Dimensions of Privacy - PowerPoint PPT Presentation

Loading...

PPT – Dimensions of Privacy PowerPoint presentation | free to download - id: 676e31-ZTJhM



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Dimensions of Privacy

Description:

18739A: Foundations of Security and Privacy Dimensions of Privacy Anupam Datta Fall 2009 * * * * * * * * * * * * * * * * * Remark 1. The summation (over x in RDB) is ... – PowerPoint PPT presentation

Number of Views:112
Avg rating:3.0/5.0
Slides: 21
Provided by: eceCmuEdu
Learn more at: http://www.ece.cmu.edu
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Dimensions of Privacy


1
Dimensions of Privacy
18739A Foundations of Security and Privacy
  • Anupam Datta
  • Fall 2009

2
Privacy in Organizational Processes
Patient medical bills
Patient information
Insurance Company
Hospital
Drug Company
Aggregate anonymized patient information
Advertising
PUBLIC
Complex Process within a Hospital
Patient
Achieve organizational purpose while respecting
privacy expectations in the transfer and use of
personal information (individual and aggregate)
within and across organizational boundaries
3
Dimensions of Privacy
What is Privacy? Philosophy, Law, Public Policy
Express and Enforce Privacy Policies Programming
Languages, Logics, Usability
Database Privacy Statistics, Cryptography
4
Philosophical studies on privacy
  • Reading
  • Overview article in Stanford Encyclopedia of
    Philosophy
  • http//plato.stanford.edu/entries/privacy/
  • Alan Westin, Privacy and Freedom, 1967
  • Ruth Gavison, Privacy and the Limits of Law, 1980
  • Helen Nissenbaum, Privacy as Contextual
    Integrity, 2004 (more on Nov 8)

5
Westin 1967
  • Privacy and control over information
  • Privacy is the claim of individuals, groups or
    institutions to determine for themselves when,
    how, and to what extent information about them is
    communicated to others
  • Relevant when you give personal information to a
    web site agree to privacy policy posted on web
    site
  • May not apply to your personal health information

6
Gavison 1980
  • Privacy as limited access to self
  • A loss of privacy occurs as others obtain
    information about an individual, pay attention to
    him, or gain access to him. These three elements
    of secrecy, anonymity, and solitude are distinct
    and independent, but interrelated, and the
    complex concept of privacy is richer than any
    definition centered around only one of them.
  • Basis for database privacy definition discussed
    later

7
Gavison 1980
  • On utility
  • We start from the obvious fact that both perfect
    privacy and total loss of privacy are
    undesirable. Individuals must be in some
    intermediate state a balance between privacy
    and interaction Privacy thus cannot be said to
    be a value in the sense that the more people have
    of it, the better.
  • This balance between privacy and utility will
    show up in data privacy as well as in privacy
    policy languages, e.g. health data could be
    shared with medical researchers

8
Contextual Integrity Nissenbaum 2004
  • Philosophical framework for privacy
  • Central concept Context
  • Examples Healthcare, banking, education
  • What is a context?
  • Set of interacting agents in roles
  • Roles in healthcare doctor, patient,
  • Informational norms
  • Doctors should share patient health information
    as per the HIPAA rules
  • Norms have a specific structure (descriptive
    theory)
  • Purpose
  • Improve health
  • Some interactions should happen - patients should
    share personal health information with doctors

9
Informational Norms
  • In a context, the flow of information of a
    certain type about a subject (acting in a
    particular capacity/role) from one actor (could
    be the subject) to another actor (in a particular
    capacity/role) is governed by a particular
    transmission principle.

Contextual Integrity Nissenbaum2004
10
Privacy Regulation Example (GLB Act)
Sender role
Subject role
Financial institutions must notify consumers if
they share their non-public personal information
with non-affiliated companies, but the
notification may occur either before or after the
information sharing occurs
Attribute
Recipient role
Exactly as CI says!
Transmission principle
11
Privacy Laws in the US
  • HIPAA (Health Insurance Portability and
    Accountability Act, 1996)
  • Protecting personal health information
  • GLBA (Gramm-Leach-Bliley-Act, 1999)
  • Protecting personal information held by financial
    service institutions
  • COPPA (Childrens Online Privacy Protection Act,
    1998)
  • Protecting information posted online by children
    under 13
  • More details in later lecture about these laws
    and a formal logic of privacy that captures
    concepts from contextual integrity

12
Database Privacy
  • Releasing sanitized databases
  • k-anonymity Samarati 2001 Sweeney 2002
  • (c,t)-isolation Chawla et al. 2005
  • Differential privacy Dwork et al. 2006 (next
    lecture)

13
Sanitization of Databases
Add noise, delete names, etc.
Real Database (RDB)
Sanitized Database (SDB)
Health records Census data
Protect privacy Provide useful information
(utility)
14
Re-identification by linking
Linking two sets of data on shared attributes
may uniquely identify some individuals
Example Sweeney De-identified medical data
was released, purchased Voter Registration
List of MA, re-identified Governor 87 of US
population uniquely identifiable by 5-digit ZIP,
sex, dob
15
1. K-anonymity
  • Quasi-identifier Set of attributes (e.g. ZIP,
    sex, dob) that can be linked with external data
    to uniquely identify individuals in the
    population
  • Issue How do we know what attributes are
    quasi-identifiers?
  • Make every record in the table indistinguishable
  • from at least k-1 other records with respect
    to quasi-identifiers
  • Linking on quasi-identifiers yields at least k
    records for each possible value of the
    quasi-identifier

16
K-anonymity and beyond
Provides some protection linking on ZIP, age,
nationality yields 4 records Limitations lack
of diversity in sensitive attributes, background
knowledge, subsequent releases on the same
data set, syntactic definition Utility less
suppression implies better utility
l-diversity, m-invariance, t-closeness,
17
2. (c,t)-isolation
  • Mathematical definition motivated by Gavisons
    idea that privacy is protected to the extent that
    an individual blends into a crowd.
  • Image courtesy of WaldoWiki http//images.wikia.c
    om/waldo/images/a/ae/LandofWaldos.jpg

18
Definition of (c,t)-isolation
  • A database is represented by n points in high
    dimensional space (one dimension per column)
  • Let y be any RDB point, and let dyq-y2. We
    say that q (c,t)-isolates y iff B(q,cdy) contains
    fewer than t points in the RDB, that is,
    B(q,cdy) n RDB lt t.

x2
xt-2
x1
q
cdy
dy
y
19
Definition of (c,t)-isolation (contd)
20
Another influence
  • Next lecture Issues with this definition of
    privacy (impossible to achieve for arbitrary
    auxiliary information) and an alternate
    definition (differential privacy)
About PowerShow.com