SCH 163 - Lecture 3

SUSTAINABILITY, SOCIAL, LEGAL AND ETHICS ISSUES IN COMPUTING

Lecture 3: Protecting Privacy

Sherif H. El-Gohary, PhD
SCH 163 - Fall 2024. Based on slides prepared by Cyndi Chie, Sarah Frye and Sharon Gray. Fifth edition updated by Timothy Henry.
Outline — Introduction to Privacy in Computing
1) Introduction (def., dimensions, basic principles, …)
2) Recognition of the need for privacy
3) Threats to privacy
4) Privacy Controls
4.1) Technical privacy controls - Privacy-Enhancing Technologies (PETs)
4.2) Legal privacy controls
5) Selected Advanced Topics in Privacy
5.1) Privacy in pervasive computing
5.2) Using trust paradigm for privacy protection
5.3) Privacy metrics
5.4) Trading privacy for trust
Our Responsibility
1. Fair information principles
2. Inform people when you collect information.
3. Collect only the data needed.
4. Offer a way for people to opt out.
5. Keep data only as long as needed.
6. Maintain accuracy of data.
7. Protect security of data.
8. Develop policies for responding to law enforcement requests for data.
Protecting Privacy
Technology and Markets:
1. Privacy-enhancing technologies for consumers
2. Encryption
a. Public-key cryptography
3. Business tools and policies for protecting data
4. Privacy Controls
1) Technical privacy controls - Privacy-Enhancing Technologies (PETs)
a) Protecting user identities
b) Protecting usee identities (the "usees" being the persons the data is about)
c) Protecting confidentiality & integrity of personal data
2) Legal privacy controls

Technical Privacy Controls
Technical controls - Privacy-Enhancing Technologies (PETs) [cf. Simone Fischer-Hübner]
Protecting user identities via, e.g.:
a. Anonymity - a user may use a resource or service without disclosing his/her identity
b. Pseudonymity - a user acting under a pseudonym may use a resource or service without disclosing his/her identity
c. Unobservability - a user may use a resource or service without others being able to observe that the resource or service is being used
d. Unlinkability - sender and recipient cannot be identified as communicating with each other
Technical Privacy Controls
a. The risk of reidentification (a threat to anonymity) [cf. Simone Fischer-Hübner]
i. Types of data in statistical records:
1. Identity data - e.g., name, address, personal number
2. Demographic data - e.g., sex, age, nationality
3. Analysis data - e.g., diseases, habits
ii. The degree of anonymity of statistical data depends on:
1. Database size
2. The entropy of the demographic data attributes that can serve as supplementary knowledge for an attacker
Legal Privacy Controls
a) Legal World Views on Privacy [A.M. Green, Yale, 2004]
United States: “Privacy is the right to be left alone” - Justice Louis Brandeis
UK: “the right of an individual to be protected against intrusion into his personal life or affairs by direct physical means or by publication of information”
Australia: “Privacy is a basic human right and the reasonable expectation of every person”
b) International Privacy Laws [cf. A.M. Green, Yale, 2004]
Two types of privacy laws in various countries:
1) Comprehensive Laws
a. Def: General laws that govern the collection, use and dissemination of personal information by public & private sectors
b. Require commissioners or an independent enforcement body
c. Difficulty: lack of resources for oversight and enforcement; agencies under government control
d. Examples: European Union, Australia, Canada and the UK
2) Sectoral Laws
a. Idea: Avoid general laws, focus on specific sectors instead
b. Advantage: enforcement through a range of mechanisms
c. Disadvantage: each new technology requires new legislation
Sectoral Laws - United States [cf. A.M. Green, Yale, 2004]
1. No explicit right to privacy in the constitution
2. Limited constitutional right to privacy implied in a number of provisions in the Bill of Rights
3. A patchwork of federal laws for specific categories of personal information
a. E.g., financial reports, credit reports, video rentals, etc.
4. No legal protections are in place, e.g., for individuals’ privacy on the internet (as of Oct. 2003)
5. White House and private sector believe that self-regulation is enough and that no new laws are needed (exception: medical records)
6. Leads to conflicts with other countries’ privacy policies
Sectoral Laws - United States
American laws related to privacy include:
a. 1974 — US Privacy Act
i. Protects privacy of data collected by the executive branch of the federal government
b. 1984 — US Computer Fraud and Abuse Act
i. Penalties: max{100K, stolen value} and/or 1 to 20 yrs
c. 1986 — US Electronic Communications Privacy Act
i. Protects against wiretapping
ii. Exceptions: court order, ISPs
d. 1996 — US Economic Espionage Act
e. 1996 — HIPAA
i. Privacy of individuals’ medical records
f. 1999 — Gramm-Leach-Bliley Act
i. Privacy of data for customers of financial institutions
g. 2001 — USA Patriot Act
h. — US Electronic Funds Transfer Act
i. — US Freedom of Information Act
Observations and Conclusions [cf. A.M. Green, Yale, 2004]
1. Observation 1: At present too many mechanisms seem to operate on a national or regional, rather than global, level
a. E.g., by OECD
2. Observation 2: Use of self-regulatory mechanisms for the protection of online activities seems somewhat haphazard and is concentrated in a few member countries
3. Observation 3: Technological solutions to protect privacy are implemented to a limited extent only
4. Observation 4: Not enough is being done to encourage the implementation of technical solutions for privacy compliance and enforcement
a. Only a few member countries reported much activity in this area
Protecting Privacy
“Most people have figured out by now you can’t do anything on the Web without leaving a record”
- Holman W. Jenkins, Jr., 2000
Enhancing Privacy for Consumers
Many technologies developed over time:
● Cookie disablers
● Web browsers add alerts about cookies
● Software to block pop-up ads
● Security software that scans PCs and detects spyware
● Anonymizers
● Permission requirements to access some websites / blogs
● Self-destructing emails
Encryption
● “Cryptography is the art and science of hiding data in plain sight”
● Used to protect data in transit and also stored information
● Includes a cryptographic algorithm and keys. A very simple one: a scrambled alphabet
● Usually, the longer the key, the more difficult it is to break the cipher
● Government ban on export of strong encryption software in the 1990s (removed in 2000)
Public-Key Encryption (PKE)
● Keys are secret information that is critical to the security/success of the scheme. They can be numbers, strings, etc.
● In PKE, keys come in a pair:
○ one is made public to the world, called the public key
○ one is kept only to oneself, called the private key
● To provide “confidentiality”, i.e., only B can see the content of a received message:
○ A sender encrypts with B’s public key and sends it
○ B decrypts with B’s private key
Public Key Encryption (2)
● To provide “authentication”, we say entity A signs a document:
○ To do so, A encrypts with A’s private key and sends it
○ The receiver decrypts with A’s public key to verify
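To make the two directions of public-key use concrete, here is an added Python example (it is not code from the lecture or its authors). It builds a textbook RSA key pair from the small primes p = 61 and q = 53, which the slides do not name and which is an assumption of this example, then uses it first for confidentiality (encrypt with B's public key, decrypt with B's private key) and then for authentication (A "encrypts" a message digest with A's private key, anyone verifies with A's public key). The function names keygen, encrypt, decrypt, sign and verify are this example's own. Deployed systems use moduli of 2048 bits or more together with padding schemes (OAEP for encryption, PSS for signatures); those are left out here so the arithmetic stays visible.

```python
# Toy textbook RSA illustrating the two public-key directions in the slides.
# Small primes (assumption of this example) keep the numbers readable; the
# modulus is far too small for real use and no padding is applied.
import hashlib
from math import gcd


def keygen(p, q, e=17):
    """Return (public_key, private_key) as (e, n) and (d, n). p and q are assumed prime."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent e must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(message_int, public_key):
    """Confidentiality: the sender encrypts with the recipient's public key."""
    e, n = public_key
    if not 0 <= message_int < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(message_int, e, n)


def decrypt(ciphertext_int, private_key):
    """Only the holder of the matching private key can recover the message."""
    d, n = private_key
    return pow(ciphertext_int, d, n)


def _digest_mod_n(message_bytes, n):
    # Sign a hash of the message rather than the message itself. The toy modulus
    # is much smaller than a SHA-256 digest, so the digest is reduced mod n
    # (demonstration only; real schemes encode the hash with padding instead).
    return int.from_bytes(hashlib.sha256(message_bytes).digest(), "big") % n


def sign(message_bytes, private_key):
    """Authentication: A 'encrypts' the digest with A's private key."""
    d, n = private_key
    return pow(_digest_mod_n(message_bytes, n), d, n)


def verify(message_bytes, signature_int, public_key):
    """Anyone 'decrypts' the signature with A's public key and compares digests."""
    e, n = public_key
    return pow(signature_int, e, n) == _digest_mod_n(message_bytes, n)


if __name__ == "__main__":
    b_public, b_private = keygen(61, 53)          # B's pair (assumed primes)
    c = encrypt(65, b_public)                     # sender uses B's public key
    print("ciphertext:", c, "decrypted:", decrypt(c, b_private))

    a_public, a_private = keygen(61, 53)          # A's pair (same toy primes)
    msg = b"transfer 100 to B"
    s = sign(msg, a_private)                      # A uses A's private key
    print("valid:", verify(msg, s, a_public))     # True
    print("altered message valid:", verify(b"transfer 900 to B", s, a_public))
```

The same key pair serves both purposes in the demo only because the primes are fixed; in practice separate key pairs are used for encryption and signing, and the signed object is a padded hash, not the raw message.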
5. Selected Advanced Topics in Privacy
[cf. A.M. Green, Yale, 2004]
Outline
5.1) Privacy in pervasive computing
5.2) Using trust paradigm for privacy protection
5.3) Privacy metrics
5.4) Trading privacy for trust
Privacy in Pervasive Computing
1. In pervasive computing environments, socially-based paradigms (incl. trust) will play a big role
2. People surrounded by zillions of computing devices of all kinds, sizes, and aptitudes [“Sensor Nation: Special Report,” IEEE Spectrum, vol. 41, no. 7, 2004]
a. Most with limited / rudimentary capabilities
i. Quite small, e.g., RFID tags, smart dust
b. Most embedded in artifacts for everyday use, or even human bodies
i. Both beneficial and detrimental (even apocalyptic) consequences are possible
3. Danger of malevolent opportunistic sensor networks — pervasive devices self-organizing into huge spy networks
a. Able to spy anywhere, anytime, on everybody and everything
b. Need means of detection & neutralization
i. To tell which and how many snoops are active, what data they collect, and who they work for
1. An advertiser? A nosy neighbor? Big Brother?
ii. Questions such as “Can I trust my refrigerator?” will not be jokes
1. The refrigerator snitching on its owner’s dietary misbehavior to her doctor
Privacy in Pervasive Computing
1. Will pervasive computing destroy privacy (as we know it)?
a. Will a cyberfly end privacy?
i. With high-resolution camera eyes and supersensitive microphone ears
b. If a cyberfly is too clever to drown in the soup, we’ll build cyberspiders
c. But then opponents’ cyberbirds might eat those up
d. So, we’ll build a cybercat
e. And so on and so forth …
2. Radically changed reality demands new approaches to privacy
a. Maybe we need a new privacy category—namely, artifact privacy?
b. Our belief: Socially based paradigms (such as trust-based approaches) will play a big role in pervasive computing
i. Solutions will vary (as in social settings)
1. Heavyweight solutions for entities of high intelligence and capabilities (such as humans and intelligent systems) interacting in complex and important matters
2. Lightweight solutions for less intelligent and capable entities interacting in simpler matters of lesser consequence
Using Trust for Privacy Protection
1. Privacy = entity’s ability to control the availability and exposure of information about itself
a. We extended the subject of privacy from a person in the original definition [“Internet Security Glossary,” The Internet Society, Aug. 2004] to an entity—including an organization or software
i. Controversial but stimulating
ii. Important in pervasive computing
2. Privacy and trust are closely related
a. Trust is a socially-based paradigm
b. Privacy-trust tradeoff: An entity can trade privacy for a corresponding gain in its partners’ trust in it
c. The scope of an entity’s privacy disclosure should be proportional to the benefits expected from the interaction
i. As in social interactions
ii. E.g.: a customer applying for a mortgage must reveal much more personal data than someone buying a book
Using Trust for Privacy Protection
1. Optimize the degree of privacy traded to gain trust
a. Disclose the minimum needed for gaining the partner’s necessary trust level
2. To optimize, we need privacy & trust measures. Once measures are available:
a. Automate evaluations of the privacy loss and trust gain
b. Quantify the trade-off
c. Optimize it
3. Privacy-for-trust trading requires privacy guarantees for further dissemination of private info
a. The disclosing party needs satisfactory limitations on further dissemination (or the lack thereof) of traded private information
b. E.g., needs the partner’s solid privacy policies
i. The merely perceived danger of a partner’s privacy violation can make the disclosing party reluctant to enter into a partnership
1. E.g., a user who learns that an ISP has carelessly revealed any customer’s email will look for another ISP
Using Trust for Privacy Protection
Conclusions on Privacy and Trust
a. Without privacy guarantees, there can be no trust and trusted interactions
i. People will avoid trust-building negotiations if their privacy is threatened by the negotiations
ii. Without trust-building negotiations no trust can be established
iii. Without trust, there are no trusted interactions
b. Without privacy guarantees, lack of trust will cripple the promise of pervasive computing
i. Because people will avoid untrusted interactions with privacy-invading pervasive devices / systems
1. E.g., due to the fear of opportunistic sensor networks self-organized by the electronic devices around us, which can harm people in their midst
c. Privacy must be guaranteed for trust-building negotiations


Privacy Metrics
Outline
1. Problem and Challenges
2. Requirements for Privacy Metrics
3. Related Work
4. Proposed Metrics
A. Anonymity set size metrics
B. Entropy-based metrics
a) Problem and Challenges
1. Problem
a. How to determine that a certain degree of data privacy is provided?
2. Challenges
a. Different privacy-preserving techniques or systems claim different degrees of data privacy
b. Metrics are usually ad hoc and customized
i. Customized for a user model
ii. Customized for a specific technique/system
c. Need to develop uniform privacy metrics
i. To confidently compare different techniques/systems
b) Requirements for Privacy Metrics
Privacy metrics should account for:
1. Dynamics of legitimate users
a. How do users interact with the system?
b. E.g., repeated patterns of accessing the same data can leak information to a violator
2. Dynamics of violators
a. How much information does a violator gain by watching the system for a period of time?
3. Associated costs
a. Storage, injected traffic, consumed CPU cycles, delay
d) Proposed Metrics
A. Anonymity set size metrics
B. Entropy-based metrics
A. Anonymity Set Size Metrics
The larger the set of indistinguishable entities, the lower the probability of identifying any one of them.
Can be used to “anonymize” a selected private attribute value within the domain of all its possible values.
[Figure: “Hiding in a crowd”; “Less” anonymous (probability 1/4) vs. “More” anonymous (probability 1/n)]
Privacy Metrics
Anonymity Set
Anonymity set A
A = {(s_1, p_1), (s_2, p_2), …, (s_n, p_n)}
s_i: subject i who might access private data, or: the i-th possible value for a private data attribute
p_i: probability that s_i accessed private data, or: the probability that the attribute assumes the i-th possible value
Effective Anonymity Set Size
1. Effective anonymity set size is
$L = \sum_{i=1}^{|A|} \min(p_i, 1/|A|)$
a. Maximum value of L is |A| iff all p_i's are equal to 1/|A|
b. L is below the maximum when the distribution is skewed, i.e., when the p_i's have different values
2. Deficiency:
L does not consider the violator's learning behavior
B. Entropy-based Metrics
1. Entropy measures the randomness, or uncertainty, in
private data
2. When a violator gains more information, entropy
decreases
3. Metric: Compare the current entropy value with its
maximum value
The difference shows how much information has been
leaked
Dynamics of Entropy
1. Decrease of system entropy with attribute disclosures (capturing dynamics)
[Figure: entropy level, starting at the maximum H*, plotted against the disclosed attributes (from none to all attributes); points marked (a), (b), (c), (d)]
a. When entropy reaches a threshold (b), data evaporation can be invoked to increase entropy by controlled data distortions
b. When entropy drops to a very low level (c), apoptosis can be triggered to destroy private data
c. Entropy increases (d) if the set of attributes grows or the disclosed attributes become less valuable – e.g., obsolete or more data now available
Quantifying Privacy Loss
1. Privacy loss D(A,t) at time t, when a subset of attribute values A might have been disclosed:
$D(A,t) = H^{*}(A) - H(A,t)$
a. H*(A) – the maximum entropy
i. Computed when the probability distribution of the p_i's is uniform
b. H(A,t) is the entropy at time t
$H(A,t) = \sum_{j=1}^{|A|} w_j \left( -\sum_{i} p_i \log_2 p_i \right)$
Using Entropy in Data Dissemination
1. Specify two thresholds for D
a. For triggering evaporation
b. For triggering apoptosis
2. When private data is exchanged
a. Entropy is recomputed and compared to the thresholds
b. Evaporation or apoptosis may be invoked to enforce privacy
Entropy: Example
1. Consider a private phone number: (a_1 a_2 a_3) a_4 a_5 a_6 – a_7 a_8 a_9 a_10
2. Each digit is stored as a value of a separate attribute
3. Assume:
a. Range of values for each attribute is [0–9]
b. All attributes are equally important, i.e., w_j = 1
4. The maximum entropy – when the violator has no information about the value of each attribute:
a. The violator assigns a uniform probability distribution to the values of each attribute
i. e.g., a_1 = i with probability 0.10 for each i in [0–9]
$H^{*}(A) = \sum_{j=1}^{10} w_j \left( -\sum_{i=0}^{9} 0.1 \log_2 0.1 \right) = 33.3$
Entropy: Example – cont.
1. Suppose that after time t, the violator can figure out the state of the phone number, which may allow him to learn the three leftmost digits
2. Entropy at time t is given by:
$H(A,t) = 0 + \sum_{j=4}^{10} w_j \left( -\sum_{i=0}^{9} 0.1 \log_2 0.1 \right) = 23.3$
a. Attributes a_1, a_2, a_3 contribute 0 to the entropy value because the violator knows their correct values
3. Information loss at time t is:
$D(A,t) = H^{*}(A) - H(A,t) = 10.0$
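An added Python example (not the lecture's own code) that carries the phone-number calculation through and attaches the two thresholds from "Using Entropy in Data Dissemination": it computes $H^{*}(A)$, $H(A,t)$ after the three leftmost digits are learned, and $D(A,t)$, then decides between no action, evaporation and apoptosis. The threshold values (8 and 20 bits), the phone_state belief model and the evaporate step (modelled simply as resetting one disclosed attribute's distribution to uniform) are assumptions of this example. Computed with exact logarithms the values are 10·log2(10) ≈ 33.22, 7·log2(10) ≈ 23.25 and 3·log2(10) ≈ 9.97; the slides round these to 33.3, 23.3 and 10.0.

```python
# Entropy-based privacy loss for the slides' phone-number example, with the
# evaporation / apoptosis threshold policy. Thresholds, the belief model and
# the evaporation step are assumptions of this example, not the lecture's.
import math

DOMAIN_SIZE = 10  # each phone-number digit is an attribute with values 0..9


def attribute_entropy(probabilities):
    """-sum_i p_i log2 p_i for one attribute (0 log 0 is taken as 0)."""
    return -sum(p * math.log2(p) for p in probabilities if p > 0)


def total_entropy(attribute_distributions, weights=None):
    """H(A,t) = sum_j w_j * (-sum_i p_i log2 p_i)."""
    if weights is None:
        weights = [1.0] * len(attribute_distributions)
    return sum(w * attribute_entropy(d) for w, d in zip(weights, attribute_distributions))


def max_entropy(num_attributes, domain_size=DOMAIN_SIZE, weights=None):
    """H*(A): the violator knows nothing, so every attribute is uniform."""
    uniform = [1.0 / domain_size] * domain_size
    return total_entropy([uniform] * num_attributes, weights)


def privacy_loss(num_attributes, attribute_distributions, weights=None):
    """D(A,t) = H*(A) - H(A,t)."""
    return max_entropy(num_attributes, weights=weights) - total_entropy(attribute_distributions, weights)


def phone_state(known_prefix_digits, num_attributes=10, domain_size=DOMAIN_SIZE):
    """Constructed violator belief (assumption): the first k digits are known
    with certainty, the remaining digits are uniform over 0..9. The actual
    digit values do not affect entropy, so known digits are placed on value 0."""
    known = [1.0] + [0.0] * (domain_size - 1)
    uniform = [1.0 / domain_size] * domain_size
    return [known if j < known_prefix_digits else uniform for j in range(num_attributes)]


def decide_action(loss, evaporation_threshold, apoptosis_threshold):
    """Threshold policy from the slides: evaporate (distort) before destroying."""
    if loss >= apoptosis_threshold:
        return "apoptosis"
    if loss >= evaporation_threshold:
        return "evaporation"
    return "none"


def evaporate(attribute_distributions, attribute_index, domain_size=DOMAIN_SIZE):
    """Simplified data-evaporation step (assumption): the data holder distorts
    the stored value of one disclosed attribute so the violator's knowledge of
    it is no longer reliable; modelled as resetting that attribute to uniform."""
    updated = [list(d) for d in attribute_distributions]
    updated[attribute_index] = [1.0 / domain_size] * domain_size
    return updated


def run_example(evaporation_threshold=8.0, apoptosis_threshold=20.0):
    """Phone-number walk-through: three leftmost digits learned at time t."""
    state = phone_state(3)
    loss = privacy_loss(10, state)
    action = decide_action(loss, evaporation_threshold, apoptosis_threshold)
    loss_after = loss
    if action == "evaporation":
        state = evaporate(state, 0)  # distort the first disclosed digit
        loss_after = privacy_loss(10, state)
    return {
        "H_star": max_entropy(10),
        "H_t": total_entropy(phone_state(3)),
        "loss": loss,
        "action": action,
        "loss_after_evaporation": loss_after,
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```

With the assumed thresholds the loss of about 9.97 bits crosses the evaporation threshold but not the apoptosis one, so the holder distorts one disclosed digit and the loss falls to 2·log2(10) ≈ 6.64 bits; had the loss exceeded 20 bits, the policy would have destroyed the record instead.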
Selected Publications
1. “Private and Trusted Interactions,” by B. Bhargava and L. Lilien.
2. “On Security Study of Two Distance Vector Routing Protocols for Mobile Ad Hoc Networks,” by W. Wang, Y. Lu and B. Bhargava, Proc. of IEEE Intl. Conf. on Pervasive Computing and Communications (PerCom 2003), Dallas-Fort Worth, TX, March 2003. http://www.cs.purdue.edu/homes/wangwc/PerCom03wangwc.pdf
3. “Fraud Formalization and Detection,” by B. Bhargava, Y. Zhong and Y. Lu, Proc. of 5th Intl. Conf. on Data Warehousing and Knowledge Discovery (DaWaK 2003), Prague, Czech Republic, September 2003. http://www.cs.purdue.edu/homes/zhong/papers/fraud.pdf
4. “Trust, Privacy, and Security. Summary of a Workshop Breakout Session at the National Science Foundation Information and Data Management (IDM) Workshop held in Seattle, Washington, September 14 - 16, 2003” by B. Bhargava, C. Farkas, L. Lilien and F. Makedon, CERIAS Tech Report 2003-34, CERIAS, Purdue University, November 2003. http://www2.cs.washington.edu/nsf2003 or https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2003-34.pdf
5. “e-Notebook Middleware for Accountability and Reputation Based Trust in Distributed Data Sharing Communities,” by P. Ruth, D. Xu, B. Bhargava and F. Regnier, Proc. of the Second International Conference on Trust Management (iTrust 2004), Oxford, UK, March 2004. http://www.cs.purdue.edu/homes/dxu/pubs/iTrust04.pdf
6. “Position-Based Receiver-Contention Private Communication in Wireless Ad Hoc Networks,” by X. Wu and B. Bhargava, submitted to the Tenth Annual Intl. Conf. on Mobile Computing and Networking (MobiCom’04), Philadelphia, PA, September - October 2004. http://www.cs.purdue.edu/homes/wu/HTML/research.html/paper_purdue/mobi04.pdf
Introduction to Privacy in Computing
References
Ashley Michele Green, “International Privacy Laws. Sensitive Information in a Wired World,” CS 457 Report, Dept. of Computer Science, Yale Univ., October 30, 2003.
Simone Fischer-Hübner, "IT-Security and Privacy - Design and Use of Privacy-Enhancing Security Mechanisms", Springer Scientific Publishers, Lecture Notes in Computer Science, LNCS 1958, May 2001, ISBN 3-540-42142-4.
Simone Fischer-Hübner, “Privacy Enhancing Technologies, PhD course,” Sessions 1 and 2, Department of Computer Science, Karlstad University, Winter/Spring 2003, [available at: http://www.cs.kau.se/~simone/kau-phd-course.htm].
