Invited Essay: Information Accountability

Challenge

The Web is Still Dumb about Policy

• Access Control & Authorization
• Copyright
• Privacy

In-depth look at privacy

• Tensions in traditional computer science and computer security view
• Tensions in traditional legal view
• Efforts toward revitalizing privacy

Privacy Challenges in the Web's first decade

Privacy Challenges in the Web's first decade

“The term “privacy” denotes a socially defined ability of an individual (or organization) to determine whether, when, and to whom personal (or organizational) information is to be released.”

Saltzer and Schroeder, The Protection of Information in Computer Systems Communications of the ACM 17, 7 (July 1974).

Characteristics of Today's Privacy Challenge

1. Lots of personal information data
2. held by lots of parties
3. huge increase in analytic capacity and data integration techniques
4. little time and attention to manage uses
5. unclear rules when data crosses boundaries

Overall transparency is a major factor in current privacy risks.

Privacy's Boundaries - The Home

Historical foundations - the home

"The house of everyone is to him as his castle and fortress, as well for his defence against injury and violence, as for his repose...." Semayne's Case, All ER Rep 62 (Michaelmas Tern 1604)

Privacy's Boundaries - The Home Breached

"Ways may some day be developed by which the Government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home.... Can it be that the Constitution affords no protection against such invasions of individual security?" Olmstead v. United States, 277 U.S. 438, 467 (1928) (Brandeis, J., dissenting)

Privacy's Boundaries - New Privacy Protections

"The Fourth Amendment protects people, not places. What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection.... But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected Katz v. United States. 389 U.S. 347 (1967)

Privacy's Boundaries - New Challenges

It would be foolish to contend that the degree of privacy secured to citizens by the Fourth Amendment has been entirely unaffected by the advance of technology...." Kyllo v. United States. 533 U.S. 27 (2001) (Scalia, J.)

One approach -- Information Hiding: Privacy Sensitive Data Analysis

Goal: construct data base protocol that limits information access according to a formal definition of privacy

Privacy Definition: indistinguishability of the individual from the community

Method: measures epsilon-indistinguishability of a database query transcript

Differential Privacy, Cynthia Dwork, 33rd International Colloquium on Automata, Languages and Programming, ICALP 2006, Part II, pp. 1–12, 2006.

see also Sweeney's k-anonymity work

Questions upon the Success of Privacy Sensitive Data Analysis

A privacy-safe zone: Privacy sensitive data mining establishes a boundary, which, if respected, assures no privacy risk to the individual.

1. how do you know that data usage remains within the privacy-safe zone:
   • over time?
   • across an institution?
2. what legal rules outside the privacy-safe zone?

Another approach -- Consent and its limitations

Basic privacy notice & consent model. Can today's privacy model (EU or US) be sufficient going forward?

Key will be purpose limitation, but we have a dilemma...

• narrow purpose definition -> lots of choices = large time investment will yield privacy protection and low flexibility
• broad purpose limitation -> few choices = small time investment required but less control and less privacy protection

Dilemma: limited individual and regulatory capacity to control escalating data collection.

Privacy Re-Defined - Saltzer and Schroeder revisited

Information Accountability Through Policy Aware Systems

Information Accountability an as alternative to secrecy

• Rules and law should govern how information is used: "It is illegal to consider health status of applicant or her family in hiring decisions"
• Interactions with data are logged in order to provide possibility of machine-assisted human-driven accountability

A Sample Regulatory Paradigm for Semantic Web Data

United States Fair Credit Reporting Act

• Nearly unlimited information collection
• Unlimited analysis
• Strict usage limits
• Harsh penalties for mis-use
• Feedback loop to ensure accuracy

The Web Today

The Web with Information Accountability Mechanisms

Policy Aware Transaction Logs Policy Language Framework (AIR - Accountability In RDF) Policy Reasoning Tools (TMS-based forward-chaining with backward goal-direction)

Challenges

In order of complexity:

• Computer science research: policy discovery, reasoning, actions embedded in Web architecture
• Deployment: Will they come?
• Legal: Laws the reflect usage rules
• Social: Agreement on acceptable usage restrictions

Discussion and More Information

For more information see:

• Weitzner, Abelson, Berners-Lee, Feigenbaum, Hendler, Sussman, Information Accountability, MIT CSAIL Technical Report MIT-CSAIL-TR-2007 (13 June 2007)
• Hanson, Kagal, Sussman, Berners-Lee, Weitzner, "Data-Purpose Algebra: Modeling Data Usage Policies", IEEE Workshop on Policy for Distributed Systems and Networks 2007, June 2007 (POLICY 2007).
• Feigenbaum and Weitzner (eds.), "Report on the 2006 TAMI/Portia Workshop on Privacy and Accountability."
• Transparent, Accountable Datamining Initiative (TAMI): http://groups.csail.mit.edu/dig/TAMI
• Policy Aware Web project (PAW): http://www.policyawareweb.org/
• Weitzner, Abelson, Berners-Lee, Hanson, Hendler, Kagal, McGuinness, Sussman, Waterman, Transparent Accountable Data Mining: New Strategies for Privacy Protection,; MIT CSAIL Technical Report MIT-CSAIL-TR-2006-007 [DSpace handle] (27 January 2006).

Work described here is supported by the US National Science Foundation Cybertrust Program (05-518) and ITR Program (04-012).

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 2.5 License.