
Showing papers on "Information privacy published in 2005"


Proceedings ArticleDOI
07 Nov 2005
TL;DR: This paper analyzes the online behavior of more than 4,000 Carnegie Mellon University students who have joined a popular social networking site catered to colleges, evaluates the amount of information they disclose, and studies their usage of the site's privacy settings.
Abstract: Participation in social networking sites has dramatically increased in recent years. Services such as Friendster, Tribe, or the Facebook allow millions of individuals to create online profiles and share personal information with vast networks of friends - and, often, unknown numbers of strangers. In this paper we study patterns of information revelation in online social networks and their privacy implications. We analyze the online behavior of more than 4,000 Carnegie Mellon University students who have joined a popular social networking site catered to colleges. We evaluate the amount of information they disclose and study their usage of the site's privacy settings. We highlight potential attacks on various aspects of their privacy, and we show that only a minimal percentage of users changes the highly permeable privacy preferences.

2,405 citations


Proceedings ArticleDOI
Roberto J. Bayardo1, Rakesh Agrawal1
05 Apr 2005
TL;DR: This paper proposes and evaluates an optimization algorithm for the powerful de-identification procedure known as k-anonymization, and presents a new approach to exploring the space of possible anonymizations that tames the combinatorics of the problem, and develops data-management strategies to reduce reliance on expensive operations such as sorting.
Abstract: Data de-identification reconciles the demand for release of data for research purposes and the demand for privacy from individuals. This paper proposes and evaluates an optimization algorithm for the powerful de-identification procedure known as k-anonymization. A k-anonymized dataset has the property that each record is indistinguishable from at least k - 1 others. Even simple restrictions of optimized k-anonymity are NP-hard, leading to significant computational challenges. We present a new approach to exploring the space of possible anonymizations that tames the combinatorics of the problem, and develop data-management strategies to reduce reliance on expensive operations such as sorting. Through experiments on real census data, we show the resulting algorithm can find optimal k-anonymizations under two representative cost measures and a wide range of k. We also show that the algorithm can produce good anonymizations in circumstances where the input data or input parameters preclude finding an optimal solution in reasonable time. Finally, we use the algorithm to explore the effects of different coding approaches and problem variations on anonymization quality and performance. To our knowledge, this is the first result demonstrating optimal k-anonymization of a non-trivial dataset under a general model of the problem.

1,220 citations


Journal ArticleDOI
01 Jan 2005
TL;DR: This research suggests that consumers often lack enough information to make privacy-sensitive decisions and, even with sufficient information, are likely to trade off long-term privacy for short-term benefits.
Abstract: Traditional theory suggests consumers should be able to manage their privacy. Yet, empirical and theoretical research suggests that consumers often lack enough information to make privacy-sensitive decisions and, even with sufficient information, are likely to trade off long-term privacy for short-term benefits.

1,045 citations


Proceedings ArticleDOI
06 Jun 2005
TL;DR: A suite of scalable and yet efficient spatio-temporal cloaking algorithms, called CliqueCloak algorithms, are developed to provide high quality personalized location k-anonymity, aiming at avoiding or reducing known location privacy threats before forwarding requests to LBS provider(s).
Abstract: This paper describes a personalized k-anonymity model for protecting location privacy against various privacy threats through location information sharing. Our model has two unique features. First, we provide a unified privacy personalization framework to support location k-anonymity for a wide range of users with context-sensitive personalized privacy requirements. This framework enables each mobile node to specify the minimum level of anonymity it desires as well as the maximum temporal and spatial resolutions it is willing to tolerate when requesting k-anonymity preserving location-based services (LBSs). Second, we devise an efficient message perturbation engine which runs by the location protection broker on a trusted server and performs location anonymization on mobile users' LBS request messages, such as identity removal and spatio-temporal cloaking of location information. We develop a suite of scalable and yet efficient spatio-temporal cloaking algorithms, called CliqueCloak algorithms, to provide high quality personalized location k-anonymity, aiming at avoiding or reducing known location privacy threats before forwarding requests to LBS provider(s). The effectiveness of our CliqueCloak algorithms is studied under various conditions using realistic location data synthetically generated using real road maps and traffic volume data.

755 citations


Proceedings ArticleDOI
11 Jul 2005
TL;DR: This paper proposes an anonymous communication technique to protect the location privacy of the users of location-based services and describes a cost reduction technique for communication between a client and a server.
Abstract: Recently, highly accurate positioning devices enable us to provide various types of location-based services. On the other hand, because such position data include deeply personal information, the protection of location privacy is one of the most significant problems in location-based services. In this paper, we propose an anonymous communication technique to protect the location privacy of the users of location-based services. In our proposed technique, such users generate several false position data (dummies) to send to service providers with the true position data of users. Because service providers cannot distinguish the true position data, user location privacy is protected. We also describe a cost reduction technique for communication between a client and a server. Moreover, we conducted performance study experiments on our proposed technique using practical position data. As a result of the experiments, we observed that our proposed technique protects the location privacy of people and can sufficiently reduce communication costs so that our communication techniques can be applied in practical location-based services.

743 citations


01 Jan 2005
TL;DR: In this paper, the authors analyzed the online behavior of more than 4,000 Carnegie Mellon University students who have joined a popular social networking site catered to colleges and found that only a minimal percentage of users change the highly permeable privacy preferences.
Abstract: Participation in social networking sites has dramatically increased in recent years. Services such as Friendster, Tribe, or the Facebook allow millions of individuals to create online profiles and share personal information with vast networks of friends - and, often, unknown numbers of strangers. In this paper we study patterns of information revelation in online social networks and their privacy implications. We analyze the online behavior of more than 4,000 Carnegie Mellon University students who have joined a popular social networking site catered to colleges. We evaluate the amount of information they disclose and study their usage of the site’s privacy settings. We highlight potential attacks on various aspects of their privacy, and we show that only a minimal percentage of users changes the highly permeable privacy preferences.

740 citations


Posted Content
TL;DR: In this paper, a taxonomy to identify privacy problems in a comprehensive and concrete manner is presented. But Prosser focused only on tort law, and the law of information privacy is significantly more vast and complex, extending to Fourth Amendment law, the constitutional right to information privacy, evidentiary privileges, dozens of federal privacy statutes, and hundreds of state statutes.
Abstract: Privacy is a concept in disarray. Nobody can articulate what it means. As one commentator has observed, privacy suffers from an embarrassment of meanings. Privacy is far too vague a concept to guide adjudication and lawmaking, as abstract incantations of the importance of privacy do not fare well when pitted against more concretely-stated countervailing interests. In 1960, the famous torts scholar William Prosser attempted to make sense of the landscape of privacy law by identifying four different interests. But Prosser focused only on tort law, and the law of information privacy is significantly more vast and complex, extending to Fourth Amendment law, the constitutional right to information privacy, evidentiary privileges, dozens of federal privacy statutes, and hundreds of state statutes. Moreover, Prosser wrote over 40 years ago, and new technologies have given rise to a panoply of new privacy harms. A new taxonomy to understand privacy violations is thus sorely needed. This article develops a taxonomy to identify privacy problems in a comprehensive and concrete manner. It endeavors to guide the law toward a more coherent understanding of privacy and to serve as a framework for the future development of the field of privacy law.

704 citations


Journal ArticleDOI
TL;DR: A theoretical model is proposed and tested that considers an individual's perceptions of privacy and how it relates to his or her behavioral intention to make an online transaction and the results suggested strong support for the model.

672 citations


Proceedings ArticleDOI
05 Apr 2005
TL;DR: The results show that quality of classification can be preserved even for highly restrictive privacy requirements, and the approach has great applicability to both public and private sectors that share information for mutual benefits and productivity.
Abstract: Releasing person-specific data in its most specific state poses a threat to individual privacy. This paper presents a practical and efficient algorithm for determining a generalized version of data that masks sensitive information and remains useful for modelling classification. The generalization of data is implemented by specializing or detailing the level of information in a top-down manner until a minimum privacy requirement is violated. This top-down specialization is natural and efficient for handling both categorical and continuous attributes. Our approach exploits the fact that data usually contains redundant structures for classification. While generalization may eliminate some structures, other structures emerge to help. Our results show that quality of classification can be preserved even for highly restrictive privacy requirements. This work has great applicability to both public and private sectors that share information for mutual benefits and productivity.

624 citations


Book ChapterDOI
08 May 2005
TL;DR: It is argued that obfuscation is an important technique for protecting an individual's location privacy within a pervasive computing environment and a formal framework within which obfuscated location-based services are defined is set out.
Abstract: Obfuscation concerns the practice of deliberately degrading the quality of information in some way, so as to protect the privacy of the individual to whom that information refers. In this paper, we argue that obfuscation is an important technique for protecting an individual's location privacy within a pervasive computing environment. The paper sets out a formal framework within which obfuscated location-based services are defined. This framework provides a computationally efficient mechanism for balancing an individual's need for high-quality information services against that individual's need for location privacy. Negotiation is used to ensure that a location-based service provider receives only the information it needs to know in order to provide a service of satisfactory quality. The results of this work have implications for numerous applications of mobile and location-aware systems, as they provide a new theoretical foundation for addressing the privacy concerns that are acknowledged to be retarding the widespread acceptance and use of location-based services.

566 citations


Proceedings ArticleDOI
06 Jun 2005
TL;DR: This paper provides a formal model for the source-location privacy problem in sensor networks and examines the privacy characteristics of different sensor routing protocols, and devised new techniques to enhance source- location privacy that augment these routing protocols.
Abstract: One of the most notable challenges threatening the successful deployment of sensor systems is privacy. Although many privacy-related issues can be addressed by security mechanisms, one sensor network privacy issue that cannot be adequately addressed by network security is source-location privacy. Adversaries may use RF localization techniques to perform hop-by-hop traceback to the source sensor's location. This paper provides a formal model for the source-location privacy problem in sensor networks and examines the privacy characteristics of different sensor routing protocols. We examine two popular classes of routing protocols: the class of flooding protocols, and the class of routing protocols involving only a single path from the source to the sink. While investigating the privacy performance of routing protocols, we considered the tradeoffs between location-privacy and energy consumption. We found that most of the current protocols cannot provide efficient source-location privacy while maintaining desirable system performance. In order to provide efficient and private sensor communications, we devised new techniques to enhance source-location privacy that augment these routing protocols. One of our strategies, a technique we have called phantom routing, has proven flexible and capable of protecting the source's location, while not incurring a noticeable increase in energy overhead. Further, we examined the effect of source mobility on location privacy. We showed that, even with the natural privacy amplification resulting from source mobility, our phantom routing techniques yield improved source-location privacy relative to other routing methods.

Journal ArticleDOI
01 May 2005
TL;DR: In this paper, the authors provide an overview of the potential privacy threats in RFID systems and how they might be addressed using both technology and public policy.
Abstract: As organizations aggressively deploy radio frequency identification systems, activists are increasingly concerned about RFID's potential to invade user privacy. This overview highlights potential threats and how they might be addressed using both technology and public policy.

Proceedings ArticleDOI
05 Sep 2005
TL;DR: This work concentrates on a class of applications that continuously collect location samples from a large group of users, where just removing user identifiers from all samples is insufficient because an adversary could use trajectory information to track paths and follow users’ footsteps home.
Abstract: We present a path perturbation algorithm which can maximize users’ location privacy given a quality of service constraint. This work concentrates on a class of applications that continuously collect location samples from a large group of users, where just removing user identifiers from all samples is insufficient because an adversary could use trajectory information to track paths and follow users’ footsteps home. The key idea underlying the perturbation algorithm is to cross paths in areas where at least two users meet. This increases the chances that an adversary would confuse the paths of different users. We first formulate this privacy problem as a constrained optimization problem and then develop heuristics for an efficient privacy algorithm. Using simulations with randomized movement models we verify that the algorithm improves privacy while minimizing the perturbation of location samples.

Journal ArticleDOI
TL;DR: The application of the ethical/legal doctrine of informed consent to online transactions is questioned in the light of the evidence that users frequently do not consult privacy policies, as well as user interpretation of trust marks and interaction design.
Abstract: Several recent surveys conclude that people are concerned about privacy and consider it to be an important factor in their online decision making. This paper reports on a study in which (1) user concerns were analysed more deeply and (2) what users said was contrasted with what they did in an experimental e-commerce scenario. Eleven independent variables were shown to affect the online behavior of at least some groups of users. Most significant were trust marks present on web pages and the existence of a privacy policy, though users seldom consulted the policy when one existed. We also find that many users have inaccurate perceptions of their own knowledge about privacy technology and vulnerabilities, and that important user groups, like those similar to the Westin "privacy fundamentalists", do not appear to form a cohesive group for privacy-related decision making. In this study we adopt an experimental economic research paradigm, a method for examining user behavior which challenges the current emphasis on survey data. We discuss these issues and the implications of our results on user interpretation of trust marks and interaction design. Although broad policy implications are beyond the scope of this paper, we conclude by questioning the application of the ethical/legal doctrine of informed consent to online transactions in the light of the evidence that users frequently do not consult privacy policies.

Proceedings ArticleDOI
08 Mar 2005
TL;DR: A specific time-memory trade-off is introduced that removes the scalability issue of this scheme, and it is proved that the system truly offers privacy and even forward privacy.
Abstract: The biggest challenge for RFID technology is to provide benefits without threatening the privacy of consumers. Many solutions have been suggested but almost as many ways have been found to break them. An approach by Ohkubo, Suzuki and Kinoshita using an internal refreshment mechanism seems to protect privacy well but is not scalable. We introduce a specific time-memory trade-off that removes the scalability issue of this scheme. Additionally we prove that the system truly offers privacy and even forward privacy. Our third contribution is an extension of the scheme which offers a secure communication channel between RFID tags and their owner using building blocks that are already available on the tag. Finally we give a typical example of use of our system and show its feasibility by calculating all the parameters.

Proceedings ArticleDOI
05 Sep 2005
TL;DR: In this paper, the privacy and security issues of the International Civil Aviation Organization (ICAO) standard for e-passports have been analyzed in the context of next-generation ID cards.
Abstract: Within the next year, travelers from dozens of nations may be carrying a new form of passport in response to a mandate by the United States government. The e-passport, as it is sometimes called, represents a bold initiative in the deployment of two new technologies: Radio-Frequency Identification (RFID) and biometrics. Important in their own right, e-passports are also the harbinger of a wave of next-generation ID cards: several national governments plan to deploy identity cards integrating RFID and biometrics for domestic use. We explore the privacy and security implications of this impending worldwide experiment in next-generation authentication technology. We describe privacy and security issues that apply to e-passports, then analyze these issues in the context of the International Civil Aviation Organization (ICAO) standard for e-passports.

Proceedings ArticleDOI
01 Jun 2005
TL;DR: The proposed privacy preserving access control model for relational databases, which relies on the well-known RBAC model as well as the notion of conditional role (based on the notions of role attribute and system attribute), is extended to handle other advanced data management systems.
Abstract: As privacy becomes a major concern for both consumers and enterprises, many research efforts have been devoted to the development of privacy protecting technology. We recently proposed a privacy preserving access control model for relational databases, where purpose information associated with a given data element specifies the intended use of the data element. In this paper, we extend our previous work to handle other advanced data management systems, such as the ones based on XML and the ones based on the object-relational data model. Another contribution of our paper is that we address the problem of how to determine the purpose for which certain data are accessed by a given user. Our proposed solution relies on the well-known RBAC model as well as the notion of conditional role which is based on the notions of role attribute and system attribute.

Proceedings Article
01 Jan 2005
TL;DR: This work proposes a new, distributed architecture that allows an organization to outsource its data management to untrusted servers while preserving data privacy, and shows how the presence of two servers enables efficient partitioning of data.
Abstract: Recent trends towards database outsourcing, as well as concerns and laws governing data privacy, have led to great interest in enabling secure database services. Previous approaches to enabling such a service have been based on data encryption, causing a large overhead in query processing. We propose a new, distributed architecture that allows an organization to outsource its data management to two untrusted servers while preserving data privacy. We show how the presence of two servers enables efficient partitioning of data so that the contents at any one server are guaranteed not to breach data privacy. We show how to optimize and execute queries in this architecture, and discuss new challenges that emerge in designing the database schema.

Book ChapterDOI
10 Feb 2005
TL;DR: An important contribution of this work is a definition of privacy (and privacy compromise) for statistical databases, together with a method for describing and comparing the privacy offered by specific sanitization techniques.
Abstract: We initiate a theoretical study of the census problem. Informally, in a census individual respondents give private information to a trusted party (the census bureau), who publishes a sanitized version of the data. There are two fundamentally conflicting requirements: privacy for the respondents and utility of the sanitized data. Unlike in the study of secure function evaluation, in which privacy is preserved to the extent possible given a specific functionality goal, in the census problem privacy is paramount; intuitively, things that cannot be learned “safely” should not be learned at all. An important contribution of this work is a definition of privacy (and privacy compromise) for statistical databases, together with a method for describing and comparing the privacy offered by specific sanitization techniques. We obtain several privacy results using two different sanitization techniques, and then show how to combine them via cross training. We also obtain two utility results involving clustering.

Proceedings ArticleDOI
27 Nov 2005
TL;DR: Several perturbation techniques have been proposed recently, among which the most typical ones are randomization approach (Agrawal and Srikant, 2000) and condensation approach (Aggarwal and Yu, 2004).
Abstract: Data perturbation techniques are one of the most popular models for privacy preserving data mining (Agrawal and Srikant, 2000; Aggarwal and Yu, 2004). It is especially convenient for applications where the data owners need to export/publish the privacy-sensitive data. A data perturbation procedure can be simply described as follows. Before the data owner publishes the data, they randomly change the data in a certain way to disguise the sensitive information while preserving the particular data property that is critical for building the data models. Several perturbation techniques have been proposed recently, among which the most typical ones are the randomization approach (Agrawal and Srikant, 2000) and the condensation approach (Aggarwal and Yu, 2004).

Proceedings ArticleDOI
05 Apr 2005
TL;DR: In this work, a technique to anonymize position data is proposed that protects the location privacy of users by combining several false position data sent to the service provider with the true position data of the user.
Abstract: Recently, highly accurate positioning devices enable us to provide various types of location-based services. On the other hand, because position data obtained by such devices include deeply personal information, protection of location privacy is one of the most significant issues of location-based services. Therefore, we propose a technique to anonymize position data. In our proposed technique, the personal user of a location-based service generates several false position data (dummies) sent to the service provider with the true position data of the user. Because the service provider cannot distinguish the true position data, the user's location privacy is protected. We conducted performance study experiments on our proposed technique using practical trajectory data. As a result of the experiments, we observed that our proposed technique protects the location privacy of users.

Proceedings ArticleDOI
02 Apr 2005
TL;DR: Studies of preferences about information sharing are described, aimed at identifying fundamental concerns with privacy and at understanding how people might abstract the details of sharing into higher-level classes of recipients and information that are treated similarly.
Abstract: We describe studies of preferences about information sharing aimed at identifying fundamental concerns with privacy and at understanding how people might abstract the details of sharing into higher-level classes of recipients and information that are treated similarly. Thirty people specified what information they are willing to share with whom. Although people vary in their overall level of comfort in sharing, we identified key classes of recipients and information. Such abstractions highlight the promise of developing expressive controls for sharing and privacy.

Book ChapterDOI
Florian Dötzer1
30 May 2005
TL;DR: In this article, the authors give an overview on the privacy issues in vehicular ad hoc networks from a car manufacturer's perspective and introduce an exemplary approach to overcome these issues, which can really manage privacy instead of either providing full anonymity or no privacy at all.
Abstract: Vehicular Ad hoc NETworks (VANETs) demand a thorough investigation of privacy related issues. On one hand, users of such networks have to be prevented from misuse of their private data by authorities, from location profiling and from other attacks on their privacy. On the other hand, system operators and car manufacturers have to be able to identify malfunctioning units for the sake of system availability and security. These requirements demand an architecture that can really manage privacy instead of either providing full anonymity or no privacy at all. In this paper we give an overview on the privacy issues in vehicular ad hoc networks from a car manufacturer's perspective and introduce an exemplary approach to overcome these issues.

Journal ArticleDOI
TL;DR: This publication contains reprint articles for which IEEE does not hold copyright and is not available on IEEE Xplore for these articles.
Abstract: Cheap tags and technology simple and secure enough to ensure personal data privacy are required before retailers implement and consumers trust and confidently use them on a mass scale.

Journal ArticleDOI
Sherry Hsi1, Holly Fait1
TL;DR: Interactive RFID-enhanced museum exhibits let visitors continue their scientific exploration beyond the museum's walls, but museums must still help them understand the technology and address their data privacy concerns.
Abstract: Interactive RFID-enhanced museum exhibits let visitors continue their scientific exploration beyond the museum's walls. But museums must still help them understand the technology and address their data privacy concerns.

Journal ArticleDOI
TL;DR: In this article, the authors present results of an online experiment that evaluated consumer response to privacy seals in a naturalistic exposure setting and found that privacy seals enhance trust in the Web site and expectations that the site would inform the user of its information practices.
Abstract: Online privacy is an issue of increasing national importance, and voluntary privacy seals provided by third-party organizations such as TRUSTe and BBBOnline have been proposed as a means of assuring consumer privacy. Few studies have examined privacy seal effects. This study presents results of an online experiment that evaluated consumer response to privacy seals in a naturalistic exposure setting. Findings suggest that privacy seals enhance trust in the Web site and expectations that the site would inform the user of its information practices. While concern for privacy-threatening information practices had no influence, privacy self-efficacy, confidence in ability to protect one's privacy, moderated seal effects. Implications for the continued role of privacy seals are discussed.

Online consumer privacy has attracted the attention of state and federal regulators and poses a significant challenge to online marketers. Concerns for the confidentiality of personal information are widespread (Cole 2001; NTIA 2000; Pew Research 2000). However, 64% of adult consumers report never seeking out instructions on how to protect one's personal information on the Internet, and 40% report knowing almost nothing about how to prevent Web sites from collecting their information (Turow 2003). Three-fourths of nonusers see the Internet as a privacy threat (Cole 2001), suggesting that online privacy invasion is a deterrent to potential Internet shoppers as well. Privacy threats may lower participation in commercial activities online and are of particular concern to new users and women (Pew Research 2000), thereby limiting the growth potential of online commerce. The debate is not merely academic since the release of consumer credit information can transform Internet users into victims of credit card and other financial fraud.
A content analysis of leading e-commerce sites by the Federal Trade Commission (FTC) found that only 20% met the agency's standards for preserving consumer privacy (FTC 2000), and more recently, violations of online privacy policies have been unveiled. Fair-practice database information and notice standards are sought by all stakeholders (FTC 2000; Milne and Rohm 2000). The FTC and industry leaders alike had hoped that voluntary third-party seal programs (e.g., TRUSTe, BBBOnline) with clear privacy policy language and iconic representation of privacy guarantees (Green et al. 2000) would provide a self-regulatory solution to adequate notice. The public demand for third-party verification (Harris Interactive 2002) and slow adoption of Platform for Privacy Preferences (P3P), the automated browser privacy program by individual Web sites, suggest that use of third-party seal verification programs is likely to increase (Festa 2002). To date, little research has examined consumer response to privacy seals. Notably, Miyazaki and Krishnamurthy (2002) examined the effects of privacy seal presence, in off-line conditions, with clearly stated privacy policies. Their findings suggest that seals may have the effects desired by online retailers but pose a problem for true consumer protection. Participants had more favorable perceptions of privacy policies at Web sites that displayed seals, and seals increased anticipated disclosures and patronage for individuals who viewed online shopping as risky. The results are discouraging for consumer protection since Miyazaki and Krishnamurthy (2002) also found no differences in the privacy policies of Web sites on the basis of seal display. More recently, LaRose and Rifon (forthcoming) found that sealed sites were significantly more invasive than the unsealed sites with respect to the amount of personal information requested. 
Other recent evidence suggests that a majority (57%) of consumers inaccurately interpret a Web site privacy policy's presence as an indication that the Web site does not collect or share their personal information (Turow 2003). …

Journal ArticleDOI
01 May 2005
TL;DR: The authors' privacy console manages operator access to different versions of video-derived data according to access-control lists and their PrivacyCam is a smart camera that produces a video stream with privacy-intrusive information already removed.
Abstract: Closed-circuit television cameras used today for surveillance sometimes enable privacy intrusion. The authors' privacy console manages operator access to different versions of video-derived data according to access-control lists. Additionally, their PrivacyCam is a smart camera that produces a video stream with privacy-intrusive information already removed.

Journal ArticleDOI
TL;DR: This paper examines Internet users' major expectations about website privacy and reveals a notable discrepancy between what privacy policies currently state and what users deem most significant, with implications for privacy managers and software project managers.
Abstract: Internet privacy policies describe an organization's practices on data collection, use, and disclosure. These privacy policies both protect the organization and signal integrity commitment to site visitors. Consumers use the stated website policies to guide browsing and transaction decisions. This paper compares the classes of privacy protection goals (which express desired protection of consumer privacy rights) and vulnerabilities (which potentially threaten consumer privacy) with consumer privacy values. For this study, we looked at privacy policies from nearly 50 websites and surveyed over 1000 Internet users. We examined Internet users' major expectations about website privacy and revealed a notable discrepancy between what privacy policies are currently stating and what users deem most significant. Our findings suggest several implications to privacy managers and software project managers. Results from this study can help managers determine the kinds of policies needed to both satisfy user values and ensure privacy-aware website development efforts.

Journal ArticleDOI
01 Sep 2005
TL;DR: It is found with great significance that a linear relationship exists between an individual's belief about a trait and the value he or she places on it, and the less desirable the trait, the greater the price a person demands for releasing the information.
Abstract: In several experimental auctions, participants put a dollar value on private information before revealing it to a group. An analysis of the results shows that a trait's desirability in relation to the group played a key role in the amount people demanded to publicize private information. Because people can easily obtain, aggregate, and disperse personal data electronically, privacy is a central concern in the information age. This concern is clear in relation to financial data and genetic information, both of which can lead to identity abuse and discrimination. However, other relatively harmless information can also be abused, including a person's gender, salary, age, marital status, or shopping preferences. What's unclear is whether it's the fear of such abuse that actually causes people's stated hesitance to reveal their data. Our hypothesis - and the motivation for our study - is that people reveal information when they feel that they're somewhat typical or positively atypical compared to the target group. To test this hypothesis, we conducted experiments that elicit the value people place on their private data. We found, with great significance (more than 95 percent statistical confidence), that a linear relationship exists between an individual's belief about a trait and the value he or she places on it. That is, the less desirable the trait, the greater the price a person demands for releasing the information. Furthermore, we found that small deviations in a socially positive direction are associated with a lower asking price.

Journal ArticleDOI
TL;DR: This paper first notes that random matrices have predictable structures in the spectral domain and then develops a random-matrix-based spectral-filtering technique to retrieve original data from a dataset distorted by adding random values.
Abstract: Privacy is becoming an increasingly important issue in many data-mining applications. This has triggered the development of many privacy-preserving data-mining techniques. A large fraction of them use randomized data-distortion techniques to mask the data for preserving the privacy of sensitive data. This methodology attempts to hide the sensitive data by randomly modifying the data values, often using additive noise. This paper questions the utility of the random-value distortion technique in privacy preservation. The paper first notes that random matrices have predictable structures in the spectral domain and then develops a random-matrix-based spectral-filtering technique to retrieve original data from the dataset distorted by adding random values. The proposed method works by comparing the spectrum generated from the observed data with that of random matrices. This paper presents the theoretical foundation and extensive experimental results to demonstrate that, in many cases, random-data distortion preserves very little data privacy. The analytical framework presented in this paper also points out several possible avenues for the development of new privacy-preserving data-mining techniques. Examples include algorithms that explicitly guard against privacy breaches through linear transformations, and algorithms that exploit multiplicative and colored noise to preserve privacy in data-mining applications.