J Calandrino preFPO
Joe Calandrino will present his preFPO on Friday April 8 at 4PM in Room 402. The members of his committee are: Ed Felten, advisor; Andrew Appel and Jen Rexford, readers; Brian Kernighan and David Walker, nonreaders. Everyone is invited to attend his talk. His abstract follows below.

-------------------------------

Title: Control of Sensitive Data in Systems with Novel Functionality

Abstract:

Advances in computer science have enabled analysis of data in ways previously unthinkable. This has led to powerful new uses of data, often with positive results. For systems utilizing sensitive data, however, an adversary's ability to scrutinize revealed output for sensitive details has also increased. The threat is particularly great for systems with novel functionality. Novel uses of data are often accompanied by implicit assumptions. As a result, exposure of seemingly innocuous information may reveal underlying sensitive data in unexpected new ways. We study this issue in the context of three diverse cases. The first case that we consider is fill-in-the-bubble forms, which are used in a variety of situations where protection or confirmation of identity is critical. Although bubble-form surveys, election ballots, or standardized test forms are often treated as anonymous, we demonstrate that individuals complete bubbles in a distinctive manner, allowing de-anonymization. Second, we consider collaborative filtering recommender systems, which often use sensitive transactions to infer relationships between items. We show that an attacker can exploit dynamic changes in recommendations to infer individual underlying transactions. Finally, we explore the use of machines and algorithms in election auditing to ensure an accurate election outcome efficiently without compromising ballot secrecy or trusting voting machines. Each case employs sensitive data in unique ways, yielding unique vectors for data leakage.
For systems utilizing sensitive data in novel ways, developers must carefully assess the relationship between that data and the system's output. Undesirable inferences frequently stem from unstated or untested assumptions that no meaningful link exists. Careful evaluation can make these assumptions explicit and address them before releasing data to potential adversaries.
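The second case in the abstract (inferring a transaction from changes in recommendations) can be made concrete with a toy model. The Python below is an added illustration, not code from the talk or from the announcement. It assumes an item-to-item recommender that publishes, for every item, the top-k items most often bought together with it, and an attacker who already knows two items the target owns (auxiliary information, an assumption not stated on this page) and compares two snapshots of the public lists. All users, items and purchases are constructed sample data.

```python
"""Added illustration, not code from the talk: a toy item-to-item
recommender and a passive observer who infers a target user's new
purchase from changes in the public "related items" lists.
Every user, item and purchase here is constructed sample data."""
from collections import defaultdict
from itertools import combinations


def related_items(purchases, k=2):
    """Public output of the toy recommender: for each item, the k items
    most often bought together with it. Ties are broken alphabetically
    so that two snapshots of the same data are identical."""
    co = defaultdict(lambda: defaultdict(int))
    for items in purchases.values():
        for a, b in combinations(sorted(items), 2):
            co[a][b] += 1
            co[b][a] += 1
    return {
        item: [other for other, _ in
               sorted(co[item].items(), key=lambda kv: (-kv[1], kv[0]))[:k]]
        for item in co
    }


def infer_new_purchase(before, after, aux_items, threshold=2):
    """Attacker side. `aux_items` are items the attacker already knows the
    target owns (assumed auxiliary information). An item that newly
    appears in the related lists of at least `threshold` of those items
    between two snapshots is attributed to the target."""
    votes = defaultdict(int)
    for a in aux_items:
        for item in set(after.get(a, [])) - set(before.get(a, [])):
            votes[item] += 1
    return sorted(item for item, v in votes.items() if v >= threshold)


# Constructed sample data: the target owns A and B; item X is the
# sensitive purchase the attacker wants to detect.
BASE_PURCHASES = {
    "target": {"A", "B"},
    "u1": {"A", "C"}, "u2": {"A", "C"}, "u3": {"A", "D"}, "u4": {"A", "X"},
    "u5": {"B", "C"}, "u6": {"B", "C"}, "u7": {"B", "D"}, "u8": {"B", "X"},
}
TARGET_AUX = {"A", "B"}


def run_demo():
    """Return (inferred when the target buys X, inferred when u3 buys X)."""
    before = related_items(BASE_PURCHASES)

    # Case 1: the target buys X. X's co-purchase count with both A and B
    # rises, so X enters both public lists at once.
    after_target = {u: set(s) for u, s in BASE_PURCHASES.items()}
    after_target["target"].add("X")
    hit = infer_new_purchase(before, related_items(after_target), TARGET_AUX)

    # Case 2: an unrelated user (u3, who owns A but not B) buys X.
    # X enters only A's list, below the vote threshold: no inference.
    after_other = {u: set(s) for u, s in BASE_PURCHASES.items()}
    after_other["u3"].add("X")
    miss = infer_new_purchase(before, related_items(after_other), TARGET_AUX)
    return hit, miss


if __name__ == "__main__":
    print(run_demo())  # (['X'], [])
```

The point the toy makes is the one in the abstract: no individual transaction is ever published, yet the aggregate output moves in a way that is correlated with one user's action, and an observer who can take before/after snapshots and holds a little auxiliary knowledge can recover that action. The vote threshold is the practitioner's caveat: a single list changing is weak evidence, since any user who shares one item with the target produces the same change in that one list.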
Participants (1): Melissa Lawson