Presentation is loading. Please wait.

Presentation is loading. Please wait.

Accountability, Deterrence, and Identifiability Aaron D. Jaggard U.S. Naval Research Laboratory.

Published byJustina Byrd Modified over 9 years ago

Similar presentations

Presentation on theme: "Accountability, Deterrence, and Identifiability Aaron D. Jaggard U.S. Naval Research Laboratory."— Presentation transcript:

1 Accountability, Deterrence, and Identifiability Aaron D. Jaggard U.S. Naval Research Laboratory

2 Collaborators Joint with Joan Feigenbaum, Rebecca Wright – Parts also with Jim Hendler, Danny Weitzner, and Hongda Xiao

3 Overview “Accountability” is used in lots of ways – Complements preventive security – Is generally viewed as good – This space needs formal definitions What are the goals? Formalize accountability and related notions – Facilitate reasoning about this – Enable comparison (and discussion) across sytems What is the role of identity/identifiability?

4 What Are the End Goals? Deterrence – Focus here Others – Comply with requirements on processes With an eye on these, don’t make things implicit that don’t need to be

5 Temporal Spectrum [FJWX’12] PreventionDetectionEvidenceJudgmentPunishment Violation Many systems focus on various (different) aspects of evidence/judgment/punishment – E.g., accountable blacklistable credentials, accountable signatures, e-cash, reputation schemes,...

6 Focus on Punishment Shift focus – At least if end goal is deterrence – Effect on violator instead of information about Reduce the built-in identity assumptions – May still want to use evidence, etc., but don’t want this (and especially identity) implicit in definitions

7 Comments on Accountability “Accountability is a protean concept, a placeholder for multiple contemporary anxieties.” [Mashaw] “[A]ccountability has not yet had time to accumulate a substantial tradition of academic analysis.... [T]here has been little agreement, or even common ground of disagreement, over the general nature of accountability or its various mechanisms.” [Mulgan]

8 A CS Definition of Accountability “Accountability is the ability to hold an entity, such as a person or organization, responsible for its actions.” [Lampson]

9 Working Definition [FJW’11] An entity is accountable with respect to some policy (or accountable for obeying the policy) if, whenever the entity violates the policy, then, with some non-zero probability, it is, or could be, punished.

10 Working Definition of Accountability Builds on definition of Lampson – Avoids “hold... responsible”---explicitly don’t require external action Shift focus from evidence and judgment to punishment – Reduce need for identity – May want to reserve “accountable” for when violator is identified [Weitzner] Need to be able to distinguish those cases

11 Punishment Desiderata Unrelated things events shouldn’t affect whether a violator is viewed as being punished – “Luck” shouldn’t affect things – Punishment should be related to violation in question

12 Automatic and Mediated Punishment Intuitively: – Punishment should be connected to the violation – Punishment could be mediated by the action(s) of some authority responding to the violation (or a conviction) – Punishment could happen without any punishing act being done This might reduce need for identifiability!

13 Formal Model (Outline) [FJW’11] System behavior as event traces Utility functions for participants – Maybe only know distribution or “typical” utility Principal(s) associated to events What qualifies as “punishment” for a violation?

14 Mediated Punishment Punishing event must be caused by the fact of the violation Compare outcomes after punishment with those without the punishment – Need to remove other events caused by the violation Punishing event Subtrace Violation

15 Approach: Automatic Punishment The violation is automatically punished if the violator’s utility is lower in the outcomes extending the violating trace Te than in the outcomes extending T but not Te. Violation e T

16 Example: Three Strikes Using “typical” utilities, we capture the idea that even sociopaths are punished – Expected utilities might be skewed What is “effective” punishment?

17 Open/Closed Systems Degree to which a system is “open” or “closed” appears to be important Principals, identities/nyms, and systems – What does system boundary require of mapping between principals and identities Computational or algebraic restrictions Example potential tradeoff – Deterrence may be effective if we punish the nym Contexts where being able to act using that identity is important Wouldn’t need to be able to invert mapping – Other times, may need more (computable) information about mapping

18 Primitives Temporal spectrum (evidence, judgment, punishment) – What do these need to provide abstractly? E.g., to what extent must evidence be independently verifiable? Blame/violation Causality Identity-related – Binding between principals and identities; linkages between actions

19 Other Dimensions [FJWX’12] Information – Is identity required to participate in the system? – Are violations disclosed? How broadly? – Is the violator identified? How broadly? Action – Centralized v. decentralized (generally and in response to violations) – Automatic v. mediated – Requires continued access to violator?

20 Social Aspects Should we reserve “accountability” for approaches that require identification? That might be consistent with common uses of “to hold someone accountable.” – This may not be the fundamental goal; we may really be after deterrence. – One can be deterred even if one will not be identified Possible approach: Allay user concerns by promoting “deterrence” instead of “accountability”

21 Questions Are these the right notions to formalize? – Will this framework be useful for proving things? – Capturing identity? What about related notions – Compensation, detection/diagnostics, authorization Open/closed systems – Compare with international-relations example of non-accountability Subset/delegated accountability – Don’t (immediately) have individual punishment – Reduce level of identifiability – How to induce participation?

Download ppt "Accountability, Deterrence, and Identifiability Aaron D. Jaggard U.S. Naval Research Laboratory."

Similar presentations

TAKING PART CONFERENCE: OPEN SPACES: SUMMARY Taking Part Conference Venues: Southbank Centre and Goldsmiths, University of London Dates: October 29th and.

TAKING PART CONFERENCE: OPEN SPACES: SUMMARY Taking Part Conference Venues: Southbank Centre and Goldsmiths, University of London Dates: October 29th and.
Immanuel Kant ( ) Theory of Aesthetics

Immanuel Kant ( ) Theory of Aesthetics
D u k e S y s t e m s Time, clocks, and consistency and the JMM Jeff Chase Duke University.

D u k e S y s t e m s Time, clocks, and consistency and the JMM Jeff Chase Duke University.
Legal Options to Secure Community-Based Property Rights. Fernanda Almeida.

Legal Options to Secure Community-Based Property Rights. Fernanda Almeida.
4/30/20151 Quality Assurance Overview. 4/30/20152 Quality Assurance System Overview FY 04/05- new Quality Assurance tools implemented, taking into consideration.

4/30/20151 Quality Assurance Overview. 4/30/20152 Quality Assurance System Overview FY 04/05- new Quality Assurance tools implemented, taking into consideration.
Auditing Concepts.

Auditing Concepts.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
1 1 What Is Economics? Why does public discussion of economic policy so often show the abysmal ignorance of the participants? Whey do I so often want.

1 1 What Is Economics? Why does public discussion of economic policy so often show the abysmal ignorance of the participants? Whey do I so often want.
A Game-theoretic Approach to the Design of Self-Protection and Self-Healing Mechanisms in Autonomic Computing Systems Birendra Mishra Anderson School of.

A Game-theoretic Approach to the Design of Self-Protection and Self-Healing Mechanisms in Autonomic Computing Systems Birendra Mishra Anderson School of.
1 Accountability and Deterrence in Online Life Joan Feigenbaum 3 rd Web Sciences Conf.; June 16, 2011 Joint work with.

1 Accountability and Deterrence in Online Life Joan Feigenbaum 3 rd Web Sciences Conf.; June 16, 2011 Joint work with.
OASIS Reference Model for Service Oriented Architecture 1.0

OASIS Reference Model for Service Oriented Architecture 1.0
Towards a Better Understanding of Accountability Work in progress (joint with Joan Feigenbaum and Rebecca Wright) 10 December 2010 Security & Privacy Day.

Towards a Better Understanding of Accountability Work in progress (joint with Joan Feigenbaum and Rebecca Wright) 10 December 2010 Security & Privacy Day.
QR 38 4/10 and 4/12/07 Bayes’ Theorem I. Bayes’ Rule II. Updating beliefs in deterrence III. Hegemonic policy.

QR 38 4/10 and 4/12/07 Bayes’ Theorem I. Bayes’ Rule II. Updating beliefs in deterrence III. Hegemonic policy.
Psychological Aspects of Risk Management and Technology – G. Grote ETHZ, Fall09 Psychological Aspects of Risk Management and Technology – Overview.

Psychological Aspects of Risk Management and Technology – G. Grote ETHZ, Fall09 Psychological Aspects of Risk Management and Technology – Overview.
Specifying a Purpose, Research Questions or Hypothesis

Specifying a Purpose, Research Questions or Hypothesis
Introduction and Overview “the grid” – a proposed distributed computing infrastructure for advanced science and engineering. Purpose: grid concept is motivated.

Introduction and Overview “the grid” – a proposed distributed computing infrastructure for advanced science and engineering. Purpose: grid concept is motivated.
The Architecture Design Process

The Architecture Design Process
Determinants of Judgment Performance By: Lea Sulaiman Saputra D1555.

Determinants of Judgment Performance By: Lea Sulaiman Saputra D1555.
Specifying a Purpose, Research Questions or Hypothesis

Specifying a Purpose, Research Questions or Hypothesis
1 Ivan Lanese Computer Science Department University of Bologna Italy Concurrent and located synchronizations in π-calculus.

1 Ivan Lanese Computer Science Department University of Bologna Italy Concurrent and located synchronizations in π-calculus.

Similar presentations

Ads by Google