Foundations of Privacy
Modern organizations, such as businesses, non-profits, government agencies, and universities, collect
and use information from a variety of sources. These sources, ranging from individuals
entering personal information into social networking websites to cooperating enterprises exchanging
customer or supplier information, may provide information of varying quality under specific
expectations about how it will be transmitted and used. Organizations, in turn, may be required by
contract, regulation, or market forces to track the conditions attached to the information they use;
failing to handle information correctly can result in embarrassment, brand erosion, or
financial loss. Complex modern organizations therefore face the problem of handling information in
ways that respect privacy promises made to individuals, comply with privacy laws and other regulations,
minimize operational risk, and still allow the organization's core functions to be carried out
efficiently and effectively. This problem is recognized as one of the greatest challenges facing organizations today
(see, for example, a recent survey from Deloitte and the Ponemon Institute [TI07]),
with far-reaching implications for every individual in contemporary society.
This project develops methods, algorithms and prototype tools
for integrating privacy, compliance, and risk evaluation into complex organizational processes.
We also plan to explore, articulate and characterize formally the scope and nature of privacy
expectations and regulations, addressing questions such as: what precise operating restrictions do
laws such as HIPAA, GLBA, and FERPA impose on organizations? Can parts of
these laws be formalized and used in information systems? What expectations does the public have
for insurance companies, social networking sites, universities, and government agencies that collect
personal information? How can those expectations be met and what is the risk of not doing so?
How can aggregate anonymized information be revealed while still protecting personal privacy?
This project draws on, develops and integrates ideas from philosophical studies of privacy, logical methods, quantitative
methods for database privacy, and economics-inspired methods for privacy risk management.
Publications:
- A. Barth, A. Datta, J. C. Mitchell, S. Sundaram, Privacy and Utility in Business Processes, to appear in Proceedings of the 20th IEEE Computer Security Foundations Symposium, July 2007. [ Paper ]
- A. Barth, A. Datta, J. C. Mitchell, H. Nissenbaum, Privacy and Contextual Integrity: Framework and Applications, in Proceedings of the 27th IEEE Symposium on Security and Privacy, pp. 184-198, May 2006. [ Paper ]
Related Articles:
- A New Perspective on Protecting Personal Data, in Security Management Online, May 2007. [ Article ]
- The Logic of Privacy, in The Economist, January 2007. [ Article ] [ Economist link ]
- C. E. Landwehr, Speaking of Privacy, in IEEE Security and Privacy (Editorial), Vol. 4, No. 4, pp. 4-5, July/August 2006. [ Paper ]
- H. Nissenbaum, Privacy as Contextual Integrity, in Washington Law Review, Vol. 79, No. 1, pp. 119-158, February 2004. [ Paper ]