sen-material: comparison handouts/ho07.tex

equal deleted inserted replaced

-:c913fe9bfd59
+:1d243ac51078
 of them. The person with the red flag was intended to warn the
 public, for example horse owners, about the impending
 novelty---a car. In my humble opinion, we are at the same
 stage of development with privacy. Nobody really knows what it
 is about or what it is good for. All seems very hazy. There
-are a few laws (cookie law, right-to-be-forgotten) which
+are a few laws (e.g.~cookie law, right-to-be-forgotten law)
-address problems with privacy, but even if they are well
+which address problems with privacy, but even if they are well
 intentioned, they either back-fire or are already obsolete
 because of newer technologies. The result is that the world of
 ``privacy'' looks a little bit like the old Wild West.
-For example, UCAS, a charity set up to help students to apply
+For example, UCAS, a charity set up to help students with
-to universities, has a commercial unit that happily sells your
+applying to universities, has a commercial unit that happily
-email addresses to anybody who forks out enough money in order
+sells your email addresses to anybody who forks out enough
-to be able to bombard you with spam. Yes, you can opt out very
+money in order to be able to bombard you with spam. Yes, you
-often in such ``schemes'', but in case of UCAS any opt-out
+can opt out very often in such ``schemes'', but in case of
-will limit also legit emails you might actually be interested
+UCAS any opt-out will limit also legit emails you might
-in.\footnote{The main objectionable point, in my opinion, is
+actually be interested in.\footnote{The main objectionable
-that the \emph{charity} everybody has to use for HE
+point, in my opinion, is that the \emph{charity} everybody has
-applications has actually very honourable goals (e.g.~assist
+to use for HE applications has actually very honourable goals
-applicants in gaining access to universities), but in their
+(e.g.~assist applicants in gaining access to universities),
-small print (or better under the link ``About us'') reveals
+but the small print (or better the link ``About
-they set up their organisation so that they can also
+us'') reveals they set up their organisation so that they can
-shamelessly sell email addresses they ``harvest''. Everything
+also shamelessly sell the email addresses they ``harvest''.
-is of course very legal\ldots{}moral?\ldots{}well that is in
+Everything is of course very legal\ldots{}moral?\ldots{}well
-the eye of the beholder. See:
+that is in the eye of the beholder. See:
 \url{http://www.ucas.com/about-us/inside-ucas/advertising-opportunities}
 or
 \url{http://www.theguardian.com/uk-news/2014/mar/12/ucas-sells-marketing-access-student-data-advertisers}}
 Another example: Verizon, an ISP who is supposed to provide
 you just with connectivity, has found a ``nice'' side-business
 too: When you have enabled all privacy guards in your browser
-(the few you have at your disposal) Verizon happily adds a
+(the few you have at your disposal), Verizon happily adds a
 kind of cookie to your
 HTTP-requests.\footnote{\url{http://webpolicy.org/2014/10/24/how-verizons-advertising-header-works/}}
 As shown in the picture below, this cookie will be sent to
 every web-site you visit. The web-sites then can forward the
 cookie to advertisers who in turn pay Verizon to tell them
 voting, exam marking and so on.
 \item \textbf{Privacy} is the ability or right to protect your
 personal secrets (secrecy for the benefit of an
 individual). For example, in a job interview, I might
-not like to disclose that I am pregnant, if I were
+not like to disclose that I am pregnant, if I were a
-a woman, or that I am a father. Similarly, I might not
+woman, or that I am a father. Lest they might not hire
-like to disclose my location data, because thieves might
+me. Similarly, I might not like to disclose my location
-break into my house if they know I am away at work.
+data, because thieves might break into my house if they
-Privacy is essentially everything which `shouldn't be
+know I am away at work. Privacy is essentially
-anybody's business'.
+everything which ``shouldn't be anybody's business''.
 \end{itemize}
 \noindent While this might provide us with some rough
 definitions, the problem with privacy is that it is an
 about my private life usually is used against me. As mentioned
 above, public location data might mean I get robbed. If
 supermarkets build a profile of my shopping habits, they will
 use it to \emph{their} advantage---surely not to \emph{my}
 advantage. Also whatever might be collected about my life will
-always be an incomplete, or even misleading, picture---for
+always be an incomplete, or even misleading, picture. For
-example I am sure my creditworthiness score was temporarily(?)
+example I am pretty sure my creditworthiness score was
-destroyed by not having a regular income in this country
+temporarily(?) destroyed by not having a regular income in
-(before coming to King's I worked in Munich for five years).
+this country (before coming to King's I worked in Munich for
-To correct such incomplete or flawed credit history data there
+five years). To correct such incomplete or flawed credit
-is, since recently, a law that allows you to check what
+history data there is, since recently, a law that allows you
-information is held about you for determining your
+to check what information is held about you for determining
-creditworthiness. But this concerns only a very small part of
+your creditworthiness. But this concerns only a very small
-the data that is held about me/you.
+part of the data that is held about me/you.
 To see how private matter can lead really to the wrong
 conclusions, take the example of Stephen Hawking: When he was
 diagnosed with his disease, he was given a life expectancy of
 two years. If employers would know about such problems, would
 they have employed Hawking? Now, he is enjoying his 70+
 birthday. Clearly personal medical data needs to stay private.
 A movie which has this topic as its main focus is Gattaca from
-1997.\footnote{\url{http://www.imdb.com/title/tt0119177/}}
+1997, in case you like to watch
+it.\footnote{\url{http://www.imdb.com/title/tt0119177/}}
 To cut a long story short, I let you ponder about the two
-statements that often voiced in discussions about privacy:
+statements that are often voiced in discussions about privacy:
 \begin{itemize}
-\item \textit{``You have zero privacy anyway. Get over it.''}\\
+\item \textit{``You have zero privacy anyway. Get over it.''}
 \mbox{}\hfill{}{\small{}by Scott Mcnealy (CEO of Sun)}
 \item \textit{``If you have nothing to hide, you have nothing
 to fear.''}
 \end{itemize}
 \end{center}
 \noindent Funnily, or maybe not so funnily, the author of this
 article carefully tries to construct an argument that does not
 only attack the nothing-to-hide statement in cases where
-governments \& Co collect people's deepest secrets, or
+governments \& co collect people's deepest secrets, or
 pictures of people's naked bodies, but an argument that
 applies also in cases where governments ``only'' collect data
 relevant to, say, preventing terrorism. The fun is of course
 that in 2011 we could just not imagine that respected
 governments would do such infantile things as intercepting
 \subsubsection*{Re-Identification Attacks}
 Apart from philosophical musings, there are fortunately also
 some real technical problems with privacy. The problem I want
 to focus on in this handout is how to safely disclose datasets
-containing very potentially private data, say health data. What can
+containing potentially very private data, say health records.
-go wrong with such disclosures can be illustrated with four
+What can go wrong with such disclosures can be illustrated
-well-known examples:
+with four well-known examples:
 \begin{itemize}
 \item In 2006, a then young company called Netflix offered a 1
 Mio \$ prize to anybody who could improve their movie
 rating algorithm. For this they disclosed a dataset
 containing 10\% of all Netflix users at the time
 (appr.~500K). They removed names, but included numerical
-ratings of movies as well as times of ratings. Though
+ratings of movies as well as times when ratings were
-some information was perturbed (i.e., slightly
+uploaded. Though some information was perturbed (i.e.,
-modified).
+slightly modified).
 Two researchers had a closer look at this anonymised
 data and compared it with public data available from the
 International Movie Database (IMDb). They found that
 98\% of the entries could be re-identified in the
 made public, the then governor assured the public that
 the released dataset protected patient privacy by
 deleting identifiers.
 A graduate student could not resist cross-referencing
-public voter data with the released data including birth
+public voter data with the released data that still
-dates, gender and ZIP-code. The result was that she
+included birth dates, gender and ZIP-code. The result
-could send the governor his own hospital record. It
+was that she could send the governor his own hospital
-turns out that birth dates, gender and ZIP-code uniquely
+record. It turns out that birth dates, gender and
-identify 87\% of people in the US. This work resulted
+ZIP-code uniquely identify 87\% of people in the US.
-in a number of laws prescribing which private data
+This work resulted in a number of laws prescribing which
-cannot be released in such datasets.
+private data cannot be released in such datasets.
 \item In 2006, AOL published 20 million Web search queries
 collected from 650,000 users (names had been deleted).
 This was again done for research purposes. However,
 within days an old lady, Thelma Arnold, from Lilburn,
 lives.
 \item Genome-Wide Association Studies (GWAS) was a public
 database of gene-frequency studies linked to diseases.
 It would essentially record that people who have a
-disease, say diabetes, have also these genes. In order
+disease, say diabetes, have also certain genes. In order
 to maintain privacy, the dataset would only include
-aggregate information. In case of DNA data this was
+aggregate information. In case of DNA data this
-achieved by mixing the DNA of many individuals (having
+aggregation was achieved by mixing the DNA of many
-a disease) into a single solution. Then this mixture
+individuals (having a disease) into a single solution.
-was sequenced and included in the dataset. The idea
+Then this mixture was sequenced and included in the
-was that the agregate information would still be helpful
+dataset. The idea was that the aggregate information
-to researchers, but would protect the DNA data of
+would still be helpful to researchers, but would protect
-individuals.
+the DNA data of individuals.
 In 2007 a forensic computer scientist showed that
-individuals can be still identified. For this he used
+individuals can still be identified. For this he used
 the DNA data from a comparison group (people from the
 general public) and ``subtracted'' this data from the
-published data. He was left with data that included
+published data. He was left with data that included all
-all ``special'' DNA-markers of the individuals
+``special'' DNA-markers of the individuals present in
-present in the original mixture. He essentially deleted
+the original mixture. He essentially deleted the
-the ``background noise''. Now the problem with
+``background noise'' in the published data. The
-DNA data is that it is of such a high resolution that
+problem with DNA data is that it is of such a high
-even if the mixture contained maybe 100 individuals,
+resolution that even if the mixture contained maybe 100
-you can now detect whether an individual was included
+individuals, you can now detect whether an individual
-in the mixture or not.
+was included in the mixture or not.
 This result changed completely how DNA data is nowadays
 published for research purposes. After the success of
 the human-genome project with a very open culture of
 exchanging data, it became much more difficult to
-anonymise datasuch that patient's privacy is preserved.
+anonymise data so that patient's privacy is preserved.
 The public GWAS database was taken offline in 2008.
 \end{itemize}
 \noindent There are many lessons that can be learned from
-these examples. One is that when making data public in
+these examples. One is that when making datasets public in
-anonymised form you want to achieve \emph{forward privacy}.
+anonymised form, you want to achieve \emph{forward privacy}.
-This means, no matter of what other data that is also available
+This means, no matter what other data that is also available
-or will be released later, the data does not compromise
+or will be released later, the data in the original dataset
-an individual's privacy. This principle was violated by the
+does not compromise an individual's privacy. This principle
-data in the Netflix and governor of Massachusetts cases. There
+was violated by the availability of ``outside data'' in the
-additional data allowed one to re-identify individuals in the
+Netflix and governor of Massachusetts cases. The additional
-dataset. In case of GWAS a new technique of re-identification
+data permitted a re-identification of individuals in the
-compromised the privacy of people on the list.
+dataset. In case of GWAS a new technique of re-identification
-The case of the AOL dataset shows clearly how incomplete such
+compromised the privacy of people in the dataset. The case of
-data can be: Although the queries uniquely identified the
+the AOL dataset shows clearly how incomplete such data can be:
-old lady, she also looked up diseases that her friends had,
+Although the queries uniquely identified the older lady, she
-which had nothing to do with her. Any rational analysis of her
+also looked up diseases that her friends had, which had
-query data must have concluded, the lady is on her deathbed,
+nothing to do with her. Any rational analysis of her query
-while she was actually very much alive and kicking.
+data must therefore have concluded, the lady is on her
+deathbed, while she was actually very much alive and kicking.
 \subsubsection*{Differential Privacy}
 Differential privacy is one of the few methods, that tries to
 achieve forward privacy with large datasets. The basic idea
 Database\\
 $x_1, \ldots, x_n$
 \end{tabular}
 \end{center}
+\ldots
 \subsubsection*{Further Reading}
 A readable article about how supermarkets mine your shopping
 habits (especially how they prey on young exhausted families
-;o) appeared in 2012 in a New York Times article.
+;o) appeared in 2012 in the New York Times:
 \begin{center}
 \url{http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html}
 \end{center}
 \begin{center}
 \url{http://cyberlaw.stanford.edu/files/publication/files/trackingsurvey12.pdf}
 \end{center}
 \noindent An article that sheds light on the paradox that
 people usually worry about privacy invasions of little
-significance, and overlook that might cause significant
+significance, and overlook the privacy invasion that might
-damage:
+cause significant damage:
 \begin{center}
 \url{http://www.heinz.cmu.edu/~acquisti/papers/Acquisti-Grossklags-Chapter-Etrics.pdf}
 \end{center}

changeset 313	1d243ac51078
parent 312	c913fe9bfd59
child 314	e01f55e7485a