Privacy and Security
Lowell Meeting
Joe Hellerstein
These notes based on prior discussion
• IBM Almaden Institute 2003: Privacy
  • Organizer: Rakesh Agrawal
• These notes resulted from a group discussion I led: “Technology requirements for privacy.”
  • Many participants, including computer scientists, government officials, product managers
• Distillation is my own
  • I should be blamed for errors, misrepresentations, etc.
Whose Privacy? Whose Security?
• Individual
• Organization (corporation, library, school)
• Government
• Society
Traditional Topics & Today
• Access control
• Views (need-to-know)
• Roles, not individuals
• Etc.
• Now mix in:
  • Serious adversaries (pass the bit tweezers)
  • Large timescales
  • Scale
    • # of people: every person now has rights and access
    • # of info-gatherers (people and “sensors”)
  • Cross-source data integration: 1+1 >> 2!!
  • Amount that people care
Some issues
• Managing Data Use
• Trust Relationships
• Transparency
• Incentives
• Mechanisms
• Goals/metrics
Primary & Secondary Use
• Examples
  • The Prozac fiasco
  • Cameras at traffic lights
• Specification of purpose for which data is collected
• Mechanisms for enforcement of primary use?
Trust & Relationships
• Two sorts of trust
  • Policy adherence trust (enforce/check-able?)
  • Relationship trust with the data recipient
    • may be only loosely related to policy adherence
• Change in relationships can occur between data provider and data recipient
  • E.g. recipient participates in merger/acquisition
  • Effects on policy adherence
  • Effects on desirability of relationship.
Transparency
• Of use
  • Policy crisp and comprehensible? (not P3P!)
• Of disclosure
  • You should be able to know what information you give out
  • E.g. unclear whether the magstripe on your driver’s license has the same info as the text
• Of extraction
  • How do I know what info is extracted, and whether it’s extracted faithfully?
  • E.g. swiping my driver’s license proves I’m >21, but swiping it also can time- and location-stamp me
  • Does the voting booth correctly record/transmit my vote?
• Of data destruction
  • Impossible to ensure?
Incentives
• Economic mechanisms?
  • Graduated, not Boolean (opt-in/out) settings?
• Privacy is not a fungible good
  • My privacy is more important to me than to you, and vice versa
• The costs of privacy
  • Dollar costs?
    • E.g. black market value of identity today (assertion: $60 per capita). Value chain that follows?
  • Frictional costs to doing business
  • Cost vs. Usability
    • E.g. unsafe human rights environments
Mechanisms
• Authorization vs. Accountability
  • I.e. “enforcement” in the CS sense vs. the police sense
  • Accountability scales better?
• Graceful degradation?
  • Single point of failure = total leak forever?
  • Erasure rather than leakage?
• The human factor
  • Human leaks
  • Key management
• Long Timescales?
Goals & Metrics
• Store my data forever?
  • Not necessarily!
• Enforce my policy forever?
  • Not necessarily!
• Ease of use!
  • But how?
• Problem statements here are very tricky.
One Framework for Discussion
Target “User” / Technical Approaches (By analogy to Real World)