PRIVACY AS & AND CONTEXTUAL INTEGRITY

Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science

Click to edit Master title style

PRIVACY AS & AND CONTEXTUAL INTEGRITY

Helen NissenbaumPresented by

Neelima Krishnan



2Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science

Privacy As Contextual Integrity. Nut Shell • Definition of the core problem.• Discussion of 3 scenarios.• A 3 principled framework. • Defining Contextual Integrity

PAPER 1




The Core Problem:Public Surveillance – what it means and how it can affect. – A brief introduction.

What the paper defines?




Monitoring of individuals in public through a variety of media (audio, video, online data)

Where is data stored? 1. stand alone systems 2. massive database of government and other institutions 3. Distributed network of computers/devices

Defining Public Surveillance.




Hepting v. AT&T is a United States class action lawsuit filed in January 2006 by the Electronic Frontier Foundation (EFF) AT&T

Details of the Case:AT&T permitted NSA in unlawfully monitoring the

communications of USA.This included- 1. AT&T customers,Bussinesses, third parties whose comm where routed through AT&T’s

network. And also VOICE over IP- calls through internet.

CONS:




Case 1:Public Records Online• Initiatives to place public records online a. arrest records b. driving records c. birth and death records d. marriage records e. public school information f. property ownership; g. community planning records h. court records

1/3 scenarios




Pros Cons

Open Government. Concern ??!

Dating services/matrimonial services. Protested by National Network to End Domestic Violence and the American CivilLiberties Union – WHY?

Building family tree.

Property ownership issues.

Are these worries rational? Is there genuine cause for resistance?




Case 2: Consumer Profiling and Data Mining All the commercial activities leave digital trail that are stored

away in large databases somewhere.Used for mining “Gold” by companies! Often the information in question is not confidential or sensitive in nature.Why do people react with Indignation?Quoted Example: Lotus Marketplace

-where, your privacy is someone else’s bussiness….

2/3 scenario




Case 3:Radio Frequency Identification (RFID) Tags

focuses attention on enhanced modes of gathering or capturing information as in automated road toll systems like EZ Pass, video surveillance and face recognition systems, web browser cookies, biometrics and thermal imaging




1. Protecting Privacy of Individuals Against Intrusive Government Agents –

Solution Proposed: Principle 1/3




The Fourth Amendment- "[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

What can Protect us:




http://groups.csail.mit.edu/mac/classes/6.805/student-papers/fall07-papers/social-networks.pdf

Just in case you are interested:




Principle 2: Restricting Access to Intimate, Sensitive, or Confidential Information

Giving privileges to data:-1. Non-Classifieda. Public Informationb. Personal Informationc. Routine Bussiness informationd. Privatee. Confidential Bussiness Information2. Classifiedf. Confidentialg. Secreth. Top Secret

Principle 2/3




Principle 3: Curtailing Intrusions into Spaces or Spheres Deemed Private or Personal

- “a man’s home is his castle”.The Bill of Rights of the U.S. Constitution expresses

commitment of a protected private zone in the Third and Fourth Amendments, defining explicit limits on government access to a home—

1. quartering soldiers in the Third, 2. security against search and seizure in the Fourth.

Principle 3/3




California v. Greenwood: Highlights: - Inspector Jenny Stracner suspects Greenwood of selling drugs.- Stracner asked the neighborhood's regular trash collector to pick up the

plastic garbage bags that Greenwood left on the curb in front of his house

- In the garbage, she found evidence of drug use.- used that information to obtain a warrant to search Greenwood's home- California Superior Court dismisses the case- on the ground that

unwarranted trash searches violated the U.S. Constitution's Fourth Amendment, as well as the California Constitution

- The US-Supreme court- granted certiorari and reversed the judgment of the California Court of Appeal

Quoted Case:




“[a]ccordingly, having deposited their garbage in an area particularly suited for public inspection and, in a manner of speaking, public consumption, for the express purpose of having strangers take it, respondents could have had no reasonable expectation of privacy in the inculpatory items that they discarded.”

Court’s Ruling




The PATRIOT ACT. Carnivore

Analyzing the 3 cases- and see if its possible to draw lines?

Applying the Three Principles—Some Gray Areas




1. Appliying Principle 2: Drawing lines in the case of intimate and sensitive information is also difficult and can be controversial. a. Designate credit headers as Personal or not? b. Case 1, Should public records ought to be available online?2. Principle 3- Interpretations of what counts as a private space ?a. Olmstead vs US case 1928b. Katz vs USA 1967c. Kyllo v. United States 2001d. Employee online activities in office space (pre- post 9/11)




Public Survillence – Does having all records online mean govt

intrusion – or that its always worng?Does having RFID tags mean – you are always

tagged.Does Online Profiling mean you are always

watched?

The Three Principles and Public Surveillance




Two features of the 3 principle framework help us define- CI –- a universal account of what does and does not warrant restrictive, privacy-motivated measures- it expresses a right to privacy in terms of dichotomies.Norm is a set of rules, which would help us in deciding if a

message can be transferred from one part to another. This depends on the source, destination and the appropriateness of the content.

- Personal information revealed in a particular context is always tagged with that context-These norms are relative, or non-universal

Defining Contextual Integrity




Norm of appropriation.- dictate what information about persons is

appropriate, or fitting, to reveal in a particular context.

- i.e, A patient can share information about hisor her physical condition with the physician but not vice versa.

How it works?




“In every case, I quoted, the sort of relationship that people have to one another involves a conception of how it is appropriate for them to behave with each other, and what is more, a conception of the kind and degree of knowledge concerning one another which it is appropriate for them to have. “




Norm of distribution (flow):This governs the flow or distribution of

information - movement, or transfer of information from one party to another or others.

Example scenarios-- Between friends.- Between a physician and a patient.




Case 1: Having records online. Example of new neighbors into a family neighborhood. Case 2: Digital foot print.Example of Amazon.comCase 3: RFID tagsExample of customers and sales assistant.

Applying Contextual Integrity to the Three Cases



Privacy And Contextual Integrity

Adam Barth, Anupam Datta, John C. Mitchell, Helen Nissenbaum

Stanford UniversityPresented By Neelima Krishnan

Virginia Tech




Introduction

This paper presents a formal framework for expressing privacy expectations and privacy practices, inspired by contextual integrity.

Lets say-- “Alice give Bob a certain piece of information about Charles “-Now, impact on privacy varies based on – context, roles, and a focus on the type of information transmitted




Intro- continued

Two kinds of norms - Positive (“allow”)- Negative (“deny”)A positive norm permits communication if its temporal

condition is satisfied, whereas a negative norm permits communication only if its temporal condition is satisfied.

norms are based only on the type of information communicated.

information is assumed to describe an individual rather than a group of individuals.




Defining Contextual Integrity

A philosophical account of privacy in terms of the transfer of personal information.

Who are involved?the one from whom the information flowsthe one to whom the information flows,and the one—the information subject—about

whom the information is.




The model and the formal language CI

In this model, the norms of transmission are expressed using Linear Temporal Logic (LTL).

We have Agents, Attributes, and Messages.Associated with each agent is a collection of the attributes

that agent knows.Let P be a set of agents, and let be a set of attributes.For e.g: Alice and Bob are agents, and “postal address” and

“height” are attributes. If (p, q, t)(a knowledge set), we say agent p knows the value

of attribute t of agent q. i.e. Alice knows Bob’s height. (Paper omits group attributes- like average height).




Data model- To structure attributes, we include computation

rules.- A computation rule is a pair (T, t), where T and t

Where,- That is, agent p learns attribute t about agent q. Let be a set of computation rules.- The relation is the transitive closure of




- An agent can send a message to another agent provided the sending agent knows all the attributes communicated by the message.

Messages m are drawn from a set M Content(m)= P x which is closed under

computation rules.The art of sending a messgae –

communication action and this is represented by triples “(p1,p2,m)”







Roles, Contexts, and Traces

Let R be a set of roles and C be a partition of R. We refer to elements c C as contexts and the roles r c as the roles of context c. For example, “teller” is a role in a banking context and “doctor” is a role in a health care context.

The roles are structured by a partial order R. If r1 R r2, then r1 is a specialization of role r2 and, symmetrically,r2 is a generalization of r1.

Agents can be active in multiple roles simultaneously. For example, Alice can be at once a doctor in a health care context and a customer in a banking context.




Temporal Logic

if Alice tells Bob her age under the principle of confidentiality, then, in the future, Bob must not disclose Alice’s age.







Norms of Transmission

are expressed as temporal formulas.Each norm is either positive or negativePositive norm: doctor Alice can send patient

Charlie’s test results to researcher Bob if Bob keeps the records in confidence.

Negative norm: communication can occur only if the temporal condition is satisfied.

Doctor Alice can send patient Charlie’s test results to researcher Bob only if Bob keeps the records in confidence.




In order to satisfy the norms, a communication must be allowed by at least one of the positive norms and it must respect all of the negative norms.

In the above formula , each individual norm applies to a downwardly closed set of attributesIf Sheiyi wants to send a messge to Tom- If the rule says, “allow disclosure of postal address” – then the formula lets you send the the postal code too.If the rule forbids the postal code from being send- then the whole disclosure is forbidden.




Properties and relations between policies

A privacy policy regulates what flows of information are permitted between agents in various roles.

A policy is a conjunction of contexts, requiring the norms of each context to be respected.

Example?Defining : Consistency, Entailment,

Compliance.




Consistency - A policy is consistent if it is possible for communicating agents to respect the policy.

Entailment :- Another metric for evaluating a privacy policy is to compare it against another policy. For example, a hospital’s privacy policy should not allow information flows prohibited by HIPAA.

Compliance: Given the sequence of past communications, does the policy permit a contemplated communication and, if so, what future requirements are incurred?




HIPAA Rules:

Health Insurance Portability and Accountability Act (1996)

This rule regulates the transmission of “protected health information” (phi), by covered entities.

forbids the disclosure of health information except to individuals or organizations acting in certain roles.







What the formulas represent?

Norm 2: allows Dr. Alice to show Bob an x-ray of his broken leg. It does not allow, however, Dr. Alice to show Bob’s x-ray to Charlie. Also it does not allow x-ray technician Debbie to give the x-ray to Dr. Alice.

Norm 3: Dr. Alice is not only a covered entity, but more specifically a health care provider, someone directly involved in the care of a patient. Here, Debbie plays the role of covered entity and is permitted to give Bob’s x-ray to Dr. Alice (Bob plays the role of patient).




Norm 4: A negative norm:If Dr Alice is a psychiatrist. Debbie is a nurse

practioner. Debbie cannot disclose the contents of the psychotherapy notes to the subject of the notes without the prior approval of a psychiatrist(Dr. Alice).

Note: The interplay between the positive and negative norms is subtle.

One positive norm (2) permits the disclosure of psychotherapy notes, but a negative norm (4) prevents it (unless approval is obtained).




Norm 5: A positive Norm: Allows a covered entity may “disclose the individual’s [general] condition and location within the facility to anyone asking for the individual by name”.

Norm 6: A positive norm: Allows members of the clergy to obtain information about a patient from the “directory information”

Directory-information is an attribute that contains (formally can be used to compute)the individual’s name, general condition, religious affiliation, and location within the facility.

What the clergy does with this information is beyond the scope of HIPAA rules.




Children’s Online Privacy ProtectionAct (COPPA)

protects the personal information children communicate to web sites

It contains two negative norms that restrict otherwise permissible flows of information.

Temporal conditions play a central role in COPPA

What are these temporal conditon? - Parental consent- Restricted acess







Norm 7: requires web site operators to obtain parental consent before collecting protected information from children.

Notice the strong form of “since” is required here to ensure that the parent actually granted consent.

Norm 8: implies the website operators have to provide 2 things-

1. a privacy notice describing their information practices 2. specific information they have collected from the child. COPPA also requires the operator to delete protected

information in its possession upon receiving revoke consent.




Gramm–Leach–Bliley Act (GLBA)

Broadly, GLBA requires financial institutions to inform their customers of their privacy practices and to allow customers to “opt-out” of certain kinds of information disclosures.

Financial institutions are required to send their customers privacy notices every year as long the customer relationship lasts.

There are 2 roles- Customer role.- Consumer role. And we have non-affiliated companies with whom costumers

and consumers can/not shar non-public personal information. Example?







The negative norm (9) requires institutions to periodically send privacy notices.

Norm 10: makes essential use of the three different roles (sender, recipient, and subject), as well as both past and future modalities in its temporal condition.

Norm 11: expresses the provision for consumers, and GLBA also contains an analogous non-affiliate opt-out norm for customers. That is - Consumers and customers also have the option of opting out sharing of credit reports and application information

Norm 12: This expresses the provision, and GLBA contains a similar norm for application information.




Comparison with other models.




Helen Nissenbaum - Stanford Center for Internet and Society

http://www.youtube.com/watch?v=4iRESwXnFoA




Documents

PRIVACY AS & AND CONTEXTUAL INTEGRITY