Lecture Notes in Computer Science 5672
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Alfred Kobsa, University of California, Irvine, CA, USA
Friedemann Mattern, ETH Zurich, Switzerland
John C. Mitchell, Stanford University, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz, University of Bern, Switzerland
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, University of Dortmund, Germany
Madhu Sudan, Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max-Planck Institute of Computer Science, Saarbruecken, Germany

Ian Goldberg, Mikhail J. Atallah (Eds.)
Privacy Enhancing Technologies
9th International Symposium, PETS 2009
Seattle, WA, USA, August 5-7, 2009
Proceedings

Volume Editors
Ian Goldberg
University of Waterloo, David R. Cheriton School of Computer Science
200 University Avenue West, Waterloo, ON, N2L 3G1, Canada

Mikhail J. Atallah
Purdue University, Department of Computer Science
305 North University Street, West Lafayette, IN 47907-2107, USA

Library of Congress Control Number: 2009930653
CR Subject Classification (1998): H.5, H.4, H.3, I.2, I.3, I.7, J.5
LNCS Sublibrary: SL 4 – Security and Cryptology
ISSN 0302-9743
ISBN-10 3-642-03167-6 Springer Berlin Heidelberg New York
ISBN-13 978-3-642-03167-0 Springer Berlin Heidelberg New York

Springer-Verlag Berlin Heidelberg holds the exclusive right of distribution and reproduction of this work, for a period of three years starting from the date of publication.
springer.com
Printed in Germany
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
SPIN: 12719389 06/3180 543210

Message from the Program Chairs

The 2009 Privacy Enhancing Technologies Symposium was held at the University of Washington in Seattle during August 5–7, 2009. This was the ninth in this series of meetings, and the second after the transition from workshop to symposium. PETS remains a premier forum for publishing research on both the theory and the practice of privacy-enhancing technologies, and has a broad scope that includes all facets of the field.

The PETS program this year included a diverse set of 14 peer-reviewed papers, selected from 44 submissions. Each submission was reviewed by at least four members of the Program Committee. This was the second year of the popular HotPETs session, designed as a venue to present exciting but still preliminary and evolving ideas, rather than formal and rigorous completed research results. HotPETs this year included a program of 14 presentations of 10–20 minutes each; as was the case last year, there were no published proceedings for HotPETs. PETS also included the traditional “rump session,” with brief presentations on a variety of topics.

We are grateful to all of the authors who submitted, to the PETS and HotPETs speakers who presented their work selected for the program, and to the rump session participants. We are also grateful to the Program Committee members, and to the external reviewers who assisted them, for their thorough reviews and participation in discussions—they were central to the resulting high-quality program. The following subset of these reviewers gracefully volunteered to continue their work as shepherds helping the authors improve their papers and address the reviewer comments and suggestions: Alastair Beresford, Lorrie Cranor, Claudia Diaz, Steven Murdoch, and Carmela Troncoso.
It is also a pleasure to acknowledge the contribution of our General Chair, Adam Shostack, who worked tirelessly on the local arrangements and logistical aspects of the symposium. The University of Washington helped to host the symposium, and our webmaster since 2007, Jeremy Clark, did his usual outstanding job at evolving and maintaining the symposium’s website. Our gratitude also goes to the HotPETs Chairs, Andrei Serjantov and Thomas Heydt-Benjamin, who put together an outstanding HotPETs program, as well as to Vitaly Shmatikov, who chaired the PET Award Selection Committee, and Roger Dingledine, for handling the stipends. Finally, in these tight economic times, we are particularly grateful to Microsoft for its sponsorship and support; it played a central role in helping attendees—especially students—meet registration and travel costs.

May 2009
Ian Goldberg
Mikhail Atallah

Organization

Organizers
General Chair: Adam Shostack (Microsoft, USA)
Program Chairs: Ian Goldberg (University of Waterloo, Canada), Mikhail Atallah (Purdue University, USA)
PET Award Chair: Vitaly Shmatikov (University of Texas, USA)
Stipends Chair: Roger Dingledine (The Tor Project, USA)
HotPETs Chairs: Thomas Heydt-Benjamin (IBM Research Zurich, Switzerland), Andrei Serjantov (The Free Haven Project, UK)

Program Committee
Alessandro Acquisti, Carnegie Mellon University, USA
Michael Backes, Saarland University and Max Planck Institute for Software Systems, Germany
Mira Belenkiy, Microsoft, USA
Alastair Beresford, University of Cambridge, UK
Nikita Borisov, University of Illinois at Urbana-Champaign, USA
Lorrie Cranor, Carnegie Mellon University, USA
George Danezis, Microsoft Research Cambridge, UK
Sabrina De Capitani di Vimercati, Università degli Studi di Milano, Italy
Claudia Diaz, K.U. Leuven, Belgium
Roger Dingledine, The Tor Project, USA
Alexandre Evfimievski, IBM Almaden Research Center, USA
Philippe Golle, Palo Alto Research Center, USA
Rachel Greenstadt, Drexel University, USA
Thomas Heydt-Benjamin, IBM Research Zurich, Switzerland
Apu Kapadia, MIT Lincoln Laboratory, USA
Bradley Malin, Vanderbilt University, USA
Tal Malkin, Columbia University, USA
Nick Mathewson, The Tor Project, USA
David Molnar, University of California, Berkeley, USA
Steven Murdoch, University of Cambridge, UK
Andreas Pfitzmann, Dresden University of Technology, Germany
Len Sassaman, K.U. Leuven, Belgium
Andrei Serjantov, The Free Haven Project, UK
Paul Syverson, Naval Research Laboratory, USA
Marianne Winslett, University of Illinois at Urbana-Champaign, USA
Matthew Wright, University of Texas at Arlington, USA
Ting Yu, North Carolina State University, USA

External Reviewers
Titus Abraham
Sadia Afroz
Elli Androulaki
Claudio Agostino Ardagna
Sruthi Bandhakavi
Stefan Berthold
John Bethencourt
Rainer Boehme
Katrin Borcea-Pfitzmann
Seung Geol Choi
Sebastian Clauß
Ariel Elbaz
David Evans
Michael Gagnon
Aris Gkoulalas-Divanis
Ragib Hasan
Keith Irwin
Peter Johnson
Zach Jorgensen
Hahna Kane
Benjamin Kellermann
Matthias Kirchner
Kush Kothari
Robert Lass
Homin Lee
Karsten Loesing
Grigorios Loukides
Nayantara Mallesh
Aaron Massey
Kazuhiro Minami
Esfandiar Mohammadi
Meredith L. Patterson
John Paulett
Stefanie Poetzsch
Sören Preibusch
Mariana Raykova
Sasha Romanosky
Aakash Shah
Entong Shen
Alex Simma
Robin Snader
Sandra Steinbrecher
Evan Sultanik
Evimaria Terzi
Carmela Troncoso
Patrick Tsang
Binh Vo
Wei Wei
Jan Werner
Charles Wright
Seung Yi
Charles Zhang

Table of Contents

Ninth Privacy Enhancing Technologies Symposium

Capturing Social Networking Privacy Preferences: Can Default Policies Help Alleviate Tradeoffs between Expressiveness and User Burden?
    Ramprasad Ravichandran, Michael Benisch, Patrick Gage Kelley, and Norman M. Sadeh

Regulating Privacy in Wireless Advertising Messaging: FIPP Compliance by Policy vs. by Design
    Heng Xu, John W. Bagby, and Terence Ryan Melonas

A Comparative Study of Online Privacy Policies and Formats
    Aleecia M. McDonald, Robert W. Reeder, Patrick Gage Kelley, and Lorrie Faith Cranor

Vida: How to Use Bayesian Inference to De-anonymize Persistent Communications
    George Danezis and Carmela Troncoso

Scalable Link-Based Relay Selection for Anonymous Routing
    Micah Sherr, Matt Blaze, and Boon Thau Loo

Using Linkability Information to Attack Mix-Based Anonymity Services
    Stefan Schiffner and Sebastian Clauß

Physical Layer Attacks on Unlinkability in Wireless LANs
    Kevin Bauer, Damon McCoy, Ben Greenstein, Dirk Grunwald, and Douglas Sicker

RequestPolicy: Increasing Web Browsing Privacy through Control of Cross-Site Requests
    Justin Samuel and Beichuan Zhang

Enlisting ISPs to Improve Online Privacy: IP Address Mixing by Default
    Barath Raghavan, Tadayoshi Kohno, Alex C. Snoeren, and David Wetherall

Privacy-Preserving Policy-Based Information Transfer
    Emiliano De Cristofaro, Stanislaw Jarecki, Jihye Kim, and Gene Tsudik

Privacy-Preserving Computation and Verification of Aggregate Queries on Outsourced Databases
    Brian Thompson, Stuart Haber, William G. Horne, Tomas Sander, and Danfeng Yao

APOD: Anonymous Physical Object Delivery
    Elli Androulaki and Steven Bellovin

On the Optimal Placement of Mix Zones
    Julien Freudiger, Reza Shokri, and Jean-Pierre Hubaux

Privacy-Preserving Face Recognition
    Zekeriya Erkin, Martin Franz, Jorge Guajardo, Stefan Katzenbeisser, Inald Lagendijk, and Tomas Toft

Author Index

Capturing Social Networking Privacy Preferences: Can Default Policies Help Alleviate Tradeoffs between Expressiveness and User Burden?

Ramprasad Ravichandran, Michael Benisch, Patrick Gage Kelley, and Norman M. Sadeh

School of Computer Science, Carnegie Mellon University, Pittsburgh PA 15217, USA
{rravicha,mbenisch,pkelley,sadeh}@cs.cmu.edu

Abstract. Social networking sites such as Facebook and MySpace thrive on the exchange of personal content such as pictures and activities. These sites are discovering that people’s privacy preferences are very rich and diverse. In theory, providing users with more expressive settings to specify their privacy policies would not only enable them to better articulate their preferences, but could also lead to greater user burden. In this article, we evaluate to what extent providing users with default policies can help alleviate some of this burden. Our research is conducted in the context of location-sharing applications, where users are expected to specify conditions under which they are willing to let others see their locations. We define canonical policies that attempt to abstract away user-specific elements such as a user’s default schedule, or canonical places, such as “work” and “home.” We learn a set of default policies from this data using decision-tree and clustering algorithms. We examine tradeoffs between the complexity / understandability of default policies made available to users, and the accuracy with which they capture the ground truth preferences of our user population. Specifically, we present results obtained using data collected from 30 users of location-enabled phones over a period of one week. They suggest that providing users with a small number of canonical default policies to choose from can help reduce user burden when it comes to customizing the rich privacy settings they seem to require.

Keywords: User modeling, Privacy, Mining default policies.
1 Introduction

Social networking sites such as Facebook and MySpace thrive on the exchange of personal content such as pictures and activities. These sites are discovering that people’s privacy preferences are very rich and diverse. While in theory, providing users with more expressive settings to specify their privacy policies

I. Goldberg and M. Atallah (Eds.): PETS 2009, LNCS 5672, pp. 1–18, 2009.