Archive for the ‘Privacy’ Category
Here are the three (3) principles for privacy-preserving computation based on the Enigma P2P distributed multi-party computation model:
(a) Bring the Query to the Data: The current model is for the querier to fetch copies of all the data-sets from the distributed nodes, then import the data-sets into the big data processing infra and then run queries. Instead, break-up the query into components (sub-queries) and send the query pieces to the corresponding nodes on the P2P network.
(b) Keep Data Local: Never let raw data leave the node. Raw data must never leaves its physical location or the control of its owner. Instead, nodes that carry relevant data-sets execute sub-queries and report on the result.
(c) Never Decrypt Data: Homomorphic encryption remains an open field of study. However, certain types of queries can be decomposed into rudimentary operations (such as additions and multiplications) on encrypted data that would yield equivalent answers to the case where the query was run on plaintext data.
One important news item this week from the IoT space is the support by Atmel of Intel’s EPID technology.
Enhanced Privacy ID (EPID) grew from the work of Ernie Brickell and Jiangtao Li based on previous work on Direct Anonymous Attestations (DAA). DAA is very relevant because it is built-in into the TPM1.2 chip (of which there are several hundred million in PC machines).
Here is a quick summary of EPID:
- EPID is a special digital signature scheme.
- One public key corresponds to multiple private keys.
- Private key generates a EPID signature.
- EPID signature can be verified using the public key.
Interesting Security Properties:
- Anonymous/Unlinkable: Given two EPID signatures one cannot determine whether they are generated from one or two private keys.
- Unforgeable: Without a private key one cannot create a valid signature.
Ray Campbell hits the ball out of the park again with his awesome suggestion in his blog: we need a HIPAA-like regime for the privacy of personal data. As a mental exercise, Ray has gone through the HIPAA document and substituted “individually identifiable health information” to “individually identifiable personal information“. The red-lined doc can also be found on his site.
The at the heart of his proposal is the notion of shifting the thought paradigm from the person as the absolute owner of his/her personal data to one where the person is seeking the right to know about who has his/her personal data, how they obtained it, what are they doing with it and to whom have they sold the data (the 4 questions).
Following on from Ray’s post and from Professor Sandy Pentland’s view on the New Deal on Data, I believe there should be a new market in the digital economy where individuals can meet directly with buyers of their personal data, and where individuals can opt-in to make more data about themselves available to these buyers. Cut out the middleman — the big data corporations that are not contributing to the efficiency of free markets.
MIT Media Lab – 2013 Legal Hack-a-thon on Identity
Ray Campbell argues quite elegantly and convincingly that the “data ownership” paradigm is not the correct paradigm for achieving privacy and control over personal data. The notion that “I own my data” can be impractical especially in the light of 2-party transactions, where the other party may also “own” portions of the transaction data and where they might be legally bound to keep copies of “my data”.
Instead, the better approach is to look at “transparency” and visibility into where our data reside and who is using it. Here are the four questions that Ray poses:
- Who has my data
- What data they have about me
- How did they acquire my data
- How are they using my data
Transparency becomes an important tool disclosure management of personal data. These questions could be the basis for the development of a trust framework on data transparency, one which can be used to frame Terms of Service that both myself and the Relying Party must accept.
Aaron Titus writes an interesting piece based on his analysis of the recent proposal from Trent Adams (PayPal) to modify the NSTIC governance rules. The abolition of the NSTIC Privacy Standing Committee may have unforeseen impact on the acceptance of the whole NSTIC Identity Ecosystem idea, notably from the privacy front.
During the last decade — starting from the Liberty vs Passport kerfufle — we have seen a number of proposals for components of an “identity infrastructure” for the Internet. All in all, there has been little adoption (by consumers) of these technologies for high-value transactions due IMHO to the lack of privacy-preserving features.
So far I have yet to see a sustainable business model for identities which is focus on the “individual” (i.e. individual centric) and which preserves his/her personal data. All the agreements and EULAs that we click “yes” to seem to be titled in favor of the provider. If a provider “loses” my personal information (including credit-card information), there is really little incentive (positive or negative) to get them to recover my data. The individual suffers all the losses. Little wonder there is no buy-in from the consumer
At lunch today Sal summarized in one sentence what I have been trying to express for the last couple of years:
There is a market out there for leakage in derived identities (in the Internet)
What we had been talking about was the (inevitable) need for something similar to what the Jericho Forum folks call Core Identity. In simple words, this is the notion that every entity/person should have a “main” secret identity (like a confidential SSN number), from which other usable identities (personas) are derived via a one-way function. (See the Jericho Forum “Identity Commandments”).
The question was how and who was going to manage the issuance and maintenance of the core identities of US citizens. Since the US federal government was the issuing authority for social security numbers in the US, one possibility would be for the US federal government to be the issuing and maintenance authority for core identities (independent of whether the day-to-day managing was actually outsourced to private sector organizations).
The “leakage” here refers to the obtaining (e.g. scraping off the Internet) of pieces of information about one of my persona stemming off my core identity. For example, in my “home-persona” the location of my house may be of interest to advertisers who are doing target-marketing in my neighborhood. We can call this “leakage” because I never authorized the release (and usage) of my home-persona to the relying party (i.e. the marketing company).