0x1A Great Papers in Computer SecurityH. Nissenbaum Privacy as Contextual Integrity (Washington Law Review 2004)Common-Law Right to PrivacyDefinitions of Privacy (1)Definitions of Privacy (2)Three Guiding Legal PrinciplesGray AreasDownsides of Three PrinciplesModern Privacy ThreatsContextual IntegrityCornerstone NormsPrivacy as Contextual IntegrityExample: Gramm-Leach-Bliley0x1A Great Papers inComputer SecurityVitaly ShmatikovCS 380Shttp://www.cs.utexas.edu/~shmat/courses/cs380s/H. NissenbaumPrivacy as Contextual Integrity(Washington Law Review 2004)Common-Law Right to PrivacyCharacterized by Samuel Warren and Louis Brandeis (1890)“An individual’s right of determining, ordinarily, to what extent his thoughts, sentiments, and emotions shall be communicated to others”slide 3Definitions of Privacy (1)“Privacy is not simply an absence of information about us in the minds of others; rather it is the control we have over information about ourselves” --Charles Fried “Privacy is a limitation of others’ access to an individual through information, attention, or physical proximity” --Ruth Gavison“Privacy is the right to control information about and access to oneself” -- Priscilla Reganslide 4Definitions of Privacy (2)"Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extend information about them is communicated to others”“...privacy is the voluntary and temporary withdrawal of a person from the general society through physical or psychological means, either in a state of solitude or small-group intimacy or, when among larger groups, in a condition of anonymity or reserve”–A. Westin. “Privacy and Freedom” (1967)slide 5Three Guiding Legal PrinciplesProtecting privacy of individuals against intrusive government agents•1st, 3rd, 4th, 5th, 9th, 14th amendments, Privacy Act (1974)Restricting access to sensitive, personal, or private information •FERPA, Right to Financial Privacy Act, Video Privacy Protection Act, HIPAACurtailing intrusions into spaces or spheres deemed private or personal•3rd, 4th amendmentsslide 6Gray AreasPrivate vs. public spaceUSA PATRIOT Act“Credit headers”•Basic information in a credit report about the person to whom the credit report applies - name, variations of names, current and prior addresses, phone number, date of birth, SSNOnline privacy in the workplaceslide 7Downsides of Three PrinciplesNot conditioned on additional dimensions•Time, location, etc.Privacy based on dichotomies•Private – public•Sensitive – non-sensitive•Government – private …slide 8Modern Privacy ThreatsAutomated capture of enhanced/large amounts of information•RFID tags, EZ Pass, online tracking, video surveillance, DRM, etc.Consumer profiling, data mining, aggregation•ChoicePoint, Census, credit bureaus, etc.Public records online•Courts, county clerks, etc.•Local vs. global access of dataslide 9Contextual IntegrityPhilosophical account of privacy•Aims to describe what people care aboutMain idea: every transfer of personal information happens in a certain social contextContext-dependent norms govern the type of information and the principles of transmission•Information is categorized by type –Example: personal health information, psychiatric records, …–Rejects public/private dichotomy•Principles of transmission depend on context–Confidentiality, reciprocity, etcslide 10Cornerstone NormsNorms of appropriateness determine what types of information are or are not appropriate for a given contextNorms of distribution determine the principles governing flow or transfer of information from one party to another•Volunteered, inferred, mandated, expected, demanded, etc.•Discretion, entitlement, third-party confidentiality, commercial exchange, reciprocal vs. one-way, etc.slide 11Privacy as Contextual IntegrityContextual integrity is respected when norms of appropriateness and distribution are respectedIt is violated when any of the norms are infringed slide 12Example: Gramm-Leach-Blileyslide 13Sender role Subject roleAttributeTransmission principleFinancial institutions must notify consumers if they share their non-public personal information with non-affiliated companies, but the notification may occur either before or after the information sharing