Protecting Privacy in Terrorist Tracking Applications

Teresa Lunt, PI
Jessica Staddon, Dirk Balfanz, Glenn Durfee, Tomas Uribe (SRI), Diana Smetters, Jim Thornton, Paul Aoki, Brent Waters (intern), David Woodruff (intern)

Privacy Appliance
• Standalone devices
  – Under private control
  – Better assurance of correct operation
• Sits between the analyst and each private data source
  – Easily added to an enterprise's computing infrastructure
  – Like firewalls

[Diagram: the analyst's user query passes through a government-owned cross-source privacy appliance, then through an independently operated privacy appliance in front of each privately owned data source.]

Benefits
• Private data stays in private hands
• Privacy controls isolated from the government

Access Control
• For lowest authorization:
  – Withhold identifying attributes
  – Prevent completion of inference channels
• For higher authorization:
  – Can retrieve specific identifying info
  – Must specify scope of data authorized
• The privacy appliance will recognize
  – Which queries touch inference channels
  – Whether the user is authorized for the query

[Diagram: query flow through the appliance. Analyst query → Check authorizations (against the access control DB, into which special authorizations are input) → Modify query as needed to withhold data → Mark access "history" (so an analyst can't combine non-sensitive queries to obtain sensitive info) → Send modified query to data source.]

Inference Tool
• Earlier life: MLS databases
  – Detect inference channels from unclassified to classified data
• Now: privacy protection
  – Detect inference channels from non-sensitive to sensitive data
  – Example:
    • Select count(name) where gender = female   (returns 1)
    • Select avg(grade) where gender = female   (the "average" is that one person's grade)
    Neither query names anyone, but together they disclose an individual's sensitive attribute.

Systems Issues
• Logging
  – Log classified stuff at third-party sites!
  – Search through (encrypted) logs to prove abuse.
• Trust issues
  – Finally a legitimate use for Palladium!
• …
  – This is a big system!
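The following is an added illustration of the appliance's query mediation from the Access Control slide (check, withhold, mark history) applied to the inference channel on the Inference Tool slide. It is not code from the PARC/SRI project. It assumes a constructed four-row `students` table, a minimum group size k=2, and a set-difference rule against previously released aggregates that generalizes the slide's single count/avg example to "tracker" pairs such as avg over everyone followed by avg over everyone-but-one; the whitelists, the `PrivacyAppliance` class and its method names are all hypothetical.

```python
import sqlite3

# Constructed sample table standing in for one privately held data source
# (hypothetical data, not from the slides).
ROWS = [
    (1, "Alice", "female", 91),
    (2, "Bob",   "male",   74),
    (3, "Carl",  "male",   88),
    (4, "Dan",   "male",   65),
]

K_MIN = 2  # assumed policy: never release a value aggregate over fewer than K_MIN people


def open_source():
    """Create the in-memory data source that sits behind the appliance."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, gender TEXT, grade INTEGER)"
    )
    conn.executemany("INSERT INTO students VALUES (?, ?, ?, ?)", ROWS)
    return conn


class PrivacyAppliance:
    """Mediates an analyst's aggregate queries against one data source.

    Only whitelisted aggregates, columns and predicate columns are accepted, so
    no analyst-supplied text is ever spliced into SQL.  Every released value
    aggregate is recorded as the set of row ids it covered (the access
    "history"); a new request is withheld if its row set is smaller than k, or
    if it differs from an already-released set by fewer than k rows, since the
    analyst could subtract the two answers and isolate individuals.
    """

    AGGREGATES = {"count", "avg"}
    COLUMNS = {"name", "grade"}
    NUMERIC_COLUMNS = {"grade"}
    PREDICATE_COLUMNS = {"gender"}

    def __init__(self, conn, k=K_MIN):
        self.conn = conn
        self.k = k
        self.history = []  # frozensets of row ids behind released value aggregates

    def _matching_ids(self, where):
        """Row ids the predicate selects; computed inside the appliance, never released."""
        if where is None:
            rows = self.conn.execute("SELECT id FROM students").fetchall()
        else:
            col, val = where
            if col not in self.PREDICATE_COLUMNS:
                raise ValueError(f"predicate column not permitted: {col}")
            rows = self.conn.execute(
                f"SELECT id FROM students WHERE {col} = ?", (val,)
            ).fetchall()
        return frozenset(r[0] for r in rows)

    def _inference_check(self, ids):
        """Return a reason to withhold, or None if the value aggregate may be released."""
        if len(ids) < self.k:
            return f"only {len(ids)} row(s) match; policy requires at least {self.k}"
        for prior in self.history:
            for diff in (ids - prior, prior - ids):
                if 0 < len(diff) < self.k:
                    return ("combining with an earlier answered query would isolate "
                            f"{len(diff)} row(s)")
        return None

    def query(self, agg, column, where=None):
        """Answer or withhold one aggregate request.

        Returns {"status": "released", "value": v} or {"status": "withheld", "reason": r}.
        """
        if agg not in self.AGGREGATES or column not in self.COLUMNS:
            raise ValueError("aggregate or column not permitted")
        ids = self._matching_ids(where)

        if agg == "count":
            # A bare count reveals group size only: the "non-sensitive" half of
            # the channel, released as-is.
            return {"status": "released", "value": len(ids)}

        if column not in self.NUMERIC_COLUMNS:
            raise ValueError(f"avg not permitted on column: {column}")
        reason = self._inference_check(ids)
        if reason:
            return {"status": "withheld", "reason": reason}

        placeholders = ",".join("?" * len(ids))
        # column comes from a whitelist above; the ids are bound parameters.
        value = self.conn.execute(
            f"SELECT AVG({column}) FROM students WHERE id IN ({placeholders})",
            tuple(ids),
        ).fetchone()[0]
        self.history.append(ids)  # mark the access so later queries are checked against it
        return {"status": "released", "value": value}


def run_demo():
    """Replay the slide's two-query channel, then a tracker pair, through the appliance."""
    app = PrivacyAppliance(open_source())
    return [
        app.query("count", "name", ("gender", "female")),  # released: 1
        app.query("avg", "grade", ("gender", "female")),   # withheld: group of 1
        app.query("avg", "grade"),                         # released: 79.5
        app.query("avg", "grade", ("gender", "male")),     # withheld: all minus male isolates 1
    ]


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

The fourth query is the part the slide's example does not show: on its own, avg(grade) over the three males is a perfectly releasable aggregate, and it is released if asked first; it is withheld here only because the history already holds the all-rows aggregate, and the two answers would differ by exactly Alice's grade. That is why the appliance must keep state per analyst rather than judging each query in isolation.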