--- a/slides/slides07.tex Sun Nov 09 01:05:57 2014 +0000
+++ b/slides/slides07.tex Mon Nov 10 05:57:10 2014 +0000
@@ -1,112 +1,14 @@
\documentclass[dvipsnames,14pt,t]{beamer}
-\usepackage{proof}
-\usepackage{beamerthemeplaincu}
-%\usepackage[T1]{fontenc}
-%\usepackage[latin1]{inputenc}
-\usepackage{mathpartir}
-\usepackage{isabelle}
-\usepackage{isabellesym}
-\usepackage[absolute,overlay]{textpos}
-\usepackage{ifthen}
-\usepackage{tikz}
-\usepackage{courier}
-\usepackage{listings}
-\usetikzlibrary{arrows}
-\usetikzlibrary{positioning}
-\usetikzlibrary{calc}
-\usepackage{graphicx}
-\usetikzlibrary{shapes}
-\usetikzlibrary{shadows}
-\usetikzlibrary{plotmarks}
-
-
-\isabellestyle{rm}
-\renewcommand{\isastyle}{\rm}%
-\renewcommand{\isastyleminor}{\rm}%
-\renewcommand{\isastylescript}{\footnotesize\rm\slshape}%
-\renewcommand{\isatagproof}{}
-\renewcommand{\endisatagproof}{}
-\renewcommand{\isamarkupcmt}[1]{#1}
-\newcommand{\isaliteral}[1]{}
-\newcommand{\isactrlisub}[1]{\emph{\isascriptstyle${}\sb{#1}$}}
-
-
-% Isabelle characters
-\renewcommand{\isacharunderscore}{\_}
-\renewcommand{\isacharbar}{\isamath{\mid}}
-\renewcommand{\isasymiota}{}
-\renewcommand{\isacharbraceleft}{\{}
-\renewcommand{\isacharbraceright}{\}}
-\renewcommand{\isacharless}{$\langle$}
-\renewcommand{\isachargreater}{$\rangle$}
-\renewcommand{\isasymsharp}{\isamath{\#}}
-\renewcommand{\isasymdots}{\isamath{...}}
-\renewcommand{\isasymbullet}{\act}
-
-
-
-\definecolor{javared}{rgb}{0.6,0,0} % for strings
-\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
-\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
-\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
-
-\lstset{language=Java,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
-
-\lstdefinelanguage{scala}{
- morekeywords={abstract,case,catch,class,def,%
- do,else,extends,false,final,finally,%
- for,if,implicit,import,match,mixin,%
- new,null,object,override,package,%
- private,protected,requires,return,sealed,%
- super,this,throw,trait,true,try,%
- type,val,var,while,with,yield},
- otherkeywords={=>,<-,<\%,<:,>:,\#,@},
- sensitive=true,
- morecomment=[l]{//},
- morecomment=[n]{/*}{*/},
- morestring=[b]",
- morestring=[b]',
- morestring=[b]"""
-}
-
-\lstset{language=Scala,
- basicstyle=\ttfamily,
- keywordstyle=\color{javapurple}\bfseries,
- stringstyle=\color{javagreen},
- commentstyle=\color{javagreen},
- morecomment=[s][\color{javadocblue}]{/**}{*/},
- numbers=left,
- numberstyle=\tiny\color{black},
- stepnumber=1,
- numbersep=10pt,
- tabsize=2,
- showspaces=false,
- showstringspaces=false}
+\usepackage{../slides}
% beamer stuff
-\renewcommand{\slidecaption}{APP 07, King's College London, 19 November 2013}
-\newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions
+\renewcommand{\slidecaption}{APP 07, King's College London}
\newcommand{\bl}[1]{\textcolor{blue}{#1}}
-
-
\begin{document}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}<1>[t]
+\begin{frame}[t]
\frametitle{%
\begin{tabular}{@ {}c@ {}}
\\
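Review bot: The added line `\usepackage{../slides}` makes this deck depend on a style file outside its own directory. An explicitly relative name like this is resolved against the working directory, so the build only works when LaTeX is started from inside `slides/`, and a TeX installation hardened with `openin_any = p` will refuse to read from the parent directory. If `slides.sty` declares `\ProvidesPackage{slides}`, LaTeX will presumably also warn that the requested name `../slides` does not match. I would write `\usepackage{slides}` and put the shared directory on `TEXINPUTS` in the build script instead. The new shared preamble is not visible in this diff, so please confirm that it still loads `textpos` and `graphicx`, which the frames added in the third hunk need for `textblock` and `\includegraphics`.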
@@ -114,11 +16,8 @@
\LARGE Privacy Policies (7)\\[-6mm]
\end{tabular}}\bigskip\bigskip\bigskip
- %\begin{center}
- %\includegraphics[scale=1.3]{pics/barrier.jpg}
- %\end{center}
-\normalsize
+ \normalsize
\begin{center}
\begin{tabular}{ll}
Email: & christian.urban at kcl.ac.uk\\
@@ -127,609 +26,556 @@
\end{tabular}
\end{center}
-
-\end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{}
-
- Recall the following scenario:
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \begin{itemize}
- \item If \textcolor{blue}{Admin} says that \textcolor{blue}{\isa{file}}
- should be deleted, then this file must be deleted.
- \item \textcolor{blue}{Admin} trusts \textcolor{blue}{Bob} to decide whether
- \textcolor{blue}{\isa{file}} should be deleted (delegation).
- \item \textcolor{blue}{Bob} wants to delete \textcolor{blue}{\isa{file}}.
- \end{itemize}\bigskip
- \small
- \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{3D}{\isacharequal}}}\small\begin{tabular}{l}
- \isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}},\\
- \isa{{\isaliteral{28}{\isacharparenleft}}Admin\ says\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}},\\
- \isa{Bob\ says\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}}\\
- \end{tabular}}\medskip
-
- \textcolor{blue}{\isa{{\isaliteral{5C3C47616D6D613E}{\isasymGamma}}\ {\isaliteral{5C3C7475726E7374696C653E}{\isasymturnstile}}\ del{\isaliteral{5F}{\isacharunderscore}}file\isaliteral{5C3C5E697375623E}{}}}
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {\hspace{-2mm}}c@ {}}The Access Control Problem\end{tabular}}
+\frametitle{Man-in-the-Middle}
+
+\begin{itemize}
+\item Border Gateway Protocol (BGP) --- routers believe their neighbours
+\item it is possible to advertise bad routes
+\item can be done over continents\bigskip
+\end{itemize}
+\hfill\footnotesize\url{http://www.renesys.com/2013/11/mitm-internet-hijacking/}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[t]
+\frametitle{Facebook Privacy}
+
+\begin{itemize}
+\item \large Who has a Facebook account?\pause\medskip
-\begin{center}
- \begin{tikzpicture}[scale=1]
-
- \draw[line width=1mm] (-.3, -0.5) rectangle (1.5,2);
- \draw (-2.7,1) node {\begin{tabular}{l}access\\request\\ (\bl{$F$})\end{tabular}};
- \draw (4.2,1) node {\begin{tabular}{l}provable/\\not provable\end{tabular}};
- \draw (0.6,0.8) node {\footnotesize \begin{tabular}{l}AC-\\ Checker:\\ applies\\ inference\\ rules\end{tabular}};
-
- \draw[red, ->, line width = 2mm] (1.7,1) -- (2.7,1);
- \draw[red,<-, line width = 2mm] (-0.6,1) -- (-1.6,1);
- \draw[red, <-, line width = 3mm] (0.6,2.2) -- (0.6,3.2);
-
- \draw (0.6,4) node {\begin{tabular}{l}\large Access Policy (\boldmath\bl{$\Gamma$})\end{tabular}};
+\item \large Who keeps the list of friends private?\pause\medskip
+
+\item \large Who knows that this is completely pointless?
+{\small (at least at the end of 2013)}\pause\medskip
+\end{itemize}
+
+\only<4>{ Create a fake account. Send a friend request.
+Facebook answers with ``People you may know'' feature.
+Conveniently it has also a ``see all'' button. }
- \end{tikzpicture}
-\end{center}
+\only<5>{\small\it ``Our policies explain that changing the
+visibility of people on your friend list controls how they
+appear on your Timeline, and that your friends may be visible
+on other parts of the site, such as in News Feed, Search and
+on other people's Timelines. This behavior is something we'll
+continue to evaluate to make sure we're providing clarity.'' }
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
+\frametitle{Privacy, Anonymity et al}
+
+Some terminology:
\begin{itemize}
-\item \bl{$P \,\text{says}\, F$} means \bl{$P$} can send a ``signal'' \bl{$F$} through a wire, or
-can make a ``statement'' \bl{$F$}\bigskip\pause
+\item \alert{secrecy} is the mechanism used to limit the number of
+principals with access to information (e.g., cryptography or access controls)
-\item \bl{$P$} is entitled to do \bl{$F$}\smallskip\\
-\bl{$P \,\text{controls}\, F \,\dn\, (P\,\text{says}\, F) \Rightarrow F$}\medskip
+\item \alert{confidentiality} is the obligation to protect the secrets of other people
+or organizations (secrecy for the benefit of an organisation)
-\begin{center}
-\bl{\infer{\Gamma \vdash F}{\Gamma \vdash P\,\text{controls}\, F & \Gamma \vdash P\,\text{says}\,F}}
-\end{center}
+\item \alert{anonymity} is the ability to leave no evidence of an activity (e.g., sharing a secret)
+\item \alert{privacy} is the ability or right to protect your personal secrets
+(secrecy for the benefit of an individual)
\end{itemize}
\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Security Levels}
- \small
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Privacy vs Anonymity}
- \begin{itemize}
- \item Top secret (\bl{$T\!S$})
- \item Secret (\bl{$S$})
- \item Public (\bl{$P$})
- \end{itemize}
+\begin{itemize}
+\item everybody agrees that anonymity has its uses (e.g., voting, whistleblowers, peer-review, exams)
+\end{itemize}\bigskip\bigskip\pause
+
- \begin{center}
- \bl{$slev(P) < slev(S) < slev(T\!S)$}\pause
- \end{center}
+But privacy?\bigskip\bigskip
+
+``You have zero privacy anyway. Get over it.''\\
+\hfill{}Scott Mcnealy (CEO of Sun)\bigskip\\
+
- \begin{itemize}
- \item Bob has a clearance for ``secret''
- \item Bob can read documents that are public or sectret, but not top secret
- \end{itemize}
+If you have nothing to hide, you have nothing to fear.
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Reading a File}
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Privacy}
+
+private data can be often used against me
- \bl{\begin{center}
- \begin{tabular}{c}
- \begin{tabular}{@ {}l@ {}}
- \only<2->{\textcolor{red}{$slev($File$)$ $<$ $slev($Bob$)$ $\Rightarrow$}}\\
- \only<2->{\hspace{3cm}}Bob controls Permitted $($File, read$)$\\
- Bob says Permitted $($File, read$)$\only<2->{\\}
- \only<2>{\textcolor{red}{$slev($File$)$ $<$ $slev($Bob$)$}}%
- \only<3>{\textcolor{red}{$slev($File$)$ $=$ $P$}\\}%
- \only<3>{\textcolor{red}{$slev($Bob$)$ $=$ $S$}\\}%
- \only<3>{\textcolor{red}{$slev(P)$ $<$ $slev(S)$}\\}%
- \end{tabular}\\
- \hline
- Permitted $($File, read$)$
- \end{tabular}
- \end{center}}
+\begin{itemize}
+\item if my location data becomes public, thieves will switch off their phones and help themselves in my home
+\item if supermarkets can build a profile of what I buy, they can use it to their advantage (banks - mortgages)
+\item my employer might not like my opinions\bigskip\pause
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
+\item one the other hand, Freedom-of-Information Act
+\item medical data should be private, but medical research needs data
+\end{itemize}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Substitution Rule}
- \small
-
- \bl{\begin{center}
- \begin{tabular}{c}
- $\Gamma \vdash slev(P) = l_1$ \hspace{4mm} $\Gamma \vdash slev(Q) = l_2$
- \hspace{4mm} $\Gamma \vdash l_1 < l_2$\\\hline
- $\Gamma \vdash slev(P) < slev(Q)$
- \end{tabular}
- \end{center}}\bigskip\pause
-
- \begin{itemize}
- \item \bl{$slev($Bob$)$ $=$ $S$}
- \item \bl{$slev($File$)$ $=$ $P$}
- \item \bl{$slev(P) < slev(S)$}
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Reading a File}
-
- \bl{\begin{center}
- \begin{tabular}{c}
- \begin{tabular}{@ {}l@ {}}
- $slev($File$)$ $<$ $slev($Bob$)$ $\Rightarrow$\\
- \hspace{3cm}Bob controls Permitted $($File, read$)$\\
- Bob says Permitted $($File, read$)$\\
- $slev($File$)$ $=$ $P$\\
- $slev($Bob$)$ $=$ $T\!S$\\
- \only<1>{\textcolor{red}{$?$}}%
- \only<2>{\textcolor{red}{$slev(P) < slev(S)$}\\}%
- \only<2>{\textcolor{red}{$slev(S) < slev(T\!S)$}}%
- \end{tabular}\\
- \hline
- Permitted $($File, read$)$
- \end{tabular}
- \end{center}}
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Privacy Problems}
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Transitivity Rule}
- \small
-
- \bl{\begin{center}
- \begin{tabular}{c}
- $\Gamma \vdash l_1 < l_2$
- \hspace{4mm} $\Gamma \vdash l_2 < l_3$\\\hline
- $\Gamma \vdash l_1 < l_3$
- \end{tabular}
- \end{center}}\bigskip
-
- \begin{itemize}
- \item \bl{$slev(P) < slev (S)$}
- \item \bl{$slev(S) < slev (T\!S)$}
- \item[] \bl{$slev(P) < slev (T\!S)$}
- \end{itemize}
+\begin{itemize}
+\item Apple takes note of every dictation (send over the Internet to Apple)
+\item markets often only work, if data is restricted (to build trust)
+\item Social network can reveal data about you
+\item have you tried the collusion (lightbeam?) extension for FireFox?
+\item I do use Dropbox, store cards
+\end{itemize}
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Reading Files}
-
- \begin{itemize}
- \item Access policy for Bob for reading
- \end{itemize}
+\begin{textblock}{5}(12,9.9)
+\includegraphics[scale=0.2]{../pics/gattaca.jpg}\\
+\small Gattaca (1997)
+\end{textblock}
- \bl{\begin{center}
- \begin{tabular}{c}
- \begin{tabular}{@ {}l@ {}}
- $\forall f.\;slev(f)$ \only<1>{$<$}\only<2>{\textcolor{red}{$\le$}} $slev($Bob$)$ $\Rightarrow$\\
- \hspace{3cm}Bob controls Permitted $(f$, read$)$\\
- Bob says Permitted $($File, read$)$\\
- $slev($File$)$ $=$ \only<1>{$P$}\only<2>{\textcolor{red}{$T\!S$}}\\
- $slev($Bob$)$ $=$ $T\!S$\\
- $slev(P) < slev(S)$\\
- $slev(S) < slev(T\!S)$
- \end{tabular}\\
- \hline
- Permitted $($File, read$)$
- \end{tabular}
- \end{center}}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Writing Files}
-
- \begin{itemize}
- \item Access policy for Bob for {\bf writing}
- \end{itemize}
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{Privacy}
- \bl{\begin{center}
- \begin{tabular}{c}
- \begin{tabular}{@ {}l@ {}}
- $\forall f.\;slev($Bob$)$ $\le$ $slev(f)$ $\Rightarrow$\\
- \hspace{3cm}Bob controls Permitted $(f$, write$)$\\
- Bob says Permitted $($File, write$)$\\
- $slev($File$)$ $=$ $T\!S$\\
- $slev($Bob$)$ $=$ $S$\\
- $slev(P) < slev(S)$\\
- $slev(S) < slev(T\!S)$
- \end{tabular}\\
- \hline
- Permitted $($File, write$)$
- \end{tabular}
- \end{center}}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Encrypted Messages}
+\begin{minipage}{1.05\textwidth}
+\begin{itemize}
+\item we \alert{do} want that government data is made public (free maps for example)
+\item we \alert{do not} want that medical data becomes public (similarly tax data, school
+records, job offers)\bigskip
+\item personal information can potentially lead to fraud
+(identity theft)
+\end{itemize}\pause
- \begin{itemize}
- \item Alice sends a message \bl{$m$}
- \begin{center}
- \bl{Alice says $m$}
- \end{center}\medskip\pause
-
- \item Alice sends an encrypted message \bl{$m$}\\ (with key \bl{$K$})
- \begin{center}
- \bl{Alice says $\{m\}_K$}
- \end{center}\medskip\pause
-
- \item Decryption of Alice's message\smallskip
- \begin{center}
- \bl{\mbox{\infer{\Gamma \vdash \text{Alice}\;\text{says}\;m}
- {\Gamma \vdash \text{Alice}\;\text{says}\;\{m\}_K & \Gamma \vdash \text{Alice}\,\text{says}\,K}}}
- \end{center}
- \end{itemize}
+{\bf ``The reality'':}
+\only<2>{\begin{itemize}
+\item London Health Programmes lost in June two years unencrypted details of more than 8 million people
+(no names, but postcodes and details such as gender, age and ethnic origin)
+\end{itemize}}
+\only<3>{\begin{itemize}
+\item also in June two years ago, Sony got hacked: over 1M users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts.
+\end{itemize}}
+\end{minipage}
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Encryption}
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \begin{itemize}
- \item Encryption of a message\smallskip
- \begin{center}
- \bl{\mbox{\infer{\Gamma \vdash \text{Alice}\;\text{says}\;\{m\}_K}
- {\Gamma \vdash \text{Alice}\;\text{says}\;m & \Gamma \vdash \text{Alice}\,\text{says}\,K}}}
- \end{center}
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
-\frametitle{Trusted Third Party}
-
-Simple protocol for establishing a secure connection via a mutually
-trusted 3rd party (server):
-
-\begin{center}
-\begin{tabular}{@ {\hspace{-7mm}}l@{\hspace{2mm}}r@ {\hspace{1mm}}l}
-Message 1 & \bl{$A \rightarrow S :$} & \bl{$A, B$}\\
-Message 2 & \bl{$S \rightarrow A :$} & \bl{$\{K_{AB}\}_{K_{AS}}$} and \bl{$\{\{K_{AB}\}_{K_{BS}} \}_{K_{AS}}$}\\
-Message 3 & \bl{$A \rightarrow B :$} & \bl{$\{K_{AB}\}_{K_{BS}} $}\\
-Message 4 & \bl{$A \rightarrow B :$} & \bl{$\{m\}_{K_{AB}}$}\\
-\end{tabular}
-\end{center}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\frametitle{Privacy and Big Data}
+\mbox{}\\[-16mm]\mbox{}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Sending Rule}
-
- \bl{\begin{center}
- \mbox{$\infer{\Gamma \vdash Q \;\text{says}\; F}
- {\Gamma \vdash P \;\text{says}\; F & \Gamma \vdash P \;\text{sends}\; Q : F}$}
- \end{center}}\bigskip\pause
-
- \bl{$P \,\text{sends}\, Q : F \dn$}\\
- \hspace{6mm}\bl{$(P \,\text{says}\, F) \Rightarrow (Q \,\text{says}\, F)$}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Trusted Third Party}
+Selected sources of ``Big Data'':\smallskip{}
- \begin{center}
- \bl{\begin{tabular}{l}
- $A$ sends $S$ : $\text{Connect}(A,B)$\\
- \bl{$S \,\text{says}\, (\text{Connect}(A,B) \Rightarrow$}\\
- \hspace{2.5cm}\bl{$\{K_{AB}\}_{K_{AS}} \wedge
- \{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}})$}\\
- $S$ sends $A$ : $\{K_{AB}\}_{K_{AS}}$ \bl{$\wedge$} $\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$\\
- $A$ sends $B$ : $\{K_{AB}\}_{K_{BS}}$\\
- $A$ sends $B$ : $\{m\}_{K_{AB}}$
- \end{tabular}}
- \end{center}\bigskip\pause
-
-
- \bl{$\Gamma \vdash B \,\text{says} \, m$}?
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Public/Private Keys}
-
- \begin{itemize}
- \item Bob has a private and public key: \bl{$K_{Bob}^{pub}$}, \bl{$K_{Bob}^{priv}$}\bigskip
- \begin{center}
- \bl{\mbox{\infer{\Gamma \vdash \text{Alice}\;\text{says}\;m}
- {\Gamma \vdash \text{Alice}\;\text{says}\;\{m\}_{K_{Bob}^{pub}} &
- \Gamma \vdash K_{Bob}^{priv}}}}
- \end{center}\bigskip\pause
-
- \item this is {\bf not} a derived rule!
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-% \begin{itemize}
-% \item Alice calls Sam for a key to communicate with Bob
-% \item Sam responds with a key that Alice can read and a key Bob can read (pre-shared)
- % \item Alice sends the message encrypted with the key and the second key it recieved
- % \end{itemize}\bigskip
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Sending Rule}
+\begin{itemize}
+\item Facebook
+\begin{itemize}
+\item 40+ Billion photos (100 PB)
+\item 6 Billion messages daily (5 - 10 TB)
+\item 900 Million users
+\end{itemize}
+\item Common Crawl
+\begin{itemize}
+\item covers 3.8 Billion webpages (2012 dataset)
+\item 50 TB of data
+\end{itemize}
+\item Google
+\begin{itemize}
+\item 20 PB daily (2008)
+\end{itemize}
+\item Twitter
+\begin{itemize}
+\item 7 Million users in the UK
+\item a company called Datasift is allowed to mine all tweets since 2010
+\item they charge 10k per month for other companies to target advertisement
+\end{itemize}
+\end{itemize}\pause
- \bl{\begin{center}
- \mbox{\infer{\Gamma \vdash Q \;\textit{says}\; F}
- {\Gamma \vdash P \;\textit{says}\; F & \Gamma \vdash P \;\textit{sends}\; Q : F}}
- \end{center}}\bigskip\pause
-
- \bl{$P \,\text{sends}\, Q : F \dn$}\\
- \hspace{6mm}\bl{$(P \,\text{says}\, F) \Rightarrow (Q \,\text{says}\, F)$}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Trusted Third Party}
-
- \begin{center}
- \bl{\begin{tabular}{l}
- $A$ sends $S$ : $\textit{Connect}(A,B)$\\
- \bl{$S \,\text{says}\, (\textit{Connect}(A,B) \Rightarrow$}\\
- \hspace{2.5cm}\bl{$\{K_{AB}\}_{K_{AS}} \wedge
- \{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}})$}\\
- $S$ sends $A$ : $\{K_{AB}\}_{K_{AS}}$ \bl{$\wedge$} $\{\{K_{AB}\}_{K_{BS}}\}_{K_{AS}}$\\
- $A$ sends $B$ : $\{K_{AB}\}_{K_{BS}}$\\
- $A$ sends $B$ : $\{m\}_{K_{AB}}$
- \end{tabular}}
- \end{center}\bigskip\pause
-
-
- \bl{$\Gamma \vdash B \,\text{says} \, m$}?
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Challenge-Response Protocol}
-
- \begin{itemize}
- \item an engine \bl{$E$} and a transponder \bl{$T$} share a key \bl{$K$}\bigskip
- \item \bl{$E$} sends out a \alert{nonce} \bl{$N$} (random number) to \bl{$T$}\bigskip
- \item \bl{$T$} responds with \bl{$\{N\}_K$}\bigskip
- \item if \bl{$E$} receives \bl{$\{N\}_K$} from \bl{$T$}, it starts engine
- \end{itemize}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Challenge-Response Protocol}
-
- \begin{center}
- \bl{\begin{tabular}{l}
- $E \;\text{says}\; N$\hfill(start)\\
- $E \;\text{sends}\; T : N$\hfill(challenge)\\
- $(T \;\text{says}\; N) \Rightarrow (T \;\text{sends}\; E : \{N\}_K \wedge$\\
- \hspace{3.5cm} $T \;\text{sends}\; E : \text{Id}(T))$\;\;\;\hfill(response)\\
- $T \;\text{says}\; K$\hfill(key)\\
- $T \;\text{says}\; \text{Id}(T)$\hfill(identity)\\
- $(E \;\text{says}\; \{N\}_K \wedge E \;\text{says}\; \text{Id}(T)) \Rightarrow$\\
- \hspace{5cm}$ \text{start\_engine}(T)$\hfill(engine)\\
- \end{tabular}}
- \end{center}\bigskip
-
- \bl{$\Gamma \vdash \text{start\_engine}(T)$}?
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{Exchange of a Fresh Key}
-
-\bl{$A$} and \bl{$B$} share a (``super-secret'') key \bl{$K_{AB}$} and want to share another key
-
- \begin{itemize}
- \item assumption \bl{$K_{AB}$} is only known to \bl{$A$} and \bl{$B$}\bigskip
- \item \bl{$A \,\text{sends}\, B : A, \{N_A\}_{K_{AB}}$}
- \item \bl{$B\,\text{sends}\, A : \{N_A + 1, N_B\}_{K_{AB}}$}
- \item \bl{$A \,\text{sends}\, B : \{N_B + 1\}_{K_{AB}}$}
- \item \bl{$B \,\text{sends}\, A : \{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}
- \item<2> \bl{$A \,\text{sends}\, B : \{msg\}_{K^{new}_{AB}}$}
- \end{itemize}\bigskip
-
- Assume \bl{$K^{new}_{AB}$} is compromised by \bl{$I$}
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \mode<presentation>{
- \begin{frame}[c]
- \frametitle{The Attack}
-
-An intruder \bl{$I$} convinces \bl{$A$} to accept the compromised key \bl{$K^{new}_{AB}$}\medskip
-
-\begin{minipage}{1.1\textwidth}
-\begin{itemize}
- \item \bl{$A \,\text{sends}\, B : A, \{N_A\}_{K_{AB}}$}
- \item \bl{$B\,\text{sends}\, A : \{N_A + 1, N_B\}_{K_{AB}}$}
- \item \bl{$A \,\text{sends}\, B : \{N_B + 1\}_{K_{AB}}$}
- \item \bl{$B \,\text{sends}\, A : \{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}\;\;recorded by \bl{$I$}\pause
- \item \bl{$A \,\text{sends}\, B : A, \{M_A\}_{K_{AB}}$}
- \item \bl{$B\,\text{sends}\, A : \{M_A + 1, M_B\}_{K_{AB}}$}
- \item \bl{$A \,\text{sends}\, B : \{M_B + 1\}_{K_{AB}}$}
- \item \bl{$B \,\text{sends}\, I : \{K^{newer}_{AB}, N^{newer}_B\}_{K_{AB}}$}\;intercepted by \bl{$I$}
- \item \bl{$I \,\text{sends}\, A : \{K^{new}_{AB}, N^{new}_B\}_{K_{AB}}$}\pause
- \item \bl{$A \,\text{sends}\, B : \{msg\}_{K^{new}_{AB}}$}\;\;\;\;\bl{$I$} can read it also
- \end{itemize}
- \end{minipage}
-
- \end{frame}}
- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-
-A Man-in-the-middle attack in real life:
-
-\begin{itemize}
-\item the card only says yes or no to the terminal if the PIN is correct
-\item trick the card in thinking transaction is verified by signature
-\item trick the terminal in thinking the transaction was verified by PIN
-\end{itemize}
-
-\begin{minipage}{1.1\textwidth}
-\begin{center}
-\mbox{}\hspace{-6mm}\includegraphics[scale=0.5]{pics/chip-attack.png}
-\includegraphics[scale=0.3]{pics/chipnpinflaw.png}
-\end{center}
-\end{minipage}
-
\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{Problems with EMV}
-
-\begin{itemize}
-\item it is a wrapper for many protocols
-\item specification by consensus (resulted unmanageable complexity)
-\item its specification is 700 pages in English plus 2000+ pages for testing, additionally some
-further parts are secret
-\item other attacks have been found
-
-\item one solution might be to require always online verification of the PIN with the bank
-\end{itemize}
-
-\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Problems with WEP (Wifi)\end{tabular}}
+\frametitle{Cookies\ldots}
+
+``We have published a new cookie policy. It explains what cookies are
+and how we use them on our site. To learn more about cookies and
+their benefits, please view our cookie policy.\medskip
+
+If you'd like to disable cookies on this device, please view our information
+pages on 'How to manage cookies'. Please be aware that parts of the
+site will not function correctly if you disable cookies. \medskip
+
+By closing this
+message, you consent to our use of cookies on this device in accordance
+with our cookie policy unless you have disabled them.''
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Scare Tactics}
+
+The actual policy reads:\bigskip
+
+``As we explain in our Cookie Policy, cookies help you to get the most
+out of our websites.\medskip
+
+If you do disable our cookies you may find that certain sections of our
+website do not work. For example, you may have difficulties logging in
+or viewing articles.''
+
+
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Netflix Prize}
+
+Anonymity is \alert{necessary} for privacy, but \alert{not} enough!\bigskip
\begin{itemize}
-\item a standard ratified in 1999
-\item the protocol was designed by a committee not including cryptographers
-\item it used the RC4 encryption algorithm which is a stream cipher requiring a unique nonce
-\item WEP did not allocate enough bits for the nonce
-\item for authenticating packets it used CRC checksum which can be easily broken
-\item the network password was used to directly encrypt packages (instead of a key negotiation protocol)\bigskip
-\item encryption was turned off by default
+\item Netflix offered in 2006 (and every year until 2010) a 1 Mio \$ prize for improving their movie rating algorithm
+\item dataset contained 10\% of all Netflix users (appr.~500K)
+\item names were removed, but included numerical ratings as well as times of rating
+\item some information was \alert{perturbed} (i.e., slightly modified)
+\end{itemize}
+
+\hfill{\bf\alert{All OK?}}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Re-identification Attacks}
+
+Two researchers analysed the data:
+
+\begin{itemize}
+\item with 8 ratings (2 of them can be wrong) and corresponding dates that can have a margin 14-day error, 98\% of the
+records can be identified
+\item for 68\% only two ratings and dates are sufficient (for movie ratings outside the top 500)\bigskip\pause
+\item they took 50 samples from IMDb (where people can reveal their identity)
+\item 2 of them uniquely identified entries in the Netflix database (either by movie rating or by dates)
\end{itemize}
\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Re-identification Attacks}
+
+
+\begin{itemize}
+\item in 1990 insurance databases were made public with names removed, but birth dates,
+gender, ZIP-code were retained\medskip
+\item could be cross referenced with public voter registration data in order to find out what the
+medical record of the governor of Massachusetts was
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
-\frametitle{Protocols are Difficult}
+\frametitle{}
+
+\begin{itemize}
+\item Birth data, postcode and gender (unique for\\ 87\% of the US population)
+\item Preferences in movies (99\% of 500K for 8 ratings)
+\end{itemize}\bigskip
+
+Therefore best practices / or even law (HIPAA, EU):
\begin{itemize}
-\item even the systems designed by experts regularly fail\medskip
-\item try to make everything explicit (you need to authenticate all data you might rely on)\medskip
-\item the one who can fix a system should also be liable for the losses\medskip
-\item cryptography is often not {\bf the} answer\bigskip\bigskip
+\item only year dates (age group for 90 years or over),
+\item no postcodes (sector data is OK, similarly in the US)\\
+\textcolor{gray}{no names, addresses, account numbers, licence plates}
+\item disclosure information needs to be retained for 5 years
\end{itemize}
-logic is one way protocols are studied in academia
-(you can use computers to search for attacks)
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<2>[c]
+\frametitle{\large How to Safely Disclose Information?}
+
+\only<1>{
+\begin{itemize}
+\item Assume you make a survey of 100 randomly chosen people.
+\item Say 99\% of the surveyed people in the 10 - 40 age group have seen the
+Gangnam video on youtube.\bigskip
+
+\item What can you infer about the rest of the population?
+\end{itemize}}
+\only<2>{
+\begin{itemize}
+\item Is it possible to re-identify data later, if more data is released? \bigskip\bigskip\pause
+
+\item Not even releasing only aggregate information prevents re-identification attacks.
+(GWAS was a public database of gene-frequency studies linked to diseases;
+you only needed partial DNA information in order
+to identify whether an individual was part of the study --- DB closed in 2008)
+\end{itemize}}
\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<2>[c]
+\frametitle{\Large We cannot exclude all Harm}
+
+\begin{itemize}
+\item Analysis of a given data set teaches us that smoking causes cancer.
+Mary, a smoker, is harmed by this analysis: her insurance premiums rise.
+Mary’s premiums rise whether or not her data are in the data set. In other words,
+Mary is harmed by the finding smoking causes cancer.\bigskip
+
+\item \ldots of course she is also helped; she might quit smoking
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}<2>[c]
+\frametitle{Differential Privacy}
+
+\begin{itemize}
+\item Goal: Nothing about an individual should be learnable from the database that
+cannot be learned without access to the database.\pause\bigskip
+
+\item Differential privacy is a ``protocol'' which you run on some dataset \bl{$X$} producing
+some output \bl{$O(X)$}.\bigskip
+
+\item You want to achieve \alert{forward privacy}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\mode<presentation>{
\begin{frame}[c]
-\frametitle{Public-Key Infrastructure}
+\frametitle{Differential Privacy}
+
+\begin{center}
+User\;\;\;\;
+\begin{tabular}{c}
+tell me \bl{$f(x)$} $\Rightarrow$\\
+$\Leftarrow$ \bl{$f(x) + \text{noise}$}
+\end{tabular}
+\;\;\;\;\begin{tabular}{@{}c}
+Database\\
+\bl{$x_1, \ldots, x_n$}
+\end{tabular}
+\end{center}
+
\begin{itemize}
-\item the idea is to have a certificate authority (CA)
-\item you go to the CA to identify yourself
-\item CA: ``I, the CA, have verified that public key \bl{$P^{pub}_{Bob}$} belongs to Bob''\bigskip
-\item CA must be trusted by everybody
-\item What happens if CA issues a false certificate? Who pays in case of loss? (VeriSign
-explicitly limits liability to \$100.)
+\item \bl{$f(x)$} can be released, if \bl{$f$} is insensitive to
+individual entries \bl{$x_1, \ldots, x_n$}\\
+\item Intuition: whatever is learned from the dataset would be learned regardless of whether
+\bl{$x_i$} participates\bigskip\pause
+
+\item Noised needed in order to prevent queries:\\ Christian's salary $=$
+\begin{center}
+\bl{\large$\Sigma$} all staff $-$ \bl{\large$\Sigma$} all staff $\backslash$ Christian
+\end{center}
\end{itemize}
\end{frame}}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Example}
+
+\begin{center}
+\begin{tabular}{l|l}
+Name & Has the disease?\\\hline
+Alice & yes\\
+Bob & no\\
+Charlie & yes\\
+Eve & no\\
+Chandler & yes\\
+\end{tabular}
+\end{center}
+
+How many people have a disease?
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Adding Noise}
+
+Adding noise is not as trivial as one would wish:
+
+\begin{itemize}
+\item If I ask how many of three have a disease and get a result
+as follows
+
+\begin{center}
+\begin{tabular}{l|c}
+Alice & yes\\
+Bob & no\\
+Charlie & yes\\
+\end{tabular}
+\end{center}
+
+then I have to add a noise of \bl{$1$}. So answers would be in the
+range of \bl{$1$} to \bl{$3$}
+
+\bigskip
+\item But if I ask five questions for all the dataset (has the disease, is male, below 30, \ldots),
+then one individual can change the dataset by \bl{$5$}
+\end{itemize}
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@{}c@{}}Tor (private web browsing)\end{tabular}}
+
+\begin{itemize}
+\item initially developed by US Navy Labs, but then opened up to the world
+\item network of proxy nodes
+\item a Tor client establishes a ``random'' path to the destination server (you cannot trace back where the information came from)\bigskip\pause
+\end{itemize}
+
+\only<2>{
+\begin{itemize}
+\item malicious exit node attack: someone set up 5 Tor exit nodes and monitored the traffic:
+\begin{itemize}
+\item a number of logons and passwords used by embassies (Usbekistan `s1e7u0l7c', while
+Tunesia `Tunesia' and India `1234')
+\end{itemize}
+\end{itemize}}
+\only<3>{
+\begin{itemize}
+\item bad apple attack: if you have one insecure application, your IP can be tracked through Tor
+\begin{itemize}
+\item background: 40\% of traffic on Tor is generated by BitTorrent
+\end{itemize}
+\end{itemize}}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{Tor Nodes}
+
+Dan Egerstad wrote:\bigskip
+
+\it ``If you actually look in to where these Tor nodes are hosted and how big they are, some of these nodes cost thousands of dollars each month just to host because they're using lots of bandwidth, they're heavy-duty servers and so on. Who would pay for this and be anonymous?"
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[t]
+\frametitle{\begin{tabular}{@{}c@{}}Skype\end{tabular}}
+
+\begin{itemize}
+\item Skype used to be known as a secure online communication (encryption cannot be disabled),
+but \ldots\medskip
+
+\item it is impossible to verify whether crypto algorithms are correctly used, or whether there are backdoors.\bigskip
+
+\item recently someone found out that you can reset the password of somebody else's
+account, only knowing their email address (needed to suspended the password reset feature temporarily)
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@{}c@{}}Take Home Point\end{tabular}}
+
+According to Ross Anderson: \bigskip
+\begin{itemize}
+\item Creating large databases of sensitive personal information is intrinsically
+hazardous (NHS)\bigskip
+
+
+\item Privacy in a big hospital is just about doable.\medskip
+\item How do you enforce privacy in something as big as Google
+or complex as Facebook? No body knows.\bigskip
+
+Similarly, big databases imposed by government
+\end{itemize}
+
+
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
\end{document}
%%% Local Variables: