[talks] J Calandrino preFPO

Melissa Lawson mml at CS.Princeton.EDU
Mon Apr 4 10:21:17 EDT 2011

Joe Calandrino will present his preFPO on Friday April 8 at 4PM in Room 402.  The members
of his committee are:  Ed Felten, advisor; Andrew Appel and Jen Rexford, readers; Brian
and David Walker, nonreaders.  Everyone is invited to attend his talk.  His abstract
follows below.

Title:  Control of Sensitive Data in Systems with Novel Functionality

Advances in computer science have enabled analysis of data in ways 
previously unthinkable.  This has led to powerful new uses of data, 
often with positive results.  For systems utilizing sensitive data, 
however, an adversary's ability to scrutinize revealed output for 
sensitive details has also increased.  The threat is particularly great 
for systems with novel functionality.  Novel uses of data are often 
accompanied by implicit assumptions.  As a result, exposure of seemingly 
innocuous information may reveal underlying sensitive data in unexpected 
new ways.  We study this issue in the context of three diverse cases.

The first case that we consider is fill-in-the-bubble forms, which are 
used in a variety of situations where protection or confirmation of 
identity is critical.  Although bubble-form surveys, election ballots, 
or standardized test forms are often treated as anonymous, we 
demonstrate that individuals complete bubbles in a distinctive manner, 
allowing de-anonymization.  Second, we consider collaborative filtering 
recommender systems, which often use sensitive transactions to infer 
relationships between items.  We show that an attacker can exploit 
dynamic changes in recommendations to infer individual underlying 
transactions.  Finally, we explore the use of machines and algorithms in 
election auditing to ensure an accurate election outcome efficiently 
without compromising ballot secrecy or trusting voting machines.  Each 
case employs sensitive data in unique ways, yielding unique vectors for 
data leakage.
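The recommender-system attack above can be illustrated with a toy sketch. This is not the thesis's actual method; it only shows the general idea that an attacker who knows some of a target's items can watch public "related items" scores across two snapshots, and treat items whose scores rose alongside the target's known items as candidate hidden transactions. All item names and scores here are hypothetical.

```python
# Toy illustration (hypothetical data): inferring a hidden transaction
# from dynamic changes in an item-item recommender's public output.

def infer_purchase(before, after, known_items):
    """before/after: {item: {related_item: score}} public snapshots.
    Items whose association scores rose with respect to several of the
    target's known items are ranked as candidate hidden purchases."""
    votes = {}
    for item in known_items:
        for other, score in after.get(item, {}).items():
            if score > before.get(item, {}).get(other, 0):
                votes[other] = votes.get(other, 0) + 1
    # Rank candidates by how many of the target's known items shifted
    # toward them between the two snapshots.
    return sorted(votes, key=lambda o: -votes[o])

# The target is known to have items "bookA" and "bookB"; between the two
# snapshots, "bookC" moved closer to both of them.
before = {"bookA": {"bookC": 2, "bookD": 5},
          "bookB": {"bookC": 1}}
after  = {"bookA": {"bookC": 3, "bookD": 5},
          "bookB": {"bookC": 2}}
print(infer_purchase(before, after, ["bookA", "bookB"]))  # -> ['bookC']
```

In a real system the attacker would need many snapshots and statistical aggregation to separate the target's effect from other users' activity; the sketch only conveys why seemingly innocuous aggregate output can leak individual transactions.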

For systems utilizing sensitive data in novel ways, developers must 
carefully assess the relationship between that data and the system's 
output.  Undesirable inferences frequently stem from unstated or 
untested assumptions that no meaningful link exists.  Careful evaluation 
can make these assumptions explicit and address them before releasing 
data to potential adversaries.