
PRIVACY AS & AND CONTEXTUAL INTEGRITY

Presentation Transcript


  1. PRIVACY AS & AND CONTEXTUAL INTEGRITY • Helen Nissenbaum • Presented by Neelima Krishnan

  2. PAPER 1 • Privacy As Contextual Integrity • In a nutshell • Definition of the core problem • Discussion of three scenarios • A three-principle framework • Defining Contextual Integrity

  3. What does the paper define? • The core problem: public surveillance – what it means and how it affects people. – A brief introduction.

  4. Defining Public Surveillance • Monitoring of individuals in public through a variety of media (audio, video, online data) • Where is the data stored? 1. stand-alone systems 2. massive databases of government and other institutions 3. distributed networks of computers/devices

  5. CONS: • Hepting v. AT&T is a United States class action lawsuit filed in January 2006 by the Electronic Frontier Foundation (EFF) against AT&T • Details of the case: • AT&T permitted the NSA to unlawfully monitor communications in the USA. • This included: • AT&T customers, • businesses, • third parties whose communications were routed through AT&T’s network, • and also Voice over IP calls made over the internet.

  6. 1/3 scenarios • Case 1: Public Records Online • Initiatives to place public records online: a. arrest records b. driving records c. birth and death records d. marriage records e. public school information f. property ownership g. community planning records h. court records

  7. Are these worries rational? Is there genuine cause for resistance?

  8. 2/3 scenarios • Case 2: Consumer Profiling and Data Mining • All commercial activities leave a digital trail that is stored away in large databases somewhere. • Used by companies to mine for “gold”! • Often the information in question is not confidential or sensitive in nature. • Why do people react with indignation? • Quoted example: Lotus Marketplace – where your privacy is someone else’s business.

  9. Case 3: Radio Frequency Identification (RFID) Tags • Focuses attention on enhanced modes of gathering or capturing information, as in automated road toll systems like EZ Pass, video surveillance and face recognition systems, web browser cookies, biometrics and thermal imaging.

  10. Solution Proposed: Principle 1/3 • Principle 1: Protecting Privacy of Individuals Against Intrusive Government Agents

  11. What can protect us: • The Fourth Amendment – "[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

  12. Just in case you are interested: • http://groups.csail.mit.edu/mac/classes/6.805/student-papers/fall07-papers/social-networks.pdf

  13. Principle 2/3 • Principle 2: Restricting Access to Intimate, Sensitive, or Confidential Information • Giving privileges to data: 1. Non-Classified • Public Information • Personal Information • Routine Business Information • Private • Confidential Business Information 2. Classified • Confidential • Secret • Top Secret

  14. Principle 3/3 • Principle 3: Curtailing Intrusions into Spaces or Spheres Deemed Private or Personal – “a man’s home is his castle”. • The Bill of Rights of the U.S. Constitution expresses a commitment to a protected private zone in the Third and Fourth Amendments, defining explicit limits on government access to a home: • quartering soldiers in the Third, • security against search and seizure in the Fourth.

  15. Quoted Case: • California v. Greenwood • Highlights: • Inspector Jenny Stracner suspects Greenwood of selling drugs. • Stracner asked the neighborhood's regular trash collector to pick up the plastic garbage bags that Greenwood left on the curb in front of his house. • In the garbage, she found evidence of drug use • and used that information to obtain a warrant to search Greenwood's home. • The California Superior Court dismissed the case on the ground that warrantless trash searches violated the U.S. Constitution's Fourth Amendment, as well as the California Constitution. • The US Supreme Court granted certiorari and reversed the judgment of the California Court of Appeal.

  16. Court’s Ruling: “[a]ccordingly, having deposited their garbage in an area particularly suited for public inspection and, in a manner of speaking, public consumption, for the express purpose of having strangers take it, respondents could have had no reasonable expectation of privacy in the inculpatory items that they discarded.”

  17. Applying the Three Principles – Some Gray Areas • The PATRIOT Act • Carnivore • Analyzing the three cases – is it possible to draw lines?

  18. 1. Applying Principle 2: Drawing lines in the case of intimate and sensitive information is also difficult and can be controversial. a. Designate credit headers as personal or not? b. Case 1: should public records be available online? 2. Applying Principle 3: what counts as a private space is open to interpretation. • Olmstead v. United States, 1928 • Katz v. United States, 1967 • Kyllo v. United States, 2001 • Employee online activities in office space (pre- and post-9/11)

  19. The Three Principles and Public Surveillance • Public surveillance: • Does having all records online mean government intrusion – or that it is always wrong? • Does having RFID tags mean you are always tagged? • Does online profiling mean you are always watched?

  20. Defining Contextual Integrity • Two features of the three-principle framework help us define CI: – a universal account of what does and does not warrant restrictive, privacy-motivated measures; – it expresses a right to privacy in terms of dichotomies. • A norm is a set of rules that help us decide whether a message can be transferred from one party to another. This depends on the source, the destination and the appropriateness of the content. – Personal information revealed in a particular context is always tagged with that context. – These norms are relative, or non-universal.

  21. How does it work? • Norms of appropriateness: • dictate what information about persons is appropriate, or fitting, to reveal in a particular context. – e.g. a patient can share information about his or her physical condition with the physician, but not vice versa.

  22. “In every case, I quoted, the sort of relationship that people have to one another involves a conception of how it is appropriate for them to behave with each other, and what is more, a conception of the kind and degree of knowledge concerning one another which it is appropriate for them to have.”

  23. Norms of distribution (flow): • These govern the flow or distribution of information – the movement, or transfer, of information from one party to another or to others. • Example scenarios: • between friends • between a physician and a patient

  24. Applying Contextual Integrity to the Three Cases • Case 1: Having records online – example of new neighbors moving into a family neighborhood. • Case 2: Digital footprint – example of Amazon.com. • Case 3: RFID tags – example of customers and a sales assistant.

  25. Privacy And Contextual Integrity • Adam Barth, Anupam Datta, John C. Mitchell, Helen Nissenbaum • Stanford University • Presented by Neelima Krishnan, Virginia Tech

  26. Introduction • This paper presents a formal framework for expressing privacy expectations and privacy practices, inspired by contextual integrity. • Let’s say: “Alice gives Bob a certain piece of information about Charles.” • Now, the impact on privacy varies based on the context, the roles involved, and the type of information transmitted.

  27. Intro – continued • Two kinds of norms: • Positive (“allow”) • Negative (“deny”) • A positive norm permits communication *if* its temporal condition is satisfied, whereas a negative norm permits communication *only if* its temporal condition is satisfied. • Norms are based only on the type of information communicated. • Information is assumed to describe an individual rather than a group of individuals.

  28. Defining Contextual Integrity • A philosophical account of privacy in terms of the transfer of personal information. • Who is involved? • the one from whom the information flows, • the one to whom the information flows, • and the one – the information subject – about whom the information is.

  29. The model and the formal language CI • In this model, the norms of transmission are expressed using Linear Temporal Logic (LTL). • We have agents, attributes, and messages. • Associated with each agent is a collection of the attributes that agent knows. • Let P be a set of agents, and let be a set of attributes. • For example: Alice and Bob are agents, and “postal address” and “height” are attributes. • If (p, q, t) is in the knowledge set, we say agent p knows the value of attribute t of agent q, e.g. Alice knows Bob’s height. • (The paper omits group attributes, like average height.)

  30. Data model • To structure attributes, we include computation rules. – A computation rule is a pair (T, t), where T and t – That is, if agent p knows every attribute in T about agent q, then agent p learns attribute t about agent q. – Let be a set of computation rules. – The relation is the transitive closure of

  31. An agent can send a message to another agent provided the sending agent knows all the attributes communicated by the message. • Messages m are drawn from a set M. • Content(m) = P x which is closed under computation rules. • The act of sending a message is a communication action, represented by a triple (p1, p2, m).

  32. Roles, Contexts, and Traces • Let R be a set of roles and C be a partition of R. We refer to elements c C as contexts and the roles r c as the roles of context c. For example, “teller” is a role in a banking context and “doctor” is a role in a health care context. • The roles are structured by a partial order R. If r1 R r2, then r1 is a specialization of role r2 and, symmetrically, r2 is a generalization of r1. • Agents can be active in multiple roles simultaneously. For example, Alice can be at once a doctor in a health care context and a customer in a banking context.

  33. Temporal Logic • If Alice tells Bob her age under the principle of confidentiality, then, in the future, Bob must not disclose Alice’s age.

  34. Norms of Transmission • are expressed as temporal formulas. • Each norm is either positive or negative. • Positive norm: communication can occur if the temporal condition is satisfied. Doctor Alice can send patient Charlie’s test results to researcher Bob if Bob keeps the records in confidence. • Negative norm: communication can occur only if the temporal condition is satisfied. Doctor Alice can send patient Charlie’s test results to researcher Bob only if Bob keeps the records in confidence.

  35. In order to satisfy the norms, a communication must be allowed by at least one of the positive norms and it must respect all of the negative norms. In the above formula, each individual norm applies to a downwardly closed set of attributes. Suppose Sheiyi wants to send a message to Tom: if the rule says “allow disclosure of postal address”, then the formula lets her send the postal code too. If the rule forbids the postal code from being sent, then the whole disclosure of the postal address is forbidden.
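The data model of slides 29–31 (knowledge sets, computation rules and their transitive closure) and the downward-closure rule of slide 35, as an added example written for this page rather than taken from the paper; the attribute names, computation rules and agents are constructed for illustration.

```python
# Constructed example, not the paper's code: the CI data model of knowledge
# sets and computation rules, and the downward closure behind slide 35.
# Attribute names and rules below are made up for illustration.

# Computation rules (T, t): knowing every attribute in T lets an agent compute t.
RULES = [
    ({"postal_address"}, "postal_code"),
    ({"postal_address"}, "city"),
    ({"postal_code"}, "region"),
]

def closure(attrs):
    """Every attribute derivable from `attrs`: the transitive closure of RULES."""
    known = set(attrs)
    changed = True
    while changed:
        changed = False
        for T, t in RULES:
            if T <= known and t not in known:
                known.add(t)
                changed = True
    return known

def derives(t1, t2):
    """True when t2 can be computed from t1 alone (t2 sits 'below' t1)."""
    return t2 in closure({t1})

# Knowledge set: triples (p, q, t), "agent p knows attribute t of agent q".
KNOWLEDGE = {("alice", "bob", "postal_address"), ("alice", "bob", "height")}

def knows(p, q, t):
    """p knows t about q if t is in the closure of what p directly knows about q."""
    direct = {a for (pp, qq, a) in KNOWLEDGE if pp == p and qq == q}
    return t in closure(direct)

def can_send(sender, message):
    """Slide 31: a message {(subject, attr), ...} may be sent only if the sender
    knows every attribute it contains."""
    return all(knows(sender, q, t) for q, t in message)

def allow_covers(allowed, message):
    """'Allow disclosure of S' covers the downward closure of S: allowing
    postal_address also allows postal_code (slide 35)."""
    return all(t in closure(allowed) for _, t in message)

def deny_blocks(forbidden, message):
    """'Forbid disclosure of S' blocks any attribute from which some member of S
    can be computed: forbidding postal_code forbids postal_address too."""
    return any(closure({t}) & set(forbidden) for _, t in message)
```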

  36. Properties and relations between policies • A privacy policy regulates what flows of information are permitted between agents in various roles. • A policy is a conjunction of contexts, requiring the norms of each context to be respected. • Example? • Defining: consistency, entailment, compliance.

  37. Consistency: A policy is consistent if it is possible for communicating agents to respect the policy. • Entailment: Another metric for evaluating a privacy policy is to compare it against another policy. For example, a hospital’s privacy policy should not allow information flows prohibited by HIPAA. • Compliance: Given the sequence of past communications, does the policy permit a contemplated communication and, if so, what future requirements are incurred?

  38. HIPAA Rules: • Health Insurance Portability and Accountability Act (1996) • The rule regulates the transmission of “protected health information” (PHI) by covered entities. • It forbids the disclosure of health information except to individuals or organizations acting in certain roles.

  39. What do the formulas represent? • Norm 2: allows Dr. Alice to show Bob an x-ray of his broken leg. It does not, however, allow Dr. Alice to show Bob’s x-ray to Charlie. Nor does it allow x-ray technician Debbie to give the x-ray to Dr. Alice. • Norm 3: Dr. Alice is not only a covered entity but, more specifically, a health care provider, someone directly involved in the care of a patient. Here, Debbie plays the role of covered entity and is permitted to give Bob’s x-ray to Dr. Alice (Bob plays the role of patient).

  40. Norm 4: A negative norm • Suppose Dr. Alice is a psychiatrist and Debbie is a nurse practitioner. Debbie cannot disclose the contents of the psychotherapy notes to the subject of the notes without the prior approval of a psychiatrist (Dr. Alice). • Note: the interplay between the positive and negative norms is subtle. • One positive norm (2) permits the disclosure of psychotherapy notes, but a negative norm (4) prevents it (unless approval is obtained).

  41. Norm 5: A positive norm: allows a covered entity to “disclose the individual’s [general] condition and location within the facility to anyone asking for the individual by name”. • Norm 6: A positive norm: allows members of the clergy to obtain information about a patient from the “directory information”. • Directory information is an attribute that contains (formally, can be used to compute) the individual’s name, general condition, religious affiliation, and location within the facility. • What the clergy does with this information is beyond the scope of the HIPAA rules.

  42. Children’s Online Privacy Protection Act (COPPA) • Protects the personal information children communicate to web sites. • It contains two negative norms that restrict otherwise permissible flows of information. • Temporal conditions play a central role in COPPA. • What are these temporal conditions? • Parental consent • Restricted access

  43. Norm 7: requires web site operators to obtain parental consent before collecting protected information from children. • Notice that the strong form of “since” is required here to ensure that the parent actually granted consent. • Norm 8: implies that web site operators have to provide two things: • a privacy notice describing their information practices • the specific information they have collected from the child. • COPPA also requires the operator to delete protected information in its possession upon receiving a revocation of consent.
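The compliance question of slides 34–37 (allowed by at least one positive norm, respecting every negative norm, judged against the past trace) combined with the strong “since” of COPPA norm 7 on slide 43, as an added example written for this page; it is not the paper’s code, it replaces LTL formulas with Python predicates over the trace, and the operator, child and parent agents are constructed.

```python
# Constructed example, not the paper's code: a trace-based compliance check in the
# spirit of the CI framework; norms are predicates over the past trace, not LTL.
from collections import namedtuple

Action = namedtuple("Action", "sender recipient subject attr")  # (p1, p2, m)
ROLE = {"kidsite": "operator", "timmy": "child", "mom": "parent"}  # made-up agents
CONSENT_MSGS = ("consent", "revoke_consent")

def consent_since(history, child):
    """Strong 'since' (slide 43): a parent granted consent for `child`, and no
    revocation from a parent has occurred at any later point in the history."""
    granted = False
    for a in history:
        if ROLE.get(a.sender) == "parent" and a.subject == child:
            if a.attr == "consent":
                granted = True
            elif a.attr == "revoke_consent":
                granted = False
    return granted

# Positive ("allow") norm: sending information to an operator is otherwise permitted.
def pos_to_operator(history, act):
    return ROLE.get(act.recipient) == "operator"

# Negative ("deny") norm in the spirit of COPPA norm 7: collect from a child only while consent holds.
def neg_coppa_consent(history, act):
    if ROLE.get(act.recipient) == "operator" and ROLE.get(act.subject) == "child":
        return act.attr in CONSENT_MSGS or consent_since(history, act.subject)
    return True  # the norm does not apply to this action, so it is respected

POSITIVE, NEGATIVE = [pos_to_operator], [neg_coppa_consent]

def compliant(history, act):
    """Allowed by at least one positive norm and respects every negative norm."""
    return any(n(history, act) for n in POSITIVE) and all(n(history, act) for n in NEGATIVE)

def check_trace(trace):
    """Verdict for each action, judged against only the communications before it."""
    verdicts, history = [], []
    for act in trace:
        verdicts.append(compliant(history, act))
        history.append(act)
    return verdicts
SAMPLE_TRACE = [  # constructed trace: collect, consent, collect, revoke, collect
    Action("timmy", "kidsite", "timmy", "email"),
    Action("mom", "kidsite", "timmy", "consent"),
    Action("timmy", "kidsite", "timmy", "email"),
    Action("mom", "kidsite", "timmy", "revoke_consent"),
    Action("timmy", "kidsite", "timmy", "email"),
]  # check_trace(SAMPLE_TRACE) -> [False, True, True, True, False]
```

The future obligations that slide 37 mentions (for instance the confidentiality duty of slide 33) are not modelled here; they would be tracked as pending conditions that later actions must satisfy.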

  44. Gramm–Leach–Bliley Act (GLBA) • Broadly, GLBA requires financial institutions to inform their customers of their privacy practices and to allow customers to “opt out” of certain kinds of information disclosures. • Financial institutions are required to send their customers privacy notices every year for as long as the customer relationship lasts. • There are two roles: • customer role • consumer role • And there are non-affiliated companies with whom customers’ and consumers’ non-public personal information can or cannot be shared. • Example?

  45. The negative norm (9) requires institutions to periodically send privacy notices. • Norm 10: makes essential use of the three different roles (sender, recipient, and subject), as well as both past and future modalities in its temporal condition. • Norm 11: expresses the provision for consumers, and GLBA also contains an analogous non-affiliate opt-out norm for customers. That is, consumers and customers also have the option of opting out of the sharing of credit reports and application information. • Norm 12: expresses this provision, and GLBA contains a similar norm for application information.
