I need you to destroy this script
Added 2022-07-19 14:18:27 +0000 UTC
I am struggling with finishing this. Let me know what's wrong, incomplete, buggy, unclear, or just sucks.
Threat source
Privacy is a different goal than security, so keep that in mind when thinking about your adversaries – who you are protecting your data from. LINDDUN considers three main threat sources:
- External attacker – an adversary with unauthorized access to communication or stored data.
- Organizational – a company or entity that handles your data in a privacy-violating way, or a malicious employee abusing your data.
- Receiving party – the partners of those companies and the receiving ends of your communications.
Unlike with security threat actors, privacy adversaries can be people with authorized and legitimate access to your data because they are providing you a service you signed up for.
LINDDUN documents these threat sources alongside the seven threat categories. We will use these categories as our threat list to define what we are protecting our data from.
Threat list
We will first identify these threats and then map them against our data assets. We can approach each with a knowledge-base or by asking a set of questions.
Linkability
The first LINDDUN threat is linkability. It’s the ability of an attacker to find the link between two items of interest, even without knowing the actual identity of the subject. Linkability can lead to identifiability and inference and is impacted by data minimization and anonymization.
Linkability can be affected by your credentials, actions, personal data, metadata, shared data and stored data.
The questions you want to ask are:
- Are you re-using the same credentials and is the service using them to track you?
- Is your behavior creating a sufficiently unique pattern as to be linkable?
- Do you submit personal data that the provider can link together?
- Does the service collect linkable metadata?
- Does the service share your data with third parties that can be linked?
- Is the service minimizing or anonymizing stored data, e.g. by storing aggregate sets instead of individual profiles?
Identifiability
Identifiability is the ability of an adversary to identify a subject within a data set. It happens when you can’t hide the link between an item of interest and your identity. Identifiability leads to severe privacy violation. It is impacted by data minimization and linkability and it’s mitigated by anonymization.
Identifiability questions include:
- Do the credentials contain identifiable information (e.g. an email address with your real name, e-ID, biometrics)?
- Are your behavioral patterns sufficiently unique as to be identifiable?
- Do you submit identifiable personal data to the provider?
- Is the provider collecting identifying metadata?
- Is your identifiable data shared with third parties?
- Is the service storing identified data without minimization or de-identification? Can a retrieving party request identifiers from the stored data?
Non-repudiation
LINDDUN considers non-repudiation to be a privacy threat. Non-repudiation means not being able to deny a claim. In terms of privacy, it’s the opposite of plausible deniability. Plausible deniability is required when the communication is sensitive, such as during whistleblowing. However, non-repudiation is required for payment systems, as holding a purchase receipt is usually desirable.
Non-repudiation questions are as follows:
- Does the system require identifiable credentials?
- Can the communication be traced back to its origin, e.g. your location?
- Can you plausibly deny having received a message?
- Can you plausibly deny an encrypted storage?
- Can future parties retrieve data that contains undeniable information?
Detectability
In some cases, severe privacy violation can occur just by discovering an item of interest exists, without necessarily having access to its content. E.g. if a celebrity has a file in a rehab facility, without knowing the contents of their health record, you can infer they have an addiction problem. LINDDUN calls this threat detectability and it can be found by answering this set of questions:
- Can your credentials be discovered by an external threat source, e.g. through the response to a “forgot password” prompt?
- Is communication between you and the service hidden and anonymous, e.g. routed through the Tor network?
- Can additional information be inferred from communication behavior?
- Can storage actions and data retrieval be detected by an external threat actor?
Due to the nature of the internet, detectability is a very persistent threat. External adversaries will almost always be able to detect contextual data. Detectability leads to inference and is impacted by data anonymization.
Disclosure of information
Security is a prerequisite for privacy. You shouldn’t compromise your security in the hopes of becoming more private. Bad recommendations will tell you to root or jailbreak your device or install custom software with a broken security model. These solutions are made without a threat model and they break system security properties, resulting in severe exposure.
LINDDUN recommends doing a full security analysis alongside privacy threat modeling. This is necessary to address the threat of disclosure of information. The threat model of choice is STRIDE. STRIDE is a mnemonic for spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege.
Disclosure of information happens as a breach of confidentiality, authentication or authorization. A threat actor could gain access to sensitive information if encryption is improperly implemented, if they acquire privileged access to a system, or if they compromise credentials or secrets. Other attempts can include spoofing, where a phishing website or app tries to trick you into submitting personal or login data to the attacker. The severity of this threat depends on the skills of your adversary, the ease of exploiting a vulnerability and the level of reward. The higher the value of the target data, the more likely this threat is to occur and the stricter the security controls that need to be implemented.
Unawareness
LINDDUN considers unawareness to be a privacy threat. Users are often unaware of the impacts of data sharing, and this is made worse by a lack of transparency and bad data practices at the service provider. You need to carefully evaluate the following:
- Are personal data being collected and/or processed, and are you sufficiently informed about this?
- Does the system provide user-friendly privacy controls and default to privacy-preserving settings?
- Is the service storing your personal data and if so, does the system provide an easy mechanism for requesting a copy of the data?
- Can you request to remove or rectify your personal data?
- Does the service require an informed consent before data is processed? Can you easily withdraw your consent?
Non-compliance
The last threat to identify with software systems is non-compliance. Organizations or malicious employees can often violate regulations and corporate policies. Non-compliance is more severe the more data is collected. Ask these questions about a service:
- Does it collect more personal data than required for the purpose?
- Is the data being processed without your consent?
- Is more of your data processed than required for the purpose?
- Does the process make decisions without human verification? Can you object to the automated decision?
- Is the service storing more personal data than required for the purpose?
Mapping table
For every service in our data inventory, we can go through the LINDDUN Go cards and answer the questions from each threat category. You will know how to answer these questions because your inventory documents the privacy policies of all the services that have your data.
Create a mapping table for each service with all privacy threats organized into rows and data flow components in columns. Make a mark in the mapping table for the relevant threat and component whenever an answer to a privacy question leads to a threat. Iterate over all LINDDUN Go cards for every service until you have done this for all systems in your data inventory.
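The mapping-table step above written out as runnable code. This is an added example, not part of the original script or of LINDDUN Go: it assumes the six data-flow components named under Linkability as the columns, and the service name, question wording and answers below are constructed.

```python
from dataclasses import dataclass

# LINDDUN threat categories (rows), in the order the script introduces them.
THREATS = ["Linkability", "Identifiability", "Non-repudiation", "Detectability",
           "Disclosure of information", "Unawareness", "Non-compliance"]
# Data-flow components (columns) the script lists under Linkability (assumption).
COMPONENTS = ["credentials", "actions", "personal data", "metadata",
              "shared data", "stored data"]

@dataclass(frozen=True)
class Answer:
    threat: str      # LINDDUN category the question belongs to
    component: str   # data-flow component the question is about
    question: str    # the question asked while going through the cards
    is_threat: bool  # True when the answer reveals a threat for this cell

def build_mapping(answers):
    """Return {threat: {component: bool}}; a cell is marked as soon as one
    answer for that threat/component pair reveals a threat."""
    table = {t: {c: False for c in COMPONENTS} for t in THREATS}
    for a in answers:
        if a.threat not in table or a.component not in COMPONENTS:
            raise ValueError(f"unknown cell: {a.threat} x {a.component}")
        table[a.threat][a.component] |= a.is_threat
    return table

def marked_cells(table):
    """Sorted (threat, component) pairs that carry a mark."""
    return sorted((t, c) for t, row in table.items() for c, v in row.items() if v)

def render(service, table):
    """Plain-text grid: one row per threat, 'X' where a threat was found."""
    col = lambda s: s[:11].ljust(13)
    out = [f"Mapping table: {service}", col("threat") + "".join(map(col, COMPONENTS))]
    for t in THREATS:
        out.append(col(t) + "".join(col("X" if table[t][c] else ".") for c in COMPONENTS))
    return "\n".join(out)

# Constructed sample answers for a hypothetical service; the questions are
# paraphrased from the script's own LINDDUN question lists.
SAMPLE = [
    Answer("Linkability", "credentials", "Re-using credentials the service uses to track you?", True),
    Answer("Linkability", "metadata", "Does the service collect linkable metadata?", True),
    Answer("Linkability", "stored data", "Is stored data minimized or anonymized?", False),
    Answer("Detectability", "credentials", "Credentials discoverable via 'forgot password'?", True),
    Answer("Unawareness", "stored data", "Can you request a copy of stored data? (answered no)", True),
]

if __name__ == "__main__":
    print(render("example-service (constructed)", build_mapping(SAMPLE)))
```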
This is the most productive part of threat modeling. You can do it with a group of friends or family members and help each other find threats to each other's private data.
LINDDUN will also give you a consistent methodology for choosing which privacy-invasive services to replace with privacy-respecting alternatives.
Mitigation Strategies & Privacy Enhancing Techniques
To be continued...
Comments
If this is to be for beginners, then I feel that a portion of the script (mainly the beginning) should be focused on introducing the concept of threat modeling. Something that is not anecdotal but more of a laying out foundational terms and going into detail about the relationships between privacy and security. And then it can lead to the "Threat Source" section. The ideas you have in the section would flow better this way in my opinion. In addition, I think there are some lines and paragraphs in the script that may fall under this potential introductory section, such as the first paragraph under "Disclosure of information." Also, side comment to that section, but I think there needs to be a reordering of ideas and paragraphs, which is just having the third paragraph go before the second one. I also think it would help to have in mind who the beginner is and what stage they're in with their journey through privacy and security. I think this script works well for those of us who already have a good understanding of privacy, security, anonymity, the ethics and the methodologies surrounding them, but this may not work for the absolute beginner, who is bound to get lost with the level of vocabulary and speech we see from you and doesn't have the level of critical thinking that we've all developed. Though, I wouldn't be able to tell you how to accomplish writing and speaking with simplicity and tangibility.
Petrified
2022-07-21 04:07:32 +0000 UTC
Great information. I did note that I (personally) did not recall what exactly the acronyms meant, so repeating that may be helpful. One thing to think about: What level of understanding does each viewer have when they see the information? People progress (roughly) from:
- having awareness of the idea of privacy
- to hearing their first horror stories
- to embracing the need for privacy
- to learning the impact on them personally
- to hearing recipes for the time and cost of a solution (anti-virus, privacy phones, etc)
- to taking early action with imperfect results (wasted time/money)
- to finding solutions (probably recipes again for most people)
- to getting enough failures and horror stories to motivate them to deeper analysis
- to searching for a pre-built deeper analysis
- to being unhappy with completeness or applicability of the pre-built deeper analysis
- to learning about deeper analysis techniques (i.e. the script you posted)
- to personally doing a deeper analysis
- to researching/actioning/implementing self customized solutions
So your script is for quite advanced and/or motivated people. To expand the script's appeal (i.e. views), you could consider adding threat examples (more horror stories). Also, solution suggestions integrated early in the script, or pointing out --early in the script-- that solutions are coming later in the script. Those changes keep people motivated, and add more interest for people who have not progressed as far in my list. (Since there are more and more people at earlier and earlier stages in the list.) Horror stories people have not heard of (i.e. details from Snowden/Binney/Vault7/etc) also grip viewers with the value of continuing both in the video, and with your content channels. Of course, as is, the script is already an interesting and informative read!
Peter
2022-07-19 19:54:06 +0000 UTC
I just wanna make really sure that this is comprehensible and applicable for a beginner to privacy who wants to be serious about this.
The Hated One
2022-07-19 14:59:17 +0000 UTC
Woa that's a load of info. For me, the only thing missing was the actual How, but that's where you stopped, so it's coming. The rest from my pov seems solid, loaded, but solid. If you asked us, that means you have your doubts, can you tell us a little more where you feel it's off?
EudaemonicRob
2022-07-19 14:33:05 +0000 UTC