robust De-anonymization of Large Sparse Datasets) that this could be done with the dataset from the first Netflix Grand Prize by mining information from IMDB. Think of how much more powerful such attacks would be with the new dataset.
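As an added illustration of the point above (example code written for this post, not from the article or the Netflix contest), here is a small k-anonymity check over a constructed set of renter records: it reports the smallest group size and the share of records that become unique as more quasi-identifiers (zip, age, gender, genre) are released. The records, the field names and the "49 adult ages by 2 genders" figure are assumptions.

```python
from collections import Counter

# Constructed sample of renter records (not Netflix data): (zip, age, gender, favorite genre)
RECORDS = [
    ("20912", 34, "F", "drama"),  ("20912", 34, "F", "comedy"),
    ("20912", 34, "M", "drama"),  ("20912", 51, "F", "drama"),
    ("20912", 51, "F", "horror"), ("20912", 51, "M", "comedy"),
    ("20912", 51, "M", "comedy"), ("20912", 22, "F", "drama"),
    ("21250", 34, "F", "drama"),  ("21250", 34, "F", "drama"),
    ("21250", 51, "M", "horror"), ("21250", 22, "F", "comedy"),
]
FIELDS = ("zip", "age", "gender", "genre")


def equivalence_classes(records, keep, fields=FIELDS):
    """Group records by the released quasi-identifiers; returns {combination: size}."""
    idx = [fields.index(f) for f in keep]
    return Counter(tuple(r[i] for i in idx) for r in records)


def k_anonymity(records, keep, fields=FIELDS):
    """k = size of the smallest group; k == 1 means at least one record is unique."""
    return min(equivalence_classes(records, keep, fields).values())


def unique_fraction(records, keep, fields=FIELDS):
    """Share of records that are the only ones with their quasi-identifier combination."""
    classes = equivalence_classes(records, keep, fields)
    singletons = sum(n for n in classes.values() if n == 1)
    return singletons / len(records)


def expected_anonymity_set(population, cardinalities):
    """Back-of-envelope estimate of how many people share one value of each released
    attribute, assuming the attributes are independent and evenly spread (a simplification)."""
    size = population
    for c in cardinalities:
        size /= c
    return size


if __name__ == "__main__":
    # The post's estimate: ~3900 people in a zip code, ~49 adult ages x 2 genders (assumed)
    print(round(expected_anonymity_set(3900, [49, 2])))  # about 40
    for keep in (("zip",), ("zip", "gender"), ("zip", "age", "gender"), FIELDS):
        print(keep, "k =", k_anonymity(RECORDS, keep),
              "unique =", round(unique_fraction(RECORDS, keep), 2))
```

Each extra released column drives k toward 1 and raises the unique fraction, which is exactly the leverage a linking attack like the one Narayanan and Shmatikov describe needs.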
Posted in privacy | No Comments »
August 6th, 2009
Elinor Mills of CNET reports that the DoS attacks against Twitter, Facebook, LiveJournal and Blogger were focused on a single Russian blogger using the name Cyxymu.
A pro-Georgian blogger with accounts on Twitter, Facebook, LiveJournal and Google’s Blogger and YouTube was targeted in a denial of service attack that led to the site-wide outage at Twitter and problems at the other sites on Thursday, according to a Facebook executive.
The blogger, who uses the account name “Cyxymu,” (the name of a town in the former Soviet Republic) had accounts on all of the different sites that were attacked at the same time, Max Kelly, chief security officer at Facebook, told CNET News.
“It was a simultaneous attack across a number of properties targeting him to keep his voice from being heard,” Kelly said. “We’re actively investigating the source of the attacks and we hope to be able to find out the individuals involved in the back end and to take action against them if we can.”
According to the Register, Researcher: Twitter attack targeted anti-Russian blogger, the DoS attack was driven by spam rather than a botnet. Spam messages enticed their recipients to click on a link to one of Cyxymu’s many social media accounts.
You can try to access Cyxymu’s pages on twitter, livejournal, facebook, blogger and youtube.
Posted in cybersecurity | No Comments »
August 6th, 2009
It will be interesting to see what comes from today’s DDoS attacks on Twitter, Facebook and LiveJournal. It is certainly a show of strength from whoever controls the botnets that launched the attacks. We can only assume that the three are from the same source or at least related sources. Some sources:
Was it a test? Demonstration? Preparation for extortion (Nice little Internet you got there. Shame if something happened to it.)?
Posted in Social aspects, cybersecurity | No Comments »
August 6th, 2009
The Department of Defense remains conflicted about their position on social media.
This past Sunday the US Marine Corps announced an immediate ban of Internet social networking sites on their NIPRNET network due to potential security risks. Specific examples of the sites now banned included facebook, myspace, and twitter.
Adm. Mike Mullen, chairman of the Joint Chiefs of Staff, tweeted yesterday.
“Obviously we need to find right balance between security and transparency. We are working on that. But am I still going to tweet? You bet.”
The comment also appeared on Admiral Mullen’s facebook page.
While it’s tempting to poke fun at the apparent contradictions involved, it’s easy to see a difference. It’s well known that there are many vulnerabilities on the Web that can result in compromising a computer, and that they are more likely to be encountered in open, popular environments like social media systems. So it’s prudent to limit access to some of these from networks like NIPRNET that are used for sensitive information. On the other hand, we assume that the computers used by Admiral Mullen and his staff for public announcements and PR are on conventional networks, so the risks associated with security problems are greatly reduced.
Still, you have to admit that it’s ironic.
Posted in Social aspects, cybersecurity | No Comments »
August 5th, 2009
The Electronic Frontier Foundation released a whitepaper, On Locational Privacy, and How to Avoid Losing it Forever, discussing problems and solutions involving location privacy. The report, written by Andrew Blumberg and Peter Eckersley, outlines how location information is being collected by devices and services and argues for solutions that maintain potential benefits without sacrificing personal privacy.
“There are nifty new location-based technologies like electronic road-toll tags and cell-phone apps that alert you when your friends are nearby — but these systems often create and store records of your movements,” said EFF Staff Technologist Peter Eckersley, one of the co-writers of the white paper. “This could make it possible for others to know when you visited a health clinic, what church or bar you spend time in, or who you go to lunch with. It is essential that privacy-protecting algorithms are built into these devices and services, so we can enjoy their convenience without making our private lives into open books.”
…
“The technical solution to preserving privacy in digital services lies in modern cryptography and careful design,” said Stanford University mathematician Andrew J. Blumberg, the white paper’s other co-writer. “It may seem counterintuitive, but using cryptography, these systems can function without collecting and storing personal data at all. The best way for systems to protect user data is not to collect it in the first place; then the information is not available for anyone to buy, steal, or obtain by subpoena — it would stay truly private.”
Posted in privacy | No Comments »
July 11th, 2009
AISL Co-PI Elisa Bertino has been elected chair of the ACM Special Interest Group on Security, Audit and Control (SIGSAC) for a one-year term beginning.
She is a professor in the Department of Computer Science, Purdue University and Research Director of CERIAS. Her main research interests cover many areas in the fields of information security and database systems. Her research combines theoretical and practical aspects and also addresses applications in a number of domains, such as medicine and the humanities.
SIGSAC’s mission is to develop the information security profession by sponsoring high-quality research conferences and workshops. SIGSAC conferences address all aspects of information and system security, encompassing security technologies, secure systems, security applications and security policies. Security technologies include access control, assurance, authentication, cryptography, intrusion detection, penetration techniques, risk analysis and secure protocols. Security systems include security in operating systems, database systems, networks and distributed systems and middleware. Representative security application areas are information systems, workflow systems, electronic commerce, electronic cash, copyright and intellectual property protection, telecommunications systems and healthcare. Security policies encompass confidentiality, integrity, availability, privacy, and survivability policies, including trade-offs and conflicts amongst these.
Posted in AISL News | No Comments »
July 10th, 2009
New York state attorney general Andrew Cuomo announced he intends to sue social networking company Tagged.com “for deceptive e-mail marketing practices and invasion of privacy”.
“Between April and June this year, Tagged sent tens of millions of misleading emails to unsuspecting recipients stating that Tagged members had posted private photos online for their friends to view. In reality, no such photos existed and the email was not from their friends. When recipients of these fraudulent emails tried to access the photos, they were forced to become a new member of Tagged. The company would then illegally gain access to their personal email contacts to send more fraudulent invitations.
“This company stole the address books and identities of millions of people,” said Attorney General Cuomo. “Consumers had their privacy invaded and were forced into the embarrassing position of having to apologize to all their email contacts for Tagged’s unethical – and illegal – behavior. This very virulent form of spam is the online equivalent of breaking into a home, stealing address books, and sending phony mail to all of an individual’s personal contacts. We would never accept this behavior in the real world, and we cannot accept it online.”
See stories in the NYT and Independent.
Posted in In the News, privacy | No Comments »