Privacy Advisor

Campus Roundup

August 1, 2008
Privacy Research at Colleges and Universities Worldwide


From data masking to the societal impact of radio frequency identification, students and faculty at colleges and universities worldwide are creating knowledge in many privacy-related areas. Here is a sampling:

Hearing Things
Researchers at the University of Portsmouth have designed artificial intelligence software that would make closed circuit television (CCTV) cameras sensitive to sounds. Specifically, the software enables the microphone-laden cameras to recognize sounds associated with violence, such as smashing glass, crowd noise or specific words, and the cameras could automatically swivel to record in the direction of the sound.

Saving Face
While Google blurs the faces of those captured on Street View, researchers at Columbia University have developed software that essentially replaces the face on an image with a hybridized version. It keeps the original eyes, nose and mouth, but morphs the remainder of the image with suitable features from among the 33,000 photos available on photo-sharing sites such as Flickr.com. Developers believe the software has potential for military personnel or eyewitnesses to crimes, in addition to Street View.

On Shuffle
A data shuffling developer at Oklahoma State University is collaborating with a researcher at the University of Kentucky to create a commercial data shuffling software program. Data shuffling helps protect confidential information from data mining and other privacy-invasive technologies. Rathindra Sarathy, the OSU researcher and creator of the method, said that, unlike other methods for masking sensitive data, shuffling makes the data appear more natural to users.

Internet Exchanges
Internet exchanges (IXes), the crossroads for network traffic, are advantageously positioned for the gathering of surveillance data, according to a recently released paper from two Cambridge University researchers. Using an experimental network, Steven Murdoch and Piotr Zielinski proved that, using a single IX, it is possible to reveal a lot of information about users. It is expected that this research will be influential in future studies about Internet surveillance.

Not so Anonymous
University of Texas researchers discovered privacy risks inherent in supposedly anonymized data sets. Arvind Narayanan and Vitaly Shmatikov studied large, publicly available data sets that had been cleansed of personally identifiable information, finding that, using efficient algorithms, it was possible to identify individuals. Read the report here: www.cs.utexas.edu/~shmat/shmat_netflix-prelim.pdf.

Wearing Tags
Researchers at the University of Washington are exploring the repercussions—both positive and negative—of widespread use of radio frequency identification technology (RFID). This year, as part of their RFID Ecosystem project, they fitted volunteers with RFID tags and outfitted an entire building with data-collecting antennas. "Our objective is to create a future world where RFID is everywhere," Professor Gaetano Borriello told the Seattle Times. "And figure out problems we'll run into before we get there."

Here's a summary on the project from Evan Welbourne, the lead graduate student on the RFID Ecosystem project and a Ph.D. candidate in Computer Science & Engineering.

The RFID Ecosystem project was motivated by the premise that, for better or for worse, tiny RFID chips may soon pervade every aspect of our daily lives. The project investigates consumer-oriented RFID systems in connection with technology, business and society.

Historically, RFID research has been limited to short-term experiments and user studies in restricted scenarios. In contrast, our project uses a permanent, building-scale test-bed with hundreds of RFID readers and thousands of RFID tags to create a living laboratory for long-term, in-depth research in applications, databases, privacy, security and systems. A central question in this research is in the balance between privacy and utility. Are there consumer RFID applications that are truly useful? If so, how can they be designed to minimize loss of privacy? Finally, if these applications are indeed useful, does their utility outweigh the potential loss of privacy? We're trying to answer these questions with careful, long-term user studies in which participation is optional and participants have control over their data and may opt out at any time.

In our work thus far we have sought to develop and evaluate a variety of novel techniques to address the host of privacy concerns that crop up in consumer RFID applications. One such technique is to use access control policies that depend on sensed context. For example, one policy says that if the RFID system has detected an event (e.g. a business meeting, a lecture), the only users who can access information about the event by default are those who participated in the event.

Another research thrust has been in privacy control interfaces that incorporate socially-oriented checks and balances. For example, our friend-finder application counts each time you query a friend's location and reports an approximation of that count to your friend — the "social backpressure" created by this report mitigates excessive querying. In a longer term study we're trying to understand how long particular data items must be retained for various types of applications and how anonymization techniques can be applied to reduce the impact of a data breach. It's our hope that through these and similar studies, we can inform the community (including businesses and policy makers) of the risks, benefits and challenges of consumer-oriented RFID systems while proposing technological solutions whenever possible—and to do so before such systems become commonplace.

For project descriptions, publications, presentations, a video and a blog, visit the team's Web site at: http://rfid.cs.washington.edu.
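The two techniques described in the summary above (participant-only default access to a sensed event, and reporting an approximate query count to the friend being located) are shown here as an added Python example; it is not the RFID Ecosystem project's code. The tag-read format, the detection rule, the count ranges and all names are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample tag reads: (minute, room, person). Not real project data.
READS = [
    (0, "room-A", "alice"), (1, "room-A", "bob"), (2, "room-A", "alice"),
    (3, "hallway", "carol"), (5, "room-A", "bob"), (40, "room-A", "dave"),
]

@dataclass(frozen=True)
class Event:
    room: str
    start: int
    end: int
    participants: frozenset

def detect_event(reads, room, start, end):
    """Assumed detector: anyone read in `room` during [start, end] participated."""
    who = frozenset(p for t, r, p in reads if r == room and start <= t <= end)
    return Event(room, start, end, who)

def can_view(user, event, grants=frozenset()):
    """Default deny: only sensed participants, plus anyone explicitly granted access."""
    return user in event.participants or user in grants

def approx(n):
    """Coarsen an exact query count into a range (the ranges are an assumption)."""
    if n == 0:
        return "none"
    if n <= 2:
        return "1-2"
    if n <= 10:
        return "3-10"
    return "more than 10"

class FriendFinder:
    def __init__(self, locations):
        self.locations = locations   # person -> last sensed room
        self.queries = Counter()     # (asker, target) -> exact count, kept internally

    def locate(self, asker, target):
        self.queries[(asker, target)] += 1   # every lookup is counted
        return self.locations[target]

    def report_for(self, target):
        """What the queried friend sees: who asked, and roughly how often."""
        return {a: approx(n) for (a, t), n in self.queries.items() if t == target}
```

Someone who was in the hallway, or who entered the room after the event window, is denied by default, and the located friend sees only the coarse range, never the exact count.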

Information Sharing
Researchers at six U.S. universities will spend the next five years exploring ways to ensure privacy and security of sensitive information during data sharing. The Department of Defense awarded $7.5 million to Purdue University, the University of Illinois at Urbana-Champaign, the University of Michigan, the University of Texas at Dallas, the University of Maryland-Baltimore County and the University of Texas at San Antonio. Research teams will look at ways to preserve privacy during data mining, among other privacy-enhancing areas.

Let the Games Begin
The city of Beijing installed 300,000 video surveillance cameras in anticipation of the Summer Olympic Games. Reports say there are no plans for the removal of these cameras when the Games conclude. In anticipation of the 2010 Winter Olympics in Vancouver, British Columbia, Canada, researchers at the University of Alberta have embarked on a project, "Privacy Games: The Vancouver Olympics, Privacy and Surveillance," that will scrutinize privacy dynamics of the event. Researchers will look at the technologies that may affect privacy, how citizens' personal information might be shared among security agencies and how officials are addressing potential threats to privacy, among other considerations.

Can You Find Me Now?
Is your mobile phone lessening your personal privacy? That's what researchers at Newfoundland, Canada's Memorial University are trying to discover. The team is looking into the technical feasibility of privacy threats to mobile phone users and is developing a comparative analysis of mobile phone systems available in Canada in terms of their ability to withstand privacy threats. The team will propose recommendations for addressing such threats.

Time for Your Checkups!
"Privacy Protection Checkups: Promoting Compliance and Providing Education for Business and Nonprofit Organizations" is a project of the Centre for Forensic and Security Technology Studies at the British Columbia Institute of Technology. The centre will offer free "privacy protection checkups" to selected retail merchants, professional firms and non-profit organizations that collect and use information about their customers. The checkups will provide organizations with a report on their compliance with privacy legislation and guidelines, as well as with recommendations for improvement where appropriate.