1
|
- Yuhui Zhong
- Bharat Bhargava
- {zhong, bb}@cs.purdue.edu
- Department of Computer Sciences
- Purdue University
|
2
|
- Privacy and trust form an adversarial relationship
- Internet users worry about revealing personal data. This fear held back $15 billion in online revenue in 2001
- Users have to provide digital credentials that contain private information in order to build trust in open environments like the Internet
- Research is needed to quantify the tradeoff between privacy and trust
|
3
|
- How much privacy is lost by disclosing a credential?
- How much does a user benefit from having a higher level of trust?
- How much privacy is a user willing to sacrifice for a certain amount of trust gain?
|
4
|
- Formulate the privacy-trust tradeoff problem
- Design metrics and algorithms to evaluate the privacy loss. We consider:
- Information receiver
- Information usage
- Information disclosed in the past
- Estimate trust gain due to disclosing a set of credentials
- Develop mechanisms empowering users to trade trust for privacy.
- Design prototype and conduct experimental study
|
5
|
- Privacy Metrics
- Anonymity set without accounting for probability distribution [Reiter and Rubin, '99]
- Differential entropy to measure how well an attacker estimates an attribute value [Agrawal and Aggarwal, '01]
- Automated trust negotiation (ATN) [Yu, Winslett, and Seamons, '03]
- Tradeoff between the length of the negotiation, the amount of information disclosed, and the computation effort
- Trust-based decision making [Wegella et al., '03]
- Trust lifecycle management, with considerations of both trust and risk assessments
- Trading privacy for trust [Seigneur and Jensen, '04]
- Privacy as the linkability of pieces of evidence to a pseudonym; measured by using nymity [Goldberg, thesis, '00]
|
6
|
- Set of private attributes that user wants to conceal
- Set of credentials
- R(i): subset of credentials revealed to receiver i
- U(i): credentials unrevealed to receiver i
- Credential set with minimal privacy loss
- A subset of credentials NC from U(i)
- NC satisfies the requirements for trust building
- PrivacyLoss(NC ∪ R(i)) − PrivacyLoss(R(i)) is minimized
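The selection above can be sketched as an exhaustive search over subsets of U(i). Here `privacy_loss` and `satisfies_trust` are placeholder callables standing in for the metrics developed later in the talk; they are assumptions for illustration, not the prototype's implementation:

```python
from itertools import combinations

def min_loss_credential_set(unrevealed, revealed, privacy_loss, satisfies_trust):
    """Find the subset NC of unrevealed credentials that meets the
    trust-building requirement with minimal marginal privacy loss:
    PrivacyLoss(NC ∪ R) - PrivacyLoss(R)."""
    base = privacy_loss(set(revealed))
    best_nc, best_delta = None, float("inf")
    for r in range(1, len(unrevealed) + 1):
        for nc in combinations(unrevealed, r):
            candidate = set(nc) | set(revealed)
            if not satisfies_trust(candidate):
                continue  # this subset does not build enough trust
            delta = privacy_loss(candidate) - base
            if delta < best_delta:
                best_nc, best_delta = set(nc), delta
    return best_nc, best_delta
```

Exhaustive search is exponential in |U(i)|; it is shown only to make the definition concrete.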
|
7
|
- Decision problem:
- Decide whether or not to trade privacy for trust
- Determine minimal privacy damage
- Minimal privacy damage is a function of minimal privacy loss, information usage, and the trustworthiness of the information receiver
- Compute trust gain
- Trade privacy for trust if trust gain > minimal privacy damage
- Selection problem:
- Choose the credential set with minimal privacy loss
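The decision rule reduces to one comparison. A minimal sketch, assuming trust gain and privacy damage are expressed on a comparable numeric scale (the deck does not fix the units):

```python
def should_trade(trust_benefit_new, trust_benefit_prev, min_privacy_damage):
    """Trade privacy for trust only when the trust gain strictly
    exceeds the minimal privacy damage."""
    trust_gain = trust_benefit_new - trust_benefit_prev
    return trust_gain > min_privacy_damage
```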
|
8
|
- Collusion among information receivers
- Use a global version Rg instead of R(i)
- Minimal privacy loss for multiple private attributes
- nc1 may be better for attr1 but worse for attr2 than nc2
- Weight vector {w1, w2, …, wm} corresponds to the sensitivity of the attributes
- Salary is more sensitive than favorite TV show
- Privacy loss can be evaluated using:
- The weighted sum of privacy loss for all attributes
- The privacy loss for the attribute with the highest weight
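Both evaluation options from this slide can be written out directly; per-attribute losses and sensitivity weights are passed as parallel lists:

```python
def aggregate_privacy_loss(losses, weights, method="weighted_sum"):
    """Combine per-attribute privacy losses using sensitivity weights
    {w1, ..., wm}."""
    if method == "weighted_sum":
        # Option 1: weighted sum of privacy loss for all attributes.
        return sum(w * loss for w, loss in zip(weights, losses))
    if method == "max_weight":
        # Option 2: the loss for the attribute with the highest weight
        # (e.g. salary rather than favorite TV show).
        top = max(range(len(weights)), key=lambda i: weights[i])
        return losses[top]
    raise ValueError(f"unknown method: {method}")
```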
|
9
|
- Query-independent privacy loss
- User determines her private attributes
- Query-independent loss characterizes how helpful the provided credentials are for an adversary to determine the probability density or probability mass function of a private attribute
|
10
|
- Query-dependent privacy loss
- User determines a set of potential queries Q that she is reluctant to answer
- Provided credentials reveal information about attribute set A. Q is a function of A
- Query-dependent loss characterizes how helpful the provided credentials are for an adversary to determine the probability density or probability mass function of Q
|
11
|
- High query-independent loss does not necessarily imply high query-dependent loss
|
12
|
- Privacy loss is affected by the order of disclosure
- Example:
- Private attribute: age
- Potential queries:
- (Q1) Is Alice an elementary school student?
- (Q2) Is Alice older than 50 to join a silver insurance plan?
- Credentials
- (C1) Driver license
- (C2) Purdue undergraduate student ID
|
13
|
|
14
|
- C1 → C2
- Disclosing C1
- low query-independent loss (wide range for age)
- 100% loss for Query 1 (elem. school student)
- low loss for Query 2 (silver plan)
- Disclosing C2
- high query-independent loss (narrow range for age)
- zero loss for Query 1 (because privacy was lost by disclosing license)
- high loss for Query 2 ("not sure" → "no" with high probability)
- C2 → C1
- Disclosing C2
- high query-independent loss (narrow range for age)
- 100% loss for Query 1 (elem. school student)
- high loss for Query 2 (silver plan)
- Disclosing C1
- low additional query-independent loss (wide range for age)
- zero loss for Query 1 (because privacy was lost by disclosing ID)
- zero loss for Query 2
15
|
- Entropy measures the randomness, or uncertainty, in private data
- When an adversary gains more information, entropy decreases
- The difference shows how much information has been leaked
- Conditional probability is needed for entropy evaluation
- Bayesian networks, kernel density estimation, or subjective estimation can be adopted
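A minimal numeric illustration of the idea, with entropy in bits (the age brackets are an invented example, not from the deck):

```python
from math import log2

def entropy(pmf):
    """Shannon entropy (bits) of a probability mass function."""
    return -sum(p * log2(p) for p in pmf if p > 0)

# Before disclosure the adversary sees four equally likely age brackets;
# a disclosed credential leaves only two of them plausible.
before = [0.25, 0.25, 0.25, 0.25]          # H = 2 bits
after = [0.5, 0.5, 0.0, 0.0]               # H = 1 bit
leaked = entropy(before) - entropy(after)  # 1 bit of privacy lost
```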
|
16
|
- Single attribute
- Domain of attribute a: {v1, v2, …, vk}
- Pi and P*i are the probability mass functions before and after disclosing NC, given the revealed credential set R
- Multiple attributes
- Attribute set {a1, a2, …, an} with sensitivity vector {w1, w2, …, wn}
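The quantities above translate into code directly; Pi and P*i are passed as lists, and the multi-attribute case applies the sensitivity weights as a weighted sum. This is a sketch: the exact aggregation formula is not reproduced on the slide, so the weighted sum is assumed from the earlier evaluation options:

```python
from math import log2

def _entropy(pmf):
    return -sum(p * log2(p) for p in pmf if p > 0)

def attribute_loss(p_before, p_after):
    """Entropy decrease for one attribute a over {v1, ..., vk}:
    Pi before vs. P*i after disclosing NC, given revealed set R."""
    return _entropy(p_before) - _entropy(p_after)

def multi_attribute_loss(before, after, weights):
    """Weighted sum over attributes {a1, ..., an} with weights {w1, ..., wn}."""
    return sum(w * attribute_loss(pb, pa)
               for w, pb, pa in zip(weights, before, after))
```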
|
17
|
- Single query Q
- Q is the function f of attribute set A
- Domain of f(A): {qv1, qv2, …, qvk}
- Multiple queries
- Query set {q1, q2, …, qn} with sensitivity vector {w1, w2, …, wn}
- Pri is the probability that qi is asked
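One plausible way to combine these quantities; the slide does not show the exact formula, so scaling each query's loss by both its weight wi and its asking probability Pri is an assumption:

```python
def query_dependent_loss(per_query_losses, weights, ask_probs):
    """Expected loss over the query set {q1, ..., qn}: each query's
    entropy-based loss is scaled by its sensitivity weight wi and by
    Pri, the probability that qi is asked."""
    return sum(w * pr * loss
               for w, pr, loss in zip(weights, ask_probs, per_query_losses))
```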
|
18
|
- Assume the user provides one damage function d_usage(PrivacyLoss) for each information usage
- PrivacyDamage(PrivacyLoss, Usage, Receiver) = D_max(PrivacyLoss) × (1 − Trust_receiver) + d_usage(PrivacyLoss) × Trust_receiver
- Trust_receiver is a number ∈ [0, 1] representing the trustworthiness of the information receiver
- D_max(PrivacyLoss) = Max(d_usage(PrivacyLoss) for all usages)
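The damage formula written out; the per-usage damage functions are user-supplied, so the ones in the usage note below are hypothetical:

```python
def privacy_damage(privacy_loss, d_usage, all_usage_fns, trust_receiver):
    """PrivacyDamage = D_max(loss) * (1 - Trust_receiver)
                       + d_usage(loss) * Trust_receiver.
    trust_receiver in [0, 1] interpolates between the worst-case damage
    over all usages (untrusted receiver) and the damage of the stated
    usage (fully trusted receiver)."""
    d_max = max(fn(privacy_loss) for fn in all_usage_fns)
    return d_max * (1 - trust_receiver) + d_usage(privacy_loss) * trust_receiver
```

For example, with hypothetical usages `research = lambda l: l` and `marketing = lambda l: 2 * l`, a half-trusted receiver claiming research usage incurs damage halfway between the two.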
|
19
|
- Increasing trust level
- Adopt research on trust establishment and management
- Benefit function TB(trust_level)
- Provided by the service provider or derived from the user's utility function
- Trust gain
- TB(trust_level_new) − TB(trust_level_prev)
|
20
|
|
21
|
- User application sends query to server application.
- Server application sends user information to TERA server for trust evaluation and role assignment.
- If a higher trust level is required for the query, TERA server sends a request for additional user credentials to the privacy negotiator.
- Based on the server's privacy policies and the credential requirements, the privacy negotiator interacts with the user's privacy negotiator to build a higher level of trust.
- Trust gain and privacy loss evaluator selects credentials that will increase trust to the required level with the least privacy loss. The calculation considers credential requirements and credentials disclosed in previous interactions.
- According to privacy policies and the calculated privacy loss, the user's privacy negotiator decides whether or not to supply credentials to the server.
- Once the trust level meets the minimum requirements, appropriate roles are assigned to the user for execution of his query.
- Based on query results, the user's trust level, and privacy policies, the data disseminator determines: (i) whether to distort data and, if so, to what degree, and (ii) what privacy enforcement metadata should be associated with it.
|
22
|
- This research addresses the tradeoff issues between privacy and trust
- Tradeoff problems are formally defined.
- An entropy-based approach is proposed to estimate privacy loss.
- A prototype is under development for experimental study.
|