1. Group D Privacy with accountability, auditability and transparency

2. Accountability, auditability and transparency in service of Privacy

3. 18 Nov 2003 3 Grand Challenge Statement Develop technologies that allow individuals, governments and organizations to control the release and use of information according to flexible and understandable policies.

4. 18 Nov 2003 4 Motivating Scenario It will soon be possible to determine an individual’s complete genome Terrific benefits: –Customized medical treatments –Knowledge of predisposition for diseases –Aid medical research Terrific risk of abuse: –Unauthorized use by insurance, employers, law enforcement

5. 18 Nov 2003 5 Enabling Assumptions 1.There will be semi-trusted computing platforms (can provide a program to a machine and believe it will execute it only as intended). 2.Legal mechanisms will be in place to sufficiently deter misuse. 3.Perfect encryption primitives are available. We don’t believe any of these exist yet… but close enough approximations do.

6. 18 Nov 2003 6 Policy Questions Who should set the policies? –Individuals: change balance of power It shouldn’t be up to individuals to understand and agree to a service’s privacy policy Instead, individuals provide data in a way that enforces their policies, and the service decides what service to provide –Society: “owner” is not only one impacted Releasing my genome also releases information about my sister, parents, etc. Society may deserve to know about criminal records, infectious diseases, etc. Non-technical issues, but technology must be able to support range of desired policies.

7. 18 Nov 2003 7 Policy Questions How do you express and reason about policies? –Average users need to understand what policies allow and disallow, and select (maybe define) policies that reflect their intent –Privacy policies are complex: release of information, history, location (jurisdiction), remnants, independence –Transfers between programs and organizations Design languages for defining policies, tools for reasoning about what policies allow, models for presenting policies that are understandable

8. 18 Nov 2003 8 Accountability Need workarounds: Doctor in foreign country should be able to get medical history of unconscious patient Auditability: policies can specify that information is only released if an audit record is produced –Privacy of requestor may conflict with policy Policies can relate information release and use to accountability of user: credentials expand accountability, laws in user’s jurisdiction

9. 18 Nov 2003 9 Enforcement Control for release and use of data has to be part of data itself –Programs that release information according to a policy (DRM-like) Constrain the use of that information after it is released to one program, but not yet to another (or a human) Revocation: if there is a mistake, can we retrieve all information derived from bad data

10. 18 Nov 2003 10 Timeline Now3 years5 years7 years RevocationControl Use Control Release Enforcement Policies that depend on jurisdiction, revocation policies Policies that vary with Accountability, Society-level policies Understandable Release Policies For Individuals Policies

11. 18 Nov 2003 11 Impact Success criterion: People are willing to provide their genome to medical databases in a way that enables customized treatments and medical research, without fear that it will be abused.

12. 18 Nov 2003 12 Recap: Challenge Statement Develop technologies that allow individuals, governments and organizations to control the release and use of information according to flexible and understandable policies.