Date of Award

1-1-2010

Document Type

Campus Access Dissertation

Department

Computer Science and Engineering

First Advisor

Csilla Farkas

Abstract

Web-based services have become an integral element of modern life due to their convenience and round-the-clock availability. Their prevalence has lead to service providers maintaining easily-accessible, electronic collections of personal data about users. While the main objective of such data collections is to enhance marketing efforts, they also create a golden opportunity for misuse. The dramatic rise in identity theft in recent years is a prime example of such misuses. Current laws and regulations and privacy-enhancing technologies aim to combat these crimes. However, most privacy protection solutions focus on protecting the users' data after release at which point individuals have little or no control over how their personal data is secured. The focus of this dissertation is developing methods to enable users to make informed decisions regarding which personal data they release during online transactions. The user-centric privacy protection framework I propose addresses potential privacy violations that occur via direct and indirect disclosure of data and the potential linkability of online activities.

In this dissertation work, I present P2F: a user-centric privacy protection framework that supports users in protecting their privacy during online activities. P2F is a client-side decision support tool that informs the user about potential disclosures of personal data given a prospective transaction. I present a theoretical model to define privacy-related concepts and a novel qualitative privacy compromise risk assessment approach to evaluate the potential risk of online transactions. I propose an ontology to formally describe personal data, services, transactions, and service provider properties and relationships. I also introduce concepts to describe associations between personal data which are used to infer additional data that can be disclosed about the user if a set of personal data is released. The qualitative risk assessment model uses service provider properties, likelihood of information-sharing between service providers, the sensitivity of the personal data to be released, and transaction linkability to determine the privacy compromise potential of releasing a set of personal data. P2F generates all sets of personal data that satisfy the requirements of the prospective transaction to find the set of data with the lowest privacy compromise risk. The developed procedures are evaluated from the perspective of efficiency and completeness. I have developed a proof-of-concept implementation of the framework to demonstrate its functionality and efficiency.

Share

COinS