Building Privacy-aware Systems using Contextual Integrity Principles

使用上下文完整性原则构建隐私感知系统

• 批准号: RGPIN-2022-04595
• 负责人: Shvartzshnaider, Yan
• 金额: $ 1.82万
• 依托单位: York University
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2022
• 资助国家: 加拿大
• 起止时间: 2022-01-01 至 2023-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=758074
• 关键词: Building; Privacy; aware; Systems; using

Inappropriate information sharing can lead to privacy violations and cause real harms. Modern services generate, collect, share, and trade vast amounts of information, as part of a large digital ecosystem of third-party services and actors. What makes this reality problematic is that information handling practices often go beyond the immediate needs of their service. My research program focuses on designing privacy-preserving systems that respect users' privacy by ensuring that underlying information flows align with privacy expectations, social norms, and existing regulations. As we become increasingly dependent on online services, we frequently ask "Is this service/app safe, privacy-preserving, and secure?" For an average consumer, it is difficult to find definitive answers. These questions are particularly relevant in the wake of the COVID-19 pandemic that forced a sudden transition to online systems. This further aggravated the fundamental mismatch between current "best practices" and the privacy and ethical expectations of computer system users. The current "informed consent" model also places the burden on the user to comprehend and consent to all of the practices across all components. Users need to a) be familiar with the services' privacy policy; b) be aware of existing relevant laws and regulations; c) check the apps granted permissions which may change with successive updates; and finally, d) analyze the traffic generated by the service. Furthermore, regulation often lags technological innovation, privacy expectations and societal norms shift. Drawing on our past work, this proposal aims to develop methods for discovery of societal privacy norms and to build systems that respect users' privacy. More specifically, the research program comprises objectives relating to two main research themes. Theme A involves designing methods for automatic extraction of rules prescribed by existing policies and regulations. Theme B involves developing a tool to map out information flows in complex sociotechnical systems and devising a comparative framework to identify gaps among information handling practices, regulation, and users' privacy expectations. As part of this work, 2 PhD students, 3 Master's student and 6 undergraduates will be trained. PhD and Master's students will lead the research conducted in each of the themes. The research program will advance existing efforts that foster a range of downstream privacy-enhancing systems and applications by developing novel privacy-enhancing methodologies that incorporate Canadian privacy regulation, societal norms, and users' privacy expectations as part of the system design.

不适当的信息共享会导致侵犯隐私，造成真实的伤害。现代服务产生、收集、共享和交易大量信息，作为第三方服务和参与者的大型数字生态系统的一部分。使这一现实成为问题的是，信息处理的做法往往超出了他们的服务的直接需求。我的研究项目侧重于设计隐私保护系统，通过确保底层信息流符合隐私期望，社会规范和现有法规来尊重用户的隐私。 随着我们越来越依赖在线服务，我们经常会问“这个服务/应用程序安全吗？“对于普通消费者来说，很难找到明确的答案。在COVID-19大流行迫使突然过渡到在线系统之后，这些问题尤其重要。这进一步加剧了当前“最佳做法”与计算机系统用户的隐私和道德期望之间的根本不匹配。目前的“知情同意”模式还要求用户理解和同意所有组成部分的所有做法。用户需要a）熟悉服务的隐私政策; B）了解现有的相关法律法规; c）检查授予权限的应用程序，这些权限可能会随着后续更新而变化;最后，d）分析服务产生的流量。此外，监管往往滞后于技术创新、隐私期望和社会规范的转变。根据我们过去的工作，该提案旨在开发发现社会隐私规范的方法，并建立尊重用户隐私的系统。更具体地说，研究计划包括与两个主要研究主题有关的目标。主题A涉及设计自动提取现有政策和法规规定的规则的方法。主题B涉及开发一种工具，以绘制复杂社会技术系统中的信息流，并设计一个比较框架，以确定信息处理实践、监管和用户隐私期望之间的差距。作为这项工作的一部分，2名博士生，3名硕士生和6名本科生将接受培训。博士和硕士生将领导在每个主题进行的研究。该研究计划将推进现有的努力，通过开发新的隐私增强方法，将加拿大隐私法规，社会规范和用户的隐私期望作为系统设计的一部分，促进一系列下游隐私增强系统和应用程序。