Overview
1. The advancing privacy challenge
2. Help from the history of the evolution of privacy and technology
3. Assuming state-of-the art research succeeds, then what...
Privacy Challenges in the Web's first decade
Characteristics of Today's Privacy Challenge
- Lots of personal information data
- held by lots of parties
- huge increase in analytic capacity and data integration techniques
- little time and attention to manage uses
- unclear rules when data crosses boundaries
4th Amendment Perspective on Technology Change
Historical foundation:
"Ways may some day be developed by which the Government, without removing
papers from secret drawers, can reproduce them in court, and by which it
will be enabled to expose to a jury the most intimate occurrences of the
home.... Can it be that the Constitution affords no protection against such
invasions of individual security?"
Olmstead v. United States, 277 U.S. 438, 467 (1928) (Brandeis, J.,
dissenting)
Modern response:
It would be foolish to contend that the degree of privacy secured to
citizens by the Fourth Amendment has been entirely unaffected by the
advance of technology.... Where, as here, the Government uses a device that
is not in general public use, to explore details of the home that would
previously have been unknowable without physical intrusion, the
surveillance is a “search” and is presumptively unreasonable without a
warrant. "
Kyllo v. United States. 533 U.S. 27 (2001) (Scalia, J.)
"[T]he law must advance with the technology to ensure the continued
vitality of the Fourth Amendment
Electronic Communications Privacy Act legislative history, Senate Report,
p.5
Historical Evolution of Surveillance Technology and Legal Regulation
Expansion of Technological Capabilities & 4th
Amendment Protection
|
Communications Technology
|
Crime |
4A trigger
|
4A protection |
| 1928 |
Early telephone |
Prohibition |
Castle: Physical -- property/trespass
(Olmstead) |
none b/c no trespass |
| 1968 |
Mass market phones |
Gambling/Organized Crime |
People not places (Katz) |
Congress enacts guidance of Katz: Probable cause, limited class of
crimes, after the fact inventory |
| 1984/6 |
Store & forward/email |
[pre-emptive strike by technophiles] |
Activity not medium |
ECPA: email gets status of 1st class mail vs. 3rd party business
records |
| 1994 |
Transactional records |
Global, digital communications |
Power to reveal personal information vs. owner |
judicial supervision for transactional records access |
2007
Today |
World Wide Web and data mining |
Terrorism |
People not
information |
?? |
Characteristics of Today's Privacy Challenge
- Lots of personal information data
- held by lots of parties
- huge increase in analytic capacity and data integration techniques
- little time and attention to manage uses
- unclear rules when data crosses boundaries
Privacy: the dilemma of consent
Can today's model (EU or US) be sufficient going forward?
Key will be purpose limitation, but we have a dilemma...
- narrow purpose definition -> lots of choices = large time investment
will yield privacy protection and low flexibility
- broad purpose limitation -> few choices = small time investment
required but less control and less privacy protection
Dilemma: limited individual and regulatory capacity to
control escalating data collection.
Current result of consent dilemma +
increased inference power: strict about what's collected but loose about
usage
Better result: loose about what is
collected and strict about usage
One approach -- Better Secrecy: Privacy Sensitive Data Mining
Goal: construct data base protocol that limits
information access according to a formal definition of privacy
Privacy Definition: indistinguishability of the
individual from the community
Method: measures epsilon-indistinguishability of a database
query transcript
Differential
Privacy, Cynthia Dwork, 33rd International Colloquium on Automata,
Languages and Programming, ICALP 2006, Part II, pp. 1–12, 2006.
k-anonymity work
Questions upon the Success of Privacy Sensitive Data Mining
A privacy-safe zone: Privacy sensitive data mining establishes a boundary,
which, if respected, assures no privacy risk to the individual.
- how do you know that data usage remains within the privacy-safe zone:
- over time?
- across an institution?
- what legal rules outside the privacy-safe zone?
question 1 - requires new system design
question 2 - requires new policy making in response to technical change
Toward Another Approach...
- How many believe you are subject to law (any law)?
- How many of you follow (most) laws? [exclude speed limits]
- How many of you read all the laws to which you believe you are
subject?
- How many have been to a court of law?
Another Approach: Making the Web 'Policy Aware'
General view (amongst the 'digerati'): law has to catch
up with new technology.
General question: how will laws catch up?
My question: How will the Web finally catch up with the
'real world'?: in everyday life, the vast major of 'policy' problems get
worked out without recourse to legal system.
Design goal: instrument the Web to provide seamless
social interactions which allow us to avoid legal system the way we do in the
rest of life
Global perspective: In the shift from centralized to decentralized
information systems we see a general trend:
ex ante policy enforcement barriers -> policy description
with late binding of rules for accountability
Key Design Patterns For Policy Aware Systems
Policy: Shift from a priori controls to a posteriori accountability through transparency
Technology: Rules languages, reasoners, and transaction logging for transparency and accountability
Transparent Accountable Data Mining Project
Privacy Design Pattern: The more data becomes available on the Web and the more inferencing power increases, privacy protection will have to rely more on usage limitation rules and less on collection limitation rules.
Usage Limits depend upon:
- Transparency: history of data manipulations and inferences is maintained and can be examined by authorized parties (who may be the general public).
- Accountability: ability to check whether the policies that govern data manipulations and inferences were in fact adhered to.
End-to-End Semantic Accountability -- a unified infratructure for policy aware access control and rules accountability
End-to-End Semantic Accountability -- a unified infratructure for policy aware access control and rules accountability
Discussion and More Information
For more information see:
- MIT Decentralized Information Group: http://dig.csail.mit.edu/
- Transparent, Accountable Datamining Initiative (TAMI): http://groups.csail.mit.edu/dig/TAMI
- Policy Aware Web project (PAW): http://www.policyawareweb.org/
- Feigenbaum and Weitzner (eds.), "Report on the 2006 TAMI/Portia Workshop on Privacy and Accountability."
- Weitzner, Abelson, Berners-Lee, Hanson, Hendler, Kagal, McGuinness,
Sussman, Waterman, Transparent
Accountable Data Mining: New Strategies for Privacy Protection,; MIT
CSAIL Technical Report MIT-CSAIL-TR-2006-007
[DSpace handle]
(27 January 2006).
Work described here is supported by the US National Science Foundation
Cybertrust Program (05-518) and ITR Program (04-012).
This work is licensed under a Creative Commons
Attribution-NonCommercial-NoDerivs 2.5 License.
