The High School Profiling Attack: How Privacy Laws Can Increase Minors’ Risk
Ratan Dey, Yuan Ding, Keith W. Ross
Dept. of Computer Science and Engineering
Third-Party Profiling of Children
Question:
Is it possible to automatically build detailed profiles of most of the teenagers (ages 12-17) in a target high school?
Profiles might include:
• Full name, gender, birth year, current school name, school year
• Home street address, photo of home
• SkypeID, email address
• Names and profiles of family members; names and profiles of school friends
• Interests, wall postings, hundreds of photos
The Danger
Data brokers:
• sell profiles to advertisers, spammers, malware distributors, employment agencies, college admission offices.
• teen market surpasses $200B in US
Pedophiles:
• many already luring victims with Facebook
Spear-phishing attacks:
• Large-scale, automated and highly personalized
Natural Approach: Begin w/ Facebook
• Find a child on FB, download his information.
• Visit his friends’ pages.
• Repeat with friends.
• Then try to enhance profiles with other sources.
What a stranger sees about a minor:
What a stranger sees about an adult
Default and Worst-Case Information Available to Strangers in Facebook
Challenge
• For a given high school, how do we find the students in Facebook and build profiles???
– Minors are not searchable by school in FB
– Only name, profile photo, cover photo album, and gender available for minor.
Attack Ingredients
• COPPA, a law designed to protect the privacy of children, indirectly facilitates the attack.
• “Reverse Friend Lookup”: an attacker can infer a user’s friends even if the user’s friend list is private.
• High-school students tend to have a relatively large number of friends from the same high school in the same graduating class year.
Children’s Online Privacy Protection Act
Some children lie about their ages
High-School Profiling Attack
• Pick target HS
• Search FB by HS
– Mostly get adults (alumni)
– But get some lying minors w/ future grad year: “core users”
• Collect all friends of core users: “candidates”
• Identify candidates with many friends in core set
Identify candidates w/ many core friends
[Figure: core users; candidate students]
Lying minors in 10th grade in Springfield HS
Harry likely:
• lives in Springfield
• goes to Springfield High
• 10th grade
• 16 years old
• friends with Lisa, Etienne
Honest minor: name and pic
Honest minors are vulnerable
Data sets – One private & two public high schools
Estimating the crawling efforts
High-School #1
• 362 students; found FB pages for 325
• Attack: 18 core users; 6,282 candidates
Top 300 has 75% w/ 22% false negatives
High-School #2,3
Profile for honest minor:
• Full name, gender, profile picture
• City, school name, school year, birth year
• Friends in same school; their profiles
• Home street address, photo of home
• Names of parents
• SkypeID
• Facebook pages of parents
• ……
What if no COPPA?
Counter-measure: remove Harry from others’ friend lists
Take away
• Component of COPPA law actually facilitates privacy leakages to third parties.
• OSNs can take additional measures to significantly protect children’s privacy.
– Remove minors from public friend lists
– Detect lying minors
Some Current/Future Research
• Defenses
– Government policies, OSN measures
– Quantify privacy leakage
• City attack
– Attempt to find and profile all middle-school and high-school children
– Active attack: “friend” minors, get more info
• Information from photos
– Big data approach
IMDB Database
Poly Students
Component graphs for students
Component # 1 Component # 2
Obtaining relative height estimates
1. Use OpenCV for face detection
2. Use midpoints of boxes to determine height differences in pixels = $p_{ij}$
3. Determine average box size in pixels = $b$
4. Determine height differences wrt box height: $b_{ij} = p_{ij} / b$
5. e.g., S = 15 cm: $x_{ij} = S \cdot b_{ij}$
CDF for School Database
[Figure: CDF vs. error in cm; curves: estimated error for Mean approach, estimated error for Baseline]