A critical review of 10 years of Privacy Technology

This paper is still being revised. It will eventually appear in the proceedings of the 2010 surveillance studies conference. It can then be cited as follows: George Danezis and Seda Gürses, A critical review of 10 years of Privacy Technology, In the Proceedings of Surveillance Cultures: A Global Surveillance Society?, April 2010, UK.

Since 2000 there has been a renewed interest amongst computer scientists in the field of “privacy technology”. This includes mechanisms for “anonymous” communications, censorship resistance, selective disclosure credentials, as well as privacy in databases, all of which are meant to shield the user from some aspects of on-line surveillance. Beyond the lab, some of those systems have been deployed and are widely used today. Yet, the type of surveillance against which privacy technologies are supposed to offer protection is often ill-defined and varies widely between works: from an individual who wishes “to hide an occasional purchase from his spouse” to “groups coordinating political dissent under totalitarian regimes”. While privacy is seen as the key unifying theme of these works, only one aspect of it is systematically represented, namely “confidentiality”. Privacy as self-definition, informational self-determination or as a public good that needs to be negotiated is often neglected. Further, the increasing omnipresence of surveillance technologies, the informatisation of everyday life, as well as active resistance to on-line surveillance are used as justifying departure points for privacy technologies, but they have so far not been explored in depth in the privacy research field. In this paper, we explore the development of contemporary privacy technologies, their key results and methodologies. At its heart, our argument is that the field of privacy technology was seeded by computer security and cryptography experts who rushed to apply their tools to new problems, yielding mixed results.
Additional pressures from different stakeholders to devise technology that will make large IT systems acceptable to the public have led to further confusion about the goals and methods most appropriate to embed privacy-friendly values into computer systems. Using concrete examples, we seek to explain why some paradigms came to dominate the field, their advantages, but also their blind spots and unfulfilled promises. From the results of the analysis we expect to infer new requirements for future privacy research.
