Sensitive Information in aWired WorldSupported by the National Science Foundation under the ITR ProgramJOAN FEIGENBAUMhttp://www.cs.yale.edu/homes/jfPORTIA: Privacy, Obligations, and Rights in Technologies of Information AssessmentLarge-ITR project described in NSF proposal as a “five-year, multi-institutional, multi-disciplinary, multi-modal research project on end-to-end handling of sensitive information in a wired world”Ubiquity of Computers and Networks Heightens the Need to Distinguish• Private information- Only the data subject has a right to it.• Public information- Everyone has a right to it.• Sensitive information- “Legitimate users” have a right to it.- It can harm data subjects, data owners, or data users if it is misused.Examples of Sensitive Information• Copyright works• Certain financial information– Graham-Leach-Bliley uses the term “nonpublic personal information.”• Health InformationQuestion: Should some information now in “public records” be reclassified as “sensitive”?State of Technology+ We have the ability (if not always the will) to prevent improper access to private information. Encryption is very helpful here.- We have little or no ability to prevent improper use of sensitive information. Encryption is less helpful here.PORTIA Goals• Produce a next generation of technology for handling sensitive information that is qualitatively better than the current generation’s.• Enable end-to-end handling of sensitive information over the course of its lifetime.• Formulate an effective conceptual framework for policy making and philosophical inquiry into the rights and responsibilities of data subjects, data owners, and data users.Academic–CS ParticipantsStanfordDan BonehHector Garcia-MolinaJohn MitchellRajeev MotwaniYaleJoan FeigenbaumRavi KannanAvi SilberschatzUniv. of NM Stevens NYUStephanie Forrest Rebecca Wright Helen Nissenbaum(“computational immunology”) (“value-sensitive design”)Multidisciplinarity on SteroidsJ. Balkin (Yale Law School)G. Crabb (Secret Service)C. Dwork (Microsoft)S. Hawala (Census Bureau)B. LaMacchia (Microsoft)K. McCurley (IBM)P. Miller (Yale Medical School)J. Morris (CDT)B. Pinkas (Hewlett Packard)M. Rotenberg (EPIC)A. Schäffer (NIH)D. Schutzer (CitiGroup)Note participation by the software industry, key user communities, advocacy organizations, and non-CS academics.Five Major Research Themes• Privacy-preserving data mining and privacy-preserving surveillance• Sensitive data in P2P systems• Policy-enforcement tools for db systems• Identity theft and identity privacy• Contextual integrityPrivacy-preserving Data Mining• Is this an oxymoron?• No! Cryptographic theory is extraordinarily powerful, almost paradoxically so.• Computing exactly one relevant fact about a distributed data set while concealing everything else is exactly what cryptographic theory enables in principle. But not (yet!) in practice.Secure, MultipartyFunction Evaluation. . .x1x2x3xn-1xny = F (x1, …, xn)• Each i learns y.• No i can learn anything about xj(except what he can infer from xiand y ).• Very general positive results. Not very efficient.PPDM Work by PORTIA-related Researchers• Lindell and Pinkas: Efficient 2-party protocol for ID3 data mining on x1∪ x2.• Aggarwal, Mishra, and Pinkas: Efficient n-party protocol for order statistics of x1∪…∪ xn.• Freedman, Nissim, and Pinkas: Efficient 2-party protocol for x1∩ x2.Some Areas in which Law and Technology Affect Each Other• Internet access to “public records”• Identification technology• Unsolicited email and phone calls• Digital copyright and DRM“Public Records” in the Internet AgeDepending on State and Federal law, “public records” can include:• Birth, death, marriage, and divorce records• Court documents and arrest warrants (including those of people who were acquitted)• Property ownership and tax-compliance records• Driver’s license information• Occupational certificationThey are, by definition, “open to inspection by any person.”How “Public” are They?Traditionally: Many public records were “practically obscure.”• Stored at the local level on hard-to-search media, e.g., paper, microfiche, or offline computer disks.• Not often accurately and usefully indexed.Now: More and more public records, especially Federal records, are being put on public web pages in standard, searchable formats.What are “Public Records” Used For?In addition to straightforward, known uses (such as credential checks by employers and title searches by home buyers), they’re used for:•Commercial profiling and marketing•Dossier compilation•Identity theft and “pretexting”•Private investigation•Law enforcementQuestions about Public Records in the Internet Age• Will “reinventing oneself” and “social forgiveness” be things of the past?• Should some Internet-accessible public records be only conditionally accessible?• Should data subjects have more control? • Should data collectors be legally obligated to correct mistakes?Identification Infrastructure Today I• We are often asked to “present gov’t-issued photo ID.”– Airports– Buildings– Some high-value financial transactions• Many gov’t-issued photo IDs are easily forgeable.– Drivers’ licenses– Passports• We are often asked to provide personally identifying information (PII).– Social security number– Mother’s maiden name– Date of birth• Many people and organizations have access to this PII.Identification Infrastructure Today II• Security of “foundation documents” (e.g., birth certificates) is terrible.• According to the US Department of Justice, the rate of identity theft is growing faster than that of any other crime in the United States.• Existing technology could improve, if not perfect, ID security, e.g.: – Biometrics– Cryptographic authentication• There is extensive research interest in improving this technology (and the systemsthat support it).Are Standard, Secure ID Systems Desirable?+ Ordinary people could benefit from accurate, efficient identification, and identity thieves would have a harder time.- Multi-purpose, electronic IDs facilitate tracking, linking, dossier compilation, and all of the other problems currently facilitated by Internet-accessible “public records.”- Multi-purpose,