Privacy

In a paper presented at Usenix Security’s Symposium last week, �Թϱ�� researchers examined why users choose to grant or deny permission when apps request access to contacts, calendars, microphones and more. The iPhone and Android operating systems give users control over data access when installing an app and during the app’s operation – a process known as a “runtime permission request.”

David Lie, a professor in the Edward S. Rogers Sr. department electrical and computer engineering (ECE) in the Faculty of Applied Science & Engineering, says that when the team initially set out to determine which factors influence behaviour, they had no idea user expectations would be so significant.

“An unexpected request is more than twice as likely to be denied,” Lie says. “Also, if there is some explanation for it – if the app conveys to the user why it needs access to something – then we see the denial rate cut in half.

“App developers and smartphone OS designers should give serious consideration to how they communicate and set expectations with their users, which is more important than previously thought.”

The multidisciplinary team of researchers included Lisa Austin, a cross-appointed ECE professor who is also chair in law and technology in the Faculty of Law. Both Austin and Li are also affiliated with the Schwartz Reisman Institute for Technology and Society.

Professors Lisa Austin and David Lie, pictured here prior to the COVID-19 pandemic, are part of a multidisciplinary team behind a new global study that explores the privacy expectations and behaviour of smartphone users (photo by Jessica MacInnis)

To gather data for the study, the team developed an Android app, named PrivaDroid, that runs in the background of each participant’s phone for 30 days. After each new app installation or runtime permission request, PrivaDroid asks participants whether they expected the request and their rationale behind either granting or denying it.

Using online advertising, they recruited more than 1,700 participants from a variety of countries with contrasting privacy legislation and levels of economic development. Over several months ending in the spring of 2020, PrivaDroid observed more than 36,000 permission events.

“Previous studies were constrained to more artificial environments, where participants come into a lab or are set up with phone that’s not their own device,” says Lie. “This was first time someone has been able to do a global smartphone study ‘in the wild.’”

Past research has shown that factors such as age, gender, country of residence and level of education can influence privacy behaviour.

“Our study confirms this,” says Lie. “For example, women are more cautious about granting permissions than men, and young people grant permissions more often than older ones – but not as much as you might think.”

Another finding was that participants who were rated ‘privacy sensitive’ according to the international Internet Users’ Information Privacy Concerns privacy scale have highly variable deny rates – and nearly 30 per cent of them grant permissions more frequently than average.

“This gap between stated behaviour and actual behaviour is known as the ‘privacy paradox,’” says Lie. “This gap would make sense with behaviour one wouldn’t be proud of, but it’s hard to see how that applies with privacy. It’s a puzzle.”

Are these people paying lip service to privacy concerns and then prioritizing their own convenience in the moment? The study reveals that this apparent contradictory behaviour is more nuanced.

“The privacy-sensitive group who granted a lot of permissions said they expected them,” says Lie. “It’s possible they have a better understanding of how and why applications use permissions – that they’re avoiding the ‘creepy’ apps and installing the more transparent ones.”

“So many complex technical and geopolitical issues converge around privacy,” says Professor Deepa Kundur, chair of ECE. “They truly demand a multidisciplinary approach and a long runway. This smartphone privacy study may be a first in its size, scope and complexity, but hopefully it’s the first of many.”

Though prudence might suggest people deny permissions, “that belies how they actually use their phones,” says Lie. “If you really didn’t want what the app provided, or you thought the developer was malicious, you’d just uninstall the app. Smartphone users are telling us that clearly communicating expectations builds trust, and trust plays an important role in granting permissions.”

From phishing scams to compromised passwords: �Թϱ�� cyber security expert on how to stay safe online

Romi Levine — Mon, 28 Jan 2019 21:53:56 +0000

From phishing scams to compromised passwords: �Թϱ�� cyber security expert on how to stay safe online

Romi Levine Mon, 01/28/2019 - 16:53

Cutline

Whether you're browsing social media sites or checking your work email, there are ways to protect your data online (photo by rawpixel via Unsplash)

Topic

The internet is everywhere – from smartphones to cars and fridges. While that means our apps and appliances are more sophisticated than ever before, so too are the hackers, scammers and phishers who are trying to access your personal information.

Today, the University of Toronto is raising awareness about managing the risks of the digital world and providing resources to help the university community stay safe online with Data Privacy Day events taking place on the downtown Toronto campus. There is also a wealth of information available at securitymatters.utoronto.ca, including tools like Citizen Lab’s security planner, which gives you a personalized online safety recommendation, and a series of video tutorials with online safety tips.

Isaac Straley, �Թϱ��’s first-ever chief information security officer, shared his tips with �Թϱ�� on how to put your online privacy first.

Protect your passwords

“Password management is one of the most important things for everybody to be paying attention to right now,” says Straley.

Compromised accounts are one of the primary ways that data breaches happen, but there are a number of ways to keep yours safe and secure.

The first is using websites or applications with two-factor or multifactor authentication – where you are required to provide more than just a password when logging in.

“When you're using banking or other online tools, they might send you a code in addition to putting in your password or might have you push a button on your phone,” says Straley. “What this does is make it harder for an attacker to just know your password because you have to have the other information to be able to log in.”

The university is starting to roll out two-factor authentication for Office 365 for faculty and staff, he says.

Protip: Check out twofactorauth.org to find out if a website uses two-factor authentication.

Straley also says to avoid reusing passwords, but recognizes that remembering them all can be a challenge.

“Using a password manager is a really good tool,” says Straley. Apps like Password Safe and KeePass allow you to generate and store multiple passwords in one safe place – and not in your head.

But don’t put everything in your password manager, Straley warns. “Take the logins that are the most sacred or most important – protect the highest risk information – and remember those. But put everything else in the password manager so you don't have to waste your valuable brain space on remembering half a dozen passwords.”

Don’t be bait for phishing scams

It’s getting harder to distinguish an email scam from a legitimate message, but there are a few red flags you should be aware of, says Straley.

“Number one is almost always urgency,” he says. “When someone is asking you to do something fast.”

Emails warning you your account is about to be locked, or that you’ve gone over a quota are likely coming from illegitimate sources.

“Another one we’re starting to see more of are emails that look like they come from a supervisor or a manager or a colleague that say, ‘Hey, I'm really busy right now, can you help me out?’”

Don’t be fooled by these seemingly personal messages, says Straley. As soon as you agree to help, the scammer will ask you to do something for them, like buy a gift card.

“When you do, you end up spending your money and giving the gift cards to the attackers,” he says.

Personalize your privacy settings

It doesn’t matter if you’re a technophobe or a social media addict, you need to decide what level of privacy you’re comfortable with online, says Straley.

“I'm surprised how often folks don't stop and think about what they expect from their online life. Most of the services are pretty open on their privacy settings,” he says.

With social media platforms like Twitter, Instagram and Facebook, Straley says to make sure that the sharing settings are restricted to the communities you are specifically looking to engage online.

“Especially if you install a lot of social media and tools that have applications on the phone or multiple devices, those tools will ask for a lot of permissions like ‘give us access to all your photos or your mic, camera, or your location settings,’” he says.

Depending on the operating system you use, Straley says, you can choose to share your information with an application only when you're using it.

Cyber crime fighting at �Թϱ��

“A big portion of what we do is identifying different resources that would be attacked and making sure they are protected,” says Straley of his information security team.

“We’ve got tools that allow us to detect attacks – in our jargon they're called intrusion prevention or detection systems – and we have other ways to look for bad activity,” he says.

�Թϱ�� also co-ordinates with fellow higher education institutions, governments and other organizations so it knows what to look out for.

“One of our biggest challenges is just keeping up with the attackers,” Straley says.

Panel discussion to explore data privacy, social media in health care

noreen.rasbach — Tue, 15 May 2018 17:45:42 +0000

Panel discussion to explore data privacy, social media in health care

noreen.rasbach Tue, 05/15/2018 - 13:45

Cutline

(photo by rawpixel via Unsplash)

Nicole Bodnar

Topic

City & Culture

Institute of Health Policy Management and Evaluation

Dalla Lana School of Public Health

Faculty of Medicine

Health

Privacy

Subheadline

Political views and voting patterns were allegedly compromised in Facebook’s Cambridge Analytica data breach, but what if personal health information was leaked as a result of poor public policy on data privacy?

“Good data governance is the best way to mitigate risk and it’s absolutely critical when the public’s health is at stake,” said Jennifer Gibson, director of the University of Toronto Joint Centre for Bioethics (JCB).

“If digital technologies are to realize their promise of improving health, ensuring public trust must be a primary goal. This means engaging potential ethical issues upfront and with intention,” said Gibson (pictured left), also an associate professor at the Institute of Health Policy, Management and Evaluation.

Digital technologies are increasingly prevalent in daily life and it’s commonplace to see a patient blogging about their health-care journey or a surgeon tweeting from the operating room. That’s why the JCB is hosting a panel discussion on Bioethics for Health in a Digital Age at Hart House on Wednesday to explore the urgent need for new bioethical parameters in a digital world.

The all-women panel includes a surgeon, a bioethicist and a privacy lawyer, all of whom are intimately aware of the benefits and pitfalls of delivering health care in an increasingly digital world where the speed of technological advancement far outpaces reflective public policy that addresses ethical dilemmas.

“There aren’t enough conversations happening around the ethical challenges related to data power and governance,” said Gibson. “If we fail to put safeguards in place, important decisions will be made for us by corporations that don’t always have patients’ best interests in mind.”

Dr. Karen Devon, assistant professor of surgery at �Թϱ��’s Faculty of Medicine, will discuss her personal journey with social media in the clinical setting.

“We must be cognizant of the scope and permanence of anything posted online, which can be used for good or bad. Everyone needs to be very thoughtful before pressing the ‘post’ button and always consider all the potential impacts,” said Devon, who is an endocrine surgeon at Women’s College Hospital.

Devon will be joined by fellow panellists Ann Heesters, director of bioethics at the University Health Network, and Rosario G. Cartagena, a senior associate at Fasken Martineau and an expert on privacy and risk management.

The JCB is based at the Dalla Lana School of Public Health and is home to the largest academic community of health-care ethicists in the world. As the first WHO Collaborating Centre for Bioethics, the JCB is an international leader in end-of-life care, resource allocation ethics, infectious disease ethics, and global health ethics.

Bioethics for Health in a Digital Age is open to the �Թϱ�� community on May 16. Registration is required. Doors open at 5 p.m. Opening remarks and panel discussion will take place from 5:30-7 p.m. with a cocktail reception to follow.

�Թϱ��'s Citizen Lab and Open Effect develop privacy watchdog tool for Canadian consumers

lanthierj — Fri, 24 Jun 2016 20:40:10 +0000

�Թϱ��'s Citizen Lab and Open Effect develop privacy watchdog tool for Canadian consumers lanthierj Fri, 06/24/2016 - 16:40

Cutline

(photo by uditha wickramanayaka via flickr)

Adrienne Harry

Author legacy

Adrienne Harry

Topic

You want to meet someone new or track how many steps you take in a day. But your dating and fitness apps might have other plans for your personal data.

Enter Access My Info, an online tool developed by Open Effect and the University of Toronto’s Citizen Lab, at the Munk School of Global Affairs. This tool makes it easier for Canadians to keep track of how their personal information is being used.

“Access My Info empowers individual Canadians to easily exercise their legal right to understand what data is out there about them, whether that information is shared and, if so, with whom,” said Andrew Hilts, executive director of Open Effect and researcher at the Citizen Lab.

“This will help consumers make informed choices, and help companies assess whether their policies and practices are meeting the needs of their customers while also complying with the law.”

See the CTV story

Under the Personal Information Protection and Electronic Documents Act, Canadians have the right to ask companies for a record of what personal data the company is keeping on them. But the process of doing so can be complicated, especially if you don’t know the right questions to ask.

This is where Access My Info helps. In just a few minutes users can create a custom letter, crafted by policy experts from the Citizen Lab, that asks companies careful questions about how personal data is collected and used. The tool streamlines a potentially convoluted process, making it easier for the average Canadian to exercise their privacy rights.

“Most Internet users are either ignorant of, or apathetic about, the data they give away and what companies and governments do with it. When faced with lengthy and confusing terms of service, most users simply click ‘I agree’,” Professor Ronald Deibert, director of the Citizen Lab, says.

“Tools like Access My Info, in which consumers exercise their privacy rights to inquire how companies handle the data they collect on them, will help both bolster these rights and let companies and governments know we are watching.”

Funded by the Canadian Internet Registration Authority (CIRA) through its Community Investment Program, the aim of the Access My Info tool is to build more honest online relationships between Canadian companies and consumers. David Fowler, CIRA’s director of marketing and communications, adds that it never hurts for consumers to be informed.

“Just as we should do periodic checks of our own credit scores to ensure that our financial house is in order, it’s equally, if not more important to know what the companies we do business with are doing with the information we give them.”

(visit flickr to see the original of the photo used above)

Digital Hygiene website aims to make the Internet a little less scary

sgupta — Tue, 01 Mar 2016 11:13:46 +0000

Digital Hygiene website aims to make the Internet a little less scary sgupta Tue, 03/01/2016 - 06:13

Cutline

“It's like the Wild West online” (photo by Enko Koceku)

Terry Lavender

Author legacy

Terry Lavender

More News

Privacy

Munk School of Global Affairs & Public Policy

Subheadline

Munk School project offers advice on online risks

“You’re less incognito than you think.”

That’s the blunt message that greets visitors to the recently created Hygiene in the Digital Public Square website, a joint project of �Թϱ��’s Munk School of Global Affairs and online security specialists eQualit.ie.

“Malicious apps, theft, spam, cyber stalking, censorship, surveillance. There are no foolproof answers to risk online,” the website continues. “But there is advice to help.”

Hygiene in the Digital Public Square was created to give that advice. It offers guidelines on email, social networks, computers, data, identity and location, phones and more. For example, if a user clicks on “Access to the web” they see a brief introduction to security issues with websites and then can choose between three specific scenarios – connecting to a website anonymously, figuring out why a website is unreachable, or connecting to a website securely. Choosing one of the options brings up advice on how to achieve the goal and links to online tools that might help.

Sean Willett, creative director for the project, is one of the founders of the site. He spoke to �Թϱ�� about Hygiene in the Digital Public Square recently.

The Hygiene site is an offshoot of the Munk School’s Digital Public Square project, which is designed to increase digital communications access for people who face repression in countries worldwide. Is the Hygiene site just for people in authoritarian countries?

The Hygiene site is for everyone. Yes, it’s helpful for people under authoritarian regimes, but the Internet in general is sensitive digital space, and there are many actors in that space who can be malicious. It runs the gamut from an authoritarian government that’s punishing bloggers worldwide for writing what they want to write, to ISIS targeting internet cafes in Raqqa, to hackers who might be out for a bit of fun or something more malicious.

It’s like the Wild West online. There’s such a gap between what you’re experiencing on a computer and what’s actually happening to you. People don’t realize how much they’re being tracked. Even when you move in between websites – from Google to Facebook to your favourite news site, ad trackers in the background are monitoring you and your identity. With three points of data on a Google Map – where you go to work, where you shop, and your home – Google knows enough about you to identify you as unique. It knows what you’re shopping for; can guess your rough level of income; and a lot more. Some days you might be okay with that, some days you may not be. This site helps on may-not-be days.

How did you develop the site?

I approached the founder of eQualit.ie, Dmitri Vitaliev, saying I’d love to build something that’s natural language for users connecting to our websites. Something that offers no-nonsense answers about what it really means to have “great digital hygiene” online. He said what he’d love to do is develop a process that takes people through an interview, a “Q and A” process. That was just right. The design, the development, user experience was managed by Munk’s Digital Public Square team, and eQualit.ie mapped the question and answer framework.

Can you give an example of how people might use the site?

Ever worried about deleting a file permanently? You must have at some point. An email, or maybe a picture, that you’re really embarrassed about. So you delete it – but when you delete a file, you never really delete it off the computer. To really get rid of something so no one can recover it is a process that involves a few smart steps. That’s an example of the kind of thing this site explains how to do.

When you land on our site, we assume that the user may or may not know where they want to start to become a bit safer online. Hopefully, the process helps them uncover information not only about the thing that they’re looking for, but also the kinds of tools and how-to’s that they need in order to be cleaner, protect their identity, stop getting viruses or avoid surveillance in dangerous environments. This way beginners and advanced users are able to find something useful in the project.

Does the Hygiene site itself protect users’ identities?

It’s an anonymous process on the site. We do our best to automatically scrub any information that could identify a visiting user. I can’t say it enough – most people do not realize how identifiable they are when just browsing the web regularly.

When you land on our page you can immediately sift through the questions that interest, and importantly, tell us if it was useful without revealing your identity. And we hope users do. Each answer gives them a chance to say, “I think it was really helpful” or “it wasn’t helpful” – with the support of crowdsourcing, we can make this project better.

picpath

sites/default/files/Willett_3 (2).jpg

Fitness tracker flaws exposed by �Թϱ��'s Citizen Lab and Open Effect

sgupta — Tue, 02 Feb 2016 07:02:40 +0000

Fitness tracker flaws exposed by �Թϱ��'s Citizen Lab and Open Effect sgupta Tue, 02/02/2016 - 02:02

Cutline

The Apple Watch was the only device tested that had no issues, researchers said (photo by LWYang via flickr)

Alex Gillis

Author legacy

Alex Gillis

Read the complete report

The report is a collaborative effort between Open Effect, a non-profit applied research group focusing on digital privacy and security, and the Citizen Lab at the Munk School of Global Affairs at �Թϱ��. Open Effect previously published research on the security of ad tracking cookies. It also developed Access My Info, an application that makes it easy for Canadians to file legal requests for access to their personal information.

“I hadn’t thought about the issues too much,” said Gormley, “that somebody could find me using my watch.”

“The upside is they’re so great,” she said. She uses a Garmin device. “I guess we’re maybe a bit blind that there could be a downside.”

The downside, said Andrew Hilts, one of the report’s authors, stems from the fact that each device has a unique identifier emitted constantly via Bluetooth, even after users think they’ve stopped using it.

Hilts, the executive director of Open Effect and a research fellow with the Citizen Lab at the Munk School, said that means anyone – from savvy analytics firms or just someone in a coffee shop – could collect that unique identifier and, in some cases, collect your location and a whole lot more.

“The perception might be, ‘Okay, I’m done with this. I’m turning off Bluetooth,’ but your tracker is still emitting this unique identifier, even if your phone has Bluetooth turned off,” Hilts explained.

“There is a Bluetooth privacy standard in place that provides specifications on how device manufacturers can protect the privacy of their users,” Hilts said. “We’re trying to encourage fitness tracking companies to adopt this standard.” Most devices mentioned in the report do not implement Bluetooth privacy, leaving users vulnerable to location-based surveillance.

“We hope our findings will help consumers make more informed decisions about how they use fitness trackers, help companies improve the privacy and security of their offerings, and help regulators understand the current landscape of wearable products.”

Their findings come on the heels of a report by Professor Guy Faulkner and master's student Krystn Orr of �Թϱ��'s Faculty of Kinesiology & Physical Education that examined the reliability of smartphone pedometer applications.

Released at the end of 2015, that research found an “unacceptable error percentage” in all apps compared with actual pedometers and urged “caution in their promotion to the public for self-monitoring physical activity and in their use as tools for assessing physical activity in research trials”.

Read: Stuck in traffic? These apps think you're walking

The Citizen Lab and Open Effect researchers sought contact with the seven fitness tracker companies whose products exhibited security vulnerabilities. Fitbit, Intel (Basis), and Mio responded and engaged the researchers in a dialogue. Fitbit further expressed interest in exploring the topic of implementing Bluetooth privacy features in its communications with the researchers. Out of the devices studied, only the Apple Watch adopted the Bluetooth privacy standard.

The report’s authors, Hilts, Christopher Parsons and Jeffrey Knockel, reveal a third issue that arose in the Withings and Jawbone devices: users can falsify their own activity levels. The findings cast doubt on the reliability of data for insurance or other purposes.

“Maybe I’m naïve,” Gormley said. “Maybe an insurance company is conducting top-secret research on me and decide they don’t want to give me insurance?”

“Should I be worried?”

(Visit flickr to see the original of the photo used above)

picpath

sites/default/files/2016-02-02-apple-watch-1.jpg

NSA whistleblower Thomas Drake at �Թϱ��

sgupta — Mon, 09 Dec 2013 09:49:09 +0000

NSA whistleblower Thomas Drake at �Թϱ�� sgupta Mon, 12/09/2013 - 04:49

Cutline

Thomas Drake, whistleblower and former senior NSA official speaks at the �Թϱ�� iSchool. (photo by Johnny Guatto)

Kathleen O'Brien

Author legacy

Kathleen O'Brien

Thomas Drake, whistleblower and former senior National Security Agency (NSA) official, began his talk at the University of Toronto by telling the audience that he was told at the airport that his American passport was not enough to get into the country.

He had to provide papers showing he was invited to give a lecture at �Թϱ��'s Faculty of Information (iSchool).

Drake cited this as an example of what’s at stake for democracy and liberty as he began his talk, "Secret NSA/CSEC Surveillance versus Democracy: What's at Stake for the US & Canada?"

With interested followers from around the world watching a live feed, Drake explained how, after working at the NSA for six-and-a-half years, he was investigated and charged with espionage for allegedly disclosing secret information. The charges were dropped and since then Drake has devoted his life to helping citizens become more aware.

“When you see what I went through for five plus years, at the receiving end of a surveillance state in the US, you gain a better appreciation for what truly is at stake," Drake said. "I’ve already lived in a surveillance state. And I don’t want anyone else to live it with me, and don’t want the future to be owned by a surveillance state.

"We are individuals, human beings, we have rights. That makes us sovereign."

Professor Andrew Clement invited Mr. Drake to speak after recent explosive disclosures made by another former NSA contractor, Edward Snowden, that have challenged notions of privacy and democracy.

“The little we know about these surveillance agencies comes not through our usual institutions of democratic oversight, but because of a few very brave whistle blowers who have worked on the inside, and who have not been able to tolerate what they see, and who at great personal risk, expose the information to let us, the public, be much better informed, to what we have a right to,” Clement said in his introduction.

As listeners expected, Drake didn’t hold back, discussing how in a post-911 era, he feels the government has gone far beyond investigating legitimate threats.

“National security, an extremely overloaded phrase, is now the state religion in many democracies, including in the US, now increasingly in Canada. When you invoke the label of national security, you are exempt from all inquiries, from all queries, from oversight, and you do not question the high priests of secrecy,” Drake said.

Master of Information student Greg Hughes said he thought the December 5 talk was riveting. “It was like hearing all the thoughts you've buried or put to the back of your mind about the truth of the surveillance state come to light."

Drake urged the crowd to stand up for the truth, and support their right to freedom.

"I will never forsake my sovereignty for the sake of the State."

iSchool alumna Christina Darvasi watched the lecture from Mexico City and tweeted, “So jealous I'm no longer at the iSchool to see it live.”

Kathleen O'Brien is a writer with the iSchool at the University of Toronto.

picpath

sites/default/files/2013-12-05-Thomas-Drake.jpg

New algorithm finds you, even in an untagged photo

sgupta — Tue, 03 Dec 2013 12:35:52 +0000

New algorithm finds you, even in an untagged photo sgupta Tue, 12/03/2013 - 07:35

Cutline

Working with his student, Professor Parham Aarabi developed a search tool that quantifies relationships between people even when they are not tagged in a photo (photo by Johnny Guatto)

Marit Mitchell

Author legacy

Marit Mitchell

Topic

Breaking Research

Privacy

Smartphones and privacy: �Թϱ��� researchers on why we give access to apps

From phishing scams to compromised passwords: �Թϱ��� cyber security expert on how to stay safe online

Protect your passwords

Don’t be bait for phishing scams

Personalize your privacy settings

Cyber crime fighting at �Թϱ���

Panel discussion to explore data privacy, social media in health care

�Թϱ���'s Citizen Lab and Open Effect develop privacy watchdog tool for Canadian consumers

See the CTV story

Digital Hygiene website aims to make the Internet a little less scary

Fitness tracker flaws exposed by �Թϱ���'s Citizen Lab and Open Effect

Read the complete report

Read: Stuck in traffic? These apps think you're walking

NSA whistleblower Thomas Drake at �Թϱ���

New algorithm finds you, even in an untagged photo

Smartphones and privacy: �Թϱ�� researchers on why we give access to apps

From phishing scams to compromised passwords: �Թϱ�� cyber security expert on how to stay safe online

Cyber crime fighting at �Թϱ��

�Թϱ��'s Citizen Lab and Open Effect develop privacy watchdog tool for Canadian consumers

Fitness tracker flaws exposed by �Թϱ��'s Citizen Lab and Open Effect

NSA whistleblower Thomas Drake at �Թϱ��