
563.10 Privacy Risk Analysis


Presentation Transcript


  1. 563.10 Privacy Risk Analysis Jodie P. Boyer, Carl A. Gunter, Karrie G. Karahalios

  2. Agenda • Motivating Example • Risk Analysis • Privacy Graphs • Case Studies • Empirical Evaluation • Revisiting the Case Studies

  3. What is Privacy? • “The right to be let alone” • Confidentiality • Anonymity • Access Control • Privacy risks go beyond these things! • How people feel about privacy affects whether they will use software or not • Real or perceived privacy breaches can cost a company

  4. Motivating Example • 3 kitchens at MSR were connected by video to promote social interaction • What would you think about this? • The researchers received many complaints concerning the privacy implications of the system. Could we have predicted this reaction? Jancke et al., CHI 01

  5. Risk Analysis • A set of mechanisms that allow developers to reason about the risks of adding a new system • There are well-known mechanisms for understanding security risks • Mechanisms for evaluating privacy risks are expensive

  6. Privacy Graphs • Similar to access control matrices • Models relationships among principals and data • Specifically focuses on principal-to-data and principal-to-principal relationships

  7. Privacy Graphs “Nodes” Relationships

  8. Privacy Graphs • Access Magnitude • A measure of how many principals have access to one principal's information • N is the access magnitude with respect to A if N principals have access to at least one data item that is about A. • Accumulation Magnitude • A measure of how much data a principal has about another • N is the accumulation magnitude if N is the largest number of data items about a principal that a single principal can access.

  9. Example

  10. Privacy Graph Methodology • Determine who your principals are • Determine what your data items are and what their “unit” is • Draw the about relationships • Draw and annotate the “relate” relationship • Draw the access relationships • Annotate the access relationships with use

  11. Privacy Graphs for Comparative Study • Privacy graphs are good for comparative study • Draw the system before and after the addition of a new application or feature • Look at changes in: • Access Magnitude • Accumulation Magnitude • Relationships
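The magnitudes defined on slide 8 and the before/after comparison of slide 11 are easy to make concrete in code. The following is an added example, not code from the slides or the authors: it models a privacy graph as principals, data items with an "about" relation, and access edges annotated with use, then computes access magnitude and accumulation magnitude for one subject and diffs two graphs. The kitchen scenario, the principal names, the `joe_presence` and `joe_video` data items, and the choice to exclude the subject from their own counts are all constructed assumptions for illustration.

```python
from collections import defaultdict


class PrivacyGraph:
    """Privacy graph: principals, data items that are 'about' a principal,
    and access edges annotated with the use the accessor makes of the item."""

    def __init__(self):
        self.principals = set()
        self.about = {}                  # data item -> principal the item is about
        self.access = defaultdict(dict)  # accessor -> {data item: use}

    def add_data(self, item, subject):
        self.principals.add(subject)
        self.about[item] = subject

    def add_access(self, accessor, item, use):
        if item not in self.about:
            raise KeyError(f"unknown data item {item!r}")
        self.principals.add(accessor)
        self.access[accessor][item] = use

    def items_about(self, accessor, subject):
        """Data items about `subject` that `accessor` can reach."""
        return [i for i in self.access.get(accessor, {}) if self.about[i] == subject]

    def access_magnitude(self, subject):
        # Number of other principals with access to at least one item about subject
        # (assumption: the subject is not counted as an accessor of their own data).
        return sum(1 for p in self.principals
                   if p != subject and self.items_about(p, subject))

    def accumulation_magnitude(self, subject):
        # Largest number of items about subject that any single other principal can access.
        return max((len(self.items_about(p, subject))
                    for p in self.principals if p != subject), default=0)

    def uses(self, subject):
        return {use for p in self.principals if p != subject
                for item, use in self.access.get(p, {}).items()
                if self.about[item] == subject}


def compare(before, after, subject):
    """Deltas a comparative study looks at: magnitudes, relationships, uses."""
    def accessors(g):
        return {p for p in g.principals if p != subject and g.items_about(p, subject)}
    return {
        "access_magnitude": (before.access_magnitude(subject), after.access_magnitude(subject)),
        "accumulation_magnitude": (before.accumulation_magnitude(subject),
                                   after.accumulation_magnitude(subject)),
        "new_accessors": len(accessors(after) - accessors(before)),
        "new_uses": sorted(after.uses(subject) - before.uses(subject)),
    }


def build_kitchens(linked):
    """Constructed model of one user (Joe) in a kitchen of 50 people.
    Assumption: linking the kitchens adds a live video item of Joe that
    everyone in all three kitchens can see, for the same social use."""
    g = PrivacyGraph()
    g.add_data("joe_presence", "joe")  # being physically seen in his own kitchen
    local = [f"kitchenA_{i}" for i in range(49)]
    for p in local:
        g.add_access(p, "joe_presence", "social interaction")
    if linked:
        g.add_data("joe_video", "joe")
        remote = [f"kitchenB_{i}" for i in range(50)] + [f"kitchenC_{i}" for i in range(50)]
        for p in local + remote:
            g.add_access(p, "joe_video", "social interaction")
    return g


if __name__ == "__main__":
    print(compare(build_kitchens(False), build_kitchens(True), "joe"))
```

Under these assumptions, linking the kitchens triples Joe's access magnitude (49 to 149 other principals) and raises the accumulation magnitude from 1 to 2, while the use stays the same; the comparison isolates which of the three kinds of change (magnitude, relationships, use) a new feature introduces, which is what the survey results later on the slides are keyed to.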

  12. Back to Virtual Kitchens • First let's draw the graph before the virtual kitchens • Focus on a specific user (Joe) • According to the paper, 50 people used each kitchen

  13. Step 1

  14. Step 2

  15. Step 3

  16. Step 4

  17. Step 5

  18. Step 6

  19. Comparing the Two Graphs

  20. Case Study 1: Facebook • Sept. 2006, Facebook introduced a news feed. • Allowed users to see changes to their friends' profiles in a quick and accessible format • Users were very upset about this • Students against Facebook News Feed (Official Petition to Facebook) has 720,915 members

  21. Case Study 1: Facebook

  22. Case Study 1: Facebook

  23. Case Study 2: Building Automation Systems • Consider a smart building • University IDs are used to access rooms in the building • Administrators decide to allow building users access to the door swipes of others in their “class” Boyer, Tan, Gunter 05

  24. Case Study 2: Building Automation Systems

  25. Case Study 2: Building Automation Systems

  26. What do Privacy Graphs Tell Us? • How much more concerned are people with the increase in access magnitude? • How does the new use of the same information affect privacy attitudes? • What is the effect of allowing a supervisor access to information? • How does changing the structure of a privacy graph affect privacy attitudes?

  27. Empirical Foundations • We performed 2 studies to: • Validate the applicability of privacy graphs • Provide empirical evidence to reason about privacy • Participants were presented with different scenarios and asked how they felt about them • Scenarios corresponded to different privacy graphs

  28. Empirical Foundations • How comfortable would you be with your supervisor using 5-10 minutes worth of video of you from cameras in your home to determine your location? • Would you be comfortable with a government agency using a complete historical library of footage from ATM cameras to look for terrorists? • How comfortable would you be if a family member used a single image of you from the workplace cameras to monitor your productivity level?

  29. Video Camera Survey • One survey concerned privacy concerns with respect to surveillance cameras • Survey had 3 parts: Demographics, Scenarios, and General Privacy Statements • Scenarios involved cameras in football stadiums, ATMs, workplaces, and homes

  30. Relationships Between Principals

  31. Detail of Data

  32. Purpose

  33. General Applicability • Performed a second survey to assess the general applicability of the video camera results • Scenarios concerned financial records, medical records, web searches as well as video cameras • Concerned use, access magnitude and accumulation magnitude

  34. Results: General Applicability

  35. Using the Surveys to Evaluate Risk • Create an analogy to the video camera scenarios • Map changes in the information involved to scenes, historical libraries, etc. • Think about the expected use as Incident Investigation

  36. Case Study 1: Facebook • Accumulation Magnitude • Users logged onto Facebook about 20 minutes a day • Short Scene to Historical Library – 7% change • Use change • Facebook used as a communication medium • Users concerned about what the news feed was for • Incident Investigation to Location Detection – 21% change Ellison, Steinfield, Lampe 06

  37. Case Study 2: Building Automation Systems • New Principals • Government Agencies to Co-Workers – 11% change • Use change • Incident Investigation to Location Detection – 21% change • What about supervisors? • Results suggested that this would be no more concerning than allowing co-workers • Comparing with Facebook suggests that users may be uncomfortable with the BAS location system

  38. Related Work • Survey instruments (Smith et al. 1996) • Guidelines (Hong et al. 2004) • Regulatory compliance (Canadian Privacy Impact Guidelines, EU Privacy Directives) • Formal Models for Regulatory Compliance (May, Gunter, Lee 2006, …) • Economics (Cvrcek et al. 2006, Danezis et al. 2005) • User Studies (Olson, Grudin, Horvitz 2006, Friedman et al. 2006, etc.)

  39. Conclusions • What remains is to understand what to do if there is a significant change in privacy attitudes • Privacy graphs are a tool like flow charts, Venn diagrams, etc. • They provide a framework in which to reason about privacy risks

  40. References • Hong, J.I., Ng, J.D., Lederer, S., Landay, J.A.: Privacy risk models for designing privacy-sensitive ubiquitous computing systems. In: DIS '04: Proceedings of the 2004 conference on Designing interactive systems, New York, NY, USA, ACM Press (2004) 91-100 • Jancke, G., Venolia, G.D., Grudin, J., Cadiz, J., Gupta, A.: Linking public spaces: Technical and social issues. In: ACM CHI, Seattle, WA (April 2001) • Werren, J., Vara, V.: New Facebook features have members in an uproar. Wall Street Journal (September 7 2006) • Zuckerberg, M.: Calm down. Breathe. We hear you. The Facebook Blog (September 2006) • Ellison, N., Steinfield, C., Lampe, C.: Spatially bounded online social networks and social capital: The role of Facebook. In: Annual Conference of the International Communication Association. (2006) • Olson, J.S., Grudin, J., Horvitz, E.: A study of preferences for sharing and privacy. In: ACM CHI, Portland, Oregon (April 2005) • Boyer, J.P., Tan, K., Gunter, C.A.: Privacy sensitive location information systems in smart buildings. In: Security in Pervasive Computing. (2006) • Smith, H.J., Milberg, S.J., Burke, S.J.: Information privacy: Measuring individuals' concerns about organizational practices. MIS Quarterly 20(3) (June 1996) 167-196 • Treasury Board of Canada Secretariat: Privacy impact assessment guidelines: A framework to manage privacy risks (August 2002) • The European Parliament and the Council of the European Union: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. (1995) • Barth, A., Datta, A., Mitchell, J.C., Nissenbaum, H.: Privacy and contextual integrity: Framework and applications. In: Proceedings of the IEEE Symposium on Security and Privacy, IEEE (May 2006)

  41. References Continued • May, M.J., Gunter, C.A., Lee, I.: Privacy APIs: Access control techniques to analyze and verify legal privacy rules. In: IEEE Computer Security Foundations Workshop (CSFW '06), Venice, Italy (July 2006) • He, Q., Otto, P., Anton, A.I., Jones, L.: Ensuring compliance between policies, requirements and software design: A case study. In: IEEE International Workshop on Information Assurance (IWIA'06). (2006) • Cvrcek, D., Kumpost, M., Matyas, V., Danezis, G.: A study on the value of location privacy. In: WPES '06: Proceedings of the 5th ACM workshop on Privacy in electronic society, New York, NY, USA, ACM Press (2006) 109-118 • Danezis, G., Lewis, S., Anderson, R.: How much is location privacy worth? In: Fourth Workshop on the Economics of Information Security. (2005) • Friedman, B., Kahn, P.H., Jr., Hagman, J., Severson, R.L., Gill, B.: The watcher and the watched: Social judgments about privacy in a public place. Human-Computer Interaction 21(2) (2006) 233-274 • Consolvo, S., Smith, I.E., Matthews, T., LaMarca, A., Tabert, J., Powledge, P.: Location disclosure to social relations: Why, when & what people want to share. In: ACM CHI, Portland, Oregon (April 2005) 81-90 • Hawkey, K., Inkpen, K.M.: Keeping up appearances: Understanding the dimensions of incidental information privacy. In: ACM CHI, Montreal, Quebec, Canada (April 2006) • Spiekermann, S., Grossklags, J., Berendt, B.: E-privacy in 2nd generation e-commerce: Privacy preferences versus actual behavior. In: ACM Electronic Commerce, Tampa, Florida (October 2001) 38-47 • P&AB: Consumer privacy attitudes: A major shift since 2000 and why. Privacy and American Business Newsletter 10(6) (September 2003) 1, 3-5
