PEPR '22 Conference Program

Differential privacy is a model of privacy protection currently being adopted by commercial enterprises and government institutions. Using differential privacy, data custodians can share data in new ways while quantifying the potential privacy loss incurred by individuals present in the data. However the choice to limit privacy loss in the model of differential privacy must be weighed against the impact on the accuracy of the data shared.

The full complexity of making choices about privacy/utility trade-offs has rarely been considered by the research community. Using a real case study of Internal Revenue Service data shared with the Department of Education, we describe the social and technical challenges faced by data custodians as they negotiate with data consumers to establish standards for data release.

Differential privacy in practice proved to be hard: there are a lot of subtle, easy-to-get-wrong implementation nuances, it can be difficult to preserve data utility, choose optimal parameters, interpret results, etc.

In this talk we introduce PipelineDP, a tool that allows Python developers to produce differentially-private versions of their data processing pipelines. PipelineDP was designed with small and massive applications in mind: it can be run both locally and on scalable data processing such as Apache Spark or Beam. Our aspiration is that PipelineDP allows differential privacy to be deployed in production by engineers who are not experts in DP.

Working with privacy-sensitive data today, whether it is in health-care, insurance or any other industry, is a complex and slow process often involving long manual reviews by compliance teams. The recent development of differential privacy helped standardize what privacy protection means. As such it has the potential to unlock the automation and scaling of data analysis on privacy sensitive data. To help realize this promise, we designed and built a framework in which an analyst can write data analysis jobs with common data-science tools and languages: SQL, numpy, pandas, scikit-learn, and have them compiled into differentially private jobs executed remotely on the sensitive data. In this talk, we will describe how a user expresses his job declaratively in python and how his python code is analyzed and compiled, before it is run and a result is eventually returned.

This applied research talk will discuss the privacy threat modeling gap, challenges and opportunities of privacy threat modeling in practice, and a new qualitative threat model currently under development. In privacy risk management, there are well-respected methods for modeling vulnerabilities and consequences (or harms), but there is no commonly used model nor lexicon for characterizing privacy threats. We will discuss the gap in privacy risk modeling, how privacy threat-informed defense could better protect systems from privacy harms, and a working definition for a “privacy attack.” Then we will present a draft qualitative threat model – the Privacy Threat Taxonomy – developed to fill this gap in privacy risk modeling. This model was generated iteratively and collaboratively using a dataset of almost 150 non-breach privacy events, which includes directed, accidental, and passive attacks on systems. We will also discuss how practitioners can incorporate a threat model into their privacy risk management program.

Annoyingly, many things can go wrong when it comes to privacy engineering. Even more annoyingly, they often do. To make matters worse, many issues are more complex than mere bugs in the implementation. This talk will address flaws – defects on an architectural or design level – that result in privacy issues. Using real-world examples, we will demonstrate how common flaws lead to undesirable outcomes, and how to intentionally build systems with privacy in mind in order to avoid these flaws when designing a new system or reviewing an existing system.

The Data Privacy Vocabulary (DPV) enables expressing machine-readable metadata about the use and processing of personal data for declarative use in systems, documents, processes, and logic for assisting with requirements of legal compliance, such as the General Data Protection Regulation (GDPR). The DPV is the most extensive collection of its kind, a community effort, an output of W3C DPVCG, and is open and available at https://w3id.org/dpv.

The breach of users’ location privacy can be catastrophic. To provide users with privacy protection, numerous location privacy methods have been developed. While several literature surveys exist in this field, the lack of comparative empirical evaluations imposes challenges for adopting location privacy by applications and researchers in a wide range of domains. This talk presents our recent study which fills the gap by evaluating location privacy with real-world datasets. For utility evaluation, we consider various types of measures, such as distortion-based and count-based measures, as well as individual's mobility patterns; for privacy protection evaluation, we design two empirical privacy risk measures via inference and re-identification attacks. Furthermore, we study the computational overheads incurred by location privacy. The results show that it is possible to strike a balance between utility and privacy when sharing location data with untrusted servers.

Disclosing gender online can present serious accessibility and privacy concerns for members of marginalized groups. Despite these issues, non-inclusive (and likely unnecessary) gender disclosure forms are widespread in computing applications. Developers who implement gender disclosure forms may be unaware of the privacy implications of using gender in programming. I will present results from an interview study with developers and a complementary analysis of Reddit posts on developer target sub-forms. I will conclude by discussing how changes in software engineering education could improve the status quo in order to better respect users.

At Cruise, Privacy Engineering faces a large scale data mapping challenge: maintaining visibility on petabytes of sensitive data collected daily–location, imagery, and copious metadata. If that weren’t enough, data mapping must be done in the context of a rapidly changing product as we launch self-driving cars to the public. This talk describes how we did it.

In more detail, we summarize the background research that informed our approach to data mapping. Then, we cover key aspects of the technical implementation: a custom web application, high accuracy detectors for Cruise-specific sensitive data, and a validation stack for machine-assisted label verification. Finally, we present the technical privacy risk mitigations we have built on top of data mapping. These pieces all fit together into a foundational capability for Cruise Privacy Engineering, greatly aiding our ability to understand the flow of sensitive data in a way that is not possible without automation.

Data export, management, and deletion are complex processes with multiple feedback loops. This is exacerbated in a microservices-based environment. In this talk, we will discuss the Lyft data export and erasure architectures and its interactions with our data management systems. The solutions we developed took into account Lyft’s dynamic and fast-paced product and engineering environment. To make this system operationally efficient, our goal was to seamlessly integrate with Legal, Fraud, and Safety. The system also needed to respect user data rights while protecting against fraudulent activities and safety concerns. We’ll share some insights into the hardest technical challenges and surprises we had to overcome.

A critical aspect of incorporating data privacy is the process of classifying personal or sensitive data. At Twitter, the personal data protection (PDP) annotation system provides a solution to automatically classify columns of data in databases. Listen in as we explore the annotation system that combines Elasticsearch queries with a neural network to provide probabilistically calibrated predictions on PDP data types for every column.

In this talk we present a decentralized messaging protocol and storage system in use across North America, Europe, and South East Asia. Built at the behest of an international nonprofit working group, the protocol and system are designed to address a unique problem at the intersection of financial crime regulation, distributed ledger technology, and user privacy. In our talk we discuss the many lessons learned in the process of architecting, implementing, and fostering adoption of this system. We present the Secure Envelope, a data structure that employs a combination of methods (symmetric and asymmetric encryption, mTLS, protocol buffers, etc) to safeguard data privacy both at rest and in flight.

In this panel, Lourdes M. Turrecha and Nishant Bhajaria will present on the foundational TROPT Defining the Privacy Tech Landscape Whitepaper 2021, which defines and categorizes the emerging privacy tech industry. In addition to defining each category they've identified, they go over the customer persona(s), basic features, and current limitations of available solutions. They help privacy tech buyer-users articulate their technical privacy pain points, coach them to advocate internally for the privacy tech budget they need and deserve, and teach them how to identify available privacy tech solutions to their biggest technical privacy problems. This panel helps privacy technologists, privacy engineers, and other privacy domain experts to find privacy tech opportunities, from landing privacy tech advisory, consulting, and in-house roles, to cofounding a privacy tech startup and even Angel investing in them.