Archive for 'Research'

NSF Grant on Regulatory Compliance Software Engineering

Friday, August 10th, 2012

The National Science Foundation recently awarded researchers from The Privacy Place a grant to work on Regulatory Compliance Software Engineering with UCON_LEGAL! You can read the abstract below. More details are available at research.gov.

Abstract: Software engineers need improved tools and methods for translating complex legal regulations into workable information technology systems. Compliance with legal requirements is an essential element in trustworthy systems. The research proposed herein will advance the cutting edge for creating more accurate, efficient, and reliable RCSE (Regulatory Compliance Software Engineering), resulting in compliant software systems. System specifications typically concentrate on system-level entities, whereas legal discussions emphasize fundamental rights and obligations discursively. This work bridges three cultures of scholarship and research: software specification, law, and access control. By empowering software developers and policy makers to better understand regulatory texts and the access controls specified within these texts, current and future software systems will be better aligned with the law.

There are three main expected results of this work: (1) Framework, methodology and heuristics to identify UCON_LEGAL components in legal texts; (2) extended TLA (Temporal Logic of Actions) rules from UCON_ABC and mapping of predicates, actions, states, variables and obligations between UCON_LEGAL and UCON_ABC; (3) validated and extended role-based access controls to meet healthcare and financial legal requirements through further development of UCON_LEGAL. The impacts of this work are expected to be far reaching; law and regulations govern the collection, use, transfer and removal of information from software systems in many sectors of society, and this research explicitly calls for models and theories for analyzing and reasoning about security and privacy in a regulatory and legal context.

The Evolution of Internet Users’ Privacy Concerns

Wednesday, July 29th, 2009

The Privacy Place is proud to announce the release of a new technical report by Dr. Annie I. Antón, Dr. Julia B. Earp, and Jessica D. Young detailing the evolution of Internet users’ privacy concerns since 2002. This research has been submitted to IEEE Security and Privacy Magazine, but you can read the detailed technical report on this research today by downloading the full paper here: How Internet Users’ Privacy Concerns Have Evolved Since 2002

Abstract:

In 2002, we established a baseline for Internet users’ online privacy values. Through a survey we found that information transfer, notice/awareness, and information storage were the top online privacy concerns of Internet users. Since this survey there have been many privacy-related events, including changes in online trends and the creation of laws, prompting us to rerun the survey in 2008 to examine how these events may have affected Internet users’ online privacy concerns. In this paper, we discuss the 2008 survey, which revealed that U.S. Internet users’ top three privacy concerns have not changed since 2002; however, their level of concern within these categories may have been influenced by these privacy-related events. In addition, we examine differences in privacy concerns between U.S. and international respondents.

Data Privacy Day 2009

Wednesday, January 28th, 2009

Last year on January 28th, the first annual Data Privacy Day celebration was held in the United States at Duke University. Today marks the second annual Data Privacy Day, and the celebration has grown dramatically.

Last year, Governor Easley proclaimed January 28th as Data Privacy Day for the state of North Carolina. This year, he proclaimed January Data Privacy Month. North Carolina, Washington, California, Oregon, Massachusetts, and Arizona have also declared January 28th to be state-wide Data Privacy Day. Last but certainly not least, Congressman David Price and Congressman Cliff Stearns introduced House Resolution 31 which was passed on January 26th with a vote of 402 to 0 to make today National Data Privacy Day in the United States. It is truly outstanding to see such strong support in the form of resolutions and proclamations.

The best way to support or celebrate Data Privacy Day is to take action. Since the goal of Data Privacy Day is to promote awareness and education about data privacy, one easy way to act is to check out all the great educational resources made available in conjunction with Data Privacy Day. For example, Google has posted about what it has done to protect privacy and increase awareness of privacy. Microsoft is holding an event tonight and has more information on data privacy on their website.

Here at The Privacy Place, we were once again pleased to have the opportunity to celebrate Data Privacy Day at Duke University by attending the panel discussion on Protecting National Security and Privacy. The panel discussion was extremely well-attended and well-received. This event had a number of sponsors, including Intel, which has a fantastic website with extensive information on Data Privacy Day. If you weren’t able to make it to the panel, I would strongly encourage you to check out Intel’s site.

Lastly, Data Privacy Day is all about awareness and education, so be sure to spread the word!

[Update: Fixed the link to the House Resolution that passed on Monday.]

Silver Bullet Security Podcast Interviews Dr. Williams

Wednesday, December 24th, 2008

Two days ago, the 33rd episode of the Silver Bullet Security Podcast was released. If you are new to this podcast, it’s a monthly podcast featuring interviews with noted security experts. It’s co-sponsored by IEEE Security and Privacy Magazine and Cigital. I would highly recommend it for anyone interested in software security and privacy research. I’ve been a loyal listener almost since it started, and I have yet to find an episode that didn’t teach me something new.

In it, Dr. Gary McGraw, the host of the series, interviews Dr. Laurie Williams, an Associate Professor of Computer Science at North Carolina State University. They discuss the work the Software Engineering Realsearch Group is doing in software security, testing, and agile development. In my humble and admittedly biased opinion, Dr. Williams is an excellent teacher and the podcast is absolutely worth checking out.

In a previous episode, Dr. Annie Antón, a Professor of Computer Science at North Carolina State University and the Director of The Privacy Place, was also interviewed by Dr. McGraw. They discussed our work here at The Privacy Place, including research on privacy policies, the role of regulations in computer privacy and security, and the relationship between privacy and security. Of course, my opinion as to this podcast is even more biased, but I would still encourage you to check it out. 🙂

Previous podcasts have included interviews with luminaries such as Ed Felten, Bruce Schneier, Dorothy Denning, Eugene Spafford, Adam Shostack, and Matt Bishop. I am tempted to simply list all the interviewees because each episode is fantastic, but I’ll leave the rest as a teaser. If you were so inclined, you could even follow their RSS or iTunes feed as a New Year’s resolution. 😉

ThePrivacyPlace.Org Privacy Survey

Tuesday, September 23rd, 2008
Privacy Survey 2008

ThePrivacyPlace.Org Privacy Survey is Underway!

Researchers at ThePrivacyPlace.Org are conducting an online survey about privacy policies and user values. The survey is supported by an NSF ITR grant (National Science Foundation Information Technology Research) and was first offered in 2002. We are offering the survey again in 2008 to reveal how user values have changed over the intervening years. The survey results will help organizations ensure their website privacy practices are aligned with current consumer values.

We need to attract several thousand respondents, and would be most appreciative if you would consider helping us get the word out about the survey, which takes about 5 to 10 minutes to complete. The results will be made available via our project website (http://www.theprivacyplace.org/).

Prizes include $100 Amazon.com gift certificates sponsored by Intel Co. and gifts from IBM and Blue Cross and Blue Shield of North Carolina.

On behalf of the research staff at ThePrivacyPlace.Org, thank you!

Privacy Survey

Monday, August 11th, 2008
Privacy Survey 2008

ThePrivacyPlace.Org Privacy Survey is Underway!

Researchers at ThePrivacyPlace.Org are conducting an online survey about privacy policies and user values. The survey is supported by an NSF ITR grant (National Science Foundation Information Technology Research) and was first offered in 2002. We are offering the survey again in 2008 to reveal how user values have changed over the intervening years. The survey results will help organizations ensure their website privacy practices are aligned with current consumer values.

We need to attract several thousand respondents, and would be most appreciative if you would consider helping us get the word out about the survey, which takes about 5 to 10 minutes to complete. The results will be made available via our project website (http://www.theprivacyplace.org/).

Prizes include $100 Amazon.com gift certificates sponsored by Intel Co. and gifts from IBM and Blue Cross and Blue Shield of North Carolina.

On behalf of the research staff at ThePrivacyPlace.Org, thank you!

Value Of Privacy: A Users Perspective

Monday, February 27th, 2006

The year 2005 was not only the year of the Rooster; it was also the year of privacy invasion and ID theft. On thinking about the last year, news flashes such as “ChoicePoint data theft widens to 145,000 people”, “Stolen laptop puts 98,000 at risk of ID theft” (UC Berkeley), and “Personal info on 310,000 people possibly stolen, 10 times more than what was disclosed last month” (Seisint) come to mind.

This past year, more than 152 security breaches exposed at least 57.7 million Americans to ID theft (1) and privacy invasions, which suitably makes “privacy” the biggest concern of the general Internet population, businesses and governing bodies. The result: legislation being passed by the government and billions of dollars being invested by businesses to conform to this legislation. More than fifty bills were introduced in the first session of the 107th Congress to regulate online privacy, resulting in a national cost of compliance of approximately US$9-36 billion (Hahn 2001). With so much at stake, it becomes important to measure not only the economic cost of privacy per person, but also the trade-offs (for example, convenience and rewards) that lure people to succumb and provide PII to organizations.

A peek into sociological research regarding user behavior clearly indicates that individuals perform a privacy calculus, assessing the cost and benefit of providing information (2). The calculus depends on factors such as self-ego, environmental stimuli, and interpersonal relationships (Laufer and Wolfe 1977; Stone and Stone 1990).

Studies indicate a huge deficit between the compliance expenditure and the net worth of privacy. This deficit may be owing to limited user awareness and the fact that privacy concerns are usually traded for environmental stimuli such as rewards and convenience.


To Centralize or Not To Centralize

Friday, February 3rd, 2006

That is the question that this blog post pontificates on. According to a recent study by the Privacy Rights Clearinghouse, of 113 data breaches since February 2005, 55 of them took place at colleges, universities, and university-affiliated medical centers. A list of data breaches for 2005 has been posted by Neo Scale here, but a few noteworthy ones are Stanford University, UC-Berkeley, and Carnegie Mellon University.

One of the primary reasons cited for the disproportionate number of data breaches at universities is the decentralized environment — data being spread out in various locations on campus, which makes it difficult to control access to the data. To a degree, this doesn’t seem very intuitive and is certainly contrary to the old saying ‘don’t put all your eggs in one basket’. Centralization not only serves as an even more enticing target for would-be hackers, but it also means the result of a successful break-in would be even more catastrophic. However, centralization is more cost effective, as it requires organizations to procure less hardware, which results in cost savings.

Decentralization, on the other hand, means that if there were a break-in, consumers/students are less likely to have their information compromised. However, decentralization also means that it is possible that there are multiple copies of a person’s information floating around. The preferable and more secure approach is not entirely clear.

It seems that the largest problems facing decentralized environments are accountability, management, and standards. What can be done about this? Certainly, formalized, comprehensive privacy and security policies would be a step in the right direction. Adherence to these policies is essential, as are continued research efforts into technologies and techniques to combat intrusions.

A full article on the Privacy Clearinghouse study can be found here on the UCSD Guardian Online.

2005 ThePrivacyPlace.org Survey!

Wednesday, October 26th, 2005

ThePrivacyPlace.Org 2005 Privacy Survey is Underway!


Researchers at ThePrivacyPlace.Org are conducting an online survey about privacy policies and user values. The survey is supported by an NSF ITR grant (National Science Foundation Information Technology Research) and will help us with our investigations of privacy policy expression and user comprehension thereof.

We need to attract several thousand respondents, and would be most appreciative if you would consider helping us get the word out about the survey, which takes about 5 to 15 minutes to complete. The results will be made available in 2006 via our project website (http://www.theprivacyplace.org/).

Prizes include $50 Amazon.com gift certificates and IBM sponsored giveaways!


On behalf of the research staff at ThePrivacyPlace.Org, thank you!

Protecting Privacy is Good For Business

Tuesday, February 15th, 2005

A recent survey found that protecting the privacy of consumer information is actually good for business. We’ve been preaching this message for years, but it seems that someone has actually provided some hard evidence. By protecting consumer information, businesses experience less downtime from security breaches and fewer defections from customers.

Read more here.