Group D Privacy with accountability, auditability and transparency

1
Group DPrivacy with accountability,
auditability and transparency
2
Accountability, auditability and transparency in
service of Privacy
3
Grand Challenge Statement

• Develop technologies that allow individuals,
  governments and organizations to control the
  release and use of information according to
  flexible and understandable policies.

4
Motivating Scenario

• It will soon be possible to determine an
  individuals complete genome
• Terrific benefits
• Customized medical treatments
• Knowledge of predisposition for diseases
• Aid medical research
• Terrific risk of abuse
• Unauthorized use by insurance, employers, law
  enforcement

5
Enabling Assumptions

1. There will be semi-trusted computing platforms
   (can provide a program to a machine and believe
   it will execute it only as intended).
2. Legal mechanisms will be in place to sufficiently
   deter misuse.
3. Perfect encryption primitives are available.

We dont believe any of these exist yet but
close enough approximations do.
6
Policy Questions

• Who should set the policies?
• Individuals change balance of power
• It shouldnt be up to individuals to understand
  and agree to a services privacy policy
• Instead, individuals provide data in a way that
  enforces their policies, and the service decides
  what service to provide
• Society owner is not only one impacted
• Releasing my genome also releases information
  about my sister, parents, etc.
• Society may deserve to know about criminal
  records, infectious diseases, etc.

Non-technical issues, but technology must be
able to support range of desired policies.
7
Policy Questions

• How do you express and reason about policies?
• Average users need to understand what policies
  allow and disallow, and select (maybe define)
  policies that reflect their intent
• Privacy policies are complex release of
  information, history, location (jurisdiction),
  remnants, independence
• Transfers between programs and organizations

Design languages for defining policies, tools for
reasoning about what policies allow, models for
presenting policies that are understandable
8
Accountability

• Need workarounds Doctor in foreign country
  should be able to get medical history of
  unconscious patient
• Auditability policies can specify that
  information is only released if an audit record
  is produced
• Privacy of requestor may conflict with policy
• Policies can relate information release and use
  to accountability of user credentials expand
  accountability, laws in users jurisdiction

9
Enforcement

• Control for release and use of data has to be
  part of data itself
• Programs that release information according to a
  policy (DRM-like)
• Constrain the use of that information after it is
  released to one program, but not yet to another
  (or a human)
• Revocation if there is a mistake, can we
  retrieve all information derived from bad data

10
Timeline
Now
3 years
5 years
7 years
Revocation
Control Use
Control Release
Enforcement
Policies that vary with Accountability,
Society-level policies
Understandable Release Policies For Individuals
Policies that depend on jurisdiction, revocation p
olicies
Policies
11
Impact

• Success criterion
• People are willing to provide their genome to
  medical databases in a way that enables
  customized treatments and medical research,
  without fear that it will be abused.

12
Recap Challenge Statement

• Develop technologies that allow individuals,
  governments and organizations to control the
  release and use of information according to
  flexible and understandable policies.