Invasion of Privacy?

How do we reap the benefits of a wired world while ensuring that online information remains both private and secure?

French police officers (photo credit: FRANCOIS MORI / AP)
For those of us who have embraced the digital, wired world – which means nearly all of us by now – our computers and smartphones can sometimes feel like extensions of our very selves.
Along with all the obvious benefits that have led us so eagerly to adopt what the Web has to offer, however, as we grow increasingly comfortable with reams of data about ourselves, our likes and interests, and our histories being uploaded and stored in the “cloud” of cyberspace, the once clearly defined boundaries between private and public life are being blurred, to an extent that has raised no small amount of concern.
“To put it simply, Google now knows more about you than you know about yourself,” says Yehuda Lindell, a cryptologist at Bar-Ilan University’s Department of Computer Science, who was recently awarded a 2 million euro grant from the European Union to tackle the thorny question of how society can ensure that online information remains both private and secure, providing us with the benefits of a wired world without tossing aside into history’s dustbin the cherished concept of privacy. His published work, some of which is already regarded as landmark, is part of a growing interest in the subject of privacy in computer studies.
Lindell has no shortage of examples to explain why computer professionals should invest effort in reflecting on the possible threats to privacy that the digital world brings with it. Consider as basic an act as Web searching, something most of us could not conceive of doing without in our daily and business lives. It seems innocuous enough, but think about how much information about you someone could collect just by compiling a list of all the search terms you entered into a search engine, such as Google or Bing, over the past year. That list would inform whoever was reading it of what you were interested in, what you cared to learn and know, and when and how that evolved.
Were you looking up information on medieval history? Studying fashion tips? Asking for directions to a certain location? Seeking tips on how to kill your husband and get away with it? Looking for the plans for the construction of a nuclear device? In a sense, stringing together your search requests might be the nearest thing to a mind reader available today, which is not something you just want to hand away. But a good deal of what you get on the Web today is made available for free precisely because someone else has access to your searches.
That is the basis of targeted advertising, and there have already been cases in which databases of stored search histories have leaked.
Sites such as Amazon actively build profiles of their customers to tailor suggestions for future purchases on past purchases and browsing history. Technology seers have for some time been predicting that individualized, learning-capable “digital personal assistants” will be created for each of us, observing the patterns of our actions so well that they will be able to accurately predict what websites we wish to visit, or what purchases we may want to make.
Another possible trade-off between privacy and efficiency may soon arise if suggested digital medical histories of every individual, which would be made available to attending physicians, become a common reality. The lifesaving potential of such a personalized digital history is obvious. With a scan of a patient’s medical history, a physician will instantly be informed of critical data for diagnosis and the selection of the most effective and safest treatment.
“But suppose you go to have a light scratch of your skin treated,” asks Lindell.
“Should the doctor have access to information that, for example, you have been undergoing psychiatric treatment? There may be cases where that is relevant if you are taking medication that could react badly with another medication prescribed to you. But it may also be entirely irrelevant, and then questions of your right to privacy could be raised.”
Lindell sits in a spacious office on the Bar-Ilan University campus, equipped with a high-tech “smartboard” that can snap photographs of the equations that he writes on the board for later review or for sharing with a colleague or student. “It can be a very convenient collaborative tool,” he says.
There is no shortage of people who would be pleased to collaborate with him on a research project, given that some of his published papers are already considered groundbreaking and are widely cited.
Originally from Melbourne, Australia, Lindell came to Israel at age 20, following in the footsteps of his elder sister, and was later joined here by his parents. He earned his BSc and MSc degrees at Bar-Ilan University, and his PhD in Computer Science at the Weizmann Institute.
Following a successful two-year postdoctoral stint at the Cryptographic Research Group at the IBM Watson Research Laboratory in the United States, he returned to take a faculty position at Bar-Ilan University in 2004, where he is today an associate professor.
Lindell stresses that concern about privacy, in the context of computer cryptography, is different from encryption of data, which is primarily intended to secure information in order to keep it hidden from people who have not been granted access to it.
“Classic” data encryption, such as the encryption implemented on hard disks or credit card information passed over the Web, is by now a fairly mature and well-established industry. Privacy concerns, which form a relatively new subject in computer science, look beyond the binary question of “no access” or “yes access” to check whether too much is being exposed even to those who have been granted legitimate access to the information. In a rough analogy, one might consider classic data encryption to be akin to the security guards posted at the entrance to a building containing classified secrets; only those who can get by security may read the classified documents.
But we may want those who are let in the building to be further distinguished in terms of what grade of classified information they have access to, and to be allowed to read the secret documents strictly on a need-to-know basis.
Sometimes the sheer volume of data available is enough to create new privacy issues that did not exist in the past, as the example of putting together a year’s worth of a person’s search queries illustrates – a single search item might not tell you a great deal about a person, but the patterns that emerge from looking at a sufficient number of searches give an entirely different perspective.
Another example that privacy advocates point to is the volume of data gathered by cameras erected in public areas.
Defenders of the cameras say that it is impossible to claim a right to privacy in a public square, since there was never a presumption of privacy in public places.
Opponents retort that, although it is true that in the past if you did not want anyone to know you were in London, and then your friends Alice and Bob saw you walking across Leicester Square, you were out of luck, now someone with access to the totality of camera captures throughout London could recapitulate your movements the entire day – information that in the past only a stalker could acquire.
Another theme that often emerges in discussions of technological privacy is that of security versus privacy. Data gathering by governments increased exponentially after the attacks on the United States in September 2001. Apparently, most people feel that they are willing to give up some aspects of data privacy if they receive increased security in return, the way they put up with frustrating and sometimes intrusive security inspections before they can board an airplane flight.
What researchers like Lindell are asking is to what extent can security be ensured without compromising privacy.
An example Lindell gives involves the “no-fly list” that the United States government has compiled, with names of suspect individuals who should not be permitted to board a flight. Any flight originating in the US, or scheduled to land there, must receive Homeland Security clearance, which is given after the manifest of passengers on the flight is submitted to authorities who compare the names to the names on the no-fly list.
“The problem with that is that the government now has much more information than what is needed for security,” explains Lindell, “which is the yes or no answer to the question of whether a suspect on the no-fly list is trying to board a flight. I accept that that is necessary for security. But if the government always receives the full list of passengers, then beyond that it can store information on where each of us, even the non-suspects, is travelling and when. Why should the government be able to keep data on when I am flying from Boston to New York? Is security more important than privacy? Yes. But if we can get both, why not? The issue of security and privacy appears at many levels. Should the FBI have unfettered access to CIA files? Sometimes that is essential, but it should be limited. If all agencies share all information, a single mole can compromise all agencies.”
The solution that Lindell and fellow researchers have found for many of these privacy issues involves what they call “database intersection.”
Nearly all of the examples of threats to privacy raised by digital technology involve the holder of information found on one list, or database, seeking to ascertain whether his or her list’s information overlaps with the information on the list that another person or entity is holding. The no-fly list example is precisely of this form: The government has a list of suspects not permitted to fly, and it seeks to know whether there is an overlap of the names on its list with the names on the passenger manifest of a scheduled airline flight.
The trick is to enable the overlap to be discovered without granting one party access to the entire database held by the other party. In the ideal situation, the fact of the overlap is made known to both parties, without either one learning more information than what is already on its databases.
Lindell has managed to create computer protocols that achieve precisely that goal, using standard smartcards already in circulation and a good deal of advanced mathematical analysis involving pseudorandom functions and secret keys.
“The advantages are that no party learns anything beyond the output it gives,” he says.
“At the same time, the output is guaranteed to be correct, and one party cannot make its input depend on the other party’s inputs, while security is preserved in the presence of adversarial behavior.”
Once one grasps the idea that solving database intersection challenges is the key to guarding many threats to privacy, many more examples come to mind. To take one, banks in Israel are granted access to the Interior Ministry’s population registry database.
There is legitimate reasoning behind this state of affairs, ranging from steps the banks are required to take to fight money laundering, to the need to inform banks of the deaths of clients, to avoid situations in which the bank accounts of the deceased remain inactive for long periods of time without anyone noticing. But all they need to know in that case is whether there is an overlap between their lists of clients and the list of deceased citizens, not full access to the population registry database.
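The no-fly list and the bank-versus-population-registry cases above are the same computation: one party holds a list, the other holds a list, and only the overlap should come out. The following is an added illustration written for this article, not Lindell's protocol or code; it shows the shape of the idea the article describes (a pseudorandom function under a secret key, with the key kept inside a smartcard) using HMAC-SHA256 as the pseudorandom function and a Python object standing in for the card. The list holder tags its own entries under a fresh key and hands over the card plus the tags, never the key or the plaintext list; the other party can only ask the card to tag its own entries, a capped number of times, and keeps those whose tags match. All names, function names and the evaluation budget are constructed for the example.

```python
"""Toy private set intersection built from a keyed pseudorandom function held
inside a simulated smartcard.  Constructed illustration for this article; it is
not Lindell's protocol, and the simulated card is not tamper-resistant."""
import hashlib
import hmac
import secrets


def _normalise(item: str) -> bytes:
    # Collapse whitespace and case so "Bob  JONES" and "bob jones" tag identically.
    return " ".join(item.split()).casefold().encode("utf-8")


def prf(key: bytes, item: str) -> bytes:
    """Pseudorandom function: HMAC-SHA256 under a secret key.  Without the key,
    a tag reveals nothing usable about the item it was derived from."""
    return hmac.new(key, _normalise(item), hashlib.sha256).digest()


class SimulatedSmartcard:
    """Stand-in for a card programmed by the list holder.

    Only evaluate() is exposed: the key never leaves the object, and the number
    of evaluations is capped, so the borrowing party cannot run unlimited
    guesses against the tag set it receives.
    """

    def __init__(self, key: bytes, evaluation_budget: int):
        self._key = key
        self._remaining = evaluation_budget

    def evaluate(self, item: str) -> bytes:
        if self._remaining <= 0:
            raise PermissionError("smartcard evaluation budget exhausted")
        self._remaining -= 1
        return prf(self._key, item)

    @property
    def remaining(self) -> int:
        return self._remaining


def issue_card(own_items, counterparty_size):
    """List holder's step: pick a fresh key, tag its own list, and program a
    card with exactly enough evaluations for the counterparty's declared list
    size.  Returns (card, tags); neither the key nor the plaintext list leaves."""
    key = secrets.token_bytes(32)
    tags = frozenset(prf(key, item) for item in own_items)
    return SimulatedSmartcard(key, evaluation_budget=counterparty_size), tags


def compute_intersection(card, tags, own_items):
    """Counterparty's step: tag its own items with the borrowed card and keep
    those whose tags appear in the received set.  It learns which of *its*
    items are on the other list, and nothing about the rest of that list."""
    return sorted(item for item in own_items if card.evaluate(item) in tags)


def no_fly_check(no_fly_list, manifest):
    """Government holds the no-fly list; the airline holds the manifest.  Only
    the matching passenger names are reported back, not the full manifest."""
    card, tags = issue_card(no_fly_list, counterparty_size=len(manifest))
    return compute_intersection(card, tags, manifest)


# Constructed sample data (fictional names).
NO_FLY_LIST = ["Carol Danvers", "Mallory Mallet", "Trent Trudeau"]
MANIFEST = ["Alice Smith", "Bob Jones", "mallory  mallet", "Dave Brown"]
DECEASED_REGISTRY = ["Frank Fields", "Bob Jones"]
BANK_CLIENTS = ["Alice Smith", "Bob Jones", "Erin Eve"]

if __name__ == "__main__":
    print("flagged passengers:", no_fly_check(NO_FLY_LIST, MANIFEST))
    card, tags = issue_card(DECEASED_REGISTRY, counterparty_size=len(BANK_CLIENTS))
    print("deceased clients:", compute_intersection(card, tags, BANK_CLIENTS))
```

Two things the toy makes visible that the prose only implies. The evaluation cap is what stops the borrowing party from simply feeding every plausible name through the card and recovering the whole list from the tags, so in a real deployment the card's tamper resistance and counter are doing the security work, and the list holder must trust them. And the toy does nothing about a counterparty that lies about its list or under-reports matches; the correctness and adversarial-behaviour guarantees Lindell mentions require the additional machinery of the actual protocol, not just a keyed hash.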
“These sorts of issues can be solved in legal ways or technological ways,” says Lindell. “The technological solution is better if it is implemented in a way that cannot be circumvented.”
He points to another recent example, in 2008, when allegations arose of overlaps in the lists of registered members of the Likud and Kadima parties, creating a potential difficulty in Israel’s closed primary system.
The issue was resolved by granting then-attorney general Menachem Mazuz access to the databases of both party rolls to check for names appearing in both.
“This is an outrageous solution,” says Lindell. “Party membership is confidential. And it is not that I do not trust the integrity of the attorney general. But can we be sure that he, or his clerks, know how to encrypt the data they receive in the most secure way? Can we be sure that people who want to gain access to the data will not infiltrate his office, even using the cleaning staff? My point is that a technological solution to the database intersection problem avoids all these questions.”
The EU grant which Lindell has been awarded is meant to develop his ideas on secure privacy protocols further and complete a “proof of concept” feasibility project that can influence government policy makers and corporate entities managing databases.
He is also working on finding ways to compute on encrypted databases on the Web without necessarily downloading entire databases. The two million euro, five-year European Research Council grant he has received comes to about 2 million shekels per year, an immense amount of money for an Israeli researcher. “It makes a huge difference,” he reports, “in paying for research assistants, PhD students, post-docs, software engineers, equipment and so forth.”
It is perhaps not surprising that the source of Lindell’s grant is European.
“There is low awareness of privacy issues in Israel,” he says. “In the US, the 9/11 attack shifted emphases from privacy to security. In Europe there seems to be much greater awareness of it, partly because of their history with organizations like the Gestapo and the Stasi collecting information wholesale on people to be used against them.”
The European Union has put in place privacy laws that greatly limit the movement of information beyond the borders of the EU. In addition, in Europe the legal definition of personal data is broader than the corresponding definitions in the US, and the EU regards even names, addresses and phone numbers as constituting protected personal data.
Lindell’s work could have significant commercial application. He has worked as a consultant at Aladdin Knowledge Systems, an Internet and content security firm, and notes that “a website that is as good as its rivals, but has better guaranteed privacy, is likely to have an advantage in gaining customers.”
But the biggest interest at the moment is from governments around the world. And that alone is a potentially vast market.