Showing papers on "Privacy software published in 2010"


Journal ArticleDOI
01 Nov 2010
TL;DR: This article explores the roadblocks and solutions to providing a trustworthy cloud computing environment and suggests a number of approaches that could be considered.
Abstract: Cloud computing is an evolving paradigm with tremendous momentum, but its unique aspects exacerbate security and privacy challenges. This article explores the roadblocks and solutions to providing a trustworthy cloud computing environment.

1,295 citations


Proceedings ArticleDOI
05 Jun 2010
TL;DR: This work identifies the problem of maintaining a counter in a privacy preserving manner and shows its wide applicability to many different problems.
Abstract: Differential privacy is a recent notion of privacy tailored to privacy-preserving data analysis [11]. Up to this point, research on differentially private data analysis has focused on the setting of a trusted curator holding a large, static, data set; thus every computation is a "one-shot" object: there is no point in computing something twice, since the result will be unchanged, up to any randomness introduced for privacy. However, many applications of data analysis involve repeated computations, either because the entire goal is one of monitoring, e.g., of traffic conditions, search trends, or incidence of influenza, or because the goal is some kind of adaptive optimization, e.g., placement of data to minimize access costs. In these cases, the algorithm must permit continual observation of the system's state. We therefore initiate a study of differential privacy under continual observation. We identify the problem of maintaining a counter in a privacy preserving manner and show its wide applicability to many different problems.

675 citations


Proceedings ArticleDOI
25 Jul 2010
TL;DR: This paper addresses the problem of data mining with formal privacy guarantees, given a data access interface based on the differential privacy framework by considering the privacy and the algorithmic requirements simultaneously, focusing on decision tree induction as a sample application.
Abstract: We consider the problem of data mining with formal privacy guarantees, given a data access interface based on the differential privacy framework. Differential privacy requires that computations be insensitive to changes in any particular individual's record, thereby restricting data leaks through the results. The privacy preserving interface ensures unconditionally safe access to the data and does not require from the data miner any expertise in privacy. However, as we show in the paper, a naive utilization of the interface to construct privacy preserving data mining algorithms could lead to inferior data mining results. We address this problem by considering the privacy and the algorithmic requirements simultaneously, focusing on decision tree induction as a sample application. The privacy mechanism has a profound effect on the performance of the methods chosen by the data miner. We demonstrate that this choice could make the difference between an accurate classifier and a completely useless one. Moreover, an improved algorithm can achieve the same level of accuracy and privacy as the naive implementation but with an order of magnitude fewer learning samples.

484 citations


Proceedings ArticleDOI
26 Apr 2010
TL;DR: A template for the design of a social networking privacy wizard based on an active learning paradigm called uncertainty sampling, which is able to recommend high-accuracy privacy settings using less user input than existing policy-specification tools.
Abstract: Privacy is an enormous problem in online social networking sites. While sites such as Facebook allow users fine-grained control over who can see their profiles, it is difficult for average users to specify this kind of detailed policy. In this paper, we propose a template for the design of a social networking privacy wizard. The intuition for the design comes from the observation that real users conceive their privacy preferences (which friends should be able to see which information) based on an implicit set of rules. Thus, with a limited amount of user input, it is usually possible to build a machine learning model that concisely describes a particular user's preferences, and then use this model to configure the user's privacy settings automatically. As an instance of this general framework, we have built a wizard based on an active learning paradigm called uncertainty sampling. The wizard iteratively asks the user to assign privacy "labels" to selected ("informative") friends, and it uses this input to construct a classifier, which can in turn be used to automatically assign privileges to the rest of the user's (unlabeled) friends. To evaluate our approach, we collected detailed privacy preference data from 45 real Facebook users. Our study revealed two important things. First, real users tend to conceive their privacy preferences in terms of communities, which can easily be extracted from a social network graph using existing techniques. Second, our active learning wizard, using communities as features, is able to recommend high-accuracy privacy settings using less user input than existing policy-specification tools.

454 citations


Journal ArticleDOI
TL;DR: It makes all the more sense to identify and examine possible data protection problems when designing new technology and to incorporate privacy protection into the overall design, instead of having to come up with laborious and time-consuming “patches” later on.
Abstract: In view of rapid and dramatic technological change, it is important to take the special requirements of privacy protection into account early on, because new technological systems often contain hidden dangers which are very difficult to overcome after the basic design has been worked out. So it makes all the more sense to identify and examine possible data protection problems when designing new technology and to incorporate privacy protection into the overall design, instead of having to come up with laborious and time-consuming “patches” later on. This approach is known as “Privacy by Design” (PbD).

371 citations


Book ChapterDOI
23 Sep 2010
TL;DR: In this paper, a combination of Paillier's additive homomorphic encryption and additive secret sharing is used to compute the aggregated energy consumption of a given set of users, which is then used for fraud detection in a privacy-preserving manner.
Abstract: The first part of this paper discusses developments wrt. smart (electricity) meters (simply called E-meters) in general, with emphasis on security and privacy issues. The second part will be more technical and describes protocols for secure communication with E-meters and for fraud detection (leakage) in a privacy-preserving manner. Our approach uses a combination of Paillier's additive homomorphic encryption and additive secret sharing to compute the aggregated energy consumption of a given set of users.

364 citations


Journal ArticleDOI
TL;DR: This research presents a novel and scalable approach that combines machine learning, artificial intelligence, and big data analytics to solve the challenge of how to manage and protect people's privacy.
Abstract: Developing effective privacy protection technologies is a critical challenge for security and privacy research as the amount and variety of data collected about individuals increase exponentially.

327 citations


Book ChapterDOI
01 Jan 2010
TL;DR: The authors outline the current technological and technical trends and their impacts on the security, privacy, and governance of the Internet of Things and an overview of the vision of the European Commission is provided.
Abstract: While the general definition of the Internet of Things (IoT) is almost mature, roughly defining it as an information network connecting virtual and physical objects, there is a consistent lack of consensus around technical and regulatory solutions. There is no doubt, though, that the new paradigm will bring forward a completely new host of issues because of its deep impact on all aspects of human life. In this work, the authors outline the current technological and technical trends and their impacts on the security, privacy, and governance. The work is split into short- and long-term analysis where the former is focused on already or soon available technology, while the latter is based on vision concepts. Also, an overview of the vision of the European Commission on this topic will be provided.

310 citations


Proceedings ArticleDOI
01 Mar 2010
TL;DR: Wang et al. developed a data publishing technique that ensures differential privacy while providing accurate answers for range-count queries, i.e., count queries where the predicate on each attribute is a range.
Abstract: Privacy preserving data publishing has attracted considerable research interest in recent years. Among the existing solutions, ε-differential privacy provides one of the strongest privacy guarantees. Existing data publishing methods that achieve ε-differential privacy, however, offer little data utility. In particular, if the output dataset is used to answer count queries, the noise in the query answers can be proportional to the number of tuples in the data, which renders the results useless. In this paper, we develop a data publishing technique that ensures ε-differential privacy while providing accurate answers for range-count queries, i.e., count queries where the predicate on each attribute is a range. The core of our solution is a framework that applies wavelet transforms on the data before adding noise to it. We present instantiations of the proposed framework for both ordinal and nominal data, and we provide a theoretical analysis on their privacy and utility guarantees. In an extensive experimental study on both real and synthetic data, we show the effectiveness and efficiency of our solution.

302 citations


Journal ArticleDOI
TL;DR: To investigate the privacy controversy, a survey among 172 current Facebook users in a large US university is conducted to explore their usage behaviors and privacy attitudes toward the site.

295 citations


Journal ArticleDOI
01 Apr 2010
TL;DR: A statistical database, in which the trusted and trustworthy curator gathers sensitive information from a large number of respondents (the sample), with the goal of learning and releasing to the public statistical facts about the underlying population.
Abstract: We motivate and review the definition of differential privacy, survey some results on differentially private statistical estimators, and outline a research agenda. This survey is based on two presentations given by the authors at an NCHS/CDC sponsored workshop on data privacy in May 2008.

Journal ArticleDOI
TL;DR: In this article, the authors present the evidenced-based theory of communication privacy management (CPM) and corresponding research on family privacy regulation that provides a road map to understand the multifaceted nature of managing private information.
Abstract: For families, managing private information is challenging. Family members reveal too much, they allow more privacy access to outsiders than others desire, parents attempt to negotiate Internet disclosures with their teens, and family health issues often change the way private information is defined altogether. The complexities of privacy regulation call for a systematic way to grasp how privacy management operates in families. This article presents the evidenced-based theory of communication privacy management (CPM) and corresponding research on family privacy regulation that provides a road map to understand the multifaceted nature of managing private information (Petronio, 2002). The article discusses contributions of CPM to conceptualizing privacy in meaningful ways, along with current research trends and future directions for CPM research and theorizing.

Journal ArticleDOI
TL;DR: This paper proposes a framework to compute a privacy score of a user, which indicates the potential privacy risk caused by his participation in the network, and develops mathematical models to estimate both sensitivity and visibility of the information.
Abstract: A large body of work has been devoted to address corporate-scale privacy concerns related to social networks. Most of this work focuses on how to share social networks owned by organizations without revealing the identities or the sensitive relationships of the users involved. Not much attention has been given to the privacy risk of users posed by their daily information-sharing activities. In this article, we approach the privacy issues raised in online social networks from the individual users’ viewpoint: we propose a framework to compute the privacy score of a user. This score indicates the user’s potential risk caused by his or her participation in the network. Our definition of privacy score satisfies the following intuitive properties: the more sensitive information a user discloses, the higher his or her privacy risk. Also, the more visible the disclosed information becomes in the network, the higher the privacy risk. We develop mathematical models to estimate both sensitivity and visibility of the information. We apply our methods to synthetic and real-world data and demonstrate their efficacy and practical utility.

Proceedings ArticleDOI
10 Apr 2010
TL;DR: This paper explored the needs and concerns of users, resulting in a set of design considerations for tagged photo privacy, and designed a privacy enhancing mechanism based on these findings, and validated it using a mixed methods approach.
Abstract: Photo tagging is a popular feature of many social network sites that allows users to annotate uploaded images with those who are in them, explicitly linking the photo to each person's profile. In this paper, we examine privacy concerns and mechanisms surrounding these tagged images. Using a focus group, we explored the needs and concerns of users, resulting in a set of design considerations for tagged photo privacy. We then designed a privacy enhancing mechanism based on our findings, and validated it using a mixed methods approach. Our results identify the social tensions that tagging generates, and the needs of privacy tools to address the social implications of photo privacy management.

Journal ArticleDOI
TL;DR: In this article, a family of geometric data transformation methods (GDTMs) is introduced to ensure that the mining process will not violate privacy up to a certain degree of security.
Abstract: Despite its benefit in a wide range of applications, data mining techniques also have raised a number of ethical issues. Some such issues include those of privacy, data security, intellectual property rights, and many others. In this paper, we address the privacy problem against unauthorized secondary use of information. To do so, we introduce a family of geometric data transformation methods (GDTMs) which ensure that the mining process will not violate privacy up to a certain degree of security. We focus primarily on privacy preserving data clustering, notably on partition-based and hierarchical methods. Our proposed methods distort only confidential numerical attributes to meet privacy requirements, while preserving general features for clustering analysis. Our experiments demonstrate that our methods are effective and provide acceptable values in practice for balancing privacy and accuracy. We report the main results of our performance evaluation and discuss some open research issues.

Journal ArticleDOI
TL;DR: This article proposes a solution to enforce the privacy of data collections that combines data fragmentation with encryption, and formalizes the problem of minimizing the impact of fragmentation in terms of number of fragments and their affinity and presents two heuristic algorithms for solving such problems.
Abstract: The impact of privacy requirements in the development of modern applications is increasing very quickly. Many commercial and legal regulations are driving the need to develop reliable solutions for protecting sensitive information whenever it is stored, processed, or communicated to external parties. To this purpose, encryption techniques are currently used in many scenarios where data protection is required since they provide a layer of protection against the disclosure of personal information, which safeguards companies from the costs that may arise from exposing their data to privacy breaches. However, dealing with encrypted data may make query processing more expensive. In this article, we address these issues by proposing a solution to enforce the privacy of data collections that combines data fragmentation with encryption. We model privacy requirements as confidentiality constraints expressing the sensitivity of attributes and their associations. We then use encryption as an underlying (conveniently available) measure for making data unintelligible while exploiting fragmentation as a way to break sensitive associations among attributes. We formalize the problem of minimizing the impact of fragmentation in terms of number of fragments and their affinity and present two heuristic algorithms for solving such problems. We also discuss experimental results, comparing the solutions returned by our heuristics with respect to optimal solutions, which show that the heuristics, while guaranteeing a polynomial-time computation cost, are able to retrieve solutions close to optimum.

Proceedings ArticleDOI
23 May 2010
TL;DR: This work introduces the "smart metering privacy model" for measuring the degree of privacy that a smart metering application can provide, and presents two design solutions both with and without involvement of trusted third parties.
Abstract: Electricity suppliers have started replacing traditional electricity meters with so-called smart meters, which can transmit current power consumption levels to the supplier within short intervals. Though this is advantageous for the electricity suppliers' planning purposes, and also allows the customers a more detailed look at their usage behavior, it means a considerable risk for privacy. The detailed information can be used to judge whether persons are in the household, when they come home, which electric devices they use (e.g. when they watch TV), and so forth. In this work, we introduce the "smart metering privacy model" for measuring the degree of privacy that a smart metering application can provide. Moreover, we present two design solutions both with and without involvement of trusted third parties. We show that the solution with trusted party can provide "perfect privacy" under certain conditions.

Journal ArticleDOI
TL;DR: In this article, the privacy and consumer risks that are associated with cloud computing are examined.

01 Jan 2010
TL;DR: The results show that standardized privacy policy presentations can have significant positive effects on accuracy and speed of information finding and on reader enjoyment of privacy policies.

Proceedings ArticleDOI
10 Apr 2010
TL;DR: This paper conducted an online user study of 764 participants to test if these three more-intentionally designed, standardized privacy policy formats, assisted by consumer education, can benefit consumers, and found that standardized privacy policies can have significant positive effects on accuracy and speed of information finding and on reader enjoyment of privacy policies.
Abstract: Earlier work has shown that consumers cannot effectively find information in privacy policies and that they do not enjoy using them. In our previous research we developed a standardized table format for privacy policies. We compared this standardized format, and two short variants (one tabular, one text) with the current status quo: full text natural-language policies and layered policies. We conducted an online user study of 764 participants to test if these three more-intentionally designed, standardized privacy policy formats, assisted by consumer education, can benefit consumers. Our results show that standardized privacy policy presentations can have significant positive effects on accuracy and speed of information finding and on reader enjoyment of privacy policies.

Book ChapterDOI
01 Jan 2010
TL;DR: In this paper, the authors conducted a thorough analysis of the market for privacy practices and policies in online social networks and found that many popular assumptions regarding privacy and social networking need to be revisited when considering the entire ecosystem instead of only a handful of well-known sites.
Abstract: We have conducted the first thorough analysis of the market for privacy practices and policies in online social networks. From an evaluation of 45 social networking sites using 260 criteria we find that many popular assumptions regarding privacy and social networking need to be revisited when considering the entire ecosystem instead of only a handful of well-known sites. Contrary to the common perception of an oligopolistic market, we find evidence of vigorous competition for new users. Despite observing many poor security practices, there is evidence that social network providers are making efforts to implement privacy enhancing technologies with substantial diversity in the amount of privacy control offered. However, privacy is rarely used as a selling point, even then only as auxiliary, nondecisive feature. Sites also failed to promote their existing privacy controls within the site. We similarly found great diversity in the length and content of formal privacy policies, but found an opposite promotional trend: though almost all policies are not accessible to ordinary users due to obfuscating legal jargon, they conspicuously vaunt the sites’ privacy practices. We conclude that the market for privacy in social networks is dysfunctional in that there is significant variation in sites’ privacy controls, data collection requirements, and legal privacy policies, but this is not effectively conveyed to users. Our empirical findings motivate us to introduce the novel model of a privacy communication game, where the economically rational choice for a site operator is to make privacy control available to evade criticism from privacy fundamentalists, while hiding the privacy control interface and privacy policy to maximize sign-up numbers and encourage data sharing from the pragmatic majority of users.

Proceedings ArticleDOI
30 Aug 2010
TL;DR: This paper describes the design and implementation of a new P2P data sharing protocol, called OneSwarm, that provides users much better privacy than BitTorrent and much better performance than Tor or Freenet.
Abstract: Privacy -- the protection of information from unauthorized disclosure -- is increasingly scarce on the Internet. The lack of privacy is particularly true for popular peer-to-peer data sharing applications such as BitTorrent where user behavior is easily monitored by third parties. Anonymizing overlays such as Tor and Freenet can improve user privacy, but only at a cost of substantially reduced performance. Most users are caught in the middle, unwilling to sacrifice either privacy or performance. In this paper, we explore a new design point in this tradeoff between privacy and performance. We describe the design and implementation of a new P2P data sharing protocol, called OneSwarm, that provides users much better privacy than BitTorrent and much better performance than Tor or Freenet. A key aspect of the OneSwarm design is that users have explicit configurable control over the amount of trust they place in peers and in the sharing model for their data: the same data can be shared publicly, anonymously, or with access control, with both trusted and untrusted peers. OneSwarm's novel lookup and transfer techniques yield a median factor of 34 improvement in download times relative to Tor and a factor of 69 improvement relative to Freenet. OneSwarm is publicly available and has been downloaded by hundreds of thousands of users since its release.

Proceedings ArticleDOI
22 Mar 2010
TL;DR: Experiments conducted on the real-world Census-income dataset show that, although the proposed methods provide strong privacy, their effectiveness in reducing matching cost is not far from that of k-anonymity based counterparts.
Abstract: Private matching between datasets owned by distinct parties is a challenging problem with several applications. Private matching allows two parties to identify the records that are close to each other according to some distance functions, such that no additional information other than the join result is disclosed to any party. Private matching can be solved securely and accurately using secure multi-party computation (SMC) techniques, but such an approach is prohibitively expensive in practice. Previous work proposed the release of sanitized versions of the sensitive datasets which allows blocking, i.e., filtering out sub-sets of records that cannot be part of the join result. This way, SMC is applied only to a small fraction of record pairs, reducing the matching cost to acceptable levels. The blocking step is essential for the privacy, accuracy and efficiency of matching. However, the state-of-the-art focuses on sanitization based on k-anonymity, which does not provide sufficient privacy. We propose an alternative design centered on differential privacy, a novel paradigm that provides strong privacy guarantees. The realization of the new model presents difficult challenges, such as the evaluation of distance-based matching conditions with the help of only a statistical queries interface. Specialized versions of data indexing structures (e.g., kd-trees) also need to be devised, in order to comply with differential privacy. Experiments conducted on the real-world Census-income dataset show that, although our methods provide strong privacy, their effectiveness in reducing matching cost is not far from that of k-anonymity based counterparts.

Proceedings ArticleDOI
Cynthia Dwork
17 Jan 2010
TL;DR: New work is described that extends differentially private data analysis beyond the traditional setting of a trusted curator operating, in perfect isolation, on a static dataset, and considers differential privacy under continual observation.
Abstract: Differential privacy is a recent notion of privacy tailored to the problem of statistical disclosure control: how to release statistical information about a set of people without compromising the privacy of any individual [7]. We describe new work [10, 9] that extends differentially private data analysis beyond the traditional setting of a trusted curator operating, in perfect isolation, on a static dataset. We ask:
• How can we guarantee differential privacy, even against an adversary that has access to the algorithm's internal state, e.g., by subpoena? An algorithm that achieves this is said to be pan-private.
• How can we guarantee differential privacy when the algorithm must continually produce outputs? We call this differential privacy under continual observation.
We also consider these requirements in conjunction.

Book
02 Aug 2010
TL;DR: This book not only explores privacy and information utility issues but also efficiency and scalability challenges and highlights efficient and scalable methods and provides an analytical discussion to compare the strengths and weaknesses of different solutions.
Abstract: Gaining access to high-quality data is a vital necessity in knowledge-based decision making. But data in its raw form often contains sensitive information about individuals. Providing solutions to this problem, the methods and tools of privacy-preserving data publishing enable the publication of useful information while protecting data privacy. Introduction to Privacy-Preserving Data Publishing: Concepts and Techniques presents state-of-the-art information sharing and data integration methods that take into account privacy and data mining requirements. The first part of the book discusses the fundamentals of the field. In the second part, the authors present anonymization methods for preserving information utility for specific data mining tasks. The third part examines the privacy issues, privacy models, and anonymization methods for realistic and challenging data publishing scenarios. While the first three parts focus on anonymizing relational data, the last part studies the privacy threats, privacy models, and anonymization methods for complex data, including transaction, trajectory, social network, and textual data. This book not only explores privacy and information utility issues but also efficiency and scalability challenges. In many chapters, the authors highlight efficient and scalable methods and provide an analytical discussion to compare the strengths and weaknesses of different solutions.

Journal ArticleDOI
TL;DR: A small sample of participants were asked to discuss what friendship and privacy meant to them and to give examples of a privacy violation they had experienced, and a thematic analysis was conducted on the interviews to determine the issues discussed by the participants.
Abstract: With the growth of the Internet comes a growth in a ubiquitous networked society. Common Web 2.0 applications include a rapidly growing trend for social network sites. Social network sites typically converged different relationship types into one group of “friends.” However, with such vast interconnectivity, convergence of relationships, and information sharing by individual users comes an increased risk of privacy violations. We asked a small sample of participants to discuss what friendship and privacy meant to them and to give examples of a privacy violation they had experienced. A thematic analysis was conducted on the interviews to determine the issues discussed by the participants. Many participants experienced privacy issues using the social network site Facebook. The results are presented here and discussed in relation to online privacy concerns, notably social network site privacy concerns and managing such information.

Book ChapterDOI
21 Jul 2010
TL;DR: This paper examines how the lack of joint privacy controls over content can inadvertently reveal sensitive information about a user including preferences, relationships, conversations, and photos and presents a proof of concept application built into Facebook that automatically ensures mutually acceptable privacy restrictions are enforced on group content.
Abstract: As the popularity of social networks expands, the information users expose to the public has potentially dangerous implications for individual privacy. While social networks allow users to restrict access to their personal data, there is currently no mechanism to enforce privacy concerns over content uploaded by other users. As group photos and stories are shared by friends and family, personal privacy goes beyond the discretion of what a user uploads about himself and becomes an issue of what every network participant reveals. In this paper, we examine how the lack of joint privacy controls over content can inadvertently reveal sensitive information about a user including preferences, relationships, conversations, and photos. Specifically, we analyze Facebook to identify scenarios where conflicting privacy settings between friends will reveal information that at least one user intended remain private. By aggregating the information exposed in this manner, we demonstrate how a user's private attributes can be inferred from simply being listed as a friend or mentioned in a story. To mitigate this threat, we show how Facebook's privacy model can be adapted to enforce multi-party privacy. We present a proof of concept application built into Facebook that automatically ensures mutually acceptable privacy restrictions are enforced on group content.

Journal ArticleDOI
01 Jan 2010
TL;DR: Internet privacy was the topic in this paper and it was mentioned that individuals have become more concerned about personalization in customized browsing experiences, monitored purchasing patterns, and targeted marketing and research.
Abstract: Internet privacy was the topic in this paper. A 2008 survey revealed that US Internet users' top three privacy concerns haven't changed since 2002, but privacy-related events might have influenced their level of concern within certain categories. The authors describe their results as well as the differences in privacy concerns between US and international respondents. They also mentioned that individuals have become more concerned about personalization in customized browsing experiences, monitored purchasing patterns, and targeted marketing and research.

Journal ArticleDOI
01 Sep 2010
TL;DR: A general impossibility result is given showing that a natural formalization of Dalenius’ goal cannot be achieved if the database is useful, and a variant of the result threatens the privacy even of someone not in the database.
Abstract: In 1977 Tore Dalenius articulated a desideratum for statistical databases: nothing about an individual should be learnable from the database that cannot be learned without access to the database. We give a general impossibility result showing that a natural formalization of Dalenius’ goal cannot be achieved if the database is useful. The key obstacle is the side information that may be available to an adversary. Our results hold under very general conditions regarding the database, the notion of privacy violation, and the notion of utility. Contrary to intuition, a variant of the result threatens the privacy even of someone not in the database. This state of affairs motivated the notion of differential privacy [15, 16], a strong ad omnia privacy which, intuitively, captures the increased risk to one’s privacy incurred by participating in a database.

Proceedings Article
10 Aug 2010
TL;DR: It is argued that the security and privacy community needs to shape the further development of geo-location technology for better protecting users from the consequences of using geo-tagged information to mount real-world attacks.
Abstract: This article aims to raise awareness of a rapidly emerging privacy threat that we term cybercasing: using geo-tagged information available online to mount real-world attacks. While users typically realize that sharing locations has some implications for their privacy, we provide evidence that many (i) are unaware of the full scope of the threat they face when doing so, and (ii) often do not even realize when they publish such information. The threat is elevated by recent developments that make systematic search for specific geo-located data and inference from multiple sources easier than ever before. In this paper, we summarize the state of geo-tagging; estimate the amount of geo-information available on several major sites, including YouTube, Twitter, and Craigslist; and examine its programmatic accessibility through public APIs. We then present a set of scenarios demonstrating how easy it is to correlate geotagged data with corresponding publicly-available information for compromising a victim's privacy. We were, e.g., able to find private addresses of celebrities as well as the origins of otherwise anonymized Craigslist postings. We argue that the security and privacy community needs to shape the further development of geo-location technology for better protecting users from such consequences.