Presentation is loading. Please wait.

Presentation is loading. Please wait.

“Control of Personal Information: A Dialogue Between a Technologist and a Lawyer” Radcliffe Inst. and Harvard Div. of E&AS Symposium on Security and Privacy.

Published byLillie Down Modified over 9 years ago

Similar presentations

Presentation on theme: "“Control of Personal Information: A Dialogue Between a Technologist and a Lawyer” Radcliffe Inst. and Harvard Div. of E&AS Symposium on Security and Privacy."— Presentation transcript:

1 “Control of Personal Information: A Dialogue Between a Technologist and a Lawyer” Radcliffe Inst. and Harvard Div. of E&AS Symposium on Security and Privacy April 23, 2004

2 The Technologist: Professor Joan Feigenbaum Yale Computer Science Department http://www.cs.yale.edu/homes/jf The Lawyer: Professor Peter Swire Moritz College of Law The Ohio State University http://www.peterswire.net

3 Overview 1 n Defining “control of personal information” (Peter) n The power and limitations of technology (Joan) n The power and limitations of law (Peter) n Combining the two approaches (Joan)

4 Overview 2 What can and should be achieved by n Software systems – Encryption – (DRM-like) Permissions systems n Hardware-supported “trusted systems” n Sector-specific regimes such as HIPAA n Broader legal regimes such as FIPs

5 I. Defining “Control of Personal Information” n Some meanings of “privacy” not primarily addressed today: – Roe v. Wade and right to privacy in bodily autonomy – Intellectual property rights such as right of publicity (they can’t use your face in ads) – Rules for search warrants and other compelled access to data that is held in private

6 Control of Personal Information n Focus on data protection for personally identifiable information n Today’s task includes control over: – Information in transit – Information in storage – Often held by (partially trusted) “third parties” n Less focus on spam and other intrusions

7 Some examples of data protection n You send an e-mail to a friend. – Can the ISPs and others read it? n You see a doctor. – Who else sees data? Nurse, insurer, employer n You buy software on-line. – What do advertisers learn about you? Your credit-card company? Can the vendor track your usage of the software?

8 II. The Power and Limitations of Technology Current state of the art: + We have the ability (if not always the will) to prevent improper access to information. – We have little or no ability to prevent improper use of information by parties authorized to access it.

9 Performing Tasks on a “Need to Know” Information Basis n Mundane tasks, e.g., storage or transmission of information: Use encryption! n More exotic tasks, e.g. – Privacy-preserving data mining – Privacy-preserving surveillance Computing exactly one fact about a distributed data set is precisely what cryptographic-protocol theory enables in principle!

10 Example 1: Secure, Multiparty Function Evaluation... x1x1 x2x2 x 3x 3 x n-1 x nx n y = F (x 1, …, x n ) Each i learns y. No i can learn anything about x j (except what he can infer from x i and y ). Very general positive results. Not very efficient.

11 Some Recent Progress on Special-Purpose SMFE Protocols n Lindell and Pinkas: Efficient 2-party protocol for ID3 data mining on x 1  x 2 n Aggarwal, Mishra, and Pinkas: Efficient n-party protocol for order statistics of x 1  …  x n n Freedman, Nissim, and Pinkas: Efficient 2-party protocol for x 1  x 2

12 Example 2: Protection of Digital IDs n General Problem: People use the same uid/pwd at many sites. n Example: Same uid/pwd at eBay and at a high-school alumni site n Threat: A break-in at a low-security site reveals many uid/pwd pairs that can be used at high-security sites.

13 Some Recent Progress on ID Protection http://crypto.stanford.edu/WebSecPwd/ Blake Ross, Dan Boneh, John Mitchell Browser plug-in that converts the user’s pwd to a unique, site-specific pwd.

14 Basic Algorithm Locate all pwd HTML elements on page: n When form is submitted, replace contents of pwd field with HMAC pwd (domain-name). n Send pwd hash to site instead of pwd.

15 Features n Conceptually simple solution! n Implementation includes: – pwd-reset page – remote-hashing site (used in, e.g., cafés) – list of domains for which domain of reset page is not domain of use page (e.g., MS Passport) n Dictionary attacks on hashes are much less effective than those on pwds and can be thwarted globally with a high-entropy plug-in pwd.

16 PORTIA Large-ITR, five-year, multi-institutional, multi-disciplinary, multi-modal research project on end-to-end handling of sensitive information in a wired world http://crypto.stanford.edu/portia/ Privacy, Obligations, and Rights in Technologies of Information Assessment

17 Core Technical Problem: The Unreasonable Effectiveness of Programmability n Many machine-readable permissions systems – Rights-management languages – Privacy policies – Software licenses n None is now technologically enforceable. – All software-only permissions systems can be circumvented. – Once data are transferred, control is lost.

18 Will “Trusted Systems” Help? n Hardware-based, cryptographic support for proofs that a data recipient’s machine is running a particular software stack n Potential problems: – Technical: Very hard to build – Business: Adoption hurdles – Philosophy: Privacy, fair use, MS hatred, etc. n Potential benefits: – Copyright enforcement? Maybe – Privacy enforcement? Much harder!

19 Dan Geer at YLS: “DRM ≡ Privacy” n Data objects are small. n Privacy regimes (e.g., HIPAA) are hard to automate. Complementary software systems are lacking, and relevant people are poorly trained. n Lots of leakage is permitted by these regimes! I don’t think so. Circumvention is not the worst threat to privacy. Instead, information leaks because:

20 III. The Power and Limitations of Law n Outline: – Technology as necessary but not sufficient – Data protection and Fair Information Practices – Toward “partially trusted systems” such as medical records under HIPAA

21 Technology as a Necessary Condition n Control over data only possible, even on average, if have good tech protections n Can have legal policy of “no sharing” – What if every script kiddie can get it? – Would you do $1 million transfers of funds in that environment? – Need technological protections against the malicious third party – Need technological support for well intentioned parties

22 Technology is Not a Sufficient Condition n Joan’s discussion: – Can prevent improper access to information – Can’t prevent improper use by parties authorized to access it n The role of law: – Laws today often prohibit transfers to 3rd parties, working with tech solutions. – Laws and institutions will be important to limiting improper uses by authorized users.

23 Data Protection and Fair Information Practices n Standard legal approach of FIPs – Notice – Choice (limits on secondary uses) – Access and Correction – Security – Accountability n If implemented, significant “control over personal information”

24 Fair Information Practices n “Security” recognized as a necessary condition for privacy n “Choice” and how to handle improper uses by those who can see the data n “Accountability” and the law – Go to jail, pay fines, lose your job – Laws state and help establish norms. – Publicity and the press

25 HIPAA as a “Partially Trusted” System n Reasons to share medical data – Treatment -- the nurse, second doctor, etc. – Payment -- insurance verifies that you received service – Research -- scan records for patterns to improve treatment; don’t double-count – Public health -- new case of contagious disease – Many others: oversight, litigation on malpractice, anthrax and alert Homeland Security; etc.

26 HIPAA (medical records) n Reasons not to share medical data – Democracy: people say they want medical privacy – Discrimination: employer or neighbor treats you differently – Encourage useful treatment: substance abuse, mental health, HIV need confidentiality – In short, we want confidence in the system.

27 Basic HIPAA approach n Fair information practices – Notice, choice, access, security, accountability – Chief privacy officer and administrative oversight – Free sharing for treatment, payment, and other listed purposes n For security – “Minimum necessary” use and sharing – Access controls often used to enforce that; let the nurse see data but not the janitor.

28 Technology & Law in HIPAA n Now is time of big shift from paper to electronic medical records. n HIPAA creates law, reg, norms, and institutions to protect privacy. n Access controls and other technical speed bumps to sharing; not strict “trusted system” n Diversity of settings, with 14% of GDP in health care; so level of protection varies n Overall institutional and legal structure designed to provide better privacy than if no rule.

29 Summary on the Law n “Defense in depth” as a strategy for providing control over personal data – Technology as a necessary condition – Legal rules: sanctions, norms – Institutions: administrative oversight in the organization, by CIO, CPO, and others – Publicity and the press lead to accountability. n No formal proof that privacy is protected

30 IV. Combining the Two Approaches n Technology cannot determine what is (or should be) legal. n Laws cannot determine what is technologically feasible. n “Systems” include people and procedures as well as hardware and software.

31 Use Technology for What It’s Good At n Storing large amounts of data n Transmitting large amounts of data n Retrieving or computing one piece of data that’s needed while hiding the rest of the data n Encoding and applying complex but deterministic rules for processing data

32 Don’t Rely Exclusively on Technology for Things It’s Not Good At n Deciding what personal information “should” and “should not” be used for n Pre-empting political disagreement about how to use this information n Encoding and applying rules that inherently involve human judgment

33 Institutional Support for Data Privacy n CIOs and CPOs n Privacy-impact assessments – Now required for new federal computer systems – Should facilitate technical and legal input early in design phase ? Strategy for legacy systems

34 Components of (Really) Trustworthy Systems 1 n Ownership, rights, and responsibilities in the personal-information domain – Laws – Enterprise policies – Public awareness and understanding n Technological support for compliance with the rules – Prevention of misuse – Detection and auditing – “Warning signs” for users

35 Components of (Really) Trustworthy Systems 2 n People and procedures to complement technological support for compliance n Penalties for failures to comply – No one can violate law with impunity. – Enterprises cannot violate their own policies with impunity.

36 Example: Airline Passenger-Record Transfers n Misleading user agreements ? n Inadequate tech support for policies and inadequate warnings about potential violations ? n Inadequate penalties for violations ? Would trustworthy systems of this sort have prevented the recent problems at Jet Blue, Northwest, and American ?

37 Components of (Partially) Trustworthy Systems n HIPAA as example of complex data uses, for diverse set of users and systems n Won’t get (really) trustworthy system n The rationale for the regulation is that defense in depth by (laws + technology + institutions + norms) create an overall regime that is better than alternatives. n Improved tech improves overall system.

38 V. Conclusion n It is too early to draw conclusions! n As a society, we are still at the beginning of our attempt to gain (at least some) control over personal information. n Questions?

Download ppt "“Control of Personal Information: A Dialogue Between a Technologist and a Lawyer” Radcliffe Inst. and Harvard Div. of E&AS Symposium on Security and Privacy."

Similar presentations

Better Security and Privacy for Home Broadband Peter P. Swire Moritz College of Law The Ohio State University Morrison & Foerster LLP Privacy 2002 Conference.

Better Security and Privacy for Home Broadband Peter P. Swire Moritz College of Law The Ohio State University Morrison & Foerster LLP Privacy 2002 Conference.
Safeguarding Data to Ensure Effective Data Use Paige Kowalski |Director| State Policy & Advocacy July 2014.

Safeguarding Data to Ensure Effective Data Use Paige Kowalski |Director| State Policy & Advocacy July 2014.
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA and Privacy An Overview of the New Federal Requirements of the Health Insurance Portability and Accountability Act (HIPAA) Reid Cushman, UM Ethics.

HIPAA and Privacy An Overview of the New Federal Requirements of the Health Insurance Portability and Accountability Act (HIPAA) Reid Cushman, UM Ethics.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
Confidentiality and HIPAA

Confidentiality and HIPAA
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
1 Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures 01/09/2009 0.

1 Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures 01/09/
ITEC 6324 Health Insurance Portability and Accountability (HIPAA) Act of 1996 Instructor: Dr. E. Crowley Name: Victor Wong Date: 2 Sept. 2004.

ITEC 6324 Health Insurance Portability and Accountability (HIPAA) Act of 1996 Instructor: Dr. E. Crowley Name: Victor Wong Date: 2 Sept
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Are you ready for HIPPO??? Welcome to HIPAA

Are you ready for HIPPO??? Welcome to HIPAA
Professional Nursing Services.  Privacy and Security Training explains:  The requirements of the federal HIPAA/HITEC regulations, state privacy laws.

Professional Nursing Services.  Privacy and Security Training explains:  The requirements of the federal HIPAA/HITEC regulations, state privacy laws.

Similar presentations

Ads by Google