Re: Random Privacy
This is an old statistical technique. You need to know ahead of time which answer is more likely and have a bias in your randomizer. A classic example: Did you cheat on your wife last year? If you were born between January and September, reverse your answer.

-- 
Julian Assange         | If you want to build a ship, don't drum up people
                       | together to collect wood or assign them tasks and
[EMAIL PROTECTED]      | work, but rather teach them to long for the endless
[EMAIL PROTECTED]      | immensity of the sea. -- Antoine de Saint Exupery
Re: Random Privacy
On Sat, 21 Sep 2002 13:15:18 -0700, AARG!Anonymous [EMAIL PROTECTED] writes:

| On the contrary, TCPA/Palladium can solve exactly this problem. It allows the marketers to *prove* that they are running a software package that will randomize the data before storing it. And because Palladium works in opposition to their (narrowly defined) interests, they can't defraud the user by claiming to randomize the data while actually storing it for marketing purposes.

Yup.. This bit I agree with (contrary to the other reply to your message). There are still issues over the correctness of that aforementioned randomizing package: is it correctly designed and implemented? AFAIK Pd would let a user know it was being run.

| Ironically, those who like to say that Palladium gives away root on your computer would have to say in this example that the marketers are giving away root to private individuals. In answering their survey questions, you in effect have root privileges on the surveyor's computers, by this simplistic analysis. This further illustrates how misleading is this characterization of Palladium technology in terms of root privileges.

Actually, I'd exactly call Palladium as being root over my machine, maybe a part of my machine (a Tor/NUB/whatever), but root.. It could be claimed that I have a choice as to whether or not I wish to run the 'other' software. However, I've always had that choice (the power switch). It's still root.

The idea I believe is that I'm supposed to be mollified by the idea (as you suggest) that I can get root on someone else's machine, to control what they can and can't do.. However, little is said that the reverse applies to me; someone has root on *my* machine. Now, that might not be bad, if it weren't for the power imbalance between me and them. Why do I have a 'bonus saver' card for 3 grocery store chains? Why am I stuck with draconian EULAs that promise nothing and take away everything?

Scott
Re: Random Privacy
| As a resident of Ontario, Canada, I'm quite surprised to learn that
| Ontario has been annexed by the United States.
|
| Randomized geography. :)
|
| Ontario, California?

I could see where people who read the article might assume that; I just happened to know that Dr. Ann Cavoukian is the Information Privacy Commissioner for Ontario, Canada.

| Of course, California is another country. :-).

Heh, no kidding ;)

-- 
[EMAIL PROTECTED] // RSA Key: 0x1606F91D // DSS Key: 0x83BB5BE4
The kind of man who wants the government to adopt and enforce his ideas is always the kind of man whose ideas are idiotic. -- H.L. Mencken
RE: Random Privacy
Said Greg Vassie:

| Right now, the rate of falsification on Web surveys is extremely high, says Dr Ann Coavoukian, the commissioner of information and privacy in Ontario, U.S.A. People are lying and vendors don't know what is false [or what is] accurate, so the information is useless.
|
| As a resident of Ontario, Canada, I'm quite surprised to learn that Ontario has been annexed by the United States.
..

Heh-heh: the author must be lying.
..

Blanc
Re: Random Privacy
On Sat, 21 Sep 2002, R. A. Hettinga wrote:

| Ontario, California?

You will laugh, but some inattentive air travellers sometimes confuse these two :)

| Of course, California is another country. :-).
Re: Random Privacy
On Saturday, September 21, 2002, at 09:29 AM, Tim May wrote:

| Not a new idea. Ted Nelson (IIRC) wrote about using coin flips to randomize AIDS poll questions. (Have you engaged in unprotected sex? Flip a coin and XOR it with your actual answer.) I remember talking to Eric Hughes, Phil Salin, and others around 1990-91 about this.
|
| (However, IBM is probably busily copyrighting their new invention, just as Intel copyright their recent invention of the anonymous remailer.)

I meant patented in both cases.

Part of the continuing idiocy of our patent system, when obvious prior art going back more than a decade counts for nothing in the blizzard of patents.

--Tim May
Re: Random Privacy
Greg Broiles wrote about randomizing survey answers:

| That doesn't sound like a solution to me - they haven't provided anything to motivate people to answer honestly, nor do they address the basic problem, which is relying on the good will and good behavior of the marketers - if a website visitor is unwilling to trust a privacy policy which says We'll never use this data to annoy or harm you, they're likely to be unimpressed with a privacy policy which says We'll use fancy math tricks to hide the information you give us from ourselves.
|
| That's not going to change unless they move the randomizing behavior off of the marketer's machine and onto the visitor's machine, allowing the visitor to observe and verify the correct operation of the privacy technology .. which is about as likely as a real audit of security-sensitive source code, where that likelihood is tiny now and shrinking rapidly the closer we get to the TCPA/Palladium nirvana.

On the contrary, TCPA/Palladium can solve exactly this problem. It allows the marketers to *prove* that they are running a software package that will randomize the data before storing it. And because Palladium works in opposition to their (narrowly defined) interests, they can't defraud the user by claiming to randomize the data while actually storing it for marketing purposes.

Ironically, those who like to say that Palladium gives away root on your computer would have to say in this example that the marketers are giving away root to private individuals. In answering their survey questions, you in effect have root privileges on the surveyor's computers, by this simplistic analysis. This further illustrates how misleading is this characterization of Palladium technology in terms of root privileges.
Re: Random Privacy
On Saturday, September 21, 2002, at 09:29 AM, Tim May wrote:

| On Saturday, September 21, 2002, at 02:16 AM, Blanc wrote:
|
| | Interesting little article from http://pass.maths.org.uk/issue21/news/random_privacy/index.html:
| |
| | Excerpt: How old are you? How much do you earn?
|
| Not a new idea. Ted Nelson (IIRC) wrote about using coin flips to randomize AIDS poll questions. (Have you engaged in unprotected sex? Flip a coin and XOR it with your actual answer.) I remember talking to Eric Hughes, Phil Salin, and others around 1990-91 about this.

(BTW, as you probably know or can imagine, there have been crypto methods proposed for safeguarding certain kinds of data collection, e.g., schemes using random coin flip protocols for answering questions like Are you homosexual? (supposedly useful for public health planners trying to deal with HIV/AIDS issues. The idea is that the pollee XORs his answer with a random bit. His answer then doesn't _implicate_ him, but overall statistics can still be deduced from a large enough sample. lawmakers will try to take us down the first path.

Cordian correctly points out that merely XORing with a random bit gives the same statistics as the random bit(s).

Now that I think about it, I recollect the proposal was something along these lines:

Alice is confronted with a question with a yes or no answer. She flips a coin. If the outcome is H, she answers the question honestly. If the outcome is T, she then flips another coin and gives that outcome as her answer.

Half the population of pollees is ostensibly answering honestly, the other half is randomizing. No particular person can be linked to an answer.

More sophisticated versions, as I recall, had more complicated series of coin tosses (to reduce noise).

--Tim May
Re: Random Privacy
At 12:32 PM -0400 on 9/21/02, Adam Shostack wrote:

| | Ontario, U.S.A. People are lying and vendors don't know what is false [or
| | what is] accurate, so the information is useless.
| |
| | As a resident of Ontario, Canada, I'm quite surprised to learn that
| | Ontario has been annexed by the United States.
|
| Randomized geography. :)

Ontario, California?

Of course, California is another country. :-).

Cheers,
RAH
-- 
- R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: Random Privacy
On Sat, Sep 21, 2002 at 10:29:16AM -0700, Tim May wrote:
| On Saturday, September 21, 2002, at 09:29 AM, Tim May wrote:
|
| | Not a new idea. Ted Nelson (IIRC) wrote about using coin flips to
| | randomize AIDS poll questions. (Have you engaged in unprotected sex?
| | Flip a coin and XOR it with your actual answer.) I remember talking to
| | Eric Hughes, Phil Salin, and others around 1990-91 about this.
| |
| | (However, IBM is probably busily copyrighting their new invention,
| | just as Intel copyright their recent invention of the anonymous
| | remailer.)
|
| I meant patented in both cases.
|
| Part of the continuing idiocy of our patent system, when obvious prior
| art going back more than a decade counts for nothing in the blizzard of
| patents.

Worse, patent attorneys tell me that pointing out prior art while a patent is being 'prosecuted' tends to weaken your case against it later if the patent examiner doesn't reject the thing whole cloth, because now the prior art has been considered.

The one obvious part of the answer is to raise the cost of getting patents such that it's worth the time of regular filers to consider if they want the patent, and such that patent examiners are paid well enough that they don't all leave in 3 years. (I say regular filers because there may be a good argument that small inventors should not be shut out of the system. Of course, they already are, because it's close to impossible, even for an experienced practitioner, to avoid any mistakes these days, which is why you often see half a dozen closely related patents on the same invention.)

For example, IBM is granted something on the order of 1000 patents per year. The cost to them? A few million dollars. If the cost on the 50th patent was a million bucks, then perhaps they'd abuse the system less. I don't think Edison ever got 50 patents in a year, and lord knows he was more inventive than all of IBM. :)

Adam
-- 
It is seldom that liberty of any kind is lost all at once. -Hume
Re: Random Privacy
On Sat, Sep 21, 2002 at 11:08:54AM -0400, Greg Vassie wrote:
| Interesting little article from
| http://pass.maths.org.uk/issue21/news/random_privacy/index.html:
|
| Excerpt:
| Right now, the rate of falsification on Web surveys is extremely high,
| says Dr Ann Coavoukian, the commissioner of information and privacy in
| Ontario, U.S.A. People are lying and vendors don't know what is false [or
| what is] accurate, so the information is useless.
|
| As a resident of Ontario, Canada, I'm quite surprised to learn that
| Ontario has been annexed by the United States.

Randomized geography. :)

Adam
-- 
It is seldom that liberty of any kind is lost all at once. -Hume
Re: Random Privacy
Tim wrote:

| Not a new idea. Ted Nelson (IIRC) wrote about using coin flips to randomize AIDS poll questions. (Have you engaged in unprotected sex? Flip a coin and XOR it with your actual answer.) I remember talking to Eric Hughes, Phil Salin, and others around 1990-91 about this.
|
| [snip]
|
| The idea is that the pollee XORs his answer with a random bit. His answer then doesn't _implicate_ him, but overall statistics can still be deduced from a large enough sample.

Uh, excuse me?! I can see how such an idea works if you add a random variable with a known mean to the data. A researcher could do this before storing the data, in order to protect the confidentiality of individual respondents, and still be able to compute aggregate statistics.

However, if you XOR a bit with a random bit, you have something equally likely to be in either state. Even a large collection of yes/no responses XORed with random bits is indistinguishable from random data.

So I am afraid I must give the prior message my coveted Silliest Thing Said On the Internet This Week award.

Chortle

-- 
Eric Michael Cordian 0+
O:.T:.O:. Mathematical Munitions Division
Do What Thou Wilt Shall Be The Whole Of The Law
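The three randomization schemes argued over in this thread, worked through in Python as an added example (this is not code from any of the posters, nor from the pass.maths.org.uk article): Tim May's two-coin protocol (answer honestly on heads, otherwise report a second coin), the XOR-with-a-bit scheme, with Julian Assange's "reverse your answer if born January to September" as the biased case (flip probability 3/4) and Eric Cordian's fair-coin objection as the uniform case (flip probability 1/2), plus a Bayes calculation showing how little a single reported "yes" reveals. The population sizes, true rates and seed are constructed sample values; the simulation uses only the standard library.

```python
"""Randomized response, as described in the thread (added example).

Two reporting schemes:
  * warner_report: with probability p_honest answer truthfully, otherwise
    flip a second fair coin and report that (Tim May's description).
  * xor_report: report true_answer XOR b, where b is 1 with probability
    q_flip.  q_flip = 0.75 is Assange's "reverse if born Jan-Sep";
    q_flip = 0.5 is the fair-coin XOR that Cordian objects to.
Either scheme hides any one respondent's answer; the population rate can
be recovered from the aggregate only when the randomizer is biased away
from the uniform case.
"""
import random


def warner_report(true_answer: bool, p_honest: float, rng: random.Random) -> bool:
    """One respondent's reported answer under the two-coin protocol."""
    if rng.random() < p_honest:          # first coin: heads -> honest
        return true_answer
    return rng.random() < 0.5            # tails -> report a second fair coin


def warner_estimate(observed_yes_rate: float, p_honest: float) -> float:
    """Invert E[reported yes] = p_honest * true_rate + (1 - p_honest) / 2."""
    if p_honest <= 0.0:
        raise ValueError("p_honest = 0 is pure noise; nothing to invert")
    return (observed_yes_rate - (1.0 - p_honest) / 2.0) / p_honest


def xor_report(true_answer: bool, q_flip: float, rng: random.Random) -> bool:
    """One respondent's reported answer: true answer XOR a biased bit."""
    return true_answer != (rng.random() < q_flip)


def xor_estimate(observed_yes_rate: float, q_flip: float) -> float:
    """Invert E[reported yes] = q_flip + true_rate * (1 - 2 q_flip).

    The slope (1 - 2 q_flip) is zero at q_flip = 0.5: a fair-coin XOR
    makes the aggregate independent of the population, as Cordian says.
    """
    slope = 1.0 - 2.0 * q_flip
    if abs(slope) < 1e-12:
        raise ValueError("fair-coin XOR carries no information about the population")
    return (observed_yes_rate - q_flip) / slope


def survey(true_rate: float, n: int, report, param: float, seed: int = 1) -> float:
    """Simulate n respondents (constructed population) and return the
    observed fraction of reported 'yes' answers."""
    rng = random.Random(seed)
    yes = 0
    for _ in range(n):
        true_answer = rng.random() < true_rate   # respondent's real answer
        if report(true_answer, param, rng):
            yes += 1
    return yes / n


def posterior_yes_given_reported_yes(prior_yes: float, p_honest: float) -> float:
    """Bayes: P(true = yes | reported = yes) under the two-coin protocol.

    This is what a pollster (or anyone who seizes the records) can infer
    about one person from one 'yes' on the form.
    """
    p_yes_if_yes = p_honest + (1.0 - p_honest) / 2.0   # honest yes, or lucky coin
    p_yes_if_no = (1.0 - p_honest) / 2.0               # only the second coin
    num = prior_yes * p_yes_if_yes
    return num / (num + (1.0 - prior_yes) * p_yes_if_no)


if __name__ == "__main__":
    N, TRUE_RATE = 100_000, 0.3                      # constructed sample values
    obs = survey(TRUE_RATE, N, warner_report, 0.5)
    print("two-coin: observed %.3f -> estimated %.3f" % (obs, warner_estimate(obs, 0.5)))
    obs = survey(TRUE_RATE, N, xor_report, 0.75)
    print("biased XOR: observed %.3f -> estimated %.3f" % (obs, xor_estimate(obs, 0.75)))
    for rate in (0.1, 0.9):
        print("fair XOR, true rate %.1f: observed %.3f" % (rate, survey(rate, N, xor_report, 0.5)))
    print("P(yes | reported yes), prior 0.3, p_honest 0.5: %.4f"
          % posterior_yes_given_reported_yes(0.3, 0.5))
```

With half the respondents answering honestly, a reported "yes" only moves the pollster's belief from a 30% prior to about 56%, which is the deniability Tim May describes; the price is that the estimate's sampling error is doubled relative to an honest poll, which is why the "more sophisticated versions" he mentions trade off noise against privacy by choosing p_honest.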
Re: Random Privacy
On Sat, Sep 21, 2002 at 01:15:18PM -0700, AARG!Anonymous wrote:
| Greg Broiles wrote about randomizing survey answers:
|
| | That doesn't sound like a solution to me - they haven't provided anything
| | to motivate people to answer honestly, nor do they address the basic
| | problem, which is relying on the good will and good behavior of the
| | marketers - if a website visitor is unwilling to trust a privacy policy
| | which says We'll never use this data to annoy or harm you, they're
| | likely to be unimpressed with a privacy policy which says We'll use
| | fancy math tricks to hide the information you give us from ourselves.
| |
| | That's not going to change unless they move the randomizing behavior
| | off of the marketer's machine and onto the visitor's machine,
| | allowing the visitor to observe and verify the correct operation of
| | the privacy technology .. which is about as likely as a real audit of
| | security-sensitive source code, where that likelihood is tiny now and
| | shrinking rapidly the closer we get to the TCPA/Palladium nirvana.
|
| On the contrary, TCPA/Palladium can solve exactly this problem. It allows
| the marketers to *prove* that they are running a software package that
| will randomize the data before storing it. And because Palladium works
| in opposition to their (narrowly defined) interests, they can't defraud
| the user by claiming to randomize the data while actually storing it
| for marketing purposes.

No, it allows security geeks to talk about proof. My mom still won't get it. Pd doesn't allow you to prove that there's no sniffer doing other things with the data, that nothing is logged at the wrong time, etc.

If you really want to randomize the data, do it close to me. Or better yet, run some software from Credentica and accept a proof of whatever data is in question.

But the reality is that people hand over most of their data now. So why would I invest in this expensive technology?

(Mike Freedman, Joan Feigenbaum, Tomas Sander and I did a paper which touches on the power imbalance between the companies that offer DRM technology and their customers... the same analysis applies here... http://www.homeport.org/~adam/privacyeng-wspdrm01.pdf )

Adam
-- 
It is seldom that liberty of any kind is lost all at once. -Hume