
Access Control is an Inadequate Framework for Privacy Protection

Lalana Kagal & Hal Abelson DIG @ CSAIL

Monday 12 July 2010


Alternate Definitions of Privacy

  • In 1890, Brandeis and Warren defined privacy as the “right to be let alone”.
  • In 1986, Alan Westin’s seminal work described privacy as the ability for people to determine for themselves “when, how, and to what extent, information about them is communicated to others”.
  • The UN Declaration of Human Rights stipulates that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation”.

information access
information usage

Privacy = Access Control?

What’s wrong with Westin’s perspective of privacy

  • People exchange sensitive information in return for better services online
  • Users are unable to grasp privacy implications
  • System is unable to prevent misuse of data after authorized access
  • Sensitive information can be inferred from public resources

Image courtesy http://www.flickr.com/photos/sesh00/
Image courtesy First Monday, http://www.uic.edu

Alternate Approach

Brandeis and Warren perspective - focus on information usage

  • Similar to how legal and social norms work in society
  • Signs and signals in human society describe expected/optimal behavior
  • Positive/negative consequences of violating/fulfilling the policy
  • Not always immediately enforceable - depends on type of policy and enforcement mechanism

Image courtesy http://commons.wikimedia.org/wiki/

Possible Techniques to Investigate

  • Give users due notice
      • Google dashboard etc.
  • Support information accountability
      • provenance
      • machine understandable policies
      • policy tools (reasoners, user interfaces, etc.)

Image courtesy Google Blog
Image courtesy Google

Possible Techniques to Investigate

  • Privacy-enabling Interface Design
      • Policy-awareness
      • Privacy implications
      • privacy nudges, Google Mail Goggles, abvenance

Image courtesy Creative Commons
Image courtesy Google Blog

Work on Data Usage and Accountability

  • European Data Protection Supervisor
      • Establishes a process for ensuring that the data protection standards set out in Regulation 45/2001 are met and for people to ensure that their data protection rights have been respected
  • OpenForum.com.au Privacy & Trust, http://www.iispartners.com/PTP_working_paper.pdf
      • Suggest a framework with focus on accountability and auditing
  • Centre for Information Policy Leadership (CIPL)
      • focus on transparency, conflicting national legal requirements, cross border data transfers, and government

Summary

Future of privacy protection lies in ensuring responsible use of data!

Items for discussion

  • Privacy = education + access control + usage control + regulation. Will this provide the privacy we require?
  • Possible to have a completely technical solution to privacy?
  • US vs EU privacy issues

References

  • Access Control is Inadequate for Privacy Protection, http://www.w3.org/2010/api-privacy-ws/papers/privacy-ws-23.pdf
  • This presentation, http://dig.csail.mit.edu/2010/Talks/0712-W3CPrivacy-lk/privacy.pdf
  • Virgin Mobile Steals Teen's Flickr Photo For Ad Campaign, “Dump your pen friend”, http://www.switched.com/2007/09/21/virgin-mobile-steals-teens-flickr-photo-for-ad/
  • Project Gaydar, http://www.uic.edu/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/2611/2302

This work is licensed under a Creative Commons Attribution 3.0 License, with attribution to Decentralized Information Group.
