OVERVIEW:
security & privacy
Technology development and technical consulting for usable security & privacy
Today's information and device explosion poses enormous security and privacy challenges. Spyware, worms, and other malicious code are prevalent, serving as constant reminders about our critical need for security — especially for our personal mobile devices, which frequently connect to previously unknown devices and services.
Equally pervasive in our daily lives: private data collections that we generate and distribute through interactions with healthcare providers, insurers, retail stores, Internet service providers, and the government. The fundamental challenge in securing these devices and their communication is intelligent ease of use: if a security procedure is too difficult, users may configure it incorrectly, won't deploy it, or will just switch it off.
With expertise in applied cryptography, human factors, and network security, PARC is developing new technologies that intelligently support usable security and privacy for ubiquitous computing environments. Our approach demonstrates that the very data proliferation viewed by many as dangerous can be leveraged to achieve privacy and security goals that previously were impossible. Today, end users and enterprises can intelligently manage the security and privacy of their data and devices in an intuitive and flexible manner.
We are realizing this vision through research and consulting engagements with members of the financial sector, tech start-ups and several Fortune 500 companies. Recent clients include Fujitsu and G2 Microsystems.
applications
Wireless Security
Securing one's data today requires setting up network connections by navigating through multiple setup screens and filling out forms on the computer. People should not have to be networking experts to ensure the security of their data. PARC designs wireless security technology solutions to provide security and ease-of-use. As a demonstration, we developed our "Network-in-a-Box" prototype, employing an intuitive interface that instantly makes sense to people when they use it the first time.
For example, one can add a device to a wireless network by literally "introducing" it to the network's access point; e.g., by touching the two devices together or by indicating the device through infrared pointing.
Network-in-a-Box demonstrates the potential to:
- Put today's strongest-available industrial security technology into the hands of non-expert users
- Allow an average user to add a computer to an 802.1X-secured wireless network in less than 60 seconds, by following two simple steps
- Apply the approach to consumer use, small- and home-office settings, and ad-hoc networks
- Scale the system to manage enterprise-class wireless networks
Content Privacy
PARC's content privacy tools leverage the Web to understand what can be inferred from text content. In particular, the Web serves as a proxy for human knowledge and enables PARC's technology to alert an organization that they are in danger of leaking sensitive information.
For example, this technique could help an organization maintain compliance with the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) by ensuring that a patient's HIV status cannot be learned from a medical record.
Similarly, it might enable government agencies to protect the identities of citizens while still complying with the U.S. Freedom of Information Act — or it might support a citizen journalist who wants to publish an anonymous blog without fear of recrimination by an employer.
PARC's inference detection technology also supports better content protection by allowing for fine-grained access controls in a content-driven manner. For example, access can be granted on a topic basis through keyword-based encryption protocols. This semantic approach to security benefits from PARC's expertise in natural language processing.
Fraud and Crimeware Defense
Fraud prevention is a truly multi-disciplinary topic, in which applied security intersects with user messaging and psychology, as well as with legal and policy aspects. Identifying trends in fraud relies on adversarial modeling and an in-depth understanding of technology, the financial systems and incentives, and of human factors.
Our deep expertise in identifying likely trends enables us to proactively develop technologies that robustly defend against new threats. In addition, our skills in designing and carrying out user experiments allow us to test hypotheses and to quantify vulnerabilities and countermeasures alike.
PARC scientists help organizations to understand identity theft vulnerabilities, and have developed commercial anti-phishing technology, anti-crimeware technology, and improved technology for authentication of users and machines. We believe in taking a holistic approach in which everything is measured and understood, chokepoints identified, and security technology developed to take advantage of our insights.
related conferences
- ACNS '09
- AISec '09
- CANS '09
- CCS '09
- IFIPTM '09
- PASSAT '09
- SecureComm '09
- WPES '09
- ICICS '09
- DIM '09
- Pairing '09
featured publications
Detecting reviewer bias through Web-based association mining
Ad-hoc guesting: when exceptions are the rule
Why and how to perform fraud experiments
Love and authentication
Looking through the keyhole: snippet sharing in close collaborations
Clickable CAPTCHAs
...more security & privacy publications
recent publications
Detecting reviewer bias through Web-based association mining
Detecting privacy leaks using corpus-based association rules
Ad-hoc guesting: when exceptions are the rule
Why and how to perform fraud experiments
in the news
Your Morning Commute is Unique: On the Anonymity of Home/Work Location Pairs
13 May 2009 | 33 Bits of Entropy
"Forgot Your Password?" May Be the Weakest Link
26 August 2008 | MSNBC
What is worse than reusing passwords?
12 August 2008 | ITWorld
Countermeasures against targeted attacks in the enterprise
12 June 2008 | SearchSecurity.com
How to Determine Your Organization's Vulnerability to Crimeware
30 April 2008 | eWeek.com Knowledge Center
upcoming events
- Sanitization's Slippery Slope: The Design and Study of a Text Revision Assistant. Richard Chow, Ian Oberst and Jessica Staddon
- How Users Use Access Control. Diana Smetters and Nathan Good
recent events
Predicate privacy in encryption systems
Elaine Shi
Conferences & Talks
Online crime: a snapshot and a prediction
Markus Jakobsson, invited talk
Conferences & Talks
Detecting privacy leaks using corpus-based association rules & sponsored ad-based similarity: an approach to mining collective advertiser intelligence
Richard Chow, Philippe Golle, Jessica Staddon
Conferences & Talks
Love and authentication
Markus Jakobsson
Conferences & Talks