Publications catalogue - books



Security, Privacy, and Trust in Modern Data Management

Milan Petković ; Willem Jonker (eds.)

Abstract/Description - provided by the publisher

Not available.

Keywords - provided by the publisher

Not available.

Availability

Detected institution | Year of publication | Browse | Download | Request
Not detected | 2007 | SpringerLink | |

Information

Resource type:

books

Print ISBN

978-3-540-69860-9

Electronic ISBN

978-3-540-69861-6

Publisher

Springer Nature

Country of publication

United Kingdom

Publication date

Publication rights information

© Springer-Verlag Berlin Heidelberg 2007

Table of contents

Privacy-Preserving Data Mining

Ljiljana Brankovic; Md. Zahidul Islam; Helen Giggins

Despite enormous benefits and the extremely fast proliferation of data mining in recent years, data owners and researchers alike have acknowledged that data mining also revives old and introduces new threats to individual privacy. Many believe that data mining is, and will continue to be, one of the most significant privacy challenges in years to come.

We live in an information age where vast amounts of personal data are regularly collected in the process of bank transactions, credit-card payments, making phone calls, using reward cards, visiting doctors and renting videos and cars, to mention but a few examples. All these data are typically used for data mining and statistical analysis and are often sold to other companies and organizations.

A breach of privacy occurs when individuals are not aware that the data have been collected in the first place, have been passed onto other companies and organizations, or have been used for purposes other than the one for which they were originally collected. Even when individuals approve of use of their personal records for data mining and statistical analysis, for example in medical research, it is still assumed that only aggregate values will be made available to researchers and that no individual values will be disclosed.

Various techniques can be employed in order to ensure the confidentiality of individual records and other sensitive information. They include adding noise to the original data, so that disclosing perturbed data does not necessarily reveal the confidential individual values. Some techniques were developed specifically for mining vertically and/or horizontally partitioned data. In this scenario each partition belongs to a different party (e.g., a hospital), and no party is willing to share their data but they all have interest in mining the total data set comprising all of the partitions. There are other techniques that focus on protecting confidentiality of logic rules and patterns discovered from data.

In this chapter we introduce the main issues in privacy-preserving data mining, provide a classification of existing techniques and survey the most important results in this area.

Part III - Privacy Enhancing | Pp. 151-165

Statistical Database Security

Ljiljana Brankovic; Helen Giggins

Statistical database security focuses on the protection of confidential individual values stored in so-called statistical databases and used for statistical purposes. Examples include patient records used by medical researchers, and detailed phone call records, statistically analyzed by phone companies in order to improve their services. This problem became apparent in the 1970s and has escalated in recent years due to massive data collection and growing social awareness of individual privacy.

The techniques used for preventing statistical database compromise fall into two categories: noise addition, where all data and/or statistics are available but are only approximate rather than exact, and restriction, where the system only provides those statistics and/or data that are considered safe. In either case, a technique is evaluated by measuring both the information loss and the achieved level of privacy. The goal of statistical data protection is to maximize the privacy while minimizing the information loss. In order to evaluate a particular technique it is important to establish a theoretical lower bound on the information loss necessary to achieve a given level of privacy. In this chapter, we present an overview of the problem and the most important results in the area.

Part III - Privacy Enhancing | Pp. 167-181
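The data-mining chapter and this one describe the same two families of protection: restricting which statistics are released, and adding noise. The Python program below is an added example, not code from either chapter. It shows a query-set-size restriction, a tracker attack that defeats it with two individually permitted queries, and noise addition evaluated by the information-loss versus privacy trade-off the abstract describes. The records, salaries and minimum query-set size are constructed for the illustration.

```python
"""Statistical database protection: restriction, a tracker attack on it,
and noise addition measured by information loss versus privacy.

Added example, not code from either chapter. RECORDS is a constructed toy
statistical database; salary is the confidential attribute.
"""
import random
from statistics import mean

# Constructed records: (name, department, gender, salary)
RECORDS = [
    ("alice", "eng",   "f", 120),
    ("bob",   "eng",   "m", 100),
    ("carol", "eng",   "f", 110),
    ("dave",  "sales", "m",  90),
    ("erin",  "sales", "f",  95),
    ("frank", "sales", "m",  85),
    ("grace", "hr",    "f", 105),
]
MIN_QUERY_SET = 2  # restriction: refuse any statistic over fewer records


def restricted_sum(predicate, records=RECORDS, min_size=MIN_QUERY_SET):
    """Restriction: answer SUM(salary) only for a large enough query set.
    Returns None when the query is refused."""
    hits = [r[3] for r in records if predicate(r)]
    if len(hits) < min_size:
        return None
    return sum(hits)


def tracker_attack(target_dept, target_gender, records=RECORDS):
    """Compromise a record that is unique within (dept, gender) although the
    direct query is refused: ask for the department total and for the
    department without the target's gender. Both pass the size check, and
    their difference is the target's salary."""
    dept_total = restricted_sum(lambda r: r[1] == target_dept, records)
    others = restricted_sum(
        lambda r: r[1] == target_dept and r[2] != target_gender, records)
    if dept_total is None or others is None:
        return None
    return dept_total - others


def perturb(records, scale, rng):
    """Noise addition: perturb each confidential value once, so repeated
    queries cannot average the noise away, and release statistics over
    the perturbed copy."""
    return [(n, d, g, s + rng.gauss(0, scale)) for (n, d, g, s) in records]


def evaluate(scale, seed=1):
    """Information loss: error in the released mean salary.
    Privacy: mean absolute error an attacker makes when reading an
    individual perturbed value as the true one."""
    pert = perturb(RECORDS, scale, random.Random(seed))
    info_loss = abs(mean(r[3] for r in RECORDS) - mean(r[3] for r in pert))
    privacy = mean(abs(a[3] - b[3]) for a, b in zip(RECORDS, pert))
    return info_loss, privacy


def tracker_on_perturbed(scale, seed=1):
    """The same tracker run against the perturbed release: it still gets an
    answer, but a noisy one rather than bob's true salary."""
    return tracker_attack("eng", "m", perturb(RECORDS, scale, random.Random(seed)))


if __name__ == "__main__":
    print("direct query refused:", restricted_sum(lambda r: r[1] == "eng" and r[2] == "m"))
    print("tracker recovers bob:", tracker_attack("eng", "m"))
    print("tracker on perturbed data:", tracker_on_perturbed(5))
    for scale in (0, 5, 20):
        print("noise scale", scale, "-> (information loss, privacy) =", evaluate(scale))
```

The restriction refuses the one-record query for the only man in engineering, yet the department total minus the women's total returns his salary exactly; that is the kind of compromise the restriction category alone cannot rule out. Raising the noise scale raises the privacy figure and the information loss together, which is the trade-off the chapter bounds from below.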

Different Search Strategies on Encrypted Data Compared

Richard Brinkman

When private information is stored in databases that are under the control of others, the only possible way to protect it is to encrypt it before storing it. In order to efficiently retrieve the data, a search mechanism that still works over the encrypted data is needed. In this chapter an overview of several search strategies is given. Some add meta-data to the database and do the searching only in the metadata, others search in the data itself or use secret sharing to solve the problem. Each strategy has its own advantages and disadvantages.

Part III - Privacy Enhancing | Pp. 183-196
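Of the strategies the abstract lists, the meta-data approach is the easiest to show concretely: the client attaches keyed keyword tokens to each ciphertext, and the server matches a search trapdoor against those tokens without ever touching the payload. The Python program below is an added example, not code from the chapter. The HMAC-token index and the SHA-256 counter-mode keystream cipher are illustrative choices (the cipher is unauthenticated), and the documents are constructed. It also shows what such a deterministic index leaks regardless: which stored documents share a keyword.

```python
"""Search over encrypted data via an encrypted keyword index (the
meta-data strategy).

Added example, not code from the chapter. The client keeps two keys: one
for the payload cipher, one for HMAC keyword tokens. The server stores
ciphertexts plus tokens and matches a trapdoor against them without
learning the keyword. The payload cipher is a SHA-256 counter-mode
keystream without authentication, an illustration rather than a
production cipher; the documents are constructed.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_payload(key, plaintext):
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt_payload(key, blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def keyword_token(index_key, word):
    """Deterministic keyed token: equal keywords give equal tokens, so the
    server can match without the key, but also sees which documents share a word."""
    return hmac.new(index_key, word.lower().encode(), hashlib.sha256).digest()


class Client:
    def __init__(self):
        self.enc_key = secrets.token_bytes(32)
        self.idx_key = secrets.token_bytes(32)

    def prepare(self, doc_id, text):
        """Ciphertext plus the meta-data the server will search."""
        tokens = {keyword_token(self.idx_key, w) for w in text.split()}
        return doc_id, encrypt_payload(self.enc_key, text.encode()), tokens

    def trapdoor(self, word):
        return keyword_token(self.idx_key, word)

    def open(self, blob):
        return decrypt_payload(self.enc_key, blob).decode()


class Server:
    def __init__(self):
        self.store = {}

    def put(self, doc_id, blob, tokens):
        self.store[doc_id] = (blob, tokens)

    def search(self, trapdoor):
        """Search touches only the meta-data, never the payload."""
        return sorted(d for d, (_, toks) in self.store.items() if trapdoor in toks)

    def token_frequencies(self):
        """Leakage of a deterministic index: the server learns, per token,
        how many documents contain it, even though it cannot read the word."""
        counts = {}
        for _, toks in self.store.values():
            for t in toks:
                counts[t] = counts.get(t, 0) + 1
        return sorted(counts.values(), reverse=True)


def demo():
    client, server = Client(), Server()
    docs = {"d1": "patient has diabetes",   # constructed documents
            "d2": "patient has asthma",
            "d3": "invoice paid"}
    for doc_id, text in docs.items():
        server.put(*client.prepare(doc_id, text))
    hits = server.search(client.trapdoor("patient"))
    plaintexts = [client.open(server.store[d][0]) for d in hits]
    return hits, plaintexts, server.token_frequencies()
```

The search costs the server one set lookup per document and reveals nothing about the word itself, but the frequency profile of the tokens (two documents share two tokens here) is exactly the kind of advantage-versus-disadvantage the abstract refers to: a strategy that searches the data itself, or one built on secret sharing, trades this leakage for more work.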

Client-Server Trade-Offs in Secure Computation

Berry Schoenmakers; Pim Tuyls

In the framework of secure computation based on threshold homomorphic cryptosystems, we consider scenarios in which a lightweight client device provides encrypted input to a secure computation to be performed on the server side. The computational power at the server side is assumed to be much higher than on the client side. We show how to trade-off work for the client against work for the server such that the total amount of work increases moderately. These client-server trade-offs are considered in detail for two applications: private biometrics and electronic voting.

Part III - Privacy Enhancing | Pp. 197-211
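To make the client-server work split concrete, the Python program below is an added example, not code from the chapter, of the private-biometrics application over an additively homomorphic cryptosystem. It uses single-key Paillier rather than the threshold variant the chapter assumes, so the client alone decrypts; the primes are tiny demonstration values and the templates are constructed bit strings.

```python
"""Client-server secure computation with an additively homomorphic
cryptosystem: encrypted Hamming distance for private biometric matching.

Added example, not code from the chapter. Single-key Paillier stands in
for the threshold scheme the chapter uses, and P, Q are tiny demonstration
primes, so this is not a secure parameter set.
"""
import math
import secrets

P, Q = 1009, 1013  # demonstration primes only


class Paillier:
    def __init__(self, p=P, q=Q):
        self.n = p * q
        self.n2 = self.n * self.n
        self.g = self.n + 1
        lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # private exponent
        self._lam = lam
        self._mu = pow(lam, -1, self.n)

    def encrypt(self, m):
        """Public-key operation: c = g^m * r^n mod n^2 with fresh random r."""
        while True:
            r = secrets.randbelow(self.n - 1) + 1
            if math.gcd(r, self.n) == 1:
                break
        return pow(self.g, m, self.n2) * pow(r, self.n, self.n2) % self.n2

    def decrypt(self, c):
        """Private-key operation, client side only."""
        u = pow(c, self._lam, self.n2)
        return (u - 1) // self.n * self._mu % self.n

    def add(self, c1, c2):
        """E(a) * E(b) = E(a + b)."""
        return c1 * c2 % self.n2

    def neg(self, c):
        """E(a)^-1 = E(-a); valid because Paillier ciphertexts are units mod n^2."""
        return pow(c, -1, self.n2)


def client_encrypt_template(key, bits):
    """Client: one encryption per template bit (two modular exponentiations each)."""
    return [key.encrypt(b) for b in bits]


def server_encrypted_hamming(key, enc_bits, ref_bits):
    """Server, public key only: x XOR y = x + y - 2xy. With y in the clear,
    y = 0 gives E(x) and y = 1 gives E(1 - x) = E(1) * E(x)^-1.
    Multiplying the per-bit terms sums the distance under encryption."""
    acc = key.encrypt(0)  # fresh randomness so the result is re-randomised
    for c, y in zip(enc_bits, ref_bits):
        term = key.add(key.encrypt(1), key.neg(c)) if y else c
        acc = key.add(acc, term)
    return acc


def match(key, probe_bits, ref_bits, threshold):
    """Full round trip: the client decrypts only the distance and never sees
    the reference template; the server never sees the probe bits."""
    enc = client_encrypt_template(key, probe_bits)
    dist = key.decrypt(server_encrypted_hamming(key, enc, ref_bits))
    return dist, dist <= threshold


if __name__ == "__main__":
    key = Paillier()
    probe = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed templates
    ref   = [1, 1, 1, 0, 0, 0, 1, 1]
    print(match(key, probe, ref, threshold=2))  # -> (3, False)
```

The split is visible in the two functions: the client pays one encryption per bit, the server pays one inversion and one multiplication per bit plus the encryptions of the constant, and only a single decryption travels back. Shifting more of that per-bit work to the server while keeping the total moderate is the trade-off the chapter studies.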

Federated Identity Management

Jan Camenisch; Birgit Pfitzmann

The more real business and interaction with public authorities is performed in digital form, the more important the handling of identities over open networks becomes. The rise in identity theft as a result of the misuse of global but unprotected identifiers like credit card numbers is one strong indicator of this. Setting up individual passwords between a person and every organization he or she interacts with also offers very limited security in practice. Federated identity management addresses this critical issue. Classic proposals like Kerberos and PKIs never gained wide acceptance because of two problems: actual deployment to end users and privacy. We describe modern approaches that solve these problems. The first approach is browser-based protocols, where the user only needs a standard browser without special settings. We discuss the specific protocol types and security challenges of this protocol class, as well as what level of privacy can and cannot be achieved within this class. The second approach, private credentials, solves the problems that none of the prior solutions could solve, but requires the user to install some local software. Private credentials allow the user to reveal only the minimum information necessary to conduct transactions. In particular, it enables unlinkable transactions even for certified attributes. We sketch the cryptographic solutions and describe how optional properties such as revocability can be achieved, in particular in the idemix system.

Part III - Privacy Enhancing | Pp. 213-238

Accountable Anonymous Communication

Claudia Diaz; Bart Preneel

In this chapter we motivate the need for anonymity at the communication layer and describe the potential risks of having traceable communications. We then introduce the legal requirements on data retention and motivate the need for revocability of anonymity upon the request of law enforcement.

We describe the main building blocks for anonymous communication and for anonymity revocation. We explain how these building blocks can be combined in order to build a revocable anonymous communication infrastructure that fulfills both privacy and law enforcement requirements.

Part III - Privacy Enhancing | Pp. 239-253

An Introduction to Digital Rights Management Systems

Willem Jonker

This chapter gives a concise introduction to digital rights management (DRM) systems by first presenting the basic ingredients of the architecture of DRM systems for (audio and/or video) content delivery, followed by an introduction to two open-standard DRM systems, one developed in the mobile world (Open Mobile Alliance DRM) and another one in the world of consumer electronics (Marlin).

Part IV - Digital Asset Protection | Pp. 257-265

Copy Protection Systems

Joop Talstra

The bulk of today's commercial audio and video content is distributed on (optical) media. As this business model is vulnerable to copying, the content is protected with some copy protection system (CPS) or other. In this chapter we look at the historic origins of Copy Protection and the basic technological ingredients of a CPS: media binding, broadcast encryption, and key hierarchies. Attention will also be devoted to auxiliary technologies such as watermarking and secure authenticated channels. We conclude with a review of new CPS components in upcoming protection systems.

Part IV - Digital Asset Protection | Pp. 267-285
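Broadcast encryption and key hierarchies are the two CPS ingredients that can be shown in a few lines. The Python program below is an added example, not code from the chapter or from any deployed CPS: it implements the complete-subtree method over a binary tree of device keys, one standard broadcast-encryption construction, with a SHA-256 XOR mask standing in for a real key-wrap algorithm. The master secret, tree size and revocation list are constructed.

```python
"""Copy protection building blocks: a device key hierarchy and broadcast
encryption of a title key with the complete-subtree method.

Added example, not code from the chapter or from any deployed CPS. Key
wrapping is a SHA-256 XOR mask (illustration, not a standard key wrap);
the master secret and revocation list are constructed.
"""
import hashlib

DEPTH = 3  # 2**DEPTH devices; heap numbering, root = 1, leaves = 8..15


def node_key(master, node):
    """The licensor derives every tree-node key from one master secret."""
    return hashlib.sha256(master + b"node" + node.to_bytes(4, "big")).digest()


def device_keys(master, leaf):
    """Key hierarchy: a device receives the keys of all nodes on its path to the root."""
    keys, node = {}, leaf
    while node >= 1:
        keys[node] = node_key(master, node)
        node //= 2
    return keys


def cover(revoked, depth=DEPTH):
    """Complete-subtree cover: the maximal subtrees containing no revoked leaf.
    Root-first traversal; a node is emitted as soon as its subtree is clean."""
    revoked = set(revoked)

    def leaves_under(node, d):
        lo = node << (depth - d)
        return range(lo, lo + (1 << (depth - d)))

    out = []

    def walk(node, d):
        if revoked.isdisjoint(leaves_under(node, d)):
            out.append(node)
        elif d < depth:  # a revoked leaf itself contributes nothing
            walk(2 * node, d + 1)
            walk(2 * node + 1, d + 1)

    walk(1, 0)
    return out


def wrap(key, title_key):
    """Toy key wrap: XOR the title key with SHA-256(key). Self-inverse."""
    mask = hashlib.sha256(b"wrap" + key).digest()
    return bytes(a ^ b for a, b in zip(title_key, mask))


def disc_header(master, title_key, revoked):
    """What goes on the medium: the title key wrapped under each cover-node key."""
    return [(node, wrap(node_key(master, node), title_key)) for node in cover(revoked)]


def player_recover(my_keys, header):
    """A non-revoked player holds exactly one cover-node key on its path;
    a revoked player holds none and gets None."""
    for node, blob in header:
        if node in my_keys:
            return wrap(my_keys[node], blob)
    return None


if __name__ == "__main__":
    master, title = b"licensor-master-secret", bytes(range(32))  # constructed
    header = disc_header(master, title, revoked=[9])
    print("cover nodes:", [n for n, _ in header])  # [8, 5, 3]
    print("device 8 recovers title key:", player_recover(device_keys(master, 8), header) == title)
    print("revoked device 9 gets:", player_recover(device_keys(master, 9), header))
```

Revoking device 9 costs three header entries instead of one (the root), and devices 8 and 10 to 15 each still find a key on their own path. The header grows with the number of revoked devices times the tree depth, which is why practical systems care about tree shape and about the key-hierarchy variants the chapter surveys.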

Forensic Watermarking in Digital Rights Management

Michiel van der Veen; Aweke Lemma; Mehmet Celik; Stefan Katzenbeisser

In this chapter, we give a brief introduction to digital watermarking and discuss its applications in DRM systems. Watermarks are particularly useful in DRM systems due to their ability to bridge the gap between the analog and digital domains. In playback control applications, a watermark is embedded in the master copy of the content and encodes associated usage rules, which are enforced by compliant devices during playback. In forensic tracking applications, on the other hand, a unique watermark is embedded in each individual copy of the content; this watermark allows the authorities to identify the source of an illegal copy. After discussing the basic principles of spread spectrum watermarks, we outline the architecture of an online content distribution system that employs watermarks in order to enable forensic tracking.

Part IV - Digital Asset Protection | Pp. 287-302
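The spread-spectrum principle and its forensic-tracking use can be shown together. The Python program below is an added example, not code from the chapter: every recipient's copy carries an additive pseudo-random +/-1 sequence keyed by that recipient, and the owner identifies a leaked copy by correlating it against each candidate sequence, here after the leaked copy has been re-quantised and had noise added. The host signal, recipient list and seeds are constructed.

```python
"""Spread-spectrum watermarking for forensic tracking.

Added example, not code from the chapter. Each copy carries an additive
pseudo-random +/-1 sequence keyed by a per-recipient seed; detection is
normalised correlation against each candidate sequence. The host signal,
recipient list and tampering are constructed for the illustration.
"""
import random
from statistics import mean, pstdev

N_SAMPLES = 4096
STRENGTH = 2.0    # watermark amplitude; the constructed host has std ~10
THRESHOLD = 5.0   # the statistic is ~N(0,1) for a wrong key, so 5 is a safe bar


def spreading_sequence(seed, length):
    """Pseudo-random +/-1 chips; the seed is the recipient's watermark key."""
    rng = random.Random(seed)
    return [rng.choice((-1.0, 1.0)) for _ in range(length)]


def embed(host, seed, strength=STRENGTH):
    """Additive spread spectrum: y = x + strength * w."""
    return [x + strength * w for x, w in zip(host, spreading_sequence(seed, len(host)))]


def correlate(signal, seed):
    """Normalised correlation statistic. For the embedding key it grows like
    strength*sqrt(N)/std(signal); for any other key it stays ~N(0,1)."""
    w = spreading_sequence(seed, len(signal))
    m = mean(signal)  # remove DC so an offset cannot bias the sum
    total = sum((x - m) * c for x, c in zip(signal, w))
    return total / (pstdev(signal) * len(signal) ** 0.5)


def identify_source(suspect, recipients, threshold=THRESHOLD):
    """Forensic tracking: the recipient whose key correlates above threshold,
    or None if no known watermark is present."""
    scores = {name: correlate(suspect, seed) for name, seed in recipients.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > threshold else None


def demo():
    rng = random.Random(2024)
    host = [rng.gauss(0.0, 10.0) for _ in range(N_SAMPLES)]  # constructed host signal
    recipients = {"alice": 101, "bob": 202, "carol": 303}    # constructed keys
    copies = {name: embed(host, seed) for name, seed in recipients.items()}
    # Leaked copy of bob's, degraded: re-quantised to integers plus noise.
    leaked = [round(x + rng.gauss(0.0, 3.0)) for x in copies["bob"]]
    return identify_source(leaked, recipients), identify_source(host, recipients)


if __name__ == "__main__":
    print(demo())  # ('bob', None)
```

With 4096 samples the correct key scores around 12 while wrong keys and the unmarked original stay within a few units of zero, so mild re-quantisation and noise do not hide the source; this robustness to signal processing, rather than to a determined collusion of several recipients, is what the additive spread-spectrum scheme buys on its own.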

Person-Based and Domain-Based Digital Rights Management

Paul Koster

This chapter discusses two important concepts in digital rights management (DRM). The first concept is authorized domains, which bind content to a domain, allowing the content to be accessed on a set of devices. The second concept is person-based DRM, which binds content to a person and makes it available after authentication. Special focus is given to the combination of these concepts, which we call the personal entertainment domain (PED). We discuss the advantages and present the architecture of this concept.

Part IV - Digital Asset Protection | Pp. 303-316