Hippocratic databases (2002)
Venue: In 28th Int’l Conference on Very Large Databases, Hong Kong
Citations: 250 - 17 self
Citations
1278 |
Applied Cryptography
- Schneier
- 1996
Citation Context ...hanged, it must be transmitted over a secure channel and stored securely to prevent unauthorized access. There is extensive literature on access control and encryption that is relevant [12] [38] [45] =-=[46]-=-. Hippocratic databases will also benefit from the work on database security [7] [30]. Of particular interest is work on multilevel relations in the context of multilevel secure databases [23] [24] [5... |
1184 |
Database and Knowledge-Base Systems
- Ullman
- 1989
Citation Context ...nd granularity analysis is that the redundancy may be hidden in the application code. Hence it would be nice to have minimal query generation. Will the work done in the context of universal relations =-=[54]-=- apply here? 5.4 Limited Disclosure Our strawman design works well at limiting disclosure when the set of external recipients is clearly defined at the time information is submitted. However, allowing... |
808 |
Fundamentals of Database Systems
- Elmasri, Navathe
- 2000
Citation Context ...e validity of the data. 5. Resiliency, the ability to recover from system failures without losing data. Other database text books also provide a similar list for the capabilities of a database system =-=[16]-=- [40] [48]. For instance, in [48], the primary goal of a database system is said to be providing an environment that is both convenient and efficient to use in retrieving and storing information. The ... |
613 | Cryptography and Data Security
- Denning
- 1982
Citation Context ...compromises [8], suppression of data cells of small size [9], and clustering entities into mutually exclusive atomic populations [61]. The perturbation family includes swapping values between records =-=[12]-=-, replacing the original database by a sample from the same distribution [33] [42], adding noise to the values in the database [52] [57], adding noise to the results of a query [4], and sampling the r... |
431 | Practical techniques for searches on encrypted data
- Song, Wagner, et al.
- 2000
Citation Context ...ption has serious performance implications. Encrypting a column renders it useless for searching other than exact matches. How do we index encrypted data? How do we run queries against them? See [21] =-=[49]-=- for some current work on searches over encrypted data. 5.7 Openness At first glance, openness may appear easy: is it any different from checking a bank account online? However, consider a scenario wh... |
412 | Security-control methods for statistical databases
- Adam, Wortmann
- 1989
Citation Context ...ses was motivated by the desire to be able to provide statistical information (sum, count, average, maximum, minimum, th percentile, etc.) without compromising sensitive information about individuals =-=[1]-=- [47]. The proposed techniques can be broadly classified into query restriction and data perturbation. The query restriction family includes restricting the size of query results [13] [18], controllin... |
382 |
Database Management Systems
- Ramakrishnan
- 1998
Citation Context ...idity of the data. 5. Resiliency, the ability to recover from system failures without losing data. Other database text books also provide a similar list for the capabilities of a database system [16] =-=[40]-=- [48]. For instance, in [48], the primary goal of a database system is said to be providing an environment that is both convenient and efficient to use in retrieving and storing information. The contr... |
340 | Executing SQL over encrypted data in the database service provider model
- Hacigumus, Iyer, et al.
- 2002
Citation Context ...t. We assume the standard suite of database security features such as access control [7] [30]. Some data items may be stored in encrypted form (using the Encryption Support) to guard against snooping =-=[21]-=- [22] [39]. We did not discuss support for the Principle of Openness in this section. While supporting openness may seem easy at first glance, it in fact leads to a set of interesting problems that we... |
306 | Supporting multiple access control policies in database systems.
- Bertino, Jajodia, et al.
- 1996
Citation Context ...8] [45] [46]. Hippocratic databases will also benefit from the work on database security [7] [30]. Of particular interest is work on multilevel relations in the context of multilevel secure databases =-=[23]-=- [24] [50]. It allows multiple levels of security (e.g., top secret, secret, confidential, unclassified) to be defined and associated with individual attribute values. The security level of a query ma... |
260 |
Principles of Database and
- Ullman
- 1988
Citation Context ...h out a strawman design for a Hippocratic database in Section 4. We give a set of technical challenges in Section 5, and conclude with some closing remarks in Section 6. 2 Current Database Systems In =-=[53]-=-, the following two properties are considered fundamental for a database system: 1. The ability to manage persistent data. 2. The ability to access a large amount of data efficiently. In addition, the... |
259 |
Randomized response: A survey technique for eliminating evasive answer bias
- Warner
- 1965
Citation Context ...he perturbation family includes swapping values between records [12], replacing the original database by a sample from the same distribution [33] [42], adding noise to the values in the database [52] =-=[57]-=-, adding noise to the results of a query [4], and sampling the result of a query [11]. Hippocratic databases share with statistical databases the goal of preventing disclosure of private information, ... |
221 | Providing database as a service
- Hacigumus, Iyer, et al.
- 2002
Citation Context ... assume the standard suite of database security features such as access control [7] [30]. Some data items may be stored in encrypted form (using the Encryption Support) to guard against snooping [21] =-=[22]-=- [39]. We did not discuss support for the Principle of Openness in this section. While supporting openness may seem easy at first glance, it in fact leads to a set of interesting problems that we disc... |
192 | Potter’s wheel: An interactive data cleaning system.
- Raman, Hellerstein
- 2001
Citation Context ...of purposes combined with the information in the privacy-authorizations table will be used to restrict access. Data Preprocessing The Data Accuracy Analyzer may run some data cleansing functions [19] =-=[41]-=- against the data to check for accuracy either before or after data insertion, thus addressing the Principle of Accuracy. In our example, Alice’s address may be checked against a database of street ad... |
177 | Formal models for computer security.
- Landwehr
- 1981
Citation Context ...nauthorized access. There is extensive literature on access control and encryption that is relevant [12] [38] [45] [46]. Hippocratic databases will also benefit from the work on database security [7] =-=[30]-=-. Of particular interest is work on multilevel relations in the context of multilevel secure databases [23] [24] [50]. It allows multiple levels of security (e.g., top secret, secret, confidential, un... |
175 | Beyond concern: Understanding net users' attitudes about online privacy.
- J, Ackerman
- 1999
Citation Context ...al permission from the Endowment. Proceedings of the 28th VLDB Conference, Hong Kong, China, 2002 that the Internet makes it easy for new data to be automatically collected and added to databases [6] =-=[10]-=- [58] [59] [60]. Privacy is the right of individuals to determine for themselves when, how and to what extent information about them is communicated to others. 2 Privacy concerns are being fueled by a... |
165 |
Database Security
- Castano, Fugini, et al.
- 1995
Citation Context ...nt unauthorized access. There is extensive literature on access control and encryption that is relevant [12] [38] [45] [46]. Hippocratic databases will also benefit from the work on database security =-=[7]-=- [30]. Of particular interest is work on multilevel relations in the context of multilevel secure databases [23] [24] [50]. It allows multiple levels of security (e.g., top secret, secret, confidentia... |
137 | The platform for enterprise privacy practices: privacy-enabled management of customer data.
- Karjoth, Schunter, et al.
- 2002
Citation Context ...od balance between expressibility and usability is a difficult problem. Ideas for reducing the complexity of the policy language include arranging purposes in a hierarchy (P3P uses a flat space). See =-=[26]-=- for some recent work in this direction. Subsumption relationships may also be defined for retention periods and recipients. For instance, the P3P recipients can be listed in descending order of priva... |
134 |
A survey of intrusion detection techniques
- Lunt
- 1993
Citation Context ...pose and by that user. The detector uses the Query Intrusion Model built by analyzing past queries for each purpose and each authorized user. This problem is related to that of intrusion detection [3] =-=[34]-=-. In our example, the profile for queries issued by customer-service and tagged purchase might be that the query only accesses customers whose order status is not “fulfilled”, and that customer-servic... |
133 | Protecting data privacy in private information retrieval schemes.
- Gertner, Ishai, et al.
- 2000
Citation Context ...ecurity number is often used in the U.S. as identification, which is problematic given the ease with which social security numbers can be obtained. work on symmetrically private information retrieval =-=[20]-=- [36]. However, the computational cost of these algorithms is still too high for large-scale deployment. 5.8 Compliance Universal Logging Generating audit trails that are in the hands of users could p... |
124 | Declarative data cleaning: Language, model, and algorithms
- Galhardas, Florescu, et al.
- 2001
Citation Context ... set of purposes combined with the information in the privacy-authorizations table will be used to restrict access. Data Preprocessing The Data Accuracy Analyzer may run some data cleansing functions =-=[19]-=- [41] against the data to check for accuracy either before or after data insertion, thus addressing the Principle of Accuracy. In our example, Alice’s address may be checked against a database of stre... |
112 |
Code, and Other Laws of Cyberspace. Basic Books,
- Lessig
- 1999
Citation Context ...We recognize that technology alone cannot address all of the concerns surrounding a complex issue like privacy. The total solution has to be a goulash of laws, societal norms, markets, and technology =-=[32]-=-. However, by advancing what is technically realizable, we can influence the proportion of the ingredients and the overall quality of the solution. We also recognize that all of the world’s data does ... |
102 |
Suppression Methodology and Statistical Disclosure Control.
- Cox
- 1980
Citation Context ...[18], controlling the overlap among successive queries [14], keeping audit trails of all answered queries and constantly checking for possible compromises [8], suppression of data cells of small size =-=[9]-=-, and clustering entities into mutually exclusive atomic populations [61]. The perturbation family includes swapping values between records [12], replacing the original database by a sample from the s... |
100 | Secure databases: Protection against user influence
- Dobkin, Jones, et al.
- 1979
Citation Context ...roadly classified into query restriction and data perturbation. The query restriction family includes restricting the size of query results [13] [18], controlling the overlap among successive queries =-=[14]-=-, keeping audit trails of all answered queries and constantly checking for possible compromises [8], suppression of data cells of small size [9], and clustering entities into mutually exclusive atomic... |
79 |
On the question of statistical confidentiality.
- Fellegi
- 1972
Citation Context ... individuals [1] [47]. The proposed techniques can be broadly classified into query restriction and data perturbation. The query restriction family includes restricting the size of query results [13] =-=[18]-=-, controlling the overlap among successive queries [14], keeping audit trails of all answered queries and constantly checking for possible compromises [8], suppression of data cells of small size [9],... |
77 | Secure statistical databases with random sample queries
- Denning
- 1980
Citation Context ...riginal database by a sample from the same distribution [33] [42], adding noise to the values in the database [52] [57], adding noise to the results of a query [4], and sampling the result of a query =-=[11]-=-. Hippocratic databases share with statistical databases the goal of preventing disclosure of private information, and hence some of the techniques developed for statistical databases will find applic... |
72 |
Statistical databases: characteristics, problems, and some solutions.
- Shoshani
- 1982
Citation Context ...was motivated by the desire to be able to provide statistical information (sum, count, average, maximum, minimum, th percentile, etc.) without compromising sensitive information about individuals [1] =-=[47]-=-. The proposed techniques can be broadly classified into query restriction and data perturbation. The query restriction family includes restricting the size of query results [13] [18], controlling the... |
70 | A data distortion by probability distribution.
- Liew, Choi, et al.
- 1985
Citation Context ...entities into mutually exclusive atomic populations [61]. The perturbation family includes swapping values between records [12], replacing the original database by a sample from the same distribution =-=[33]-=- [42], adding noise to the values in the database [52] [57], adding noise to the results of a query [4], and sampling the result of a query [11]. Hippocratic databases share with statistical databases... |
70 |
The statistical security of a statistical database
- Traub, Yemini, et al.
- 1984
Citation Context ...1]. The perturbation family includes swapping values between records [12], replacing the original database by a sample from the same distribution [33] [42], adding noise to the values in the database =-=[52]-=- [57], adding noise to the results of a query [4], and sampling the result of a query [11]. Hippocratic databases share with statistical databases the goal of preventing disclosure of private informat... |
65 | The tracker: A threat to statistical database security.
- Denning, Denning, et al.
- 1979
Citation Context ...about individuals [1] [47]. The proposed techniques can be broadly classified into query restriction and data perturbation. The query restriction family includes restricting the size of query results =-=[13]-=- [18], controlling the overlap among successive queries [14], keeping audit trails of all answered queries and constantly checking for possible compromises [8], suppression of data cells of small size... |
65 |
Practical data-swapping: The first steps
- Reiss
- 1984
Citation Context ...ies into mutually exclusive atomic populations [61]. The perturbation family includes swapping values between records [12], replacing the original database by a sample from the same distribution [33] =-=[42]-=-, adding noise to the values in the database [52] [57], adding noise to the results of a query [4], and sampling the result of a query [11]. Hippocratic databases share with statistical databases the ... |
54 |
Internet Security: Firewalls and Beyond.
- Oppliger
- 1997
Citation Context ...ion is exchanged, it must be transmitted over a secure channel and stored securely to prevent unauthorized access. There is extensive literature on access control and encryption that is relevant [12] =-=[38]-=- [45] [46]. Hippocratic databases will also benefit from the work on database security [7] [30]. Of particular interest is work on multilevel relations in the context of multilevel secure databases [2... |
51 | Adam: A testbed for exploring the use of data mining in intrusion detection
- Barbará, Couto, et al.
- 2001
Citation Context ... purpose and by that user. The detector uses the Query Intrusion Model built by analyzing past queries for each purpose and each authorized user. This problem is related to that of intrusion detection =-=[3]-=- [34]. In our example, the profile for queries issued by customer-service and tagged purchase might be that the query only accesses customers whose order status is not “fulfilled”, and that customer-s... |
51 | Polyinstantiation integrity in multi-level relations
- Jajodia, Sandhu
- 1990
Citation Context ...5] [46]. Hippocratic databases will also benefit from the work on database security [7] [30]. Of particular interest is work on multilevel relations in the context of multilevel secure databases [23] =-=[24]-=- [50]. It allows multiple levels of security (e.g., top secret, secret, confidential, unclassified) to be defined and associated with individual attribute values. The security level of a query may be ... |
49 |
A security mechanism for statistical database
- Beck
- 1980
Citation Context ...es between records [12], replacing the original database by a sample from the same distribution [33] [42], adding noise to the values in the database [52] [57], adding noise to the results of a query =-=[4]-=-, and sampling the result of a query [11]. Hippocratic databases share with statistical databases the goal of preventing disclosure of private information, and hence some of the techniques developed f... |
38 |
Design of LDV - a Multilevel Secure Relational Database Management System
- P, Thuraisingham
- 1990
Citation Context ...6]. Hippocratic databases will also benefit from the work on database security [7] [30]. Of particular interest is work on multilevel relations in the context of multilevel secure databases [23] [24] =-=[50]-=-. It allows multiple levels of security (e.g., top secret, secret, confidential, unclassified) to be defined and associated with individual attribute values. The security level of a query may be highe... |
34 | On the Value of Private Information - Kleinberg, Papadimitriou, et al. - 2001 |
32 |
E-commerce and privacy: what net users want
- Westin
- 1998
Citation Context ...rmission from the Endowment. Proceedings of the 28th VLDB Conference, Hong Kong, China, 2002 that the Internet makes it easy for new data to be automatically collected and added to databases [6] [10] =-=[58]-=- [59] [60]. Privacy is the right of individuals to determine for themselves when, how and to what extent information about them is communicated to others. 2 Privacy concerns are being fueled by an eve... |
28 |
Regulating Privacy: Data Protection and Public Policy
- Bennett
- 1992
Citation Context ...untability [43]. Consent and disclosure limitation are covered under collection limitation and use limitation respectively. Countries around the world have used OECD guidelines to develop legal codes =-=[5]-=-. The Canadian Standard Association’s Model Code for the protection of Personal Information builds upon the OECD guidelines and suggests standards for the design of information systems. The CSA Model ... |
20 | A novel decomposition of multilevel relations into single-level relations
- Jajodia, Sandhu
- 1991
Citation Context ...onal cost of privacy checking in the path length of a record fetch? Multilevel secure databases face similar efficiency issues and it will be instructive to adopt techniques from this literature [23] =-=[25]-=- [50]. It is easy to see that in some cases, the record level checks can be converted into meta-data level checks. We need to understand under what conditions can these checks be compiled away or thei... |
17 |
Freebies and privacy: What the net users think.
- Westin
- 1999
Citation Context ...rom the Endowment. Proceedings of the 28th VLDB Conference, Hong Kong, China, 2002 that the Internet makes it easy for new data to be automatically collected and added to databases [6] [10] [58] [59] =-=[60]-=-. Privacy is the right of individuals to determine for themselves when, how and to what extent information about them is communicated to others. 2 Privacy concerns are being fueled by an ever increasi... |
15 | Symmetrically private information retrieval
- Mishra, Sarkar
- 2000
Citation Context ...ty number is often used in the U.S. as identification, which is problematic given the ease with which social security numbers can be obtained. work on symmetrically private information retrieval [20] =-=[36]-=-. However, the computational cost of these algorithms is still too high for large-scale deployment. 5.8 Compliance Universal Logging Generating audit trails that are in the hands of users could provid... |
13 |
The Death of Privacy
- Time
- 1997
Citation Context ...tabases are increasing even faster [37]. In concert with this dramatic and escalating increase in digital data, concerns about the privacy of personal information have emerged globally [15] [17] [37] =-=[51]-=-. Privacy issues are further exacerbated now 1 Translation by Heinrich Von Staden. In a Pure and Holy Way: Personal and Professional Conduct in the Hippocratic Oath. Journal of the History of Medicine... |
12 |
Fair Information Practices and the Architecture of Privacy (What Larry Doesn’t Get)’, Stanford Technology Law Review
- Rotenberg
- 2001
Citation Context ...y Regulations and Guidelines The United States Privacy Act of 1974 set out a comprehensive regime limiting the collection, use, and dissemination of personal information held by Federal agencies [43] =-=[44]-=-. The Act requires the agencies to i) permit an individual to determine what records pertaining to him are collected, maintained, used, or disseminated; ii) permit an individual to prevent records per... |
10 |
and the Rights of Citizen,
- Records
- 1973
Citation Context ...ch occur as a result of willful or intentional action which violates any individual’s right under this Act. The concepts underlying the Privacy Act have come to be known as Fair Information Practices =-=[55]-=-, and have contributed to the development of important international guidelines for privacy protection. The most well known of these are the OECD guidelines, which set out eight principles for data pr... |
9 |
Auditing and inference control in statistical databases
- Chin, Ozsoyoglu
- 1982
Citation Context ...s restricting the size of query results [13] [18], controlling the overlap among successive queries [14], keeping audit trails of all answered queries and constantly checking for possible compromises =-=[8]-=-, suppression of data cells of small size [9], and clustering entities into mutually exclusive atomic populations [61]. The perturbation family includes swapping values between records [12], replacing... |
9 |
The social contract core
- Kaufman, Edlund, et al.
Citation Context ...m for ensuring that users can be informed about privacy policies before they release personal information, it does not provide a mechanism for making sure sites act according to their stated policies =-=[28]-=- [44]. Hippocratic databases can go a long way in adding enforcement dimension to the P3P initiative. A P3P policy essentially describes the purpose of the collection of information along with the int... |
9 |
Privacy concerns & consumer choice
- Westin
- 1998
Citation Context ...ion from the Endowment. Proceedings of the 28th VLDB Conference, Hong Kong, China, 2002 that the Internet makes it easy for new data to be automatically collected and added to databases [6] [10] [58] =-=[59]-=- [60]. Privacy is the right of individuals to determine for themselves when, how and to what extent information about them is communicated to others. 2 Privacy concerns are being fueled by an ever inc... |
9 |
A study on the protection of statistical databases
- Yu, Chin
- 1977
Citation Context ...it trails of all answered queries and constantly checking for possible compromises [8], suppression of data cells of small size [9], and clustering entities into mutually exclusive atomic populations =-=[61]-=-. The perturbation family includes swapping values between records [12], replacing the original database by a sample from the same distribution [33] [42], adding noise to the values in the database [5... |
8 |
Directive on Privacy Protection
- Union
- 1998
Citation Context ...mber of databases are increasing even faster [37]. In concert with this dramatic and escalating increase in digital data, concerns about the privacy of personal information have emerged globally [15] =-=[17]-=- [37] [51]. Privacy issues are further exacerbated now 1 Translation by Heinrich Von Staden. In a Pure and Holy Way: Personal and Professional Conduct in the Hippocratic Oath. Journal of the History o... |
6 |
The Platform for Privacy
- Marchiori
- 2002
Citation Context ...ol over the use of their personal information on web sites they visit. P3P provides a way for a Web site to encode its data-collection practices in a machine-readable XML format known as a P3P policy =-=[35]-=-, which can be programmatically compared against a user’s privacy preferences [31]. A major criticism of P3P has been that while P3P provides a technical mechanism for ensuring that users can be infor... |
4 |
Database System Concepts, McGraw-Hill, 3rd edition,
- Silberschatz, Korth, et al.
- 1997
Citation Context ... of the data. 5. Resiliency, the ability to recover from system failures without losing data. Other database text books also provide a similar list for the capabilities of a database system [16] [40] =-=[48]-=-. For instance, in [48], the primary goal of a database system is said to be providing an environment that is both convenient and efficient to use in retrieving and storing information. The control of... |
3 |
A survey of the world wide web security
- Rubin, Greer
- 1998
Citation Context ...s exchanged, it must be transmitted over a secure channel and stored securely to prevent unauthorized access. There is extensive literature on access control and encryption that is relevant [12] [38] =-=[45]-=- [46]. Hippocratic databases will also benefit from the work on database security [7] [30]. Of particular interest is work on multilevel relations in the context of multilevel secure databases [23] [2... |
2 |
Privacy and human rights. Electronic Privacy Information
- Banisar
- 2000
Citation Context ...ttributed to Alan Westin, Professor Emeritus of Public Law and Government, Columbia University. 3 Samuel Warren and Louis Brandeis. The right to privacy. Harvard Law Review 4 (1890) 193–220. See also =-=[2]-=-. Hippocratic databases can provide guidance for incorporating similar principles in other types of data repositories. The structure of the rest of the paper is as follows. Section 2 discusses current... |
2 |
The Privacy Law Sourcebook 2000
- Rotenberg
- 2000
Citation Context ...rivacy Regulations and Guidelines The United States Privacy Act of 1974 set out a comprehensive regime limiting the collection, use, and dissemination of personal information held by Federal agencies =-=[43]-=- [44]. The Act requires the agencies to i) permit an individual to determine what records pertaining to him are collected, maintained, used, or disseminated; ii) permit an individual to prevent record... |