
Showing papers on "Information privacy" published in 1998


DOI
01 Jan 1998
TL;DR: The concept of minimal generalization is introduced, which captures the property of the release process not to distort the data more than needed to achieve k-anonymity, and possible preference policies to choose among different minimal generalizations are illustrated.
Abstract: Today's globally networked society places great demand on the dissemination and sharing of person-specific data. Situations where aggregate statistical information was once the reporting norm now rely heavily on the transfer of microscopically detailed transaction and encounter information. This happens at a time when more and more historically public information is also electronically available. When these data are linked together, they provide an electronic shadow of a person or organization that is as identifying and personal as a fingerprint, even when the sources of the information contain no explicit identifiers, such as name and phone number. In order to protect the anonymity of individuals to whom released data refer, data holders often remove or encrypt explicit identifiers such as names, addresses and phone numbers. However, other distinctive data, which we term quasi-identifiers, often combine uniquely and can be linked to publicly available information to re-identify individuals. In this paper we address the problem of releasing person-specific data while, at the same time, safeguarding the anonymity of individuals to whom the data refer. The approach is based on the definition of k-anonymity. A table provides k-anonymity if attempts to link explicitly identifying information to its contents ambiguously map the information to at least k entities. We illustrate how k-anonymity can be provided by using generalization and suppression techniques. We introduce the concept of minimal generalization, which captures the property of the release process not to distort the data more than needed to achieve k-anonymity. We illustrate possible preference policies to choose among different minimal generalizations. Finally, we present an algorithm and experimental results when an implementation of the algorithm was used to produce releases of real medical information. We also report on the quality of the released data by measuring precision and completeness of the results for different values of k.

1,257 citations


Proceedings ArticleDOI
01 May 1998
TL;DR: This paper provides a computational disclosure technique for releasing information from a private table such that the identity of any individual to whom the released data refer cannot be definitively recognized, and describes an algorithm that, given a table, computes a preferred minimal generalization to provide anonymity.
Abstract: The proliferation of information on the Internet and access to fast computers with large storage capacities has increased the volume of information collected and disseminated about individuals. The existence of these other data sources makes it much easier to re-identify individuals whose private information is released in data believed to be anonymous. At the same time, increasing demands are made on organizations to release individualized data rather than aggregate statistical information. Even when explicit identifiers, such as name and phone number, are removed or encrypted when releasing individualized data, other characteristic data, which we term quasi-identifiers, can exist which allow the data recipient to re-identify individuals to whom the data refer. In this paper, we provide a computational disclosure technique for releasing information from a private table such that the identity of any individual to whom the released data refer cannot be definitively recognized. Our approach protects against linking to other data. It is based on the concepts of generalization, by which stored values can be replaced with semantically consistent and truthful but less precise alternatives, and of k-anonymity. A table is said to provide k-anonymity when the contained data do not allow the recipient to associate the released information to a set of individuals smaller than k. We introduce the notions of generalized table and of minimal generalization of a table with respect to a k-anonymity requirement. As an optimization problem, the objective is to minimally distort the data while providing adequate protection. We describe an algorithm that, given a table, efficiently computes a preferred minimal generalization to provide anonymity.

845 citations


Proceedings ArticleDOI
23 May 1998
TL;DR: In this paper, the authors introduce a model of symmetrically private information retrieval (SPIR), where the privacy of the data, as well as the privacy of the user, is guaranteed.
Abstract: Private information retrieval (PIR) schemes allow a user to retrieve the ith bit of an n-bit data string x, replicated in k ≥ 2 databases (in the information-theoretic setting) or in k ≥ 1 databases (in the computational setting), while keeping the value of i private. The main cost measure for such a scheme is its communication complexity. In this paper we introduce a model of symmetrically-private information retrieval (SPIR), where the privacy of the data, as well as the privacy of the user, is guaranteed. That is, in every invocation of a SPIR protocol, the user learns only a single physical bit of x and no other information about the data. Previously known PIR schemes severely fail to meet this goal. We show how to transform PIR schemes into SPIR schemes (with information-theoretic privacy), paying a constant factor in communication complexity. To this end, we introduce and utilize a new cryptographic primitive, called conditional disclosure of secrets, which we believe may be a useful building block for the design of other cryptographic protocols. In particular, we get a k-database SPIR scheme of complexity O(n^(1/(2k-1))) for every constant k ≥ 2 and an O(log n)-database SPIR scheme of complexity O(log² n · log log n). All our schemes require only a single round of interaction, and are resilient to any dishonest behavior of the user. These results also yield the first implementation of a distributed version of (n choose 1)-OT (1-out-of-n oblivious transfer) with information-theoretic security and sublinear communication complexity.

485 citations


Book
01 Jan 1998
TL;DR: In this paper, the authors present a conceptual framework for analyzing and debating privacy policy and for designing and developing information systems in Canada and in Europe as well as in the United States.
Abstract: From the Publisher: Privacy is the capacity to negotiate social relationships by controlling access to information about oneself. As laws, policies, and technological developments increasingly structure our relationships with social institutions, privacy faces new threats and new opportunities. The essays in this book provide a new conceptual framework for analyzing and debating privacy policy and for designing and developing information systems. The authors are international experts in the technical, economic, and political aspects of privacy; the book's particular strengths are its synthesis of these three aspects and its treatment of privacy issues in Canada and in Europe as well as in the United States.

343 citations


Posted Content
TL;DR: It is argued that information and communications technology, by facilitating surveillance, by vastly enhancing the collection, storage, and analysis of information, by enabling profiling, data mining and aggregation, has significantly altered the meaning of public information.
Abstract: Philosophical and legal theories of privacy have long recognized the relationship between privacy and information about persons. They have, however, focused on personal, intimate, and sensitive information, assuming that with public information, and information drawn from public spheres, either privacy norms do not apply, or applying privacy norms is so burdensome as to be morally and legally unjustifiable. Against this preponderant view, I argue that information and communications technology, by facilitating surveillance, by vastly enhancing the collection, storage, and analysis of information, by enabling profiling, data mining and aggregation, has significantly altered the meaning of public information. As a result, a satisfactory legal and philosophical understanding of a right to privacy, capable of protecting the important values at stake in protecting privacy, must incorporate, in addition to traditional aspects of privacy, a degree of protection for privacy in public.

254 citations



Journal ArticleDOI
TL;DR: The authors describe several mobile agent systems to illustrate different approaches designers have taken in addressing challenges such as agent mobility, naming, security issues, privacy and integrity, authentication, authorization and access control, and fault tolerance primitives.
Abstract: The article discusses system-level issues and agent programming requirements that arise in the design of mobile agent systems. The authors describe several mobile agent systems to illustrate different approaches designers have taken in addressing these challenges. The following areas are discussed: agent mobility, naming, security issues, privacy and integrity, authentication, authorization and access control, metering and charging mechanisms, programming primitives, agent communication and synchronization primitives, agent monitoring and control primitives, and fault tolerance primitives.

241 citations


Proceedings ArticleDOI
03 May 1998
TL;DR: A new formal semantics for decentralized labels and a corresponding new rule for relabeling data that is both sound and complete are defined, and it is shown that these extensions preserve the ability to statically check information flow.
Abstract: The growing use of mobile code in downloaded applications and servlets has increased interest in robust mechanisms for ensuring privacy and secrecy. Information flow control is intended to directly address privacy and secrecy concerns, but most information flow models are too restrictive to be widely used. The decentralized label model is a new information flow model that extends traditional models with per-principal information flow policies and also permits a safe form of declassification. This paper extends this new model further, making it more flexible and expressive. We define a new formal semantics for decentralized labels and a corresponding new rule for relabeling data that is both sound and complete. We also show that these extensions preserve the ability to statically check information flow.

204 citations


Journal ArticleDOI
TL;DR: In this paper, Kang provides a general primer on privacy in cyberspace, with a clarifying structure of philosophical and technological terms, descriptions, and concepts that will help analyze any problem at the nexus of privacy and computing-communication technologies.
Abstract: Cyberspace is the rapidly growing network of computing and communication technologies that have profoundly altered our lives. We already carry out myriad social, economic, and political transactions through cyberspace, and, as the technology improves, so will their quality and quantity. But the very technology that enables these transactions also makes detailed, cumulative, invisible observation of our selves possible. The potential for wide-ranging surveillance of all our cyber-activities presents a serious threat to information privacy. To help readers grasp the nature of this threat, Professor Jerry Kang starts with a general primer on cyberspace privacy. He provides a clarifying structure of philosophical and technological terms, descriptions, and concepts that will help analyze any problem at the nexus of privacy and computing-communication technologies. In the second half of the article, he focuses sharply on the specific problem of personal data generated in cyberspace transactions. The private sector seeks to exploit this data commercially, primarily for database marketing, but many individuals resist. The dominant approach to solving this problem is to view personal information as a commodity that interested parties should contract for in the course of negotiating a cyberspace transaction. But this approach has so far failed to address a critical question: Which default rules should govern the flow of personal information when parties do not explicitly contract about privacy? On economic efficiency and human dignity

161 citations


Proceedings ArticleDOI
D.W. Manchala
26 May 1998
TL;DR: The paper describes metrics and models for the measurement of trust variables and fuzzy verification of transactions, and describes protocols to minimize breach of privacy and incorporate a non-repudiable context using cryptographic techniques.
Abstract: The paper introduces the notion of quantifiable trust for electronic commerce. It describes metrics and models for the measurement of trust variables and fuzzy verification of transactions. Trust metrics help preserve system availability by determining risk on transactions. Furthermore, when several entities are involved in electronic transactions, previously known techniques are applied for trust propagation. Malicious transacting entities may try to illegitimately gain access to private trust information. Suitable protocols are developed to minimize breach of privacy and incorporate a non-repudiable context using cryptographic techniques.

160 citations



ReportDOI
01 Jul 1998
TL;DR: In this paper, the authors explore the implications of changes in the health care delivery system for privacy and confidentiality; relevant national and international developments in public policies, professional standards, and laws; recommendations; and the identification of research needs.
Abstract: Few developments are likely to affect human beings more profoundly in the long run than the discoveries resulting from advances in modern genetics. Although the developments in genetic technology promise to provide many additional benefits, their application to genetic screening poses ethical, social, and legal questions, many of which are rooted in issues of privacy and confidentiality. The ethical, practical, and legal ramifications of these and related questions are explored in depth. The broad range of topics includes: the privacy and confidentiality of genetic information; the challenges to privacy and confidentiality that may be projected to result from the emerging genetic technologies; the role of informed consent in protecting the confidentiality of genetic information in the clinical setting; the potential uses of genetic information by third parties; the implications of changes in the health care delivery system for privacy and confidentiality; relevant national and international developments in public policies, professional standards, and laws; recommendations; and the identification of research needs.

Journal ArticleDOI
TL;DR: A survey of the three versions of SNMP is provided, including a discussion of the way in which management information is represented and the protocol functionality.
Abstract: The Simple Network Management Protocol is the most widely used protocol for the management of IP-based networks and internets. The original version, now known as SNMPv1, is widely deployed. SNMPv2 adds functionality to the original version but does not address its security limitations; this relatively recent standard has not achieved much acceptance. An effort is currently underway to develop SNMPv3, which will retain the functional enhancements of SNMPv2 and add powerful privacy and authentication features. This article provides a survey of the three versions of SNMP, including a discussion of the way in which management information is represented and the protocol functionality.

Proceedings ArticleDOI
17 Jun 1998
TL;DR: A series of novel approaches for achieving scalable security in IP multicast, providing privacy and authentication on a group-wide basis are proposed, and have low complexity (O(log N) or less) which grants scalability even for large groups.
Abstract: Proposals for multicast security that have been published so far are complex, often require trust in network components or are inefficient. We propose a series of novel approaches for achieving scalable security in IP multicast, providing privacy and authentication on a group-wide basis. They can be employed to efficiently secure multi party applications where members of highly dynamic groups of arbitrary size may participate. Supporting dynamic groups implies that newly joining members must not be able to understand past group communications, and that leaving members may not follow future communications. Key changes are required for all group members when a leave or join occurs, which poses a problem if groups are large. The algorithms presented here require no trust in third parties, support either centralized or fully distributed management of keying material, and have low complexity (O(log N) or less). This grants scalability even for large groups.

Journal ArticleDOI
TL;DR: A computerised record hash coding and linkage procedure is proposed to allow the chaining of medical information within the framework of epidemiological follow-up and shows a specificity of 100% and a sensitivity of 95%.

Book
01 Oct 1998
TL;DR: Swire and Litan as mentioned in this paper analyzed the potential sector-by-sector effects of the European Union Directive on Data Protection on financial services, human resources records, corporate intranets, and many other essential aspects of modern economies.
Abstract: The historic European Union Directive on Data Protection takes effect in October 1998. A key provision prohibits transfer of personal information from Europe to other countries if the European Commission decides that they lack "adequate" protection of privacy. If enforced as written, the Directive could significantly disrupt commerce between Europe and other countries, such as the United States, that do not have comprehensive privacy statutes. In this book, Peter Swire and Robert Litan analyze the tension between privacy laws, which restrict data flows, and modern information technologies, which encourage them. Based on study of actual data flows between Europe and the United States, the book provides the first detailed analysis of the potential sector-by-sector effects of the Directive. This analysis reveals significant problems under the Directive for financial services, human resources records, corporate intranets, and many other essential aspects of modern economies. The book offers policy recommendations for helping to avoid a possible trade war with Europe. This book will be of interest to the many individuals and organizations affected by the new European privacy laws and by proposed new privacy laws in the United States.

Journal ArticleDOI
TL;DR: It is argued that the practice of using data-mining techniques, whether on the Internet or in data warehouses, to gain information about persons raises privacy concerns that go beyond concerns introduced in traditional information-retrieval techniques in computer databases and are not covered by present data-protection guidelines and privacy laws.
Abstract: Privacy concerns involving data mining are examined in terms of four questions: (1) What exactly is data mining? (2) How does data mining raise concerns for personal privacy? (3) How do privacy concerns raised by data mining differ from those concerns introduced by 'traditional' information-retrieval techniques in computer databases? (4) How do privacy concerns raised by mining personal data from the Internet differ from those concerns introduced by mining such data from 'data warehouses'? It is argued that the practice of using data-mining techniques, whether on the Internet or in data warehouses, to gain information about persons raises privacy concerns that (a) go beyond concerns introduced in traditional information-retrieval techniques in computer databases and (b) are not covered by present data-protection guidelines and privacy laws.

Journal ArticleDOI
TL;DR: The authors offer a survey of Web security issues, focusing on particular areas of concern, such as server security, mobile code, data transfer, and user privacy.
Abstract: Developing security methods for the Web is a daunting task, in part because security concerns arose after the fact. Today, with an internationally connected user network and rapidly expanding Web functionality, reliability and security are critical. Vendors engaged in retrofitting security must contend with the Web environment's peculiarities, which include location irrelevance, statelessness, code and user mobility, and stranger-to-stranger communication. The authors offer a survey of Web security issues, focusing on particular areas of concern, such as server security, mobile code, data transfer, and user privacy.

Journal ArticleDOI
TL;DR: Conventional paradigms in data protection, including the one-dimensional view of the "data subject", that inhibit better conceptualizations and practices are examined, along with comparative survey evidence that casts light on the distribution of privacy risks and concerns.
Abstract: It is commonly accepted that the use of personal information in business and government puts individual privacy at risk. However, little is known about these risks, for instance, whether and how they can be measured, and how they vary across social groups and the sectors in which personal data are used. Unless we can gain a purchase on such issues, our knowledge of the societal effects of information technology and systems will remain deficient, and the ability to make and implement better policies for privacy protection, and perhaps for a more equitable distribution of risk and protection, will remain impaired. The article explores this topic, examining conventional paradigms in data protection, including the one-dimensional view of the "data subject", that inhibit better conceptualizations and practices. It looks at some comparative survey evidence that casts light on the question of the distribution of privacy risks and concerns. It examines theoretical issues in the literature on risk, raising questi...

Journal ArticleDOI
TL;DR: It was found that privacy concerns were rarely independently raised by interviewees as an important feature in making decisions about purchasing, but almost all of those interviewed...
Abstract: This article reports on a series of in-depth interviews with UK consumers about shopping, which served to investigate their views on the collection and use of consumers' personal information by commercial organizations. The interviews were used to analyze consumers' constructions of privacy infringement. No single type of information was found to count as personal in all situations. Rather, privacy infringement was constructed as a situated account. This "situated privacy" depended upon the visibility of a mediating technology; the perceived legitimacy of information requests; the representation of intrusion or disruption of legitimate activity; perceived imbalances of power and control; and representations of the social context. By focusing on the daily activity of shopping instead of asking direct questions about privacy, we found that privacy concerns were rarely independently raised by interviewees as an important feature in making decisions about purchasing. However, almost all of those interviewed...

Journal ArticleDOI
TL;DR: A comprehensive network security plan must encompass all the elements that make up the network and provide five important services: access, providing users with the means to transmit and receive data to and from any network resources with which they are authorized to communicate; confidentiality, ensuring that the information in the network remains private (usually through encryption); authentication, ensuring that the sender of a message is who he claims to be; integrity, ensuring that a message has not been modified in transit; non-repudiation, ensuring that the originator of the message cannot deny that he
Abstract: "Network security is the most important thing on the planet". We have heard these words uttered with great conviction many times. However, the first time it causes any inconvenience to system owners, administrators, or users, the same people hasten to add "except when it impacts performance, system complexity, or cost". Let's face it. Security is usually discarded when it contends with performance. The reason is simple, and at one time it may have even been valid: performance directly contributes to the bottom line while security provides only indirect benefits. But as the world becomes more tightly interconnected, organizations are feeling a greater need to rediscover network security. A thread that spans most definitions of network security is the intent to consider the security of the network as a whole, rather than as an endpoint issue. A comprehensive network security plan must encompass all the elements that make up the network and provide five important services: access: provides users with the means to transmit and receive data to and from any network resources with which they are authorized to communicate; confidentiality: ensures that the information in the network remains private (usually through encryption); authentication: ensures that the sender of a message is who he claims to be; integrity: ensures that a message has not been modified in transit; non-repudiation: ensures that the originator of the message cannot deny that he sent the message, which is useful for both commercial and legal reasons.

Proceedings ArticleDOI
07 Dec 1998
TL;DR: Two new anonymous secure electronic voting schemes that protect the privacy of the voters and prevent double voting are proposed based on the ElGamal digital signature algorithm and can be applied to elections in a variety of situations.
Abstract: We propose two new anonymous secure electronic voting schemes that protect the privacy of the voters and prevent double voting. These schemes do not require any special voting channel and the communications can occur entirely over existing networks such as the Internet. The proposed schemes are based on the ElGamal digital signature algorithm and can be applied to elections in a variety of situations ranging from an election in a small organization to a country.


Journal ArticleDOI
TL;DR: It is argued that effective protections are difficult because complicated issues, such as the right of access to health care, are invariably implicated.
Abstract: Genetic privacy and confidentiality have both intrinsic and consequential value. Although general agreement exists about the need to protect privacy and confidentiality in the abstract, most of the concern has focused on preventing the harmful uses of this sensitive information. I hope to demonstrate in this article that the reason why genetic privacy and confidentiality are so difficult to protect is that any effort to protect them inevitably implicates broader and extremely contentious issues, such as the right of access to health care. Moreover, the tentative legislative and policy steps undertaken and proposed thus far have been, for the most part, misguided, simplistic, and ineffective.

Proceedings ArticleDOI
TL;DR: This work highlights the role of informed consent as an important consideration for privacy, identifies conditions under which the collection and centralization of personal information can be ethically justified, and offers an interpretation of a "reasonable expectation of privacy" for Internet cookies.
Abstract: We consider the privacy of personal information on the World Wide Web, emphasizing a concept of privacy as an aspect of social relationships between individuals. We make three contributions to understanding the right to privacy on the Web: (1) we highlight the role of informed consent as an important consideration for privacy, (2) we identify conditions under which the collection and centralization of personal information can be ethically justified, and (3) we offer an interpretation of a "reasonable expectation of privacy" for Internet cookies, a mechanism used by Web sites to remember information about visits to that site.
The views, opinions, and conclusions of this paper are not necessarily those of the University of Illinois. Preliminary versions of this paper were presented at the Seventh Annual Meeting of the Association for Practical and Professional Ethics, Dallas, TX, February 26-28, 1998, and the ACM Policy 98 Conference, Washington DC, May 10-12, 1998. Address for correspondence: Michael C. Loui, Graduate College, 801 S. Wright Street, Champaign, IL 61820-6210, e-mail: m-loui@uiuc.edu, telephone: (217) 333-6715, fax: (217) 333-8019

01 Jan 1998
TL;DR: An updated version of a formal task-based privacy model which can be used to technically enforce legal privacy requirements is presented, and it is shown how the privacy policy has been specified and implemented according to the Generalized Framework for Access Control (GFAC) approach.
Abstract: Privacy technologies are becoming more relevant, because individual privacy is at risk in the Global Information Society. In this paper, an updated version of a formal task-based privacy model which can be used to technically enforce legal privacy requirements is presented. It is shown how the privacy policy has been specified and implemented according to the Generalized Framework for Access Control (GFAC) approach.

Journal ArticleDOI
Lorrie Faith Cranor
TL;DR: Why is so much of the recent attention to privacy issues focused on Internet privacy when consumers have had privacy concerns long before they started doing business online?
Abstract: Why is so much of the recent attention to privacy issues focused on Internet privacy when consumers have had privacy concerns long before they started doing business online? Certainly, the hype surrounding the Internet in general has contributed to the buzz. These days, anything that happens online seems much more exciting than the "real" world. But in the case of online privacy, there is some substance behind the hype.

Journal ArticleDOI
TL;DR: This paper argues that health privacy legislation is necessary both to improve patient care and to enhance the reliability of the health information used for research and public health initiatives.
Abstract: PROLOGUE: Irish author George Bernard Shaw once observed during a speech in New York that Americans have “no sense of privacy. [They] do not know what it means. There is no such thing in the country.” Indeed, in the wake of Kenneth Starr's referral to Congress, Shaw's words, spoken in 1933, seem perceptive, if not downright prescient. Shaw's cultural acumen notwithstanding, the health care arena presents a decidedly different picture of how Americans feel about privacy. Recent media reports abound with concerns about potential abuses of private medical information by government, employers, and insurance companies. The dilemma takes the following form: Although Americans seem to have legitimate concerns about the motives and possible actions of the stewards of their medical information, many in the medical and policy establishments fear that overzealous protections could pose serious obstacles to the improvement of medical care. Taking a somewhat unconventional stance, Janlori Goldman does not view this ma...

Book
01 Jan 1998