Privacy: Challenges and Opportunities Tadayoshi Kohno Department of Computer Science and Engineering University of Washington

Definition - Oxford English Dictionary: “The state or condition of being alone, undisturbed, or free from public attention, as a matter of choice or right; seclusion; freedom from interference or intrusion.” Questions: Who: Who receives access to your information? What: What information is disclosed? When: Under what conditions is it exposed? Why: What will they use that information for?

Claim: It’s a lost cause - we’ve already lost our privacy Claim: “I’ve got nothing to hide” Claim: Users choose functionality over privacy Examples: The web (search engines, web mail, social networking sites, traffic through ISPs, …) Shopping (customer loyalty cards, conventional credit cards, RFID credit cards) Electronic voting (privacy issues seldom discussed)

Claim: Known privacy breaches change people’s perceptions (at least temporarily) Guardian

What are users’ privacy goals and values (users may differ)? How can we give users a more intuitive understanding of: What information leaks out; To whom; and For what purposes? Proposals like P3P (Platform for Privacy Preferences) help

Who should take responsibility? The data collector? Harden systems against attacks Sufficiently scrub data before sharing data with the public (recall the AOL logs) What about sharing data with corporate partners? The user? Don’t reveal information in the first place (cash purchases, no Web) Tor, anonymization systems, pseudonyms But what if data collectors aggregate information or are not trustworthy?

Privacy may come with a cost (efficiency, time to market, usability,...) Is the cost worth it? Assume products/services A, B, and C violate a user’s privacy Is it worth just fixing the privacy properties of A? What are the incentives when A, B, and C are produced by competing companies?

Scrubbing data while preserving utility is challenging What constitutes identifying (or too revealing) information? Recent examples: Identifying users in “anonymized” AOL logs De-anonymizing IP addresses in “anonymized” network traces Identifying encrypted web content (from MSR and elsewhere) Example directions (for query logs) [Adar, QLW WWW07] Remove queries that occur < n times New pseudonyms every t minutes Different pseudonyms for each “type” of query

Multiple parties involved Users, companies, and adversaries Different parties may have different goals, perceptions of privacy Users may not understand implications of revealing data Users may not even consider that data to be private Where should we focus our efforts? Users and usability? Individual products and services? Policy?

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Microsoft Research Faculty Summit 2007