Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #21 Privacy March 29, 2005
Data and Applications Security Developments and Directions
Dr. Bhavani ThuraisinghamThe University of Texas at Dallas
Lecture #21Privacy
March 29, 2005
Outline
Data Mining and Privacy - Review Some Aspects of Privacy Revisiting Privacy Preserving Data Mining Platform for Privacy Preferences Challenges and Discussion
Some Privacy concerns Medical and Healthcare- Employers, marketers, or others knowing of private medical
concerns Security- Allowing access to individual’s travel and spending data- Allowing access to web surfing behavior
Marketing, Sales, and Finance- Allowing access to individual’s purchases
Data Mining as a Threat to Privacy
Data mining gives us “facts” that are not obvious to human analysts of the data
Can general trends across individuals be determined without revealing information about individuals?
Possible threats:- Combine collections of data and infer information that is private
Disease information from prescription data Military Action from Pizza delivery to pentagon
Need to protect the associations and correlations between the data that are sensitive or private
Some Privacy Problems and Potential Solutions Problem: Privacy violations that result due to data mining- Potential solution: Privacy-preserving data mining
Problem: Privacy violations that result due to the Inference problem- Inference is the process of deducing sensitive information from
the legitimate responses received to user queries- Potential solution: Privacy Constraint Processing
Problem: Privacy violations due to un-encrypted data- Potential solution: Encryption at different levels
Problem: Privacy violation due to poor system design- Potential solution: Develop methodology for designing privacy-
enhanced systems
Some Directions:Privacy Preserving Data Mining
Prevent useful results from mining - Introduce “cover stories” to give “false” results - Only make a sample of data available so that an adversary is unable to come up with useful
rules and predictive functions Randomization- Introduce random values into the data and/or results- Challenge is to introduce random values without significantly affecting the data mining results- Give range of values for results instead of exact values
Secure Multi-party Computation- Each party knows its own inputs; encryption techniques used to compute final results
- Rules, predictive functions Approach: Only make a sample of data available- Limits ability to learn good classifier
Some Directions: Privacy Problem as a form of Inference Problem
Privacy constraints- Content-based constraints; association-based constraints
Privacy controller- Augment a database system with a privacy controller for
constraint processing and examine the releasability of data/information (e.g., release constraints)
Use of conceptual structures to design applications with privacy in mind (e.g., privacy preserving database and application design)
The web makes the problem much more challenging than the inference problem we examined in the 1990s!
Is the General Privacy Problem Unsolvable?
Privacy Constraint Processing
Privacy constraints processing- Based on prior research in security constraint processing - Simple Constraint: an attribute of a document is private- Content-based constraint: If document contains information
about X, then it is private- Association-based Constraint: Two or more documents taken
together is private; individually each document is public- Release constraint: After X is released Y becomes private
Augment a database system with a privacy controller for constraint processing
Architecture for Privacy Constraint Processing
User Interface Manager
ConstraintManager
Privacy Constraints
Query Processor:
Constraints during query and release operations
Update Processor:
Constraints during update operation
Database Design Tool
Constraints during database design operation
DatabaseDBMS
Semantic Model for Privacy Control
Patient John
CancerInfluenza
Has disease
Travels frequently
England
address
John’s address
Dark lines/boxes containprivate information
Some Directions:Encryption for Privacy
Encryption at various levels- Encrypting the data as well as the results of data mining- Encryption for multi-party computation
Encryption for untrusted third party publishing- Owner enforces privacy policies- Publisher gives the user only those portions of the document
he/she is authorized to access- Combination of digital signatures and Merkle hash to ensure
privacy
Some Directions:Methodology for Designing Privacy Systems
Jointly develop privacy policies with policy specialists Specification language for privacy policies Generate privacy constraints from the policy and check for
consistency of constraints Develop a privacy model Privacy architecture that identifies privacy critical components Design and develop privacy enforcement algorithms Verification and validation
Data Mining and Privacy: Friends or Foes?
They are neither friends nor foes Need advances in both data mining and privacy Need to design flexible systems- For some applications one may have to focus entirely on “pure”
data mining while for some others there may be a need for “privacy-preserving” data mining- Need flexible data mining techniques that can adapt to the
changing environments Technologists, legal specialists, social scientists, policy makers and
privacy advocates MUST work together
Aspects of Privacy
Privacy Preserving Databases- Privacy Constraint Processing
Privacy Preserving Networks- Sensor networks, - - - -
Privacy Preserving Surveillance- RFID
Privacy Preserving Semantic Web- XML, RDF, - - - -
Privacy Preserving Data Mining
Revisiting Privacy Preserving Data Mining
Association Rules- Privacy Preserving Association Rule Mining
IBM, - - - - - Decision Trees- Privacy Preserving Decision Trees
IBM, - - - - Clustering- Privacy Preserving Clustering
Purdue, - - - - Link Analysis- Privacy Preserving Link Analysis
UTD, - - - - -
Privacy Preserving Data MiningAgrawal and Srikant (IBM)
Value Distortion- Introduce a value Xi + r instead of Xi where r is a
random value drawn from some distributionUniform, Gaussian
Quantifying privacy- Introduce a measure based on how closely the
original values of modified attribute can be estimated
Challenge is to develop appropriate models- Develop training set based on perturbed data
Evolved from inference problem in statistical databases
Platform for Privacy Preferences (P3P): What is it?
P3P is an emerging industry standard that enables web sites t9o express their privacy practices in a standard format
The format of the policies can be automatically retrieved and understood by user agents
It is a product of W3C; World wide web consortiumwww.w3c.org
Main difference between privacy and security- User is informed of the privacy policies- User is not informed of the security policies
Platform for Privacy Preferences (P3P): Key Points
When a user enters a web site, the privacy policies of the web site is conveyed to the user
If the privacy policies are different from user preferences, the user is notified
User can then decide how to proceed
Platform for Privacy Preferences (P3P): Organizations
Several major corporations are working on P3P standards including:-Microsoft- IBM- HP- NEC- Nokia- NCR
Web sites have also implemented P3PSemantic web group has adopted P3P
Platform for Privacy Preferences (P3P): Specifications
Initial version of P3P used RDF to specify policiesRecent version has migrated to XMLP3P Policies use XML with namespaces for
encoding policiesExample: Catalog shopping- Your name will not be given to a third party but
your purchases will be given to a third party- <POLICIES xmlns =
http://www.w3.org/2002/01/P3Pv1><POLICY name = - - - -</POLICY></POLICIES>
Platform for Privacy Preferences (P3P): Specifications (Concluded)
P3P has its own statements a d data types expressed in XML
P3P schemas utilize XML schemasXML is a prerequisite to understanding P3PP3P specification released in January 20005 uses
catalog shopping example to explain conceptsP3P is an International standard and is an ongoing
project
P3P and Legal Issues
P3P does not replace lawsP3P work together with the lawWhat happens if the web sites do no honor their
P3P policies- Then appropriate legal actions will have to be
takenXML is the technology to specify P3P policiesPolicy experts will have to specify the policiesTechnologies will have to develop the
specificationsLegal experts will have to take actions if the
policies are violated
Challenges and Discussion
Technology alone is not sufficient for privacyWe need technologists, Policy expert, Legal
experts and Social scientists to work on PrivacySome well known people have said ‘Forget about
privacy”Should we pursue working on Privacy?- Interesting research problems- Interdisciplinary research- Something is better than nothing- Try to prevent privacy violations- If violations occur then prosecute
Discussion?