Exploring personalized life cycle policies

Ambient Intelligence poses many challenges for protecting people's privacy. Storing privacy-sensitive data permanently will inevitably result in privacy violations. Limited retention techniques may help to limit the risk of unwanted and irreversible disclosure of privacy-sensitive data. To overcome the rigidity of simple limited retention policies, life-cycle policies describe more precisely when and how data should first be degraded and finally be destroyed. This allows users themselves to choose an adequate compromise between privacy and data retention. Implementing and enforcing such policies is, however, a difficult problem: traditional databases are neither designed nor optimized for deleting data. In this report, we recall the previously introduced life-cycle policy model and the techniques already developed for handling a single collective policy for all data in a relational database management system. We identify the problems raised by loosening this single-policy constraint and propose preliminary techniques for concurrently handling multiple policies in one data store. The main technical consequence for the storage structure is that, once multiple policies are allowed, the degradation order of tuples no longer always coincides with their insertion order. Apart from the technical aspects, we show that personalizing the policies introduces inference breaches that have to be investigated further. To make such an investigation possible, we introduce a privacy metric that makes it possible to compare the amount of privacy actually provided with the amount of privacy required by the policy.
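The ordering consequence stated in the abstract, as an added example that is not part of the report: a toy store that enforces per-tuple life-cycle policies (a list of "at age X, apply this degradation; at age Y, destroy" steps). With one collective policy every tuple degrades in insertion order, so a FIFO over the insert log suffices; with personalized policies the next tuple to degrade is whichever has the earliest deadline, so the scheduler below keeps a min-heap keyed on the due time. The policy contents, the degradation functions (`generalise_location`, `to_country`) and the sample values are constructed for illustration and are not the report's own model.

```python
import heapq
from dataclasses import dataclass, field
from typing import Callable, Optional

# Hypothetical degradation functions (constructed for the example).
def generalise_location(v: str) -> str:
    """'Amsterdam, Dam Square' -> 'Amsterdam'"""
    return v.split(",")[0].strip()

def to_country(v: str) -> str:
    """Constructed mapping: every sample location in this example is in NL."""
    return "NL"

# A life-cycle policy: (age_in_seconds, transform) steps ordered by age.
# transform=None means the tuple is destroyed at that age.
Policy = list[tuple[int, Optional[Callable[[str], str]]]]
POLICY_STRICT: Policy = [(10, generalise_location), (20, to_country), (30, None)]
POLICY_LAX: Policy = [(60, generalise_location), (120, None)]

@dataclass(order=True)
class Event:
    due: int
    seq: int                      # tie-breaker: earlier scheduled first
    tid: int = field(compare=False)
    step: int = field(compare=False)

class DegradingStore:
    """Stores tuples and applies each tuple's own policy as time advances."""
    def __init__(self) -> None:
        self.rows: dict[int, str] = {}
        self.policy: dict[int, Policy] = {}
        self.inserted: dict[int, int] = {}
        self.heap: list[Event] = []          # pending degradation steps, min on due
        self.seq = 0
        self.log: list[tuple[int, int, str]] = []  # (time, tid, new value or DESTROYED)

    def insert(self, tid: int, value: str, policy: Policy, now: int) -> None:
        self.rows[tid] = value
        self.policy[tid] = policy
        self.inserted[tid] = now
        self._schedule(tid, 0)

    def _schedule(self, tid: int, step: int) -> None:
        if step < len(self.policy[tid]):
            age, _ = self.policy[tid][step]
            heapq.heappush(self.heap, Event(self.inserted[tid] + age, self.seq, tid, step))
            self.seq += 1

    def advance(self, now: int) -> None:
        """Apply every degradation step that is due at or before `now`."""
        while self.heap and self.heap[0].due <= now:
            ev = heapq.heappop(self.heap)
            _, transform = self.policy[ev.tid][ev.step]
            if transform is None:
                del self.rows[ev.tid]            # final step: destroy the tuple
                self.log.append((ev.due, ev.tid, "DESTROYED"))
            else:
                self.rows[ev.tid] = transform(self.rows[ev.tid])
                self.log.append((ev.due, ev.tid, self.rows[ev.tid]))
                self._schedule(ev.tid, ev.step + 1)

    def first_degradation_order(self) -> list[int]:
        """Tuple ids in the order their first degradation step fired."""
        seen: list[int] = []
        for _, tid, _ in self.log:
            if tid not in seen:
                seen.append(tid)
        return seen

def run(policies: list[Policy]) -> DegradingStore:
    """Insert one tuple per policy, 5 s apart (constructed timing), run 200 s."""
    store = DegradingStore()
    for i, p in enumerate(policies):
        store.insert(i, "Amsterdam, Dam Square", p, now=5 * i)
    store.advance(200)
    return store

if __name__ == "__main__":
    single = run([POLICY_STRICT, POLICY_STRICT, POLICY_STRICT])
    mixed = run([POLICY_LAX, POLICY_STRICT, POLICY_LAX])
    print("single policy, degradation order:", single.first_degradation_order())  # [0, 1, 2]
    print("mixed policies, degradation order:", mixed.first_degradation_order())  # [1, 0, 2]
```

With a single collective policy the degradation order is [0, 1, 2], identical to insertion order; with mixed policies tuple 1 (strict) degrades before tuple 0 (lax) even though it was inserted later, which is why an insert-ordered log can no longer serve as the degradation queue once policies are personalized.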
