REPHRAIN Publications

A list of the REPHRAIN Centre publications can be found below – please check back for regular updates.

October 2021

Building a Privacy Testbed: Use Cases and Design Considerations

Prepared by Joseph Gardiner, Partha Das Chowdhury, Jacob Halsey, Mohammad Tahaei, Tariq Elahi and Awais Rashid

Abstract: Mobile application (app) developers are often ill-equipped to understand the privacy implications of their products and services, especially with the common practice of using third-party libraries to provide critical functionality. To add to the complexity, most mobile applications interact with the “cloud”—not only the platform provider’s ecosystem (such as Apple or Google) but also with third-party servers (as a consequence of library use). This presents a hazy view of the privacy impact for a particular app. Therefore, we take a significant step to address this challenge and propose a testbed with the ability to systematically evaluate and understand the privacy behavior of client-server applications in a network environment across a large number of hosts. We reflect on our experiences of successfully deploying two mass market applications on the initial versions of our proposed testbed. Standardization across cloud implementations and exposed end points of closed source binaries are key for transparent evaluation of privacy features.

Paper available for download here.

September 2021

A Privacy Testbed for IT Professionals: Use Cases and Design Considerations

Prepared by Joseph Gardiner, Mohammad Tahaei, Jacob Halsey, Tariq Elahi and Awais Rashid

Abstract: We propose a testbed to assist IT professionals in evaluating privacy properties of software systems. The goal of the testbed, currently under construction, is to help IT professionals systematically evaluate and understand the privacy behaviour of applications. We first provide three use cases to support developers and privacy engineers and then describe key design considerations for the testbed.

Paper available for download here.

August 2021

Polynomial Representation Is Tricky: Maliciously Secure Private Set Intersections Revisited

Prepared by Aydin Abadi, Steven Murdoch, Thomas Zacharias

Abstract: Private Set Intersection protocols (PSIs) allow parties to compute the intersection of their private sets, such that nothing about the sets’ elements beyond the intersection is revealed. PSIs have a variety of applications, primarily in efficiently supporting data sharing in a privacy-preserving manner. At Eurocrypt 2019, Ghosh and Nilges proposed three efficient PSIs based on the polynomial representation of sets and proved their security against active adversaries. In this work, we show that these three PSIs are susceptible to several serious attacks. The attacks let an adversary (1) learn the correct intersection while making its victim believe that the intersection is empty, (2) learn a certain element of its victim’s set beyond the intersection, and (3) delete multiple elements of its victim’s input set. We explain why the proofs did not identify these attacks and propose a set of mitigations.

Paper available for download here.
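The abstract above refers to the "polynomial representation of sets" on which the analysed PSI protocols are built. The following is an added, self-contained illustration of what that representation is and why the honest-party intersection falls out of it; it is not code from the paper, does not implement the Ghosh–Nilges protocols, and demonstrates none of the attacks the paper describes. The field modulus, the sample sets and all function names are assumptions chosen for the example.

```python
"""Sets as polynomials over a prime field, as in polynomial-based PSI.

Constructed example (not the paper's protocol): a set S is encoded as
P_S(x) = prod_{s in S} (x - s). The common roots of P_A and P_B are exactly
A ∩ B. Two ways to read the intersection off the representation:
  1. gcd(P_A, P_B): the ideal computation, needs both polynomials in the clear.
  2. a random combination r*P_A + s*P_B, the kind of quantity PSI protocols
     evaluate without revealing the inputs; its roots among A's elements are A ∩ B.
"""
import random

P = 2**61 - 1  # assumed field modulus (a Mersenne prime); all arithmetic is in GF(P)


def trim(f):
    """Drop leading zero coefficients (coefficients are stored low degree first)."""
    f = list(f)
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    return f


def poly_from_set(elems):
    """Coefficients of prod (x - e) over GF(P), low degree first."""
    poly = [1]
    for e in elems:
        new = [0] * (len(poly) + 1)
        for i, c in enumerate(poly):
            new[i + 1] = (new[i + 1] + c) % P   # c * x
            new[i] = (new[i] - c * e) % P       # c * (-e)
        poly = new
    return poly


def poly_eval(f, x):
    """Horner evaluation of f at x in GF(P)."""
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % P
    return acc


def poly_mod(f, g):
    """Remainder of f divided by g in GF(P)[x]; g must be non-zero."""
    f, g = trim(f), trim(g)
    inv_lead = pow(g[-1], -1, P)
    while len(f) >= len(g) and f != [0]:
        q = f[-1] * inv_lead % P
        shift = len(f) - len(g)
        for i, c in enumerate(g):
            f[shift + i] = (f[shift + i] - q * c) % P
        f = trim(f)
    return f


def poly_gcd(f, g):
    """Euclid's algorithm in GF(P)[x]; the result is unique up to a scalar."""
    f, g = trim(f), trim(g)
    while g != [0]:
        f, g = g, poly_mod(f, g)
    return f


def roots_among(f, candidates):
    """Elements of candidates at which f vanishes."""
    return sorted(e for e in set(candidates) if poly_eval(f, e) == 0)


def intersection_via_gcd(a, b):
    """Ideal functionality: both polynomials are known in the clear."""
    return roots_among(poly_gcd(poly_from_set(a), poly_from_set(b)), a)


def intersection_via_combination(a, b, rng=random):
    """What party A can read off r*P_A + s*P_B for non-zero r, s: for e in A,
    P_A(e) = 0, so the combination vanishes at e exactly when P_B(e) = 0,
    i.e. when e is also in B. The randomness hides B's other elements; it
    does not affect which of A's elements are reported."""
    r, s = rng.randrange(1, P), rng.randrange(1, P)
    pa, pb = poly_from_set(a), poly_from_set(b)
    n = max(len(pa), len(pb))
    pa += [0] * (n - len(pa))
    pb += [0] * (n - len(pb))
    combo = [(r * x + s * y) % P for x, y in zip(pa, pb)]
    return roots_among(combo, a)


if __name__ == "__main__":
    A = [3, 7, 11, 19]   # constructed sample sets
    B = [7, 19, 23, 29]
    print(intersection_via_gcd(A, B))          # [7, 19]
    print(intersection_via_combination(A, B))  # [7, 19]
```

Both functions agree on honest inputs; the point of the representation is that the second form can be evaluated without either party seeing the other's polynomial, which is also where the paper's concern lies, since a party that sends something other than a well-formed set polynomial is no longer bound by this algebra.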

March 2021

Towards Data Scientific Investigations: A Comprehensive Data Science Framework and Case Study for Investigating Organized Crime and Serving the Public Interest

Prepared by Erik van de Sandt, Arthur van Bunningen, Jarmo van Lenthe, John Fokker

Abstract: Big Data problems thwart the effectiveness of today’s organized crime investigations. A frequently proposed solution is the introduction of ‘smart’ data science technologies to process raw data into factual evidence. This transition to – what we call – data scientific investigations is nothing less than a paradigm shift for law enforcement agencies, and cannot be done alone. Yet a common language for data scientific investigations is so far missing. This white paper therefore presents guiding principles and best practices for data scientific investigations of organized crime, developed and put into practice by operational experts over several years, while connecting to existing law enforcement and industry standards. The associated framework is called CSAE (pronounced as ‘see-say’): a comprehensive framework that consists of a business process, methodology, policy agenda and public interest philosophy for data scientific operations.

Paper available for download here.