Presentation is loading. Please wait.

Presentation is loading. Please wait.

Personal Control of Your Data Butler Lampson August 8, 2013.

Published byDayna Warren Modified over 9 years ago

Similar presentations

Presentation on theme: "Personal Control of Your Data Butler Lampson August 8, 2013."— Presentation transcript:

1 Personal Control of Your Data Butler Lampson August 8, 2013

2 Background What is new about online data? It is: – Widespread in time and space Persistent, easy to copy, visible to anybody – Accessible: easy to find (by search), connect (by linking) No privacy through obscurity, anonymity is hard Data about people in the physical world will be just as important as data that is born digital – Photos, videos, license plates, location tracks,... Technology and rules must work hand in hand – Technology supports rules, but doesn’t determine them – “Not allowed to”: regulation; “Can’t”: technology

3 Principles What is regulation for? – To maintain a balance of power among people, companies, and governments. – To serve the public good innovation, research, law enforcement, traffic control,.... Existing law covers many cases – Examples: intellectual property, fraud, public records,... Choices presented to people must be simple One screen for the normal case (+ drill-down) Regulations change slowly, have unintended consequences.

4 More Regulation is Coming People: Want personal control of their data – Even if they know they probably won’t exercise it – Allow data handlers they trust to access their data Regulators: Control of data is a human right – Especially the EU, but perhaps US states too Firms: Many want consistent, accepted rules, to – Build strong relationships with consumers – Comply with regulation more easily; safe harbor

5 Who Wins, Who Loses? Regulation serves personal control Regulation costs everyone who is regulated

6 An Ideal for Personal Control You keep all your data in a vault you control I bring you a query If you like the query, you return a result – Otherwise you tell me to go away This isn’t practical – Too expensive – Too slow – Unclear how I may use the result

7 Practical Personal Control: Goals You are empowered to control your data – Find it, limit its use, claim it – Everywhere—Across the whole internet – Anytime, not just when it’s collected – Consistently for all data handlers and devices – Remaining anonymous if you wish

8 Practical Personal Control: Mechanisms Data tagged with metadata that links to policy Simple, coarse-grained policy and good defaults Personas to manage your different identities No central database. Instead, two kinds of players: – Agents you choose—like choosing an email provider Personal Agent: handles personas and claiming; can be offline Policy Service: tells handlers your policy; must be online – Data handlers, subject to regulation Anyone who stores or processes your data and is following the rules

9 Personal Control You are empowered to control your data: – Find it, claim it – Limit its use – Anytime, not just at collection – Everywhere on the internet – Consistently for all data handlers and devices – With simple, coarse policy With good defaults – Anonymously if you wish With personas to manage IDs No central database. Instead – Agents you choose: Personal agent for personas, claims Policy service to answer handler queries – Data handlers, regulated

10 Scenarios You move, and you want to know who has your contact information – You update some, erase others you don’t want A school needs to contact a parent in an emergency – They use an app that has access to your location data, but reveals only the phone number to call You want to see fewer, more interesting ads – You disable DoubleClick, keep Neiman-Marcus A traffic camera records your license plate – DMV records identify you, but you know about the record

11 How it Works Data handler tags your data with metadata – Includes a link to your policy – Your agent supplies it along with your data – Stays with the data when the data is copied Rule: Handler must check policy before using data – Handler follows policy link and queries policy service Policy link is NID + URL PS – NID: Numeric ID Anonymized unless you sign in – URL PS : to your policy service On re-identification, handler supplies the metadata Especially for physical world data— photos, license plates,... Policy service tracks handlers, so people can find them Simple policy, for wide deployment

12 Who Controls What You are in control Regulator makes rules Data items:... Handler h Your agent Identity: NID data, NID+→ (3) Get policy NID→  data items Numeric IDs (NIDs) are public keys NID+ is the metadata (4) Claim data (2) Provide data  handler,type,NID Y/N→ (1) Set policy Policy: →Y/N... Your policy service

13 Onward Transfer Numeric IDs (NIDs) are public keys  handler h2, type, NID Y/N→ Data items:... Handler h1 Data items:... Handler h2 (2.5) Transfer data data, NID→ Identity: NID data, NID+→ (3) Get policy NID→  data items (4) Claim data (2) Provide data (1) Set policy You are in control Regulator makes rules Your agent Policy: →Y/N... Your policy service

14 Anonymity NIDs are public keys Different relationships call for different kinds of NIDs Anonymous:Fresh each session Known:Per web site, tied to cookie Signed-in: Per account, when signed in You know about your personas Your persona map tracks ’s used for each persona Your agent Persona map: persona→NIDs You are in control Regulator makes rules Data items:... Handler h Your agent Persona map: persona→NIDs Policy: →Y/N... Your policy service data, NID→ Get policy NID→  data items Claim data Provide data  handler,type,NID Y/N→ Set policy for each NID

15 Cheaper Anonymous NIDs NIDs are costly: Costly to generate keys Costly to store policy for each one Instead, tag with a token that hides NID Token = TID = Seal(NID, K PS ) different each time URL PS points to a popular policy service K claim = Hash(TID + K person ) TIDs are single-use, so handlers can’t link Policy Service can unseal to get the NID You can claim data from a handler with K claim You are in control Regulator makes rules Handler h Your agent Persona map: persona→NIDs Policy: →Y/N... Get policy  data items Claim data Provide data Y/N→ Set policy Your policy service for each NID → data, →  handler,type, Data items:... NID+ NID token x NID token K claim TID token x

16 Finding Your Data Policy Service: Chosen by you Stores policy for each NID Keeps track of handlers You can: Choose your personas and policy service Set policy for your data Query for handlers that have your data Claim your data from a handler List of handlers You are in control Regulator makes rules Data items:... Handler h Your agent Persona map: persona→NIDs Policy: →Y/N... Your policy service for each NID data, NID+→ Get policy NID→  data items Claim data Provide data  handler,type,NID Y/N→ Set policy List of handlers Set policy Query handlers Policy: →Y/N Your policy service for each NID... Control starts with knowing who has your data This is tricky: You talk to lots of handlers Handlers transfer data to other handlers

17 Control vs. Privacy There’s no free lunch, because of coercion – Tracking handlers is useful, but vulnerable Like browsing history Forms of coercion – Law enforcement/national security Need a warrant or subpoena – Personal: parents, spouses, employers,... Mitigations – Tell policy service to not track handlers, to delete tracks – Transfer tracks to your personal agent – Plausible deniability of the true tracks Can crypto help?

18 Policy Data-centric, not device or service centric – Metadata stays with the data, points to the data’s policy Interface to policy is  Yes/No – Can pass more information, maybe get a richer result Basic policy is very simple, for wide deployment – 7 ± 2 types of data: contact, location, transaction,... Can extend a type with a tree of subtypes that can be ignored – Atomic policy: handler h can/can’t use data type t – Composing policies: and, or, else on sets of atomic policies Encode complex policy in apps – Treat an app as a handler; the app tags its output suitably

19 User Experience: Principles One screen holds most people’s policy – In big type – Drill down to more details, for geeks Templates (from 3 rd parties) + your exceptions A reasonable default to protect carefree users – Easy to change default to a 3 rd party template Biggest area for future work – Only the crudest prototype so far

20 Refinements Metadata stays with data unless it’s aggregated – Need to certify apps that do enough aggregation Different personas for personal and enterprise – The enterprise may manage that persona Default for joint rights: the parties must agree – Agree to allow: Photographer vs. subject – Agree to forbid: person vs. public data, e.g., real estate records Track provenance with extended metadata – Log every change, add log pointer to metadata Multiple policy services, aggregated by your agent – Some could be generic, not personal, e.g., Good Housekeeping Extend policy or data type—ignorable, as in html

21 Details Changing your policy service – The old one forwards tokens to the new one – Optional key escrow for backup Control data uses through apps – Treat an app as a handler, control its access to data Security of policy queries – Handler and policy service authenticate by SSL UX for personas – Make the current persona visible on the screen – Default to consistent use of personas on sites

22 Summary More regulation is coming – People want personal control of their data Practical personal control – You are empowered to control your data Find it, limit its use, claim it, everywhere, anytime Consistently for all data handlers, and anonymously Metadata attached to data, linking to policy Personas to manage your anonymous identities No central database

Download ppt "Personal Control of Your Data Butler Lampson August 8, 2013."

Similar presentations

Building Secure Mashups D. K. Smetters PARC Usable.

Building Secure Mashups D. K. Smetters PARC Usable.
The Complete Visitor Management System

The Complete Visitor Management System
SharePoint Forms All you ever wanted to know about forms but were afraid to ask.

SharePoint Forms All you ever wanted to know about forms but were afraid to ask.
Keeping Your Child Safe on the Internet

Keeping Your Child Safe on the Internet
6 C H A P T E R © 2001 The McGraw-Hill Companies, Inc. All Rights Reserved1 Electronic Mail Electronic mail has revolutionized the way people communicate.

6 C H A P T E R © 2001 The McGraw-Hill Companies, Inc. All Rights Reserved1 Electronic Mail Electronic mail has revolutionized the way people communicate.
Internet Safety James Fuller Internet Rules To Remember When asked by friends or strangers, online or offline, never share Account IDs and Passwords.

Internet Safety James Fuller Internet Rules To Remember When asked by friends or strangers, online or offline, never share Account IDs and Passwords.
Digital Citizenship L’école élémentaire Beachy Cove Elementary School January 2013.

Digital Citizenship L’école élémentaire Beachy Cove Elementary School January 2013.
What you don’t know CAN hurt you!

What you don’t know CAN hurt you!
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
Internet Privacy Jillian Brinberg, Maggie Kowalski, Sylvia Han, Isabel Smith-Bernstein, Jillian Brinberg.

Internet Privacy Jillian Brinberg, Maggie Kowalski, Sylvia Han, Isabel Smith-Bernstein, Jillian Brinberg.
PAWN: A Novel Ingestion Workflow Technology for Digital Preservation

PAWN: A Novel Ingestion Workflow Technology for Digital Preservation
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
Cloud Computing Lecture #6 Information Policy Jimmy Lin The iSchool University of Maryland Wednesday, October 7, 2008 This work is licensed under a Creative.

Cloud Computing Lecture #6 Information Policy Jimmy Lin The iSchool University of Maryland Wednesday, October 7, 2008 This work is licensed under a Creative.
PAWN: A Novel Ingestion Workflow Technology for Digital Preservation Mike Smorul, Joseph JaJa, Yang Wang, and Fritz McCall.

PAWN: A Novel Ingestion Workflow Technology for Digital Preservation Mike Smorul, Joseph JaJa, Yang Wang, and Fritz McCall.
1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.

1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.
Cloud Computing and Information Policy: Computing in a Policy Cloud? Jimmy Lin The iSchool University of Maryland Thursday, April 2, 2009 This work is.

Cloud Computing and Information Policy: Computing in a Policy Cloud? Jimmy Lin The iSchool University of Maryland Thursday, April 2, 2009 This work is.
Copyright ©: 1995-2011 SAMSUNG & Samsung Hope for Youth. All rights reserved Tutorials The internet: Social networks and communities Suitable for: Improver.

Copyright ©: SAMSUNG & Samsung Hope for Youth. All rights reserved Tutorials The internet: Social networks and communities Suitable for: Improver.
Internet Standard Grade Computing. Internet a wide area network spanning the globe. consists of many smaller networks linked together. Service a way of.

Internet Standard Grade Computing. Internet a wide area network spanning the globe. consists of many smaller networks linked together. Service a way of.
Methods of communication

Methods of communication
CHC DI Group. What We Will Cover Securing your devices and computers. Passwords. Emails. Safe browsing for shopping and online banks. Social media.

CHC DI Group. What We Will Cover Securing your devices and computers. Passwords. s. Safe browsing for shopping and online banks. Social media.

Similar presentations

Ads by Google