Group D Privacy with accountability, auditability and transparency

Accountability, auditability and transparency in service of Privacy
Grand Challenge Statement
Develop technologies that allow individuals, governments and organizations to control the release and use of information according to flexible and understandable policies.
18 Nov 2003
Motivating Scenario
• It will soon be possible to determine an individual’s complete genome
• Terrific benefits:
– Customized medical treatments
– Knowledge of predisposition for diseases
– Aid medical research
• Terrific risk of abuse:
– Unauthorized use by insurance, employers, law enforcement
Enabling Assumptions
1. There will be semi-trusted computing platforms (you can provide a program to a machine and believe it will execute it only as intended).
2. Legal mechanisms will be in place to sufficiently deter misuse.
3. Perfect encryption primitives are available.
We don’t believe any of these exist yet… but close enough approximations do.
Policy Questions
• Who should set the policies?
– Individuals: change the balance of power
• It shouldn’t be up to individuals to understand and agree to a service’s privacy policy
• Instead, individuals provide data in a way that enforces their policies, and the service decides what service to provide
– Society: the “owner” is not the only one impacted
• Releasing my genome also releases information about my sister, parents, etc.
• Society may deserve to know about criminal records, infectious diseases, etc.
Non-technical issues, but technology must be able to support the range of desired policies.
Policy Questions
• How do you express and reason about policies?
– Average users need to understand what policies allow and disallow, and select (maybe define) policies that reflect their intent
– Privacy policies are complex: release of information, history, location (jurisdiction), remnants, independence
– Transfers between programs and organizations
Design languages for defining policies, tools for reasoning about what policies allow, models for presenting policies that are understandable
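The two policy-questions slides ask for a language in which an individual can state a release policy, and for tools that show what the policy allows and disallows. The following added example (not code from the original deck) sketches both: a rule-based policy whose rules name purposes, recipients, jurisdictions and required credentials, an evaluator, an explanation function, and a summariser that enumerates every request the policy would allow so a user can see the whole picture. The rule format, the attribute vocabularies and the sample genome policy are illustrative assumptions.

```python
"""A small policy language for information release, with tools for reasoning
about what a policy allows.

Added example illustrating the policy-questions slides; it is not code from
the original deck. The rule format, the attribute vocabularies and the sample
genome policy are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from itertools import product

# Constructed vocabularies over which a policy is summarised for a user.
PURPOSES = ("treatment", "research", "insurance", "employment", "law_enforcement")
RECIPIENTS = ("physician", "researcher", "insurer", "employer", "police")
JURISDICTIONS = ("EU", "US")


@dataclass(frozen=True)
class Request:
    purpose: str
    recipient: str
    jurisdiction: str
    credentials: frozenset = frozenset()   # e.g. a court order presented by the requester


@dataclass(frozen=True)
class Rule:
    effect: str                            # "allow" or "deny"
    purposes: frozenset = frozenset()      # an empty set matches any value
    recipients: frozenset = frozenset()
    jurisdictions: frozenset = frozenset()
    credentials: frozenset = frozenset()   # credentials the requester must hold
    audit: bool = False                    # release only if an audit record is produced
    note: str = ""                         # plain-language reading shown to the user

    def matches(self, req):
        def fits(allowed, value):
            return not allowed or value in allowed
        return (fits(self.purposes, req.purpose)
                and fits(self.recipients, req.recipient)
                and fits(self.jurisdictions, req.jurisdiction)
                and self.credentials <= req.credentials)


@dataclass(frozen=True)
class Policy:
    rules: tuple
    default: str = "deny"      # closed policy: anything not explicitly allowed is denied

    def decide(self, req):
        """First matching rule wins. Returns (effect, audit_required, rule_or_None)."""
        for rule in self.rules:
            if rule.matches(req):
                return rule.effect, rule.audit, rule
        return self.default, False, None


def explain(policy, req):
    """Tell the user which rule decided a request and why."""
    effect, audit, rule = policy.decide(req)
    if rule is None:
        return f"{effect}: no rule matched, policy default applies"
    suffix = " (audit record required)" if audit else ""
    return f"{effect}: {rule.note}{suffix}"


def allowed_combinations(policy, credentials=frozenset()):
    """Enumerate every (purpose, recipient, jurisdiction) the policy allows for a
    requester holding the given credentials, so a user can see the whole picture."""
    return sorted((p, r, j) for p, r, j in product(PURPOSES, RECIPIENTS, JURISDICTIONS)
                  if policy.decide(Request(p, r, j, credentials))[0] == "allow")


def policy_difference(old, new, credentials=frozenset()):
    """What a change of policy newly allows and newly forbids."""
    a = set(allowed_combinations(old, credentials))
    b = set(allowed_combinations(new, credentials))
    return {"newly_allowed": sorted(b - a), "newly_denied": sorted(a - b)}


# Constructed sample: a policy an individual might attach to their genome.
GENOME_POLICY = Policy((
    Rule("deny", purposes=frozenset({"insurance", "employment"}),
         note="never for insurance or employment decisions"),
    Rule("allow", purposes=frozenset({"treatment"}), recipients=frozenset({"physician"}),
         audit=True, note="physicians may use it for my treatment"),
    Rule("allow", purposes=frozenset({"research"}), recipients=frozenset({"researcher"}),
         jurisdictions=frozenset({"EU"}), note="researchers in the EU may use it"),
    Rule("allow", purposes=frozenset({"law_enforcement"}), recipients=frozenset({"police"}),
         credentials=frozenset({"court_order"}), audit=True,
         note="police may use it only with a court order"),
))

if __name__ == "__main__":
    print(explain(GENOME_POLICY, Request("treatment", "physician", "US")))
    for combo in allowed_combinations(GENOME_POLICY):
        print("allowed without credentials:", combo)
```

The deny rule is placed first so that a later, broader allow can never override it; `allowed_combinations` and `policy_difference` are the "tools for reasoning" the slide asks for, and `policy_difference` is what one would show a user before they accept a changed policy.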
Accountability
• Need workarounds: a doctor in a foreign country should be able to get the medical history of an unconscious patient
• Auditability: policies can specify that information is only released if an audit record is produced
– Privacy of the requestor may conflict with the policy
• Policies can relate information release and use to the accountability of the user: credentials expand accountability, laws in the user’s jurisdiction
Enforcement
• Control for release and use of data has to be part of the data itself
– Programs that release information according to a policy (DRM-like)
• Constrain the use of that information after it is released to one program, but not yet to another (or a human)
• Revocation: if there is a mistake, can we retrieve all information derived from bad data?
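The Accountability and Enforcement slides together describe data that carries its own control, release that happens only once an audit record exists, use that stays constrained after release into a program, and revocation that reaches everything derived from bad data. The added example below (not code from the original deck) models all four on a toy scale: each datum bundles its allowed purposes and its provenance, a derived datum may only be used for purposes every parent allows, the store writes an audit record before any value leaves, and revoking one datum marks every descendant as revoked. The `Datum`, `Store` and `AuditLog` classes, the purpose-set policy and the constructed sample data are all assumptions.

```python
"""Sticky policies, audit-gated release and revocation by provenance.

Added example illustrating the Accountability and Enforcement slides; it is
not code from the original deck. The classes, the purpose-set policy and the
constructed sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import itertools

_next_id = itertools.count(1)


@dataclass
class Datum:
    """Information bundled with the policy that governs it (here: the set of
    purposes it may be released for) and the ids of the data it came from."""
    value: object
    allowed_purposes: frozenset
    owner: str
    derived_from: frozenset = frozenset()
    id: int = field(default_factory=lambda: next(_next_id))


class AuditLog:
    """Append-only list of audit records."""

    def __init__(self):
        self.records = []

    def record(self, event, **fields):
        entry = {"event": event, "time": datetime.now(timezone.utc).isoformat(), **fields}
        self.records.append(entry)
        return entry


class Store:
    """Holds data and is the only path by which a value can be released."""

    def __init__(self, log):
        self.log = log
        self.items = {}
        self.revoked = set()

    def add(self, datum):
        self.items[datum.id] = datum
        return datum

    def derive(self, value, parents):
        """A derived datum may only be used for purposes every parent allows,
        and remembers its parents so that revocation can reach it."""
        allowed = frozenset.intersection(*(self.items[p].allowed_purposes for p in parents))
        owners = ",".join(sorted({self.items[p].owner for p in parents}))
        return self.add(Datum(value, allowed, owners, derived_from=frozenset(parents)))

    def release(self, datum_id, requester, purpose):
        """The datum's own policy decides. Every outcome produces an audit
        record, and the record for a release is written before the value leaves."""
        d = self.items[datum_id]
        if d.id in self.revoked:
            self.log.record("refused", reason="revoked", datum=d.id,
                            requester=requester, purpose=purpose)
            raise PermissionError(f"datum {d.id} has been revoked")
        if purpose not in d.allowed_purposes:
            self.log.record("refused", reason="purpose", datum=d.id,
                            requester=requester, purpose=purpose)
            raise PermissionError(f"datum {d.id} is not releasable for {purpose}")
        self.log.record("release", datum=d.id, requester=requester,
                        purpose=purpose, owner=d.owner)
        return d.value

    def revoke(self, datum_id):
        """Mark a datum and everything transitively derived from it as revoked."""
        affected, frontier = {datum_id}, {datum_id}
        while frontier:
            frontier = {d.id for d in self.items.values()
                        if d.id not in affected and d.derived_from & frontier}
            affected |= frontier
        self.revoked |= affected
        self.log.record("revoke", root=datum_id, affected=sorted(affected))
        return affected


def run_scenario():
    """Constructed scenario: a genome and a survey answer, a risk score derived
    from both, one legitimate release, two refused ones, then revocation of the
    survey datum after it turns out to be wrong."""
    log = AuditLog()
    store = Store(log)
    genome = store.add(Datum("ACGTTGCA", frozenset({"treatment", "research"}), owner="alice"))
    survey = store.add(Datum({"smoker": False}, frozenset({"research"}), owner="alice"))
    risk = store.derive("risk score 0.2", parents=[genome.id, survey.id])
    refused = []
    released = store.release(genome.id, requester="dr_bob", purpose="treatment")
    for datum, requester, purpose in [(genome, "insurer_x", "insurance"),
                                      (risk, "dr_bob", "treatment")]:
        try:
            store.release(datum.id, requester, purpose)
        except PermissionError as e:
            refused.append(str(e))
    affected = store.revoke(survey.id)
    try:
        store.release(risk.id, "researcher_y", "research")
    except PermissionError as e:
        refused.append(str(e))
    return {"released": released, "refused": refused, "affected": affected,
            "genome": genome, "survey": survey, "risk": risk, "log": log.records}
```

Note that the risk score, although derived partly from the genome, cannot be released for treatment: the survey answer only allowed research, and a derived datum inherits the intersection of its parents' policies. Revoking the survey datum reaches the risk score through `derived_from` but leaves the genome untouched.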
Timeline (Now → 3 years → 5 years → 7 years)
• Enforcement: control release (3 years); control use (5 years); revocation (7 years)
• Policies: understandable release policies for individuals (3 years); policies that vary with accountability, society-level policies (5 years); policies that depend on jurisdiction, revocation policies (7 years)
Impact
Success criterion: people are willing to provide their genome to medical databases in a way that enables customized treatments and medical research, without fear that it will be abused.
Recap: Challenge Statement
Develop technologies that allow individuals, governments and organizations to control the release and use of information according to flexible and understandable policies.