Group D

Privacy with accountability, auditability and transparency

Accountability, auditability and transparency in

service of Privacy

18 Nov 2003 3

Grand Challenge Statement

Develop technologies that allow individuals, governments and organizations to control the release and use of information according to flexible and understandable policies.

18 Nov 2003 4

Motivating Scenario• It will soon be possible to determine an

individual’s complete genome• Terrific benefits:

– Customized medical treatments– Knowledge of predisposition for diseases– Aid medical research

• Terrific risk of abuse:– Unauthorized use by insurance, employers,

law enforcement

18 Nov 2003 5

Enabling Assumptions1. There will be semi-trusted computing

platforms (can provide a program to a machine and believe it will execute it only as intended).

2. Legal mechanisms will be in place to sufficiently deter misuse.

3. Perfect encryption primitives are available.

We don’t believe any of these exist yet…but close enough approximations do.

18 Nov 2003 6

Policy Questions• Who should set the policies?

– Individuals: change balance of power• It shouldn’t be up to individuals to understand and agree to a

service’s privacy policy• Instead, individuals provide data in a way that enforces their

policies, and the service decides what service to provide

– Society: “owner” is not only one impacted• Releasing my genome also releases information about my

sister, parents, etc.• Society may deserve to know about criminal records,

infectious diseases, etc.

Non-technical issues, but technology must be ableto support range of desired policies.

18 Nov 2003 7

Policy Questions• How do you express and reason about

policies?– Average users need to understand what policies

allow and disallow, and select (maybe define) policies that reflect their intent

– Privacy policies are complex: release of information, history, location (jurisdiction), remnants, independence

– Transfers between programs and organizations

Design languages for defining policies, tools for reasoning about what policies allow, models for

presenting policies that are understandable

18 Nov 2003 8

Accountability• Need workarounds: Doctor in foreign

country should be able to get medical history of unconscious patient

• Auditability: policies can specify that information is only released if an audit record is produced– Privacy of requestor may conflict with policy

• Policies can relate information release and use to accountability of user: credentials expand accountability, laws in user’s jurisdiction

18 Nov 2003 9

Enforcement• Control for release and use of data has to be

part of data itself– Programs that release information according to a

policy (DRM-like)

• Constrain the use of that information after it is released to one program, but not yet to another (or a human)

• Revocation: if there is a mistake, can we retrieve all information derived from bad data

18 Nov 2003 10

Timeline

Now 3 years 5 years 7 years

RevocationControl Use

Control ReleaseEnforcement

Policies thatdepend onjurisdiction,revocationpolicies

Policies that vary with Accountability, Society-level policies

UnderstandableRelease PoliciesFor Individuals

Policies

18 Nov 2003 11

Impact

Success criterion:

People are willing to provide their genome to medical databases in a way that enables customized treatments and medical research, without fear that it will be abused.

18 Nov 2003 12

Recap: Challenge Statement

Develop technologies that allow individuals, governments and organizations to control the release and use of information according to flexible and understandable policies.