Dimensions of Privacy 18739A: Foundations of Security and Privacy Anupam Datta Fall 2009.

Presentation transcript:

Dimensions of Privacy 18739A: Foundations of Security and Privacy Anupam Datta Fall 2009

Privacy in Organizational Processes
[Diagram: patient information flows between Patient, Hospital (a complex process within the hospital), Insurance Company (patient medical bills), Drug Company (advertising to the patient), and the Public (aggregate anonymized patient information)]
Goal: achieve organizational purpose while respecting privacy expectations in the transfer and use of personal information (individual and aggregate) within and across organizational boundaries

Dimensions of Privacy
• What is Privacy? Philosophy, Law, Public Policy
• Express and Enforce Privacy Policies: Programming Languages, Logics, Usability
• Database Privacy: Statistics, Cryptography

Philosophical studies on privacy
• Reading
  • Overview article in Stanford Encyclopedia of Philosophy
  • Alan Westin, Privacy and Freedom, 1967
  • Ruth Gavison, Privacy and the Limits of Law, 1980
  • Helen Nissenbaum, Privacy as Contextual Integrity, 2004 (more on Nov 8)

Westin 1967
• Privacy and control over information
  “Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others”
• Relevant when you give personal information to a web site and agree to the privacy policy posted on that web site
• May not apply to your personal health information

Gavison 1980
• Privacy as limited access to self
  “A loss of privacy occurs as others obtain information about an individual, pay attention to him, or gain access to him. These three elements of secrecy, anonymity, and solitude are distinct and independent, but interrelated, and the complex concept of privacy is richer than any definition centered around only one of them.”
• Basis for the database privacy definition discussed later

Gavison 1980
• On utility
  “We start from the obvious fact that both perfect privacy and total loss of privacy are undesirable. Individuals must be in some intermediate state – a balance between privacy and interaction … Privacy thus cannot be said to be a value in the sense that the more people have of it, the better.”
• This balance between privacy and utility will show up in data privacy as well as in privacy policy languages, e.g. health data could be shared with medical researchers

Contextual Integrity [Nissenbaum 2004]
• Philosophical framework for privacy
• Central concept: Context
  • Examples: healthcare, banking, education
• What is a context?
  • Set of interacting agents in roles
    • Roles in healthcare: doctor, patient, …
  • Informational norms
    • Doctors should share patient health information as per the HIPAA rules
    • Norms have a specific structure (descriptive theory)
  • Purpose
    • Improve health
    • Some interactions should happen: patients should share personal health information with doctors

Informational Norms (Contextual Integrity [Nissenbaum 2004])
“In a context, the flow of information of a certain type about a subject (acting in a particular capacity/role) from one actor (could be the subject) to another actor (in a particular capacity/role) is governed by a particular transmission principle.”

Privacy Regulation Example (GLB Act)
Financial institutions must notify consumers if they share their non-public personal information with non-affiliated companies, but the notification may occur either before or after the information sharing occurs.
Exactly as CI says! The slide labels the parts of this sentence with the components of an informational norm: sender role (financial institutions), subject role (consumers), attribute (non-public personal information), recipient role (non-affiliated companies), transmission principle (notification, before or after the sharing).
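The norm structure from the two slides above, turned into a runnable check over an audit trace. This is an added illustration, not code from the course or from the cited papers; the event types, role names and the sample trace are constructed here. The point it makes concrete is the transmission principle: because GLBA allows notification before or after the sharing, compliance can only be decided over the whole trace, not at the moment of the transfer.

```python
from dataclasses import dataclass
from typing import List

# Assumed event types for a compliance trace (constructed for this example).
@dataclass(frozen=True)
class Send:
    sender_role: str     # role of the actor sending the information
    subject_role: str    # role of the person the information is about
    attribute: str       # type of information being sent
    recipient_role: str  # role of the receiving actor
    subject: str         # which data subject the record concerns
    time: int

@dataclass(frozen=True)
class Notify:
    subject: str         # consumer who was told about the sharing
    time: int

def glba_violations(trace: List[object]) -> List[Send]:
    """Return the Send events that violate the GLB notification norm.

    Read as a contextual-integrity norm: non-public personal info (attribute)
    about a consumer (subject role) flowing from a financial institution
    (sender role) to a non-affiliate (recipient role) is permitted only if the
    consumer is notified, before or after the sharing (transmission principle).
    Since the notification may come later, the check runs over the whole trace.
    """
    notified = {e.subject for e in trace if isinstance(e, Notify)}
    violations = []
    for e in trace:
        if not isinstance(e, Send):
            continue
        governed = (e.sender_role == "financial-institution"
                    and e.subject_role == "consumer"
                    and e.attribute == "nonpublic-personal-info"
                    and e.recipient_role == "non-affiliate")
        if governed and e.subject not in notified:
            violations.append(e)
    return violations

# Constructed trace: alice is notified after the fact (allowed), bob is never
# notified (violation), carol's data goes to an affiliate (not governed by this norm).
SAMPLE_TRACE = [
    Send("financial-institution", "consumer", "nonpublic-personal-info", "non-affiliate", "alice", 1),
    Notify("alice", 2),
    Send("financial-institution", "consumer", "nonpublic-personal-info", "non-affiliate", "bob", 3),
    Send("financial-institution", "consumer", "nonpublic-personal-info", "affiliate", "carol", 4),
]
```

Running `glba_violations(SAMPLE_TRACE)` flags only bob's transfer; a `Notify("bob", ...)` anywhere in the trace, even after time 3, clears it.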

Privacy Laws in the US
• HIPAA (Health Insurance Portability and Accountability Act, 1996)
  • Protecting personal health information
• GLBA (Gramm-Leach-Bliley Act, 1999)
  • Protecting personal information held by financial service institutions
• COPPA (Children‘s Online Privacy Protection Act, 1998)
  • Protecting information posted online by children under 13
• More details in a later lecture about these laws and a formal logic of privacy that captures concepts from contextual integrity

Database Privacy
• Releasing sanitized databases
  1. k-anonymity [Samarati 2001; Sweeney 2002]
  2. (c,t)-isolation [Chawla et al. 2005]
  3. Differential privacy [Dwork et al. 2006] (next lecture)

Sanitization of Databases
[Diagram: Real Database (RDB), e.g. health records or census data → add noise, delete names, etc. → Sanitized Database (SDB)]
Goals: protect privacy; provide useful information (utility)

Re-identification by linking
Linking two sets of data on shared attributes may uniquely identify some individuals.
• Example [Sweeney]: de-identified medical data was released; Sweeney purchased the Voter Registration List of MA and re-identified the Governor
• 87% of the US population is uniquely identifiable by 5-digit ZIP, sex, and date of birth

1. k-anonymity
• Quasi-identifier: set of attributes (e.g. ZIP, sex, dob) that can be linked with external data to uniquely identify individuals in the population
  • Issue: how do we know which attributes are quasi-identifiers?
• Make every record in the table indistinguishable from at least k-1 other records with respect to the quasi-identifiers
  • Linking on quasi-identifiers yields at least k records for each possible value of the quasi-identifier

k-anonymity and beyond
• Provides some protection: linking on ZIP, age, nationality yields 4 records
• Limitations: lack of diversity in sensitive attributes, background knowledge, subsequent releases on the same data set, syntactic definition
• Utility: less suppression implies better utility
• Extensions: l-diversity, m-invariance, t-closeness, …
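A small checker for the two slides above, added here as an illustration (not code from the course or the cited papers): it computes the k of a table with respect to a quasi-identifier set and the l of its sensitive attribute, and runs both on a constructed patient table before and after one fixed generalization. The column names, the table and the generalization rule are assumptions of this example; the generalized table reaches k = 4, matching the slide, yet has l = 1, which is the "lack of diversity" limitation in concrete form.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Dict[str, str]
QUASI_IDS = ("zip", "age", "nationality")   # assumed quasi-identifier columns

def equivalence_classes(records: List[Record], quasi_ids=QUASI_IDS) -> Dict[Tuple[str, ...], List[Record]]:
    """Group records sharing the same quasi-identifier values: what a linking attack can distinguish."""
    groups: Dict[Tuple[str, ...], List[Record]] = defaultdict(list)
    for r in records:
        groups[tuple(r[q] for q in quasi_ids)].append(r)
    return groups

def k_anonymity(records: List[Record], quasi_ids=QUASI_IDS) -> int:
    """Largest k for which the table is k-anonymous: the size of the smallest equivalence class."""
    return min((len(g) for g in equivalence_classes(records, quasi_ids).values()), default=0)

def l_diversity(records: List[Record], sensitive: str = "disease", quasi_ids=QUASI_IDS) -> int:
    """Largest l such that every equivalence class holds at least l distinct sensitive values."""
    return min((len({r[sensitive] for r in g})
                for g in equivalence_classes(records, quasi_ids).values()), default=0)

# Constructed toy table of patient records (not from the slides).
RAW: List[Record] = [
    {"zip": "13053", "age": "28", "nationality": "Russian",  "disease": "Heart Disease"},
    {"zip": "13068", "age": "29", "nationality": "American", "disease": "Heart Disease"},
    {"zip": "13068", "age": "21", "nationality": "Japanese", "disease": "Viral Infection"},
    {"zip": "13053", "age": "23", "nationality": "American", "disease": "Viral Infection"},
    {"zip": "14853", "age": "50", "nationality": "Indian",   "disease": "Cancer"},
    {"zip": "14853", "age": "55", "nationality": "Russian",  "disease": "Cancer"},
    {"zip": "14850", "age": "47", "nationality": "American", "disease": "Cancer"},
    {"zip": "14850", "age": "49", "nationality": "American", "disease": "Cancer"},
]

def generalize(r: Record) -> Record:
    """One fixed generalization: mask the last two ZIP digits, bucket age, suppress nationality."""
    age = int(r["age"])
    return {**r, "zip": r["zip"][:3] + "**",
            "age": "<30" if age < 30 else ">=40",
            "nationality": "*"}

GENERALIZED: List[Record] = [generalize(r) for r in RAW]
```

Every raw record is unique on the quasi-identifiers (k = 1); after generalization each class has 4 records, but the 148** class is all "Cancer", so an attacker who links a neighbour into that class learns the diagnosis anyway.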

2. (c,t)-isolation
• Mathematical definition motivated by Gavison’s idea that privacy is protected to the extent that an individual blends into a crowd
(Image courtesy of WaldoWiki)

Definition of (c,t)-isolation
• A database is represented by n points in high-dimensional space (one dimension per column)
• Let y be any RDB point, and let δ_y = ‖q − y‖_2. We say that q (c,t)-isolates y iff B(q, cδ_y) contains fewer than t points in the RDB, that is, |B(q, cδ_y) ∩ RDB| < t.
[Figure: point q and RDB point y at distance δ_y, with the ball of radius cδ_y around q drawn in the (x1, x2) plane]

Definition of (c,t)-isolation (contd)
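The definition above as executable code, added as an illustration (not code from the course or from Chawla et al.): `isolates` decides whether a guess q (c,t)-isolates a real point y by counting RDB points in the ball B(q, cδ_y), and `isolated_points` lists every individual a given q singles out. The two-dimensional RDB and the guess Q are constructed here; real tables would have one dimension per column.

```python
import math
from typing import List, Sequence, Tuple

Point = Tuple[float, ...]

def dist(a: Sequence[float], b: Sequence[float]) -> float:
    """Euclidean (L2) distance, the norm in delta_y = ||q - y||_2."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def isolates(q: Point, y: Point, rdb: List[Point], c: float, t: int) -> bool:
    """True iff q (c,t)-isolates y.

    delta_y is the distance from the guess q to the real point y, and
    B(q, c*delta_y) is that neighbourhood scaled by c.  y is isolated when
    fewer than t RDB points lie in the ball, i.e. y does not blend into a
    crowd of at least t around q.  Note y itself is in the ball whenever c >= 1,
    so a guess that lands exactly on y isolates it for any t >= 2.
    """
    delta_y = dist(q, y)
    in_ball = sum(1 for x in rdb if dist(q, x) <= c * delta_y)
    return in_ball < t

def isolated_points(q: Point, rdb: List[Point], c: float, t: int) -> List[Point]:
    """All RDB points that q (c,t)-isolates: the individuals this guess singles out."""
    return [y for y in rdb if isolates(q, y, rdb, c, t)]

# Constructed 2-D RDB: a crowd of five near the origin and one outlier far away.
RDB: List[Point] = [(0.0, 0.0), (1.0, 0.0), (0.0, 1.0), (1.0, 1.0), (0.5, 0.5), (10.0, 10.0)]
Q: Point = (9.5, 9.5)   # a guess landing close to the outlier
```

With c = 2 and t = 3, Q isolates only the outlier (its ball of radius 2·δ_y ≈ 1.41 holds one point), while every crowd point has a ball wide enough to contain the whole RDB; a guess such as (3, 3) isolates nobody.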

Another influence
• Next lecture: issues with this definition of privacy (impossible to achieve for arbitrary auxiliary information) and an alternate definition (differential privacy)