EFFICIENT DELEGATION-BASED AUTHENTICATION PROTOCOL WITH STRONG MOBILE PRIVACY
Jian-Zhu Lu, Hong-Qing Ren and Jiping Zhou
Department of Computer Science, Jinan University, Guangzhou, 510632 Guangdong, China
Keywords:
Security, Privacy, Mobile communication, Mutual authentication.
Abstract:
In 2008, Tang and Wu designed a one-time alias mechanism for protecting the mobile privacy of a user.
Recently, Youn and Lim proposed an improved delegation-based authentication protocol to provide private
roaming service. In this article, we show that a link between requests may disclose information about the
mobile privacy of a sender, and that the aliases of a user fail to achieve unlinkability in Tang-Wu's scheme.
We remedy this situation by suggesting an enhanced protocol that utilizes a pseudorandom function. Compared
to Youn-Lim’s protocol, our design is more efficient than theirs.
1 INTRODUCTION
Recent years have witnessed the dramatic and continuous increase of e-commerce transactions. E-commerce makes it easier for a service provider to get and collect users' personal information. Privacy is one of the major concerns of users when exchanging information through a network. In a roaming environment, it is important to provide a secure way to simultaneously protect the interests of both the service provider and the users and thereby establish a trust relationship.
To meet the challenge of providing access control for a content provider and privacy protection for users, several authentication schemes have been proposed for roaming service (Lee, 2005), (Tang, 2008a), (Tang, 2008b). In 2005, Lee and Yeh (Lee, 2005) proposed a delegation-based authentication (DBA) protocol for use in portable communication systems. Tang and Wu described a possible attack on Lee-Yeh's scheme in (Tang, 2008a), and then proposed a scheme for protecting mobile privacy in wireless networks (Tang, 2008b). Recently, Youn and Lim (Youn, 2010) showed that the protocol in (Lee, 2005) cannot achieve private roaming service. They then presented an improved protocol to fix the problem.
In Tang-Wu's scheme (Tang, 2008b), the authors designed a one-time alias mechanism for various levels of privacy protection. A new alias is generated by hashing either the previously used alias or the user identity. In this article, we show that Tang-Wu's protocol cannot provide mobile privacy for a roaming user since the aliases of the user fail to achieve unlinkability. We remedy this situation by suggesting an enhanced protocol that utilizes a pseudorandom function (PRF). We also demonstrate how the enhanced protocol is more efficient compared to the implementation in (Youn, 2010).
2 REVIEW OF TANG-WU'S SCHEME
2.1 Description
In 2008, Tang and Wu proposed a mutual authentication scheme for mobile communications (Tang, 2008b), which is briefly described below. First, the notation used in the scheme is defined as follows. Let G be a cyclic additive group with generator T, let p be the largest prime factor of the order of T, let h : Z_p → Z_p be a collision-resistant hash function, and let Π : G → Z_p be a point representation function. The symbols ⊕ and ⊖ denote point addition in G and its inverse, and [X]_K denotes encrypting a message X with a key K using a symmetric encryption algorithm. IDV and IDH are the identities of VLR and HLR, respectively. HLR has a private/public key pair (x, Y), where x ∈ Z_p is a random number and Y = xT.
The scheme in (Tang, 2008b) consists of two protocols: TDI and EMA. TDI is described below.
Step (1). First, MS sends his/her real identity IDM and an alias IDMA to HLR for registration.
Lu J., Ren H. and Zhou J.
EFFICIENT DELEGATION-BASED AUTHENTICATION PROTOCOL WITH STRONG MOBILE PRIVACY.
DOI: 10.5220/0003606901230127
In Proceedings of the International Conference on Wireless Information Networks and Systems (WINSYS-2011), pages 123-127
ISBN: 978-989-8425-73-7
Copyright © 2011 SCITEPRESS (Science and Technology Publications, Lda.)
Step (2). HLR sets key usage restrictions in m_w, generates a random number κ, and computes Γ = (h(IDMA|m_w)T) ⊕ (κT) and σ = x·h(Π(Γ)) − κ mod p for a mobile station MS. Afterwards, (IDMA, m_w, Γ) is published, while (IDMA, σ) is stored in HLR's database and (σ, m_w) is sent to MS via a secure channel.
Step (3). If h(IDMA|m_w)T = (σT) ⊖ (h(Π(Γ))Y) ⊕ Γ, MS accepts the delegation key σ.
There are three parties involved in EMA: MS, VLR, and HLR. Suppose there is a secure channel to protect the traffic between VLR and HLR, and K_(V,H) is their shared key. The three parties perform the following steps:
Step (1). MS randomly generates a communication key ck and two numbers nonce and k, and computes C = [ck, ts, T_exp, nonce]_σ, R = kT and s = k·h(Π(R)|nonce) + σ mod p. Here, ts is the current timestamp and nonce is a nonce. ck is only valid for a certain time length T_exp. Then, MS sends S_1 = {R, s, IDH, m_w, C, nonce} to VLR.
Step (2). After receiving S_1, VLR checks the warrant m_w for restrictions, and authenticates MS using the attached digital signature (R, s). If both are true, VLR sends a request S_2 = {IDMA, C} to HLR.
Step (3). HLR first searches for the corresponding σ in its database according to IDMA, then decrypts C to obtain ck, ts, T_exp and nonce. If ck is valid, HLR provides strong mobile privacy for MS by performing the following three tasks: (a) generation of a new alias IDMA′ = h(IDX) ∈ Z_p, where IDX is the previously used alias or IDM; (b) substitution of delegation key σ′ for σ and public information Γ′ for Γ, where Γ′ = (h(IDMA′|m_w)T) ⊕ (κ′T) and σ′ = x·h(Π(Γ′)) − κ′ mod p for a random number κ′; and (c) sending C_(V,H) = [IDMA, T_exp, ts, ck, nonce]_{K_(V,H)} to VLR and forwarding [T_(V,M)]_σ to MS, where T_(V,M) = {IDV, nonce, σ′}.
Step (4). Receiving the response {C_(V,H), [T_(V,M)]_σ} from HLR, VLR decrypts C_(V,H), and checks not only that ck is not an expired key, but also that nonce is equal to the one in Step (2). If so, VLR computes [IDV, nonce, [T_(V,M)]_σ]_ck and sends it to MS.
Step (5). MS decrypts [IDV, nonce, [T_(V,M)]_σ]_ck and [T_(V,M)]_σ using ck and σ, respectively. By the consistency of IDV and nonce, MS can authenticate VLR. If true, MS and VLR have authenticated each other successfully.
Figure 1: Efficient DBA Protocol with Strong Mobile Privacy. (Message flow between MS, VLR and HLR, as recovered from the figure: MS → VLR: S_1(I) = {IDMA, C, Sig_σ(N), N, m_w, IDH}; VLR → HLR: {IDMA, C}; HLR → VLR: {C_(V,H), [T_(V,M)]_σ}; VLR → MS: [IDV, N, [T_(V,M)]_σ]_ck; where C = [ck, ts, T_exp, IDV, N, IDMA′]_σ, C_(V,H) = [IDMA, T_exp, ts, ck, N]_{K_(V,H)} and T_(V,M) = {IDV, N, σ′}.)
2.2 Mobile Privacy of Users in EMA
The mobile privacy of a user can be disclosed by tracking and activity recognition when a link between the requests from the user exists. Suppose that the service region is divided into n areas and MS visits them in the following order: A_1, A_2, ···, A_n. There are n service providers. Each service provider VLR_i is responsible for one area A_i, 1 ≤ i ≤ n. A request S_1(I_i) for a service item I_i is generated in the area A_i by MS and is sent to VLR_i through a wireless channel. Using a pseudonym technique, MS is able to interact with the system without revealing his identity. However, an attacker can track the unique pseudonym. This problem can be addressed with a one-time alias technique for MS. The one-time alias IDMA_i is used by MS to transmit the request message S_1(I_i) to VLR_i. If a link between these requests is obtained by some means, an attacker can take action to track MS's moving history and current location.
There is a link between the one-time aliases of MS in (Tang, 2008b). As described in (Tang, 2008b, page 1040, line 15), a new alias of MS is simply IDMA = h(IDX), where IDX is the previously used alias or IDM. In the first request S_1(I_1), there is no previously used alias for MS. The first alias in S_1(I_1) can be computed as IDMA_1 = h(IDM). After the first request, MS computes the one-time alias IDMA_i = h(IDX) in S_1(I_i), where IDX ∈ G_{i−1} = {IDM, IDMA_1, ···, IDMA_{i−1}} and 2 ≤ i ≤ n. For a given set, we write h(·) for the set of hash values {h(e) | e in the set}. The above process may be regarded as selecting an element IDMA_i from the set h(G_{i−1}) = {h(e) | e ∈ G_{i−1}}. Note that G_1 = {IDM, h(IDM)} and G_i = G_{i−1} ∪ {IDMA_i}. Since IDMA_i ∈ h(G_{i−1}), we have G_i ⊆ (G_{i−1} ∪ h(G_{i−1})). Thus, G_2 ⊆ {IDM, h(IDM), h^2(IDM)} using G_1 = {IDM, h(IDM)}, and G_3 ⊆ {IDM, h(IDM), h^2(IDM), h^3(IDM)} using the result for G_2, and so on. Each set G_{i−1} can be represented as a subset of D_{i−1} = {IDM, h(IDM), ···, h^{i−1}(IDM)}, and thereby h(G_{i−1}) ⊆ h(D_{i−1}). We note that h(D_1) ⊆ h(D_2) ⊆ ··· ⊆ h(D_{n−1}) and h(D_{n−1}) = {h(IDM), h^2(IDM), ···, h^n(IDM)}. Every set h(G_{i−1}) is a subset of h(D_{n−1}), so that when IDMA_i is chosen by MS from h(G_{i−1}), it belongs to h(D_{n−1}). However, the elements in h(D_{n−1}) form a hash chain that can be generated from the seed h(IDM). For each alias couple (IDMA_{i−1}, IDMA_i) of MS, there exists an integer l ∈ Z_{n−1} such that IDMA_i = h^l(IDMA_{i−1}) or IDMA_{i−1} = h^l(IDMA_i). Hence, an attacker can link two different aliases of MS, and conclude that MS visits the areas (from A_{i−1} to A_i) in consecutive order.
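To make the linking argument above concrete, here is an added Python model (not code from the paper) of the Tang-Wu alias chain together with the linking test the section describes. It assumes SHA-256 as the collision-resistant hash h, byte strings for IDM and the aliases, and an observer who knows only h and an upper bound n on the number of areas; the rule by which MS picks IDX from G_{i-1} is passed in as a function, since the scheme leaves that choice to MS. The identity value is a constructed sample.

```python
import hashlib
import os
from typing import Callable, List, Optional, Tuple

def h(x: bytes) -> bytes:
    """Collision-resistant hash h of Section 2.1 (SHA-256 here, an assumption)."""
    return hashlib.sha256(x).digest()

def tang_wu_aliases(idm: bytes, n: int,
                    choose: Callable[[int, List[bytes]], bytes]) -> List[bytes]:
    """Aliases IDMA_1..IDMA_n of Section 2.2: IDMA_1 = h(IDM) and, for i >= 2,
    IDMA_i = h(IDX) with IDX = choose(i, G_{i-1}) taken from
    G_{i-1} = [IDM, IDMA_1, ..., IDMA_{i-1}]."""
    aliases = [h(idm)]
    for i in range(2, n + 1):
        g_prev = [idm] + aliases            # G_{i-1}
        aliases.append(h(choose(i, g_prev)))
    return aliases

def link_aliases(a: bytes, b: bytes, n: int) -> Optional[Tuple[int, str]]:
    """Linking test of Section 2.2: search for l in Z_{n-1} with b = h^l(a)
    ("forward") or a = h^l(b) ("backward"). Returns (l, direction) or None.
    Costs at most 2(n-2) hash evaluations and uses nothing secret to MS."""
    for start, target, direction in ((a, b, "forward"), (b, a, "backward")):
        cur = start
        for l in range(0, n - 1):           # l = 0 covers an alias reused verbatim
            if cur == target:
                return (l, direction)
            cur = h(cur)
    return None

def linked_pairs(aliases: List[bytes], n: int) -> List[Optional[Tuple[int, str]]]:
    """Apply the test to every consecutive alias couple (IDMA_{i-1}, IDMA_i)."""
    return [link_aliases(aliases[i - 1], aliases[i], n) for i in range(1, len(aliases))]

def random_aliases(n: int) -> List[bytes]:
    """Contrast case: aliases drawn independently at random, which is how a
    PRF-derived alias (Section 3) looks to an observer without the key."""
    return [os.urandom(32) for _ in range(n)]

if __name__ == "__main__":
    n = 5
    # constructed identity; IDX = the previously used alias, one admissible rule
    chain = tang_wu_aliases(b"IDM-of-constructed-user", n, lambda i, g: g[-1])
    print("Tang-Wu aliases:", linked_pairs(chain, n))             # every couple linked, l = 1
    print("random aliases: ", linked_pairs(random_aliases(n), n))  # no couple linked
```

Whatever rule MS uses to pick IDX, each alias is some h^j(IDM), so two captured aliases are at most n-2 hash steps apart along one chain; that is why the test needs no secret and why Section 3 replaces h by a keyed PRF.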
3 EFFICIENT DBA PROTOCOL WITH STRONG MOBILE PRIVACY
3.1 Basic Idea
Let IDMA be the current alias of MS and assume that F is taken from a pseudorandom function (PRF) family. For unlinkability, an alias of MS is derived from F with delegation key σ and input IDMA, with output of the appropriate length for the subsequent authentication. HLR generates a new delegation key pair (σ′, Γ′) for each new alias IDMA′, and transmits σ′ to MS in a secure way. Then MS and HLR store (IDMA′, σ′) instead of (IDMA, σ). They use the updated delegation key pair for a new authentication.
3.2 Description of Enhanced Protocol
Since the setup procedure is the same as TDI proposed in (Tang, 2008b), we only describe the efficient mutual authentication (EMA) procedure as shown in Fig. 1. Let l be an integer representing the length of an alias and B_l(m) denote the first l bits of binary string m. For each execution of the EMA protocol, the three parties perform the following steps:
Step (1). MS sends a request S_1(I) to VLR for the service item I. First, MS computes a new alias IDMA′ = B_l(F(σ, IDMA)) for the next authentication. MS randomly generates a communication key ck and two numbers N and k, and computes C = [ck, ts, T_exp, IDV, N, IDMA′]_σ and Sig_σ(N) = (R, s), where R = kT and s = k·h(Π(R)|N) + σ mod p. Here, ts is the current timestamp and N is a nonce. ck is only valid for a certain time length T_exp. Then, MS sends S_1(I) = {IDMA, C, Sig_σ(N), N, m_w, IDH} to VLR.
Step (2). After receiving S_1(I), VLR checks the warrant m_w for restrictions, and authenticates MS using the attached digital signature (R, s). If both are true, VLR sends a request S_2 = {IDMA, C} to HLR. Otherwise, VLR rejects MS's request.
Step (3). HLR retrieves σ according to IDMA, and decrypts C to obtain ck, ts, T_exp, IDV, N and IDMA′. Then, HLR verifies that IDV is identical to the identity of the sender in Step (2) and, at the same time, checks that ck is not expired. If IDMA′ = B_l(F(σ, IDMA)), HLR substitutes the delegation key (IDMA′, σ′) for (IDMA, σ) and the public information (IDMA′, Γ′, m_w) for (IDMA, Γ, m_w), where Γ′ = (h(IDMA′|m_w)T) ⊕ (κ′T) and σ′ = x·h(Π(Γ′)) − κ′ mod p for a random number κ′. Then, HLR sends C_(V,H) = [IDMA, T_exp, ts, ck, N]_{K_(V,H)} to VLR, and forwards [T_(V,M)]_σ to MS, where T_(V,M) = {IDV, N, σ′}.
Step (4). Receiving the response {C_(V,H), [T_(V,M)]_σ} from HLR, VLR decrypts C_(V,H), and checks not only that ck is not an expired key, but also that N is equal to the one in Step (2). If so, VLR computes [IDV, N, [T_(V,M)]_σ]_ck and sends it to MS.
Step (5). MS decrypts [IDV, N, [T_(V,M)]_σ]_ck and [T_(V,M)]_σ using ck and σ, respectively. By the consistency of IDV and N, MS can authenticate VLR. If true, MS and VLR have authenticated each other successfully. MS stores (IDMA′, σ′, m_w) instead of (IDMA, σ, m_w).
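The alias rotation and the checks of Steps (1) to (5) above, as an added Python simulation that is not the paper's code. It assumes HMAC-SHA256 as the PRF F, l = 128, a constructed encrypt-then-MAC scheme for [X]_K, JSON encodings for the tuples, fresh random bytes in place of the elliptic-curve delegation key σ′ (TDI is not modelled here), and it leaves out the warrant m_w and the signature Sig_σ(N), which VLR checks separately in Step (2). All identities and keys are constructed sample values.

```python
import hashlib, hmac, json, os, struct

L_BITS = 128      # alias length l (assumed)
T_EXP = 300       # validity window T_exp of ck, in seconds (assumed)

def F(key: bytes, msg: bytes) -> bytes:
    """PRF F, instantiated as HMAC-SHA256 (an assumption; the paper only requires a PRF)."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def next_alias(sigma: bytes, idma: bytes) -> bytes:
    """IDMA' = B_l(F(sigma, IDMA)): the first l bits of the PRF output."""
    return F(sigma, idma)[: L_BITS // 8]

# [X]_K: constructed authenticated encryption (HMAC keystream, encrypt-then-MAC) standing in
# for the IND-CCA secure symmetric scheme the paper assumes.
def _keystream(ke: bytes, iv: bytes, n: int) -> bytes:
    return b"".join(F(ke, iv + struct.pack(">I", i)) for i in range((n + 31) // 32))[:n]

def sym_enc(key: bytes, x: bytes) -> bytes:
    ke, km, iv = F(key, b"enc"), F(key, b"mac"), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(x, _keystream(ke, iv, len(x))))
    return iv + ct + hmac.new(km, iv + ct, hashlib.sha256).digest()

def sym_dec(key: bytes, blob: bytes) -> bytes:
    ke, km = F(key, b"enc"), F(key, b"mac")
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(km, iv + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ke, iv, len(ct))))

def pack(d: dict) -> bytes:
    return json.dumps(d, sort_keys=True).encode()

class HLR:
    """Alias -> delegation-key table plus Step (3)."""
    def __init__(self, idh: str, k_vh: bytes):
        self.idh, self.k_vh, self.db = idh, k_vh, {}      # db: IDMA (hex) -> sigma

    def register(self, idma: bytes, sigma: bytes):
        self.db[idma.hex()] = sigma

    def step3(self, idma: bytes, C: bytes, sender_idv: str, now: int):
        sigma = self.db.get(idma.hex())
        if sigma is None:
            return None                                    # unknown or already rotated alias
        try:
            p = json.loads(sym_dec(sigma, C))
        except ValueError:
            return None                                    # C was not encrypted under sigma
        if p["IDV"] != sender_idv or now > p["ts"] + p["Texp"]:
            return None                                    # IDV mismatch or expired ck
        idma_new = bytes.fromhex(p["IDMA_new"])
        if idma_new != next_alias(sigma, idma):
            return None                                    # alias not derived from sigma via F
        sigma_new = os.urandom(32)        # stand-in for the new delegation key sigma' (assumption)
        del self.db[idma.hex()]
        self.db[idma_new.hex()] = sigma_new                # (IDMA', sigma') replaces (IDMA, sigma)
        t_vm = sym_enc(sigma, pack({"IDV": sender_idv, "N": p["N"], "sigma_new": sigma_new.hex()}))
        c_vh = sym_enc(self.k_vh, pack({"IDMA": idma.hex(), "Texp": p["Texp"], "ts": p["ts"],
                                        "ck": p["ck"], "N": p["N"]}))
        return c_vh, t_vm

class VLR:
    """Steps (2) and (4); the warrant and Sig_sigma(N) checks of Step (2) are out of scope here."""
    def __init__(self, idv: str, k_vh: bytes, hlr: HLR):
        self.idv, self.k_vh, self.hlr = idv, k_vh, hlr

    def serve(self, s1: dict, now: int):
        resp = self.hlr.step3(s1["IDMA"], s1["C"], self.idv, now)
        if resp is None:
            return None
        c_vh, t_vm = resp
        p = json.loads(sym_dec(self.k_vh, c_vh))
        if bytes.fromhex(p["N"]) != s1["N"] or now > p["ts"] + p["Texp"]:
            return None                                    # nonce mismatch or expired ck
        return sym_enc(bytes.fromhex(p["ck"]), pack({"IDV": self.idv, "N": p["N"], "TVM": t_vm.hex()}))

class MS:
    """Steps (1) and (5)."""
    def __init__(self, idma: bytes, sigma: bytes, idh: str):
        self.idma, self.sigma, self.idh = idma, sigma, idh

    def step1(self, idv: str, now: int) -> dict:
        self.idv, self.ck, self.N = idv, os.urandom(16), os.urandom(16)
        self.idma_new = next_alias(self.sigma, self.idma)
        C = sym_enc(self.sigma, pack({"ck": self.ck.hex(), "ts": now, "Texp": T_EXP, "IDV": idv,
                                      "N": self.N.hex(), "IDMA_new": self.idma_new.hex()}))
        return {"IDMA": self.idma, "C": C, "N": self.N, "IDH": self.idh}   # m_w, Sig omitted

    def step5(self, reply: bytes) -> bool:
        outer = json.loads(sym_dec(self.ck, reply))
        t_vm = json.loads(sym_dec(self.sigma, bytes.fromhex(outer["TVM"])))
        for m in (outer, t_vm):
            if m["IDV"] != self.idv or bytes.fromhex(m["N"]) != self.N:
                return False                               # VLR not authenticated
        self.idma, self.sigma = self.idma_new, bytes.fromhex(t_vm["sigma_new"])   # rotate
        return True

def run_round(ms: MS, vlr: VLR, now: int) -> bool:
    """One EMA execution; True when Steps (1) to (5) all succeed."""
    reply = vlr.serve(ms.step1(vlr.idv, now), now)
    return reply is not None and ms.step5(reply)
```

The HLR table is keyed by alias, so a replayed S_1(I) carrying an alias that has already been rotated finds no σ and is dropped at Step (3), and a request whose IDMA′ is not B_l(F(σ, IDMA)) is dropped before any key is replaced. Because HLR rotates at Step (3) while MS rotates only at Step (5), a lost reply leaves the two sides holding different aliases; a deployment needs a resynchronisation path, which the paper does not describe.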
3.3 Security Discussion and Performance Comparison
3.3.1 Security
HLR is assumed to be completely trustworthy and nontamperable. As indicated in (Youn, 2010), we also assume that legitimate entities (including HLR and VLR) are trustworthy. In this case, we can trust anyone who is verified as a valid entity.
We analyze the security provided by the enhanced protocol. As the basic requirements on mobile authentication in (Tang, 2008b) are entirely preserved, the associated security properties hold true here as well and we will not repeat them. The enhanced protocol does not suffer from the ailments of traditional pseudonymous authentication protocols. Attacks such as DoS attacks on HLR or the privacy disclosure of requests described in Section 2.2 are avoided. In the following, we only discuss the enhanced security features of the proposed scheme:
Unlinkability. We now analyze the unlinkability of the enhanced protocol in terms of the various parts of the request message S_1(I). Recall that IDMA is the output of the PRF F and C is the output of an IND-CCA secure symmetric encryption scheme. Due to the indistinguishability property of the PRF F, it is computationally infeasible to distinguish between IDMA and a random value in {0, 1}^l. The probability of success for an attacker to distinguish between C and a random element in the ciphertext space is negligible under the IND-CCA assumption (Bellare, 1997). The nonce N is randomly selected from Z_p. At the same time, MS runs a secure digital signature scheme from (NIST, 2009) to generate Sig_σ(N) for a service item I, given one-time σ and (IDMA, Γ, m_w). It is also straightforward to show that events E_1 and E_2 occur with negligible probability, where E_1 is the event that an HLR-generated verification key (IDMA, Γ, m_w) is used more than once, and E_2 is the event that an attacker forges a new, valid message/signature pair with respect to any HLR-generated verification key. We have assumed that the probability of deriving MS identity information from its associated delegation constraint information m_w is negligible. The part "IDH" is used to point to the end of the ciphertext C. Therefore, an attacker cannot link any part of S_1(I) with the past.
Impersonation Attacks. The enhanced protocol can efficiently prevent an attacker from mounting impersonation attacks, since the scheme provides secure mutual authentication mechanisms between a roaming MS and VLR, MS and HLR, or VLR and HLR. Consider the following impersonation attack scenarios in this protocol.
An attacker cannot impersonate a legitimate VLR to cheat MS, since he does not possess the correct values N and [T_(V,M)]_σ. By intercepting the exchanged messages in steps (2) and (4), an outside attacker first obtains C = [ck, ts, T_exp, IDV, N, IDMA′]_σ and [IDV, N, [T_(V,M)]_σ]_ck. Then, she/he tries to cheat MS by replaying previous reply messages (e.g., [IDV, N′, [T_(V,M)]_σ]_ck). However, N is different from those within C in the replayed messages and, therefore, it would be rejected by MS. Furthermore, an inside attacker cannot impersonate the visited VLR to cheat MS. Since the delegation key σ is unknown to the inside attacker, she/he cannot generate [T_(V,M)]_σ, where T_(V,M) = {IDV, N, σ′}, IDV and N are chosen by MS, and σ′ can be verified with the public information Γ′.
An attacker does not have the power to impersonate HLR while communicating with VLR or to impersonate VLR while communicating with HLR, since neither the long-term secret key K_(V,H) nor a valid IDV in C is possessed. Hence, while communicating with HLR, an attacker cannot generate valid messages in step (2) that guarantee that the matching of IDV is done in a consistent way. At the same time, the lack of the key K_(V,H) implies that it cannot decrypt the response C_(V,H). Likewise, she/he cannot generate the responding confirmation C_(V,H) while communicating with VLR.
MS and its HLR can authenticate their messages so that an attacker cannot impersonate them. Since the delegation key σ is unknown to the attacker, she/he cannot generate a valid ciphertext C = [ck, ts, T_exp, IDV, N, IDMA′]_σ. Here, IDMA′ = B_l(F(σ, IDMA)), and ts and N are generated by MS. Similarly, the attacker cannot generate the responding confirmation [T_(V,M)]_σ.
Replay Attacks and DoS Attacks. In DoS attacks, the attackers may flood a large number of illegal access requests to the HLR. Their aim is to consume critical resources in the HLR. By exhausting these critical resources, the attacker can prevent the HLR from serving legitimate users. In HLR-online authentication, for every access request S_1(I) from all users that have registered in the HLR, HLR has to perform two decryption operations and check the validity of the requesters. These can easily be exploited by the attacker.
The basic idea as adopted in (Tang, 2008a) is to use a proxy signature along with mobile authentication. HLR performs a mobile authentication only when the proxy signature can be verified by a VLR.
The following steps describe the proxy signature verification procedure performed by a VLR. For each request S_1(I) that is received, extract the nonce N and its signature Sig_σ(N) = (R, s). VLR verifies this value Sig_σ(N) with the corresponding verification information (IDMA, Γ, m_w) of MS; S_1(I) is considered legitimate if (sT) ⊖ (h(Π(R)|N)R) = Γ. Otherwise, the request is illegitimate. Then, VLR constructs a request message S_2 = {IDMA, C} for each legitimate S_1(I), and sends it to the HLR. Thus, it is difficult for an attacker to launch an effective DoS attack on HLR.
Furthermore, we make use of the nonce N to prevent replay attacks. Thus, our solution does not suffer from these attacks.
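The VLR-side gate described above, as an added Python example that is not the paper's code. It models the group G multiplicatively in a prime-order subgroup of Z_p* (a generator g in place of T, so "kT" becomes g^k; Π taken as the identity on integers; SHA-256 reduced mod q as h), takes the sign convention σ = x·h(Π(Γ)) − κ mod p from Section 2.1, and, as an assumption, realizes the comparison against Γ by recomputing σT from the public values (Y, IDMA, Γ, m_w) and checking sT ⊖ h(Π(R)|N)R against it. It also carries the TDI delegation of Section 2.1 so that the key being verified is produced the way the page describes. Group parameters, the HLR key and the warrant string are constructed toy values.

```python
import hashlib
import secrets

def _is_prime(n: int) -> bool:
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def toy_group(bits: int = 20):
    """Prime-order-q subgroup of Z_p^* with p = 2q + 1 (a safe prime). Constructed toy
    parameters; a real deployment uses an elliptic-curve group as in the paper."""
    q = 1 << bits
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 1
    p = 2 * q + 1
    return p, q, pow(2, 2, p)          # 4 is a quadratic residue mod p, hence of order q

P, Q, G = toy_group()

def H(*parts) -> int:
    """h of the paper: SHA-256 over the '|'-joined encodings, reduced mod q (assumption)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def delegate(x: int, idma: str, m_w: str):
    """TDI Step (2) at HLR: Gamma = h(IDMA|m_w)T + kappa T and
    sigma = x h(Pi(Gamma)) - kappa mod p (sign convention assumed, see lead-in)."""
    kappa = secrets.randbelow(Q - 1) + 1
    Gamma = pow(G, H(idma, m_w), P) * pow(G, kappa, P) % P
    sigma = (x * H(Gamma) - kappa) % Q
    return sigma, Gamma

def ms_accepts(sigma: int, Gamma: int, Y: int, idma: str, m_w: str) -> bool:
    """TDI Step (3) at MS: h(IDMA|m_w)T == sigma T - h(Pi(Gamma))Y + Gamma."""
    lhs = pow(G, H(idma, m_w), P)
    rhs = pow(G, sigma, P) * pow(pow(Y, H(Gamma), P), -1, P) * Gamma % P
    return lhs == rhs

def public_sigma_T(Y: int, Gamma: int, idma: str, m_w: str) -> int:
    """sigma T recomputed by VLR from the public (Y, IDMA, Gamma, m_w) only:
    sigma T = h(Pi(Gamma))Y + h(IDMA|m_w)T - Gamma under the assumed convention."""
    return pow(Y, H(Gamma), P) * pow(G, H(idma, m_w), P) * pow(Gamma, -1, P) % P

def sign(sigma: int, N: int):
    """Sig_sigma(N) = (R, s) with R = kT and s = k h(Pi(R)|N) + sigma mod p."""
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    return R, (k * H(R, N) + sigma) % Q

def vlr_gate(Y: int, Gamma: int, idma: str, m_w: str, N: int, R: int, s: int) -> bool:
    """Proxy-signature check at VLR: sT - h(Pi(R)|N)R must equal sigma T. Only requests
    that pass this cheap, HLR-independent check are forwarded as S_2, which is what keeps
    a flood of bogus S_1(I) from costing HLR decryptions."""
    lhs = pow(G, s, P) * pow(pow(R, H(R, N), P), -1, P) % P
    return lhs == public_sigma_T(Y, Gamma, idma, m_w)

if __name__ == "__main__":
    x = secrets.randbelow(Q - 1) + 1          # HLR private key (constructed)
    Y = pow(G, x, P)
    sigma, Gamma = delegate(x, "IDMA-sample", "warrant-sample")
    R, s = sign(sigma, 42)
    print("MS accepts delegation:", ms_accepts(sigma, Gamma, Y, "IDMA-sample", "warrant-sample"))
    print("VLR gate, fresh nonce: ", vlr_gate(Y, Gamma, "IDMA-sample", "warrant-sample", 42, R, s))
    print("VLR gate, other nonce: ", vlr_gate(Y, Gamma, "IDMA-sample", "warrant-sample", 43, R, s))
```

The gate binds the signature to the nonce N through h(Π(R)|N), so a captured (R, s) presented with a different N fails before HLR is involved; replay of the identical (N, R, s) is what the nonce check in Step (4) and the alias rotation at HLR are for.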
Table 1: Security comparison with other related schemes.
        (Lee, 2005)   (Tang, 2008b)   (Youn, 2010)   Ours
SP_1    No            No              Yes            Yes
SP_2    No            No              Yes            Yes
SP_3    Yes           Yes             Yes            Yes
SP_4    Yes           Yes             Yes            Yes
SP_5    Yes           Yes             Yes            Yes
We also compare our scheme to other contributory mobile authentication schemes including the schemes in (Lee, 2005; Tang, 2008b; Youn, 2010). Table 1 summarizes the security properties of the four schemes. The security properties of unlinkability, resistance to impersonation attacks, resistance to mobile DoS attacks on HLR, resistance to replay attacks, and session key agreement are denoted SP_1, SP_2, SP_3, SP_4 and SP_5, respectively. Tang and Wu (Tang, 2008a) showed that the Lee-Yeh scheme in (Lee, 2005) suffers from an impersonated-HLR attack such that the session key is compromised. Lu and Zhou (Lu, 2010) described a dishonest VLR in the Tang-Wu (Tang, 2008a) scheme obtaining the communication key generated by MS. The above comparisons show that our scheme provides the strongest security protection.
3.3.2 Performance
The storage, computation and communication costs in the enhanced protocol are about the same as those in the scheme (Tang, 2008b). No computation cost needs to be added by MS, except for the additional communication cost 2l.
Table 2: Computation costs comparison.
                    Ours                 (Youn, 2010)
                    MS     VLR    HLR    MS     VLR    HLR
Public key oper.    1      0      1      1      0      1
Sig. veri.          0      1      0      0      1      0
Nonce gen.          1      0      0      0      0      0
Hash+PRF oper.      1+1    0+0    0+1    2+0    0+0    1+0
Sym. key oper.      3      2      2      1      1      2
Our protocol uses an overall structure similar to a recent protocol (Youn, 2010), but our design is more efficient than theirs. Table 2 shows the computation costs of both protocols. The time used to perform a symmetric encryption operation is negligible compared with the time needed to execute a public-key computation. Thus, our computation cost is almost identical to Youn-Lim's. Table 3 shows that the communication costs and storage space of both protocols depend upon the choice of parameters, where cr is the number of communication rounds, and L = |ts| + |T_exp| + |m_w|. It is recommended in (NIST, 2009)[Page 27] that the security strength |p| is not less than 160 bits, and the minimum security strength of the (|p′|, |q|) pair is (1024, 160) in (NIST, 2009)[Page 15]. Therefore, our design has a less demanding requirement on communication cost and storage space than Youn-Lim's, especially for the mobile user MS.
Table 3: Communication costs and storage spaces comparison.
                      cr   Commun. messages     Storage spaces
Ours          MS      2    6p + 3l + L          p + l + |m_w|
              VLR     2    4p + 2l + L          2p + l
              HLR     2    5p + 2l + L          3p + 2l + |m_w|
(Youn, 2010)  MS      4    3p′ + 2q + 2l        p′ + q
              VLR     4    2p′ + 5q + 3l        h + l
              HLR     2    p′ + 5q + l + |h|    p′ + 2q + l
4 CONCLUSIONS
In this paper, we showed that the Tang-Wu scheme (Tang, 2008b) does not provide protection of mobile privacy in roaming services. We also proposed an enhanced delegation-based authentication protocol. Compared to Youn-Lim's protocol in (Youn, 2010), our design is more efficient than theirs.
ACKNOWLEDGEMENTS
This work was supported in part by the Na-
tional Natural Science Foundation of China un-
der Grants 60773083, and in part by the Provin-
cial Natural Science Foundation of Guangdong un-
der Grants 2008B090500201, 2009B010800023 and
2010B090400164.
REFERENCES
Lee W.-B., Yeh C.-K., 2005. A New Delegation-based Authentication Protocol for Use in Portable Communication Systems. IEEE Transactions on Wireless Communications, vol. 4, no. 1, pp. 57-64.
Tang C., Wu D. O., 2008a. An Efficient Mobile Authentication for Wireless Networks. IEEE Transactions on Wireless Communications, vol. 7, no. 4, pp. 1408-1416.
Tang C., Wu D. O., 2008b. Mobile Privacy in Wireless Networks Revisited. IEEE Transactions on Wireless Communications, vol. 7, no. 3, pp. 1035-1042.
Youn T.-Y., Lim J., 2010. Improved Delegation-Based Authentication Protocol for Secure Roaming Service with Unlinkability. IEEE Communications Letters, vol. 14, no. 9, pp. 791-793.
Bellare M., Desai A., Jokipii E., Rogaway P., 1997. A Concrete Security Treatment of Symmetric Encryption. In Proc. of the 38th IEEE Symp. on Foundations of Computer Science, pp. 394-403.
Lu J., Zhou J., 2010. The Security of an Efficient Mobile Authentication Scheme for Wireless Networks. In WiCOM 2010: 6th International Conference on Wireless Communications, Networking and Mobile Computing, Chengdu, China.
NIST, 2009. FIPS PUB 186-3, Digital Signature Standard (DSS). U.S. Department of Commerce.