P2D2: A Mechanism for PrivacyPreserving Data Dissemination

About This Presentation

Title:

P2D2: A Mechanism for PrivacyPreserving Data Dissemination

Description:

'Guardian: ... owner can be a guardian for her own private data ... Destination Guardian (DG) provides public key ... – PowerPoint PPT presentation

Number of Views:86

Avg rating:3.0/5.0

Slides: 64

Provided by: llil3

Category:

more less

Transcript and Presenter's Notes

Title: P2D2: A Mechanism for PrivacyPreserving Data Dissemination

1
P2D2 A Mechanism forPrivacy-Preserving Data
Dissemination

Leszek Lilien
http//www.cs.wmich.edu/llilien/
Department of Computer Science
Western Michigan University
Kalamazoo, Michigan 49008
Affiliated with
Center for Education and Research in Information
Assurance and Security (CERIAS), Regenstrief
Center for Healthcare Engineering (RCHE) both
at Purdue University
With contributions from Prof. Bharat Bhargava and
Ms. Yuhui Zhong
Department of Computer Sciences, Purdue
University.
Supported in part by NSF grants IIS-0209059 and
IIS-0242840.

2
Interactions and Trust

Trust new paradigm of security
Replaces/enhances CIA (confid./integr./availab.)
Adequate degree of trust required in interactions
In social or computer-based interactions
From a simple transaction to a complex
collaboration
Must build up trust w.r.t. interaction partners
Human or artificial partners
Offline or online
We focus on asymmetric trust relationships
One partner is weaker, another is stronger
Ignoring same-strength partners
Individual to individual, most B2B,

3
Building Trust by Weaker Partners

Means of building trust by weaker partner in his
strongeer (often institutional) partner (offline
and online)
Ask around
Family, friends, co-workers,
Check partners history and stated philosophy
Accomplishments, failures and associated
recoveries,
Mission, goals, policies (incl. privacy
policies),
Observe partners behavior
Trustworthy or not, stable or not,
Problem Needs time for a fair judgment
Check reputation databases
Better Business Bureau, consumer advocacy groups,
Verify partners credentials
Certificates and awards, memberships in
trust-building organizations (e.g., BBB),
Protect yourself against partners misbehavior
Trusted third-party, security deposit,
prepayment,, buying insurance,

4
Building Trust by Stronger Partners

Means of building trust by stronger partner in
her weaker (often individual) partner (offline
and online)
Business asks customer for a payment for goods or
services
Bank asks for private information
Mortgage broker checks applicants credit history
Authorization subsystem on a computer observes
partners behavior
Trustworthy or not, stable or not,
Problem Needs time for a fair judgment
Computerized trading system checks reputation
databases
e-Bay, PayPal,
Computer system verifies users digital
credentials
Passwords, magnetic and chip cards, biometrics,
Business protects itself against customers
misbehavior
Trusted third-party, security deposit,
prepayment,, buying insurance,

5
Trading Weaker Partners Privacy Loss for
Stronger Partners Trust Gain

In all examples of Building Trust by Stronger
Partners but the first (payments)
Weaker partner trades his privacy loss for his
trust gain as perceived by stronger partner
Approach to trading privacy for trust
Zhong and Bhargava, Purdue
Formalize the privacy-trust tradeoff problem
Estimate privacy loss due to disclosing a
credential set
Estimate trust gain due to disclosing a
credential set
Develop algorithms that minimize privacy loss for
required trust gain
Bec. nobody likes loosing more privacy than
necessary

6
Privacy-Trust Tradeoff andDissemination of
Private Data

Dissemination of private data
Related to trading privacy for trust
Examples above
Not related to trading privacy for trust
Medical records
Research data
Tax returns
Private data dissemination can be
Voluntary
When theres a sufficient competition for
services or goods
Pseudo-voluntary
Free to decline and loose service
E.g. a monopoly or demand exceeding supply)
Mandatory
Required by law, policies, bylaws, rules, etc.

7
Dissemination of Private Datais Critical

Reasons
Fears/threats of privacy violations reduce trust
Reduced trust leads to restrictions on
interactions
In the extreme
refraining from interactions, even self-imposed
isolation
Very high social costs of lost (offline and
online) interaction opportunities
Lost business transactions, opportunities
Lost research collaborations
Lost social interactions
gt Without privacy guarantees, pervasive
computing will
never be realized
People will avoid interactions with pervasive
devices / systems
Fear of opportunistic sensor networks
self-organized by electronic devices around them
can help or harm people in their midst

8
Recognition of Needfor Privacy Guarantees (1)

By individuals Ackerman et
al. 99
99 unwilling to reveal their SSN
18 unwilling to reveal their favorite TV show
By businesses
Online consumers worrying about revealing
personal data
held back 15 billion in online revenue in 2001
By Federal government
Privacy Act of 1974 for Federal agencies
Health Insurance Portability and Accountability
Act of 1996 (HIPAA)

9
Recognition of Needfor Privacy Guarantees (2)

By computer industry research
Microsoft Research
The biggest research challenges
According to Dr. Rick Rashid, Senior Vice
President for Research
Reliability / Security / Privacy / Business
Integrity
Broader application integrity (just
integrity?)
gt MS Trustworthy Computing Initiative
Topics include DRMdigital rights management
(incl. watermarking surviving photo editing
attacks), software rights protection,
intellectual property and content protection,
database privacy and p.-p. data mining, anonymous
e-cash, anti-spyware
IBM (incl. Privacy Research Institute)
Topics include pseudonymity for e-commerce, EPA
and EPALenterprise privacy architecture and
language, RFID privacy, p.-p. video surveillance,
federated identity management (for enterprise
federations), p.-p. data mining and p.-p.mining
of association rules, Hippocratic (p.-p.)
databases, online privacy monitoring

10
Recognition of Needfor Privacy Guarantees (3)

By academic researchers
CMU and Privacy Technology Center
Latanya Sweeney (k-anonymity, SOSSurveillance of
Surveillances, genomic privacy)
Mike Reiter (Crowds anonymity)
Purdue University CS and CERIAS
Elisa Bertino (trust negotiation languages and
privacy)
Bharat Bhargava (privacy-trust tradeoff, privacy
metrics, p.-p. data dissemination, p.-p.
location-based routing and services in networks)
Chris Clifton (p.-p. data mining)
UIUC
Roy Campbell (Mist preserving location privacy
in pervasive computing)
Marianne Winslett (trust negotiation w/ controled
release of private credentials)
U. of North Carolina Charlotte
Xintao Wu, Yongge Wang, Yuliang Zheng (p.-p.
database testing and data mining)

11
Outline

PART 1 Mechanism for privacy-preserving data
dissemination
The Problem
Challenges
Proposed Approach
Bundling
Apoptosis
Evaporation
Prototype Implementation
PART 2 Taxonomy of solutions for dealing with
illegal data replication
Copying of digital vs. non-digital data
Online and offline replication of digital data
Basic approaches to dealing with illegal
replication of digital data
Prevent illegal copying
Impede illegal copying
Trace back illegal copying

12
1) The Problem
Guardian 1 Original Guardian
Owner (Private Data Owner)
Data (Private Data)
Guardian 5 Third-level
Guardian 2 Second Level
Guardian 4
Guardian 3
Guardian 6

Guardian
Entity entrusted by private data owners with
collection, processing, storage, or transfer of
their data
owner can be an institution or a system
owner can be a guardian for her own private data
Guardians allowed or required to
share/disseminate private data
With owners explicit consent
Without the consent as required by law
For research, by a court order, etc.

13
The Problem cont.

Guardian passes private data to another guardian
in a data dissemination chain
Chain within a graph (possibly cyclic)
Sometimes owner privacy preferences not
transmitted due to neglect or failure
Risk grows with chain length and milieu
fallibility and hostility
If preferences lost, even honest receiving
guardian unable to honor them

14
Trust Model for P2D2 Mechanism

Owner builds trust in Primary Guardian (PG)
As shown in Building Trust by Weaker Partners
Trusting PG means
Trusting the integrity of PG data sharing
policies and practices
Transitive trust in data-sharing partners of PG
PG provides owner with a list of partners for
private data dissemination (incl. info which data
PG plans to share, with which partner, and why)
OR
PG requests owners permission before any private
data dissemination (request must incl. the same
info as required for the list)
OR
A hybrid of the above two
E.g., PG provides list for next-level partners
AND each second- and lower-level guardian
requests owners permission before any further
private data dissemination

15
2) Challenges

Ensuring that owners metadata are never
decoupled from his data
Metadata include owners privacy preferences
Efficient protection in a hostile milieu
Threats - examples
Uncontrolled data dissemination
Intentional or accidental data corruption,
substitution, or disclosure
Detection of data or metadata loss
Efficient data and metadata recovery
Recovery by retransmission from the original
guardian is most trustworthy

16
3) Proposed Approach

Design self-descriptive bundles
- bundle private data metadata
- self-descriptive bec. includes metadata
Construct a mechanism for apoptosis of bundles
- apoptosis clean self-destruction
Develop context-sensitive evaporation of bundles

17
Related Work

Self-descriptiveness (in diverse contexts)
Meta data model Bowers and Delcambre, 03
KIF Knowledge Interchange Format Gensereth and
Fikes, 92
Context-aware mobile infrastructure
Rakotonirainy, 99
Flexible data types Spreitzer and A. Begel, 99
Use of self-descriptiveness for data privacy
Idea mentioned in one sentence Rezgui,
Bouguettaya and Eltoweissy, 03
Term apoptosis (clean self-destruction)
Using apoptosis to end life of a distributed
services (esp. in strongly active networks,
where each data packet is replaced by a mobile
program) Tschudin, 99
Specification of privacy preferences and policies
Platform for Privacy Preferences Cranor, 03
ATT Privacy Bird ATT, 04

18
Bibliography for Related Work

ATT Privacy Bird Tour http//privacybird.com/tou
r/1 2 beta/tour.html. February 2004.
S. Bowers and L. Delcambre. The uni-level
description A uniform framework for representing
information in multiple data models. ER
2003-Intl. Conf. on Conceptual Modeling, I.-Y.
Song, et al. (Eds.), pp. 4558, Chicago, Oct.
2003.
L. Cranor. P3P Making privacy policies more
useful. IEEE Security and Privacy, pp. 5055,
Nov./Dec. 2003.
M. Gensereth and R. Fikes. Knowledge Interchange
Format. Tech. Rep. Logic-92-1, Stanford Univ.,
1992.
A. Rakotonirainy. Trends and future of mobile
computing. 10th Intl. Workshop on Database and
Expert Systems Applications, Florence, Italy,
Sept. 1999.
A. Rezgui, A. Bouguettaya, and M. Eltoweissy.
Privacy on the Web Facts, challenges, and
solutions. IEEE Security and Privacy, pp. 4049,
Nov./Dec. 2003.
M. Spreitzer and A. Begel. More flexible data
types. Proc. IEEE 8th Workshop on Enabling
Technologies (WETICE 99), pp. 319324, Stanford,
CA, June 1999.
C. Tschudin. Apoptosis - the programmed death of
distributed services. In J. Vitek and C. Jensen,
eds., Secure Internet Programming.
Springer-Verlag, 1999.

19
A. Self-descriptive Bundles

Comprehensive metadata include
owners privacy preferences
owners contact information
guardians privacy policies
metadata access conditions
enforcement specifications
data provenance
context-dependent and
other components

How to read and write private data
Needed to request owners access permissions, or
notify the owner of any accesses
For the original and/or subsequent data guardians
How to verify and modify metadata
How to enforce preferences and policies
Who created, read, modified, or destroyed any
portion of data
Application-dependent elements Customer trust
levels for different contexts Other metadata
elements

20
Implementation Issues for Bundles

Provide efficient and effective representation
for bundles
Use XML work in progress
Ensure bundle atomicity
metadata cant be split from data
A simple atomicity solution using asymmetric
encryption
Destination Guardian (DG) provides public key
Source Guardian (or owner) encrypts bundle with
public key
Can re-bundle by encrypting different bundle
elements with public keys from different DGs
DG applies its corresponding private key to
decrypt received bundle
Or decrypts just bundle elements reveals data
DG needs to know
Can use digital signature to assure
non-repudiation
Extra key mgmt effort requires Source Guardian
to provide public key to DG
Deal with insiders making and disseminating
illegal copies of data they are authorized to
access (but not copy)
Considered below (taxonomy)

21
Notification in Bundles (1)

Bundles simplify notifying owners or requesting
their consent
Contact information in the owners contact
information
Included information
notification notif_sender, sender_t-stamp,
accessor, access_t-stamp,
access_justification, other_info
request req_sender, sender_t-stamp,
requestor, requestor_t-stamp,
access_justification, other_info
Notifications / requests sent to owners
immediately, periodically, or on demand
Via
automatic pagers / text messaging (SMS) / email
messages
automatic cellphone calls / stationary phone
calls
mail
ACK from owner may be required for notifications
Messages may be encrypted or digitally signed for
security

22
Notification in Bundles (2)

If permission for a request or request_type is
Granted in metadata
gt notify owner
Not granted in metadata
gt ask for owners permission to access her data
For very sensitive data no default permissions
for requestors are granted
Each request needs owners permission

23
Optimization of Bundle Transmission

Transmitting complete bundles between guardians
is inefficient
They describe all foreseeable aspects of data
privacy
For any application and environment
Solution prune transmitted bundles
Adaptively include only needed data and metadata
Maybe, needed transitively for the whole down
stream
Use short codes (standards needed)
Use application and environment semantics along
the data dissemination chain

24
B. Apoptosis of Bundles

Assuring privacy in data dissemination
Bundle apoptosis vs. private data apoptosis
Bundle apoptosis is preferable prevents
inferences from metadata
In benevolent settings
use atomic bundles with recovery by
retransmission
In malevolent settings
attacked bundle, threatened with disclosure,
performs apoptosis

25
Implementation of Apoptosis

Implementation
Detectors, triggers and code
Detectors e.g. integrity assertions identifying
potential attacks
E.g., recognize critical system and application
events
Different kinds of detectors
Compare how well different detectors work
False positives
Result in superfluous bundle apoptosis
Recovery by bundle retransmission
Prevent DoS (Denial-of-service) attacks by
limiting repetitions
False negatives
May result in disclosure very high costs
(monetary, goodwill loss, etc.)

26
Optimizationof Apoptosis Implementation

Consider alternative detection, trigerring and
code implementations
Determine division of labor between detectors,
triggers and code
Code must include recovery from false positives
Define measures for evaluation of apoptosis
implementations
Effectiveness false positives rate and false
negatives rate
Costs of false positives (recovery) and false
negatives (disclosures)
Efficiency speed of apoptosis, speed of recovery
Robustness (against failures and attacks)
Analyze detectors, triggers and code
Select a few candidate implementation techniques
for detectors, triggers and code
Evaluation of candidate techniques vis simulate
experiments
Prototyping and experimentation in our testbed
for investigating trading privacy for trust

27
C. Context-sensitive Evaporation of Bundles

Perfect data dissemination not always desirable
Example Confidential business data shared within
an office but not outside
Idea
Context-sensitive bundle evaporation

28
Proximity-based Evaporationof Bundles

Simple case Bundles evaporate in proportion to
their distance from their owner
Bundle evaporation prevents inferences from
metadata
Closer guardians trusted more than distant
ones
Illegitimate disclosures more probable at less
trusted distant guardians
Different distance metrics
Context-dependent

29
Examples of Distance Metrics

Examples of one-dimensional distance metrics
Distance business type
Distance distrust level more trusted entities
are closer
Multi-dimensional distance metrics
Security/reliability as one of dimensions

30
Evaporation Implemented asControlled Data
Distortion

Distorted data reveal less, protects privacy
Examples
accurate data more and more distorted data

250 N. Salisbury Street West Lafayette, IN 250
N. Salisbury Street West Lafayette, IN home
address 765-123-4567 home phone
Salisbury Street West Lafayette, IN 250 N.
University Street West Lafayette, IN office
address 765-987-6543 office phone
somewhere in West Lafayette, IN P.O. Box
1234 West Lafayette, IN P.O. box 765-987-4321
office fax
31
Evaporation Implemented asControlled Data
Distortion

Distorted data reveal less, protects privacy
Examples
accurate data more and more distorted data

Context-dependent apoptosis for implementing
evaporation
Apoptosis detectors, triggers, and code enable
context exploitation
Conventional apoptosis as a simple case of data
evaporation
Evaporation follows a step function
Bundle self-destructs when proximity metric
exceeds predefined threshold value

33
Application of Evaporation for DRM

Evaporation could be used for active DRM
(digital rights management)
Bundles with protected contents evaporate when
copied onto foreign media or storage device

34
4) Prototype Implementation

Our experimental system named PRETTY (PRivatE and
TrusTed sYstems)
Trust mechanisms already implemented

35
Information Flow for PRETTY

User application sends query to server
application.
Server application sends user information to TERA
server for trust evaluation and role assignment.
If a higher trust level is required for query,
TERA server sends the request for more users
credentials to privacy negotiator.
Based on servers privacy policies and the
credential requirements, privacy negotiator
interacts with users privacy negotiator to build
a higher level of trust.
Trust gain and privacy loss evaluator selects
credentials that will increase trust to the
required level with the least privacy loss.
Calculation considers credential requirements and
credentials disclosed in previous interactions.
According to privacy policies and calculated
privacy loss, users privacy negotiator decides
whether or not to supply credentials to the
server.
Once trust level meets the minimum requirements,
appropriate roles are assigned to user for
execution of his query.
Based on query results, users trust level and
privacy polices, data disseminator determines
(i) whether to distort data and if so to what
degree, and (ii) what privacy enforcement
metadata should be associated with it.

36
Outline

PART 1 Mechanism for privacy-preserving data
dissemination
The Problem
Challenges
Proposed Approach
Bundling
Apoptosis
Evaporation
Prototype Implementation
PART 2 Taxonomy of solutions for dealing with
illegal data replication
Copying of digital vs. non-digital data
Online and offline replication of digital data
Basic approaches to dealing with illegal
replication of digital data
Prevent illegal copying
Impede illegal copying
Trace back illegal copying

37
1) Copying of Digital vs. Non-digital Data

Replication (copying) of data
Copying of digital data
Digital data are online (in cyberspace)
Explored below
Copying of non-digital data
Non-digital data are offline (in real world)
Bypassed in this research
Why? Because I am a (digital) computer
scientist

38
2) Online and Offline Replication of Digital
Data

Online copying of digital data
Any cut-and-paste
File copying
Offline copying of digital data includes
Memorizing from display recreating from memory
Copying manually from display
Taking notes, etc.
Photographing or videotaping display, recording
sounds
Future PER devices (PER personal experience
recorder)
PER records all that its owner has seen and heard
cf. MS Stuff Ive Seen NSF IDM 2003

39
Illegal Copying Problem and Solution Taxonomy
Illegal Data Replication
Copying Non-digital Data
Copying Digital Data
Online Replication
Offline Replication
PROBLEMS
SOLUTIONS
Same categories as for Online Replication
Impede
Trace Back
Prevent
Hybrid Approaches
Trace Offline
Trace Online
For Online Copying
For Offline Copying
For Offline Copying
For Online Copying
40
3) Basic Approaches to Dealing with Illegal
Copying of Digital Data

Prevent illegal copying (make it impossible)
Prevent online or offline copying
Preventing offline copying might seem
impossible...
Impede illegal copying (make it difficult)
Impede online or offline copying
Trace back illegal copying
Trace back online or offline for accountability
Can trace legal data replication, too
Hybrid approaches
Different approaches used for different portions
of data

41
Illegal Copying Problem and Solution Taxonomy
Illegal Data Replication
Copying Non-digital Data
Copying Digital Data
Online Replication
Offline Replication
PROBLEMS
SOLUTIONS
Same categories as for Online Replication
Impede
Prevent
Trace Back
Hybrid Approaches
Trace Offline
Trace Online
For Online Copying
For Offline Copying
For Online Copying
For Offline Copying
42
A. Prevent Illegal Copying of Digital Data

Application-based solutions examples
An option in PDF documents prevents selecting
text (and thus copying it from screen)
An option in IRM in MS Word prevents forwarding
or copying Word documents by unauthorized people
IRM Intellectual Rights Mgmt
Blog software provides no copying option for
blog text
System-based solutions
E.g., system keeps track of all bundles and
disallows capture of their screen images

43
B. Impede Illegal Copying of Digital Data

If Prevent solutions dont work 100, they
become Impede solutions
Other application- or system-based solutions
Searching for existing Impede solutions
Thinking about new Impede solutions

44
C. Trace Back Illegal Copying of Digital Data

Threat of being traced back is here the only
barrier against illegal copying
Technological-and-legal barrier against illegal
copying
Technologicalmostly the online part
Legalmostly the offline part
Tracing back alternatives
Trace back online (onT)
For online copying (onT-onC)
For offline copying (onT-offC)
Trace back offline (offT)
For online copying (offT-onC)
For offline copying (offT-offC)

45
Illegal Copying Problem and Solution Taxonomy
Illegal Data Replication
Copying Non-digital Data
Copying Digital Data
Online Replication
Offline Replication
PROBLEMS
SOLUTIONS
Same categories as for Online Replication
Impede
Trace Back
Prevent
Hybrid Approaches
Trace Offline (Toff)
Trace Online (Ton)
For Online Copying (Ton-onC)
For Offline Copying (Toff-offC)
For Offline Copying (Ton-offC)
For Online Copying (Toff-onC)
46
Online Traceback forOnline Copying (onT-onC)
Solutions

Solutions
Application-level solution
Record in bundle metadata info (id, time, etc.)
for all who access it
System-level solution
System logs record all bundle accesses
Bundles detected by system OR self-register upon
arrival
Both may warn of legal consequences of copying
bundles
Both notify guardians and owners (or their
delegates)
What about impostors (using sb elses id) and
intruders?
The better system security the fewer such
attackers
Penalize/prosecute offline (makes it a hybrid
solution)

47
Online Traceback for OfflineCopying (onT-offC)
A Solution

Recall offline copying includes
Memorizing recreating data
Copying manually from display
Photographing or videotaping display, recording
sounds
Future personal experience recorders
A solution
E.g., computer cameras monitoring users
activities or the whole neighborhood
automatic alarms for suspect situations (AI
software)

48
Offline Traceback for Online Copying (offT-onC)
Solutions

All offline actions available via crime
investigations
Penalties for privacy violations
Social stigma
Employer reprimand, dismissal, etc.
Prosecution
Use of computer tools (in addition to offline
tools) for traceback would make it a hybrid
category solution

49
Offline Traceback for Offline Copying
(offT-offC) Solutions

Need offline traceback solutions for offline
copying by
Memorizing recreating data (offT-offC/1)
Copying manually from display (offT-offC/2)
Photographing or videotaping display, recording
sounds (offT-offC/3)
Future personal experience recorders
(offToffC/4)

50
Illegal Copying Problem and Solution Taxonomy
Illegal Data Replication
Copying Non-digital Data
Copying Digital Data
Online Replication
Offline Replication
PROBLEMS
SOLUTIONS
Same categories as for Online Replication
Impede
Trace Back
Prevent
Hybrid Approaches
Trace Offline
Trace Online
For Online Copying (Ton-onC)
For Offline Copying (Ton-offC)
For Offline Copying
For Online Copying (Toff-onC)
4 solutions (offT-offC/1-4)
51
Offline Traceback for Offline Memorizing
Recreating (offT-offC/1)

Offline copying by memorizing recreating data
is not reliable for all but small amounts of data
but
Day-by-day copying over a long period can add up
to large amounts of data
Context info facilitates remebering
E.g. easy to remember many West Lafayette phones
start with 765-743, 765-463, etc.
Mnemonic techniques help

52
Offline Traceback for Offline
Memorizing Recreating (offT-offC/1)

Solutions for memorizing recreating data (1)
Embed watermarks that survive memor. recreating
Seemingly essential or honey-pot data that will
be memorized and recreated with high probability
E.g., street number 123A instead of 123
E.g., non-existing extension for phone number
E.g., useless (and false) salary data
Watermarks dont harm info contents for
authorized accesses
E.g., a letter carrier delivers to 123
E.g., can reach the proper person w/o using the
extension
E.g., no authorized data use requires salary
Watermarks facilitate forensics (a trail of
watermarks)

53
Offline Traceback for OfflineMemorizing
Recreating (offT-offC/1)

Solutions for memorizing recreating data (2)
Restrict read access to authorized personnel
Compartmentalize
Most people cant see enough data to harm its
owner
Analyze logs for superfluous or unusual accesses
Incl. suspicious prolonged accesses or repeat
accesses
Accountability detect and prosecute disclosures

54
Offline Traceback for Offline Manual Copying
(offT-offC/2)

Offline data replication by manually copying from
display
Solutions
Same as for memorizing recreating
PLUS
Disallow offline notes and recordings
Monitor users of computer terminals visually
(offline) (online monitoring would fall into
onT-offC category)

55
Offline Traceback for Offline Photographing,
Etc. (offT-offC/3)

Offline copying by photographing or videotaping
display, or sound recording
E.g., copied image converted back to text via OCR
OCR optical character recognition
Solutions
Same as for memorizing recreating
PLUS
Embed visual or sonic watermarks
These are classic watermarks
Less difficult to plant than watermarks for
memorizing recreating, or for manual copying
Timestamp recordings to facilitate forensics
Future Record camera/camcorder/etc. position to
facilitate forensics
Only GPS-equipped equipment allowed on business
premises

56
Offline Traceback for Offline PER Recording
(offT-offC/4)

Offline copying by PER recording (PER personal
experience recorders)
Records all that its owner experienced whether
online or offline
Existing online PER precursor Microsofts Stuff
I've Seen (SIS) http//research.microsoft.com/adap
t/sis/
By default, SIS indexes the following sources
Everything in your Outlook profile (e-mail
messages, calendar entries, tasks, etc. in all
your exchange folders and PSTs that are visible
when you start Outlook)
All files in your "My Documents" folder
All web pages in your Internet cache
Solutions
Same as above (for photographing or videotaping
screen, or sound recording)

57
Using Traceback also forPreventing/ Impeding
Illegal Copying

For preventing copying
trace unsuccessful copying attacks
Only unsuccessful attacks (unless prevention
fails)
For impeding copying
trace both unsuccessful and successful
attacks

58
Conclusions

Intellectual merit
A mechanism for preserving privacy in data
dissemination (bundling, apoptosis, evaporation)
Taxonomy of problems and solutions in illegal
data replication
Broader impact
Educational and research impact student
projects, faculty collaborations
Practical (social, economic, legal, etc.) impact
Enabling more collaborations
Enabling more pervasive computing
By reducing fears of privacy invasions
Showing new venues for privacy research
Applications
Collaboration in medical practice, business,
research, military
Location-based services
Future impact
Potential for extensions enabling pervasive
computing
Must adapt to privacy preservation, e.g., in
opportunistic sensor networks (self-organize to
help/harm)

59
Future Work

Provide efficient and effective representation
for bundles (XML for metadata?)
Run experiments on the PRETTY system
Build a complete prototype of proposed mechanism
for private data dissemination
Implement
Examine implementation impacts
Measures Cost, efficiency, trustworthiness,
other
Optimize bundling, apoptosis and evaporation
techniques
Focus on selected application areas
Sensor networks for infrastructure monitoring
(NSF IGERT proposal)
Healthcare enginering (work for RCHE -
Regenstrief Center for Healthcare Engineering at
Purdue)

60
Future Work - Extensions

Adopting proposed mechanism for DRM, IRM
(intellectual rights managenment) and
proprietary/confidential data
Privacy
Private data owned by an individual
Intellectual property, trade/diplomatic/military
secrets
Proprietary/confidential data owned by an
organization
Custimizing proposed mechanismm for selected
pervasive environments, including
Wireless / Mobile / Sensor networks
Incl. opportunistic sens. networks
Impact of proposed mechanism on data quality

61
My Research Activities

Current research
Privacy privacy-preserving data dissemination
Trust pervasive trust paradigm and its
realizations
Vulnerabilities and Threats analysis,
avoidance, tolerance
Former research areas
Database systems
Fault tolerance and recovery / Data integrity /
Concurrency control /
Database design / Query processing
Distributed computing systems
Decentralized control / Fault tolerance and
recovery
Major application areas
Pervasive Systems esp. opportunistic sensor
networks
Healthcare Engineering

62
Selected Proposals and Publications on Trust,
Privacy, and Security

Proposals
Vulnerability Analysis and Threat
Assessment/Avoidance, B. Bhargava (PI) and L.
Lilien (co-PI). Awarded by the National Science
Foundation, awarded 212,000, 2003-2006.
Selected publications
L. Lilien, Z.H. Kamal. and A. Gupta,
Opportunistic Sensor Networks The Concept and
Reseqrch Challenges, submitted for conference
publication.
V. Bhuse, A. Gupta, and L. Lilien, Research
Challenges in Lightweight Intrusion Detection for
Sensornets, submitted for conference publication
V. Bhuse, A. Gupta, and L. Lilien, DPDSN
Detection of packet-dropping attacks for wireless
sensor networks, Proc. 4th International Trusted
Internet Workshop (TIW), Goa, India, December
2005 (to appear).
L. Lilien and B. Bhargava, A Scheme for
Privacy-preserving Data Dissemination, IEEE
Transactions on Systems, Man and Cybernetics (to
appear).
B. Bhargava and L. Lilien, "Vulnerabilities and
Threats in Distributed Systems," Proc. Intl.
Conf. on Distributed Computing Internet
Technology (ICDCIT 2004), Bhubaneswar, India,
Dec. 2004.
B. Bhargava, L. Lilien, A. Rosenthal, and M.
Winslett, "PervasiveTrust," IEEE Intelligent
Systems, vol. 19(5), Sep./Oct.2004.
B. Bhargava and L. Lilien, "Private and Trusted
Collaborations," Proc. Secure Knowledge
Management (SKM 2004) A Workshop, Amherst, NY,
Sep. 2004.
Trust, Privacy, and Security. Summary of a
Workshop Breakout Session at the National Science
Foundation Information and Data Management (IDM)
Workshop held in Seattle, Washington, September
14 - 16, 2003 by B. Bhargava, C. Farkas, L.
Lilien and F. Makedon, CERIAS Tech Report
2003-34, CERIAS, Purdue University, Nov. 2003.
L. Lilien, "Developing Pervasive Trust Paradigm
for Authentication and Authorization," Proc.
Third Cracow Grid Workshop (CGW03), Cracow,
Poland, October 2003.
L. Lilien and A. Bhargava, "From Vulnerabilities
to Trust A Road to Trusted Computing," Proc.
International Conference on Advances in Internet,
Processing, Systems, and Interdisciplinary
Research (IPSI-2003), Sv. Stefan, Serbia and
Montenegro, October 2003.

63
Selected Publications on Database Systems and
Distributed Systems

Database systems
Fault tolerance and recovery Pessimistic
Quasipartitioning Protocols for Distributed
Database Systems, IEEE Journal on Selected Areas
in Communications ? Quasi-partitioning A New
Paradigm for Transaction Execution in Distributed
Database Systems, Proc. IEEE Fifth International
Conference on Data Engineering ? Expert Systems
for Fault Tolerant Distributed Database Systems,
in Essays in Computer Vision and Other Topics,
Academia Sinica
Data integrity Database Integrity Block
Construct Concepts and Design Issues, IEEE
Transactions on Software Engineering ? A Scheme
for Batch Verification of Integrity Assertions in
a Database System, IEEE Transactions on Software
Engineering
Concurrency control A Performance Analysis of
an Optimistic and a Basic Timestamp-ordering
Concurrency Control Algorithms for Centralized
Database Systems, Proc. IEEE Fourth
International Conference on Data Engineering ?
An Abstract Model of Concurrency Control
Algorithms in Distributed Database Systems,
Proc. IFIP Working Conference on Distributed
Processing
Database design An Adaptive Mixed Relation
Decomposition Algorithm for Conjunctive Retrieval
Queries, Information Sciences ? An Extended
Entity-Relationship (E2R) Database Specification
and its Automatic Verification and Transformation
into the Relational Logical Design, Proc. Sixth
International Conference on Entity-Relationship
Approach
Query processing Adaptive Techniques for
Distributed Query Optimization, Proc. IEEE
Second International Conference on Data
Engineering
Distributed computing systems
Decentralized control Degrees of Concurrency in
Distributed Computing Systems, Proc. IEEE
Seventh International Conference on Computer
Science ? Optimistic Algorithms in Distributed
Systems, Proc. Second International Conference
on Computers and Applications ? "A Paradigm of
Modern Mixed Economy for Decentralized Control in
Massive Distributed Computing Systems," Working
Paper
Fault tolerance and recovery Redistribution of
Hierarchically Structured Software in Response to
Distributed System Site Crashes, International
Journal of Computer Systems Science and
Engineering