Publications

Self-Sovereign Identity and User Control for Privacy-Preserving Contact Tracing
Wenting Song, Razieh Nokhbeh Zaeem, David Liau, Kai Chih Chang, Michael R. Lamison, Manah M. Khalil, K. Suzanne Barber, UT CID Report #22-02, February 2022

Abstract
Contact tracing apps use mobile devices to keep track of and promptly identify those who come in contact with an individual who tests positive for COVID-19. However, privacy is a major obstacle to the wide-spread use of such apps since users are concerned about sharing their contact and diagnosis data. This research overcomes multiple challenges facing contact tracing apps: (1) As researchers have pointed out, there is a need to balance contact tracing effectiveness with the amount of user identity and diagnosis information shared. (2) No matter what information the user chooses to share, the app should safeguard the privacy of user information. (3) On the other hand, some essential test result information must be shared for the contact tracing app to work. While contact tracing apps have done a good job maintaining contact information on the user’s device, most such apps publish positive COVID-19 test results to a central server which has some risks for compromise. We address these challenges by (1) giving the user the right to choose how much information to share about their diagnosis and their identity, (2) building our novel contact tracing app on top of Self-Sovereign Identity (SSI) to assure privacy preserving user authentication with verifiable credentials, and (3) decentralizing the storage of COVID-19 test results. We, in collaboration with Verizon, have implemented our Privacy-preserving Contact Tracing (PpCT) app, leveraging SSI advances based on the blockchain for their 5G network.

Access Publication: Download PDF of Report

Finding Trustworthy Users: Twitter Sentiment Toward US Presidential Candidates in 2016 and 2020
Teng-Chieh Huang, Razieh Nokhbeh Zaeem, K. Suzanne Barber, UT CID Report #22-01, January 2022

Abstract
For any topic in which the public opinion matters, there is a potential of using social media to evaluate the public opinion. Previous research has proven the effectiveness of using social media as an indicator to elections. Nevertheless, the composition of social media users can never be the same as the real demographic. What makes things worse is the existence of malicious users who intend to manipulate the public’s tendencies toward candidates or parties. In this paper, we aim to increase the prediction correctness under the premise that the extracted data are noisy. By taking an individual’s trustworthiness, participation bias and the influence into account, we propose a novel method to forecast the U.S. presidential election in 2016 post facto and make predictions for the 2020 election. In essence, we identify the social media as a polling mechanism: What does social media predict as an election outcome?

Access Publication: Download PDF of Report

Proactive Identity Knowledge and Mitigation System
Aditya Tyagi, Razieh Nokhbeh Zaeem, K. Suzanne Barber, UT CID Report #21-10, December 2021

Abstract
While many organizations share threat intelligence, there is still a lack of actionable data for organizations to proactively and effectively respond to emerging identity threats to mitigate a wide range of crimes. There currently exists no solution for organizations to access current trends and intelligence to understand emerging threats and how to appropriately respond to them. This research project delivers I-WARN, to help bridge that gap. Using a wide range of open-source information, I-WARN gathers, analyzes, and reports on threats related to the theft, fraud, and abuse of Personally Identifiable Information (PII). Then maps those threats to the MITRE ATT&CK – a framework that helps understand lateral movement of an attack – to offer mitigation and risk reduction tactics. I-WARN aims to deliver actionable intelligence, offering early warning into threat behaviors, and mitigation responses. This paper discusses the technical details of I-WARN, current solutions for threat intelligence sharing with how they compare to I-WARN, and future work.

Access Publication: Download PDF of Report

Human and Privacy Rights
Razieh Nokhbeh Zaeem, K. Suzanne Barber, UT CID Report #21-09, November 2021

Abstract
Privacy is important. Individuals should have the right to control the disclosure of personal data that describes them, identifies them and reveals information about them. Individuals should not be subjected to invasions of their privacy, family, home or correspondence, nor to assaults upon their reputation. These rights to privacy must be protected by law to guard against such interference, invasions or attacks.

Access Publication: Download PDF of Report

It Is an Equal Failing to Trust Everyone and to Trust Nobody: Stock Price Prediction Using Trust Filters and Enhanced User Sentiment on Twitter
Teng-Chieh Huang, Razieh Nokhbeh Zaeem, K. Suzanne Barber, UT CID Report #21-08, November 2021

Abstract
Social media are providing a huge amount of information, in scales never possible before. Sentiment analysis is a powerful tool that uses social media information to predict various target domains (e.g., the stock market). However, social media information may or may not come from trustworthy users. In order to utilize this information, a very first critical problem to solve is to filter credible and trustworthy information from contaminated data, advertisements or scams. We investigate different aspects of a social media user to score his/her trustworthiness and credibility. Furthermore, we provide suggestions on how to improve trustworthiness on social media by analyzing the contribution of each trust score. We apply trust scores to filter the tweets related to the stock market as an example target domain. While social media sentiment analysis has been on the rise over the past decade, our trust filters enhance conventional sentiment analysis methods and provide more accurate prediction of the target domain, here the stock market. We argue that while it is a failing to ignore the information social media provide, effectively trusting nobody, it is an equal failing to trust everybody on social media too: Our filters seek to identify whom to trust.

Access Publication: Download PDF of Report

Blockchain-Based Self-Sovereign Identity: Survey, Requirements, Use-Cases, and Comparative Study
Razieh Nokhbeh Zaeem, K. Suzanne Barber, Razieh Nokhbeh Zaeem, Kai Chih Chang, Teng-Chieh Huang, David Liau, Wenting Song, Aditya Tyagi, Manah M. Khalil, Michael R. Lamison, Siddhartha Pandey, UT CID Report #21-06, August 2021

Abstract
Identity is at the heart of digital transformation. Successful digital transformation requires confidence in and protection of digital identities. On the Internet, however, there is no unique and standard identity layer. Consequently, a variety of digital identities have emerged over years, leading to privacy risks, security vulnerabilities, risks for identity owners, and liability for identity issuers and those relying on digital identities to grant access to goods and services. Self-Sovereign Identity (SSI) and similar forms of identity management on the blockchain distributed ledger are novel technologies that recognize the need to keep user identity privately stored in user-owned devices, securely verified by identity issuers, and only revealed to verifiers as needed. There is limited academic literature defining the prerequisite SSI functional and non-functional requirements and comparing SSI technologies. Often those SSI technologies reviewed in the literature lag behind current advances. We present the first work that compiles a comprehensive list of functional and non-functional requirements of SSI and compares an extensive number of existing SSI/blockchain-based identity management solutions with respect to these requirements. Our work sheds light on the state-of-the-art SSI development and paves the way for future, more informed analysis and development of novel identity management and SSI solutions.

Access Publication: Download PDF of Report

Early Warning Identity Threat and Mitigation System
Aditya Tyagi, Razieh Nokhbeh Zaeem, K. Suzanne Barber, UT CID Report #21-05, August 2021

Abstract
While many organizations share threat intelligence, there is still a lack of actionable data for organizations to proactively and effectively respond to emerging identity threats to mitigate a wide range of crimes. There currently exists no solution for organizations to access current trends and intelligence to understand emerging threats and how to appropriately respond to them. This research project delivers I-WARN to help bridge that gap. Using a wide range of open-source information, I-WARN gathers, analyzes, and reports on threats related to the theft, fraud, and abuse of Personally Identifiable Information (PII). I-WARN then maps those threats to the MITRE ATT&CK – a framework that helps understand lateral movement of an attack – to offer mitigation and risk reduction tactics. I-WARN aims to deliver actionable intelligence, offering early warning into threat behaviors, and mitigation responses. This paper discusses the technical details of I-WARN, current solutions for threat intelligence sharing with how they compare to I-WARN, and future work.

Access Publication: Download PDF of Report

Personal Data Early Warning System: Machine Learning Models Extract Identity Theft and Fraud Trends from News
Razieh Nokhbeh Zaeem, K. Suzanne Barber, Jessica Cruz-Nagoski, Luke Norrell, Michael Sullivan, Jonathan Walsh, Dylan Wolford, Yasira Younus, UT CID Report #21-04, August 2021

Abstract
Each year, cyber attacks pose a greater and greater risk to consumer personal information stored by corporations and government agencies. Billions of consumer records are breached each year and data breaches compromise the personal data of hundreds of millions of citizens. These breaches are extremely costly–financially and in terms of privacy and reputation–to people (through identity theft and fraud) and to companies (through the abuse of their collected information for which they are accountable). What is more, the theft of data often acts as a gateway in the complex and interdependent ecosystem of personal data. Personally Identifiable Information (PII) is breached to gain access and steal more PII in a chain of events and tactics. Therefore, there is a need to build tools to help people and businesses navigate the dangerous waters of identity theft and fraud. The cyber world, however, is an evolving landscape and trends change often. People and organizations need to have a current and accurate situational awareness understanding trends such as common breach threats and tactics, types of data most frequently attacked, and personal information most often exposed with the highest negative consequences. Enter the Personal Data Early Warning System (PDEWS), an online dashboard that tracks and displays the current cyber threat landscape and generates actionable insight into trends and patterns. PDEWS exists as an automated pipeline, collecting data each day about ongoing cyber threats. There are four major phases of PDEWS. First, PDEWS prowls through daily identity theft and fraud news stories and scrapes the body text. Then it formats the text into the representation required for a machine learning application and places that text in an Amazon Web Services cloud infrastructure. Next, PDEWS applies machine learning models trained on a private identity theft article corpus to extract relevant threat labels. Finally, PDEWS displays those trends on an online dashboard alongside recommendations researched to have the greatest mitigation capabilities against the current threat landscape.

Access Publication: Download PDF of Report

PrivacyCheck v3: Empowering Users with Higher-Level Understanding of Privacy Policies
Razieh Nokhbeh Zaeem, K. Suzanne Barber, Ahmad Ahbab, Josh Bestor, Hussam H. Djadi, Sunny Kharel, Victor Lai, Nick Wang, UT CID Report #21-03, August 2021

Abstract
Privacy policies are lengthy and hard to read, yet are profoundly important as they communicate the practices of an organization pertaining to user data privacy. Privacy Enhancing Technologies, or PETs, seek to inform users by summarizing these privacy policies. Efforts in the research and development of such PETs, however, have largely been limited to tools that recap the policy or visualize it. We present the next generation of our research and publicly available tool, PrivacyCheck v3, that utilizes machine learning to inform and empower users with respect to privacy policies. PrivacyCheck v3 adds capabilities that are commonly absent from similar PETs. In particular, it adds the ability to (1) find the competitors of an organization with Alexa traffic analysis and compare policies across them, (2) follow privacy policies the user has agreed to and notify the user when policies change, (3) track policies over time and report how often policies change and their trends, (4) automatically find privacy policies in domains, and (5) provide a bird’s-eye view of privacy policies the user has agreed to. The new features of PrivacyCheck not only inform users about details of privacy policies, but also empower them to understand privacy policies at a higher level, make informed decisions, and even select competitors with better privacy policies.

Access Publication: Download PDF of Report

On the Usability of Self Sovereign Identity Solutions
Razieh Nokhbeh Zaeem, K. Suzanne Barber, Manah M. Khalil, Michael R. Lamison, Siddhartha Pandey, UT CID Report #20-02, August 2021

Abstract
In the absence of a unique identity layer on the Internet, many identity solutions have evolved over time—examples include standalone username and password pairs, Single Sign On, and Federated Identity Management. Privacy and security risks for identity owners and liability for identity issuers and verifiers, however, are still alarmingly present. Self-Sovereign Identity (SSI) solutions are new technologies that recognize the need to keep user identity privately stored in user-owned devices, securely verified by identity issuers, and only revealed to verifiers and relying parties as needed. Many commercial SSI solutions are already available to users, issuers, and verifiers. As other researchers have pointed out, usability remains a pressing unknown in the existing SSI solutions. We study five of the most commonly used SSI solutions: uPort, Connect.me, Trinsic, Jolocom, and ShoCard (now PingID) with respect to their usability. We identify some concrete usability problems and suggest ways to resolve them. Our work recognizes that identifying, prioritizing, and implementing the non-functional requirement of usability in SSI solutions is essential for their adoption.

Access Publication: Download PDF of Report