Library Lookup By Team BitBytes



CS4.407 Online Privacy, IIIT Hyderabad



Archit Gupta (2020201075) , Ayush Khasgiwala (2020201088), Naman Jain (2020201080), Naman Juneja (2020201072), Jayant Ingle (2020201019), Shirish Shrivastava (2018122009), Pranav Subramanian (2020121004)






Abstract:


We found that a large amount of personal data is exposed on the IIITH library portal. Because the portal authenticates users by roll number alone, any student's profile information, book issue history and fine log can be read without authorization, and that data can easily be aggregated to draw inferences about individual students.





Introduction


The library portal of IIIT Hyderabad is designed to be a one-stop place to browse and reserve library books. It also holds every detail about a student's library record: the books they have issued, when they are due, the fines owed, their login history and, most importantly, personal details such as phone number, home address, date of birth, email address and the course they are enrolled in.


We found a vulnerability in the portal: it does not require a password to log in. A student's roll number alone is enough to log in to that student's account. A roll number is an identifier, not a secret; it is printed on ID cards and used in everyday campus communication, so effectively anyone on the campus network can open any other student's account. This is a serious privacy threat, because all of the personal information above is in effect public to everyone on campus.


Apart from this, a lot of the exposed data can be used for analysis that is useful in itself but also intrusive: the study pattern of students based on their issue history, the most issued books (so the library can be told to stock enough copies), a credit-score-style rating for prioritizing students when a book is in short supply, and the genre of books a student issues, which reveals details such as which competitive exam they are preparing for.


Beyond this, several privacy attacks can be carried out from within a student's account; these are discussed later in the report.






Procedure


The library portal of IIIT Hyderabad is reachable over the IIITH VPN at http://10.4.20.51:8380/opac/


The flow we used in the project is shown below.

Fig - Procedure




Fig - Login Web Page

 


Since no password is required to log in, we mirrored the relevant pages for 1500 students and extracted the important information from each page into JSON files.





Fig - Profile Info Web page



Fig - Book Issue History Web Page



Fig - Fine Log Web page






For each student, a JSON file is created by scraping the web pages shown in the figures above.



Fig - JSON file of a student





Later, we converted the JSON files into CSV files so that the information for all students can be viewed in tabular form and used conveniently for analysis.
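The scrape-to-JSON-to-CSV step described above, as an added example (not the project's own scraper). The portal's actual page markup is not shown in the report, so the table HTML below is constructed, the column names and the roll number are assumptions, and the parser only relies on the pages being plain HTML tables with a header row.

```python
"""Scrape HTML tables into one JSON record per student, then flatten to CSV.

Added example; the portal's real layout is not shown in the report, so the
table markup, column names and roll number below are ASSUMPTIONS.
"""
import csv
import io
import json
from html.parser import HTMLParser


class TableParser(HTMLParser):
    """Collect every <tr> as a list of cell strings (th and td alike)."""

    def __init__(self):
        super().__init__()
        self.rows = []
        self._row = None
        self._cell = None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            if self._row:
                self.rows.append(self._row)
            self._row = None


def parse_table(html):
    """Return the table as a list of dicts keyed by the header row.

    Rows whose cell count differs from the header are skipped rather than
    mis-keyed, which is the usual failure when a page has a footer row.
    """
    p = TableParser()
    p.feed(html)
    p.close()
    if not p.rows:
        return []
    header, *body = p.rows
    return [dict(zip(header, row)) for row in body if len(row) == len(header)]


def build_student_json(roll, issue_html, fine_html):
    """One JSON document per student, mirroring the per-student files."""
    return {
        "roll_no": roll,
        "issue_history": parse_table(issue_html),
        "fine_log": parse_table(fine_html),
    }


def to_csv(records, section):
    """Flatten one section of every student's JSON into a CSV string."""
    fields = ["roll_no"]
    for rec in records:
        for row in rec[section]:
            for key in row:
                if key not in fields:
                    fields.append(key)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    for rec in records:
        for row in rec[section]:
            writer.writerow({"roll_no": rec["roll_no"], **row})
    return buf.getvalue()


# Constructed sample pages (not captured from the portal).
ISSUE_HTML = """<table>
<tr><th>Accession No</th><th>Title</th><th>Issue Date</th><th>Due Date</th></tr>
<tr><td>A1001</td><td>Introduction to Algorithms</td><td>2021-08-10</td><td>2021-09-09</td></tr>
<tr><td>A2002</td><td>Operating System Concepts</td><td>2021-09-01</td><td>2021-10-01</td></tr>
</table>"""
FINE_HTML = """<table>
<tr><th>Accession No</th><th>Fine</th><th>Paid On</th></tr>
<tr><td>A1001</td><td>20</td><td>2021-09-15</td></tr>
</table>"""

if __name__ == "__main__":
    rec = build_student_json("ROLL0001", ISSUE_HTML, FINE_HTML)
    print(json.dumps(rec, indent=2))
    print(to_csv([rec], "issue_history"))
```

Only the standard library is used, so the same code runs against saved page mirrors offline; the skip of malformed rows in `parse_table` is what keeps a stray footer row from shifting every column in the CSV.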




Fig - Book Issue History by ID CSV file



Fig - Fine log CSV file




These CSV files are the input to the analyses described in the next section.


Analysis



  1. The first analysis is the average fine paid by students.





  2. The second analysis is the top 5 most issued books.



These are the 5 books issued most often by students, so the library needs to keep a larger number of copies of them so that everyone in the college can get them during the semester.




  3. The third analysis is the most fined books.





  4. The fourth analysis is the month-wise book issue count.



The peaks are in August and September and in January and February, when the new semester starts, which shows that most students issue books at the beginning of a semester.


The number of students issuing books then falls off over the semester. So, at IIITH, the majority of students start studying at the beginning of the semester, while a small percentage keep issuing books throughout it.




  5. The fifth analysis is the rating system.

We developed a rating system in which a user enters a roll number and the system returns that student's rating.


The library could use this rating to decide which students to prefer; in simple words, the library could prefer students with a high rating when issuing books.


The rating is computed from the CSV files we extracted from the library portal. It depends on the student's record, such as their fine log and late returns of books.


Students with a clean record are given a higher rating than students with a poor record.




  6. The sixth analysis is of students who are planning further studies.



Based on the genre of the books they issue, these 3 students appear to be planning a master's degree abroad.
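The first five analyses above (average fine, top issued books, most fined books, month-wise issues and the rating), as an added example run over constructed CSV rows rather than the project's real data. The column names are assumptions, and the rating formula is an assumed scheme: the report only says that the rating falls with fines and late returns, not how.

```python
"""Analyses from the report, run over constructed CSV rows.

Added example. Column names and the rating formula are ASSUMPTIONS; the
report states only that fines and late returns lower the rating.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import date

# Constructed sample data, not scraped from the portal. An empty
# return_date means the book is still out.
ISSUE_CSV = """roll_no,title,issue_date,due_date,return_date
S001,Introduction to Algorithms,2021-08-10,2021-09-09,2021-09-05
S001,Operating System Concepts,2021-09-01,2021-10-01,2021-10-12
S002,Introduction to Algorithms,2021-08-12,2021-09-11,2021-09-11
S002,Computer Networks,2022-01-20,2022-02-19,2022-02-10
S003,Introduction to Algorithms,2022-01-15,2022-02-14,2022-03-01
S003,Operating System Concepts,2022-02-01,2022-03-03,
"""
FINE_CSV = """roll_no,title,fine
S001,Operating System Concepts,55
S003,Introduction to Algorithms,75
"""


def load(text):
    """Parse CSV text into a list of dicts, one per row."""
    return list(csv.DictReader(io.StringIO(text)))


def average_fine(fines, issues):
    """Average fine per student; students with no fine count as 0."""
    total = defaultdict(int)
    for f in fines:
        total[f["roll_no"]] += int(f["fine"])
    students = {r["roll_no"] for r in issues}
    return sum(total[s] for s in students) / len(students)


def top_issued(issues, n=5):
    """The n most issued titles with their issue counts."""
    return Counter(r["title"] for r in issues).most_common(n)


def most_fined(fines, n=5):
    """The n titles that accumulated the largest total fines."""
    total = Counter()
    for f in fines:
        total[f["title"]] += int(f["fine"])
    return total.most_common(n)


def monthwise(issues):
    """Issues per calendar month, keyed 'YYYY-MM'."""
    return Counter(r["issue_date"][:7] for r in issues)


def late_days(row):
    """Days returned past due; a book still out counts as 0 (assumption)."""
    if not row["return_date"]:
        return 0
    due = date.fromisoformat(row["due_date"])
    ret = date.fromisoformat(row["return_date"])
    return max(0, (ret - due).days)


def rating(roll, issues, fines):
    """Assumed scheme: start at 100, -2 per late day, -1 per rupee fined, floor 0."""
    score = 100
    for r in issues:
        if r["roll_no"] == roll:
            score -= 2 * late_days(r)
    for f in fines:
        if f["roll_no"] == roll:
            score -= int(f["fine"])
    return max(0, score)


if __name__ == "__main__":
    issues, fines = load(ISSUE_CSV), load(FINE_CSV)
    print("average fine:", round(average_fine(fines, issues), 2))
    print("top issued:", top_issued(issues))
    print("most fined:", most_fined(fines))
    print("month-wise:", sorted(monthwise(issues).items()))
    for roll in ("S001", "S002", "S003"):
        print(roll, "rating:", rating(roll, issues, fines))
```

Note that the same few columns (roll number, title, due and return dates) are enough to profile each student individually, which is exactly why exposing them to anyone who knows a roll number is a privacy problem rather than only a data-quality one.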







Privacy Threats



  1. With access to the phone numbers of every student at IIITH, organizations can market their products directly to students without their consent, violating their right to privacy.


  2. Date of birth is sensitive information: many credentials in day-to-day life involve the date of birth, and a student may not be comfortable having it accessible to everyone.


  3. The library system has a reserve/unreserve option, so one can reserve a particular book from multiple inactive accounts so that nobody else can issue it.


  4. Book recommendations can be sent to the library on anyone's behalf, and the library replies with a default email. This could be used to create a false impression of demand for a particular book.


  5. Spam or anonymous emails can be sent from the official library email address to any student.


  6. Fake official messages could be sent to anyone on behalf of the library.




A Message through our project


Our aim in this project was not to point fingers at anyone but to educate people about the privacy issues and threats they face, even from sources they are unaware of. India is appreciated for the skills of its youth, but we lack basic knowledge about privacy. Even the so-called highly educated do not care much about their privacy online. Our project is meant to make people aware of how big a deal it is to hand personal information to organizations, and we hope it brings about one small change: instead of blindly accepting any organization's terms and conditions, think about the consequences and skim the privacy policy before deciding.



Link to the Demo: https://youtu.be/BLY24wd9P0w
