Is Transparency a useful Paradigm for Privacy?

Transcription

1 Is Transparency a useful Paradigm for Privacy? Shonan Seminar, August 6 th, 2013 Japan Prof. Dr. Dr. h.c. Günter Müller Institute of Computer Science and Social Studies Department of Telematics

2 Outline A Privacy and its conceptions B Big Data Privacy C D E F PET: Example Identity Management 4 Myths of PET The three Hurdles of TET Meta Model and Questions for the Seminar

3 The Users View on Privacy Don t copy my data Delete my data if I say so

4 The American View on Privacy The right to be left alone. Louis Brandeis, 1890 (Harvard Law Review) Numerous mechanical devices threaten to make good the prediction that what is whispered in the closet shall be proclaimed from the housetops Spatial understanding of Privacy Louis D. Brandeis,

5 European View on Privacy Privacy and Civilization Jewish law ( free from being watched ) Justice of Peace act (England 1361) Privacy is a human right Universal declaration of human rights, article 12 (1948) European convention on human rights, article 8 (1970) The desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitude and their behavior to others. Alan Westin, 1967 ( Privacy And Freedom ) 5

6 Do Non-functional Views Matter? Informational self-determination (Germany, Japan, EU) Privacy sphere Spatial privacy (Anglo- Saxon) My Home is my castle "I don't want to live in a world where there's no privacy, and therefore no room for intellectual exploration and creativity. (Snowden 2013) Young people should change their names at 6 a certain age. Eric Schmidt (Google), 2012

7 Do Users care? Behavioral Patterns and Privacy Paradox Privacy laymen 1 (SL 1): The credulous naiv Absolute majority 65% Willingness to learn and sense of danger extremely low Privacy Enforcers (SL 3): The self-confident expert Frequent use of Internet Expertise on Privacy mechanisms Approx. 15 % of the users The Internet Trustee 2 (SL 2): The impatient expert or the Privacy partadox Privacy violations are considered important Privacy mechanisms are only used with immediate comprehensibility and without extra efforts Approx. 20% of the users Kaiser J., Reichenbach M.: Evaluating Usable Security; IFIP 2002 Accquisti A., Gross R., Stutzmann F.:Silent Listeners: The Evolution of Privacy and Disclosure on Facebook; Journal of Privacy and Condentiality (2012) 7

8 Outline A Privacy and its conceptions B Big Data Privacy C D E F PET: Example Identity Management 4 Myths of PET The three Hurdles of TET Meta Model and Questions for the Seminar

9 Big Data and Privacy: Data Collection - Collecting unrelated data - How do you want to appear to your friends - Where are you? - How do you live?

10 Regulation at the wrong place Data consumer Data provider d, d Data consumer d Data provider Emphasis on Prevention: Legal: Data Minimization Technical: Privacy Enhancing Technology (PET) New challenge: Transparency Legal: Monitoring of data usage Technical: Transparency Enhancing Technology (TET)

11 The Business Model of Data Centric Services Business Model Service Provider Consumer Free service Advertising platform Business Customer Value (v1) Value (v2) Privacy by Hiding Privacy by Transparency Policy Dashboard Analytics 11

12 Outline A Privacy and its conceptions B Big Data Privacy C D E F PET: Example Identity Management 4 Myths of PET The three Hurdles of TET Information Assymmetry and Meta Model?

13 Privacy Options Prevention Detection Provider can guarantee adherence to an obligation Undetected vulnerabilites lead to Privacy leaks 100% Privacy according to privacy model Provider can detect violation of an obligation either before, during or after transaction A: Transparency is either lack of any protection mechanism B: Transparency is Prevention by tracing actions 13

14 PET - TET Usage Control TET Transparency Enhancing Technology Privacy PII Detection PET Privacy Enhancing Technology Privacy Transparency Pseudonymity Attributes / PII Fully Anonymity 14

15 PET: Identity Management (IM) 15 Alice = Bob, Tarzan, , I m Bob Bob: 1975 You re born 1975 Master ID: Alice Tarzan: UTA I m Tarzan Universal Theatre Abo owns (a) cert of birth < today -18, (b) UTA cert, all to same MasterID : Ticket show certified attributes Ticket for the evening theatre Prof. Dr. G. Müller 15

16 PET: Identity - Problems Declared values may be untrustworthy More information requested than necessary (violates basic privacy principle) Regular security breaches that compromise credentials Linkability of transactions: Transactions of the same person can be identified... even if purchase is otherwise anonymous (KU Leuven: 94% of all Browser can be correctly connected to user. 16

17 Outline A Privacy and its conceptions B Big Data Privacy C D E F PET: Example Identity Management 4 Myths of PET The three Hurdles of TET Meta Model and Questions for the Seminar

18 The four Myth about PET Myth # 1: The major privacy risk is from unauthorized access to information Reality: 80% of all security and privacy breaches are from within. Myth # 2: Privacy can be adequately protected by removing personally identifying information (PII) from records to be released. Reality: PII not needed, Statiscal accuracy, KU Leven with Browser Myth # 3: Notice and choice is an adequate framework for privacy protection Reality: Intermediary role of Provider leaves opt-out with large costs Myth # 4: Privacy is about individuals Reality: Profiles are more about association to classes of behavior 18

19 Myth # 1: Finding Medical Records (Sweeney 2002) Former Governor of Massachusetts

20 Myth #2: Removing Personal Data Amazon Robertson shilled

21 Myth # 3: Notice and Choice Information Leakage from Social Networks Jernigan and Mistree (2007) 21

22 Fraction of users 1-identified Myth # 4: Identification and item suppression 0,6 0,5 0,4 0,3 Drop 88% of items to protect current users against 1- identification! 88% of items => 28% ratings 0,2 0, ,2 0,4 0,6 0,8 1 Fraction of items suppressed

23 Outline A Privacy and its conceptions B Big Data Privacy C D E F PET: Example Identity Management 4 Myths of PET The three Hurdles of TET Meta Model and Questions for the Seminar

24 TET Usage Control TET Transparency Enhancing Technology Privacy PII Detection PET Privacy Enhancing Technology Privacy Transparency Pseudonymity Attributes / PII Fully Anonymity 24

25 Analysis of Transparency and Control Provisions: cover the time up to the access ( past and present ) Obligations: cover the time after the access ( future ) Set of rules rule = access control part + contracts contract = obligation + enforcement info controllable contracts observable contracts trusted contracts Provisions Obligations request access t 25

26 Enforcement 1:Service Request and Policy identification 2: Acceptance / Evaluation / Access 4: Log/ Audit / Compliance 3: Enforcement of Policy

27 Step 1: Distribution Tr(MüPri.JPG, MüFaceb.,Amazon) Trace(Content, Issuer, Receiver)

28 Step 1: Distribution Tr(MüPri.JPG, MüFaceb.,Amazon) Tr(MüPri.JPG, Amazon.,Twitter). Tr(MüPri.JPG, MüFaceb.,Amazon) Trace(Content, Issuer, Receiver)

29 Step 1: Distribution Tr(MüPri.JPG, MüFaceb.,Amazon) Tr(MüPri.JPG, Amazon.,Twitter) Tr(MüPri.JPG, MüFaceb.,Amazon) Trace(Content, Issuer, Receiver)

30 Step 1: Distribution Tr(MüPri.JPG, MüFaceb.,Amazon) Tr(MüPri.JPG, Amazon.,Twitter) Tr(MüPri.JPG, MüFaceb.,Amazon) Tr(MüPri.JPG,J.Friends, Instagram) Trace(Content, Issuer, Receiver) Tr(MüPri.JPG,J.Friends, Anonym)

31 Step 1: Distribution Tr(MüPri.JPG, MüFaceb.,Amazon) Tr(MüPri.JPG, Amazon.,Twitter) Tr(MüPri.JPG, MüFaceb.,Amazon) Tr(MüPri.JPG,J.Friends, Instagram) Trace(Content, Issuer, Receiver) Tr(MüPri.JPG,J.Friends, Anonym) Tr(MüPri.JPG,Anonym,Sasaki) Tr(MüPri.JPG,J.Friends, Anonym) Tr(MüPri.JPG, MüFaceb.,J.Friends Tr(MüPri.JPG,Anonym,Joa) Tr(MüPri.JPG,J.Friends, Anonym) Tr(MüPri.JPG, MüFaceb.,J.Friends

32 Step 1: Distribution Tr(MüPri.JPG, MüFaceb.,Amazon) Tr(MüPri.JPG, Amazon.,Twitter) Tr(MüPri.JPG, MüFaceb.,Amazon) Tr(MüPri.JPG,J.Friends, Instagram) Tr(MüPri.JPG,Joa,TheSun) Tr(MüPri.JPG,Anonym,Joa) Tr(MüPri.JPG,J.Friends, Anonym) Trace(Content, Issuer, Receiver) Tr(MüPri.JPG,J.Friends, Anonym) Tr(MüPri.JPG,Anonym,Sasaki) Tr(MüPri.JPG,J.Friends, Anonym) Tr(MüPri.JPG,Anonym,Joa) Tr(MüPri.JPG,J.Friends, Anonym) Tr(MüPri.JPG,Joa,TuWien) Tr(MüPri.JPG,Anonym,Joa) Tr(MüPri.JPG,J.Friends, Anonym)

33 Step 2: Tracking Tr(MüPri.JPG, MüFaceb.,Amazon) Tr(MüPri.JPG, Amazon.,Twitter) Tr(MüPri.JPG, MüFaceb.,Amazon) Tr(MüPri.JPG,J.Friends, Instagram) Tr(MüPri.JPG,Joa,TheSun) Tr(MüPri.JPG,Anonym,Joa) Tr(MüPri.JPG,J.Friends, Anonym) Trace(Content, Issuer, Receiver) Tr(MüPri.JPG,J.Friends, Anonym) Tr(MüPri.JPG,Anonym,Sasaki) Tr(MüPri.JPG,J.Friends, Anonym) Tr(MüPri.JPG, MüFaceb.,J.Friends Tr(MüPri.JPG,Anonym,Joa) Tr(MüPri.JPG,J.Friends, Anonym) Tr(MüPri.JPG, MüFaceb.,J.Friends Tr(MüPri.JPG,Joa,TuWien) Tr(MüPri.JPG,Anonym,Joa) Tr(MüPri.JPG,J.Friends, Anonym)

34 Step 2: Tracking Tr(MüPri.JPG, MüFaceb.,Amazon) Tr(MüPri.JPG, Amazon.,Twitter) Tr(MüPri.JPG, MüFaceb.,Amazon) Tr(MüPri.JPG,J.Friends, Instagram)????????? Anonymous????????? Tr(MüPri.JPG,Anonym,Joa) Tr(MüPri.JPG,J.Friends, Anonym) Tr(MüPri.JPG, MüFaceb.,J.Friends Trace(Content, Issuer, Receiver) Tr(MüPri.JPG,Anonym,Sasaki) Tr(MüPri.JPG,J.Friends, Anonym) Tr(MüPri.JPG, MüFaceb.,J.Friends

35 Step 2: Tracking Tr(MüPri.JPG, MüFaceb.,Amazon) Tr(MüPri.JPG, Amazon.,Twitter) Tr(MüPri.JPG, MüFaceb.,Amazon) Tr(MüPri.JPG,J.Friends, Instagram) Tr(MüPri.JPG,MüFaceb.,J.Friends) MüFaceb.,J.Friends)????????? Anonymous????????? Trace(Content, Issuer, Receiver)

36 Step 2: Tracking Tr(MüPri.JPG, MüFaceb.,Amazon) Tr(MüPri.JPG, Amazon.,Twitter) Tr(MüPri.JPG, MüFaceb.,Amazon)????????? Anonymous????????? Trace(Content, Issuer, Receiver)

37 Step 2: Tracking Tr(MüPri.JPG, MüFaceb.,Amazon) Tr(MüPri.JPG, Amazon.,Twitter) Tr(MüPri.JPG, MüFaceb.,Amazon)????????? Anonymous????????? Trace(Content, Issuer, Receiver)

38 Step 2: Tracking Tr(MüPri.JPG, Mü.FB.,Amazon)????????? Anonymous????????? Trace(Content, Issuer, Receiver)

39 Step 3: Enforcement OASIS Architecture Subject Ff User Service PEP Policy enforcement point Request Referencemonitor Object WEB SERVICE Authorisation Request PDP Policy decision point Policyrequest Authorisation answer Policyrules Contextinformation Request Contextinformation PIP Policy information point PRP Policy retrieval point Policy PAP Policy administration point Policy Store Nach: O Neill: WS Security, McGraw-Hill 39

40 Outline A Privacy and its conceptions B Big Data Privacy C D E F PET: Example Identity Management 4 Myths of PET The three Hurdles of TET Meta Model and Questions for the Seminar

41 Information Assymetry Screening Signalling Privacy an error of evolution? Transparency XOR Suspicion? Privacy limits technical progress Privacy is follower of technology... 41

42 Architecture Layers Freiburg Meta Model Business Application Infrastructure Business Rules Data Objects Artifacts Business Objects Application Service Business Processes Infrastructure Service Business Goals Application Component Representation Business Roles Application Roles Subjects Security, Privacy and e Requirements By design Runtime A posteriori Mechanisms

43 Seminar Questions A: Is Privacy and transparency a contradiction, since it cannot prevent violations? B: What is the relation between user s privacy concerns and their trust in a particular service, based on the research available to this end? C: Does the available body of evidence support the assumption that more transparency would lead to more trust? D. Which transparency enhancing tools are available and in use at this moment, and what is experience with regard to enhancing privacy? E. What are the societal requirements, and does privacy lead to behavioral changes, economic inefficiencies caused by a setback in technical progress?