
Privacy: Challenges and Opportunities

Tadayoshi Kohno, Department of Computer Science and Engineering, University of Washington

Definition (Oxford English Dictionary): “The state or condition of being alone, undisturbed, or free from public attention, as a matter of choice or right; seclusion; freedom from interference or intrusion.”

Questions:
Who: Who receives access to your information?
What: What information is disclosed?
When: Under what conditions is it exposed?
Why: What will they use that information for?

Claim: It’s a lost cause; we’ve already lost our privacy
Claim: “I’ve got nothing to hide”
Claim: Users choose functionality over privacy

Examples:
The web (search engines, web mail, social networking sites, traffic through ISPs, …)
Shopping (customer loyalty cards, conventional credit cards, RFID credit cards)
Electronic voting (privacy issues seldom discussed)

Claim: Known privacy breaches change people’s perceptions (at least temporarily)

Guardian

What are users’ privacy goals and values (users may differ)?
How can we give users a more intuitive understanding of:
What information leaks out;
To whom; and
For what purposes?

Proposals like P3P (Platform for Privacy Preferences) help

Who should take responsibility?

The data collector?
Harden systems against attacks
Sufficiently scrub data before sharing it with the public (recall the AOL logs)
What about sharing data with corporate partners?

The user?
Don’t reveal information in the first place (cash purchases, no Web)
Tor, anonymization systems, pseudonyms
But what if data collectors aggregate information or are not trustworthy?

Privacy may come with a cost (efficiency, time to market, usability, ...)

Is the cost worth it?

Assume products/services A, B, and C violate a user’s privacy

Is it worth just fixing the privacy properties of A?
What are the incentives when A, B, and C are produced by competing companies?

Scrubbing data while preserving utility is challenging
What constitutes identifying (or too revealing) information?
Recent examples:
Identifying users in “anonymized” AOL logs
De-anonymizing IP addresses in “anonymized” network traces
Identifying encrypted web content (from MSR and elsewhere)

Example directions (for query logs) [Adar, QLW WWW07]

Remove queries that occur < n times
New pseudonyms every t minutes
Different pseudonyms for each “type” of query
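The three directions above, and the "sufficiently scrub data before sharing" point earlier, are concrete enough to implement. The example below is added here; it is not code from the talk or from the Adar WWW'07 paper. It takes a constructed query log of (user id, timestamp, query) rows and applies the three transformations: rare queries are dropped, the pseudonym for a user changes every t minutes, and each query "type" gets its own pseudonym. The query-type heuristic (single dotted token = navigational, anything else = informational) is an assumption chosen for illustration. Pseudonyms are keyed HMACs rather than bare hashes, so that a recipient of the scrubbed log cannot rebuild the mapping by hashing guessed user ids; the key stays with the data collector.

```python
"""Query-log scrubbing in the three directions listed on the slide.

Added example; not code from the talk or from the Adar WWW'07 paper.
"""
import hmac
import hashlib
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: (user id, timestamp, query). Not real data.
SAMPLE_LOG = [
    ("u1", "2006-03-01 10:00:00", "weather seattle"),
    ("u1", "2006-03-01 10:20:00", "amazon.com"),
    ("u1", "2006-03-01 12:30:00", "weather seattle"),
    ("u2", "2006-03-01 10:05:00", "weather seattle"),
    ("u2", "2006-03-01 10:07:00", "plumber 12 maple street"),  # unique, revealing
    ("u2", "2006-03-01 11:45:00", "amazon.com"),
    ("u3", "2006-03-01 11:00:00", "amazon.com"),
]

EPOCH = datetime(1970, 1, 1)
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def query_type(query: str) -> str:
    """Coarse query classification (assumed heuristic, not from the paper):
    a single token containing a dot is treated as navigational ("nav"),
    anything else as informational ("info")."""
    if " " not in query and "." in query:
        return "nav"
    return "info"


def window_index(ts: str, window_minutes: int) -> int:
    """Number of whole t-minute windows since a fixed epoch (timezone-free)."""
    t = datetime.strptime(ts, TS_FORMAT)
    return (t - EPOCH) // timedelta(minutes=window_minutes)


def pseudonym(key: bytes, user_id: str, window: int, qtype: str) -> str:
    """Keyed pseudonym over (user, window, query type).

    HMAC rather than a bare hash: without the key, a recipient cannot
    re-derive the mapping by hashing guessed user ids. The key is the
    collector's secret and is never released with the scrubbed log.
    """
    msg = f"{user_id}|{window}|{qtype}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def scrub(log, key: bytes, min_count: int = 2, window_minutes: int = 60):
    """Return (pseudonym, window_start, query) rows for release.

    1. Drop queries occurring fewer than min_count times in the whole log;
       the rare, specific queries are the ones that pin down a person.
    2. Rotate pseudonyms every window_minutes so one user's full history
       cannot be stitched together across the log.
    3. Use a separate pseudonym per query type so a user's navigational
       and informational queries do not link to each other.
    Timestamps are coarsened to the window start for the same reason.
    """
    counts = Counter(q for _, _, q in log)
    rows = []
    for user_id, ts, query in log:
        if counts[query] < min_count:
            continue
        w = window_index(ts, window_minutes)
        start = EPOCH + w * timedelta(minutes=window_minutes)
        rows.append((pseudonym(key, user_id, w, query_type(query)),
                     start.strftime(TS_FORMAT), query))
    return rows


if __name__ == "__main__":
    for row in scrub(SAMPLE_LOG, key=b"collector-secret-key"):
        print(*row)
```

Note the utility trade-off the slide alludes to: with per-window, per-type pseudonyms the released log no longer supports studies of a single user's long-term behaviour, and the frequency threshold removes exactly the long-tail queries that some research needs. The parameters n and t are the knobs that trade utility against linkability.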

Multiple parties involved
Users, companies, and adversaries
Different parties may have different goals and perceptions of privacy

Users may not understand implications of revealing data

Users may not even consider that data to be private

Where should we focus our efforts?
Users and usability?
Individual products and services?
Policy?


Microsoft Research Faculty Summit 2007