A demonstration is available.
Privacy breaches are an increasing problem because of the large amounts of information being stored in computing systems and the wide range of ways that data can leak out. Privacy breaches can be caused by theft of data, malicious behavior, or negligence. In many cases, privacy breaches can occur when using certain kinds of programs or services.
PrivWatch was created to detect and monitor privacy breaches on the Gnutella Peer-to-Peer (P2P) network. With PrivWatch, you can view statistics about privacy breaches based on the type of information, the geographic patterns, and the trends over time. PrivWatch is produced by the Information Security Group at the Institute for Information Technology (IIT), part of the National Research Council (NRC) of Canada.
Peer-to-Peer (P2P) services allow users to share files that they have on their computers with other people around the world. The most popular use of P2P systems is sharing MP3 files containing music, and one of the most popular P2P programs is Limewire. Using Limewire, people can share music that they have on their systems, and download music that other people are sharing.
Configuring Limewire is not easy. A Limewire user must specify what folders on their hard drive should be shared with other P2P users. Normally, this would be a specific folder only containing the music files suitable for sharing. However, it is quite easy to configure Limewire to share folders that are not appropriate for sharing, or to share an entire “My Documents” folder, and all its sub-folders.
PrivWatch uses a modified Limewire program to search for non-music files that people are sharing. It downloads these files and then scans them for private information. The scan results are then anonymized and summarized to produce global statistics and trends. PrivWatch only analyzes files that people are already sharing, and it is hoped that, by drawing attention to these privacy breaches, users of P2P services will be more careful about what files they share.
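The scan, anonymize and summarize steps described above can be illustrated with the following added example, which is not PrivWatch's code. The two detectors (Luhn-validated card numbers and e-mail addresses), all function names, and the sample files are assumptions constructed for illustration; the same check can be run over a folder's text before that folder is shared.

```python
import re
from collections import Counter

# Assumed detectors (not PrivWatch's own): candidate card numbers and e-mail addresses.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text: str) -> Counter:
    """Count hits per category; the matched values themselves are never kept."""
    found = Counter()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found["credit_card"] += 1
    found["email"] += len(EMAIL_RE.findall(text))
    return +found  # unary plus drops categories with a zero count

def summarize(files: dict) -> dict:
    """Aggregate statistics only: file names and matched values are discarded."""
    per_category, flagged = Counter(), 0
    for text in files.values():
        hits = scan_text(text)
        flagged += bool(hits)
        per_category.update(hits.keys())  # count files, not occurrences
    return {
        "files_scanned": len(files),
        "files_with_personal_data": flagged,
        "files_per_category": dict(per_category),
    }

# Constructed sample input; 4111 1111 1111 1111 is a well-known test card number.
SAMPLE_FILES = {
    "resume.txt": "Contact: jane.doe@example.com",
    "orders.txt": "Card 4111 1111 1111 1111 exp 01/30, invoice 1234 5678 9012 3456",
    "notes.txt": "Buy milk. Meeting at 10:30.",
}

if __name__ == "__main__":
    print(summarize(SAMPLE_FILES))
```

The invoice number in `orders.txt` has the shape of a card number but fails the Luhn check, so it is not counted.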
The first experiments with PrivWatch sampled more than ten thousand files from P2P users around the world. The results showed that leaks of personal information are common, with over half the files containing at least one piece of personal data. The most common types of personal information were names and addresses, but more sensitive information (such as credit card and bank account numbers) was also found.
PrivWatch is a demonstration of the privacy scanning capabilities being developed at the NRC-IIT Information Security Group. The group is working with various partners to apply these technologies to other sources of data beyond P2P files, and they are interested in developing new collaborative relationships.