liu.seSearch for publications in DiVA
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • oxford
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Information Sharing and User Privacy in the Third-party Identity Management Landscape
Linköping University, Department of Computer and Information Science, Database and information techniques. Linköping University, The Institute of Technology.
Linköping University, Department of Computer and Information Science, Database and information techniques. Linköping University, The Institute of Technology. (ADIT)ORCID iD: 0000-0003-1367-1594
NICTA, Australia.
Linköping University, Department of Computer and Information Science, Database and information techniques. Linköping University, The Institute of Technology. (ADIT)
2015 (English)In: ICT Systems Security and Privacy Protection: 30th IFIP TC 11 International Conference, SEC 2015, Hamburg, Germany, May 26-28, 2015, Proceedings / [ed] Hannes Federrath, Dieter Gollmann, Springer, 2015, p. 174-188Conference paper, Published paper (Refereed)
Abstract [en]

The cross-site information sharing and authorized actions of third-party identity management can have significant privacy implications for the users. In this paper, we use a combination of manual analysis of identified third-party identity management relationships and targeted case studies to (i) capture how the protocol usage and third-party selection is changing, (ii) profile what information is requested to be shared (and actions to be performed) between websites, and (iii) identify privacy issues and practical problems that occur when using multiple accounts (associated with these services). By characterizing and quantifying the third-party relationships based on their cross-site information sharing, the study highlights differences in the privacy leakage risks associated with different classes of websites, and provides concrete evidence for how the privacy risks are increasing. For example, many news and file/video-sharing sites ask users to authorize the site to post information to the third-party website. We also observe a general increase in the breadth of information that is shared across websites, and find that due to usage of multiple third-party websites, in many cases, the user can lose (at least) partial control over which identities they can merge/relate and the information that is shared/posted on their behalf.

Place, publisher, year, edition, pages
Springer, 2015. p. 174-188
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238 ; 455
National Category
Computer Systems
Identifiers
URN: urn:nbn:se:liu:diva-117543DOI: 10.1007/978-3-319-18467-8_12ISI: 000364779100012ISBN: 978-3-319-18466-1 (print)ISBN: 978-3-319-18467-8 (print)OAI: oai:DiVA.org:liu-117543DiVA, id: diva2:809431
Conference
30th IFIP TC 11 International Conference, SEC 2015, Hamburg, Germany, May 26-28, 2015
Available from: 2015-05-04 Created: 2015-05-04 Last updated: 2021-04-26Bibliographically approved
In thesis
1. Web Authentication using Third-Parties in Untrusted Environments
Open this publication in new window or tab >>Web Authentication using Third-Parties in Untrusted Environments
2016 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

With the increasing personalization of the Web, many websites allow users to create their own personal accounts. This has resulted in Web users often having many accounts on different websites, to which they need to authenticate in order to gain access. Unfortunately, there are several security problems connected to the use and re-use of passwords, the most prevalent authentication method currently in use, including eavesdropping and replay attacks.

Several alternative methods have been proposed to address these shortcomings, including the use of hardware authentication devices. However, these more secure authentication methods are often not adapted for mobile Web users who use different devices in different places and in untrusted environments, such as public Wi-Fi networks, to access their accounts.

We have designed a method for comparing, evaluating and designing authentication solutions suitable for mobile users and untrusted environments. Our method leverages the fact that mobile users often bring their own cell phones, and also takes into account different levels of security adapted for different services on the Web.

Another important trend in the authentication landscape is that an increasing number of websites use third-party authentication. This is a solution where users have an account on a single system, the identity provider, and this one account can then be used with multiple other websites. In addition to requiring fewer passwords, these services can also in some cases implement authentication with higher security than passwords can provide.

How websites select their third-party identity providers has privacy and security implications for end users. To better understand the security and privacy risks with these services, we present a data collection methodology that we have used to identify and capture third-party authentication usage on the Web. We have also characterized the third-party authentication landscape based on our collected data, outlining which types of third-parties are used by which types of sites, and how usage differs across the world. Using a combination of large-scale crawling, longitudinal manual testing, and in-depth login tests, our characterization and analysis has also allowed us to discover interesting structural properties of the landscape, differences in the cross-site relationships, and how the use of third-party authentication is changing over time.

Finally, we have also outlined what information is shared between websites in third-party authentication, dened risk classes based on shared data, and proled privacy leakage risks associated with websites and their identity providers sharing data with each other. Our ndings show how websites can strengthen the privacy of their users based on how these websites select and combine their third-parties and the data they allow to be shared.

Place, publisher, year, edition, pages
Linköping: Linköping University Electronic Press, 2016. p. 64
Series
Linköping Studies in Science and Technology. Dissertations, ISSN 0345-7524 ; 1768
National Category
Computer Systems
Identifiers
urn:nbn:se:liu:diva-127304 (URN)10.3384/diss.diva-127304 (DOI)9789176857533 (ISBN)
Public defence
2016-09-30, Visionen, hus B,, Campus Valla, Linköping, 10:15 (English)
Opponent
Supervisors
Funder
ELLIIT - The Linköping‐Lund Initiative on IT and Mobile Communications
Available from: 2016-08-22 Created: 2016-04-19 Last updated: 2021-04-26Bibliographically approved

Open Access in DiVA

fulltext(723 kB)281 downloads
File information
File name FULLTEXT02.pdfFile size 723 kBChecksum SHA-512
dae90edf4aa99b588f3c2f7b43c8a4df902e7f8036e3f7998e6580a7b481f1492706a60e0382c2e72efbac6a190b5db406fd9130e03bb77a98824db73e7fd856
Type fulltextMimetype application/pdf

Other links

Publisher's full text

Authority records

Vapen, AnnaCarlsson, NiklasShahmehri, Nahid

Search in DiVA

By author/editor
Vapen, AnnaCarlsson, NiklasShahmehri, Nahid
By organisation
Database and information techniquesThe Institute of Technology
Computer Systems

Search outside of DiVA

GoogleGoogle Scholar
Total: 402 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

doi
isbn
urn-nbn

Altmetric score

doi
isbn
urn-nbn
Total: 469 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • oxford
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf