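% Lecture slides "Security Engineering (6)", SEN 07: privacy, anonymity,
% re-identification attacks and differential privacy.
% The shared preamble in ../slides is not shown here; it is expected to
% provide \slidecaption and the textblock environment used below.
\documentclass[dvipsnames,14pt,t]{beamer}
\usepackage{../slides}

% beamer stuff
\renewcommand{\slidecaption}{SEN 07, King's College London}
% \bl{..}: blue highlight for the symbols in the differential-privacy frames.
% Starred form: the argument is always short and never contains \par.
\newcommand*{\bl}[1]{\textcolor{blue}{#1}}

\begin{document}

%% Differential privacy
%% http://www.cis.upenn.edu/~aaroth/Papers/privacybook.pdf
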
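%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Title frame: lecture title and contact details.
% The tabular inside \frametitle and the negative \\[-3mm] are a manual
% vertical-alignment tweak; keep them together if the title changes.
% Column spec uses @{} (no space after @) like the other tabulars in this file.
\begin{frame}[t]
\frametitle{%
\begin{tabular}{@{}c@{}}
\\
\LARGE Security Engineering (6)\\[-3mm]
\end{tabular}}\bigskip\bigskip\bigskip

\normalsize
\begin{center}
\begin{tabular}{ll}
Email: & christian.urban at kcl.ac.uk\\
Office: & N7.07 (North Wing, Bush House)\\
Slides: & KEATS (also homework is there)\\
\end{tabular}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
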
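%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Taking Stock: security incidents in the news at the time of the lecture.
\begin{frame}[t]
\frametitle{Taking Stock}

\begin{itemize}
\item \ldots 9,000 customers of Tesco bank have their account suspended
\item \ldots 2 weeks ago there was a blackout for US websites because
of a DoS attack from IoT devices (see paper by Shamir et al.)

% A bare "<" in text mode can print as an inverted exclamation mark under
% the OT1 font encoding; math mode always gives the less-than sign.
\item \ldots Dirty Cow\ldots Linux privilege-escalation bug under active exploit
(``any user can become root in $<$ 5 seconds in my testing'')
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
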
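%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Facebook Privacy: three audience questions (one per \pause), then on
% overlay 4 the friend-list disclosure observed in 2013 and on overlay 5
% Facebook's quoted response.
\begin{frame}[t]
\frametitle{Facebook Privacy}

\begin{itemize}
\item \large Who has a Facebook account?\pause\medskip

\item \large Who keeps the list of friends private?\pause\medskip

\item \large Who knows that this is completely pointless?
\textcolor{gray}{\small (at least at the end of 2013)}\pause\medskip
\end{itemize}

\only<4>{Create a fake account. Send a friend-request.
Facebook answers with the ``People you may know'' feature.
Conveniently, it has also a ``see all'' button.}

% \itshape is the LaTeX2e font switch; the plain-TeX \it does not combine
% correctly with other font changes.
\only<5>{\small\itshape ``Our policies explain that changing the
visibility of people on your friend list controls how they
appear on your Timeline, and that your friends may be visible
on other parts of the site, such as in News Feed, Search and
on other people's Timelines. This behavior is something we'll
continue to evaluate to make sure we're providing clarity.'' }

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
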
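%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Facebook Privacy Australia: a third-party app re-exposing friend lists.
\begin{frame}[t]
\frametitle{Facebook Privacy Australia}

\begin{itemize}
\item Tinder requires a Facebook profile when signing up.
\item Helpfully, FB Australia wants to encourage your group
of friends to find and connect with other groups out in the
real world.
\item \ldots{}it reveals which of your Facebook friends are also
on Tinder (for Australia it is an opt-out)
\end{itemize}


\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

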
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% UCAS (a charity): quotation from The Guardian on selling access to
% applicants' email addresses.
\begin{frame}
\frametitle{UCAS (a charity)}
% pull the quotation up towards the title
\mbox{}\\[-15mm]\mbox{}
\small
\begin{quote}
``The Universities and Colleges Admissions Service received more than
\pounds{12m} last year in return for sending targeted advertising to
subscribers as young as 16.

The service, which controls admissions to UK universities and attracts
700,000 new applicants each year, sells the access via its commercial
arm, Ucas Media.

Vodafone, O2, Microsoft and the private university accommodation
provider Pure Student Living are among those who have marketed through
Ucas, which offers access to over a million student email
addresses\ldots

Applicants can opt out of receiving direct marketing, but only at the
cost of missing out on education and careers mailings as well.''\bigskip\\
\footnotesize\hfill The Guardian, 12 March 2014
\end{quote}


\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Verizon: screenshot about Verizon's advertising header; the URL at the
% bottom is the source of the picture.
\begin{frame}
\frametitle{Verizon}
% pull the picture up towards the title
\mbox{}\\[-23mm]\mbox{} 

\begin{center}
\includegraphics[scale=0.21]{../pics/verizon.png}
\end{center}
\vfill\footnotesize
\url{http://webpolicy.org/2014/10/24/how-verizons-advertising-header-works}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 



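%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Terminology: secrecy, confidentiality, anonymity, privacy.
% \textbf{} replaces the obsolete plain-TeX \bf; British spelling
% ("organisation") is used consistently, as elsewhere in the file.
\begin{frame}[c]
\frametitle{Privacy, Anonymity et al}

Some terminology:

\begin{itemize}
\item \alert{\textbf{secrecy}} is the mechanism used to limit the
number of principals with access to information (e.g.,
cryptography or access controls)

\item \alert{\textbf{confidentiality}} is the obligation to protect the
secrets of other people or organisations (secrecy for
the benefit of an organisation)

\item \alert{\textbf{anonymity}} is the ability to leave no evidence of
an activity (e.g., sharing a secret, whistle blowing)

\item \alert{\textbf{privacy}} is the ability or right to protect your
personal secrets (secrecy for the benefit of an
individual)

\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
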
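%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Privacy vs Anonymity: anonymity is uncontroversial; privacy is not.
% Three well-known quotes, revealed with \pause.
\begin{frame}[t]
\frametitle{Privacy vs Anonymity}

\begin{itemize}

\item everybody agrees that anonymity has its uses (e.g.,
voting, whistleblowers, peer-review, exams)

\end{itemize}\bigskip\pause


But privacy?\bigskip\medskip

\textit{``You have zero privacy anyway. Get over it.''}\\
{\small\hfill{}Scott McNealy (CEO of Sun)}\bigskip\\


\textit{``If you have nothing to hide, you have nothing
to fear.''}\medskip\pause

% the % after { and before } keep the line ends from becoming spaces
% inside the italic group
\textit{%
A few years ago a Google executive tried to allay worries about
Google poring over all your emails on Gmail. He said something
along the lines: You are watched by an algorithm; this is like being
naked in front of your dog.%
}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
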
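%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Privacy Problems: private data used against its owner, then (after the
% \pause) cases where disclosure is wanted or needed.
\begin{frame}[t]
\frametitle{Privacy Problems}

Private data can often be used against me:

\begin{itemize}

\item if my location data becomes public, thieves will switch
off their phones and help themselves in my home
\item if supermarkets can build a profile of what I buy, they
can use it to their advantage (banks -- mortgages)
\item my employer might not like my opinions\bigskip\pause

\item on the other hand, Freedom-of-Information Act
\item medical data should be private, but medical research
needs data
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
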
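%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Privacy Problems (cont.): everyday data collection, with a Gattaca
% still as an aside.
\begin{frame}[t]
\frametitle{Privacy Problems}

\begin{itemize}

\item Apple takes note of every Siri dictation (sent over the
Internet to Apple; retained for 2 years)

\item markets often only work, if data is restricted (to build
trust)

\item social networks can reveal data about you

\item have you tried the collusion (lightbeam?) extension for
Firefox?

\item I do use Dropbox, store cards

\end{itemize}

% absolutely positioned picture; the textblock environment is not defined
% in this file (presumably provided by ../slides)
\begin{textblock}{5}(12,9.9)
\includegraphics[scale=0.2]{../pics/gattaca.jpg}\\
\small Gattaca (1997)
\end{textblock}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
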
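%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Privacy: what we want public vs. private, then three real-world data
% losses shown one per overlay (2, 3, 4) via \only.
\begin{frame}[t]
\frametitle{Privacy}

\begin{minipage}{1.05\textwidth}
\begin{itemize}

\item we \alert{do} want that government data is made public
(free maps for example)

\item we \alert{do not} want that medical data becomes public
(similarly tax data, school records, job search)\bigskip

\item personal information can potentially lead to fraud
(identity theft)

\end{itemize}\pause

% \textbf{} instead of the obsolete plain-TeX \bf
\textbf{``The reality'':}
\only<2>{\begin{itemize}
\item London Health Programmes lost in 2011 unencrypted
details of more than 8 million people (no names, but
postcodes and details such as gender, age and ethnic
origin)
\end{itemize}}

\only<3>{\begin{itemize}
\item also in 2011, Sony got hacked: over 1M users' personal
information, including passwords, email addresses, home
addresses, dates of birth, and all Sony opt-in data
associated with their accounts.
\end{itemize}}

\only<4>{\begin{itemize}
\item in 2007, Gordon Brown needed to apologise for the loss
of tax data of 25M people (a junior civil servant sent
a CD in the mail, which got lost)
\end{itemize}}
\end{minipage}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
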
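%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Privacy and Big Data: scale of a few well-known data sets (figures as
% quoted on the slide).
\begin{frame}[c]
\frametitle{Privacy and Big Data}
% pull the list up towards the title
\mbox{}\\[-16mm]\mbox{}

Selected sources of ``Big Data'':\smallskip

\begin{itemize}
\item Facebook
\begin{itemize}
\item 40+ Billion photos (100 PB)
\item 6 Billion messages daily (5--10 TB)
\item 900 Million users
\end{itemize}
\item Common Crawl
\begin{itemize}
\item covers 3.8 Billion webpages (2012 dataset)
\item 50 TB of data
\end{itemize}
\item Google
\begin{itemize}
\item 20 PB daily (2008)
\end{itemize}
\item Twitter
\begin{itemize}
\item 15 Million active users in the UK; 500M tweets per day
\item a company called Datasift is allowed to mine all tweets since 2010
\item they charge 10k per month for other companies to target advertisement
\end{itemize}
\end{itemize}


\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

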
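%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Cookies: a consent banner quoted verbatim.  \mode<presentation> keeps
% the frame out of the article version of the slides.
\mode<presentation>{
\begin{frame}[c]
\frametitle{Cookies\ldots}

``We have published a new cookie policy. It explains what cookies are
and how we use them on our site. To learn more about cookies and
their benefits, please view our cookie policy.\medskip

% `...' gives a proper opening single quote; '...' prints two closing quotes
If you'd like to disable cookies on this device, please view our information
pages on `How to manage cookies'. Please be aware that parts of the
site will not function correctly if you disable cookies. \medskip

By closing this
message, you consent to our use of cookies on this device in accordance
with our cookie policy unless you have disabled them.''


\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
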
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Scare Tactics: the actual cookie policy, much milder than the banner
% on the previous frame.
\begin{frame}[c]
\frametitle{Scare Tactics}

The actual policy reads:\bigskip

``As we explain in our Cookie Policy, cookies help you to get the most out
of our websites.\medskip

If you do disable our cookies you may find that certain sections of our
website do not work. For example, you may have difficulties logging in or
viewing articles.''

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

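%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Netflix Prize: a "de-identified" data set that was later re-identified
% (next frame).
\mode<presentation>{
\begin{frame}[c]
\frametitle{Netflix Prize}

Anonymity is \alert{necessary} for privacy, but \alert{not} enough!\bigskip

\begin{itemize}
\item Netflix offered in 2006 (and every year until 2010) a 1 million \$ prize for improving their movie rating algorithm
\item dataset contained 10\% of all Netflix users (approx.~500K)
\item names were removed, but included numerical ratings as well as times of rating
\item some information was \alert{perturbed} (i.e., slightly modified)
\end{itemize}

% \textbf{} instead of the obsolete plain-TeX \bf
\hfill\textbf{\alert{All OK?}}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
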
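%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Re-identification Attacks: how much of the Netflix data set could be
% matched back to individuals, and the IMDb cross-check (after \pause).
\mode<presentation>{
\begin{frame}[c]
\frametitle{Re-identification Attacks}

Two researchers analysed the data:

\begin{itemize}
\item with 8 ratings (2 of them can be wrong) and corresponding dates with a 14-day error margin, 98\% of the
records can be identified
\item for 68\% only two ratings and dates are sufficient (for movie ratings outside the top 500)\bigskip\pause
\item they took 50 samples from IMDb (where people can reveal their identity)
\item 2 of them uniquely identified entries in the Netflix database (either by movie rating or by dates)
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
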
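%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Re-identification Attacks (cont.): linking "anonymised" medical records
% to public voter registration data.
\begin{frame}[c]
\frametitle{Re-identification Attacks}


\begin{itemize}

\item in 1990 medical databases were routinely made public
with names removed, but birth dates, gender, ZIP-code
were retained\medskip

\item could be cross-referenced with public voter registration
data in order to find out what the medical record of the
governor of Massachusetts was (Latanya Sweeney, in 1997)
\bigskip

\small
(his record included diagnoses and prescriptions)
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

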
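%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Untitled frame: quasi-identifiers and the de-identification rules they
% motivated.
% NOTE(review): the Netflix frame above quotes 98\% for 8 ratings, this
% one 99\% -- confirm which figure is intended.
\mode<presentation>{
\begin{frame}[c]
\frametitle{}

\begin{itemize}
\item Birth date, postcode and gender (unique for\\ 87\% of the US population)
\item Preferences in movies (99\% of 500K for 8 ratings)
\end{itemize}\bigskip

Therefore best practices, or even law (HIPAA, EU):

\begin{itemize}
\item only year dates (age group for 90 years or over),
\item no postcodes (sector data is OK, similarly in the US)\\
\textcolor{gray}{no names, addresses, account numbers, licence plates}
\item disclosure information needs to be retained for 5 years
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
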
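%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% AOL Search Queries: a pseudonymous user number is not anonymity.
\begin{frame}[c]
\frametitle{AOL Search Queries}

\begin{itemize}
\item In 2006, AOL published 20 million Web search queries
collected from 650,000 users (names had been deleted)\medskip

\item \ldots{}within days an old lady, Thelma Arnold, from
Lilburn, Georgia, (11,596 inhabitants) was identified as
user No.~4417749\medskip

\item some of the queries that gave her away:
\begin{itemize}
\item landscapers in Lilburn, Ga
\item 60 single men
\item nicotine effects on the body
\item \ldots
\end{itemize}
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
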
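%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% FOI: New York Taxi DB -- a data set without passenger fields that still
% identified passengers, via the taxi licence visible in dated photos.
\begin{frame}[b]
\frametitle{FOI: New York Taxi DB}

\begin{itemize}
\item in 2013 somebody requested the Taxi DB (50GB of
data, 173 million individual rides)\medskip

\item data contained pickup and drop-off times, locations,
data that identified the taxi, amount paid + tip\bigskip

\item no passenger data included\pause\medskip

\item well, paparazzi photos contain the taxi licence (and sometimes
photos are time stamped)\medskip

\item a PhD student could identify rides of
Bradley Cooper and Jessica Alba (more have been done
since then)
\end{itemize}

% picture appears from the second overlay on
\only<2->{
\begin{textblock}{5}(10,7)
\includegraphics[scale=0.15]{../pics/newyorktaxi.jpg}\\
\end{textblock}}


\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


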
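%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% How to Safely Disclose Information?  Only overlay 2 of this frame is
% produced (frame<2>), so the \only<1> survey example is currently disabled.
% NOTE(review): the \pause inside \only<2> moves the second item to
% overlay 3, which the frame<2> restriction never shows -- confirm whether
% that item is meant to be visible.
\begin{frame}<2>[c]
\frametitle{\large How to Safely Disclose Information?}

\only<1>{
\begin{itemize}
\item Assume you make a survey of 100 randomly chosen people.
\item Say 99\% of the surveyed people in the 10--40 age group have seen the
Gangnam video on YouTube.\bigskip

\item What can you infer about the rest of the population?
\end{itemize}}
\only<2>{
\begin{itemize}
\item Is it possible to re-identify data later, if more data is released? \bigskip\bigskip\pause

\item Releasing only aggregate information does not prevent re-identification attacks either.
(GWAS was a public database of gene-frequency studies linked to diseases;
you only needed partial DNA information in order
to identify whether an individual was part of the study --- DB closed in 2008)
\end{itemize}}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
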
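%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% We cannot exclude all Harm: harm caused by a statistical finding is not
% the same as harm caused by one's own record being in the data set.
% Plain ASCII apostrophe, as everywhere else in this file.
\begin{frame}[c]
\frametitle{\Large We cannot exclude all Harm}

\begin{itemize}
\item Analysis of a given data set teaches us that smoking causes cancer.
Mary, a smoker, is harmed by this analysis: her insurance premiums rise.
Mary's premiums rise whether or not her data are in the data set. In other words,
Mary is harmed by the finding that smoking causes cancer.\bigskip

\item \ldots of course she is also helped; she might quit smoking
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
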
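%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% We cannot exclude all Harm (cont.): why auditing queries is not a
% general solution.
\begin{frame}[c]
\frametitle{\Large We cannot exclude all Harm}

Supervising queries will also not work in general:

\begin{itemize}
\item denying a request can already disclose information

\item in general it is not decidable whether a sequence
of queries can identify a person
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


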
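%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Differential Privacy: goal and the protocol view.  Only overlay 2 is
% produced (frame<2>), so the \pause has no visible effect and all three
% items appear at once.
\mode<presentation>{
\begin{frame}<2>[c]
\frametitle{Differential Privacy}

\begin{itemize}
\item Goal: Nothing about an individual should be learnable from the database that
cannot be learned without access to the database.\pause\bigskip

\item Differential privacy is a ``protocol'' which you run on some dataset \bl{$X$} producing
some output \bl{$O(X)$}.\bigskip

% \textbf{} instead of the obsolete plain-TeX \bf
\item You want to achieve \alert{\textbf{forward privacy}}.
\end{itemize}

\end{frame}}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
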
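%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Differential Privacy (cont.): the noisy-query picture, then the
% differencing attack the noise is there to defeat.
\begin{frame}[c]
\frametitle{Differential Privacy}

\begin{center}
User\;\;\;\;
\begin{tabular}{c}
tell me \bl{$f(x)$} $\Rightarrow$\\
$\Leftarrow$ \bl{$f(x) + \text{noise}$}
\end{tabular}
\;\;\;\;\begin{tabular}{@{}c}
Database\\
\bl{$x_1, \ldots, x_n$}
\end{tabular}
\end{center}


\begin{itemize}
\item \bl{$f(x)$} can be released, if \bl{$f$} is insensitive to
individual entries \bl{$x_1, \ldots, x_n$}\\
\item Intuition: whatever is learned from the dataset would be learned regardless of whether
\bl{$x_i$} participates\bigskip\pause

% two permitted aggregate queries whose difference is one person's value;
% \setminus is the set-difference operator (\backslash is just the glyph)
\item Noise needed in order to prevent queries:\\ Christian's salary $=$
\begin{center}
\bl{\large$\Sigma$} all staff $-$ \bl{\large$\Sigma$} all staff $\setminus$ Christian
\end{center}
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% (disabled) Example frame: a small disease table for the counting query.
%\begin{frame}[c]
%\frametitle{Example}
%
%\begin{center}
%\begin{tabular}{l|l}
%Name & Has the disease?\\\hline
%Alice & yes\\
%Bob & no\\
%Charlie & yes\\
%Eve & no\\
%Chandler & yes\\
%\end{tabular}
%\end{center}
%
%How many people have a disease?
%
%\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
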
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Adding Noise: the noise needed depends on how much a single individual
% can change the answer (one counting query vs. five).
\begin{frame}[c]
\frametitle{Adding Noise}

Adding noise is not as trivial as one would wish:

\begin{itemize}
\item If I ask how many of three have a disease and get a result as
follows

\begin{center}
\begin{tabular}{l|c}
Alice & yes\\
Bob & no\\
Charlie & yes\\
\end{tabular}
\end{center}

then I have to add a noise of \bl{$1$}. So answers would be in the range
of \bl{$1$} to \bl{$3$}

\bigskip
\item But if I ask five questions for all the dataset (has the disease,
is male, below 30, \ldots), then one individual can change the dataset
by \bl{$5$}
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

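%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Differential Privacy Problems: open questions, illustrated by a database
% that gains a new entry.
\begin{frame}[c]
\frametitle{\Large Differential Privacy Problems}

\begin{itemize}
\item How to do differential privacy ``offline'' is still
an active research question.

\item What constitutes a single entry in the database?

\item Evolution of a database:
\end{itemize}

\begin{center}\small
\begin{tabular}{l|ll}
Name & Has the disease?\\\hline
Alice & yes\\
Bob & no\\
Charlie & yes\\
Eve & no\\
Chandler & yes\\
Marc & yes & $\Leftarrow$ new entry\\
\end{tabular}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% (disabled) placeholder frame on Tor
%\begin{frame}[c]
%\frametitle{Tor}
%
%\begin{center}
%??
%\end{center}
%\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%



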
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Take Home Point: Ross Anderson's assessment of large databases of
% personal information.
\begin{frame}[c]
\frametitle{Take Home Point}

According to Ross Anderson: \bigskip
\begin{itemize}
\item Creating large databases of sensitive personal information is
intrinsically hazardous (NHS)\bigskip


\item Privacy in a big hospital is just about doable.\medskip
\item How do you enforce privacy in something as big as Google or
complex as Facebook? Nobody knows.\bigskip

Similarly, big databases imposed by government.
\end{itemize}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


\end{document}

% Emacs/AUCTeX file-local variables: this file is its own TeX master.
%%% Local Variables: 
%%% mode: latex
%%% TeX-master: t
%%% End: 
