Upload
morris-melton
View
212
Download
0
Embed Size (px)
Citation preview
Group D
Privacy with accountability, auditability and transparency
Accountability, auditability and transparency in
service of Privacy
18 Nov 2003 3
Grand Challenge Statement
Develop technologies that allow individuals, governments and organizations to control the release and use of information according to flexible and understandable policies.
18 Nov 2003 4
Motivating Scenario• It will soon be possible to determine an
individual’s complete genome• Terrific benefits:
– Customized medical treatments– Knowledge of predisposition for diseases– Aid medical research
• Terrific risk of abuse:– Unauthorized use by insurance, employers,
law enforcement
18 Nov 2003 5
Enabling Assumptions1. There will be semi-trusted computing
platforms (can provide a program to a machine and believe it will execute it only as intended).
2. Legal mechanisms will be in place to sufficiently deter misuse.
3. Perfect encryption primitives are available.
We don’t believe any of these exist yet…but close enough approximations do.
18 Nov 2003 6
Policy Questions• Who should set the policies?
– Individuals: change balance of power• It shouldn’t be up to individuals to understand and agree to a
service’s privacy policy• Instead, individuals provide data in a way that enforces their
policies, and the service decides what service to provide
– Society: “owner” is not only one impacted• Releasing my genome also releases information about my
sister, parents, etc.• Society may deserve to know about criminal records,
infectious diseases, etc.
Non-technical issues, but technology must be ableto support range of desired policies.
18 Nov 2003 7
Policy Questions• How do you express and reason about
policies?– Average users need to understand what policies
allow and disallow, and select (maybe define) policies that reflect their intent
– Privacy policies are complex: release of information, history, location (jurisdiction), remnants, independence
– Transfers between programs and organizations
Design languages for defining policies, tools for reasoning about what policies allow, models for
presenting policies that are understandable
18 Nov 2003 8
Accountability• Need workarounds: Doctor in foreign
country should be able to get medical history of unconscious patient
• Auditability: policies can specify that information is only released if an audit record is produced– Privacy of requestor may conflict with policy
• Policies can relate information release and use to accountability of user: credentials expand accountability, laws in user’s jurisdiction
18 Nov 2003 9
Enforcement• Control for release and use of data has to be
part of data itself– Programs that release information according to a
policy (DRM-like)
• Constrain the use of that information after it is released to one program, but not yet to another (or a human)
• Revocation: if there is a mistake, can we retrieve all information derived from bad data
18 Nov 2003 10
Timeline
Now 3 years 5 years 7 years
RevocationControl Use
Control ReleaseEnforcement
Policies thatdepend onjurisdiction,revocationpolicies
Policies that vary with Accountability, Society-level policies
UnderstandableRelease PoliciesFor Individuals
Policies
18 Nov 2003 11
Impact
Success criterion:
People are willing to provide their genome to medical databases in a way that enables customized treatments and medical research, without fear that it will be abused.
18 Nov 2003 12
Recap: Challenge Statement
Develop technologies that allow individuals, governments and organizations to control the release and use of information according to flexible and understandable policies.