Google’s Privacy Dashboard Doesn’t Tell Us Anything We Didn’t Know Before (ReadWriteWeb)

We’re pleased to announce that our report, “How to Read a Privacy Policy,” has been published in the October newsletter of Inside 1to1: Privacy, a publication produced by the International Association of Privacy Professionals (IAPP) and the Peppers & Rogers Group.

Our report, first published on our website in July, provides a “how to read” guide for the user who is curious about what is happening to his or her data online, but has little understanding of the technological and legal mechanisms at work.  The report walks through seven questions meant to pinpoint the issues CDP believes are most crucial for a user’s privacy, from questions on how “personal information” is defined to the kind of choices offered to users regarding how their information is shared.

We’d love to hear what you think!

Here’s a brief rundown of what we’re doing.

Grace is multi-tasking on 3 papers.

Personal Data License We’re conducting a thought experiment to think through what the world might look like if there was an easy way for individuals to release personal information on their own terms.

Organizational Structures We’ve conducted a brief survey of a few organizational structures we think are interesting models for the datatrust “trusted” entities from Banks to Public Libraries and “member-based” organizations from Credit Unions to Wikipedia. We tried to answer the question: What institutional structures can be practical defenses against abuses of power as the datatrust becomes a significant repository of highly sensitive personal information?

Snapshot of Publicly Available Data Sources A cursory overview of some of the more interesting data sets that are available to the public from government agencies to answer the question: How is the datatrust going to be different / better than the myriad data sources we already have access to today?

We also now have 2 new contributors to CDP: Tony Gibbon and Grant Baillie.

A couple of months ago, Alex wrote about a new anonymization technology coming out of Microsoft Research: PINQ. It’s an elegant, simple solution, but perhaps not the most intuitive way for most people to think about guaranteeing privacy.

Tony is working on a demonstration of PINQ in action so that you and I can see how our privacy is protected and therefore believe *that* it works. Along the way, we’re figuring out what makes intuitive sense about the way PINQ works and what doesn’t and what we’ll need to extend so that researchers using the datatrust will be able to do their work in a way that makes sense.

Grant is working on a prototype of the datatrust itself which involves working out such issues as:

• What data schemas will we support? We think this one to begin with: Star Schema.
• How broadly do we support query structures?
• Managing anonymizing noise levels.

To help us answer some of these questions, we’ve gathered a list of data sources we think we’d like to support in this first iteration. (e.g. IRS tax data, Census data) (More to come on that.)

We will be blogging about all of these projects in the coming week, so stay tuned!

Probably yes, if the private movie preferences of Netflix members are taken as an example. The New York Times summarizes the findings of an academic study that examined customer information Netflix is proud to keep anonymous.

By comparing the film preferences of some anonymous Netflix customers with personal profiles on imdb.com, the Internet movie database, the researchers said they easily re-identified some people because they had posted their e-mail addresses or other distinguishing information online.

Vitaly Shmatikov, an associate professor of computer science at the University of Texas at Austin and a co-author of the “de-anonymization” study, says the researchers were able to analyze users’ public postings and connect that to their Netflix preferences — including how a person may have rated films with controversial themes. Those are choices a person may or may not want to make public, Mr. Shmatikov said.

A weakness for Nora Ephron movies is, of course, very different from having some nasty genetic predispositions you don’t want the insurance company to know about.

One obvious area where Congress could act right away to allay fears – pass a law to forbid re-identification; there is currently no federal statute to make it illegal.

The basics: last month, a jury found in favor of a woman who alleged her former employer had improperly obtained her private home phone records (by calling the phone company and impersonating her), in an effort to see whether she was siphoning off clients after being fired from the job.

The fancy word for this is pre-texting. Hewlett Packard got in trouble for engaging in the practice to detect leaks to the media in 2006.

The whole tale is strikingly low-fi and TV-ish: threats made in the office over a impending business deal, a spy lurking in a car outside a home, and a concerned dad who fishes a key piece of evidence out of the trash.

A few weeks ago, the New York Times has a thoughtful piece on patients sharing their data online to push for more efficient research.  Dr. Amy Farber, after being diagnosed with a rare but deadly disease called LAM, founded the LAM Treatment Alliance and LAMsight, “a Web site that allows patients to report information about their health, then turns those reports into databases that can be mined for observations about the disease.”

In a completely different arena, we also had news that Google Maps is using GPS information from mobile phones to improve traffic data.  Google had used data from local highway authorities for traffic data on major highways, but now, GPS data from users of Google Maps with the My Location feature will provide data for local roads as well.

Pretty exciting stuff. Crowdsourcing isn’t new.  But thus far, it’s been used mostly for things that are subjective. Like Hot or Not.  Customer reviews.  It’s also been primarily voluntary. You choose to write a review and shared your data. Or if it’s involuntary, it’s not something that is accessible to the public (e.g. search results, credit card data, mortgage data, etc.).

What’s exciting now is that we’re starting to get into discussions about crowdsourcing for stuff like

1. Medical research – where people are trying to extract objective conclusive results from data.
2. Traffic data – where data is automatically collected (opt-in/opt-out, whatever) and made available to the public.

The two most common objections are around the supposed inaccuracy of self-reported data and the privacy risks of providing so much individualized information.

But as Ian Eslick, the MIT doctoral student developing LAMsight points out,

No one expects that observational research using online patient data will replace experimental controlled trials…“There’s an idea that data collected from a clinic is good and data collected from patients is bad,” he said. “Different data is effective at different purposes, and different data can lead to different kinds of error.”

And as the people behind Google Maps explain, they worked hard to increase accuracy by making participation as easy as possible.

The issue of privacy is a little trickier.  Google says you can opt-out of contributing your data easily, and Google promises that even those who contribute data can trust that their data will remain anonymous, “Even though the vehicle carrying a phone is anonymous, we don’t want anybody to be able to find out where that anonymous vehicle came from or where it went — so we find the start and end points of every trip and permanently delete that data so that even Google ceases to have access to it.”

There are certain to be some people who won’t feel comfortable with Google’s promises. Yet I doubt they will have much impact on Google’s ability to deliver this service. The bigger issue for me is  how privacy may be holding back smaller, less established players from developing potentially valuable services based on crowdsourced data collection?

In other words, is our currently ad-hoc and unsatisfactory approach to privacy inadvertently stifling competition by making it nearly impossible for startups to compete with the establishment wherever sensitive personal information is involved?

What data would you like to gain access to that might face similar privacy challenges?

]]> http://blog.myplaceinthecrowd.org/2009/09/10/crowdsourcing-data/feed/ 0 http://blog.myplaceinthecrowd.org/2009/09/10/crowdsourcing-data/ http://feedproxy.google.com/~r/MyPlaceInTheCrowd/~3/CJA38Ussr1c/ http://blog.myplaceinthecrowd.org/2009/09/09/what-does-it-take-to-be-an-iapp-certified-privacy-professional-what-should-it-take/#comments Wed, 09 Sep 2009 20:06:42 +0000 Grace Meng http://blog.myplaceinthecrowd.org/?p=574

UPDATE: I recently was referred to this thoughtful blog post on a similar topic, “Nurturing an Accountable Privacy Profession.” Well-worth a read.

A few weeks ago, I was very relieved to find out I had passed the IAPP exam to be a “Certified Information Privacy Professional” or CIPP.  I got this certificate and even a pin, which is more than I ever got for passing the bar exams of New York and California.

So what exactly did I need to know to become a CIPP?

To be certified in corporate privacy law, you’re expected to know what’s covered in the CIPP Body of Knowledge, primarily major U.S. privacy laws and regulations and “the legal requirements for the responsible transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions.”

You’re also expected to pass the Certification Foundation, required for all three certifications offered by IAPP.  That covers basic privacy law, both in the U.S. and abroad, information security principles and practices, and “online privacy,” which includes an overview of the technologies used by online companies to collect information and the particular issues to be considered in this context.

So what do you think?  Should you be able to pass an all-objective, 180 question, three-hour exam (counting the CIPP and Certification Foundation exams together) on the above topics and be able to call yourself a “privacy professional”?

There are no sample questions available online, and I was too cheap to take a prep course, but if I remember correctly, a typical question on the exam went something like this:

The Gramm-Leach-Bliley Act authorizes financial institutions to share consumer information with third parties if:

a. The information is not personally identifiable.

b. The consumer is informed and given the opportunity to opt-out.

c.  Any information without notice if it is shared with affiliated companies.

d.  All of the above.

The answer would be “C,” since the consumer is only required to be given notice if the third party is “non-affiliated.”  My sample is poorly constructed, and there are also questions that require you to analyze a fact pattern, but essentially, the exam covers existing laws, practices, and technologies.

It doesn’t ever ask you, “What would you do if you were advising RealAge and they told you they wanted to sell answers from a health questionnaire to pharmaceutical companies?”  Or, “Is Facebook doing enough to prevent third parties from misusing images of Facebook members in their ads?”

IAPP presumably doesn’t ask you these questions because there’s no “objectively” right answer.  There may, one day, be an objectively legal answer, depending on if and when legislation gets passed.  Still, it’s obvious that in the field of privacy, the most interesting aspects are not what laws do exist, but what laws should exist, what practices should be used, what innovations, both technological and social, should be promoted to protect privacy in meaningful ways.  But the exam only covers what is, not what could be or what should be.

Privacy may be an ancient concept, but it’s a very modern, very new, very undefined profession, which perhaps is even more reason for the IAPP to exist.  We as a society, particularly in the U.S., are struggling to figure out what privacy means and what we need to do to protect it.  While the medical profession has the Hippocratic Oath dating back to the 4th century B.C., and the legal profession’s adherence to the concept of attorney-client privilege goes back at least as far as the 16th century, the privacy profession has no clear guiding principle.  We don’t know yet what it should be.

I’m not really criticizing the IAPP for having a test that doesn’t quite encompass the dynamic, constantly changing field of privacy.  It’s not like other professions do better.  The bar exam certainly doesn’t screen out incompetent, unethical people from practicing law, even if you are actually required to pass an ethics exam.  And the IAPP does provide resources to its members for tracking changes in privacy law and policy.  But I’m curious to see where the IAPP goes as it tries to “professionalize” the profession, whether the certification exam will change and what expectations will be set for IAPP-certified privacy professionals.  Perhaps in another 100 years, or hopefully sooner, we’ll have a code of conduct for privacy professionals.

Stimulus Funding Map is “Slick as Hell” (FlowingData)

Why Anonymized Data Isn’t (Slashdot)

PINQ is a layer between the analyst and the datastore

Privacy Challenges with Aggregates

One of the key realizations that lead to the creation of CDP was that the data that is valuable for analysis (generally aggregate statistical data) is not, in principle, the data that concerns privacy advocates (identifiable, personal information). While that is true in many cases, the details are a bit more complicated.

I often quote the following statistic from Latanya Sweeney’s famous 2000 paper:

87% of people in the US can be uniquely identified by a combination of their zip code, their gender and their date of birth.

(Since then there has been some debate around that fact – Philippe Golle at PARC said in 2006 its really 63%.) But the fact remains that often your seemingly innocuous demographic data can actually be as unique a fingerprint as your social security number. A ways back I wrote about how it is standard practice for pollsters to tie a set of “anonymous” survey responses to any number of public databases that also contain those demographic details and tie your name(s), address(es), income, title(s), car(s), to your “anonymous” survey results. (Anonymous is in quotes because it’s CDP humor – we believe the term is used incorrectly most of the time.)  It’s like the Statistician’s Edition of Trivial Pursuit. In fact, zip code, gender and birth date are just an example – the more characteristics of any person (or place or object or anything really) you collect, the more likely it is that the set is unique. How unique is the set of purchases on your monthly credit card statement?

This reality poses a potentially showstopping problem for the datatrust: sure, aggregates are probably fine most of the time, but if we want to store and allow analysis of highly sensitive data, how can we be sure identities won’t be derived from even the aggregates?

PINQ: Privacy Integrated Queries

Enter PINQ, just made public by Frank McSherry at Microsoft Research under the standard MSR license. PINQ or Privacy Integrated Queries, is an implementation of a concept called Differential Privacy (Cynthia Dwork’s paper seems to be a good overview before diving into the math behind it, Frank’s paper speaks to the PINQ in particular. There’s also a tutorial for those who want to get their hands dirty.) PINQ provides a layer between the data analyst and the datastore that ensures no privacy disclosures.

Wait, one better: It guarantees no privacy disclosures. How could that be?

Here’s an example: Imagine you record the heights of each of the people in your subway car in the morning, and calculate the average height. Then imagine that you also recorded each person’s zip code, gender and birth date. According to Sweeney above, if you calculated the “average” height of each combination of zip code, gender and birth date, you would not only know the exact height of 87% of the people on the car, but, with the help of some other public databases, you’d also know who they were.

Here’s where differential privacy helps. Take the height data you recorded (zip codes and all) and put it behind a differential privacy software wall. By adding just the right amount of noise to the results, you the analyst can query for statistical representations of all different combinations of the characteristics, and you’ll get an answer and a measure of the accuracy of the response. Instead of finding out that the average height was 5′ 5.23″, you might find out that the average height was 5′ 4″ +/- 0.75″. (I’m making these numbers up and over-simplifying.)

A Programmatic Privacy Guarantee

The guarantee of differential privacy in the above example is that if you remove any one person from the subway car dataset, and asked PINQ again for the average height, the answer would be the same (same level of accuracy) as the answer when they were included in the set.

For the analyst trying to understand the big picture, PINQ offers accurate answers and privacy. For the attacker (to use the security-lingo) seeking an individual’s data, PINQ offers answers so inaccurate they are useless.

What every prototype needs: Road Miles

Does it work? I’ve chatted with Frank a lot, and there seems to be a growing consensus in the research communities that it does; based on what I have seen I am very optimistic. However, at least right now, the guarantee is less of a concern than usability: How hard is it to understand a dataset when all you can extract from it are noisy aggregates? We’re hoping that it is more useful than not having any access to certain sensitive datasets, but we don’t know yet.

PINQ Workflow: Query, Execution, Noise, Results

So what will we be doing for the next few months? Taking PINQ out on the highway. And trying to figure out what role it can play in the datatrust. We’ll keep you posted!

Facebook Ratchets Up Privacy Controls (Again)

Ole Miss to Tweet Its Watts (CNET News)