Blog - Computational Privacy Group, Imperial College London

Collective blog of the Computational Privacy Group at Imperial College London

Deep perceptual hashing is not robust to adversarial detection avoidance attacks

Perceptual hashing-based client-side scanning is promoted by governments and technology companies as a privacy-preserving solution to detect illegal content on end-to-end encrypted platforms. Client-side scanning solutions, if deployed, would scan media such as images and videos on the user's device before they are encrypted and sent on a messaging platform (e.g. WhatsApp or Signal) or uploaded to a cloud service (e.g. iCloud). In a paper presented this week at the 31st USENIX Security Symposium in Boston, USA, we show that existing perceptual hashing algorithms are not robust to adversarial evasion attacks. More specifically, an attacker with only black-box access to the system could modify an image such that it evades detection by the client-side scanning system while remaining visually similar to the original illegal image. Here, we extend the attack to state-of-the-art deep perceptual hashing algorithms for image copy detection and show that even they are vulnerable to our detection avoidance attack.
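The attack needs nothing beyond query access to the hash function: perturb the image slightly, keep perturbations that push its hash away from the flagged one, and stop once the Hamming distance exceeds the matching threshold. Below is a minimal sketch of this black-box loop in Python. The simple average hash stands in for the deep perceptual hash under attack, and the threshold, step size, and query budget are illustrative assumptions, not the paper's parameters.

```python
# Minimal black-box detection-avoidance sketch. The average hash below is a
# toy stand-in for the (deep) perceptual hash under attack; the attacker
# only queries it, never inspects it. Threshold/step values are assumptions.
import numpy as np

def average_hash(image: np.ndarray, hash_size: int = 8) -> np.ndarray:
    """Toy perceptual hash: block-average down to hash_size x hash_size,
    then threshold each cell against the overall mean (64-bit hash)."""
    h, w = image.shape
    blocks = image.reshape(hash_size, h // hash_size, hash_size, w // hash_size)
    means = blocks.mean(axis=(1, 3))
    return (means > means.mean()).flatten()

def hamming(a: np.ndarray, b: np.ndarray) -> int:
    return int(np.count_nonzero(a != b))

def evade(image: np.ndarray, hash_fn, threshold: int = 10,
          step: float = 4.0, max_queries: int = 20_000,
          rng=np.random.default_rng(0)) -> np.ndarray:
    """Greedy black-box random search: keep small pixel perturbations that
    move the hash away from the flagged one until it no longer matches."""
    target = hash_fn(image)                 # the hash the scanner would flag
    adv = image.astype(np.float64).copy()
    best = 0
    for _ in range(max_queries):
        noise = rng.normal(0.0, step, size=adv.shape)
        candidate = np.clip(adv + noise, 0, 255)
        d = hamming(hash_fn(candidate), target)
        if d > best:                        # keep perturbations that help
            adv, best = candidate, d
        if best > threshold:                # hash no longer matches
            break
    return adv.astype(np.uint8)

# Toy usage on a random 64x64 grayscale "image".
img = np.random.default_rng(1).integers(0, 256, (64, 64), dtype=np.uint8)
adv = evade(img, average_hash)
print("hash distance:", hamming(average_hash(adv), average_hash(img)))
```

Because every decision is based solely on hash outputs, the same loop applies unchanged to any perceptual hash the attacker can query, which is why black-box access alone suffices.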

Read blog ↦

Evaluating COVID-19 contact tracing apps? Here are 8 privacy questions we think you should ask.

While governments are ramping up their efforts to slow down the spread of COVID-19, contact tracing apps are being developed to record interactions and warn users if one of their contacts is later diagnosed positive. These apps could help avoid long-term confinement, but they also record fine-grained location or close-proximity data. In this blog post, we propose 8 questions one should ask to understand how well an app protects privacy.

Read blog ↦

Can we fight COVID-19 without resorting to mass surveillance?

Governments across the world are doing everything they can to fight COVID-19. Used correctly, data collected through mobile phones could help monitor the effectiveness of lockdown measures and trace the contacts of people who have tested positive. Many people have reached out to ask whether this data could be collected and used effectively without enabling mass surveillance. We thought we'd share our response.

Read blog ↦

When the signal is in the noise: Exploiting Aircloak's Diffix anonymization mechanism

Information about us is constantly being collected through our phones and the services we use online. This data is hugely valuable but also highly personal, and often sensitive. This raises a crucial question: can we use this data without disclosing people's private information? We studied Diffix, a system developed and commercialized by Aircloak to anonymize data by adding noise to the answers of SQL queries sent by analysts. In a manuscript we just published on arXiv, we show that Diffix is vulnerable to a noise-exploitation attack. In short, our attack uses the very noise added by Diffix to infer people's private information with high accuracy. We share Diffix's creators' opinion that it is time to take a fresh look at building practical anonymization systems. However, as we increasingly rely on security mechanisms to protect privacy, we need to learn from the security community: secure systems have to be fully open and part of a larger layered security approach. Privacy is hard; it is time to admit that we won't find a silver bullet and to start engineering systems.
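To see why noise itself can leak information, consider a toy mechanism that answers counting queries with noise seeded deterministically on the query text. An attacker who rephrases the same question many ways (here, by appending always-true dummy clauses) obtains an independent noise draw each time, so averaging the answers cancels the noise; combined with a classic difference attack, this reveals one person's private attribute. The sketch below is a deliberate simplification of Diffix's layered sticky noise, not its actual design, and the dataset, names, and parameters are all illustrative assumptions.

```python
# Toy noise-exploitation sketch: query-seeded noise + a difference attack.
# Everything here is a simplified model of a Diffix-like mechanism.
import hashlib
import numpy as np

rng = np.random.default_rng(42)
N = 1000
age = rng.integers(18, 90, N)
zipc = rng.integers(0, 10_000, N)
secret = rng.integers(0, 2, N)   # private binary attribute to be inferred
T = 0                            # index of the targeted individual
# Assumption: (age, zip) uniquely identifies the target in the dataset.

def noisy_count(mask: np.ndarray, query_text: str) -> float:
    """Toy Diffix-like answer: true count + noise seeded on the query text
    (same query -> same noise, different query -> fresh noise)."""
    seed = int.from_bytes(hashlib.sha256(query_text.encode()).digest()[:4], "big")
    return int(mask.sum()) + np.random.default_rng(seed).normal(0, 2)

def denoised_count(mask: np.ndarray, base_query: str, variants: int = 300) -> float:
    """Noise exploitation: ask the same question many ways (appending
    always-true dummy clauses); the independent noise draws average out."""
    return float(np.mean([noisy_count(mask, f"{base_query} AND dummy_{i} >= 0")
                          for i in range(variants)]))

# Difference attack: everyone with secret = 1, vs. the same set minus the
# target (excluded via their quasi-identifiers). The de-noised difference
# is ~1 iff the target's secret attribute is 1.
q1 = denoised_count(secret == 1, "secret = 1")
q2 = denoised_count((secret == 1) & ~((age == age[T]) & (zipc == zipc[T])),
                    "secret = 1 AND NOT (age = a AND zip = z)")
print("inferred secret:", round(q1 - q2), "| actual:", secret[T])
```

With 300 variants per query, the residual noise on each de-noised count has a standard deviation of roughly 2/√300 ≈ 0.12, so rounding the difference recovers the target's bit with high probability.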

Read blog ↦