Big data. Session 10, stream 1 Coordinators: Rattan Datta & R.K. Shyamasundar Chairman: Erich Neuhold

Size: px

Start display at page:

Download "Big data. Session 10, stream 1 Coordinators: Rattan Datta & R.K. Shyamasundar Chairman: Erich Neuhold"

Carol Anthony
7 years ago
Views:

1 The 22nd IFIP World Computer Congress September 2012 Amsterdam the Netherlands Towards an innovative, secure and sustainable information society Big data Session 10, stream 1 Coordinators: Rattan Datta & R.K. Shyamasundar Chairman: Erich Neuhold

2 The 22nd IFIP World Computer Congress September 2012 Amsterdam the Netherlands Towards an innovative, secure and sustainable information society Dr. Anupam Datta Cylab, Carnegie Mellon University, USA

3 Privacy, Audit and Accountability Anupam Datta Carnegie Mellon University Big Data Session WCC 2012

4 Repositories of Personal Information

5 The Privacy Problem How can we ensure that organizations respect privacy expectations in the collection, disclosure and use of personal information?

6 Questions for the Session Does big data' necessarily mean 'small' privacy? How can 'big data' improve the quality of life?

7 Privacy Laws and Promises EU Privacy Directive HIPAA (Healthcare), GLBA (Financial), FERPA (Education) in US,

8 Healthcare Privacy Privacy Policy Hospital Auditor Patient informatio n Patient informatio n Patient information Patient Physician Nurse Drug Company 8

9 A Research Area Formalize Privacy Policies Precise semantics of privacy concepts Enforce Privacy Policies Audit Detect violations of policy Accountability Identify agents to blame for policy violations Punish to deter policy violations (resource allocation)

10 Formalizing and Enforcing Purpose Restrictions Joint work with Michael Tschantz and Jeannette Wing Carnegie Mellon University 2012 IEEE Symposium on Security and Privacy

11 Purpose in Privacy Policies Yahoo!'s practice is not to use the content of messages [ ] for marketing purposes. By providing your personal information, you give [Social Security Administration] consent to use the information only for the purpose for which it was collected.

12 Purpose Restrictions in Privacy Policies Not for Yahoo!'s practice is not to use the content of messages [ ] for marketing purposes. Only for By providing your personal information, you give [Social Security Administration] consent to use the information only for the purpose for which it was collected.

13 Purpose Restrictions are Ubiquitous OECD s Privacy Guidelines US Privacy Laws HIPAA, GLBA, FERPA, COPPA, EU Privacy Directive Enterprise Privacy Policies Google, Facebook, Yahoo, Hospitals, banks, educational institutions, govt

14 Goal Give a semantics to Not for purpose restrictions Only for purpose restrictions that is parametric in the purpose Provide automated enforcement of purpose restrictions for that semantics

15 Auditing Purpose restriction Auditee s behavior Environme nt Model Obeyed Inconclusiv e Violated

16 Motivating Example

17 Add x-ray X-ray taken Send record No diagnosis by specialist Medical Record X-ray added Med records used only for diagnosis Send record Diagnosis by specialist

18 Label Actions with Purposes Attempt 1: An action is for a purpose, if it labeled as such Problem 1: Begs the question Problem 2: One action can have different purposes depending upon context

19 Add x-ray X-ray taken Send record No diagnosis by specialist Not for diagnosis X-ray added For diagnosis For diagnosis Send record Add x-ray: diagnosis Send record: diagnosis Diagnosis by specialist

20 States Matter The purpose of an action may depend upon the state from which the agent takes that action Formalization of purpose must include states

21 Add x-ray X-ray taken Send record No diagnosis by specialist Not sufficient Necessary and sufficient X-ray added Send record Diagnosis by specialist

22 Necessary and Sufficient Attempt 2: an action is for a purpose if it is necessary and sufficient as a part of a chain of actions for achieving that purpose

23 Add x-ray X-ray taken Send record No diagnosis by specialist Diagnosis by MRI X-ray added Refer patient Send record Diagnosis by specialist

24 Non-redundancy Given a sequence of actions that reaches a goal state, an action in that sequence is non-redundant if removing that action from the sequence results in the goal no longer being reached Adapted counterfactual definition of causality Attempt 3: an action is for a purpose if it is part of a sufficient and non-redundant chain of actions for achieving that purpose

25 Add x-ray X-ray taken Send record No diagnosis by specialist X-ray added Send record Diagnosis by specialist

26 Add x-ray X-ray taken Send record Choice point No diagnosis by specialist Specialist Best choice fails X-ray added Send record 1/4 3/4 Diagnosis by specialist

27 Add x-ray X-ray taken Send record No diagnosis by specialist X-ray added Send record 1/4 3/4 Diagnosis by specialist

28 Planning Hypothesis: An action is for a purpose iff that action is part of a plan for furthering the purpose i.e., always makes the best choice for furthering the purpose

29 Auditing algorithm

30 Add x-ray X-ray taken No reward X-ray added No reward Send record Markov Decision Processes: States, actions, transitions, rewards Send record 1/4 3/4 No diagnosis by specialist No reward Diagnosis by specialist Reward!

31 Auditing Purpose restriction Auditee s behavior Environme nt model Obeyed Inconclusiv e Violated

32 Record only for diagnosis [, send record] Violated

33 Record only for treatment Policy implications Violated No [, send record] Actions optimal? MDP Solve r Optimal actions for each state

34 No False Positives Theorem (Soundness): If the algorithm returns violation, then the actions recorded in the log are not only for the purpose

35 Quality of Life Improvement + Privacy Protection Learn MDPs from large audit logs E.g., using reinforcement learning techniques Compute optimal plans in MDP Improve healthcare outcomes Improve privacy protection

36 Summary: Research Area Formalize Privacy Policies Precise semantics of privacy concepts Enforce Privacy Policies Audit Detect violations of policy Accountability Identify agents to blame for policy violations Punish to deter policy violations (resource allocation)

37 Thanks!

38 Publications (1) 1. J. Blocki, N. Christin, A. Datta, A. Sinha, Audit Mechanisms for Provable Risk Management and Accountable Data Governance, in Proceedings of 3rd Conference on Decision and Game Theory for Security, November M. C. Tschantz, A. Datta, J. M. Wing, Formalizing and Enforcing Purpose Restrictions in Privacy Policies, in Proceedings of 33rd IEEE Symposium on Security and Privacy, May A. Datta, J. Blocki, N. Christin, H. DeYoung, D. Garg, L. Jia, D. Kaynar, A. Sinha, Understanding and Protecting Privacy: Formal Semantics and Principled Audit Mechanisms, 7th International Conference on Information Systems Security, December D. Garg, L. Jia, A. Datta, Policy Auditing over Incomplete Logs: Theory, Implementation and Applications, in Proceedings of 18th ACM Conference on Computer and Communications Security, October 2011

39 Publications (2) 5. J. Blocki, N. Christin, A. Datta, A. Sinha, Regret Minimizing Audits: A Learning-Theoretic Basis for Privacy Protection, in Proceedings of 24th IEEE Computer Security Foundations Symposium, June M. C. Tschantz, D. Kaynar, A. Datta, Formal Verification of Differential Privacy for Interactive Systems, Extended abstract in Proceedings of the 27th Annual Conference on Mathematical Foundations of Programming Semantics, May H. DeYoung, D. Garg, L. Jia, D. Kaynar, A. Datta, Experiences in the Logical Specification of the HIPAA and GLBA Privacy Laws, in Proceedings of 9th ACM Workshop on Privacy in the Electronic Society, October 2010

Privacy through Accountability: A Computer Science Perspective

Privacy through Accountability: A Computer Science Perspective Anupam Datta Associate Professor Computer Science, ECE, CyLab Carnegie Mellon University February 2014 Personal Information is Everywhere