Difference between revisions of "Personal Privacy"

From MgmtWiki
(Context)
(Problems)
Line 19: Line 19:
 
==Problems==
 
==Problems==
  
Threats against authentication, federation or user private data, as that can be used in spoofing.
+
User have a variety of reasons not to let their personal information be broadly available, some of those are:
 
+
* The right to the let alone based on  
* Attacks at the user device or user agent.
+
* The use of personal data to "steal you identity".
**User private data, including credentials used in authentication or secret seed value.
+
* Embarrassment over one's past behavior or attributes.
**Theft of user device or second factor token
+
* Loss of potential (or real) earnings.
**Data of the user's contacts' email address for spamming.
 
**Insertion of malware on the user's device.
 
**Interception of legitimate user connections to valuable resources, including elevation of priviledge.
 
* Attacks on the transmission of user private data.
 
**Interception of legitimate user connections to steal authentication data.
 
**Misdirection or misleading connection to attacker sites.
 
**Hijacking a legitimate user connection (Man in the middle attacks).
 
* Spoofing attacks at the resource site.
 
**Online guessing, when user lock-out or time-out is not applied.
 
**Binding of attacker's token to the user's profile at the resource
 
**Reuse or Replay of user credentials
 
***User reliance on passwords alone is known to result in password reuse, so if an attack succeeds on one site, it may work on others.
 
**Using data acquired by social engineering, such as using a pretext for the user to enable the authentication.
 
***Complex passwords that are unique to one site or service will force users to write down passwords which can be found.
 
**Initiating connections through other compromised sites, including compromised Identifier or Attribute Providers.
 
* Misuse of user private data.
 
**Releasing data to others.
 
**Data breaches.
 
**Social engineering at provider based on partial knowledge of user private data
 
  
 
==Solutions==
 
==Solutions==
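
Review bot: the added bullet "* The right to the let alone based on" is cut off mid-sentence: "based on" has no object and "the let alone" looks like a slip for "be let alone", so finish the sentence or trim it before saving. In the other added lines, "User have" should be "Users have" and "steal you identity" should be "steal your identity". The revision as rendered keeps only the four new bullets under Problems, so the earlier threat list (attacks at the user device or user agent, attacks on the transmission of user private data, spoofing attacks at the resource site, misuse of user private data) is no longer on the page; if that material now belongs on Identity Pathologies, say so in the edit summary, which currently reads only "(Problems)".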

Revision as of 08:12, 21 June 2018

Full Title or Meme

A list of various ways in which user private information can be protected by user actions now and in the future.

Context

Pages on the site where the broad definitions may be found:

  • Privacy is the page where the broad definitions may be found.
  • Identity Pathologies is the page where the various vulnerabilities are delineated.

User private data is required for release of web resources. The object of this effort is to minimize the amount of data released, or its misuse after release, by listing the steps that users can take today as well as the developments that are still evolving.

There are four entities that are in play here.

  1. The user on a user device (aka a user agent).
  2. The resource provider (aka a relying party).
  3. Identifier and Attribute Providers.
  4. Data Harvester or Broker.

Problems

Users have a variety of reasons not to let their personal information be broadly available; some of those are:

  • The right to be let alone based on
  • The use of personal data to "steal your identity".
  • Embarrassment over one's past behavior or attributes.
  • Loss of potential (or real) earnings.

Solutions

These are the steps that should be considered now

These are some of the steps under development

References