privacy appliance privacy appliance privacy appliance cross-source privacy appliance user query data source data source Government owned Independently operated Privately owned data source Privacy Appliance • Standalone devices • Under private control • Better assurance of correct operation • Sits between the analyst and each private data source • Easily added to an enterprise’s computing infrastructure • Like firewalls Benefits • Private data stays in private hands • Privacy controls isolated from the government
For lowest authorization: • Withhold identifying attributes • Prevent completion of inference channels • The privacy appliance will recognize • Which queries touch inference channels • Whether the user is authorized for the query Analyst query Check authorizations Input special authorizations Access control DB Modify query as needed to withhold data Mark access “history” • For higher authorization: • Can retrieve specific identifying info • Must specify scope of data authorized Analysis can’t combine non-sensitive queries to obtain sensitive info Send modified query to data source Access Control
Inference Tool • Earlier life: MLS databases • Detect inference channels from unclassified to classified data • Now: Privacy-Protection • Detect inference channels from non-sensitive to sensitive data • Example: • Select count(name) where gender = female • Select avg(grade) where gender = female = 1
Systems Issues • Logging • Log classified stuff at third-party sites! • Search through (encrypted) logs to prove abuse. • Trust issues • Finally a legitimate use for Palladium! • … • This is a big system!