Proceedings on Privacy Enhancing Technologies 2021; ..:1–23 Iñigo Querejeta-Azurmendi*, Panagiotis Papadopoulos, Matteo Varvello, Antonio Nappa, Jiexin Zhang, and Benjamin Livshits ZKSENSE: A Friction-less Privacy-Preserving Human Attestation Mechanism for Mobile Devices Abstract: Recent studies show that 20.4% of the inter- 1. Introduction net traffic originates from automated agents. To iden- Automated software agents that interact with content tify and block such ill-intentioned traffic, mechanisms in a human-like way, are becoming more prevalent and that verify the humanness of the user are widely de- pernicious in the recent years. Web scraping, com- ployed, with CAPTCHAs being the most popular. Tra- petitive data mining, account hijacking, spam and ad ditional CAPTCHAs require extra user effort (e.g., solv- fraud are attacks that such agents launch by mimick- ing mathematical puzzles), which can severely down- ing human actions at large scale. According to a recent grade the end-user’s experience, especially on mobile, study [1], 20.4% of the 2019 internet traffic was fraudu- and provide sporadic humanness verification of ques- lent, associated with user, albeit not human, activity. tionable accuracy. More recent solutions like Google’s In the ad market specifically, such type of fraudulent reCAPTCHA v3, leverage user data, thus raising sig- traffic costs companies between $6.5-$19 billions in the nificant privacy concerns. To address these issues, U.S. alone, and it is estimated that this will grow to $50 we present zkSENSE: the first zero-knowledge proof- billion by 2025 [2]. When it comes to the ever-growing based humanness attestation system for mobile devices. mobile traffic, a recent study [3] (using data spanning 17 zkSENSE moves the human attestation to the edge: billion transactions) observes 189 million attacks origi- onto the user’s very own device, where humanness of nated specifically from mobile devices; this is an increase the user is assessed in a privacy-preserving and seamless of 12% compared to the previous six months. manner. zkSENSE achieves this by classifying motion The “Completely Automated Public Turing tests sensor outputs of the mobile device, based on a model to tell Computers and Humans Apart” (or just trained by using both publicly available sensor data and CAPTCHA) is the current state-of-the-art mechanism data collected from a small group of volunteers. To en- to assess the humanness of a user. CAPTCHAs are sure the integrity of the process, the classification result widely deployed across the internet to identify and block is enclosed in a zero-knowledge proof of humanness that fraudulent non-human traffic. The major downsides can be safely shared with a remote server. We implement of current CAPTCHA solutions (e.g., Securimage [4], zkSENSE as an Android service to demonstrate its ef- hCaptcha [5]) include: (i) questionable accuracy: fectiveness and practicality. In our evaluation, we show various past works demonstrate how CAPTCHAs can that zkSENSE successfully verifies the humanness of a be solved within milliseconds [6–10], (ii) added fric- user across a variety of attacking scenarios and demon- tion: additional user actions are required (e.g., image, strate 92% accuracy. On a two years old Samsung S9, audio, math, or textual challenges) that significantly im- zkSENSE’s attestation takes around 3 seconds (when poverish the user experience [11], especially on mobile visual CAPTCHAs need 9.8 seconds) and consumes a devices, (iii) discrimination: poor implementations negligible amount of battery. often block access to content [12], especially to visual- arXiv:1911.07649v4 [cs.CR] 7 Sep 2021 impaired users [13] (iv) serious privacy implica- Keywords: Human Attestation, Privacy Preserving Bot tions: to reduce friction, Google’s reCAPTCHAv3 [14] Detection, Frictionless verification of humanness replaces proof-of-work challenges with extensive user DOI foobar tracking. Google’s servers attest user’s humanness by collecting and validating behavioral data [15] (i.e., typ- ing patterns, mouse clicks, stored cookies, installed plu- *Corresponding Author: Iñigo Querejeta-Azurmendi: gins), thus raising significant privacy concerns [16–18]. Universidad Carlos III Madrid / ITFI, CSIC. Part of the work The goal of this paper is to build a humanness at- performed while working at Brave Software. testation alternative that will put an end to the false Panagiotis Papadopoulos: Telefónica Research dilemma: humanness attestation at the cost of user ex- Matteo Varvello: Bell Labs Antonio Nappa: University of California, Berkeley Jiexin Zhang: University of Cambridge Benjamin Livshits: Brave Software/Imperial College Proceedings on Privacy Enhancing Technologies 2021; ..:2–23 perience or at the cost of user privacy? By leveraging tegrity of the classification result reported to a re- the device’s motion sensors we demonstrate that it is mote server. possible to build a humanness attestation mechanism 3. We implement an Android SDK and a demo app2 on the edge that preserves the privacy of the users and to showcase the detection accuracy of zkSENSE. runs seamlessly on the background thus requiring zero zkSENSE is invisible to the user and capable of ver- interaction from the mobile user. ifying their humanness with accuracy higher than re- The key intuition behind our approach is that when- lated proposals [19] (92%). Performance evaluation ever a (human) user interacts with a mobile device, results of our prototype show that the entire attesta- the force applied during the touch event generates mo- tion operation takes less than 3 seconds (compared tion. This motion can be captured by the device’s sen- to 9 sec [21] required by Android reCAPTCHA [22] sors (e.g., accelerometer and gyroscope) and used to and consumes less than 5 mAh of power. uniquely distinguish real users from automated agents. Further, this detection can run on the user device, with- 2. Goals and Threat Model out requiring secure execution environment (unlike re- In this section, we describe (i) the basic design principles lated proposals [19, 20]), but more importantly with- that a humanness verification mechanism must follow, out sharing private information with any server (unlike and (ii) how existing mechanisms work and compare state-of-the-art [14]), apart from a proof that guarantees with zkSENSE. Specifically, a successful human attes- the integrity of the attestation result. Secure execution tation mechanism must: environments are rapidly evolving and might soon be- A) Be friction-less: Most existing mechanisms re- come a crucial tool for human attestation mechanisms, quire the user to solve mathematical quizzes or im- however, we have not yet seen wide adoption by low- age/audio challenges [4, 5], thus severely hampering the end devices. We realize this vision with zkSENSE, a user experience. According to studies [21, 23]: (i) hu- friction-less and privacy-preserving mechanism for hu- mans only agree on what the CAPTCHA says 71% of manness attestation that aims to replace CAPTCHA in the time, (ii) visual CAPTCHAs take 9.8 seconds (on mobile devices. This paper makes the following contri- average) to complete, (iii) audio CAPTCHAs take 28.4 butions: seconds (and 50% of the Audio CAPTCHA users quit). 1. We design a human attestation system (zkSENSE) The profound degradation of the user experience forces that is both friction-less and privacy preserving. service providers to perform user attestations only spo- zkSENSE leverages mobile motion sensors to verify radically [24–26] in an attempt to save their declining that user actions (e.g., type/touch events) on a mo- conversion rates. Related research works [27–29] reduce bile device are triggered by an actual human. Such user friction by requiring, for example, the user to tilt classification takes place by studying the output of their phone during humanness verification. In contrast, the mobile device’s motion sensors during the par- zkSENSE is completely friction-less: humanness is at- ticular user action. To set the ground truth, we use tested via device micro-movements that happen during publicly available sensor traces and we instrument natural user actions like typing, and screen touching. an actual Android browser app to capture both user B) Be privacy-preserving: To mitigate the above, clicks and sensor traces from a small set of real users. mechanisms like reCAPTCHA v3 [14] (i) track the user Our approach is tested under various scenarios: (i) while browsing a webpage, (ii) send raw tracking data when device is resting (on a table), (ii) when there is to third party attestation servers, where (iii) a “risk artificial movement from device’s vibration, or (iii) score” representative of humanness is computed and from an external swinging cradle. then (iv) shared with the webmasters. Of course, this 2. We develop a sub-linear inner product zero- pervasive behavioral tracking raises significant privacy knowledge proof, which we use to build (and open- concerns [16, 17]. Similarly, there are sensor-based ap- source1) zkSVM: a zero-knowledge based library for proaches [19, 27, 28] that transmit raw mobile sensor enclosing results of an SVM (Support-Vector Ma- data to remote attestation servers; something that as chine) classifier into zero-knowledge proofs. zkSVM reported, may reveal keystrokes, gender, age, or be used leverages arithmetic properties of commitment func- to fingerprint users [30–36]. Contrary to that, zkSENSE tions and prover-effective proofs to ensure the in- 1 zkSVM source code: https://github.com/zkSENSE/zkSVM 2 Demo video: https://youtu.be/U-tZKrGb8L0 Proceedings on Privacy Enhancing Technologies 2021; ..:3–23 decouples the humanness attestation procedure from tion attacks to increase their app ranking [41–43], or the server, and moves it to the edge. By performing the (ii) directly: an attacker registers for reward schemes in entire attestation on the user’s very own device, no sen- mobile apps (e.g., Brave’s Ad Rewards [44]) via multiple sitive data but the classification result (enclosed in zero- accounts and claim rewards.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages23 Page
-
File Size-