Privacy
Michael May
CIS551 – Computer and Network Security
Fall 2004
Credit
• Some material in this lecture comes from a presentation by Michael McDougall (2000)

Outline
• Introduction
• Classic Privacy
• Issues
• Solutions
  • P3P
  • DRM
  • PDRM
• Case Study: Location Based Services

Introduction
• Definitions
• Current issues
• Legislation

Definitions
• Anonymous
  • Having an unknown or unacknowledged name
  • Examples: cash transactions, voting
• Privacy
  • Being alone and undisturbed
  • Example: window shades
• Confidence
  • Firm trust, assured expectation
  • Something confided; a secret

Current Issues
• Identity theft
  • 9.91 million people affected
  • Average loss per victim: $500
  • http://www.ftc.gov/os/2003/09/synovatereport.pdf
• Patriot Act
• FISA
• Online associations

Legislation
• Gramm-Leach-Bliley
  • Financial services
• HIPAA
  • Medical
• Examples

Financial Privacy – Fidelity Investments
• Fidelity has always considered the protection of sensitive information to be a foundation of customer trust and a sound business practice. We employ extensive physical, electronic and procedural controls in keeping with industry standards and practices, and we regularly adapt these controls to respond to changing requirements and advances in technology.
• Within Fidelity and among our service providers, we restrict access to personal information to those who require it to provide products and services to you. We may share the personal information that we collect with the following entities:
  • Affiliates, including affiliated service providers (for example, our data processing company and printing operation)
  • Unaffiliated service providers (for example, fulfillment companies and securities clearinghouses)
  • Government agencies, other regulatory bodies and law enforcement officials (for example, for tax purposes or for reporting suspicious transactions)
  • Other organizations, with your consent or as directed by your representative (for example, if you use Fidelity as a financial reference in applying for credit with another institution)
  • Other organizations, as permitted by law (for example, for fraud prevention)
  • As described below, in circumstances that apply only to certain subsets of Fidelity customers

HIPAA
• Columbia University Hospital
  • http://www.hr.columbia.edu/hr/html/body_hipaa_privacy_policy.html
• Right to Request Restrictions.
  • You may request restrictions on certain uses and disclosures of your health information. You have the right to request a limit on the Health Plan's disclosure of your health information to someone involved in the payment of your care. However, the Health Plan is not required to agree to your request. If you wish to make a request for restrictions, please make your request in writing to the Privacy Officer (see contact information).

HIPAA continued
• Right to Receive Confidential Communications.
  • You have the right to request that the Health Plan communicate with you in a certain way if you feel the disclosure of your health information could endanger you. For example, you may ask that the Health Plan only communicate with you at a certain telephone number or by email. If you wish to receive confidential communications, please make your request in writing to the Privacy Officer (see contact information). The Health Plan will attempt to honor your reasonable requests for confidential communications.
• Right to Inspect and Copy Your Health Information.
  • You have the right to inspect and copy your health information. A request to inspect and copy records containing your health information must be made in writing to the Privacy Officer (see contact information). If you request a copy of your health information, the Health Plan may charge a reasonable fee for copying, assembling costs and postage, if applicable, associated with your request.

Goals in prevention
• Feeling watched
• Eeriness of knowledge
• Power

Classic Privacy Ideas
• Mixes
  • Send information through a stranger
• Crowds
  • Anonymous routing
• Digital cash
  • Signed by a bank and untraceable
• Privacy-preserving data mining
  • Due to R. Agrawal and R. Srikant, 2000
  • Example
• Anonymity
  • Anonymous mail servers
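The Agrawal and Srikant (2000) idea from the slide above, worked through as an added example (this is not code from the lecture or from the paper): each client perturbs its private value with uniform noise before sending it, so the server only ever sees `value + noise`, yet the server can still estimate the mean and, with the paper's Bayesian reconstruction iteration, the distribution of the original values. The ages, the noise range `ALPHA`, the bin edges and the random seeds are constructed for the demonstration, and the reconstruction evaluates the noise density at bin midpoints, which is a simplification of the paper's algorithm.

```python
import random

# Constructed sample: 2000 "ages" that each client holds privately.
_sample_rng = random.Random(7)
TRUE_AGES = [min(max(_sample_rng.gauss(40, 12), 0.0), 100.0) for _ in range(2000)]

ALPHA = 20.0                      # each client adds uniform noise in [-ALPHA, ALPHA] (constructed)
BINS = list(range(0, 101, 10))    # histogram bin edges 0, 10, ..., 100 over the original domain


def perturb(value, rng, alpha=ALPHA):
    """Client side: the server only ever receives value + noise."""
    return value + rng.uniform(-alpha, alpha)


def uniform_density(y, alpha=ALPHA):
    """Density of the noise distribution, which the server knows."""
    return 1.0 / (2 * alpha) if -alpha <= y <= alpha else 0.0


def histogram(values, bins=BINS):
    """Fraction of values in each bin; the top edge belongs to the last bin."""
    m = len(bins) - 1
    counts = [0] * m
    for v in values:
        for i in range(m):
            if bins[i] <= v < bins[i + 1] or (i == m - 1 and v == bins[-1]):
                counts[i] += 1
                break
    return [c / len(values) for c in counts]


def reconstruct(perturbed, alpha=ALPHA, bins=BINS, iterations=40):
    """Server side: Agrawal-Srikant Bayesian iteration. Starting from a uniform
    prior over the bins, repeatedly compute for every perturbed value w the
    posterior that its original value fell in each bin, then average those
    posteriors to obtain the next estimate of the original distribution."""
    m = len(bins) - 1
    mids = [(bins[i] + bins[i + 1]) / 2 for i in range(m)]  # density taken at midpoints (simplification)
    f = [1.0 / m] * m
    for _ in range(iterations):
        new, used = [0.0] * m, 0
        for w in perturbed:
            weights = [uniform_density(w - mids[j], alpha) * f[j] for j in range(m)]
            total = sum(weights)
            if total == 0.0:      # w lies too far outside the domain to attribute; skip it
                continue
            used += 1
            for j in range(m):
                new[j] += weights[j] / total
        f = [x / used for x in new]
    return f


def estimate_mean(perturbed):
    """The noise has zero mean, so the mean of the perturbed data estimates the true mean."""
    return sum(perturbed) / len(perturbed)


def l1_distance(p, q):
    return sum(abs(a - b) for a, b in zip(p, q))


def run_demo():
    rng = random.Random(11)
    perturbed = [perturb(a, rng) for a in TRUE_AGES]
    true_hist = histogram(TRUE_AGES)
    # Naive estimate: the histogram of the perturbed values themselves, clamped to the domain.
    naive_hist = histogram([min(max(w, 0.0), 100.0) for w in perturbed])
    recon_hist = reconstruct(perturbed)
    return {
        "true_mean": sum(TRUE_AGES) / len(TRUE_AGES),
        "estimated_mean": estimate_mean(perturbed),
        "naive_error": l1_distance(naive_hist, true_hist),
        "reconstructed_error": l1_distance(recon_hist, true_hist),
        "reconstructed_hist": recon_hist,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The privacy property is on the client side: any single perturbed value pins the true value down only to a 40-unit interval, while the aggregate (mean, histogram) is still recoverable on the server side. The noise range is the knob: a larger `ALPHA` hides individuals better and makes the reconstruction need more samples.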
P3P (W3C)
• Model
  • HTTP interactions
• Web-based privacy issues
• Example
  • http://friendsofbolivia.org.uk/w3c/policy.xml
• Issues
  • Adoption
  • Enforcement
  • Interpretation

P3P cont.
• Meant to hold off legislation
• Never strongly adopted by major companies
• Browsers didn’t do it – so people didn’t
• Cookie permissions
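The "cookie permissions" point is the one place P3P did get into browsers: a site sends a compact policy in a `P3P` response header and the browser decides on its own whether to keep a third-party cookie. The following is an added example (not code from the lecture, the W3C or any browser) of that decision. The token vocabulary (`CURa`, `TAIo`, `OUR`, `PHY`, and so on, with suffix `a`/`i`/`o` for always / opt-in / opt-out) is the P3P 1.0 compact policy vocabulary; the preference rule that decides accept or reject, the sample headers and the category sets `IDENTIFIABLE`, `SERVICE_PURPOSES` and `FIRST_PARTY` are constructed for the example and are not any browser's shipped rule.

```python
import re

# Token classes from the P3P 1.0 compact policy vocabulary.
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}

# The preference itself is constructed for this example.
IDENTIFIABLE = {"PHY", "ONL", "UNI", "PUR", "FIN", "GOV"}   # categories that identify a person
SERVICE_PURPOSES = {"CUR", "ADM", "DEV"}                     # needed just to run the service
FIRST_PARTY = {"OUR", "DEL", "SAM"}                          # data stays under the site's practices


def parse_compact_policy(header_value):
    """Split the CP="..." part of a P3P response header into (token, suffix) pairs."""
    m = re.search(r'CP="([^"]*)"', header_value)
    if m is None:
        return None
    return [(tok[:3].upper(), tok[3:].lower()) for tok in m.group(1).split()]


def cookie_decision(header_value, require_opt_in=False):
    """Accept or reject a third-party cookie from the compact policy alone.
    Returns (decision, reason). The rule: identifiable data may only be used for
    non-service purposes, or handed to outside recipients, where the user has a
    choice (opt-out by default, opt-in only when require_opt_in is set)."""
    tokens = parse_compact_policy(header_value or "")
    if tokens is None:
        return "reject", "no compact policy"
    bases = {b for b, _ in tokens}
    if "NOI" in bases or "NID" in bases:
        return "accept", "no identified data collected"
    if not bases & IDENTIFIABLE:
        return "accept", "no identifiable categories"
    allowed = {"i"} if require_opt_in else {"i", "o"}
    for base, suffix in tokens:
        if base in PURPOSES and base not in SERVICE_PURPOSES and suffix not in allowed:
            return "reject", f"purpose {base} without user choice"
        if base in RECIPIENTS and base not in FIRST_PARTY and suffix not in allowed:
            return "reject", f"recipient {base} without user choice"
    return "accept", "identifiable data used only with user choice"


# Constructed response header values, as a site would send them alongside Set-Cookie.
HEADERS = {
    "anonymous": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa OUR NOR"',
    "marketing": 'CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa CONa TELa OUR UNRa PUBa BUS PHY ONL UNI FIN"',
    "opt_out":   'CP="CAO DSP COR CURa TAIo OUR STP ONL"',
    "no_pii":    'CP="ALL DSP COR CURa TAIa OUR NOR NAV INT"',
}


if __name__ == "__main__":
    for name, header in HEADERS.items():
        print(name, cookie_decision(header))
```

The enforcement and interpretation issues from the previous slide show up directly: the decision trusts whatever the site declares, so a policy that misstates practice is accepted just the same, and two browsers with different built-in preferences reach different verdicts on the same header.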
Question:
• Ever share files?

Digital Rights Management
• Make the files enforce the rules
• Companies don’t trust the consumer
• Applies to
  • Music
  • Movies
  • E-books
  • Microsoft code

DRM cont.
• DMCA
  • Companies suing John Does for money
  • Recently began suing students
• Where does it come to privacy?
  • ISPs have records of who has what IP address
  • Can media companies demand those records to sue?

eXtensible rights Markup Language (XrML)
• ContentGuard, Inc.
• XML language for describing rights and rules
• Model
  • Provider signs a “Grant”
  • Grant embedded in media file
  • Trusted player/reader follows only the rules in the license

XrML
• Example
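The three-step model on the previous slide (provider signs a grant, the grant travels with the media file, a trusted player honours only what the grant says) as an added example; this is not code from the lecture or from ContentGuard. The grant borrows element names from XrML 2 (`grant`, `keyHolder`, `digitalResource`, `validityInterval`, `exerciseLimit`) but is a simplified, constructed document rather than a schema-valid XrML license, and an HMAC over the grant bytes stands in for the XML digital signature XrML uses, so the whole thing runs offline. The key, player identity, resource name and dates are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import date

# Constructed: the key the provider signs with and the player trusts (stand-in for XML-DSIG).
PROVIDER_KEY = b"constructed-provider-signing-key"

# Constructed grant in the shape of an XrML 2 grant: principal, right, resource, conditions.
GRANT = b"""<grant>
  <keyHolder>player-0001</keyHolder>
  <play/>
  <digitalResource>song-42.mp3</digitalResource>
  <validityInterval><notBefore>2004-09-01</notBefore><notAfter>2004-12-31</notAfter></validityInterval>
  <exerciseLimit><count>3</count></exerciseLimit>
</grant>"""


def sign_grant(grant_xml, key=PROVIDER_KEY):
    """Provider side: signature over the exact grant bytes embedded in the media file."""
    return hmac.new(key, grant_xml, hashlib.sha256).hexdigest()


SIGNATURE = sign_grant(GRANT)


class TrustedPlayer:
    """Honours only what a verified grant says; everything else is denied."""

    def __init__(self, identity="player-0001", key=PROVIDER_KEY):
        self.identity = identity
        self.key = key
        self.exercised = {}   # signature -> number of times that grant has been exercised

    def check(self, grant_xml, signature, right, resource, today):
        # 1. Integrity first: an edited grant (extra rights, later expiry) no longer verifies.
        if not hmac.compare_digest(sign_grant(grant_xml, self.key), signature):
            return False, "signature invalid"
        g = ET.fromstring(grant_xml)
        # 2. The grant must be issued to this player (the principal).
        if g.findtext("keyHolder") != self.identity:
            return False, "grant is for a different principal"
        # 3. The requested right must appear as a child element of the grant.
        if g.find(right) is None:
            return False, f"right {right} not granted"
        # 4. The grant must name the resource being used.
        if g.findtext("digitalResource") != resource:
            return False, "grant is for a different resource"
        # 5. Conditions: validity window and exercise count.
        vi = g.find("validityInterval")
        if vi is not None:
            not_before, not_after = vi.findtext("notBefore"), vi.findtext("notAfter")
            if not_before and today < date.fromisoformat(not_before):
                return False, "not yet valid"
            if not_after and today > date.fromisoformat(not_after):
                return False, "expired"
        limit = g.findtext("exerciseLimit/count")
        if limit is not None:
            used = self.exercised.get(signature, 0)
            if used >= int(limit):
                return False, "exercise limit reached"
            self.exercised[signature] = used + 1
        return True, "ok"


if __name__ == "__main__":
    player = TrustedPlayer()
    print(player.check(GRANT, SIGNATURE, "play", "song-42.mp3", date(2004, 10, 1)))
    edited = GRANT.replace(b"<play/>", b"<play/><print/>")
    print(player.check(edited, SIGNATURE, "print", "song-42.mp3", date(2004, 10, 1)))
```

The order of the checks is the security point: the signature is verified before any rule is read, so a grant edited after signing grants nothing at all. The exercise counter lives in the player, which is why the model needs the player to be trusted; a player that ignores the count is exactly the "companies don't trust the consumer" problem from the DRM slide.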
PDRM
• Turn DRM on its head
  • You license data to them
• Companies make money off data
  • Direct marketing
  • Media habits
• Who pays for it? The consumer
• Work with C. Gunter and S. Stubblebine, 2004

PDRM cont.
• Own your data
  • Assert control over its use
  • Gain benefit
• System that licenses use from the subject of the data
• Example
  • Tracking data movement
  • Transfer
  • Accuracy reduction
  • Permissions based on licenses

Location Based Services
• Cell phone tracks you
  • Where are you?
  • Directions
  • Nearby stores
• Technology already out there
• Manage the two-way flow of information
• How can the data be used?

LBS cont.
• Cases
  • EZ Pass transponder
    • Tracks when you pass through a toll booth and where
    • Can track even as you drive by
    • What can the data be used for?
  • RFID tags
    • Thousands can fit into a vial
    • Interrogation by anybody
    • Can anybody scan what’s in your pocket or in your apartment?

LBS cont.
• PDA Location Service
  • 802.11 wireless infrastructure
  • GeoLocation Service
  • GeoInformation Service
• License use of data
  • Sign a digital contract once
  • Afterwards all data collected is under that license
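The PDRM example items (tracking data movement, transfer, accuracy reduction, permissions based on licenses) applied to the location service on this slide, as an added example; this is not code from the lecture or from the Gunter and Stubblebine work. The subject signs one license up front, and every later location fix is released to a licensee only under that license's terms: the purpose must match, the coordinates are coarsened to the grid the subject allowed, and each release or refusal is logged so the subject can see where the data went. The license terms, the licensee names, the sample fix and the metres-per-degree constant are constructed; signature verification of the license is left out of this block, the license is simply taken as already granted.

```python
import math

# Constructed license, granted once by the data subject (the licensor in PDRM terms).
SUBJECT_LICENSE = {
    "subject": "user-17",
    "terms": {
        # licensee -> purpose the subject allowed, and the finest grid the licensee may receive
        "campus-directions": {"purpose": "directions",  "cell_m": 10},
        "nearby-stores":     {"purpose": "advertising", "cell_m": 500},
        "traffic-study":     {"purpose": "research",    "cell_m": 5000},
    },
}

METRES_PER_DEG_LAT = 111_320.0   # approximation, adequate for grid snapping


def reduce_accuracy(lat, lon, cell_m):
    """Accuracy reduction: snap a fix to the south-west corner of a cell_m-metre grid cell,
    so the licensee learns the cell but not the position inside it."""
    lat_step = cell_m / METRES_PER_DEG_LAT
    lon_step = cell_m / (METRES_PER_DEG_LAT * math.cos(math.radians(lat)))
    return (round(math.floor(lat / lat_step) * lat_step, 6),
            round(math.floor(lon / lon_step) * lon_step, 6))


class LicensedLocationService:
    """Releases a subject's fixes only as the subject's own license permits."""

    def __init__(self, license):
        self.license = license
        self.transfer_log = []    # tracking data movement: every release or refusal is recorded

    def release(self, licensee, purpose, lat, lon, when):
        """Return the fix the licensee may receive, or None if the license does not allow it."""
        term = self.license["terms"].get(licensee)
        if term is None:
            self.transfer_log.append((when, licensee, purpose, "denied: no license term"))
            return None
        if term["purpose"] != purpose:
            self.transfer_log.append((when, licensee, purpose, "denied: purpose not licensed"))
            return None
        reduced = reduce_accuracy(lat, lon, term["cell_m"])
        self.transfer_log.append((when, licensee, purpose, f"released at {term['cell_m']} m"))
        return reduced


# Constructed reading: a fix near the Penn campus, with a constructed timestamp.
SAMPLE_FIX = (39.952, -75.193, "2004-10-12T09:30:00")


if __name__ == "__main__":
    svc = LicensedLocationService(SUBJECT_LICENSE)
    lat, lon, when = SAMPLE_FIX
    print(svc.release("campus-directions", "directions", lat, lon, when))
    print(svc.release("traffic-study", "research", lat, lon, when))
    print(svc.release("nearby-stores", "directions", lat, lon, when))
    for entry in svc.transfer_log:
        print(entry)
```

The same fix goes out at three different resolutions depending on who is asking and why, and the log is the subject's audit trail rather than the collector's. Since the release decision lives in the collecting system, this inverts the DRM trust problem: here it is the company's software that has to be trusted to follow the subject's license.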
Summary
• The privacy issue is blurry but essential
• The breakdown of information secrecy is worrying, but can yield amazing results
• Government has begun enforcing some rules, but not all
• Personal privacy belongs to the upper echelon of tech users
  • Bring that down to Earth

References
• Gramm-Leach-Bliley
  • http://banking.senate.gov/conf/
• HIPAA
  • http://www.hhs.gov/ocr/hipaa/
• P3P
  • http://www.w3.org/P3P/