Privacy and Security Lowell Meeting Joe Hellerstein
These notes are based on prior discussion
- IBM Almaden Institute 2003: Privacy. Organizer: Rakesh Agrawal
- These notes resulted from a group discussion I led: Technology requirements for privacy
- Many participants, including computer scientists, government officials, product managers
- The distillation is my own; I should be blamed for errors, misrepresentations, etc.
Whose Privacy? Whose Security?
- Individual
- Organization (corporation, library, school)
- Government
- Society
Traditional Topics & Today
- Access control
  - Views (need-to-know)
  - Roles, not individuals
  - Etc.
- Now mix in:
  - Serious adversaries (pass the bit tweezers)
  - Large timescales
  - Scale
    - # of people: every person now has rights and access
    - # of info-gatherers (people and sensors)
  - Cross-source data integration: 1+1 >> 2!!
  - Amount that people care
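The "1+1 >> 2" point is the classic linkage attack: two datasets that each look harmless are joined on shared quasi-identifiers, and the join re-identifies people in a release that had its names stripped. The following is an added example, not part of the original slides. The voter-roll and medical records are constructed sample data, the quasi-identifier set (ZIP, date of birth, sex) and the generalization rule (ZIP prefix, birth year) are assumptions chosen to show the effect, and the k-anonymity measure is the standard smallest-equivalence-class count over those fields.

```python
"""Added example (not from the original slides): cross-source integration
re-identifying a "de-identified" release by joining on quasi-identifiers.
All records are constructed, not real people."""
from collections import Counter

# Constructed "public" dataset: names, no sensitive fields.
VOTER_ROLL = [
    {"name": "Ada Lovelace",     "zip": "02139", "dob": "1965-12-10", "sex": "F"},
    {"name": "Grace Hopper",     "zip": "02139", "dob": "1965-12-09", "sex": "F"},
    {"name": "Alan Turing",      "zip": "02140", "dob": "1962-06-23", "sex": "M"},
    {"name": "Dennis Ritchie",   "zip": "02140", "dob": "1962-06-23", "sex": "M"},
    {"name": "Claude Shannon",   "zip": "02141", "dob": "1966-04-30", "sex": "M"},
    {"name": "John von Neumann", "zip": "02142", "dob": "1966-12-28", "sex": "M"},
]

# Constructed "de-identified" dataset: names removed, sensitive field kept.
MEDICAL_RELEASE = [
    {"zip": "02139", "dob": "1965-12-10", "sex": "F", "diagnosis": "depression"},
    {"zip": "02140", "dob": "1962-06-23", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02141", "dob": "1966-04-30", "sex": "M", "diagnosis": "asthma"},
]

QUASI_IDENTIFIERS = ("zip", "dob", "sex")  # assumed join key


def qi_key(rec, fields=QUASI_IDENTIFIERS):
    return tuple(rec[f] for f in fields)


def link(public, release, fields=QUASI_IDENTIFIERS):
    """Join the two datasets on the quasi-identifiers.

    Returns (exact, ambiguous): exact maps name -> diagnosis for every
    release record whose key matches exactly one public record (a full
    re-identification); ambiguous maps the tuple of candidate names ->
    diagnosis where several people share the key (what k > 1 buys you).
    """
    by_key = {}
    for rec in public:
        by_key.setdefault(qi_key(rec, fields), []).append(rec["name"])
    exact, ambiguous = {}, {}
    for rec in release:
        names = by_key.get(qi_key(rec, fields), [])
        if len(names) == 1:
            exact[names[0]] = rec["diagnosis"]
        elif len(names) > 1:
            ambiguous[tuple(names)] = rec["diagnosis"]
    return exact, ambiguous


def k_anonymity(dataset, fields=QUASI_IDENTIFIERS):
    """Smallest equivalence class over the quasi-identifiers.
    k == 1 means at least one record is singled out by them alone."""
    counts = Counter(qi_key(rec, fields) for rec in dataset)
    return min(counts.values())


def generalize(dataset):
    """One cheap generalization (assumed for the example): keep only the
    3-digit ZIP prefix and the birth year, so more people share each key."""
    out = []
    for rec in dataset:
        g = dict(rec)
        g["zip"] = rec["zip"][:3]
        g["dob"] = rec["dob"][:4]
        out.append(g)
    return out


if __name__ == "__main__":
    exact, ambiguous = link(VOTER_ROLL, MEDICAL_RELEASE)
    print("re-identified:", exact)
    print("ambiguous:", ambiguous)
    print("k of raw release:", k_anonymity(MEDICAL_RELEASE))
    g_exact, g_amb = link(generalize(VOTER_ROLL), generalize(MEDICAL_RELEASE))
    print("re-identified after generalization:", g_exact)
    print("k of generalized roll:", k_anonymity(generalize(VOTER_ROLL)))
```

On the raw data two of the three release records map to exactly one name; after generalization every match becomes ambiguous. The point for the discussion is that neither source's custodian did anything wrong in isolation; the leak only exists once the sources are integrated.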
Some issues
- Managing data use
- Trust relationships
- Transparency
- Incentives
- Mechanisms
- Goals/metrics
Primary & Secondary Use
- Examples
  - The Prozac fiasco
  - Cameras at traffic lights
- Specification of purpose for which data is collected
- Mechanisms for enforcement of primary use?
Trust & Relationships
- Two sorts of trust
  - Policy-adherence trust (enforceable/checkable?)
  - Relationship trust with the data recipient; may be only loosely related to policy adherence
- Change in relationships can occur between data provider and data recipient
  - E.g. recipient participates in merger/acquisition
  - Effects on policy adherence
  - Effects on desirability of relationship
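One concrete mechanism for "specification of purpose" and "enforcement of primary use" from the previous slide, and for the merger/acquisition case on this one, is purpose-bound access control: each record carries the recipient and the purposes it was collected for, every query must declare a purpose, and the store serves only records whose consent covers both. What follows is an added example, not code from the original slides or from any product discussed there. The pharmacy scenario, the recipients RxCo and MegaHealth, the subjects, the purpose names and the rule that consent does not survive a change of recipient unless renewed are all assumptions made for the illustration.

```python
"""Added example (not from the original slides): purpose-bound access
control enforcing primary use, plus consent handling across a change of
data recipient. Recipients, subjects, purposes and fields are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Consent:
    recipient: str       # organisation the subject gave the data to
    purposes: frozenset  # primary uses the subject agreed to


@dataclass
class Record:
    subject: str
    data: dict
    consent: Consent


class PurposeBoundStore:
    def __init__(self):
        self._records = []
        self.audit = []  # accountability: (requester, purpose, columns, served, withheld)

    def collect(self, subject, data, recipient, purposes):
        self._records.append(Record(subject, dict(data), Consent(recipient, frozenset(purposes))))

    def query(self, requester, purpose, columns):
        """Serve only records whose consent names this requester AND this purpose.
        A secondary use (a purpose the subject never agreed to) gets nothing,
        and the attempt is logged either way."""
        served, withheld = [], 0
        for rec in self._records:
            if requester == rec.consent.recipient and purpose in rec.consent.purposes:
                served.append({"subject": rec.subject, **{c: rec.data[c] for c in columns}})
            else:
                withheld += 1
        self.audit.append((requester, purpose, tuple(columns), len(served), withheld))
        return served

    def transfer(self, old, new, renewed=()):
        """Model a merger/acquisition (assumed rule): the records move to the
        new owner, but consent was given to `old`, so only subjects who
        renewed it become usable by `new`. Everyone else's records stay
        bound to a recipient that no longer exists, i.e. they are frozen."""
        moved = 0
        for rec in self._records:
            if rec.consent.recipient == old and rec.subject in renewed:
                rec.consent = Consent(new, rec.consent.purposes)
                moved += 1
        return moved


def demo():
    """Constructed scenario: a pharmacy collecting prescriptions."""
    store = PurposeBoundStore()
    store.collect("alice", {"drug": "drug-A", "email": "alice@example.org"}, "RxCo", ["dispensing"])
    store.collect("bob", {"drug": "drug-B", "email": "bob@example.org"}, "RxCo",
                  ["dispensing", "refill-reminders"])
    dispensing = store.query("RxCo", "dispensing", ["drug"])        # primary use: both records
    marketing = store.query("RxCo", "marketing", ["email"])         # secondary use: nothing
    reminders = store.query("RxCo", "refill-reminders", ["email"])  # only bob agreed
    moved = store.transfer("RxCo", "MegaHealth", renewed=["bob"])   # acquisition; only bob renewed
    after = store.query("MegaHealth", "dispensing", ["drug"])       # alice's record is now frozen
    return (len(dispensing), len(marketing), len(reminders), moved, len(after), len(store.audit))


if __name__ == "__main__":
    print(demo())
```

The audit list is the accountability half of the slide's later authorization-vs-accountability distinction: even the denied marketing query leaves a trace saying who asked for which columns for which purpose.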
Transparency
- Of use
  - Policy crisp and comprehensible? (not P3P!)
- Of disclosure
  - You should be able to know what information you give out
  - E.g. unclear whether the magstripe on your driver's license has the same info as the text
- Of extraction
  - How do I know what info is extracted, and whether it's extracted faithfully?
  - E.g. swiping my driver's license proves I'm >21, but swiping it also can time- and location-stamp me
  - Does the voting booth correctly record/transmit my vote?
- Of data destruction
  - Impossible to ensure?
Incentives
- Economic mechanisms?
- Graduated, not Boolean (opt-in/out) settings?
- Privacy is not a fungible good
  - My privacy is more important to me than to you, and vice versa
- The costs of privacy
  - Dollar costs? E.g. black market value of identity today (assertion: $60 per capita). Value chain that follows?
  - Frictional costs to doing business
  - Cost vs. usability
    - E.g. unsafe human rights environments
Mechanisms
- Authorization vs. accountability
  - I.e. enforcement in the CS sense vs. the police sense
  - Accountability scales better?
- Graceful degradation?
  - Single point of failure = total leak forever?
  - Erasure rather than leakage?
- The human factor
  - Human leaks
  - Key management
- Long timescales?
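"Erasure rather than leakage", "single point of failure = total leak forever" and the earlier question of whether data destruction can be ensured at all are tied together by one standard design: encrypt each record under its own key, so that destroying the key is the act of erasure even if copies of the ciphertext live on, and split that key among several custodians with a threshold so that one leaked custodian reveals nothing and one lost custodian loses nothing. The block below is an added example, not code from the original slides. It uses only the Python standard library; the HMAC-SHA256 keystream is an illustrative PRF-based stream cipher chosen to keep the example self-contained (no authentication; real deployments should use an authenticated cipher such as AES-GCM from a vetted library), the prime modulus for the secret sharing, the custodian names, the threshold and the record contents are assumptions made for the example.

```python
"""Added example (not from the original slides): crypto-shredding with the
per-record key split among custodians by Shamir secret sharing. Stdlib only;
the keystream cipher is illustrative, not a production choice."""
import hashlib
import hmac
import secrets

P = 2**256 - 189  # prime field for the sharing (assumed; exceeds any 32-byte key)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || block offset). Same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def split_secret(secret: int, n: int, t: int):
    """Shamir: n shares (x, f(x)) of a degree t-1 polynomial with f(0) = secret.
    Any t shares recover it; t-1 shares are uniformly random and reveal nothing."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        s = (s + yi * num * pow(den, -1, P)) % P
    return s


class ShreddableStore:
    """Ciphertexts may be copied and kept forever; readability depends only on
    whether `threshold` custodians still hold their key shares."""

    def __init__(self, custodians, threshold):
        self.custodians = list(custodians)
        self.threshold = threshold
        self.blobs = {}                              # record id -> (nonce, ciphertext)
        self.shares = {c: {} for c in custodians}    # custodian -> {record id: share}

    def put(self, rid, plaintext: bytes):
        key_int = secrets.randbelow(P)               # fresh key per record
        nonce = secrets.token_bytes(16)
        self.blobs[rid] = (nonce, keystream_xor(key_int.to_bytes(32, "big"), nonce, plaintext))
        for c, sh in zip(self.custodians, split_secret(key_int, len(self.custodians), self.threshold)):
            self.shares[c][rid] = sh                 # the key now exists only as shares

    def get(self, rid, available):
        """Decrypt using the shares of the custodians currently `available`."""
        shares = [self.shares[c][rid] for c in available if rid in self.shares[c]]
        if len(shares) < self.threshold:
            raise KeyError(f"{rid}: {len(shares)} of {self.threshold} shares available")
        key = recover_secret(shares[:self.threshold]).to_bytes(32, "big")
        nonce, ct = self.blobs[rid]
        return keystream_xor(key, nonce, ct)

    def shred(self, rid):
        """Erasure: destroy the key shares and leave the ciphertext in place."""
        for c in self.custodians:
            self.shares[c].pop(rid, None)


def demo():
    """Constructed run: three custodians, any two can read."""
    store = ShreddableStore(["hr", "legal", "it"], threshold=2)
    record = b"salary=120000;ssn=***-**-1234"       # constructed record
    store.put("emp-17", record)
    full = store.get("emp-17", ["hr", "legal", "it"])
    degraded = store.get("emp-17", ["legal", "it"])  # one custodian down: still readable
    try:
        store.get("emp-17", ["it"])                  # one custodian leaked: still unreadable
        single_leaks = True
    except KeyError:
        single_leaks = False
    store.shred("emp-17")
    try:
        store.get("emp-17", ["hr", "legal", "it"])   # all custodians, but no shares left
        readable_after_shred = True
    except KeyError:
        readable_after_shred = False
    return full, degraded, single_leaks, readable_after_shred, "emp-17" in store.blobs


if __name__ == "__main__":
    print(demo())
```

The last element of `demo()`'s result is the point about destruction: the ciphertext is still in the store after shredding, and the only way to make that harmless is to make sure every share was really gone, which is a key-management problem, not a storage one. Whether shares held on backups or by departed custodians were actually destroyed is exactly the "impossible to ensure?" question; this design shrinks it from "every copy of the data" to "every copy of a few hundred bytes of key material".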
Goals & Metrics
- Store my data forever? Not necessarily!
- Enforce my policy forever? Not necessarily!
- Ease of use! But how?
- Problem statements here are very tricky.
One Framework for Discussion
- Target user
- Technical approaches (by analogy to the real world)