PEPR '23 Conference Program

Designing and deploying world-scale logging pipelines on mobile devices while respecting user privacy is a challenging problem. Privacy engineers must find ways to enable critical data collection and at the same time ensure that the data has transparency and control. We will go over core principles and technical measures privacy engineers can use to achieve these goals. We will show how these principles and techniques help with policy enforcement and transparency. In the context of logging, we will discuss client and server-side checks, both static through annotations and at runtime. We will also go through some examples of data minimization, pseudonymization, anonymization and other privacy preserving techniques. This talk is partly motivated by our experience working on logging pipelines on Android at Google.

Earlier this year, WhatsApp announced their plans to launch key transparency for all WhatsApp users. Key transparency solutions help strengthen the guarantee that end-to-end encryption provides to private, personal messaging applications in a transparent manner available to all. In this presentation, we will cover how key transparency works, what the improved end user experience is for those wishing to verify their contacts' public keys, and various deployment challenges and considerations we encountered when building our key transparency system. We also have released an open-source library called Auditable Key Directory (AKD) which we use in our deployment, and can potentially serve as a reference point for others that wish to deploy key transparency in the future.

Access control in the modern data warehouse is dizzyingly complex. Nested groups, inherited roles, and legacy permission models are just a few of the challenges we encountered at Cruise during our efforts to demystify cloud Identity and Access Management (IAM) in BigQuery. Access to read data is provisioned across many different roles and groups, in cloud service consoles and IaaS tools, with no universal source of truth. We built an internal tool, xray, to answer two questions:

1. Who has read access to a given BigQuery resource?
2. How are they getting this access (from what role and group)?

We have leveraged this tool to remediate overprovisioned access and enforce our need-based access policies for sensitive data. This talk will present the need for a software solution to audit cloud IAM, discuss the technical specifications of our solution, and provide examples of how we use xray to mitigate privacy risk at Cruise.

Differential privacy is, in many ways, like cryptography: even though its basic building blocks are conceptually simple, their implementation can be surprisingly tricky. This talk presents the result of our applied research about floating-point vulnerabilities on differential privacy implementations. First, we explain what it means for differential privacy software to be vulnerable to attacks, and how to reason about the severity of such vulnerabilities. Second, we present precision-based attacks, a new class of vulnerabilities which affects several open-source libraries. Finally, we outline a new technique to address this vulnerability, and all other possible attack vectors based on floating-point behavior.

Differential privacy (DP) is a notion of privacy that has quickly achieved widespread adoption, for example by the U.S. Census Bureau, Google, Apple, Microsoft, and Uber. While DP has the potential to provide strong privacy protections, its actual guarantees depend on key implementation details, such as the privacy loss budget and deployment model (e.g., local vs. central). However, these details are seldom communicated to data subjects, limiting their ability to make informed data-sharing decisions. Therefore, to reduce the opaqueness of DP protections, we are developing portable explanations of DP.

In this talk, I will briefly describe existing strategies for explaining DP currently used in industry. Then, I will present explanations that convey the probabilistic nature of DP's guarantees and briefly touch on explanations that convey which information flows are restricted depending on the DP model used. The explanations presented can be readily employed to increase transparency around DP, and can inform communication around other privacy-enhancing technologies broadly.

This talk will be based on research conducted by Rachel Cummings, Gabriel Kaptchuk, Priyanka Nanayakkara, Elissa M. Redmiles, and Mary Anne Smart.

In July 2023, the Israeli Ministry of Health made a differentially private release of the National Registry of Live Births for the year 2014. The data holds significant value for various stakeholders for multiple purposes, including demographic analysis, scientific research and policy-making. Nonetheless, releasing such data poses a privacy challenge, because medical and governmental data contain sensitive information on birthing people and newborns.

In this talk, we present how we co-designed the data release together with the stakeholders to fulfill four main requirements: (1) affordance of tabular format via synthetic data; (2) data quality concerning statistical analysis; (3) record-level faithfulness between released data and original data; and (4) privacy as a rigorous state-of-the-art guarantee and as stakeholders' expectation.

Ultimately, we will discuss the outlook for co-design approaches for PET-based data releases.

Authors: Shlomi Hod, Ran Canetti

Metrics help people make decisions. Most of the time, these are better decisions. But shockingly often, especially when privacy is in play, they are terrible decisions. These bad metrics are used by product teams trying to make their product better and making unknowingly terrible privacy calls, but they're also coming from inside the house: a preponderance of privacy program management is flat-out wrong. If your metrics are telling you to do something, how do you know they're pointing you in the wrong direction?

The right for users to obtain a copy of their personal data is a fundamental privacy expectation that should be respected, even as the data is stored in various systems and databases supported by many engineering teams.

In this talk, we describe a reliable system built to enable self-service data access for users across Meta's applications. We focus on utilizing data annotations and schematization to automate data access decisions, ensuring the protection of user data access rights while optimizing the engineering time required to create new products and features.

There is no standard and secure way to exchange data rights requests under the law and it's hard and time-consuming for consumers and companies alike. We think there should be a better way to process data rights requests that's streamlined and inexpensive.

A standard protocol that formalizes the components of a data rights request would allow for more consistency and efficiency for both consumers submitting requests and companies processing them. That's why Consumer Reports is incubating a Data Rights Protocol with a consortium of companies committed to strengthening consumer data rights. In this presentation we will describe the components of the Data Rights Protocol and how a system overlapping business, legal, and technical rules can streamline Data Rights requests.

This is the work of Ginny Fahs at the Consumer Reports Innovation Lab, Dazza Greenwood with CIVICS.com, and Ryan Rix.

The genomics community faces an increasing demand to leverage private data across institutional boundaries. Secure computation technologies, encompassing both trusted execution environments (TEEs) and secure multiparty computation (MPC) frameworks, promise to allow collaborative analysis while overcoming privacy concerns associated with genomic data sharing. However, discrepancies between real-world security needs and what these technologies provide present a key hurdle in deployment efforts. In this talk, I will present ideas for addressing this challenge from both technical and societal perspectives. First, I will describe our recent work on privacy-preserving genotype imputation using Intel SGX, which introduces new algorithmic strategies to provide resilience to side-channel vulnerabilities. Second, I will discuss an apparent disconnect in contextual norms and values between the conventional security models versus real-world settings in genomics. I will illustrate an alternative trust-based framework aimed at better aligning the tools with the institutional trust landscape and interests of human subjects. A sociotechnical design of privacy tools is crucial for realizing their potential in genomics.

Inclusive privacy is an approach to privacy design that takes into account the needs of all users, regardless of their abilities, characteristics, needs, identities, or values. It is a shift away from the traditional approach to privacy, which focuses on protecting the privacy of the "average" user. Inclusive privacy acknowledges that different users have different privacy needs and seeks to ensure equitable protection of personal data, accounting for the diverse needs, identities and experiences.

The presentation will explore how privacy intersects with identity markers such as race, gender, sexuality, disability, and class, among others. By analyzing these intersections, we can develop a nuanced understanding of how privacy is experienced and perceived by individuals from different backgrounds. We will also examine the ways in which privacy policies and practices can either promote or hinder inclusivity. We will draw on case studies to illustrate how inclusive privacy can be operationalized in practice.