Gaming privacy : a Canadian case study of a children’s co-created privacy literacy game

This paper reports the process and outcomes of the design of a game that educates children about management of privacy online. Using a participatory action research process, children worked with the researchers to develop and play a game which simulates certain aspects of online privacy management and allows for scaffolded experiential learning in a safe environment. The game allows children to develop autonomous skills and understandings, not only for more effective learning but also because it is only through autonomy that children can develop a sense of self which is necessary for understanding what it means to be private. The paper shows that children have quite sophisticated understandings of privacy, compared with some adult perceptions, and that these understandings include awareness of the risks posed by commercial organisations seeking to gather personal data from them. The paper shows how engaging children as research and design participants can lead to more successful approaches in the development of privacy literacy.

Generating repudiable, memorizable and privacy preserving security questions using the Propp Theory of Narrative

 Security questions are often based on personal information that is limited in variety, available in the public record and very difficult to change if compromised. A personalized folktale shared only by the communicating parties provides memorizable basis for individualized security questions that can be readily replaced in the event of a security breach. We utilize the Propp theory of narrative to provide a basis of abstraction for story generation systems. We develop a proof-of-concept system based on placeholder replacement to demonstrate the generation of repudiate and memorizable questions and answers suitable for online security questions. A 3-component protocol is presented that demonstrates the use of this process to derive a shared secret key through privacy amplification. This combination of story generation and communication security provides the basis for improvements in current security question practice.

Real and substantial connections : Enforcing Canadian privacy laws against American social networking companies

Any organisation that captures personal data in Canada for processing is deemed tohave a ‘real and substantial connection’ to Canada and thus fall within thejurisdiction of the Personal Information Protection and Electronic Documents Act(PIPEDA) and of the Office of the Privacy Commissioner of Canada (OPC). Whathas been the experience of enforcing Canadian privacy protection law on US-basedsocial networking services? We analyse some of the high-profile enforcement actionsby the Privacy Commissioner. We also test compliance through an analysis of theprivacy policies of the top 23 SNSs operating in Canada and through the use of accessto personal information requests. Our analysis suggests that non-compliance iswidespread, and is explained by the countervailing conceptions of jurisdictioninherent in corporate policy and technical system design.

PPFSCADA: Privacy preserving framework for SCADA data publishing

Supervisory Control and Data Acquisition (SCADA) systems control and monitor industrial and critical infrastructure functions, such as electricity, gas, water, waste, railway, and traffic. Recent attacks on SCADA systems highlight the need for stronger SCADA security. Thus, sharing SCADA traffic data has become a vital requirement in SCADA systems to analyze security risks and develop appropriate security solutions. However, inappropriate sharing and usage of SCADA data could threaten the privacy of companies and prevent sharing of data. In this paper, we present a privacy preserving strategy-based permutation technique called PPFSCADA framework, in which data privacy, statistical properties and data mining utilities can be controlled at the same time. In particular, our proposed approach involves: (i) vertically partitioning the original data set to improve the performance of perturbation; (ii) developing a framework to deal with various types of network traffic data including numerical, categorical and hierarchical attributes; (iii) grouping the portioned sets into a number of clusters based on the proposed framework; and (iv) the perturbation process is accomplished by the alteration of the original attribute value by a new value (clusters centroid). The effectiveness of the proposed PPFSCADA framework is shown through several experiments on simulated SCADA, intrusion detection and network traffic data sets. Through experimental analysis, we show that PPFSCADA effectively deals with multivariate traffic attributes, producing compatible results as the original data, and also substantially improving the performance of the five supervised approaches and provides high level of privacy protection. © 2014 Published by Elsevier B.V. All rights reserved.

Privacy preserving in location data release: A differential privacy approach

Communication devices with GPS chips allow people to generate large volumes of location data. However, location datasets have been confronted with serious privacy concerns. Recently, several privacy techniques have been proposed but most of them lack a strict privacy notion, and can hardly resist the number of possible attacks. This paper proposes a private release algorithm to randomize location datasets in a strict privacy notion, differential privacy. This algorithm includes three privacy-preserving operations: Private Location Clustering shrinks the randomized domain and Cluster Weight Perturbation hides the weights of locations, while Private Location Selection hides the exact locations of a user. Theoretical analysis on utility confirms an improved trade-off between the privacy and utility of released location data. The experimental results further suggest this private release algorithm can successfully retain the utility of the datasets while preserving users’ privacy.