Not so very long ago, we closed our curtains for privacy. Security was achieved by locking our doors and windows.
But now, with nearly everyone going online for research, shopping, socializing, banking, and other daily needs, these terms have taken on new meaning. Digital privacy is hard to define and even more difficult to achieve—and it comes with major legal, technical, and economic ramifications.
Enter the University of Oregon’s new Center for Cyber Security and Privacy, which is also designated a National Center of Academic Excellence in Cyber Defense Research. The center is directed by associate professor of computer and information science Jun Li, and includes representatives from computer and information science, the law and business schools, and the philosophy and information services departments. “The center is formalizing our informal networks,” says associate professor of philosophy Colin Koopman. “To Jun’s credit, he realized that there is an ethical dimension to developing computer systems, and to conceptualizing notions of privacy.”
Everyone agrees that privacy is important, Koopman says, but everyone has different conceptions of what it is. “Whose privacy?” he asks. “What kinds of privacy? We need sustained inquiry in the places where new IT infrastructure is being built, not just after the fact when something goes wrong downstream.”
The center’s initial research will focus on the functional and operational aspects of Internet security. “We have focused on monitoring and detecting anomalous events on the control plane, and handling malicious Internet traffic on the data plane,” Li says.
The control plane regulates how different nodes, or routers, communicate with each other to enable the transfer of “packets”—units of communication that are the building blocks of e-mails, web pages, or an audio file. The packets are forwarded “hop by hop,” Li says, and then assembled at your computer.
Li hopes to gain increased understanding of “Internet earthquakes” that happen frequently—including disruptive events such as a natural disaster, undersea cable cut, or large-scale power outage that causes the routing to deviate from its normal state—and malicious events, such as when attackers intercept a path and reroute users to fake websites.
The data plane of the Internet is concerned with delivering Internet traffic from source to destination. A major concern in the data plane over the past decades has been the proliferation of distributed denial of service (DDoS) attacks, when attackers flood a website with “garbage packets” and use up all its bandwidth, making it impossible for legitimate packets to get to the site. The center has received a $1.38 million award from the US Department of Homeland Security to create technology that will defend systems from these attacks.
DDoS attacks can happen for a number of reasons. In 2007, during a period of protests in Estonia, attackers disabled the websites of government ministries, political parties, newspapers, banks, and more. Estonia blamed Russia for the attacks, which began after the country moved a Soviet war memorial. Attacks can also take place for more mundane reasons, such as when a player in an online game wants to maliciously freeze another player. An extreme case would be “ransom ware,” Li notes, where someone says, “Pay me, or I’ll take your website down.”
None of these methods of attack are new, he says, but “the attackers’ capabilities are becoming more significant. We are studying how and where to put filters into the networks, as well as how to incentivize Internet service providers to provide this service.”
Another area of research concerns online social networks such as Facebook, Instagram, and Twitter, where there are, of course, many security and privacy concerns. A multi-institution team led by Li recently received a $1.2 million grant from the National Science Foundation that will be used in studies to identify and thwart fraud and attacks. “Social networks create a dilemma for their users,” Li says, “because people want both maximum privacy and maximum publicity. It will be interesting to see how that plays out.”
A third area of research involves finding better methods for protecting the security and privacy of the “Internet of Things”—a phrase that refers to devices that interact with the Internet, such as watches, refrigerators, pacemakers, robotic vacuum cleaners, baby monitors, video cameras at street intersections, and more. Security researchers have exposed security vulnerabilities in everything from Hello Barbie dolls, which allowed hackers to intercept a child’s communication, to cars that can be remotely hacked so their brakes and transmission are disabled.
Li cites the example of a home camera leaking a video of a baby to “unknown folks,” and the ability of someone to hack into a medical device in your body, causing it to malfunction or leak your medical data. That possibility was of enough concern to Dick Cheney’s cardiologist that he disabled Cheney’s pacemaker during his time in office to ensure that an attacker could not deliver a fatal shock to the vice president.
Information garnered from hacking into Internet-connected devices could also be used in criminal investigations, says associate professor of law Carrie Leonetti, whose scholarship focuses on the constitutional right to privacy in criminal investigations. “For instance, your house turns your furnace on and off at certain times, so the metadata shows what time you come and go. This could be very useful.”
Coming up with appropriate definitions for the concepts of security and privacy is an important part of the center’s work. “Does privacy only matter if you’re doing something wrong?” Leonetti asks. “What about medical information? What if you are having an intimate conversation with someone you love?
“The traditional definition of privacy was largely based on the concept of assumption of risk, so that, if you had high fences and blackout curtains, you were not taking the risk of invasion of privacy,” she says. “But everything is different now. By not building an electronic wall, have you relinquished any expectation of privacy in your information?
“We need to figure out the equivalent of closing your curtains in a digital world.”
—By Rosemary Howe Camozzi
Rosemary Howe Camozzi, BA ’96, is a former senior writer and editor for Oregon Quarterly.