Wednesday, 4:00–5:00 PM
Chair: Flavio Junqueira

Distributing Private Data in Challenged Network Environments

Azarias Reda, Brian Noble, Yidnekachew Haile

Developing countries face significant challenges in network access, making even simple network tasks unpleasant. Many standard techniques—caching and predictive prefetching—help somewhat, but provide little or no assistance for personal data that is needed only by a single user. Sulula addresses this problem by leveraging the near-ubiquity of cellular phones able to send and receive simple SMS messages. Rather than visit a kiosk and fetch data on demand—a tiresome process at best—users request a future visit. If capacity exists, the kiosk can schedule secure retrieval of that user’s data, saving time and more efficiently utilizing the kiosk’s limited connectivity. When the user arrives at a provisioned kiosk, she need only obtain the session key on-demand, and thereafter has instant access. Experimental results show significant gains for the end user, saving tens of minutes of time for a typical email/news reading session. We also describe a small, ongoing deployment in-country for proof-of-concept, lessons learned from that experience, and provide a discussion on pricing and marketplace issues that remain to be addressed to make the system viable for developing-world access.

Privacy Wizards for Social Networking Sites

Lujun Fang, Kristen LeFevre

Privacy is an enormous problem in online social networking sites. While sites such as Facebook allow users fine-grained control over who can see their profiles, it is difficult for average users to specify this kind of detailed policy. In this paper, we propose a template for the design of a social networking privacy wizard. The intuition for the design comes from the observation that real users conceive their privacy preferences (which friends should be able to see which information) based on an implicit set of rules. Thus, with a limited amount of user input, it is usually possible to build a machine learning model that concisely describes a particular user’s preferences, and then use this model to configure the user’s privacy settings automatically. As an instance of this general framework, we have built a wizard based on an active learning paradigm called uncertainty sampling. The wizard iteratively asks the user to assign privacy “labels” to selected (“informative”) friends, and it uses this input to construct a classifier, which can in turn be used to automatically assign privileges to the rest of the user’s (unlabeled) friends. To evaluate our approach, we collected detailed privacy preference data from 45 real Facebook users. Our study revealed two important things. First, real users tend to conceive their privacy preferences in terms of communities, which can easily be extracted from a social network graph using existing techniques. Second, our active learning wizard, using communities as features, is able to recommend high-accuracy privacy settings using less user input than existing policy-specification tools.

Reining in the Web with Content Security Policy

Sid Stamm, Brandon Sterne, Gervase Markham

The last three years have seen a dramatic increase in both awareness and exploitation of Web Application Vulnerabilities. 2008 and 2009 saw dozens of high-profile attacks against websites using Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) for the purposes of information stealing, website defacement, malware planting, clickjacking, etc. While an ideal solution may be to develop web applications free from any exploitable vulnerabilities, real-world security is usually provided in layers. We present content restrictions, and a content restrictions enforcement scheme called Content Security Policy (CSP), which intends to be one such layer. Content restrictions allow site designers or server administrators to specify how content interacts on their web sites—a security mechanism desperately needed by the untamed Web. These content restriction rules are activated and enforced by supporting web browsers when a policy is provided for a site via HTTP, and we show how a system such as CSP can be effective to lock down sites and provide an early alert system for vulnerabilities on a web site. Our scheme is also easily deployed, which is made evident by our prototype implementation in Firefox and on the Mozilla Add-Ons web site.
