Privacy and Security

1
Privacy and Security

• Lowell Meeting
• Joe Hellerstein

2
These notes based on prior discussion

• IBM Almaden Institute 2003 Privacy
• Organizer Rakesh Agrawal
• These notes resulted from a group discussion I
  led
• Technology requirements for privacy.
• Many participants, including computer scientists,
  government officials, product managers
• Distillation is my own
• I should be blamed for errors, misrepresentations,
  etc.

3
Whose Privacy? Whose Security?

• Individual
• Organization (corporation, library, school)
• Government
• Society

4
Traditional Topics Today

• Access control
• Views (need-to-know)
• Roles, not individuals
• Etc.
• Now mix in
• Serious adversaries (pass the bit tweezers)
• Large timescales
• Scale
• of people every person now has rights and
  access
• of info-gatherers (people and sensors)
• Cross-source data integration 11 gtgt 2!!
• Amount that people care

5
Some issues

• Managing Data Use
• Trust Relationships
• Transparency
• Incentives
• Mechanisms
• Goals/metrics

6
Primary Secondary Use

• Examples
• The Prozac fiasco
• Cameras at traffic lights
• Specification of purpose for which data is
  collected
• Mechanisms for enforcement of primary use?

7
Trust Relationships

• Two sorts of trust
• Policy adherence trust (enforce/check-able?)
• Relationship trust with the data recipient
• may be only loosely related to policy adherence
• Change in relationships can occur between data
  provider and data recipient
• E.g. recipient participates in merger/acquisition
• Effects on policy adherence
• Effects on desirability of relationship.

8
Transparency

• Of use
• Policy crisp and comprehensible? (not p3p!)
• Of disclosure
• You should be able to know what information you
  give out
• E.g. unclear whether the magstripe on your
  drivers license has the same info as the text
• Of extraction
• How do I know what info is extracted, and whether
  its extracted faithfully?
• E.g. swiping my drivers license proves Im gt21,
  but swiping it also can time- and location-stamp
  me
• Does the voting booth correctly record/transmit
  my vote?
• Of data destruction
• Impossible to ensure?

9
Incentives

• Economic mechanisms?
• Graduated, not Boolean (opt-in/out) settings?
• Privacy is not a fungible good
• My privacy is more important to me than to you,
  and vice-versa
• The costs of privacy
• Dollar costs?
• E.g. black market value of identity today
  (assertion 60 per capita). Value chain that
  follows?
• Frictional costs to doing business
• Cost vs. Usability
• E.g. unsafe human rights environments

10
Mechanisms

• Authorization vs. Accountability
• I.e. enforcement in the CS sense vs. the police
  sense
• Accountability scales better?
• Graceful degradation?
• Single point of failure total leak forever?
• Erasure rather than leakage?
• The human factor
• Human leaks
• Key management
• Long Timescales?

11
Goals Metrics

• Store my data forever?
• Not necessarily!
• Enforce my policy forever?
• Not necessarily!
• Ease of use!
• But how?
• Problem statements here are very tricky.

12
One Framework for Discussion
Target User
Technical Approaches (By analogy to Real World)