Published by Branden Nelson, modified over 9 years ago.
Slide 1: PRIVACY AS / AND CONTEXTUAL INTEGRITY
Fall 2011, Privacy & Security, Virginia Tech, Computer Science
Helen Nissenbaum
Presented by Neelima Krishnan
Slide 2: Paper 1, Privacy as Contextual Integrity, in a nutshell
- Definition of the core problem.
- Discussion of 3 scenarios.
- A 3-principle framework.
- Defining contextual integrity.
Slide 3: What the paper defines
The core problem: public surveillance, what it means and how it can affect people. A brief introduction.
Slide 4: Defining public surveillance
Monitoring of individuals in public through a variety of media (audio, video, online data).
Where is the data stored?
1. Stand-alone systems
2. Massive databases of government and other institutions
3. Distributed networks of computers/devices
Slide 5: Cons
Hepting v. AT&T is a United States class action lawsuit filed in January 2006 by the Electronic Frontier Foundation (EFF) against AT&T.
Details of the case: AT&T permitted the NSA to unlawfully monitor communications in the USA. This included:
1. AT&T customers, businesses, and third parties whose communications were routed through AT&T's network, and also Voice over IP calls made through the internet.
Slide 6: Scenario 1/3
Case 1: Public records online. Initiatives to place public records online:
a. arrest records
b. driving records
c. birth and death records
d. marriage records
e. public school information
f. property ownership
g. community planning records
h. court records
Slide 7: Are these worries rational? Is there genuine cause for resistance?
Pros:
- Open government.
- Dating services / matrimonial services.
- Building a family tree.
Cons:
- Concern??!
- Protested by the National Network to End Domestic Violence and the American Civil Liberties Union. WHY?
- Property ownership issues.
Slide 8: Scenario 2/3
Case 2: Consumer profiling and data mining. All commercial activities leave digital trails that are stored away in large databases somewhere, used by companies for mining "gold"! Often the information in question is not confidential or sensitive in nature. Why do people react with indignation?
Quoted example: Lotus Marketplace, where your privacy is someone else's business.
Slide 9: Scenario 3/3
Case 3: Radio Frequency Identification (RFID) tags. This case focuses attention on enhanced modes of gathering or capturing information, as in automated road toll systems like EZ Pass, video surveillance and face recognition systems, web browser cookies, biometrics and thermal imaging.
Slide 10: Solution proposed, principle 1/3
1. Protecting privacy of individuals against intrusive government agents.
Slide 11: What can protect us
The Fourth Amendment: "[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
Slide 12: Just in case you are interested
http://groups.csail.mit.edu/mac/classes/6.805/student-papers/fall07-papers/social-networks.pdf
Slide 13: Principle 2/3
Principle 2: Restricting access to intimate, sensitive, or confidential information. Giving privileges to data:
1. Non-classified
   a. Public information
   b. Personal information
   c. Routine business information
   d. Private
   e. Confidential business information
2. Classified
   a. Confidential
   b. Secret
   c. Top Secret
Slide 14: Principle 3/3
Principle 3: Curtailing intrusions into spaces or spheres deemed private or personal: "a man's home is his castle". The Bill of Rights of the U.S. Constitution expresses commitment to a protected private zone in the Third and Fourth Amendments, defining explicit limits on government access to a home:
1. quartering soldiers in the Third,
2. security against search and seizure in the Fourth.
Slide 15: Quoted case
California v. Greenwood. Highlights:
- Inspector Jenny Stracner suspects Greenwood of selling drugs.
- Stracner asked the neighborhood's regular trash collector to pick up the plastic garbage bags that Greenwood left on the curb in front of his house.
- In the garbage, she found evidence of drug use.
- She used that information to obtain a warrant to search Greenwood's home.
- The California Superior Court dismissed the case, on the ground that unwarranted trash searches violated the U.S. Constitution's Fourth Amendment, as well as the California Constitution.
- The US Supreme Court granted certiorari and reversed the judgment of the California Court of Appeal.
Slide 16: Court's ruling
"[a]ccordingly, having deposited their garbage in an area particularly suited for public inspection and, in a manner of speaking, public consumption, for the express purpose of having strangers take it, respondents could have had no reasonable expectation of privacy in the inculpatory items that they discarded."
Slide 17: Applying the three principles, some gray areas
- The PATRIOT Act.
- Carnivore.
Analyzing the 3 cases to see if it is possible to draw lines.
Slide 18
1. Applying Principle 2: Drawing lines in the case of intimate and sensitive information is also difficult and can be controversial.
   a. Designate credit headers as personal or not?
   b. Case 1: should public records be available online?
2. Principle 3: Interpretations of what counts as a private space?
   a. Olmstead v. US (1928)
   b. Katz v. US (1967)
   c. Kyllo v. United States (2001)
   d. Employee online activities in office space (pre- and post-9/11)
Slide 19: The three principles and public surveillance
- Public surveillance: does having all records online mean government intrusion, or that it is always wrong?
- Does having RFID tags mean you are always tagged?
- Does online profiling mean you are always watched?
Slide 20: Defining contextual integrity
Two features of the 3-principle framework help us define CI:
- a universal account of what does and does not warrant restrictive, privacy-motivated measures;
- it expresses a right to privacy in terms of dichotomies.
A norm is a set of rules which help us decide whether a message can be transferred from one party to another. This depends on the source, the destination and the appropriateness of the content.
- Personal information revealed in a particular context is always tagged with that context.
- These norms are relative, or non-universal.
Slide 21: How it works
Norms of appropriateness dictate what information about persons is appropriate, or fitting, to reveal in a particular context.
- E.g., a patient can share information about his or her physical condition with the physician, but not vice versa.
Slide 22
"In every case, I quoted, the sort of relationship that people have to one another involves a conception of how it is appropriate for them to behave with each other, and what is more, a conception of the kind and degree of knowledge concerning one another which it is appropriate for them to have."
Slide 23
Norms of distribution (flow): these govern the flow or distribution of information, that is, the movement or transfer of information from one party to another or others.
Example scenarios:
- Between friends.
- Between a physician and a patient.
Slide 24: Applying contextual integrity to the three cases
- Case 1: Having records online. Example of new neighbors moving into a family neighborhood.
- Case 2: Digital footprint. Example of Amazon.com.
- Case 3: RFID tags. Example of customers and a sales assistant.
Slide 25: Paper 2, Privacy and Contextual Integrity
Adam Barth, Anupam Datta, John C. Mitchell, Helen Nissenbaum, Stanford University
Presented by Neelima Krishnan, Virginia Tech
Slide 26: Introduction
This paper presents a formal framework for expressing privacy expectations and privacy practices, inspired by contextual integrity.
- Let's say "Alice gives Bob a certain piece of information about Charles".
- Now, the impact on privacy varies based on context, roles, and the type of information transmitted.
Slide 27: Intro, continued
Two kinds of norms:
- Positive ("allow")
- Negative ("deny")
A positive norm permits communication if its temporal condition is satisfied, whereas a negative norm permits communication only if its temporal condition is satisfied.
Norms are based only on the type of information communicated. Information is assumed to describe an individual rather than a group of individuals.
Slide 28: Defining contextual integrity
A philosophical account of privacy in terms of the transfer of personal information. Who is involved?
- the one from whom the information flows,
- the one to whom the information flows, and
- the one (the information subject) about whom the information is.
Slide 29: The model and the formal language CI
Slides 30 to 32: (formal-language slides, image only; no text extracted)
Slide 33: Roles, Contexts, and Traces
Slide 34: Temporal logic
If Alice tells Bob her age under the principle of confidentiality, then, in the future, Bob must not disclose Alice's age.
Slide 35: (temporal-logic slide, image only; no text extracted)
Slide 36: Norms of transmission
Norms of transmission are expressed as temporal formulas. Each norm is either positive or negative.
- Positive norm: doctor Alice can send patient Charlie's test results to researcher Bob if Bob keeps the records in confidence.
- Negative norm: communication can occur only if the temporal condition is satisfied. Doctor Alice can send patient Charlie's test results to researcher Bob only if Bob keeps the records in confidence.
Slide 37
In order to satisfy the norms, a communication must be allowed by at least one of the positive norms and it must respect all of the negative norms. In the formula on the previous slides, each individual norm applies to a downwardly closed set of attributes.
Suppose Sheiyi wants to send a message to Tom:
- If the rule says "allow disclosure of postal address", then the formula lets you send the postal code too.
- If the rule forbids the postal code from being sent, then the whole disclosure is forbidden.
Slide 38: Properties and relations between policies
A privacy policy regulates what flows of information are permitted between agents in various roles. A policy is a conjunction of contexts, requiring the norms of each context to be respected. Example?
Defining: consistency, entailment, compliance.
Slide 39
- Consistency: a policy is consistent if it is possible for communicating agents to respect the policy.
- Entailment: another metric for evaluating a privacy policy is to compare it against another policy. For example, a hospital's privacy policy should not allow information flows prohibited by HIPAA.
- Compliance: given the sequence of past communications, does the policy permit a contemplated communication and, if so, what future requirements are incurred?
Slide 40: HIPAA rules
Health Insurance Portability and Accountability Act (1996). This rule regulates the transmission of "protected health information" (PHI) by covered entities. It forbids the disclosure of health information except to individuals or organizations acting in certain roles.
Slide 41: (HIPAA norm formulas, image only; no text extracted)
Slide 42: What the formulas represent
- Norm 2: allows Dr. Alice to show Bob an x-ray of his broken leg. It does not, however, allow Dr. Alice to show Bob's x-ray to Charlie. It also does not allow x-ray technician Debbie to give the x-ray to Dr. Alice.
- Norm 3: Dr. Alice is not only a covered entity, but more specifically a health care provider, someone directly involved in the care of a patient. Here, Debbie plays the role of covered entity and is permitted to give Bob's x-ray to Dr. Alice (Bob plays the role of patient).
Slide 43
- Norm 4, a negative norm: suppose Dr. Alice is a psychiatrist and Debbie is a nurse practitioner. Debbie cannot disclose the contents of the psychotherapy notes to the subject of the notes without the prior approval of a psychiatrist (Dr. Alice).
Note: the interplay between the positive and negative norms is subtle. One positive norm (2) permits the disclosure of psychotherapy notes, but a negative norm (4) prevents it (unless approval is obtained).
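The satisfaction rule on slide 37 (a message needs at least one positive norm and must respect every applicable negative norm, with each norm covering a downwardly closed set of attributes), the compliance question on slide 39, and HIPAA norms 2 to 4 from slides 42 and 43, worked through as an added Python example. This is not the paper's formal language or code; the role names, the attribute hierarchy, the "employee to courier" postal example and the psychiatrist's approval message in the trace are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Callable, List

# Constructed attribute hierarchy: an attribute maps to what can be computed from it.
DERIVES = {"postal_address": {"postal_code"}, "health_info": {"xray", "psychotherapy_notes"}}

def closure(attr: str) -> set:
    """attr plus everything computable from it: the downwardly closed set of slide 37."""
    return {attr}.union(*(closure(d) for d in DERIVES.get(attr, ())))

# sender, recipient and subject (the paper's three parties) plus the attribute being sent
Msg = namedtuple("Msg", "sender sender_role recipient recipient_role subject attr")

@dataclass
class Norm:
    positive: bool
    sender_role: str
    recipient_role: str
    attr: str
    cond: Callable[[List[Msg], Msg], bool] = lambda trace, m: True  # temporal condition over the past
    subject_is_recipient: bool = False  # "patient" recipients must be the data subject

    def covers(self, m: Msg) -> bool:
        if (m.sender_role, m.recipient_role) != (self.sender_role, self.recipient_role) or (
                self.subject_is_recipient and m.recipient != m.subject):
            return False
        # allowing t allows anything derivable from t; forbidding t forbids anything that yields t
        return m.attr in closure(self.attr) if self.positive else self.attr in closure(m.attr)

def permitted(policy: List[Norm], trace: List[Msg], m: Msg) -> bool:
    """Some positive norm allows m, and every applicable negative norm's condition holds."""
    pos_ok = any(n.covers(m) and n.cond(trace, m) for n in policy if n.positive)
    neg_ok = all(n.cond(trace, m) for n in policy if not n.positive and n.covers(m))
    return pos_ok and neg_ok

def psychiatrist_approved(trace: List[Msg], m: Msg) -> bool:
    """Norm 4's condition: a psychiatrist earlier approved release of this subject's notes to the sender."""
    return any(p.sender_role == "psychiatrist" and p.recipient == m.sender and p.subject == m.subject
               and p.attr == "approval:psychotherapy_notes" for p in trace)

HIPAA = [  # norms 2 to 4 of slides 42 and 43, in this constructed encoding
    Norm(True, "covered_entity", "patient", "health_info", subject_is_recipient=True),
    Norm(True, "covered_entity", "provider", "health_info"),
    Norm(False, "covered_entity", "patient", "psychotherapy_notes", psychiatrist_approved, True),
]

def demo_postal(forbid_code: bool) -> dict:
    # slide 37: allowing the address lets the postal code through; forbidding the code blocks both
    policy = [Norm(True, "employee", "courier", "postal_address")]
    if forbid_code:
        policy.append(Norm(False, "employee", "courier", "postal_code", lambda t, m: False))
    msg = lambda a: Msg("Sheiyi", "employee", "Tom", "courier", "Customer", a)
    return {a: permitted(policy, [], msg(a)) for a in ("postal_address", "postal_code")}

def demo_hipaa() -> dict:
    # every message below is about patient Bob and is sent by a covered entity
    send = lambda s, r, role, attr: Msg(s, "covered_entity", r, role, "Bob", attr)
    approval = Msg("Alice", "psychiatrist", "Debbie", "covered_entity", "Bob", "approval:psychotherapy_notes")
    return {
        "xray_to_patient": permitted(HIPAA, [], send("Alice", "Bob", "patient", "xray")),
        "xray_to_third_party": permitted(HIPAA, [], send("Alice", "Charlie", "patient", "xray")),
        "xray_tech_to_doctor": permitted(HIPAA, [], send("Debbie", "Alice", "provider", "xray")),
        "notes_without_approval": permitted(HIPAA, [], send("Debbie", "Bob", "patient", "psychotherapy_notes")),
        "notes_after_approval": permitted(HIPAA, [approval], send("Debbie", "Bob", "patient", "psychotherapy_notes")),
    }
```

The compliance check of slide 39 is `permitted(policy, trace, m)`: the trace is the sequence of past communications, and the negative norm's condition is what makes the answer depend on it.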
Slide 44
- Norm 5, a positive norm: allows a covered entity to "disclose the individual's [general] condition and location within the facility to anyone asking for the individual by name".
- Norm 6, a positive norm: allows members of the clergy to obtain information about a patient from the "directory information". Directory information is an attribute that contains (formally, can be used to compute) the individual's name, general condition, religious affiliation, and location within the facility. What the clergy does with this information is beyond the scope of the HIPAA rules.
Slide 45: COPPA
The Children's Online Privacy Protection Act (COPPA) protects the personal information children communicate to web sites. It contains two negative norms that restrict otherwise permissible flows of information. Temporal conditions play a central role in COPPA. What are these temporal conditions?
- Parental consent
- Restricted access
Slide 46: (COPPA norm formulas, image only; no text extracted)
Slide 47
- Norm 7: requires web site operators to obtain parental consent before collecting protected information from children. Notice that the strong form of "since" is required here to ensure that the parent actually granted consent.
- Norm 8: implies the web site operators have to provide 2 things:
  1. a privacy notice describing their information practices;
  2. the specific information they have collected from the child.
COPPA also requires the operator to delete protected information in its possession upon receiving a revocation of consent.
Slide 48: Gramm-Leach-Bliley Act (GLBA)
Broadly, GLBA requires financial institutions to inform their customers of their privacy practices and to allow customers to "opt out" of certain kinds of information disclosures. Financial institutions are required to send their customers privacy notices every year as long as the customer relationship lasts.
There are 2 roles:
- Customer role.
- Consumer role.
And we have non-affiliated companies with whom customers' and consumers' non-public personal information can or cannot be shared. Example?
Slide 49: (GLBA norm formulas, image only; no text extracted)
Slide 50
- The negative norm (9) requires institutions to periodically send privacy notices.
- Norm 10: makes essential use of the three different roles (sender, recipient, and subject), as well as both past and future modalities in its temporal condition.
- Norm 11: expresses the provision for consumers, and GLBA also contains an analogous non-affiliate opt-out norm for customers. That is, consumers and customers also have the option of opting out of the sharing of credit reports and application information.
- Norm 12: expresses that provision, and GLBA contains a similar norm for application information.
Slide 51: Comparison with other models
Slide 52: Helen Nissenbaum, Stanford Center for Internet and Society
http://www.youtube.com/watch?v=4iRESwXnFoA