
Personal Data: Thinking Inside the Box PDF


Personal Data: Thinking Inside the Box

Hamed Haddadi (1), Heidi Howard (2), Amir Chaudhry (2), Jon Crowcroft (2), Anil Madhavapeddy (2), and Richard Mortier (2)
(1) Queen Mary University of London
(2) Computer Laboratory, University of Cambridge

arXiv:1501.04737v1 [cs.CY] 20 Jan 2015

INTRODUCTION

We are in the middle of a ‘personal data gold rush’ driven by the dominance of advertising as the primary source of revenue for most online companies. Internet services, advertisers, and even governments are all casting a wide net to accumulate personal data about individuals. This accumulation is generally occurring with minimal consideration of us, the individuals at the heart of this process.

Governments and regulatory bodies, such as the European Union, have attempted to impose regulatory frameworks that force the market to recognise certain rights of individuals. Unfortunately, legal systems are not sufficiently agile to keep up with the rapid pace of change in this area. Self-regulation proposals such as the Do Not Track headers¹ have been ineffective in reducing behavioural targeting and advertising. For example, in a 2012 study by Balebako et al. [1], only two of the thousands of existing advertising agencies had agreed to respect the headers. This number has since grown to 20,² but this remains an insignificant fraction of such services [6]. Fundamentally, imposing constraints that ignore the interests of advertisers and analytics providers, in many cases the business models that drive “free” web services and mobile apps, is likely to fail [12, 26]. This further reinforces the notion that if you are not paying for it, you are the product.³

¹ http://donottrack.us/
² http://donottrack.us/implementations
³ Although nothing precludes being both a paying customer and the product being sold.

A range of personal data technology startups have been formed in recent years, in response to growing public awareness about how our data is processed. These aim to put users explicitly in control of their personal data (or metadata, see openPDS [3]), providing platforms through which they can permit advertisers and content providers to enjoy metered access to valuable personal data. In exchange, participating users could potentially benefit by receiving a portion of the monetary value generated from their data as it is traded in an increasingly complex ecosystem [6]. Unfortunately, all these approaches provide both a logical and a physical single point of control over our personal data: typically, they entail lodging information in the cloud where the service is running. This naturally leads to a host of trust issues for users, who find themselves not just having to trust the service directly but also the infrastructure providers involved, other parties such as local law enforcement in the specific jurisdiction, and the possibility of collusion between these cloud services to build ever more detailed models of individuals.

Individuals’ responses to this are largely complex and context dependent [4]: for example, Westin classifies people by whether they are privacy unconcerned, privacy fundamentalists, or privacy pragmatists [27]. He finds that 16% are unconcerned, 24% are fundamentalist, and 60% of all respondents fall into the last category, where attitudes to privacy are dependent on a wide range of specifics such as the particular data and its relevance, the industry involved, and so on. Though this form of classification has been recently challenged [25], in essence it demonstrates that ‘personal data’ is inherently social: it is generally not a practical response to decide to withdraw completely from all online activity.

We propose there is a need for a technical platform enabling people to engage with the collection, management and consumption of personal data; and that this platform should itself be personal, under⁴ the direct control of the individual whose data it holds. In what follows, we refer to this platform as the Databox, a personal, networked service that collates personal data and can be used to make those data available. While your Databox is likely to be a virtual platform, in that it will involve multiple devices and services, at least one instance of it will exist in physical form such as on a physical form-factor computing device with associated storage and networking, such as a home hub.

⁴ We accept that the notion of individual ownership of a fundamentally shared asset such as data is itself problematic, and we will discuss this in more detail subsequently.

WHY DO WE NEED A DATABOX?

Today, many businesses rely on personal data while many services (notably online social networks) operate as walled gardens — increasing lock-in and network externalities are preventing formation of a truly competitive market. In addition, regular data leakages and the privacy issues of cloud-based data silos (see recent media reports concerning account data and password leakage by Dropbox and Skype), the opaque nature of data inferences constructed by advertising agencies, and the trade of cookies and personal data between third parties, all call for means to index and control our ever-increasing portfolio of personal data.

The sheer amount of activity in this sector suggests that there is at least some unmet need here, though it is perhaps less clear precisely what that is. In particular, why would we each want a Databox. One very practical motivation is the range of privacy threats that arise due to, for example, the range and reach of the information being stored about us by third-party websites [6].⁵ This is in addition to privacy threats from data aggregators over which users have no control, including government agencies interested in surveillance such as the NSA and GCHQ, advertisers and credit scoring companies.

⁵ That is, websites that we do not interact with explicitly but which are invoked by ‘first party’ websites we actually visit.

More importantly, one of the benefits of having a Databox system would be to enable a decentralised platform that other developers can target to provide services and software on. In the current world of centralised silos, all Independent Software Vendors (ISV) are at the whim of the large platform and API providers. Users and ISVs suffer whenever there is a conflict of interest with those providers, which hampers innovation and can distort markets. Platforms like the Databox will not replace dedicated, application-specific services such as Facebook and Gmail, and neither are they oriented solely towards privacy, and the prevention of activities involving personal data. Rather, they enable new applications able to combine data from many silos to draw inferences unavailable in the existing marketplace. At the same time, they provide for the HDI concepts of legibility, agency and negotiability, going some way to redress the highly asymmetric power relationship that pertains currently in the personal data ecosystem. This potentially opens up a range of market and social approaches to the ways in which we conceive of, manage and exploit “our” data.

A host of other motivations and uses for such a Databox have been presented elsewhere [20, 17, 8]. These include privacy-preserving advertising, market research, health applications, Quantified Self, and personal archives. Indeed, an alternative, or additional, regulatory response in form of interventions could lead to increased competition in the data market. In aggregate, these examples point to a need for individuals to have tools that allow them to take more explicit control over the collection and consumption of their data and the information inferred from their online activities. However, given the reliance of the existing web ecosystem on the use of personal data, it is important that evolutionary paths are available to enable the ecosystem to survive. For example, control mechanisms may include the ability for individuals to sell or donate their data, in whole or in part [11].

Mapping these motivations to the Human-Data Interaction model [18], we each need a point-of-presence in this data ecology, providing:

• Legibility. The ability to collate, inspect and reflect on “our” data, so we can understand what data is being collected and how it is being processed.
• Agency. The ability to control and manage “our” data and access to it, so we can have the capacity to act effectively in these systems as we see fit.
• Negotiability. The ability to continually navigate our way through the ways that data is social in construction and use (consider how little of “your” data concerns only you and no-one else).

However, in providing these mechanisms it is critical to realise the enormous heterogeneity in users and attitudes: while some will want detailed engagement with many forms and uses of their data, others will not care. Thus the last point, negotiability, is key: ways in which we can set and manage policies expressing what we want to happen and providing a way to negotiate with other involved subjects, that we can interact with and mutate over time is at least as important as the more obvious requirements for mechanisms allowing us to see what is known and used about us, and to control the collection and use of such data.

WHAT IS A DATABOX?

So just what is a Databox? That is, what are the features and capabilities that one should provide? We divide our answer into four parts: it must be a trusted platform providing facilities for data management of data at rest for the data subjects as well as controlled access for other parties wishing to use their data, and supporting incentives for all parties.

Trusted Platform

Your Databox sits at the heart of your online presence. It captures, indexes, stores and manages data about you and data generated by you. To do so, you will have to trust it a great deal. As well as manually adding data and indexes into your Databox, data can be inferred from a variety of sources such as installed apps, browsing habits and online behaviour, in a privacy-conscious manner. This potentially makes it a much more knowledgeable and intrusive system (albeit more useful), when compared to traditional data silos such as Amazon, Spotify and Google, and thus imposes requirements to protect users’ privacy [10].

Trust in the platform also requires reliable behaviour as a piece of infrastructure. That is, a Databox must be consistently available so that it can usefully help the user manage their online interactions. At the same time it must provide straightforward means for the user to intervene in the data collection and sharing operations it is carrying out, to prevent breach in cases where automatic actions derived from configuration and policy have unforeseen consequences.

Finally, all of these actions and behaviours must be supported by pervasive logging, with associated tools, so that users and (potentially) third-party auditors can build trust that the system is operating as expected and, should something unforeseen happen, the results can at least be tracked.

Controlled Access

The purpose of a Databox is not simply to gather all your personal data into one place, but to enable controlled access to that data. By this we mean that it must be selectively query-able: users should have fine-grained control over what data are made available to third parties. More complex possibilities include supporting privacy-preserving data analytics techniques such as differential privacy [5] and homomorphic encryption [21].

One important factor, often fleetingly considered (if at all!) by current systems, is the need to control the access period on a per-case basis. Specifically, the need to revoke previously granted access. In a system where access is granted to process data locally but not to take copies of data, this is relatively straightforward [16]; but in a system where data is, by default, copied out to the third-party, cooperation on their part is required to implement something like a time-to-live function for data. A challenge in this space is the difficulty in measuring the impact of release of any given datum as it will be difficult at best for the Databox to maintain or otherwise obtain the existing and future information-states of all potential third parties that might access the newly released datum.

Data Management

As well as collating your data and providing means for granting controlled access to them, a Databox must provide means for users to interact with and reflect upon the data it contains. This will enable users to make more informed decisions about the behaviours they implement, whether directly themselves or indirectly by passing off control to others.

As part of these interactions, and to support trust in the platform, users must be able to edit and delete data from their Databox as a way to handle the inevitable cases where bad data is uncovered or discovered to have been inferred and distributed. Similarly, it may be appropriate for some data and desirable for some users to have the Databox not exhibit the usual digital tendency of perfect record. Means to enable the Databox automatically to forget data that are no longer relevant or have become untrue may act as another factor increasing trust in the platform by users [15]. Even if data has previously been used, it may still need to be ‘put beyond use’ by users who wish to redact it for the future [2]. Such local and global concepts as the Right to be Forgotten require adherence to agreed protocols, and other forms of cooperation, by third-party services and data aggregators.

Supporting Incentives

Development of innovative uses of personal data requires incentives. A consequence of the controlled access envisioned above is that users may choose to deny third-party services (e.g., advertisers or cloud service providers) access to their data. In the simplest case this might lead to those users simply no longer being able to make use of those services. However, a more acceptable and scalable option would rather be to provide means for those services to charge the user in other ways: those who wish to pay through access to their data may do so, while those who do not may pay through more traditional monetary means. That is, the Databox must be able to ‘talk money’, enabling users to trace payments alongside data flow to and from different third-party services, available via some form of app store.

The Databox could also act as an exposure reduction mechanism for commercial organisations which may no longer intend to hold and control a range of private data directly (e.g., health records), and rather let the data subject take control of their sensitive information. The commercial organisation could still access and query the data as previously described. This is particularly relevant for international organisations that otherwise have to be aware of a plethora of legal frameworks. An analogy might be the way online stores use third-party payment services such as PayPal or Google Wallet to avoid the overhead of Payment Card Infrastructure compliance⁶ for processing credit card fees.

⁶ Payment Card Infrastructure standards, https://www.pcisecuritystandards.org/

WHAT’S IN THE DATABOX?

As soon as one begins to examine the requirements for a Databox, one thing becomes very clear: data is a dangerous word. In particular, personal data is so complex and rich that treating it homogeneously is almost always a mistake. Various of the authors have attempted at various times to collate their digital footprints, and it proves a remarkably complex task. Subsequently deciding which devices should be able to share in and access the digital footprint, even before considering sharing with other people, makes it even harder. Issues such as mixed data formats (potentially proprietary), high variability in datum sizes, the multiplicity of standards for authentication to different systems to retrieve data (even within a single sector, e.g., banking), lack of standard data processing pipelines and tools, and myriad other reasons make this job infinitely fiddly – none of these problems are inherently difficult but actually assembling and then maintaining the tools and data together inevitably takes considerable time and effort.

By way of example, one of the authors recently went through this exercise again. The (partial) footprint that resulted is over 55GB in size, with data from different sources spanning times from yesterday to over 10 years ago. Data types recovered include:

• Communications. Email, Instant Messaging (over 6 services, some of which accounts have been idle for several years), phone call records, SMS exchanges.
• Financial. Bank statements (both personal and joint accounts), credit card statements, housing contracts/mortgage details.
• Family. Photographs (some of which contain family, some contain location metadata), trips, household energy consumption, shared calendars, children’s health records.
• Individual. Personal location traces, personal calendars, address books, sleep tracking data.
• Online Social Networks. The usual candidates (Twitter, Facebook, Google+) as well as those no longer in existence (Orkut).

This data is initially collated on a reasonably powerful computer, with ample storage, CPU, and memory. But access to this data is desirable from a range of other devices including remote machines, tablets, and smartphones. While sync protocols such as BitTorrent Sync⁷ are approaching an adequately straightforward way to collate a lot of this data, it soon becomes clear that it is not so straightforward in practice. Factors such as different device capacities and capabilities mean that simply copying all this data to all devices is not a viable policy even when simply managing one’s own data among one’s own devices. However this limitation would also be a security and privacy minimising option, as one would at most have one or two strongly trusted – i.e., utilising trusted hardware under the user’s full control – devices with access to the complete index of the data, with all other devices sending only limited queries to the trusted sources.

⁷ http://www.getsync.com/

WHERE IS MY DATABOX?

Having laid out motivation for Databox for all, and briefly explored some of the requirements and practicalities, it is natural to next ask: so where is mine? There have been several attempts to build systems that provide some or all of these features, but none have really been successful. We believe that this is because there are fundamental barriers, technical and social, that have yet to be successfully addressed.

Availability. If the Databox is going to take such a central place in our online lives, then we cannot afford for it to become unreachable. This means that, as a network connected device, my Databox must be (securely) accessible no matter where I am; and it must also be itself reliable and robust against loss of power, connectivity, etc.

The limitations imposed by extensive use of firewalls, NATs and other middlebox features in the current Internet have pushed past approaches to focus on use of the cloud to ensure connectivity under the assumption that connectivity to Internet-hosted servers is more widely available and reliable than connectivity between devices at the edge of the network. Pushing all connectivity to be via the cloud mitigates many of the problems introduced by middleboxes but brings a host of other issues, notably trust and cost.

Trust. This is a multi-faceted aspect of a system. Two key aspects stand out: (i) the need to trust that the Databox will protect the user against breach of data due to, e.g., repeated queries or inference across different datasets; and (ii) the need to trust that the software running on the Databox is trustworthy and not acting maliciously – open source and virtualization or other sandboxing technologies, seem likely to have a key role to play here.

More broadly, there is a need for uptake of such a service to begin somewhere – how are the early adopters to be encouraged to use the facility, and once they start, how is this trust in the facility to be represented and propagated to others. Early experiences with both past attempts at personal data management systems as well as others such as online social networks, also suggests that trust in these systems is more complex than simply providing perfect recall: while we might be happy for our Databox to record everything perfectly in private, we might expect it to “forget” data over time, at least as far as others are concerned.

Complexity. Existing systems intended to help users manage their personal data have found it difficult to control the associated complexity. User preferences in this space are inherently complex: socially derived and context dependent. They need to be expressed in machine-readable form so that software can assist us in this management, while also capturing the very broad range of intents and requirements. Two particular examples capture some of the inherent difficulties here. First, a three-year German study ending in 2012⁸ showed that the more people disclosed about themselves on social media, the more privacy they said they desired. Sabine Trepte (the lead author of the study) observed that the paradox indicated dissatisfaction from the participants with what they got in return for giving away so much about themselves. And yet, she added, “they continued to participate because they were afraid of being left out or judged by others as unplugged and unengaged losers”.

⁸ http://www.nytimes.com/2014/10/05/sunday-review/we-want-privacy-

Second, many data are inherently, rather than explicitly, shared in that they implicate more than one individual. Common examples include domestic energy consumption data, and use of cloud email services such as Gmail: even if a user opts out by choosing not to use Gmail, there is a high chance⁹ that the recipient of their email is using Gmail and so the sender cannot prevent Google discovering the contents of their message. It is thus not always clear who owns which piece of data or has the right to grant permissions to a shared data item.

⁹ A 2014 analysis showed that “51% of the emails [that the author] replied to arrived from Google.”, making hiding information from Google impractical for the lay person, http://mako.cc/copyrighteous/google-has-most-of-my-email-because-it-

Usability. Related to the issue of complexity is that of usability, one area in which the centralised platform providers have excelled. The complexity that is inherent to the systems being created needs to be made legible, empowering end-users to understand the choices they have available and the consequences of their actions. A successful Databox will need consistent user interaction models and will enable developers of Databox applications to make use of these models. One area of inspiration here might be the work done in the Homework project which prototyped and, through a number of deployments of several months each, studied use of several novel task-specific interfaces assisting users in the complex business of understanding and managing their home broadband networks [19]. It is worth noting that the high penetration of broadband and even larger adoption of smartphones, individuals today are substantially more sophisticated than the naive users of the past, and capable of embracing the data management capabilities of a Databox. Moreover, due to large coverage of privacy and personal data issues in the media, users may be seeking out solutions like a Databox but without sacrificing the user-experiences they have become familiar with.

Cost. As always, with a new facility such as a Databox, there are a range of incentives that need to be aligned for success. Operational costs of running a Databox have to be acceptable to users. Coupled with this, the costs of third-parties accessing the system, and potentially having to recompense for access to data that previously they would’ve simply gathered, will have to be recouped. It remains to be seen how this can be done in practice: Are users willing and able to pay in practice? What will be the response of users when offered pay-for versions of previously free-to-use services? There is some evidence that at least some users will be willing to make this trade-off, but the same studies also show that the situation is complex [24].

WHEN CAN I HAVE MY DATABOX?

Having made a case for each of us to have a Databox, the only remaining question is when can we have it? In a market-based economy, as ever, this requires the right combination of sufficiently high demand and sufficiently low cost that the need can be met. We are pursuing reduction in cost through development of associated technologies, including Nymote¹⁰ and its constituent components including Mirage [14], Irmin [7] and Signpost [23]. In addition, we are developing methodologies for indexing and tracking the personal data held about us by third parties.

¹⁰ http://nymote.org

However, the problem of demand highlights several unresolved challenges in this space: if, by and large, people do not see the need for technologies like this unless and until they suffer some kind of harm from a data breach, it may remain difficult to reach sufficiently high levels of demand; though this may change as public education programs proceed to teach people about the potentials and challenges of personal data. It is even possible that governments will feel compelled to regulate to protect their citizens even before there is clear popular demand: some have posited, for example, a need to change consent models from current practices of obtaining “informed consent” (be it never so informed) to something more akin to “consumer protection” (you do not give informed consent to buy food from a supermarket – you assume that the food on sale is generally fit for consumption) [13].

From a technology design point of view, the general approach proposed is that of “privacy by design” (PbD): it remains to be seen whether PbD can be successfully implemented in a space such as this where policy and technology need to co-evolve. Even then, there also needs to be an explicit involvement of the social aspects: it is unlikely that either state of everything-public or everything-hidden is desirable for society. Ultimately, the litmus test of success for personal data containers will be their wide-scale adoption and operation. In order to evaluate their effectiveness and the possibility of release or sale of personal data, there needs to be a method for determining the marginal rate of substitution¹¹ for personal data. The sale of personal data and the rich insights and analytics derived from it is considered the key utility in this ecosystem, and the individuals’ preferences are the fundamental descriptors and success indicators. Perhaps availability of such rich and indexed data in one central aggregation point would enable one to build a digital image of myself from the outside world point of view, depending on what information is released to which external actors.

¹¹ This measures the rate at which the consumer is just willing to substitute one good for another.

Even observing a number of individuals using such a tool in the wild will enable understanding of their real willingness to pay for services, or marginal willingness to pay for privacy. It has been argued that privacy is negotiated through collective dynamics, and hence society reacts to the systems that are developed and released [9]. This calls for trial deployments and in-the-wild studies of personal data containers in partnership with individuals, in addition to successful negotiation with consumer rights groups, privacy advocates, the advertising industry, lawmakers, and regulators. Considering the churn experienced in the personal data startup space, with a number of new but typically short-lived entrants and offering, it seems that few truly viable business models have yet been discovered in this space. Our belief is that the power of personal data can only be realised when proper consideration is given to its social character, and it can be legibly and negotiably combined with data from external sources. In this case, we might anticipate many potential business models [22].

Acknowledgements

We appreciate constructive feedback on this paper from Ian Brown (University of Oxford), Essam Mansour (QCRI), Irene Ng (University of Warwick), Paul Francis (MPI-SWS), and Jeremy Yallop (University of Cambridge).

REFERENCES

1. Balebako, R., Leon, P. G., Shay, R., Ur, B., Wang, Y., and Cranor, L. F. Measuring the effectiveness of privacy tools for limiting behavioral advertising. In Web 2.0 Workshop on Security and Privacy (2012).
2. Brown, I., and Laurie, B. Security against compelled disclosure. In Computer Security Applications, 2000. ACSAC ’00. 16th Annual Conference (Dec 2000), 2–10.
3. de Montjoye, Y.-A., Shmueli, E., Wang, S. S., and Pentland, A. S. openpds: Protecting the privacy of metadata through safeanswers. PLoS ONE 9, 7 (07 2014).
4. Dourish, P. What we talk about when we talk about context. Personal Ubiquitous Comput. 8, 1 (Feb. 2004), 19–30.
5. Dwork, C. Differential privacy. In Automata, Languages and Programming, M. Bugliesi, B. Preneel, V. Sassone, and I. Wegener, Eds., vol. 4052 of LNCS. Springer Berlin / Heidelberg, 2006, 1–12.
6. Falahrastegar, M., Haddadi, H., Uhlig, S., and Mortier, R. Anatomy of the third-party web tracking ecosystem. CoRR abs/1409.1066 (2014).
7. Gazagnaire, T., Chaudhry, A., Crowcroft, J., Madhavapeddy, A., Mortier, R., Scott, D., Sheets, D., and Tsipenyuk, G. Irmin: a branch-consistent distributed library database. In Proceedings ICFP OCaml User and Developer Workshop (Sept. 5 2014).
8. Guha, S., Reznichenko, A., Tang, K., Haddadi, H., and Francis, P. Serving ads from localhost for performance, privacy, and profit. In ACM Workshop on Hot Topics in Networks (2009).
9. Gürses, S. Can you engineer privacy? Commun. ACM 57, 8 (Aug. 2014), 20–23.
10. Haddadi, H., Hui, P., and Brown, I. Mobiad: private and scalable mobile advertising. ACM MobiArch (2010).
11. Haddadi, H., Mortier, R., Hand, S., Brown, I., Yoneki, E., McAuley, D., and Crowcroft, J. Privacy analytics. ACM Computer Communication Review (April 2012).
12. Leontiadis, I., Efstratiou, C., Picone, M., and Mascolo, C. Don’t kill my ads!: balancing privacy in an ad-supported mobile application market. ACM HotMobile (2012).
13. Luger, E., and Rodden, T. An informed view on consent for ubicomp. In Proceedings of the 2013 ACM international joint conference on Pervasive and ubiquitous computing, ACM (2013), 529–538.
14. Madhavapeddy, A., Mortier, R., Rotsos, C., Scott, D., Singh, B., Gazagnaire, T., Smith, S., Hand, S., and Crowcroft, J. Unikernels: Library operating systems for the cloud. In Proceedings 18th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS) (Houston, TX, USA, Mar. 16–20 2013).
15. Mayer-Schonberger, V. Delete: The Virtue of Forgetting in the Digital Age. Princeton University Press, 2009.
16. McAuley, D., Mortier, R., and Goulding, J. The Dataware Manifesto. In Proceedings of the 3rd IEEE International Conference on Communication Systems and Networks (COMSNETS) (Bangalore, India, January 2011). Invited paper.
17. Mortier, R., Greenhalgh, C., McAuley, D., Spence, A., Madhavapeddy, A., Crowcroft, J., and Hand, S. The personal container, or your life in bits. Proceedings of Digital Futures (2010).
18. Mortier, R., Haddadi, H., Henderson, T., McAuley, D., and Crowcroft, J. Human-data interaction: The human face of the data-driven society. SSRN (Oct. 1 2014). http://dx.doi.org/10.2139/ssrn.2508051.
19. Mortier, R., Rodden, T., Tolmie, P., Lodge, T., Spencer, R., Crabtree, A., Sventek, J., and Koliousis, A. Homework: Putting interaction into the infrastructure. In Proceedings of the 25th Annual ACM Symposium on User Interface Software and Technology, UIST ’12, ACM (New York, NY, USA, 2012), 197–206.
20. Mun, M., Hao, S., Mishra, N., Shilton, K., Burke, J., Estrin, D., Hansen, M., and Govindan, R. Personal data vaults: A locus of control for personal data streams. In Proceedings of the 6th International Conference, Co-NEXT ’10, ACM (New York, NY, USA, 2010), 17:1–17:12.
21. Naehrig, M., Lauter, K., and Vaikuntanathan, V. Can homomorphic encryption be practical? In Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop, CCSW ’11, ACM (New York, NY, USA, 2011), 113–124.
22. Ng, I. C. Engineering a Market for Personal Data: The Hub-of-all-Things (HAT), A Briefing Paper. WMG Service Systems Research Group Working Paper Series (2014).
23. Rotsos, C., Howard, H., Sheets, D., Mortier, R., Madhavapeddy, A., Chaudhry, A., and Crowcroft, J. Lost in the edge: Finding your way with signposts. In Proceedings 3rd USENIX Workshop on Free and Open Communications on the Internet (FOCI) (Washington D.C., USA, Aug. 13 2013).
24. Skatova, A., Johal, J., Houghton, R., Mortier, R., Bhandari, N., Lodge, T., Wagner, C., Goulding, J., Crowcroft, J., and Madhavapeddy, A. Perceived risks of personal data sharing. In Proceedings Digital Economy 2013: Open Digital (Nov. 2013).
25. Urban, J. M., and Hoofnagle, C. J. The privacy pragmatic as privacy vulnerable. In Symposium on Usable Privacy and Security (SOUPS 2014) Workshop on Privacy Personas and Segmentation (PPS) (July 2014).
26. Vallina-Rodriguez, N., Shah, J., Finamore, A., Grunenberger, Y., Papagiannaki, K., Haddadi, H., and Crowcroft, J. Commercial break: Characterizing mobile advertising. In ACM SIGCOMM Internet measurement conference (2012).
27. Westin, A. F. E-commerce & Privacy: What Net Users Want. Privacy & American Business, Hackensack, NJ, 1998.
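
The per-case access period, revocation and pervasive logging that the paper asks for under Controlled Access and Trusted Platform, as an added Python sketch that is not part of the paper or of any Databox implementation. It assumes the "process locally, do not copy out" model; the class and method names, the party names and the sample records are all constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # 'prev' value used by the first audit entry


@dataclass
class Grant:
    fields: frozenset    # fields this party may aggregate over
    expires_at: float    # end of the per-case access period (epoch seconds)
    revoked: bool = False


def _digest(event, detail, prev):
    body = json.dumps({"event": event, "detail": detail, "prev": prev}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


class Databox:
    """Hypothetical access broker: queries run inside the box, raw records stay put."""

    def __init__(self):
        self._records = {}   # category -> list of record dicts
        self._grants = {}    # (party, category) -> Grant
        self.log = []        # hash-chained audit trail

    def _audit(self, event, **detail):
        prev = self.log[-1]["hash"] if self.log else GENESIS
        self.log.append({"event": event, "detail": detail, "prev": prev,
                         "hash": _digest(event, detail, prev)})

    def store(self, category, record):
        self._records.setdefault(category, []).append(record)

    def grant(self, party, category, fields, expires_at):
        self._grants[(party, category)] = Grant(frozenset(fields), expires_at)
        self._audit("grant", party=party, category=category,
                    fields=sorted(fields), expires_at=expires_at)

    def revoke(self, party, category):
        grant = self._grants.get((party, category))
        if grant is not None:
            grant.revoked = True   # takes effect on the very next query
        self._audit("revoke", party=party, category=category)

    def _deny_reason(self, party, category, field, now):
        grant = self._grants.get((party, category))
        if grant is None:
            return "no-grant"
        if grant.revoked:
            return "revoked"
        if now >= grant.expires_at:
            return "expired"
        if field not in grant.fields:
            return "field-not-granted"
        return None

    def query_mean(self, party, category, field, now):
        """Return only an aggregate. Enforcement works because nothing was copied
        out; data already handed over would need the third party's cooperation."""
        reason = self._deny_reason(party, category, field, now)
        self._audit("query", party=party, category=category, field=field,
                    now=now, reason=reason)   # allowed and denied queries are both logged
        if reason is not None:
            raise PermissionError(reason)
        values = [r[field] for r in self._records.get(category, []) if field in r]
        return sum(values) / len(values) if values else None

    def verify_log(self):
        """Auditor's check: every entry must hash correctly and chain to its predecessor."""
        prev = GENESIS
        for entry in self.log:
            expected = _digest(entry["event"], entry["detail"], prev)
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


def attempt(box, party, category, field, now):
    try:
        return box.query_mean(party, category, field, now)
    except PermissionError as exc:
        return f"denied:{exc}"


def demo():
    box = Databox()
    # Constructed sample records
    box.store("energy", {"kwh": 9.0, "postcode": "ZZ1"})
    box.store("energy", {"kwh": 11.0, "postcode": "ZZ1"})
    box.grant("analytics.example", "energy", ["kwh"], expires_at=1000.0)
    results = [
        attempt(box, "analytics.example", "energy", "kwh", now=10.0),
        attempt(box, "analytics.example", "energy", "postcode", now=10.0),
        attempt(box, "ads.example", "energy", "kwh", now=10.0),
    ]
    box.revoke("analytics.example", "energy")
    results.append(attempt(box, "analytics.example", "energy", "kwh", now=20.0))
    return box, results


if __name__ == "__main__":
    box, results = demo()
    print(results, box.verify_log())
```

The hash chain only makes edits to earlier entries detectable; an auditor still needs a copy of the latest hash held outside the box to notice truncation of the log.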
