access control is an inadequate framework for privacy
play

Access Control is an Inadequate Framework for Privacy Protection - PowerPoint PPT Presentation

Dec 08, 2023 •426 likes •541 views

Access Control is an Inadequate Framework for Privacy Protection Lalana Kagal & Hal Abelson DIG @ CSAIL Monday 12 July 2010 Alternate Definitions of Privacy In 1890, Brandeis and Warren defined privacy as the right to be let alone

  1. Access Control is an Inadequate Framework for Privacy Protection Lalana Kagal & Hal Abelson DIG @ CSAIL Monday 12 July 2010

  2. Alternate Definitions of Privacy In 1890, Brandeis and Warren defined privacy as the “right to be let alone” In 1986, Alan Westin’s seminal work described privacy as the ability for people to determine for themselves “when, how, and to what extent, information about them is communicated to others”. The UN Declaration of Human Rights stipulates that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation”. 2 of 9 Monday 12 July 2010

  3. Alternate Definitions of Privacy In 1890, Brandeis and Warren defined privacy as the “right to be let alone” In 1986, Alan Westin’s seminal work described privacy as the ability for people to determine for themselves “when, how, and to what extent, information about them is communicated to others”. The UN Declaration of Human Rights stipulates that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation”. information access 2 of 9 Monday 12 July 2010

  4. Alternate Definitions of Privacy In 1890, Brandeis and Warren defined privacy as the “right to be let alone” In 1986, Alan Westin’s seminal work described privacy as the ability for people to determine for themselves “when, how, and to what extent, information about them is communicated to others”. The UN Declaration of Human Rights stipulates that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation”. information access information usage 2 of 9 Monday 12 July 2010

  5. Privacy = Access Control ? What’s wrong with Westin’s perspective of privacy People exchange sensitive information in return for better services online Users are unable to grasp privacy implications System is unable to prevent misuse of data after authorized access Image courtesy http://www.flickr.com/photos/sesh00/ Sensitive information can be inferred from public resources Image courtesy First Monday , http://www.uic.edu 3 of 9 Monday 12 July 2010

  6. Alternate Approach Brandeis and Warren perspective - focus on information usage Similar to how legal and social norms work in society Image courtesy http://commons.wikimedia.org/wiki/ Signs and signals in human society describe expected/optimal behavior Positive/negatives consequences of violating/ fulfilling the policy Not always immediately enforceable - depends on type of policy and enforcement mechanism 4 of 9 Monday 12 July 2010

  7. Possible Techniques to Investigate Give users due notice Google dashboard etc. Support information accountability provenance machine understandable policies policy tools (reasoners, user interfaces, etc.) Image courtesy Google Blog Image courtesy Google 5 of 9 Monday 12 July 2010

  8. Possible Techniques to Investigate Privacy-enabling Interface Design Policy-awareness Privacy implications privacy nudges, Google Mail Goggles, abvenance Image courtesy Creative Commons Image courtesy Google Blog 6 of 9 Monday 12 July 2010

  9. Work on Data Usage and Accountability European Data Protection Supervisor Establishes a process for ensuring that the data protection standards set out in Regulation 45/2001 are met and for people to ensure that their data protection rights have been respected OpenForum.com.au Privacy & Trust http:// www.iispartners.com/PTP_working_paper.pdf Suggest a framework with focus on accountability and auditing Centre for Information Policy Leadership (CIPL) focus on transparency, conflicting national legal requirements, cross border data transfers, and government 7 of 9 Monday 12 July 2010

  10. Summary Future of privacy protection lies in ensuring responsible use of data ! Items for discussion Privacy = education + access control + usage control + regulation. Will this provide the privacy we require ? Possible to have a completely technical solution to privacy ? US vs EU privacy issues 8 of 9 Monday 12 July 2010

  11. References Access Control is Inadequate for Privacy Protection, http:// www.w3.org/2010/api-privacy-ws/papers/privacy- ws-23.pdf This presentation, http://dig.csail.mit.edu/2010/Talks/ 0712-W3CPrivacy-lk/privacy.pdf Virgin Mobile Steals Teen's Flickr Photo For Ad Campaign, “Dump your pen friend”, http://www.switched.com/ 2007/09/21/virgin-mobile-steals-teens-flickr-photo-for- ad/ Project Gaydar, http://www.uic.edu/htbin/cgiwrap/bin/ojs/ index.php/fm/article/view/2611/2302 This work is licensed under a Creative Commons Attribution 3.0 License, with attribution to Decentralized Information Group. 9 of 9 Monday 12 July 2010

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
1 General Access Control General Access Control Control of access to memory relatively easy:

1 General Access Control General Access Control Control of access to memory relatively easy:

Role of Access Control Before closing back doors we need to close front doors Access control: determines access to files & processes in OS Fall 2008 We will return to these themes throughout the course Fall 2008 CS

512 views • 6 slides
Oblivious Computation in Public Cloud for Privacy-aware Access Control Policies and Data Search

Oblivious Computation in Public Cloud for Privacy-aware Access Control Policies and Data Search

Oblivious Computation in Public Cloud for Privacy-aware Access Control Policies and Data Search Ph.D. Dissertation Defense Zeeshan Pervez Department of Computer Engineering Kyung Hee University, Global Campus, Korea email:

650 views • 24 slides
W3C Workshop on Access Control Application Scenarios November 17 th 2009 Luxembourg Outlines

W3C Workshop on Access Control Application Scenarios November 17 th 2009 Luxembourg Outlines

Laurent Bussard and Moritz Y. Becker Microsoft (EMIC and MSRC) W3C Workshop on Access Control Application Scenarios November 17 th 2009 Luxembourg Outlines Scenario: Privacy Policies and Preferences Links with Access Control Our

636 views • 17 slides
Visualizing Privacy Implications of Access Control Policies in Social Networks Mohd Anwar ,

Visualizing Privacy Implications of Access Control Policies in Social Networks Mohd Anwar ,

Visualizing Privacy Implications of Access Control Policies in Social Networks Mohd Anwar , Philip W. L. Fong , Xue-Dong Yang , Howard Hamilton University of Calgary, Alberta, Canada University of Regina, Saskatchewan,

341 views • 31 slides
SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry & Access Control ACCESS CONTROL ACCESS CONTROL Allowing residents / staff access to site areas Main entrance Vehicle entrances Pedestrian entrances Gate / Barrier entrance Bin / Bike / Refuge

336 views • 14 slides
iLayer: Toward an Application Access Control Framework for Content Management Systems Gorrell

iLayer: Toward an Application Access Control Framework for Content Management Systems Gorrell

University of North Carolina at Charlotte iLayer: Toward an Application Access Control Framework for Content Management Systems Gorrell Cheek, Mohamed Shehab, Truong Ung, Ebonie Williams The Laboratory of Information Integration, Security and

911 views • 24 slides
= no shared accounts In open systems it should rely on authenticity of the information, in

= no shared accounts In open systems it should rely on authenticity of the information, in

Access Control Pierangela Samarati Dipartimento di Tecnologie dellInformazione Universit` a degli Studi di Milano e mail: samarati@dti.unimi.it FOSAD 2008 1 Privacy and Data Protection Pierangela Samarati c Access control It

1.41k views • 77 slides
Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs Access Control Administration Accountability Chapter 2 Access Control Models Identification and Authentication Methods Lecturer:

708 views • 9 slides
Government and Big Data: Privacy Risks and Solutions Ontarios Access and Privacy Laws The

Government and Big Data: Privacy Risks and Solutions Ontarios Access and Privacy Laws The

Brian Beamish Information and Privacy Commissioner of Ontario January 26, 2017 Government and Big Data: Privacy Risks and Solutions Ontarios Access and Privacy Laws The Freedom of Information and Protection of Privacy Act (FIPPA) o

356 views • 17 slides
Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control Introduction to Computer Security Access control, contd Announcements intermission Stephen McCamant Capability-based access control University

380 views • 7 slides
Pediatric Situational Assessment INADEQUATE ACCESS TO COMMUNITY REGISTERED DIETITIAN SERVICES

Pediatric Situational Assessment INADEQUATE ACCESS TO COMMUNITY REGISTERED DIETITIAN SERVICES

Pediatric Situational Assessment INADEQUATE ACCESS TO COMMUNITY REGISTERED DIETITIAN SERVICES FOR A HIGH-RISK, VULNERABLE PATIENT POPULATION Susan Bird BScFN, MScFN (c) Brescia University College Pediatric Situational Assessment

319 views • 16 slides
Data Anonymization Introduction Li Xiong CS573 Data Privacy and Security Outline

Data Anonymization Introduction Li Xiong CS573 Data Privacy and Security Outline

Data Anonymization Introduction Li Xiong CS573 Data Privacy and Security Outline Problem definition Principles Disclosure Control Methods Inference Control Access control: protecting information and information systems from

703 views • 52 slides
D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient access control and authentication checks Insecure access control methods Private, internal functions and data are accessible through a

547 views • 11 slides
Computer Security 3e Dieter Gollmann Chapter 6: 1 Security.di.unimi.it/sicurezza1516/ Chapter

Computer Security 3e Dieter Gollmann Chapter 6: 1 Security.di.unimi.it/sicurezza1516/ Chapter

Computer Security 3e Dieter Gollmann Chapter 6: 1 Security.di.unimi.it/sicurezza1516/ Chapter 6: Reference Monitors Chapter 6: 2 Agenda Reference monitor, security kernel, and TCB Placing the reference monitor Status information

533 views • 37 slides
access control 1 last time (1) network fjlesystem caching open-to-close consistency

access control 1 last time (1) network fjlesystem caching open-to-close consistency

access control 1 last time (1) network fjlesystem caching open-to-close consistency compromise: consistent for typical use check on open write on close callbacks for caching server notifjes interested clients disconnected operation

785 views • 49 slides
Fine-grained Data Access Control Systems with User Accountability in Cloud Computing Jin Li 1 ,

Fine-grained Data Access Control Systems with User Accountability in Cloud Computing Jin Li 1 ,

Fine-grained Data Access Control Systems with User Accountability in Cloud Computing Jin Li 1 , Gansen Zhao 2 , and Xiaofeng Chen 3 Chunming Rong 4 , Yong Tang 2 1 Guangzhou University, China South China Normal University 2 3 Xidian University

784 views • 21 slides
A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and

A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and

A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and V. Sassone MyThS Meeting, Venice, June, 14th, 2004 A Distributed Calculus for Role-Based Access Control p.1/18 RBAC Why: Role-Based Access

613 views • 36 slides
PeopleSoft Security Reports November 2011 1 1 Learning Objectives Discuss the main

PeopleSoft Security Reports November 2011 1 1 Learning Objectives Discuss the main

PeopleSoft Security Reports November 2011 1 1 Learning Objectives Discuss the main objectives of the security review Explain the purpose of the PeopleSoft Security reports Demonstrate ways to manage the information in the reports

491 views • 35 slides
Why We Should Take a Second What do we learn from Look at Access Control in Unix this?

Why We Should Take a Second What do we learn from Look at Access Control in Unix this?

Introduction A model for Unix Why We Should Take a Second What do we learn from Look at Access Control in Unix this? Concluding remarks Jason Crampton Information Security Group Royal Holloway, University of London NordSec 2008

590 views • 27 slides
Time-Storage Trade-Offs for Cryptographically-Enforced Access Control Jason Crampton Information

Time-Storage Trade-Offs for Cryptographically-Enforced Access Control Jason Crampton Information

Time-Storage Trade-Offs for Cryptographically-Enforced Access Control Jason Crampton Information Security Group Royal Holloway, University of London ESORICS 2011 Traditional Access Control ? SECRET Time-Storage

707 views • 45 slides
CS-527 Software Security Basic Security Principles Asst. Prof. Mathias Payer Department of

CS-527 Software Security Basic Security Principles Asst. Prof. Mathias Payer Department of

CS-527 Software Security Basic Security Principles Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Security goals Table of Contents

794 views • 26 slides

More recommend