xrds

Crossroads The ACM Magazine for Students FA LL 2013 v ol .2 0 • no.1 xrds.acm.org

The
Complexities
of Privacy
and
Anonymity
Why You Should Care
About Cryptocurrencies
Understanding
the Public vs. Private
Debate
Learning @ ScaLe
ATLANTA, GEORGIA MARCH 4–5 2014

Call for Papers

Learning @ ScaLe iMPortant DateS
ACM will host the first acM conference
on Learning at Scale to be held March noVeMber 8, 2013
4-5, 2014 in Atlanta, GA. Paper submissions due.
Inspired by the emergence of Massive
Open Online Courses (MOOCs) and the noVeMber 8, 2013
shift in thinking about education, ACM Tutorial proposals due.
created this conference as a new scholarly
DeceMber 23, 2013
venue to explore how learning and teaching
Notification to authors of accepted full papers.
can improve when done “at scale.”
JanuarY 2, 2014
about the conference Work-in-progress submissions due.
Learning at Scale refers to new approaches
JanuarY 14, 2014
for students to learn and teachers to
Notification to authors of accepted work-in-progress.
teach, when engaging hundreds or even
thousands of students; be it face-to-face or JanuarY 17, 2014
remotely, synchronous or asychronous. ALL revised and camera-ready material due.
Topics will include (but are not limited
to) Usability Studies, Tools for Automated
Feedback and Grading, Learning Analytics,
Investigation of Student Behavior and
Correlation with Learning Outcomes, New
Learning Tools and Techniques at Scale.

caLL for PaPerS

Authors are encouraged to visit the
Learning @ Scale website
http://learningatscale.acm.org/
➤ for details about the conference and

guidelines for paper submissions,

including an array of subject examples
to explore.
➤ Authors are encouraged to consider submitting a full paper (10-pages max); a tutorial proposal

for a 1-4 hour discussion on a relevant tool, technology, or methodology related to learning at
scale; or a work-in-progress poster or demo.
➤ Papers must tackle topics “at scale.”
Be more than a word on paper.
UNI FRESHMAN
QUALS MENTORS MAJOR
CUM LAUDE EXAMS PROFESSORS
HIGH SCHOOL GRADUATION TUMBLR
COMP SCI THESIS TECHNOLOGY GLOBAL
SEMESTER XRDS QUALITY JUNIOR
VOLUNTEER EDUCATION COLLEGE
VOICE EDITORS CHANGE
SENIOR FINALS
TECH
COMMUNITY CREATIVITY CS
CHALLENGE TEAM WORK LAB ACM
LECTURE
DINING HALL
RECOGNITION SOPHOMORE
FACEBOOK CONTROL GRAD SCHOOLS
PRECEPT PHD SCHOLARSHIP
ACADEMIA DISSERTATION DEFENSE
LIBRARY ADVISOR TWITTER
SPRING BREAK

Join XRDS as a student editor and

be the voice for students worldwide.
If you are interested in volunteering as a
student editor, please contact xrds@hq.acm.org with
"Student Editor" in the subject line.

XRDS
 Crossroads
The ACM Magazine for Students
FA L L 2 01 3 v ol . 2 0 • no . 1

begin
05 letter from the editors

08 INBOX

09 INIT
Keeping Your Little Back Shop
By Maire Byrne-Evans
and Christine Task

10 benefit
XRDS Mobilizes
By Debarka Sengupta

10 advice
Managing Your Time
By Vaggelis Giannikas

11 updates
Revitalizing ACM Student Chapters
By Michael Zuba

12 BLOGS
Algorithms Fit for Compilation?
By Olivia Simpson
Habits: Our cognitive shortcut
By Gidi Nave
Coordination When Information
is Scarce: How privacy can help
By Aaron Roth
The New Firefox Cookie Policy
By Jonathan Mayer

Cover Illustration by Patrick George

2 XRDS • fall 2013 • Vol.20 • No.1

 The Complexities Of Privacy and Anonymity

22 32 69

features end
18 feature 45 feature 62 labz
What is Public and Private Anyway? The Tor Project: An inside view CyLab Usable Privacy
A Pragmatic Take on By Kelley Misata and Security Laboratory
Privacy and Democracy By Rich Shay
By Andreas Birkbak 48 feature
It’s Not About Winning, 64 back
22 FEATURE It’s About Sending a Message: WLAN Security
Something Bad Might Happen: Hiding information in games By Finn Kuusisto
Lawyers, anonymization, and risk By Philip C. Ritchey
By Marion Oswald 65 hello world
53 feature Zero-Knowledge Proofs
27 feature  n Illustrated Primer
A By Marinka Zitnik
Personal, Pseudonymous, in Differential Privacy
and Anonymous Data: By Chrisine Task 68 eventS
The problem of identification
By Iain Bourne 58 INTERVIEW 70 acronyms
Cynthia Dwork on
Image for page 32 by Vyacheslav Pokrovskiy. Image for page 69 by S. Borisov.

32 feature Differential Privacy 70 pointers

Talking ‘Bout Your Reputation By Michael Zuba
By David Birch 72 bemusement
60 profile
36 FEATURE Jessica Staddon: Managing
Understanding the Google’s privacy research
Data Environment By Adrian Scoică
By Elaine Mackey and Mark Elliot

40 FEATURE
What is Bitcoin?
By Dominic Hobson

XRDS • fall 2013 • Vol.20 • No.1 3

 1962 CR Arrow Circle Ad-Quarter-F.pdf 2/9/2012 4:59:08 PM

Computing Reviews
is on the move E DI T ORI A L B O A RD
Editors-in-Chief
Peter Kinnaird
Carnegie Mellon
University, USA
Inbal Talgam-Cohen
Stanford University, USA
A d v is ory B o ard
Mark Allman,
International Computer
Science Institute
Bernard Chazelle,
Princeton University
SUB S C RIBE
Subscriptions ($19
per year includes XRDS
electronic subscription)
are available
by becoming an
ACM Student Member

C
Our new URL is Departments Chief
Laurie Faith Cranor,
Carnegie Mellon
www.acm.org/
membership/student
Vaggelis Giannikas Non-member
M ComputingReviews.com University of Cambridge,
UK
Alan Dix,
Lancaster University
subscriptions:
$80 per year
David Harel, http://store.acm.org/
Y
Weizmann Institute acmstore
Issue Editors of Science
CM
Maire Byrne-Evans ACM Member Services
University of Panagiotis Takis Metaxas , To renew your ACM
Southampton, UK Wellesley College membership or XRDS
MY subscription, please send
Christine Task Noam Nisan, Hebrew a letter with your name,
CY
Purdue University, USA University Jerusalem address, member number
Issue Feature Editor Bill Stevenson , and payment to:
CMY Richard Gomer Apple, Inc. ACM General Post Office
University of P.O. Box 30777
Southampton, UK Andrew Tuson,
K City University London New York, NY
10087-0777 USA
Jeffrey D. Ullman,
Feature Editors InfoLab, Stanford
Jed Brubaker University Postal Information
University of California XRDS (ISSN# 1528-4981)
Irvine, USA Moshe Y. Vardi, is published quarterly in
Rice University spring, winter, summer
Erin Claire Carson and fall by Association for
University of California Computing Machinery,
Berkeley, USA E dit oria l S TA F F 2 Penn Plaza, Suite 701,
Ryan Kelly Director, Group New York, NY 10121.
University of Bath, UK Publishing Application to mail at
Scott E. Delman Periodical Postage rates
Hannah Pileggi is paid at New York, NY
Georgia Institute of XRDS Managing Editor & and additional mailing
A daily snapshot of what is new and hot in computing. Technology, USA Senior Editor at ACM HQ offices.
Denise Doig
Michael Zuba
University of Connecticut, Production Manager POSTMASTER: Send
USA Lynn D’Addessio addresses change to:
Art Direction XRDS: Crossroads ,
JOIN THE INNOVATION. Department Editors
Andrij Borys Associates, Association for
Arka Bhattacharya Andrij Borys, Computing Machinery,
Qatar Computing Research National Institute of Mia Balaquiot 2 Penn Plaza, Suite 701,
Technology, India New York, NY 10121.
Institute seeks talented scientists and Director of Media Sales
software engineers to join our team Luigi De Russis Jennifer Ruzicka Offering# XRDS0171
Politecnico di Torino, Italy ISSN# 1528-4972 (print)
and conduct world-class applied jen.ruzicka@acm.org
ISSN# 1528-4980
research focused on tackling Rohit Goyal Copyright Permissions (electronic)
large-scale computing challenges. West Chester East High Deborah Cotton
School, USA permissions@acm.org Copyright ©2013 by the
We offer unique opportunities for a John Kloosterman Public Relations Association for Computing
strong career spanning academic and University of Michigan, Coordinator Machinery, Inc. Permission
applied research in the areas of Arabic We also welcome applications for USA Virginia Gold to make digital or hard
post-doctoral researcher positions. copies of part of this work
language technologies including Finn Kuusisto for personal or classroom
natural language processing, University of use is granted without fee
Wisconsin-Madison, USA ACM
information retrieval and machine As a national research institute Association for provided that copies are
translation, distributed systems, data and proud member of Qatar Founda- Ashok Rao Computing Machinery not made or distributed
University of 2 Penn Plaza, for profit or commercial
analytics, cyber security, social tion, our research program offers a advantage and that copies
Pennsylvania, USA Suite 701
computing and computational science collaborative, multidisciplinary team New York, NY bear this notice and the
and engineering. environment endowed with a compre- Debarka Sengupta 10121-0701 USA full citation on the first
hensive support infrastructure. Indian Statistical +1 212-869-7440 page or initial screen of
Institute, India the document. Copyrights
Scientist applicants must hold (or C ON TA C T for components of this
Successful candidates will be offered a Adrian Scoică General feedback:
University of Cambridge, work owned by others than
will hold at the time of hiring) a PhD highly competitive compensation xrds@acm.org ACM must be honored.
degree, and should have a package including an attractive UK
For submission Abstracting with credit
compelling track record of tax-free salary and additional benefits Marinka Zitnik guidelines, please see is permitted. To copy
University of Ljubljana, otherwise, republish, post
accomplishments and publications, such as furnished accommodation, Slovenia
http://xrds.acm.org/
on servers, or redistribute
strong academic excellence, excellent medical insurance, generous authorguidelines.cfm
requires prior specific
effective communication and Marketing Editor
annual paid leave, and more. Casey Fiesler
permission and a fee.
collaboration skills. Permissions requests:
Georgia Institute PUBLIC AT IONS BOA RD
For full details about our vacancies of Technology, USA Co-Chairs
permissions@acm.org.
Software engineer applicants must and how to apply online please visit Ronald F. Boisvert
hold a degree in computer science, http://www.qcri.qa/join-us/ Web Editor and Jack Davidson
Shelby Solomon Darnell
computer engineering or related field; For queries, please email Clemson University, USA Board Members
MSc or PhD degree is a plus. QFJobs@qf.org.qa Nikil Dutt, Carol Hutchins,
Joseph A. Konstan,
Ee-Peng Lim,
Catherine C. McGeoch,
/QCRI.QA @QatarComputing QatarComputing QatarComputing www.qcri.qa M. Tamer Ozsu,
Vincent Y. Shen,
Mary Lou Soffa

4 XRDS • fall 2013 • Vol.20 • No.1

LETTER FROM
LETTER FROM THE
THE EDITORs
EDITORs

Equip Yourself
for Creativity
A
privacy issue of XRDS couldn’t be better timed. Given the rapid and continuing
revelations about the NSA from Edward Snowden, anything we write here might
be out of date by the time it reaches you. One piece that we feel will remain
relevant—unless, and until, a paradigm shift occurs in the mathematics behind
cryptographic technologies and/or in the international culture around privacy and
human rights—appeared recently in ACM Queue. In his column titled “More Encryption
Is Not the Solution,” Poul-Henning The foremost things that the Hu- cessful graduate students we know
Kamp makes a rigorous argument that man-Computer Interaction Ph.D. Pro- what was the single most valuable
is well worth a read. Instead of focusing gram at Carnegie Mellon seek in appli- course they took in undergrad. Top-
directly on the issue at hand, we wish cants are past academic achievement ping the list were philosophy courses
to start a discussion we hope will equip and creativity—not incidentally the covering classics like Plato, Socrates,
readers to come up with out of the box subject of the previous issue of XRDS. Descartes, Sartre, and Kierkegaard.
solutions to the privacy problem, or any They tell prospective students CMU These philosophers speculated on
other for that matter. won’t be able to supply more creativity the nature of reality, how we trust
and that these two factors are the most that others aren’t mere figments of
important factors in predicting a suc- our imagination, and more. The value
Upcoming Issues cessful research career. of such courses often does not come
While a Ph.D. program is about dig- only from the specific ideas they
Winter 2013 ging deep, research supports the idea cover, but from the way they are de-
[December issue] that having a breadth of knowledge scribed and discussed.
enhances creativity. This idea isn’t In our unofficial poll we found a
Wearable Computing
new; it’s the subject of numerous con- surprising number of computer sci-
Article deadline: September 15, 2013 ference keynote addresses and gradu- ence majors enjoy philosophy cours-
ation ceremony speeches. It’s easy to es. Both fields focus on conjuring
Spring 2014 suggest to someone they should try to rigorous logic from the thoughts of
[March issue] learn about lots of different things. But the writer. Computer scientists write
actually getting someone (yourself) to code that either compiles and runs
Off the (Academic) Grid Computing
do that is somewhat harder. correctly, or does not. The creative
Article deadline: December 2, 2013 To get some motivation, we asked challenge is in sorting out how to go
a couple of the most creative and suc- from nil to a functional program. In

XRDS • fall 2013 • Vol.20 • No.1 5

 interactions’ website FEATURES

interactions.acm.org,
is designed to
BLOGS
capture the influen-
tial voice of its
print component in FORUMS

covering the fields

that envelop the DOWNLOADS

study of people and

computers.
The site offers a
rich history of the conversa-
tions, collaborations, and
discoveries from issues past,
present, and future.
Check out the current issue,
follow our bloggers, look up
a past prototype, or discuss
an upcoming trend in the
communities of design and
human-computer interaction. 

interactions.acm.org

Association for
Computing Machinery

ACM
ACM Conference
Conference
Proceedings
Proceedings
Now
Now Available via
Available via
Print-on-Demand!
Print-on-Demand!
Did you know that you can
now order many popular
ACM conference proceedings
via print-on-demand?
Institutions, libraries and
individuals can choose
from more than 100 titles
on a continually updated
list through Amazon, Barnes
& Noble, Baker & Taylor,
Ingram and NACSCORP:
CHI, KDD, Multimedia,
SIGIR, SIGCOMM, SIGCSE,
SIGMOD/PODS,
and many more.
For available titles and
ordering info, visit:
librarians.acm.org/pod
XRDS • fall 2013 • Vol.20 • No.1
philosophy, it’s up to the reader to
figure out if there are any “bugs in
the code”; that is, does the argument
make sense? What are the assump-
tions it relies on (the “operating sys-
tem,” if you will)? It’s not a coinci-
dence that one of the most profound
philosophical results of the 20th cen-
tury came from logician Kurt Goedel,
who had a thing or two to say that
informed modern computer science
theoretical work as well.
Training your mind to root out logi-
cal fallacies and recognize assump-
tions behind arguments is an enor-
mously powerful exercise that will
help you to think critically about all
knowledge you encounter. Philosophy
(and no doubt other fields) will give
you the toolbox you need to think criti-
cally about ideas from just about any-
where else.1
Students, and in particular gradu-
ate students, are accustomed to hear-
ing about lots of creative projects com-
ing out of academia. We’re continually
1 For those interested in startups and busi-
ness, this is likely similar to the notion of Lat-
ticework upheld by Warren Buffett’s partner
Charles Munger.
It’s not a coincidence
that one of
the most profound
philosophical results
of the 20th century
came from
logician Kurt Goedel,
who had a thing
or two to say
that informed
modern computer
science theoretical
work as well.
amazed at the ones we hear about that
come from off the academic grid.
Paola Santana is a cofounder of
Matternet, which will maintain a fleet
of drones (autonomous aircrafts) to de-
liver medicine to villages in the devel-
oping world where there are no physi-
cal roads leading to them.
Marc Roth is starting a business
that’s outfitting shipping containers
(like the ones that are used on trains
and cargo ships) with computers and
3-D printers. He’s training homeless
people to operate them and sell their
products for a source of income.
Aereo was sued for taking over the
air television and allowing custom-
ers to stream it online. Broadcasters
argued in court that this wasn’t the
intended use of over-the-air TV, be-
cause they expect each viewer to have
their own antenna. Aereo promptly
installed millions of tiny antennas on
their server.
Blueseed.co is considering a novel
way to avoid the mess of paperwork
associated with immigrating to the
U.S. They plan to park a cruise ship
off the coast of San Francisco and
helicopter international executives
between their Silicon Valley jobs and
international waters every day get-
ting them to and from work. (We’re
planning to cover off the grid ideas
like these in a future issue, so feel
free to send us any cool pointers.)
It’s definitely not clear that any of
these are good ideas. What is clear
is that they are truly out of the box
answers to difficult problems. Pull-
ing them off requires a great deal
of expertise in one area as well as a
breadth of knowledge. Fundamen-
tally, providing that kind of breadth
is what magazines like XRDS strive
to achieve. Each issue brings you a
number of articles from a field that is
probably not your own, which we re-
cruit and curate in an effort to deliver
high-quality content that will spawn
ideas by keeping you well informed.
And when you’re done with this issue
of XRDS, go read some philosophy :)
—Peter
— Kinnaird and
Inbal Talgam-Cohen
7
begin
inbox
AROUND THE WEB
If you’re curious about how
the Twitter API works, stay
tuned for my article in this
summer’s issue of the @
XRDS_ACM magazine.
—Robert Aboukhalil, PhD
student @ CSHL, Editor-in-
Chief @TechnophilicMag,
Twitter (@RobAboukhalil)
@XRDS_ACM your latest
mag on Sci Computing
has winged its way
to Australia, lks like
another great read :)
—Patrick Sunter, Public-
spirited urban researcher
and computer geek,
Twitter (@PatSunter)
8 XRDS • fall 2013 • Vol.20 • No.1
Thanks to @XRDS_ACM A
fascinating article on “The
well-programmed clavier:
style in computer music
composition”
—A run Tripathi, Twitter
(@BitterRancor)
Is there any way to access
the magazine as an ebook
(EPUB or similar; *not*
PDF!)? If not, there should
be—the HTML site is
hard to navigate and PDFs
are not accessible to
vision-impaired users.
Plus many people these
days prefer to read
reflowable text on
their e-reader of choice.
—Pat Kujawa,
Facebook
Editor’s Reply
Hello Pat! We just launched
our new mobile apps. They
might be closer to what you
had in your mind. Happy to
hear your comments
˲˲ iTunes:
http://bit.ly/130Lnyk
˲˲ Google play:
http://bit.ly/1046Ba2
˲˲ Amazon:
http://amzn.to/15a7xS6
blast from the past
Dear XRDSians,
You are going beyond my
expectations. The Scientific
Computing issue is really
fabulous. I enjoyed all the
articles and your efforts
are worth appreciating.
Hope that you will keep up
this good work. I had
a criticism about the
authors’ demography for
the last issue, but this one
is quite perfect from all
perspectives.
I suggest including a
piece on deep learning,
which is becoming quite
catchy these days.
Best wishes,
Malay
Photograph by Sergey Nivens
Ex-XRDSian (2009-12)
How to contact XRDS: Send a letter to
the editors or other feedback by email
(xrds@acm.org), on Facebook by posting
on our group page (http://tinyurl.com/
XRDS-Facebook), via Twitter by using
#xrds in any message, or by post to
ACM Attn: XRDS, 2 Penn Plaza, Suite 701,
New York, New York 10121, U.S.
init
Keeping Your Little Back Shop
A
s with any good dis­
cussion of a com­
plicated issue, we
should start by de-
fining our terms. What do
we mean by privacy? By ano-
nymity? By disclosure, inva-
sion, or reasonable protec-
tion? As we draw a few lines
with some assurance, we
want you to join us in giving
them some serious thought.
An ex-admirer relentless-
ly tracking down your real-
world information through
supposedly protected on-
line spaces, and finding cre-
ative ways to terrorize your
waking life, is an invasion
of privacy. This can and
does happen to victims of
cyber-stalking.
If it’s anonymity you
want for protection, there
are tools that can help.
Tools that are very sophis-
ticated and incredibly
important for protecting
people such as dissident
journalists in totalitarian
states, where privacy is a
matter of life or death. Tor
is perhaps the best known
of these. Kelley Mistata dis-
scusses how Tor works and
why it’s important.
But an anonymous on-
line world has consequenc-
es too; as with any weapon,
what protects the victim can
also be taken and used by
* Building on Michel de Montaigne
(Essays, 1588), we suggest, “We
must keep a little back shop
where we can be ourselves with-
out reserve. In solitude alone can
we know true freedom.”
XRDS • fall 2013 • Vol.20 • No.1
the attacker. Is what you re-
ally want anonymity or pri-
vacy? Or is it pseudanonym-
ity? What exactly do those
words mean? Dave Birch
asks whether we could move
to a world where transac-
tions are covered by creden-
tials, rather than identity, to
protect privacy.
Is anonymity sufficient
protection to provide pri-
vacy, anyway? We can take
your name off the data and
make sure it doesn’t include
your address. However, there
are lots of ways to identify
someone. Your health issues,
frequent geographical loca-
tions, or favorite websites can
all be used to help pick you
out of an anonymized crowd.
While there are many argu-
ments to be made that our
new interconnected world
provides too little privacy,
Andreas Birkbak points out
it may also provide too much.
From a policy perspective,
anonymity has quite serious
effects on transparency, for
example. If governments
release data on their own
performance, this will inevi-
tably involve data about us—
their citizens. Elaine Mackey
and Mark Elliot ask how ef-
fectively can we anonymize
and yet release data that in-
forms and provides knowl-
edge of crime, education,
or health? Are there places
where the information en-
vironment heightens the
risk of statistical disclosure?
What effect does the world of
big data have on this? What
effect might transparency
have when information is
routinely released, rather
than gathered under FOIA?
How do we quantify risk?
Marion Oswald asks how
can we assess risk, the likeli-
hood of something happen-
ing and the impact if it does?
And Iain Bourne asks how do
we change data protection
law, when we not only need
information to be available,
but protected? Is it possible
to have a transparent society
while not becoming trans-
parent citizens?
The real world is messy,
almost unavoidably. There
are very big complicated
questions to untangle. Oc-
casionally, just occasionally,
a mathematician can step
into the chaos of the world,
take a rigorous stand on a
problem, and turn a piece
of the mess into something
quite manageable. We have
a few shining examples here:
Philip C. Ritchey provides a
clever technique for sending
provably, private messages
encoded in simple games
like tic-tac-toe; and Domi-
nic Hobson describes how
Bitcoin provides privacy to
its users.
And as a hopeful finale,
we have an interview with
Cynthia Dwork, the inven-
tor of differential privacy.
Differential privacy is an
approach to data mining
that provides a strong math-
ematical guarantee that the
privacy of individuals in the
data set will be protected.
Want to see how it’s done?
Preceding the interview is
a brief stick-figure comic
Christine Task created to
help explain the trick. It’s
her inaugural oeuvre in that
medium, and she hopes you
find it entertaining.
There are complicated
problems to be addressed
as our world evolves, techni-
cally, culturally, and in poli-
cy. The students of today are
likely to be the ones who will
be addressing them, with
their voices, their votes, and
their technical expertise.
That’s you. And as you’ll see,
you’re going to be arriving on
the scene just in time. So pay
attention, there will be a test.
—Maire
— Byrne-Evans and
Christine Task, Issue Editors
9
begin
768 bits
The largest RSA key known
to have been brute-forced.
benefit
XRDS
Mobilizes
To make content more
accessible to the student
readers, XRDS has recently
launched its new mobile
app. The app will enable
Android and iOS users to
browse the magazine on the
go from their Android or
iOS enabled smart phones
or tablets.
Each issue of XRDS
features a theme, such
as “The Role of Academia
in the Startup World”
or “Big Data,” with coverage
of research trends and
interviews. Students can
also read timely updates
on upcoming major
conferences, grants,
fellowships, and contests.
Even better, students can
now get all this in a more
convenient way—their
hand-held devices.
The application
is powered by
Godengo+Texterity.
With these newly
launched apps, XRDS
wishes to extend its
reach among the student
community. So don’t delay;
get your favorite magazine
on your smart phone
and recommend your
friends do the same.
The links to the app are:
˲˲ iTunes:
http://bit.ly/130Lnyk
˲˲ Google Play:
http://bit.ly/1046Ba2
˲˲ Amazon:
http://amzn.to/15a7xS6
—Debarka
— Sengupta
10
30,000
The approximate number of accounts Google released
information about to the U.S. government in 2012.
advice
Managing Your Time
L
et me ask you a very simple and
short question. Do you feel you
manage your time well? If the
answer is yes, then you should
be the one writing this article; not me. I
mean it! Personally, I have issues when
it comes to time management and until
today I haven’t met anyone who doesn’t.
But if you truly don’t, please drop me an
email and I’ll publish your advice on
time management in one of our future
issues. In the meantime, even if I am
not an expert in the area, here are some
tips that might help you improve.
1. Time is not manageable. I am not a
physicist but time used to be, still is,
and seems like it is going to be perfectly
managed. Each hour has 60 minutes
and each minute has 60 seconds and
there is nothing you can do to control
it (at least in practice). My point is the
first step is to realize that you don’t have
to manage time. You have to manage
yourself—your own activities—in order
to make sure you can accomplish them
in the available time.
2. To-do lists and prioritization. OK, a
list might be a bit too obvious, but it
is one of the fundamental things you
should have a system for. As people who
enjoy computing, I am sure you can find
the right software that can help you
write down what you have to do and
when. Find a proper system and make
sure it can help you at least capture your
tasks and schedule. Old-style notepads
and diaries can do the job too.
3. Don’t be afraid of drafts. If you think
about it, drafts are amazing. It is like
giving yourself the opportunity to do
something of ambiguous quality with-
out having anyone judge you. Drafts for
students are like rehearsals for actors or
practice sessions for athletes. You need
to use them in your favor. Even if you
have to submit your draft to somebody
such as your supervisor, worst-case sce-
nario he will give you some harsh feed-
back that will help you improve your
draft. No evaluation, no marks, nothing
to be afraid of.
4. Consider the possibility of saying no.
Yes, this is a real possibility. One you
can use and be acceptable to the other
party. Even if it might not always sound
nice, the answer to “could you please...”
can be negative; perhaps in a more kind
and friendly way, but still negative. Hav-
ing said that, you need to be careful
when and how to deny your help/ser-
vice. Make sure to consider “no” as one
of your available options before making
your final decision.
5. Just do it. Do you know how many
“time management” workshops, semi-
nars, books, and tutorials you can find
out there? A simple Google search will
give you more than a billion results
with websites full of tips on how to
effectively manage your time. Do you
know what’s the only way to make them
work? Do them! Choose some, try them,
adopt them, and use them in your every-
day life. Believe me, I have spent a lot
of my time trying to improve my time
Photograph by IR Stone
management skills, but there is a huge
gap between deciding to use them and
putting them into practice. Simliar to
deciding to go to the gym...
—Vaggelis
— Giannikas
XRDS • fall 2013 • Vol.20 • No.1

updates
Revitalizing ACM Student Chapters
A Look at How to Refresh Student Initiatives
R
un n i ng a n ACM
student chapter is a
demanding task. In
a world where com-
puting has touched nearly
every aspect of our daily
lives, it still seems difficult
to bring students togeth-
er. Further, given the over
stimulating environment
in which students are im-
mersed while pursuing their
studies, it appears there is a
natural occurrence of “roller
coaster” based involvement
and interest in ACM student
initiatives. As the torch is
passed down every few years
to the next generation of stu-
dents, the newly appointed
ACM student chapter lead-
ers are faced with the task of
trying to appeal to the con-
stantly changing interests
and directions of their peers
and professional commu-
nity. In this issue of XRDS we
solicited student chapters
who were working hard to
revitalize their student in-
volvement and bring a new
face to their student chapter.
The ACM student chap-
ter at the University of Mas-
sachusetts Lowell (UML)
has been around since the
1990s, but has suffered from
several years of inactivity.
Recently this past spring,
dedicated students working
with faculty advisor Dr. Jesse
Heines have refreshed their
student chapter in efforts
to bring together a diverse
XRDS • fall 2013 • Vol.20 • No.1
group of students to form an
active computing commu-
nity. In the first semester of
the chapter’s reformation,
the student leaders, with
help from the UML Alumni
Association, have managed
to provide strong initiatives
for their student communi-
ty. These events ranged from
a speaker series to tutorial
sessions such as an Android
Development night, dur-
ing which students learned
to create Android applica-
tions. The chapter hosted
an impressive list of speak-
ers including Google’s Rich
Miner, start-up guru Abby
Fichtner, cyber-security ex-
pert Gary Miliefsky, and in-
teractive fiction author An-
drew Plotkin.
Newly appointed Presi-
dent of the ACM chapter at
UML, Shawna O’Neal, ex-
plained some of the issues
their ACM chapter faces:
“UML is a unique campus
where students are sepa-
rated by location and major.
The technolog y, science,
and business domains are
on the north side of the Mer-
rimack River, while the hu-
manities, social sciences,
and arts are on the south
side. We also have a heavy
commuter base on our cam-
pus. What this means for us
is that our sense of commu-
nity can suffer.” However,
given these challenges, Ms.
O’Neal explains an ACM
1,462
The number of privacy policies the average American views
per year. Fun fact: Facebook’s privacy policy is more than
9,500 words long.
Rich Miner’s visit to UML as part of ACM’s speaker series.
chapter can help to overcome
this divide: “We believe that
the ACM chapter is a place
for students to connect
with common interests. We
are not just a computer sci-
ence club—we have 43 active
members from various fields,
including math, English,
engineering, and business
backgrounds. Going forward,
we would love to see more
disciplines and backgrounds
come together. There is seri-
ous potential to rebuild our
campus community.”
Moving forward, the ACM
student chapter at UML
plans to continue its speak-
er series after the positive
student feedback provided
from the previous events.
Additionally, there is inter-
est in starting a “Game De-
velopment Night,” which the
chapter hopes will showcase
student-created gaming ap-
plications that can be used
by the UML community for
leisurely fun and to solicit
development advice from
other students. Feedback
from the chapter’s previous
development night has pro-
vided a well-valued insight
into the common interests
of the student community.
When asked for advice
on how to build an ACM
community, Ms. O’Neal of-
fered the following words
of wisdom: “Never give up.
What we have learned over
the past six months is that
there will be events in which
attendance is high and feed-
back is great, and converse-
ly, events in which only two
people attend or technical
difficulties interfere with
the event itself. However, as
difficult as it may be to pull
students out of their dorms,
or to convince commuter
students to stay on campus
late—it is absolutely pos-
sible to create a successful
chapter. Keep trying.”
If you would like to read
more about ACM student ini-
tiatives at UML, you can visit
their website at the follow-
ing link: http://umlacm.org.
—Michael
— Zuba
11
begin
The XRDS blog highlights a range of topics from open access to
neuroscience. Selected blog posts, edited for print, will be featured
in every issue. Please visit xrds.acm.org/blog to read each post
in its entirety. For this issue we have included two guests posts
on privacy and anonymity, which have also been edited for print.
BLOGS
Algorithms Fit
for Compilation?
By Olivia Simpson
Most researchers differ in their workflow. For researchers
in the algorithms world (or at least, those I know), the work
is in the design. Our hours are spent at the blueprint stage.
Algorithms are designed, improved, reformulated, or
reapplied in different problems, mostly on paper. But this
is unarguably only the first stage in successfully developing
a new algorithm. There are still the matters of proving and
testing the algorithm, and submitting the result to the
public. When are we done drafting our blueprint? How do
we package and ship the blueprint to the engineers and
construction team?
Let’s address the more straightforward question first.
What is the best way to present an algorithm? How descrip-
tive and specific should it be? Should it be entirely self-
contained or, for instance, could we have a pointer to a “…
subroutine of choice”? Is implementability more important
than readability?
In an introductory algorithms course, algorithms are
often described as recipes, step-by-step instructions for ob-
taining the result of a calculation. However, it is often made
explicit that algorithms are not pseudocode. Leslie Lamp-
ort developed the PlusCal algorithm language to address
this notion explicitly. According to the description on his
Microsoft Research page, the PlusCal language is for writing
algorithms, as programming languages are meant for writ-
ing programs. Many LaTeX packages for writing algorithms
specify that they should not be used to write pseudocode
(although this might not be coincidental considering Lamp-
ort himself wrote LaTeX). His solution uses the language of
mathematics, giving descriptions of procedures in terms of
logical constructs. PlusCal is different from programming
languages two important ways: It allows for non-determin-
ism and it makes analysis easy by keeping track of atomic
steps. Lamport highlights these as some distinguishing
12
features between algorithms and programs.
Of course, there is no need to present an algorithm un-
less we are sure of its correctness and power. This question
may very well be the fire behind the algorithm/pseudocode
distinction question. Without a mechanism for testing an
algorithm, we are subject to proving its correctness only by
hand. This leaves much room for error. So then, what are the
tools for testing? Well, programs.
Lamport has a solution to this as well. Along with the
PlusCal language, Lamport has designed the TLA+ specifica-
tion language with tools for model checking and a TLAPS
proof system. It is part of the Tools for Proofs (http://www.
msr-inria.fr/projects/tools-for-proofs/) project at Microsoft
Research. During a recent talk at UCSD, Lamport explained
that the model checking system of TLA+ has vastly improved
his own work process and also makes collaboration much
more comfortable.
Aside from attending his talk, I find myself asking these
questions because, in writing an algorithm down, I almost
reliably find errors in its design. Transcribing inevitably
enables debugging. Even better is implementation! How can
I be so sure of my algorithm if I myself cannot use it? So, this
is part of my workflow. But what does this mean for my read-
ers? Do I spare these details for a more pleasurable reading
experience? After all, everyone has his own flavor of imple-
mentation. Or should I let the details given in the algorithm
speak for itself?
Lamport has his own answers to all of these questions.
I am personally still in the development phase, but I feel
it is important to begin a dialogue within the community.
Developing a standard in the way of algorithms languages
would improve productivity and remove ambiguity. A com-
mon language for algorithmists could even open up new
doors of collaboration. If nothing else, it will answer some
questions I have.
Olivia Simpson is a graduate student at UCSD, enjoying all the sun, sand, and graph theory
that San Diego has to offer.
Habits: Our cognitive shortcut
By Gidi Nave
Photograph by Andrey Armyagov
I like my shopping routine at the grocery store around the
corner, where my cart seems to easily navigate itself through
the isles. Once in a while I make adventurous purchases (the
Halloween-edition beer with pumpkin aroma still awaits
in my fridge), but I usually stick to the products that have
already made me happy before. Whenever in a new town, I
XRDS • fall 2013 • Vol.20 • No.1

try to shop at the same chain, where I know the products and
their location on the shelves.
One morning, the parking lot of the usual store was
packed. I decided to explore and went to the supermarket
across the street for the first time. My experience at the new
place was mildly traumatizing: Confronted by all sorts of
new packages calling from the shelves, I felt helpless. How
should I know what I would like?
In my first blog post, I wrote about our mind’s limited
computational capacity. When we shop, examining all of
the products, predicting how much we will enjoy them,
and whether the price is reasonable (compared with the
alternative) is very costly in terms of cognitive effort.
Luckily, our brains have figured out a shortcut that saves
a lot of time and mental effort, making it easy to navigate
through the local convenient store and fill ours cart with
the usual products.
Faced with a novel situation, we usually don’t know what
to do. Sooner or later, after a short exploration period of
trial and error, we learn what works for us. Animals are not
much different. In 1898 American psychologist Edward
L Thorndike invented the “puzzle boxes”—cages that the
animal (say, a cat) could exit (and get a food reward) only by
using a specific response (like pulling a lever, for example).
Thorndike found the time it took the animals to escape and
get their food reward decreased with their experience.
This is not news for anyone who ever had a pet: Animals
quickly figure out what action would get them the reward.
The process of associating a state of the world with an action
and its outcome in the animal’s brain, called “instrumental
conditioning,” can be used to teach animals, like raccoons,
to perform complicated tasks, like playing basketball.
Do animals learn to associate the sensory stimulus
and their responsive actions with the reward, or maybe
they are just reinforced to perform the action, regardless
of the reward value? To answer this question, Dickinson
and colleagues trained mice to push a lever in order to
get food.1 After 120 successful trials, the mice were fed to
satiety. Lacking the motivation to get food, the mice stopped
pressing the lever, providing evidence that they had learnt
the consequence of their actions, and weren’t just blindly
responding to the lever in their cage.
Dickinson repeated his experiment with a new group of
mice, but this time he extended the training period to 360
(rather than 120) trials. The effect of over-training on the
mice behavior was dramatic: Even after they were fed to
satiety and no longer wanted the food, they kept pressing the
1 A. Dickinson, et. al. Motivational control after extended instrumental
training. Animal Learning & Behavior 23, 2 (1995), 197-206.
XRDS • fall 2013 • Vol.20 • No.1
U.S. intelligence agencies are
building a data center in Utah
to store in the trillions of terabytes
of surveillance data.
lever. The mice picked up a lever-pressing habit.
Although we all have natural, automatic responses to
events in our environment (like the urge to step out of the
elevator even though it had stopped on the wrong floor),
us, humans, have a sense of control. We believe in our
ability to suppress habitual tendencies more easily than
other animals. In 2009, Elizabeth Tricomi and colleagues
recruited Rutgers college students, making sure that none
of the subjects were dieting. Participants fasted for six
hours, and then performed a simple task. In each trial, they
were instructed to push one of four buttons in order to get
a food reward. In some trials, the reward was an M&M; in
others it was corn chips (the researcher verified that all of
the subjects liked both foods).
Like in Dickinson’s mice studies, subjects were divided
into two groups: The first performed the task only for
a single day, in two eight-minute training sessions; the
second performed four sessions each day for three days—
six times as much training. Now came the fun part. After
the last training session, participants were given one of the
food types, and were instructed to eat until it was no longer
pleasant to them. With one of the food “devalued,” subjects
went back to perform the task for three more minutes.
What do you think happened? When the rewarded food
was no longer desirable, the first group stopped pushing
buttons, as expected. Surprisingly (or not) the over-trained
subjects became habitual, and kept pressing buttons even
when the food reward had become unpleasant.
Habit formation imposes a trade-off. Most of the time,
the shortcut works well: We easily navigate our cars and
carts in familiar avenues without having to pay too much
attention. Faced with a new situation, however, we are prone
to make mistakes, or even worse— pick up unhealthy habits.
Obesity, alcoholism, and other addictions are often a result
of a long reinforcement history (of alcohol, drugs or fried-
chicken) that ended up turning into out of control habits.
Accepting the habitual system as an inseparable part of
our minds, understanding its limitation, and the way it works
may help us to achieve our long-term goals. Forcing ourselves
to start working out and eat healthy is effortful, but the
investment will pay off. After a period of reinforcement (by
endorphin rush, feeling lighter and getting compliments),
our brains will pick up the habit. Going to the gym or having
kale salad may become effortless or even enjoyable.
Gidi Nave is a Computation and Neural Systems Ph.D. student in Colin Camerer’s lab
at Caltech. His research is in the field of neuroeconomics—the intersection between
neuroscience, psychology and economics. He uses a medley of theoretical and experimental
methods for reverse-engineering the processes underlying human decision-making. By
understanding how emotions and cognition generate judgments and decisions under
uncertainty, he seeks to contribute models that take into account the biological origins of
the decision process in the brain. For more information visit www.gidinave.com.
13
begin
Coordination When
Information is Scarce:
How privacy can help
Originally posted on http://aaronsadventures.blogspot.com
By Aaron Roth
This post is the first in a (hopefully) series of posts about
how tools and ideas from differential privacy can be useful
in solving problems in game theory. The connection might
at first be surprising, but is in fact very natural. The field of
differential privacy studies algorithms whose inputs are
generated by the reports of n players. It provides tools for
bounding the sensitivity of the output of the algorithm in
a precise, probabilistic sense to unilateral changes to the
input by a single one of these players. This notion of uni-
lateral deviations is very similar to the notions of stability
at equilibrium that game theory is concerned about, and
this is the root of the connection. For a general overview of
the area, let me plug the survey on differential privacy and
mechanism design that Mallesh and I wrote for the most
recent issue of SIGecom Exchanges. In this post, I’ll discuss
a result that Michael Kearns, Mallesh Pai, Jon Ullman, and
I have had kicking around for awhile. We only recently hit
upon the interpretation of the result that I’ll discuss here
though, which I rather like. For more details, you can check
out the arXiv paper, “Mechanism Design in Large Games:
Incentives and Privacy,” which we recently revised. I should
add the story that accompanies our technical contribu-
tions is the result of discussions with many people as we’ve
gone about and presented it. Tim Roughgarden and Ricky
Vohra deserve special thanks.
In game theory, there are several popular abstractions for
what players in a game know about their opponents.
˲˲ In games of complete information, players know exactly
the utility functions that each of their opponents is trying
to optimize.
˲˲In games of incomplete information, players don’t
know what their opponent’s utility functions are. In
Bayesian games, players utility functions are parameter-
ized by “types,” which are drawn from a known (possibly
correlated) prior distribution. Agents know the distribu-
tion from which their opponents’ types are drawn, but not
the types themselves.
In games of complete information, the standard solu-
tion concept is the Nash equilibrium: Informally, everyone
should be playing an action such that no single player
14
PCI DSS
The Payment Card Industry Data Security Standard is
a mandatory data protection standard for businesses
that handle credit card information.
can benefit by making a unilateral deviation. Players can
randomize, so actions are evaluated in expectation over
the random choices of one’s opponents, but their utility
functions are known.
In games of incomplete information, strategies are
thought of as mappings from types to actions. The standard
solution concept is the “Bayes Nash Equilibrium,” which in-
formally states everyone should be playing a strategy such
that no single player can benefit by making a unilateral
deviation, where now strategies are evaluated in expecta-
tion both over the random choices of one’s opponents, and
also over the random realization of the ty pes of one’s oppo-
nents, as drawn from the known prior distribution.
Games of complete information are attractive for a num-
ber of reasons: not least of which that they are much cleaner
and more analytically tractable than games of incomplete
information. However, when talking about large n player
games, where players don’t all know each other, have limited
abilities to communicate, and might think of their types as
proprietary information, games of incomplete information
are probably a more reasonable model of reality.
Unfortunately, the quality of Bayes Nash Equilibria can
be much worse than the corresponding Nash equilibria of
the full information game, even in the worst case over type
realizations. The reason is not knowing the utility functions
of your opponents can make coordination very difficult. Con-
sider the following toy example, borrowed from Bhawalkar
and Roughgarden:
There are n players, and n+ √n “goods” to be distributed.
Each player i has utility uij ∈{0,1} for receiving a good j. The
game is played as follows: Each player i names a single good
si. Each good j is allocated at random to one of the players
that named it. Now suppose that types are drawn from the
following distribution. The goods are randomly partitioned
into two sets, S and T, with |S| = n and |T| = √n. For every
player i and good j ∈ T, uij = 1. A perfect matching μ is selected
at random between agents I and goods in S. Agents have
value u(i, μ(i)) = 1 for the good μ(i) ∈ S that they are matched to,
and value u(i,j) = 0 for every good j ≠ μ(i) in S that they are not
matched to. In other words, every player has a “special” good
in S that she uniquely desires, and everyone desires all of the
goods in T. If we are in the complete information setting,
then since everyone has the option of requesting their spe-
cial good si = μi in any reasonable equilibrium (with nobody
requesting a good they don’t want) n goods are allocated
to bidders who desire them, for total social welfare of n.
However, in the incomplete information setting, because of
the symmetry of the distribution, no player can distinguish
their special good from amongst the √n+1 goods that they
XRDS • fall 2013 • Vol.20 • No.1

value. Its not hard to see that in this case, in equilibrium
only O(√n)goods get allocated.
So if we find ourselves in a setting of incomplete informa-
tion, we might nevertheless prefer to implement an equilib-
rium of the game of complete information defined by the
realized types of the players. How can we do that, especially if
we have limited power to modify the game?
One tempting solution is just to augment the game to
allow players to publicly announce their types (and thus
make the game one of complete information). Of course
equilibria of the complete information game might not be
unique, so to help solve the coordination problem, we could
introduce a weak “proxy” that players can choose whether
or not to use. Players can “opt in” to the proxy, which means
that they report their type to the proxy, which then recom-
mends an action for them to play. At this point they are free
to follow the recommendation, or not. Alternately, they can
“opt out” of the proxy, which means they never report their
type, and then just choose an action on their own. It would
be nice if we could design a proxy such that:
1. Simultaneously for every prior on agent types, it is a
Bayes-Nash equilibrium for agents to opt-in to the proxy, and
then follow its suggested action, and
2. Given that all players behave as in (1), that the resulting
play forms an equilibrium of the complete information game
induced by the actual, realized types of the players.
Its tempting to think that to design such a proxy, it is
sufficient to have it compute a Nash equilibrium of the
complete information game defined by types of the players
who opt in, and then suggest that each player play her part
of this Nash equilibrium. After all, if everyone is opting in
and playing their part of a Nash equilibrium, how can you
do better than to do the same? By definition, in a Nash equi-
librium, your suggested action is a best response given what
all other players are playing. And in fact, in the toy alloca-
tion example we discussed above, this works, since there is
an equilibrium of the complete information game that is
simultaneously optimal for all players.
In general, however, this approach fails. The flaw in our
reasoning is that by opting out, you change what the proxy
is computing: it is now computing a different equilibrium,
for a different game, and so by opting out, you are not
merely making a unilateral deviation from a Nash equi-
librium (which cannot be beneficial), you are potentially
dramatically changing what actions all other players are
playing. The Nash equilibrium condition does not pro-
tect against deviations like that, and in fact it’s not hard
to construct an example in which this is a real problem.
Consider, e.g. toy example #2: There are n players who each
XRDS • fall 2013 • Vol.20 • No.1
Early version of web browsers restricted
the length of cryptographic keys for
non-U.S. users, because of U.S. restrictions
on exporting cryptography.
have one of two types—(M)ountain, or (B)each. Each player
has two actions— they can go to the beach, or go to the
mountain. Players prefer the activity that corresponds to
their own type, but they also like company. So if a p frac-
tion of people go to the Mountain, an M type gets utility
10 ∙ p, if he goes to the mountain, and 5 ∙ (1 – p), if he goes
to the beach. A B type gets utility 5 ∙ p, if she goes to the
mountain, and 10 ∙ (1 – p), if she goes to the beach. A proxy
that suggests that all players go to the beach if type M is in
the majority, and otherwise suggests that all agents go to
the mountain always computes a Nash equilibrium of the
complete information game defined by the reported types.
Nevertheless, any player that is pivotal has incentive to
opt-out of the proxy, since this causes the proxy to send all
other players to her preferred location.
But what if it were possible to compute an equilibrium
in such a way so that whether or not any player i opted in
had very little affect on the distribution over actions sug-
gested by the proxy to all other player j ≠ i? In this case, the
problem would be solved: any unilateral deviation from
the all-opt-in-and-follow-the-proxy’s-suggestion solution
would not (substantially) affect the play of one’s oppo-
nents, and so they would all continue playing their part of
an equilibrium of the complete information game, defined
on all player’s realized types. The equilibrium condition
would now directly guarantee that such a deviation could
not be beneficial.
So to design a good proxy, its not enough to just have
an algorithm that computes an equilibrium of the game
defined by the reported types, but it is enough if that algo-
rithm also satisfies a strong enough stability condition. It
turns out that a sufficient “stability” condition is a variant
on differential privacy: informally, that any unilaterial de-
viation by a single player i should not change (by more than
a (1 ± ε) factor) the probability that any particular profile of
n – 1 actions is suggested to the n – 1 players .
And in fact it is possible to implement this plan, at least
for certain classes of games. We study the class of “large
games”, which informally, are n player games in which the
affect of any player i’s action on the utility of any player j≠i
is bounded by some quantity which is diminishing in n.
The Beach/Mountain example is of this type, as are many
large population games. Our main technical result is
an algorithm satisfying the required differential privacy
stability condition, which computes a correlated equilib-
rium of any large game. The upshot is that in large games,
it is possible to design a very weak proxy (that doesn’t have
the power to make payments, force players to opt in, or
enforce actions once they do opt in) that implements an
15
begin
η-approximate correlated equilibrium of the complete
information game, as an η-approximate Bayes Nash equi-
librium of the partial information game, no matter what
the prior distribution on agent types is. Here η is some
approximation parameter that is tending to zero in the size
of the game—i.e. as the game grows large, the equilibria
become exact.
To emphasize the purely game theoretic aspects of this
problem, I have ignored the fact that differential privacy of
course also provides a good guarantee of “privacy.” Aside
from straightforward incentive issues, there are other
reasons why players might be reluctant to announce their
types and participate in a complete information game:
perhaps their types are valuable trade secrets, or would be
embarrassing admissions. Because our solution also hap-
pens to provide differential privacy, it is able to implement
an equilibrium of the complete information game, while
maintaining the privacy properties inherent in a game of
incomplete information.
To conclude, differential privacy thus far has been
primarily a problem-driven field that has borrowed
techniques from many other areas to solve problems in
private data analysis. But in the process, it has also built
up a strong conceptual and technical tool kit for think-
ing about the stability of randomized algorithms to small
changes in their inputs. I hope this and future posts serve
to convince you that there is something to be gained by
borrowing the tools of differential privacy and applying
them to solve problems in seemingly unrelated fields.
Aaron Roth is the Raj and Neera Singh assistant professor of Computer and Information
Sciences at the University of Pennsylvania. Prior to this, he was a postdoctoral researcher
at Microsoft Research, New England, and earned his PhD at Carnegie Mellon University.
He is the recipient of a Yahoo! Academic Career Enhancement Award, and an NSF CAREER
award. His research focuses on the algorithmic foundations of data privacy, game theory
and mechanism design, and the intersection of the two topics.
The New Firefox Cookie Policy
Originally posted on WebPolicy.org
By Jonathan Mayer
Editor’s Note: Earlier this year Stanford grad student Jona-
than Mayer discussed cookies, Web tracking, and changes to
Mozilla’s cookie policy on his personal blog.
The default Firefox cookie policy will, beginning with
release 22, more closely reflect user privacy preferences.
This mini-FAQ addresses some of the questions that I’ve
received from Mozillans, Web developers, and users.
16
How does the new Firefox cookie policy work?
Roughly: Only websites that you actually visit can use
cookies to track you across the Web.
More precisely: If content has a first-party origin, noth-
ing changes [1]. Content from a third-party origin only has
cookie permissions if its origin already has at least one
cookie set.
How does Firefox’s new policy compare to the other
major browsers?
˲˲ Chrome: Allows all cookies.
˲˲ Internet Explorer: Cookie permissions vary by P3P com-
pact policy. In practice, almost all third-party tracking cook-
ies are allowed [2].
˲˲ Safari: First-party content has cookie permissions.
Third-party content only has cookie permissions if the con-
tent already has at least one cookie set.
In short, the new Firefox policy is a slightly relaxed ver-
sion of the Safari policy [3].
Will the new Firefox policy break websites?
Collateral impact should be limited. Safari’s cookie policy
has been in place for over a decade, and it is included in
both the desktop and iOS versions of the browser. A few
websites may require a tiny code change to accommodate
Firefox in the same way as Safari.
Just to be sure, the Mozilla privacy team is closely
monitoring the policy before final release. The patch will
spend about six weeks each in the pre-alpha, alpha, and
beta builds. If you spot any oddities, please report them to
Mozilla support!
IS IT NECESSARY?
Consumers neither expect nor approve of Web tracking
[4]. Mozilla has been a frequent advocate for its users,
advancing technologies that signal preferences (Do Not
Track), lend transparency (Collusion), and facilitate
privacy-friendly Web services (Persona and Social API).
Last fall, the Mozilla community began a concerted effort
in a new direction: technical countermeasures against
tracking [5]. One of our first projects has been a revision of
the Firefox cookie policy [6].
Cookie policies are inherently imprecise. Some un-
wanted tracking cookies might slip through, compromis-
ing user privacy (“underblocking”). And some non-tracking
cookies might get blocked, breaking the Web experience
(“overblocking”). The challenge in designing a cookie
policy is calibrating the tradeoff between underblocking
and overblocking [7].
The patch that I developed is an intentionally cautious
XRDS • fall 2013 • Vol.20 • No.1
first step: It aims to substantially reduce underblocking
with little (if any) overblocking. The revised policy is so
cautious, it isn’t even new: It’s drawn directly from Safari
[8]. Almost every iPhone, iPad, and iPod Touch user is al-
ready running the revised Firefox cookie policy. Web engi-
neers are already familiar with designing to accommodate
the policy. The notion is simple: Start by raising Firefox
to the present best practice among competing browsers,
then iteratively innovate improvements.
Firefox’s revised cookie policy landed in the pre-
alpha build in late February. Since then, Mozillans and
I have carefully monitored bug reports. It appears that
we achieved our aim: There are only two confirmations
of inadvertent breakage [9]. We did not hear any novel
concerns when the patch advanced to alpha in early April.
Recently, Mozilla’s CTO requested a hold on the revised
policy for an extra release cycle to measure its perfor-
mance. At the same time, he reaffirmed that Mozilla is
“committed to user privacy” and “committed to shipping
a version of the patch that is ‘on’ by default.”
I agree we should be quantitatively rigorous in our
approach to iterating the Firefox cookie policy. An extra
six-week release cycle would allow us to further validate
our hypothesis that the patch delivers improved privacy
without breakage [10], as well as lay the groundwork for
future updates. Going forward, our challenge will be to
understand and improve the underblocking and over-
blocking properties of the Firefox cookie policy.
Underblocking and Overblocking
There are at least three substantial areas of underblocking
that we know we need to address with future
improvements.
˲˲ Old cookies. The revised policy does not limit preexist-
ing tracking cookies. Firefox users who update to the revised
policy will not fully benefit until they clear their cookies.
˲˲ Temporary visits. Sometimes a user temporarily visits
a tracking website, such as after clicking an advertisement
(intentionally or inadvertently). The revised policy indefi-
nitely allows tracking cookies from a website after just one
temporary visit.
˲˲ Dual-use domains. Several popular websites use the
same domain for both consumer services and tracking. Ya-
hoo, for example, operates both its homepage and adver-
tisement tracking from yahoo.com. If a user visits the Ya-
hoo homepage, the company will be able to track the user
across other websites. Google, on the other hand, largely
hosts search on google.com but advertising tracking on
doubleclick.net. If a user runs a query with Google, they
XRDS • fall 2013 • Vol.20 • No.1
will still be protected against Google ad tracking.
As for overblocking, again, I am not aware of any signifi-
cant shortcomings with the revised cookie policy [11].
Next STEPS
We have a number of tools at our disposal for improving
our understanding of the Firefox cookie policy,
including feedback solicitations, user surveys, browser
measurements, Web crawls, and much more. There
are many possible directions for product innovation,
including heuristics, machine learning, community
reporting, manually-curated lists, mechanisms for
confirming user preferences, new user interfaces, new
APIs, and new institutions.
I look forward to continuing collaboration with Mozilla
and its community on web privacy and security. I’m excited
to get the revised cookie policy into users’ hands. And I’m
even more excited about building what comes next.
This work is licensed under a Creative Commons Attribution
3.0 Unported License.
Notes
[1] An origin is determined by public suffix + 1.
[2] Many researchers have criticized Microsoft’s approach for being ineffective,
convoluted, and relying on the de facto deprecated P3P standard. For background,
see Token Attempt: The Misrepresentation of Website Privacy Policies Through the
Misuse of P3P Compact Policy Tokens by Leon et al.
[3] The difference is primarily owing to engineering convenience.
[4] See the survey paper “Third-Party Web Tracking: Policy and Technology” for
background. In the context of this post, “tracking” means the collection of a user’s
browsing history by a third-party website.
[5] For an overview of Mozilla’s open-source community model, see MozillaWiki »
Community and Mozilla.org » Governance. Many members of the Mozilla community
have now contributed to the tracking countermeasures effort.
[6] Apple and Microsoft have both automatically limited tracking cookies for a decade.
There was an effort to block tracking cookies by default in Firefox three years ago,
but it was withdrawn under contested circumstances.
[7] Other considerations could include types of underblocking and overblocking, as
well as possible reactions to the policy. Future posts might address these topics,
depending on reader interest.
[8] In the interest of precision, the revised Firefox cookie policy is slightly more
permissive than the Safari policy owing to implementation specifics.
[9] The sites are dayonecenter.com (Alexa rank > 1M) and western.org (Alexa rank ≈
200K).
[10] As I understand our release conditions, the patch will move forward unless there’s
confirmed breakage, the breakage is so substantial as to outweigh longstanding
user demand for privacy, and the breakage cannot be ameliorated through outreach,
mitigation measures, or rapid iteration. Under present circumstances, the patch
plainly satisfies these release conditions.
[11] We may wish to relatedly take steps to accommodate websites (if any) that have
a third-party domain, do not compromise consumer privacy, do not break the
consumer Web experience without cookies, cannot deploy an accommodation
for the revised cookie policy, require cookies for functionality, and have lost that
functionality on account of the revised policy.
Jonathan Mayer is a grad student at Stanford University in computer science and law.
But he doesn’t live in the ivory tower. His research homes are the Security Lab (advised by
John Mitchell), CISAC, and CIS. Wherever information technology, public policy, and law
intersect, Mayer is interested.
17
feature

What is Public and

Private Anyway?
A Pragmatic Take on
Privacy and Democracy
Revealing private content on the Web can also spark public engagement.
To understand this, we need to challenge our common sense notions
of privacy and democracy.

By Andreas Birkbak
DOI: 10.1145/2508969

T
he Web should work in the most democratic way viable, while doing as much as possible
to protect the privacy of its users. These are statements that most people seem to agree
with, to an extent where they have become common sense. The widespread uptake of
social media use, however, suggests the conventional distinction between something
private and something public does not always hold in practice. For example, prominent Web
scholars like Nancy Baym and danah boyd note how we might understand social media better
if we see that “even the most private of selves are formed in relation to diverse others.”
This insight is taken from pragma- observation that as our societies grow boundaries of the immediate situation
tist philosophy, and I would like to sug- increasingly technological, our ac- in which the act takes place. The re-
gest that this line of thinking is fruitful tions also tend to have an increasing sult is that a public needs to be formed
for challenging our tendency to think number of unforeseen and indirect in order to take care of the indirect
about the Web in terms of a strong consequences. In order for people to consequences. One might take pollu-
public/private dichotomy. My source live democratically, by which Dewey tion as a simple example: If a father is
of inspiration is the classic American simply means to be able to direct burning garden waste, and the direct
pragmatist John Dewey [1]. one’s own life in a meaningful way, it consequence is the smoke prevents
In a deceptively small book from is imperative to come to grabs with all his children from playing outside, it is
1927, The Public and its Problems, Dew- these indirect consequences. This is a private matter to put out the fire or
ey offers an alternative take on the where the public enters the picture. postpone any playing outdoors. How-
public/private distinction. Like any Dewey distinguishes between di- ever, if the father is also burning ma-
other pragmatist his vantage point is rect and indirect consequences of ac- terial that contains toxic chemicals,
Illustration by JNT Visual

practice, that is, human actions. What
Dewey is interested in is how we might
come to better understand our actions
and their consequences. More specifi-
cally, the problems of the public that
Dewey is pointing to arise from the
tions. If consequences are direct, it
means they are contained in the situa-
tion where the act is taking place, and
they can be dealt with privately in that
situation. If consequences are indi-
rect, however, they spread beyond the
his actions might have the indirect
consequence of polluting the air in the
whole neighborhood. In this situation,
a public is needed to a) sort out the con-
sequences, e.g. by putting up air qual-
ity measurement instruments and b)

18 XRDS • fall 2013 • Vol.20 • No.1

feature

XRDS • fall 2013 • Vol.20 • No.1 19

feature
legislate so that the father will hesitate
to repeatedly release toxics into the air.
The important thing to notice
here is the apparently private act of
burning waste needs to be qualified
as having public consequences in
order to be controlled. A process of
inquiry has to take place, the result
of which is that it becomes clear the
burning of waste is in fact polluting.
The act of burning waste is now seen
in an entirely new light: It is no longer
a mundane everyday event, but an
unacceptable practice.
In my work on social media groups,
I have noticed how infrastructures like
Facebook groups sometimes come to
serve this purpose of qualifying acts
as having indirect consequences. One
case I have studied is the use of open
Facebook groups during a severe
snowstorm on the Danish island of
Bornholm [2]. People in the more rural
parts of the island were snowbound for
up to a week, something few of them
were prepared for. In dealing with the
situation, some inhabitants not only
searched for information and tried to
help each other, but also questioned
whether the authorities on Bornholm
had done enough to remove the snow
from their roads. This concern formed
the rationale behind the Facebook
group that became an important meet-
ing point for a couple of hundred snow-
bound islanders.
With Dewey we might come to
understand this Facebook group on
Bornholm as contributing to democ-
racy in the pragmatist sense in so far
as the members collectively qualified
their snowstorm troubles as not only
a result of forces of nature, but also of
the (in)actions of the local authorities.
The snowbound Facebook users came
to understand their situation as also
an indirect consequence of the author-
ities’ act of not removing more snow.
Importantly, the members of the Face-
book group did not ask the authori-
ties to do the impossible, but rather to
understand the situation of people in
the rural parts of Bornholm. The rural
dwellers felt overlooked and misunder-
stood. In order to compensate for that,
they used Facebook to share updates
about the snowstorm and its conse-
quences from their perspectives.
This is where the story becomes in-
20
teresting for a discussion of privacy.
The Facebook users on Bornholm had
to share private stories, photos, and
videos in order to qualify their situa-
tion as a public issue of uncontrolled
indirect consequences (of the inac-
tion of the authorities). In other words,
the sharing of personal accounts
formed the basis of public engage-
ment. Revealing private content, even
unintentionally, can have productive
consequences for how other people un-
derstand the issues they struggle with.
Powerful “we-identities” can be built
around deeply personal stories that
people can relate to.
Such we-identities can then provide
the self-confidence needed to take ac-
tion on issues, as when the snowbound
Facebook users on Bornholm worked
together to attract national media at-
tention to their situation and help each
other in other, more mundane ways.
What is more, democracy does not nec-
essarily hinge on rational deliberation
in an abstract public sphere. Rather,
public engagement happens when
people work to qualify their personal
problems as public issues. What I have
observed is social media platforms like
Facebook provide interesting ways of
making such moves.
However, we are not used to think-
ing about the Web in these pragmatist
terms. Rather, our ideas about how the
Web should work are informed by oth-
er kinds of philosophies. Let me high-
light two widespread concerns with
how the contemporary Internet works.
First, some fear that too much is
The widespread
uptake of social
media use,
however, suggests
the conventional
distinction between
something private
and something
public does not
always hold
in practice.
revealed too easily on the Web. The
notion of having privacy only makes
sense in relation to its counterpart—
the notion of exposing something pri-
vate in public, that is, a breach of priva-
cy. Here, public simply means “visible”
and private simply means “hidden.” Or
to put it in terms of control, public is
taken to mean “deliberately revealed”
while private means “only shown to a
select audience.” Such an understand-
ing of the public/private distinction is
highly intuitive and indeed captures
many of the concerns with user privacy
in the age of social media.
Second, some fear that the Web is
harmful to democracy. These concerns
have to do with the notion of public
space as something fundamentally im-
portant in a democracy. The concern
here is not that we are too exposed by
our social media content, but quite
the opposite: What happens on so-
cial media tends to be “too private” to
qualify as public deliberation. Here is a
tendency to talk about public and pri-
vate in binary terms. A popular way to
describe this is to use Cass Sunstein’s
term “echo chambers,” which de-
scribes how the groups we participate
in on social media tend to confirm our
own (read: biased) beliefs rather than
challenge them. This is not conven-
tionally seen as a good dynamic, since
democracy is understood as depen-
dent on the clash of divergent opinions
in an open public space.
The two sets of concerns—privacy
and democracy—are key to the way
scholars in Web science and related
disciplines try to capture the current
Web as a domain of “networked pub-
lics.” The concerns stem from under-
standing the relationship between
the private and the public domains
as fundamentally problematic. Con-
cerning privacy, the thinking goes, it
is a good thing that people can share
content from their everyday lives with
each other through the Web, but peo-
ple need to be able to control where
the line between public and private is
drawn. Concerning democracy, it is a
good thing that people get new ways of
engaging through social media, but if
people are not entering into a dialogue
with opposing viewpoints, the contri-
bution to democracy is far from clear.
In the worst case, social media might
XRDS • fall 2013 • Vol.20 • No.1
distract people from engaging in the
“proper” public deliberation that is
seen as key to any real democracy.
My question is: Are these dilemmas
inevitable? One way to find out is to
investigate the assumptions on which
they rest. For this purpose, it is useful
to go beyond understanding public/
private as meaning visible/hidden,
but also take into account the norma-
tive relationship between the notion
of public space and democracy, as just
introduced. The reason is that these
normative ideas draw on well-known
political philosophies that understand
“the public” and “the private” as differ-
ent spheres that should ideally be kept
separate. This idea is the source of our
dilemmas about privacy and democ-
racy on the Web, and there are at least
two prominent ways of arriving at it.
“People are the best versions of them-
selves in their private spheres.” This is a
key idea in liberal political philosophy.
The logic is that the state should be of
minimal size, only just large enough to
secure the fundamental rights of its in-
dividual citizens. Apart from protect-
ing basic freedoms and safety, the pub-
lic sector should stay out of the private
sphere. In a comparative perspective,
this kind of liberal logic is more pro-
liferate in the U.S. than in Europe, but
it offers an extremely influential argu-
ment for why the private and the public
should be kept separate.
“People are the best versions of them-
selves in the public sphere.” This is a
notion central to republican politi-
cal philosophy. This set of ideas turns
the liberal logic on its head, but has
the same result of imposing a strong
public/private distinction. According
to the republican ideal, private inter-
ests need to be contained in order to
achieve the public goods that benefit
everyone. The logic is that being a good
citizen means shoving private inter-
ests aside in order to make space for
communal interests. This kind of logic
is arguably more widespread in Europe
than in the U.S., but it certainly also ex-
ists in both places, offering another in-
fluential argument why the private and
the public needs to be kept apart.
While these two powerful logics
seem mutually exclusive, they co-exist
in practice. How is this possible? Apart
from the fact that humans seem to
XRDS • fall 2013 • Vol.20 • No.1
Revealing private
content, even
unintentionally,
can have productive
consequences
for how other people
understand
the issues they
struggle with.
have an amazing capability of uniting
in practice what seems hopelessly di-
vided in the abstract, the coexistence
of liberal and republican ideas is argu-
ably made possible through the idea of
free-market capitalism. The logic I am
thinking about is the idea that while
we might be egoists when we pursue
our private interests, the “invisible
hand” of the market ensures these in-
dividual pursuits are at the same time
good for everyone. At a stroke (of an
invisible hand), the liberal and repub-
lican ideals may coexist.
This is hardly the place to go into
discussions about how capitalism jus-
tifies itself, or not. The point I want
to make by venturing into political
philosophy is merely if it feels intui-
tively right that the public and the pri-
vate are domains that should be kept
separate, it is probably because of the
powerful and widespread logics just
described. These are important po-
litical philosophies that will no doubt
continue to be central to the way we
think about and practice democracy.
However, by pointing to the philo-
sophical origins of our ideas about
public and private, it also becomes
possible to see that there must be
philosophical alternatives.
The alternative vantage point for
thinking about the Web in terms of
publics, which I find most fruitful, is
that of pragmatism. One general in-
sight pragmatist thought has to offer
is that in practice, we never exist as
isolated individuals. Even in our most
private moments, we always draw on
the habits, skills, and ideas passed
over to us from others, and we con-
stantly imagine the thoughts and re-
actions of others when we decide on a
course of action. This means any ideal
of perfect privacy must be taken with
a grain of salt.
At the same time, importantly,
there is also no collective level floating
around over the heads of individuals,
such as “society,” “democracy,” or “the
public sphere.” In practice, it is always
individuals who act. Even when we say
we are all caught up in an uncontrol-
lable process of globalization, for ex-
ample, it always takes an individual
to actually trade stocks across conti-
nents, and a prime minister or an ac-
tivist to express concern that we have
lost control over the global economy.
The consequence of this pragmatist
viewpoint is that when we talk about
“the public” it never exists automati-
cally, but is brought into being by a lot
of connected individual acts.
The point I would like to reiterate
is the widespread intuition that the
public and private should ideally be
kept separate oversimplifies how these
things work in practice. This is what I
tried to illustrate with the case study of
how Facebook groups were used in the
Bornholm snowstorm. The philosoph-
ical assumptions lying behind the con-
ventional view on privacy and democ-
racy come from a specific place and
might thus be replaced. One fruitful
experiment might be to replace these
assumptions with more pragmatist
ones. Because while we should not ac-
cept uncritically what shiny, new Web
technologies have to offer, we should
also not discount the ways in which
social media might make productive
moves across the public/private divide
easier for millions of regular users in
thousands of specific situations.
References
[1] Birkbak, A. From Networked Publics To Issue Publics:
Reconsidering the public/private distinction in web
science. In Proceedings of WebScience ’13 (Paris,
May 2-4). ACM Press, New York, 2013.
[2] Birkbak, A. Crystallizations in the Blizzard:
Contrasting informal emergency collaboration in
Facebook groups. In Proceedings of NordiCHI ’12
(Copenhagen, Denmark, Oct. 14-17) ACM Press,
New York, 2012.
Biography
Andreas Birkbak is a Ph.D. fellow in the Techno-Anthropology
Research Group at Aalborg University, Copenhagen. His work
is on social media and technological democracy.
Copyright held by Owner/Author(s).
Publication rights licensed to ACM $15.00
21
feature

22 XRDS • fall 2013 • Vol.20 • No.1

 feature

Something Bad
Might Happen:
Lawyers,
anonymization,
and risk
The line between personal and anonymous information is often unclear.
Increasingly it falls to lawyers to understand and manage the risks associated
with the sharing of “anonymized” data sets.

By Marion Oswald
DOI: 10.1145/2508970

I
f you wanted to predict the future, who would you call upon? An economist, a statistician,
Nate Silver? A lawyer might not be high on your list. Yet when faced with questions of
individual privacy and data anonymization, this is what lawyers are being asked to do.
This article aims to illustrate how this is the case and consequently why lawyers need help
from computer scientists.
LEGAL BACKGROUND becomes subject to a number of (some- nymized, a crucial question the courts
Anonymization presents lawyers with times complex) duties and responsi- often have to decide is whether this
somewhat of a challenge. Take the Eu- bilities designed to safeguard the data. supposedly anonymized dataset in
ropean Data Protection Directive for If personal data can be converted into fact falls within the definition of per-
instance. It applies to personal data, anonymized form in such a way that sonal data. Why then does this in-
that is any information relating to an a living individual can no longer be volve predicting the future? Because
identified or identifiable natural per- identified from it (taking into account it involves an assessment of risk, or
son. An identifiable person is one who all the means likely reasonably to be as David Spiegelhalter has put it, “the
can be identified, directly or indirectly, used by anyone receiving the data), possibility that something bad might
in particular by reference to an iden- disclosure of information in this ano- happen” [1]. This is usually decon-
tification number or to one or more nymized form will not be disclosure of structed into “the likelihood of some-
factors specific to his or her physical, personal data, and therefore those du- thing happening and the impact if it
physiological, mental, economic, cul- ties and responsibilities will not apply actually does.” Then some attempt is
tural or social identity. to the disclosed data. made to quantify the magnitude of
If data is personal, the organiza- these two dimensions.
tion that decides how and why the IDENTIFIABILITY In its Code of Practice “Anonymiza-
data is processed (the data controller) Where personal data has been ano- tion: Managing data protection risk,”

XRDS • fall 2013 • Vol.20 • No.1 23

feature
the UK’s Information Commissioner
Office advised the Data Protection Act
does not require the process of anony-
mization to be completely risk free—
data controllers must instead mitigate
the risk of re-identification until the
risk is “remote.”
So when lawyers are presented with
an anonymized dataset and asked “is
it personal data?”, they have to assess
the possibility of something bad hap-
pening; i.e. the likelihood of someone
being able to re-identify an individual,
and the harm or impact if that re-iden-
tification occurred. And tending to be
conservative creatures, lawyers may
be tempted to respond: Yes, it could
happen, therefore there is a risk,
therefore the data is personal data.
THE POSSIBILITY OF SOMETHING
BAD HAPPENING
There are situations where the risk
of re-identification is undoubtedly
high: the likelihood of re-identifi-
cation high, the potential for harm
high, and the certainty factor high.
Take the request under the UK’s Free-
dom of Information Act for details of
disciplinary action taken against em-
ployees of the Magherafelt District
Council in Northern Ireland. Should
the Council disclose a schedule con-
taining the penalty issued and the
reason for the action, but which ex-
cluded the date of the action, and the
gender, job title, and department of
the employee?
No, said the Upper Tribunal Ad-
ministrative Appeals Chamber [2].
The information was personal data,
and it would be unfair to disclose it.
But the information had been ano-
nymized—why was it personal data?
The issue was not whether the in-
formation was personal data in the
hands of the Council, but whether it
was personal data in the hands of the
general public. A crucial question was
whether the public could identify the
individuals to whom the summarized
schedule related.
The Tribunal considered evidence
that the Council was a small authority
with only 150 employees, all known to
each other, in a district with a popula-
tion of 39,500. The Council was likened
to a family, with a high level of knowl-
edge of each other’s affairs.
24
The Tribunal made use of the “mo-
tivated intruder” test; a motivated in-
truder being someone who has access
to the Internet and public documents
and would use investigatory tech-
niques such as making enquiries of
people likely to have additional knowl-
edge. The requestor was an investiga-
tive journalist, and so might have been
highly motivated to identify individu-
als using other information available
and common investigative steps. The
Tribunal concluded an investigative
journalist “would have little difficulty
in making the necessary enquiries
which could lead to the identification
of individuals subject to disciplinary
proceedings,” particularly as the com-
munity was small and close-knit, and
that identification would be all the
more likely when the sanction was sus-
pension or dismissal.
BIG AND OPEN DATA
The Magherafelt decision dealt with a
relatively small set of data where prior
or personal knowledge about a par-
ticular individual may already have
existed or could have been obtained.
The UK Government’s Open Data
agenda is particularly concerned with
regional or national datasets where
the likelihood of personal knowledge
having an impact on re-identification
risk is minimized. How should we as-
sess the risk of re-identification in re-
lation to such datasets?
Paul Ohm, in his paper “Broken
Promises of Privacy,” argued “re-iden-
tification science exposes the prom-
Where personal
data has been
anonymized, a
crucial question the
courts often have to
decide is whether
this supposedly
anonymized dataset
in fact falls within
the definition of
personal data.
ise made by [privacy/data protection]
laws—that anonymization protects
privacy—as an empty one” [3]. Ohm
highlighted “release-and-forget” an-
onymization, with generalized rather
than suppressed identifiers, as of
particular concern. He also pointed
out that other “data fingerprints”
such as search queries or social me-
dia postings can be combined with
anonymized data to attempt re-iden-
tification. However others disagree
with Ohm’s view that re-identifica-
tion can be achieved with “aston-
ishing ease.” In her new guidance,
“Looking Forward: De-identification
Developments—New Tools, New
Challenges,” Ann Cavoukian, the In-
formation and Privacy Commission-
er of Ontario, Canada, restated her
opinion that re-identification “is not
easy” and that the most significant
privacy risks arise from ineffectively
de-identified data. Commenting on
big data, she said: “As masses of in-
formation are linked across multiple
sources it becomes more difficult to
ensure the anonymity of the informa-
tion” [4]. On the other hand, big data
could make de-identification easier
to achieve; “smaller datasets are
more challenging to de-identify as it
is easier to be unique in a small data-
set,” as seen in the Magherafelt case
discussed previously.
So who should we believe?
TRUST, RISK, AND
ANONYMIZATION STUDIES
“…[O]ur views of the facts about big
risks are often prompted by our politics
and behaviour, even as we insist that
the rock on which we build our beliefs is
scientific and objective, not the least bit
personal” [5].
In Nick Pidgeon’s view, emotional
responses are very important in the
assessment of risk. “If you do not trust
the parties who manage the risk, you
are not likely to have confidence that
the risk is being safely managed” [1].
Kieron O’Hara has said “trust is an im-
portant risk and complexity manage-
ment tool…The stronger X’s trust, the
higher the degree, and the greater the
risk he is willing to take” [6].
A recent Ipsos MORI study of Public
Understanding of Statistics examined
how much trust the participants had
XRDS • fall 2013 • Vol.20 • No.1
in information provided by certain
categories of people. Information pro-
vided by scientists was the most trust-
ed (28 percent trusted the information
“a great deal” and 46 percent “a fair
amount,”) compared to politicians (1
percent “a great deal” and 7 percent “a
fair amount”) [7].
And so we might expect scientific
studies of anonymization to increase
public (and decision-maker’s) under-
standing of the risks of re-identifica-
tion. The opposite may sometimes be
the case.
Trust cannot fail to be affected
by what Daniel Barth-Jones has de-
scribed as “anxiety-inducing media
storms” over recent re-identification
research and demonstrations. He
has argued “many, if not most, re-
identification demonstration attacks,
particularly because of the way their
results have been reported to the
public, serve to inherently distort the
public’s (and, perhaps, policy-mak-
er’s?) perceptions of the likelihood of
‘real-world’ re-identification risks” [8].
He analyzed a recently reported DNA
Hack carried out by Yaniv Erlich’s lab,
which had been reported using such
headlines as “DNA hack could make
medical privacy impossible.”
Barth-Jones’s analysis of the study
concluded only 6 percent of the U.S.
population was at risk of having their
last name correctly guessed by the
method used (which excluded all fe-
males), and that this was not equiva-
lent to re-identifying them. Additional
demographics could be used to at-
tempt a unique identification, Erlich’s
study estimating 17-18 percent of
males in the U.S. might be unique with
regard to combination of surname,
age in years, and state of residence
and potentially re-identifiable. In a
real-world implementation however,
the intruder would not know whether
the last name was correct or a false
positive. Barth-Jones also pointed out
this research targeted a population
sub-group with Mormon ancestry, al-
ready at increased risk of re-identifica-
tion due to their participation in other
projects. While not downplaying the
likelihood that the risks associated
with this attack will increase over the
next decade, Barth-Jones commented
on the impact of fear on the ability to
XRDS • fall 2013 • Vol.20 • No.1
Decisions to release
anonymized data
must be taken with
great care taking into
consideration the
latest anonymization
techniques and
risk-assessment
procedures, and
continually assessing
the changing risk
environment.
assess risk rationally: “When a re-iden-
tification attack has been brought to
life, like some Frankenstein monster,
our assessment of the probability of
it actually being implemented in the
real-world may subconsciously be-
come 100 percent, which is highly dis-
tortive of the true risk/benefit calculus
that we face.”
Even this non-techie author could
identify discrepancies between some
media reporting of Latanya Sweeney’s
Personal Genome Project re-identifi-
cation exercise and the reality as ex-
pressed in the accompanying paper
[9]. It was not the case, as reported in
one article, that the study “elucidated
the genome” of more than 1,000 par-
ticipants of the Personal Genome
Project or that 84–97 percent of par-
ticipants were accurately re-identified.
Sweeney’s paper disclosed some Ge-
nome project participants had volun-
teered demographic data, such as date
of birth, gender, and ZIP code. In addi-
tion, some documents that had been
uploaded from outside sources were
found to contain the participant’s
name or nickname. Sweeney’s study
only analyzed about half the public
profiles available (579 out of 1,130),
which were the ones disclosing date
of birth, gender, and five-digit ZIP.
Re-identification was attempted us-
ing a sample of voter registrations and
an online public records website. The
tests yielded 241 (42 percent ) names
that might match to a profile. These
were submitted to the Project and it
was confirmed 84 percent had been
matched correctly (increasing to 97
percent allowing consideration for
possible nicknames).
Sweeney’s paper noted to reduce
the risk of re-identification the par-
ticipant could make the date of birth
and ZIP code information less specif-
ic, and (a rather obvious step it must
be said) remove his or her name from
uploaded documents. Sweeney and
her co-authors did not deal with what
Barth-Jones has termed “the myth
of the perfect population register,”
which says without a complete and ac-
curate population listing, an intrud-
er could not be certain whether the
name was a correct identification or
a false positive, unless additional in-
formation was available about the in-
dividual [10]. “Some people will always
be missing from any easily obtained
source of data” and Barth-Jones has
argued studies often miss the step of
assessing the impact of “the myth of
the perfect population register,” thus
making highly conservative estimates
(potentially overestimating) of the
true re-identification risks.
TIME AND ONLINE CONTENT
In the debate over re-identification
risk, it is also relevant to draw at-
tention to recent scholarship on the
impact of time on privacy and infor-
mation lifecycles. Contrary to the com-
mon view that information posted on
the Internet will be there to haunt the
individual forever, in her paper “It’s
About Time,” Meg Ambrose consid-
ered studies that have shown that 59
percent of Web content disappears
after one week, and 85 percent after a
year (which is in itself concerning from
an historical records perspective). Am-
brose commented “it is possible that
content can be easily accessible for a
very long time, but permanence does
not, at this point, appear to be a perva-
sive threat to most” [11].
But as data’s online permanence
is not yet predictable, it ought for the
time being to remain a factor. Contri-
butions from computer scientists will
be essential to the on-going debate
on how this factor, amongst others,
should feed into the assessment of re-
identification risk.
25
feature
CACM_JOCCH_one-third_page_vertical:Layout 1 7/30/09 5:50 PM Page 1

FINAL THOUGHTS sions should be more wide-ranging, in-

We will all be aware of the arguments
in favor of anonymization: It protects
privacy while allowing information
to be used for important secondary
purposes, for instance monitoring the
ACM quality of healthcare. More could be
done to increase transparency about
cluding not only lawyers but also rep-
resentatives of all interested parties
in the domain, those demanding the
data, the data controllers (who under-
take the risks of publication), domain
experts (who know about the power of
data in that domain, and the potential

Journal on the methods, risks, reasons for and

benefits of anonymization, thus con-
harms), and technical experts” [6].
In questions of anonymization, this
tributing to genuine understanding is sound advice.
Computing and and potentially reducing the fear fac-
tor bound to affect not only lawyers
Cultural but others involved in taking deci-
sions about data disclosure. “People
References
[1] United Kingdom. House Of Commons. Oral
Evidence Taken Before The Science And Technology

Heritage need full information and guidance

for action, rather than just reassur-
ance, and their concerns must be
taken seriously,” wrote Blastland and
Spiegelhalter [5].
But we cannot be complacent. Deci-
sions to release anonymized data must
be taken with great care taking into
consideration the latest anonymiza-
tion techniques and risk-assessment
procedures, and continually assessing
the changing risk environment. Ca-
voukian noted the increase in genetic
research, including the trend toward
large-scale biobanks, poses new pri-
vacy risks. “Improved methods for the
◆ ◆ ◆ ◆ ◆
de-identification of genome sequences
or genomic data are needed,” [4].
JOCCH publishes papers of In addition it may only be a matter
Committee. Risk Perception and Energy
Infrastructure. Uncorrected Transcript of Oral
Evidence. 18 January 2012.
[2] Information Commissioner v. Magherafelt District
Council [2012] UKUT 263 AAC. Available at: http://
www.osscsc.gov.uk/Aspx/view.aspx?id=3536
[3] Ohm, P. Broken promises of privacy: Responding
to the surprising failure of anonymization (August
13, 2009). UCLA Law Review 57 (2010), 1701; U
of Colorado Law Legal Studies Research Paper
No. 9-12. Available at SSRN: http://ssrn.com/
abstract=1450006
[4] Cavoukian, A. Looking forward: De-identification
developments—new tools, new challenges. Office
of the Information and Privacy Commissioner of
Ontario. May 2013. (PDF)
[5] Blastland, M. and Spiegelhalter, D. The Norm
Chronicles. Profile Books, London, 2013.
[6] O’Hara, K. Transparency, Open data and trust in
government: Shaping the infosphere. In Proceedings
of the 3rd Annual ACM Web Science Conference
(Evanston, IL, Jun. 22–24). ACM Press, New York,
2012.
[7] Ipsos MORI Public Understanding of Statistics
Topline Results. Royal Statistical Society. April 2013.
(PDF)

significant and lasting value in
all areas relating to the use of ICT
in support of Cultural Heritage,
seeking to combine the best of
computing science with real
attention to any aspect of the
cultural heritage sector.
◆ ◆ ◆ ◆ ◆
www.acm.org/jocch
www.acm.org/subscribe
of time before a re-identification risk is
created by the open and uncoordinat-
ed release by separate public bodies of
two similar or identical datasets, one
anonymized effectively, the other not.
And what about re-identification risks
that may be created by personal data
disclosed by a breach?
Courts faced with a dispute over a
proposed or existing release of an ano-
nymized dataset will increasingly be
called upon to assess the robustness of
the risk assessment. But what will be
judged an acceptable risk? 10 percent,
2 percent, 0.001 percent? How do per-
centages equate to “remote” or “mini-
mal” risks? The question of whether
data is, or is not, personal data is ulti-
mately a legal one; lawyers need con-
text in order to tackle it, not something
that lawyers can do alone.
As per Kieron O’Hara, “…data pro-
tection is not sufficient for preserving
privacy, or public trust, or indeed the
usability of data, and the right discus-
[8] Barth-Jones, D. Public Policy Considerations for
Recent Re-Identification Demonstration Attacks
on Genomic Data Sets: Part 1 (Re-Identification
Symposium). Bill of Health (blog), Harvard Law
School , May 29, 2013.
[9] Sweeney, L., Abu, A., and Winn, J. Identifying
Participants in the Personal Genome Project by
Name. Harvard University. Data Privacy Lab. White
Paper 1021-1. April 24, 2013. (PDF)
[10] Barth-Jones, D. The ‘Re-Identification’ of Governor
William Weld’s Medical Information: A Critical
Re-Examination of Health Data Identification
Risks and Privacy Protections, Then and Now (June
4, 2012). Available at SSRN: http://ssrn.com/
abstract=2076397
[11] Ambrose, M. L. It’s About Time: Privacy, information,
life cycles, and the right to be forgotten. Stanford
Technology Law Review 16 , 2 (2013). (PDF)
Biography
Marion Oswald is a practicing solicitor and Head of
the Centre for Information Rights at the University of
Winchester. Before joining the University, Oswald worked
in legal management roles within private practice,
international technology companies and UK central
government, including the Ministry of Defence, and
specializes in data protection, freedom of information and
information technology.
Copyright held by Owner/Author(s).
Publication rights licensed to ACM $15.00

26 XRDS • fall 2013 • Vol.20 • No.1

feature

Personal,
Pseudonymous, and
Anonymous Data:
The problem
of identification
Why defining what counts as personal data is important
for data protection and information sharing.

By Iain Bourne
DOI: 10.1145/2508972

D
ata protection (DP) law has been around in one form or another for around 40 years.
In the United Kingdom, DP law came into effect back in 1998, based on a directive
published in 1996 that had been in gestation since the early ‘90s. A lot has happened
since then. Think of the information technology and resources that were around
almost 20 years ago, and compare them to the ones you have now. Back then, you probably
kept an address book of friends and acquaintances on a slow, non-networked home PC; had
physical files relating to your own commercial affairs; held records relating to the family
members’ health checks, school re- friends so it’s possible for you all to simple and there is currently a great
ports, and employment; and had a meet up in a local café. In amongst deal of debate within the DP commu-
basic mobile phone containing indi- this activity lies a wealth of personal nity about what sort of information is
viduals’ contact details and maybe a data, and we need to ensure such data “personal data” and, therefore, about
ping-pong game, if you were lucky. is used and managed safely. This is the scope of DP law. This is currently
Nowadays, you can have a host where DP law comes in. coming to a head as work on our next
of email addresses and Twitter ac- DP law does good things for citizens iteration of DP law—the proposed DP
counts under a variety of different and should make sense for organiza- Regulation—continues in Europe. This
names; maintain a social networking tions. In short, it means your personal is not solely an academic matter; it has
account to make contact with people data has to be used fairly and lawfully, great real-world consequences for the
all over the world; store your pictures and organizations must store it secure- rights and protections we enjoy as indi-
and videos in the cloud; sell your un- ly, have to be open about what they do viduals and for what organizations have
wanted birthday presents on an e- with it, and have to give you access to it to do to comply with the law. The prob-
commerce site; and use your mobile when you ask. That’s about it really—so lem is that we have data protection law,
phone to share geo-location data with far so good. However, it’s not quite that and will continue to have data protec-

XRDS • fall 2013 • Vol.20 • No.1 27

feature
ART TK
tion law, but it is (arguably) becoming
less clear what sort of information the
law applies to. And, of course, the law
doesn’t work very well unless it is clear
what it applies to.
THE PERSONAL DATA PROBLEM
Put simply, personal data is informa-
tion that identifies someone or can
allow someone to be identified when
combined with other information. On
the face of it, that’s a fairly straightfor-
ward definition that should make it
easy to say whether or not a particular
piece (or set) of information counts as
personal data. There is no problem say-
ing information related to your health
record, tax contributions, or bank ac-
count is your personal data. The in-
formation identifies you and relates
to you, so that’s easy. However, there
are two reasons as to why the situation
around the peripheries of personal
data can be far less clear. First, there
are now lots of different ways of iden-
28
tifying people—this is no longer just search engine anonymously, i.e. with-
about real-world or civic identifica- out being signed in through your email
tion. Second, the question is not only account. It is clear the service provider
about whether information does iden- has no “real-world” information about
tify someone, but also whether it could you, such as your name, address, or
identify someone. phone number. However, it is also clear
To look at the first point, what does that you are being identified, but in a
it mean to “identify” someone? Imag- different way. The personalization of
ine you go online and use, say, a major your browsing experience and the be-
havioral advertisements you receive are
evidence of this. This all works through
the IP address that allows the website
A pseudonym can be to recognize you—or more precisely the
both a way of hiding device you use to go online—coupled
with cookies and other data linked to
identity and, at the that IP address. I would argue this op-
same time, a means eration involves the processing of per-
sonal data and should be covered by
of revealing it in a DP law, albeit in a modified way. This is
different way. This just one illustration of an alternative or
“non-obvious” form of identification, a
lies at the heart of phenomenon that was not anticipated
the pseudonymous when current DP law was drafted.
I think the example above is fairly
data problem. straightforward. However, let’s think
XRDS • fall 2013 • Vol.20 • No.1
 ART TK

about identification in the context of,
say, a photograph of a crowd of people.
It could be a shot entitled “New Year’s
Eve revellers in Trafalgar Square” pub-
lished in a newspaper. The publisher
has no interest in identifying any of the
people in the crowd and has no means
of doing so. However, it is certainly pos-
sible to single out one person from an-
other and there is no doubt the people
in the picture would be able to identify
themselves, as would people who know
them. A current stream of thought ar-
gues the information is personal data
if one individual can be singled out
from another. This is a view that holds
considerable sway in some European
Union member states’ DP authorities.
However, there is currently much de-
bate about this within DP circles.
Recall the second part of the per-
sonal data problem is whether informa-
tion could identify someone. Clearly,
this can be very difficult to assess with
any real objectivity. Let’s return to our
New Year’s Eve revelers example. The
publisher of the newspaper may not
wish to identify (and may not even be
able to identify) anyone in the crowd,
but imagine if there was a terrorist in-
cident in Trafalgar Square shortly after
the photograph was taken. The pub-
lisher later hands over all of its photog-
rapher’s shots to the police for inves-
An overly wide
definition of
personal data and
an overly restrictive
application of the
law could take our
society backwards
in terms of access
to information.
tigation. If the police review pictures
of known suspects and use a televised
appeal to the public for assistance, it
becomes much more likely that some,
or all, of the individuals in the original
picture will be identified in the old-
fashioned, real-world sense of being
named. This brings the photograph
much more firmly within the scope of
personal data. This also illustrates the
current debate about whether the test
for information being personal data
is identification, the reasonable likeli-
hood of identification (the formulation
in current DP law), or identification and
the possibility of identification. Some
argue the latter formulation would pro-
vide better protection for individuals
and would “catch” significant informa-
tion around the peripheries of the cur-
rent definition of personal data. Others
argue it would widen the scope of DP
law unacceptably and would bring per-
sonally inconsequential information
within its scope.

XRDS • fall 2013 • Vol.20 • No.1 29

feature
PSEUDONYMOUS DATA
The English word “pseudonym” derives
from the Greek word pseudōnumon, via
the French pseudonyme. In Greek it
means “false name,” a meaning that
still corresponds extremely closely
to its ordinary English one. In one
respect, a pseudonym is a privacy-
enhancing construct intended to pre-
vent individual identification, rather
than to facilitate it. However, as is of-
ten the case in DP law, things aren’t
that straightforward. A pseudonym
may indeed be a “false” name, but it
is still a name and can still be used to
single one person out from another.
Let’s consider the use of an alias,
such as a nom de guerre. When Car-
los the Jackal committed his crimes
he used his alias to a) hide his real
identity­—Ilich Ramírez Sánchez—from
the authorities, and b) to let the public
know he was responsible for the various
actions they were reading about in their
newspapers. So, a pseudonym can be
both a way of hiding identity and, at the
same time, a means of revealing it in a
different way. This lies at the heart of the
pseudonymous data problem, which
has translated into a complex current
debate about whether a pseudonym is
(potentially) personally identifiable—
and is therefore personal data—or can
be anonymous (and is not, therefore,
personal data). The Information Com-
missioner’s Office, the UK regulator of
DP law, would argue it can be either,
depending on how the pseudonym is
produced and the context in which it is
used. However, others reject this view
and argue if a pseudonym allows an in-
Table 1: A fictional example of redacted personal data.
1. 2. 3.
Name, Period of Body
address, Special Mass
date Index
Assistance
of birth
Benefit
­­ < 2 years 21
> 5 years 19
< 2 years 20
> 5 years 23
< 2 years 20
30
dividual to be singled out from another
individual, then the information is per-
sonal data. And that’s that. However,
let’s look at an example to see how this
plays out in practice.
Table 1 shows a redacted version of
a set of personal data that is being used
by researchers to examine the relation-
ship between the receipt of a state ben-
efit and a person’s weight. The original
dataset—which also included research
subjects’ names, addresses, and dates
of birth—has been irreversibly deleted.
The “research cohort reference num-
ber” was generated from individuals’
names using a one-way irreversible
encryption algorithm. This is the sort
of dataset commonly used to conduct
longitudinal studies into health and
other research or analytics, where the
objective is to study information about
particular individuals without iden-
tifying any of them. In this example,
it is clearly possible to single out one
individual from another, but is any
individual really identified? Does this
table contain any individual’s per-
sonal data? I would argue it does not,
because although each row relates to a
particular individual, it does not iden-
tify any of them, and nor could any
individual ever be identified because
the original source data no longer ex-
ists. (In reality this type of dataset is
normally given additional protection
through value-swapping, perturbation,
blurring, and other techniques, mean-
ing the information remains valuable
to researchers but does not—and can-
not—be used to identify anyone.) How-
ever, others would disagree with this
4. 5.
Age Research
Range Cohort
reference
number
40-45 QA5FRD4
50-55 2B48HFG
40-45 RC3URPQ
45-50 SD289K9
45-50 5E1FL7Q
analysis and say the dataset contains
the personal data of the five “singled
out” individuals and, in fact, data like
this can always be linked back to an
identified individual and is therefore
always personal data. This begs the
question of how the research organi-
zation would grant subject access (the
statutory right of access to your per-
sonal information) to an individual,
or how it would tell individuals that it
has their personal data, as it could be
required to do under DP law. The prac-
tical problems of an overly wide defini-
tion could be very great.
PSEUDONYMOUS DATA AND
THE NEW DP REGULATION
There is a lot of discussion at the mo-
ment about the possibility of introduc-
ing a new class of pseudonymous data
into the proposed DP Regulation. The
argument seems to be introducing a
new sub-class of something akin to
potentially identifiable personal data
would extend the regulation’s cover-
age, offering better protection to in-
dividuals while also providing more
“lite” regulatory coverage for organi-
zations processing this form of data.
However, as we have seen, the issue of
what a pseudonym is, and of whether
pseudonymous data is a form of per-
sonal data or is anonymous, is far from
straightforward. There seem to be
three basic meanings in circulation:
1. Pseudonymous data is data
where a “real” identifier—such as
somebody’s name or National Insur-
ance number—is replaced by a “false”
identifier such as a hashed code num-
ber. This is a privacy-enhancing tech-
nique used in contexts such as medical
research or online analytics. It allows
individuals to be tracked longitudi-
nally without their identities being re-
vealed. However, the link between the
data and the individual could be per-
manently and irreversibly broken, al-
though there is much debate about the
possibility of this. This corresponds
most closely with the ordinary English
meaning of pseudonymous.
2. Pseudonymous data is an alter-
native form of personal identification,
such as when an online services com-
pany uses an IP address and associated
cookie logs to target content at a par-
ticular device user.
XRDS • fall 2013 • Vol.20 • No.1
 3. Pseudonymous data is data that
could potentially be combined with
other data to produce personal data.
This could apply to data from which all
personal identifiers have been removed
and where there is no reasonable likeli-
hood of re-identification. This is what,
in the UK at least, would currently be
considered as anonymous data.
This situation is complex, particular-
ly because the process of pseudonymiz-
ing personal data can result in either
anonymous data or a different form of
personal data altogether (see meaning
no. 2). This depends on how the pseud-
onymization is done; whether it is com-
bined with other privacy-enhancing
techniques and what other linkable
information is available elsewhere. I
would argue some pseudonymous data
can be anonymous, whilst other pseud-
onymous data is a form of personal
data. Clearly, these subtleties make
it difficult to translate the concept of
pseudonymous data into a legal text and
to map relevant exemptions and moder-
ations of the law’s provisions onto it.
WHAT IS ANONYMOUS DATA?
If we have a schema that consists of
ordinary personal data and pseud-
onymous personal data, we could also
need a definition of anonymous (or
non-personal data) to describe indi-
vidual level or other data that is not be-
ing, and cannot be, used as any form
of identifier—obvious, non-obvious,
or otherwise. A good example of this
might be individual-level data de-
rived from patients’ records. This data
should be manipulated in such a way
that it can never again be linked to a
particular individual or used to inform
any decision in respect of any individ-
ual. In a context such as this, unlike
the use of cookie and IP information
discussed above, there is no inten-
tion—or, depending on system design,
possibility—of using the information
in such a way that it can have any effect
on any particular individual.
A formal definition of anonymous—
or non-personal data—could presum-
ably be reverse engineered from the
DP Regulation’s definition of personal
data. It might say that:
Anonymous data is data that does
not identify any natural person, or al-
low any natural person to be identified,
XRDS • fall 2013 • Vol.20 • No.1
It means your
personal data has
to be used fairly
and lawfully, and
organizations must
store it securely, have
to be open about what
they do with it, and
have to give you access
to it when you ask.
directly or indirectly, by means reason-
ably likely to be used by the controller or
by any other natural or legal person.
We believe DP law must be finite;
there must be a point at which we can
say with a reasonable degree of cer-
tainty that this information is not per-
sonal data and can be used and shared
outside the constraints of DP law. This
is extremely important if socially desir-
able activity, like medical research, is
to proceed with the certainty that the
pseudonymous data in use—when pro-
tected by sufficient privacy-enhancing
techniques and technical/organiza-
tional arrangements—is anonymous.
WHY DEFINING PERSONAL
DATA MATTERS
There are a number of important so-
cial policy objectives which mean
that the status of personal data, and
information derived from personal
data, is crucial.
First, modern societies run on in-
formation, and much of it is actual per-
sonal data or information derived from
it. Resultant examples of this are public
health, evidence-based policy, service
planning, economic forecasting, and
just satisfying the basic human need to
know more about ourselves and society
This manifests itself most obviously
in initiatives like Open Data and the
duties placed on some organizations
to publish a whole lot of information
about what they do. In the health ser-
vice, for example, published informa-
tion is ultimately derived from patients’
records, doctors’ prescription data, so
forth. Second, a great deal of informa-
tion released under the U.K.’s Freedom
of Information law consists of—or is
derived from—personal data. We need
to make sure we have data protection
law that doesn’t reduce the availabil-
ity of information but makes sure that
we, the people, are properly protected
and we have a transparent society with-
out becoming transparent citizens. An
overly wide definition of personal data
and an overly restrictive application of
the law could take our society backward
in terms of access to information.
Well-drafted and well-regulated DP
law can also give us an appropriate
degree of privacy and control over our
personal information. DP law becomes
more socially relevant—and necessary,
I think—given the different ways in
which the identification of individuals
now takes place, as well as the sheer
scale and sophistication of state and
corporate data processing. It is there-
fore important that current and future
DP law is sufficiently wide in scope to
protect and give rights to individuals
in respect of new forms of identifica-
tion—ones that make our names and
addresses seem decidedly old-fash-
ioned. However, there are some dif-
ficult legal and technological issues
here. It is by no means clear to what
extent rights like subject access can be
delivered in respect of the “non-obvi-
ous” or pseudonymous data described
above where, in reality, service provid-
ers do not really know who anyone they
process personal data about is. This
needs some serious thinking-through
as work on the new DP Regulation
continues. It is clear individuals need
rights that can be delivered in practice
and that organizations cannot be re-
quired by law to do what is impossible
in practice. This would bring data pro-
tection into disrepute and make it less
relevant to the lives of ordinary people.
Biography
Iain Bourne is group manager for policy delivery at the
Information Commissioner’s Office (ICO), an independent
regulatory body dealing with data protection and privacy
law in the United Kingdom. Bourne has dealt with a wide
range of areas, including health service compliance,
emerging technologies, international issues, and privacy
at work. During the last few years he has headed up
the ICO’s work on information sharing, privacy notices,
personal information online, and anonymization. He is
currently involved in the ICO’s work on the European
Commission’s proposal for new data protection regulation.
Copyright held by Owner/Author(s).
Publication rights licensed to ACM $15.00
31
feature

Talking
‘Bout Your
Reputation
People think they want anonymity, but actually desire privacy.
But how do we reframe the debate surrounding privacy and security?
Perhaps technology is the answer.

By David Birch
DOI: 10.1145/2517998

T
here are sound rationales both for and against anonymity [1] and these are
brought into sharp relief by the combination of social networking, mobile phones,
online business, and government. Real issues ranging from online bullying to
activism under repressive regimes mean we as a society need to think about what
we want from the emerging infrastructure and how anonymity should work, or even exist,
within that infrastructure.
I imagine if you were to walk down a important that they can login to a web- anonymity should be stopped because
typical street with a clipboard and ask site about trade unionism, or diseases, it allows child pornographers, terror-
members of the general public whether or pornography, or anything else they ists, and drug dealers to congregate
Photograph by Vyacheslav Pokrovskiy

they think online anonymity is impor-
tant, most would say “yes.” They would
say it is important that they can pay
for something in cash without it being
tracked and traced by the government.
They would say it is important that they
can vote in a secret ballot without their
choices being observed by party activ-
ists (or spouses). They would say it is
might not want other people to know
they have been looking at. I take a guilty
pleasure in occasionally visiting the Dai-
ly Mail website to read the readers’ com-
ments on the major news stories of the
day, but I certainly don’t want friends or
work colleagues to know about that!
However, if you set out clipboard in
hand and asked people whether online
in virtual space with impunity, they
would similarly say “yes.” As I noted,
sound rationales for and against. Per-
haps I might generalize and say people
want anonymity for themselves, but
not for other people. So why do they
want anonymity for themselves?
In the UK, there are some people
who don’t want to register their Oys-

32 XRDS • fall 2013 • Vol.20 • No.1

XRDS • fall 2013 • Vol.20 • No.1 33
feature
ter card—the contactless “tap and go”
mass transit card used in London—
because they don’t want “the man” to
know where they’ve been. I’m sure it
comes as quite a surprise to such peo-
ple that if they drop their Oyster card
down a drain and lose it, they can’t get
the money back by phoning up Trans-
port for London. I imagine the next
time that person gets an Oyster card
one of the very first things they will
do is register the card online so in the
case of it being lost, stolen, or broken
they can get their money back.
I would argue the Oyster card ac-
tually represents a very good way of
balancing privacy and security. When
you use your Oyster card in London
the record of the journey is kept for a
few weeks and then it is anonymized
for use in statistical analysis and cal-
culations. Thus if a crime is com-
mitted somewhere on the system,
then the police can go to Transport
for London with a warrant and ask
for a list of all of the people who had
been through such and such a barrier
at such and such a time, provided it
was within the last few weeks. What
law enforcement can’t do, even if
they were to access the system extra-
legally, is trawl back through a non-
anonymized historical dataset. I
would have thought that most people
would find this reasonable, but ano-
nymity only sounds good to people
who do not consider its implications.
Take voting for example. In the UK
we have a supposedly secret ballot, yet
the ballot papers are numbered and
can be traced back in the event there
are suspicions of irregularities at the
poll. You have effective anonymity at
the ballot, but if there is reasonable
suspicion of fraud that anonymity can
be removed. Here is another pointed
example of something that sounds
good but isn’t: cash. Is it right that a
corrupt politician can take cash bribes
and hide them in his freezer? It isn’t; he
got 13 years [2]. Is it right that criminals
can engage in kidnapping, tax evasion,
or money laundering? Should people
be able to engage in commercial trans-
actions that can never be traced? At
first glance it is very tempting to say yes
because the alternative—which is a Big
Brother government in a big data world
eradicating any element of individual
34
It is not anonymity
that society wants;
it is privacy.
Anonymity is
a clumsy hack that
we have to use
because we don’t have
the proper control
over information.
privacy—is so horrible. But I don’t
think I want to live in a world that al-
lows anonymous transactions and nor
does the U.S. government, given their
recent actions against financial insti-
tutions with poor know-your-customer
procedures. I think I want to live in a
better world.
The way to resolve the tension be-
tween the perfectly reasonable argu-
ments for and against anonymity is to
reframe them in terms of privacy. We
need an infrastructure that delivers pri-
vacy, not anonymity. Privacy is a good
thing. Privacy permits individuals to
express unpopular ideas to people they
trust without having to worry about
how society will judge them. It is vital
to democracy and it contributes to the
“marketplace of ideas” and the promo-
tion of the truth [3]. It is central to our
idea of democracy and expressed (cer-
tainly in the case of the U.S.) in the right
to privacy by association [4].
It is not anonymity that society
wants; it is privacy. Anonymity is a
clumsy hack we have to use because
we don’t have the proper control over
information. In the absence of such
controls, anonymity is really the only
option open to individuals. But it’s not
optimal for them and it is not optimal
for society either. It annoys me when
people—politicians especially—frame
this discussion in terms of finding the
right balance between privacy and se-
curity. I don’t want a balance between
them, I want both of them and I’m
not sure if the politicians and regula-
tors understand the technology well
enough to realize that modern com-
munications and cryptography have
the capabilities to make this possible.
Technology Can Do Better
Let’s take the payments example as an
easy case study. My bank, Barclays, lets
me choose any picture I like to go on
my debit card. But let’s say they could
just as easily let me choose any name
I like to go on my debit card. I might
decide that I’d like to have a debit card
in the name of “Johnny Mnemonic.” I
stroll down to Marks & Spencer and I
buy myself a nice pair of trousers with
my debit card. When it comes time to
pay I put in my card and punch in my
PIN. Job done. I take the trousers home,
but when I go to put them on I discover
that they have a hole in them. So I take
them back to Marks & Spencer and I get
a refund by presenting the same card.
At no point during any of these transac-
tions do Marks & Spencer need to know
that I am actually Dave Birch. They
don’t know who I really am, but—cru-
cially—they know Barclays does.
It’s not as if I can do anything bad
with that card and get away with it. If
that card is used in some criminal en-
terprise of one form or another, the po-
lice can go to Barclays with a warrant
and ask them who Johnny Mnemonic
is. Barclays will, of course, tell them
that it’s me.
This example makes a very general
point. There are very few transactions
any of us do that require the amount of
identification we routinely provide. And
if you look at the problem the other way
round, an increased number of trans-
actions that do require identification
make those identities less secure and
more likely to be abused. There’s a kind
of minimization principle at work. Mi-
crosoft’s Kim Cameron rather neatly
encapsulated issues such as this in his
“seven laws of identity,” one of which
was that we should design an identity
metasystem with minimal disclosure
for constrained use [5]. In other words,
the metasystem should provide only the
information needed to enable the spe-
cific transaction at hand: You shouldn’t
have to show a driving license with your
name and address on it in a bar when
you are actually trying to prove that you
are over 21.
Let’s apply this to a more complex
example of unpopular free speech us-
ing the prosaic case study of newspaper
comments. If I read an interesting ar-
ticle in the newspaper, I might be very
XRDS • fall 2013 • Vol.20 • No.1
interested in reading comments from
intelligent and informed readers. Yet
some of those readers will not make
honest comments if they are identi-
fied. I’m one of them. If I respond to
an article in a UK newspaper, I want
to be able to choose between respond-
ing as me (because my qualifications,
experience, or position is relevant to
the issue) or responding as Joe Bloggs,
because although I think Ed Miliband
would make an excellent Prime Minis-
ter, I know my boss hates him. However
revolting some people’s opinions are,
I’d rather know they are their opinions
and not have them submerged.
Suppose someone who knows who
I am—let’s say the Royal Mail (who
knows where I live as well)—gives me a
digital certificate that only states I live
in the UK. That’s good enough. I use it
to get a Twitter account. Using the Twit-
ter account, I tweet Ed Miliband is a
communist fellow traveler and an eco-
nomic ignoramus with no experience
of the real world. This is an opinion and
free speech. Ed can complain as much
as he likes, but tough. Now suppose I
tweet his home address and suggest
he should be beaten up. That’s against
the law. Ed obtains a court order, and
the Royal Mail tells him who I am and
where I live. This way, privacy is man-
aged correctly through the legal system.
Then What Will Happen?
Think about what is coming in terms
of transactions. By and large the world
that we will be living in will be a world
in which transactions are between my
phone and someone else’s phone—not
between me and someone else. What
seems complicated—storing keys, issu-
ing certificates, and managing reputa-
tions—for individuals is trivial for apps.
Modern smartphones are perfectly ca-
pable of dealing with digital signatures,
trust chains, electronic identities, and
similar constructs. Therefore although
you can turn up at my door claiming to
be an employee of the electricity com-
pany, I can use my phone to read your
phone, which lets me know whether
that’s true or not. I do not need to know
who you are, but I do need to know what
you are. If you subsequently batter me
over the head and steal my life savings,
then the police can go back to the elec-
tricity company to find out who you are,
XRDS • fall 2013 • Vol.20 • No.1
and contact the phone company to find
out where you are.
This is what I’ve taken to calling
“smash the glass” privacy. You have
privacy so long as you behave, but if
you do something bad then the author-
ities can “smash the glass” to sound an
alarm. Of course, if you live in a coun-
try where you do not trust the authori-
ties or the legal system, then we need
to look at other solutions. How would a
human rights activist in Iran obtain a
digital certificate to prove they are hu-
man rights activist, yet make it impos-
sible to identify them? The technology
to do this is easy—it is called “cryp-
tographic blinding” and it has been
around for a generation [6]—but the
metasystem is still not there.
It is possible, I think, to see the out-
line of a suitable metasystem taking
shape with the efforts of the National
Strategy for Trusted Identities in Cy-
berspace (NSTIC) in the U.S. and the
Cabinet Office’s Identity Assurance
Programme (IDA) in the UK, creating
public/private frameworks in which
a variety of identity providers can op-
erate. In the UK, the government has
announced the first eight identity pro-
viders—The Post Office, PayPal, Cas-
sidian, Digidentity, Experian, Ingeus,
Mydex, and Verizon—and, with the
support of the trust framework indus-
try body Open Identity Exchange (OIX),
has begun a number of what they call
Alpha Projects1 to explore the issues
around developing the IDA scheme.
The essential idea behind these
kinds of initiatives is not only can in-
dividual citizens, organizations, and
businesses choose who they want for
their identity provider (IDP), the IDPs
can be separate from the attribute
provider (AP) relevant to a transaction.
So, suppose I choose Barclays to be my
IDP. I then log in to some service some-
where using my Barclays ID. The service
needs to know I have a valid driving
license. Barclays does not know this,
but they know an AP who does (i.e. in
the UK, the Driver and Vehicle Licens-
ing Agency) so the bank can obtain the
relevant attribute (with my permission)
and then present it to the service.
1 Please note that Consult Hyperion provide
paid consultancy services in connection with
one of these Alpha Projects.
Just as you have a few different pay-
ment cards in your wallet today, imag-
ine in the future you will have a few
different “identities”: a work identity,
a personal identity, a hobby identity, a
self-certified “John Doe” identity, and
so on. While I am walking down the
street, my phone will be set to the John
Doe default identity. When I walk into
a shopping mall, the shopping mall
will know I am John Doe and last time
I came in I went to Starbucks—if the
mall sends me a coupon for Costa Cof-
fee, that’s absolutely fine. I sit down for
a coffee and I use my hobby identity to
post a few comments on a newspaper
article about contactless payments (my
hobby). When I go to Marks & Spencer,
my Marks & Spencer app will open up
and use my personal identity, with my
permission. I will have an identity that
is partitioned, with a simple remote
control (my mobile phone).
So What?
I think the paradigm shift from transac-
tions based on identity to transactions
based on credentials represents a very
straightforward way to handle privacy
in a realistic way. There is no need to
choose between anonymity and crime,
or a police state and order. We do not
need to choose between security and
privacy. Technology can provide both.
References
[1] Marx, G. Identity and Anonymity: Some Conceptual
Distinictions and Issues for Research. In
Documenting Individual Identity—The Development
of State Practices in the Modern World. Princeton,
Princeton University Press, 2001.
[2] Barakat, M. (2009, 13th Nov.). “William Jefferson,
Ex-Congressman, Gets 13 Years in Freezer Cash Case.”
The Huffington Post. Retrieved 29th May, 2013.
[3] Solove, D. Anonymity and Accountability. in The
Future of Reputation . New Haven, Yale, 2007.
[4] Landau, S. Politics, love and death in a world of no
privacy. IEEE Security & Privacy 11, 3 (2013).
[5] Cameron, K. The Laws of Identity. Microsoft pp. 12
(11th May 2005).
[6] Chaum, D. Achieving Electronic Privacy. Scientific
American (Aug. 1992).
Biography
David G.W. Birch is a director of Consult Hyperion, an IT
management consultancy that specializes in electronic
transactions. Here he provides specialist consultancy
support to clients around the world, including all of the
leading payment brands, major telecommunications
providers, governments bodies, and international
organizations including the OECD. Before helping to found
Consult Hyperion in 1986, he spent several years working
as a consultant in Europe, the Far East, and North America.
He graduated from the University of Southampton with a
B.Sc (Hons.) in physics.
Copyright held by Owner/Author(s).
Publication rights licensed to ACM $15.00
35
feature

36 XRDS • fall 2013 • Vol.20 • No.1

Understanding
the Data Environment
Protecting data privacy and anonymity requires a better
understanding of the conditions and mechanisms under
which they may be threatened.

By Elaine Mackey and Mark Elliot

DOI: 10.1145/2508973

T
he data environment is a new concept in the field of data confidentiality. Although
there have been references to its various aspects, manifestations, and impacts,
it is only now that it has become a focus of inquiry in its own right. It is a focus,
we would argue, that is long overdue and rather urgent given the manner and
pace in which the data landscape is evolving. The huge amounts of data being generated,
combined with the economic drivers and political will to share it more widely, means
concerns about data privacy and anonymity are ever more founded. Here, we explain why
we need to understand the data envi- more extensive than this; for example, removed, obscured, aggregated, and
ronment in order to minimize threats schools also collect data on their pu- or altered in some way. There are two
to data privacy and anonymity. pils’ exam scores, special educational types of identifiers that organizations
When we talk about protecting data needs, and health; law enforcement need to think about when processing
privacy and maintaining anonym- also collects data on crime and anti-so- data: formal identifiers and complex
ity in the data confidentiality field, we cial behavior; and retailers also collect identifiers. Formal identifiers are rela-
are in essence talking about ensuring data on shopping and leisure habits, tively easy to spot and deal with and
anonymized data remains anonymous finance, employment status, and oc- include data such as a subject’s name,
once it is shared, disseminated, and cupation. This information will in all address, and unique reference num-
released in the data environment. So likelihood be stored in databases that bers (e.g. their social security number
what does this actually mean in prac- hold very many individual level records or National Health Service number).
tice? To answer this, we will first dis- of information. Complex identifiers are less easy to
cuss data and anonymization, as this This data is termed personal data, spot and deal with. They could in prin-
will set the scene for what we really which, as described by the UK Data ciple include any piece of information
want to discuss, the data environment. Protection Act (DPA, 1998), is “data (or combination of pieces of informa-
that relates to living individuals who tion). For example, take age and mari-
DATA AND ANONYMIZATION are or can be identified from the data.” tal status. Considered in the abstract,
All organizations will collect some Organizations that want or need to they are not immediately obvious iden-
information from their customers/cli- share and disseminate their data for tifiers. But, if we consider the case of
ents/service users as part and parcel of secondary use are obliged under the an 18 year-old widow, our implicit de-
their organizational activities. Almost DPA (1998) to process the data in such mographic knowledge tells us this is
always, this will include classic identi- a way as to render it anonymous and a rare combination (at least in peace
fiers such as client’s names, address- therefore no longer personal. The time). This means such an individual
es, and contact details. However, the transforming of data from personal could potentially be re-identified by,
information that is collected is often to anonymous requires identifiers are for example, someone spontaneously

XRDS • fall 2013 • Vol.20 • No.1 37

feature
recognizing that this record corre-
sponded to their friend/neighbor/col-
league/family member.
Just this example alone presents a
data complexity problem, which dem-
onstrates anonymizing data is not
straightforward. To complicate mat-
ters further, organizations preparing
data for dissemination don’t just have
to think about sufficiently anonymiz-
ing their data, but also about retain-
ing data utility. After all, there is little
point in sharing and disseminating
data that doesn’t represent whatever it
is that it is meant to represent (because
it has been altered during the ano-
nymisation process).
Because anonymization is difficult
and has to be balanced against data
utility, the risk a re-identification will
happen will never be zero. In other
words, there will be a risk (although
extremely small) of de-anonymization
present in all useful anonymized data.
The only way to remove this risk entire-
ly is not to share any data at all, which
is obviously undesirable if we are to ex-
ploit the undoubtedly huge social and
economic value locked up in the data.
Statistical Disclosure
For researchers in the data confidenti-
ality field, the first step to determining
how best organizations can minimize
the risk of de-anonymization and op-
timize the trade-off they must make
between anonymization and data util-
ity is to assess how the process of de-
anonymization might actually occur.
The term commonly used in the field
to denote the process of de-anonymiza-
tion (and one that we will use from here
on in) is “statistical disclosure.” A sta-
tistical disclosure, we should point out,
incorporates not just the idea of de-
anonymization (or re-identification),
but also captures the idea that con-
fidential information is revealed (or
disclosed). See Duncan et al. or Hun-
depool et al. for recent reviews of the
statistical disclosure control field [1, 2].
Formally, we describe a statisti-
cal disclosure as a form of data con-
fidentiality breach that occurs when,
through statistical matching, an in-
dividual population unit is identified
within an anonymized dataset and/
or confidential information about
them is revealed. However, determin-
38
ing how a statistical disclosure might
actual occur and then play out is not
straight forward. This is the crux of the
problem. As it stands, we know little
about the factors, conditions, and
mechanisms involved in a statistical
disclosure largely because we know
little about the data environment. We
will give a technical description of this
term shortly; for now, consider it as
the context for any piece of data, with-
out which the data has no meaning.
You may wonder why it is only now
attention is being directed toward the
data environment. After all, it would
seem like an obvious point of focus
given the task in hand. The explana-
tion for this lies with: (i) the particular
perspectives that have underpinned
and informed data confidentiality
work, and (ii) the intractability of un-
derstanding and gathering data from
the data environment.
The traditional perspective was one
where statistical disclosure risk was
seen as originating from, and there-
fore largely contained within, the
data to be disseminated, released, or
shared. It meant data researchers and
practitioners rarely looked beyond
the statistical properties of the data
in question. More precisely, it meant
they did not concern themselves with
issues such as how or why a data in-
truder might make a disclosure at-
tempt, or with what skills, knowledge,
or access to other data they would
require to ensure their attempt was
a success. As a consequence, the
statistical models they built to as-
sess disclosure risk, while statisti-
cally sophisticated, were based on
very crude assumptions about the
context of the risk they were trying
We can only
effectively guard
against the threat
to data privacy and
anonymity when
we have a clear idea
of what it is we are
guarding against.
to model. To address these failings,
there has been a broadening of per-
spective in the last 20 years, which has
seen attempts to incorporate some
context beyond the data itself. This
has usually taken the form of intruder
scenario analysis, which has shifted
attention away from the traditional
position of asking “how risky is the
data for release” to a more critical po-
sition of asking “how a statistical dis-
closure might actually occur.” Some
inroads in addressing this latter ques-
tion have been made, most notably:
(i) the development of a framework
for identifying plausible intrusion
scenarios and (ii) the identification
of sets of key variables, i.e., informa-
tion that can be used for statistically
matching one dataset with another
[3]. But, for all intents and purposes,
this is where the work has stalled not
least because much of it is theoretical.
It is certainly true that we lack a real
worldview of statistical disclosure and
have relatively little direct data on it.
This may be because an act of statis-
tical disclosure is a rare event and or
is one in which the key protagonists
(i.e., the data intruder and the organi-
zation releasing data) are both incen-
tivized to conceal (albeit for differing
reasons). It is difficult to speculate
productively on this and we do not do
so here. The important point we wish
to make is while there is little direct
data in the form of cases of disclosure,
it does not mean there isn’t any (key)
data; the data environment can poten-
tially tell us all we need to know about
how a statistical disclosure might ac-
tually happen.
THE DATA ENVIRONMENT
The data environment is made up of
a small number of components: data,
agents, and infrastructure. It is these
components that we need to look at in
order to ascertain how a statistical dis-
closure might occur and play out.
Data. What (other) data exists in
the data environment? This is what
we need to know in order to identify
what data (key variables) are risky, i.e.,
can be used for statistically match-
ing one dataset with another thereby
providing (some of the) conditions for
statistical disclosure. This is still a
developing area, which, at Manches-
XRDS • fall 2013 • Vol.20 • No.1
ter University, we have been push-
ing forward. Our Data Environment
Analysis Service (a bespoke service
for the Office for National Statistics)
has involved developing a methodol-
ogy for investigating, cataloging, cat-
egorizing, and documenting data in
the data environment. However, this
methodology is operationalized man-
ually and is therefore constrained in
its scope and ability to deal with the
complexity of the problem. The next
step is to develop a methodology for
automating these processes in order
to enable comprehensive capturing of
the global data environment.
Agents. Who are the key protago-
nists, and how might they act and
interact to bring about a disclosure
event? What might the consequences
of this be? There is no risk of statistical
disclosure without human action.
This may seem an obvious point, but
it is one worth emphasizing. As of yet,
we know little about the key protago-
nists and how they might interact. We
are currently working on an approach
using a game theoretic reasoning
to develop greater insights into how
agents might act and interact strategi-
cally, within specific contexts, to create
a statistical disclosure [4].
Infrastructure. How does infra-
structure and wider social and eco-
nomic structures shape the data envi-
ronment? Infrastructure can be best
thought of as the set of interconnect-
ing structures (physical and technical)
and processes (organizational, mana-
gerial, contractual, and legal) that
frame and shape the data environment.
It provides the context to data and agents,
so, for example, it will influence what
data is shared, to whom it is given,
and how that process takes place. It
will also influence key agents, such as
National Statistical Institutes, any or-
ganization releasing data, data users,
specialist interest groups, the general
public, and the media in terms of their
possible actions, interactions, and
counter responses. Infrastructure in-
cludes storage systems, information
systems, data security systems, gov-
ernance structures, and national and
international legislation.
Thus far, we have talked about the
data environment in the definite sin-
gular; in other words, we are referring
XRDS • fall 2013 • Vol.20 • No.1
The transforming
of data from
personal to
anonymous requires
identifiers are
removed, obscured,
aggregated, and or
altered in some way.
to the global system. But the global
system has internal structure; it is
partitioned and that partitioning cre-
ates many local environments. For
example, a secure data center can be
termed a discrete data environment:
It has context-specific physical, tech-
nical, organizational, and managerial
structures that determine what data
goes in; how data is stored, processed,
and risk assessed; and in what format
data comes out, who the user commu-
nity is, and how they can interact with
that data. By defining and regulating
a local environment, the data owner/
controller can render data anonymous
that would, “in the wild,” not be. So
when we share data we are in effect
moving it from one environment to
another. Data environments can be
looser in form than the secure data
center. An environment might be de-
fined purely by regulation and licens-
ing. For example, a community of al-
lowed users might have access to data,
and that community—and the instru-
ments that define what can and cannot
be done with the data comprise—the
environment. Such an environment
cannot be as tightly controlled as the
secure data center environment, but it
does allow for some control of the data
environment not (currently) present
when for example data is published on
the Internet.
All data environments will con-
tain the features outlined above but
are likely to differ in form depend-
ing on how they are made up and
how they are operationalized. A local
data environment may in turn con-
tain sub-environments. For example,
an organization may have multiple
servers with differential access. Indi-
vidual machines themselves are then
sub-environments.
Note that all sub-environments
are, to some degree, permeable since
users move in and out of them with
knowledge of the external environ-
ment. So, even if I am a bona fide user
of an environment acting in a legal
and compliant fashion, my knowledge
of the external environment might
cause spontaneous de-anonymization
(e.g., if I recognize the 18 year-old wid-
ow as my neighbor).
In conclusion, understanding and
building models of the data environ-
ment is of paramount importance if we
are to continue to protect data privacy.
The reason for this is that we can only
effectively guard against the threat to
data privacy and anonymity when we
have a clear idea of what it is we are
guarding against. While we have some
understanding of the factors, mecha-
nisms, and conditions under which
data privacy and anonymity may be
threatened, the long and the short of it
is, at this present time, we do not know
enough about them. Further work on
this topic is both necessary and urgent.
References
[1] Duncan, G., Elliot, M. J., and Salazar, J. J. Statistical
Confidentiality. Springer, New York, 2011.
[2] Hundepool, A., Domingo-Ferrer, J., Franconi, L.,
Giessing, S., Schulte Nordholt, E., Spicer, K., and
de Wolf, P-P. Statistical Disclosure Control. Wiley,
London, 2012.
[3] Elliot, M. J. and Dale, A. Scenarios of attack: the data
intruder’s perspective on statistical disclosure risk.
Netherlands Official Statistics , Spring 1999, 6-10.
[4] Mackey, E. M. and Elliot, M. J. The application of game
theory to disclosure events. Proceedings of UNECE
Worksession on Statistical Confidentiality (Bilbao,
Spain , Dec. 2-4). 2009.
Biographies
Elaine Mackey is a well-established researcher into the
broader aspects of statistical confidentiality where the
statistical, data management, and social policy meet. Her
Ph.D. demonstrated the value of using game theory to map
disclosure attack scenarios. She has recently worked as
part of the Data Environment Analysis Service mapping
the data that an attacker might feasibly use to identify
individuals in anonymized datasets.
Mark Elliot has an international reputation in the field
of data privacy. He has led numerous interdisciplinary
projects in the field and his special unique methods are at
the center of the SUDA system for anonymization decision
support developed at the University of Manchester and
used in statistical agencies across the world. He has a
long track record of relevant stakeholder engagement
most recently through his work on the Administrative Data
Liaison Service (www.adls.ac.uk) and as lead for the UK
Anonymisation Network (www.ukanon.net).
Copyright held by Owner/Author(s).
Publication rights licensed to ACM $15.00
39
feature

What is Bitcoin?
Strengths and weaknesses of the leader in a new generation
of emerging cryptocurrencies.

By Dominic Hobson
DOI: 10.1145/2510124

C
ontrol over your personal data is an important part of privacy. The Web enables
personal data to be gathered, shared, and traded with unimaginable ease, and keeping
a firm grasp on personal data is becoming more and more challenging.
One motivation for the mass movement of personal data around the Web is money.
Before the advent of the Internet, sending money from one side of the world to the other was
not as straight forward a task as it is today. But, just like personal information, the transfer
of money enabled by the Web has big implications for privacy. As we have moved from cash,
to checks, to credit cards—away from money” brings back literally millions Enter Bitcoin, a pseudo-anony-
physical gold standards—our money of results. mous, peer-to-peer currency protocol
has gradually become just numbers on As well as possession of money, cen- created and released, quite fittingly,
a computer. Inevitably, that computer tralized services also get possession of by a mysterious pseudonym, “Satoshi
belongs to someone else. personal data relating to purchases. Nakamoto,” whom has since disap-
Privacy, that is, the ability to be Supermarket chains can—and do— peared. Bitcoin is the leader in a new
able to reveal personal information infer age, gender, household salary generation of emerging currencies
through choice, is near impossible to bracket, and more from the items you known as “cryptocurrencies,” which
attain when a third party holds all your purchase in their stores to aid market- aim to, among other things, facilitate
money, personal information, as well ing and advertising efforts. In 2011, the movement of money electronical-
as every electronic transaction you’ve Visa announced a system called “Real ly while still maintaining a sense of
ever made. Part of the motivation for Time Messaging,” which sent offers privacy. Bitcoin disrupts this move to
creating the Internet was resilience and discounts direct to phones based centralized money services, putting
to attack through distribution with as on information deduced from card the Internet to the use for which it
few single points of failure as possible. use, such as location. was originally intended—fully decen-
Despite having such a system, users These are just a few examples of tralized services.
have still flocked en masse to central- how large companies are using per- It’s been suggested that by print-
ized services such as PayPal. With re- sonal data related to your payments ing our names and details on our
spect to privacy, we have given all our and transaction to target advertis- debit and credit cards we undermine
control; our personal data regarding ing and sell more efficiently. Many thousands of pounds of smart chip,
our transactions; our balances; and people may be comfortable with this. which is a privacy enabling technol-
who we pay, why, and when over to a After all, if somebody is going to try ogy. Unfortunately the biggest group
few large centralized services. and sell something to you wouldn’t of people helped isn’t ourselves, but
For some, this shift of monetary you rather it be something relevant to those with nefarious intent. It begs
control has its benefits. In theory, your you, which you might actually want? the question that in a system where
money is safer in a large organization’s However, there is virtually no alter- everything and everyone is represent-
virtual vault than under your bed. For native to holding money in a bank or ed as numbers on a computer, do we
others, this hand over of monetary other centralized services—which in even need a name? It is this approach
control has been more costly: Search- turn buy, sell, and profit from your that gives the Bitcoin protocol one of
ing for the phrase “PayPal took my personal data. its many strengths.

40 XRDS • fall 2013 • Vol.20 • No.1

 ART TK

XRDS • fall 2013 • Vol.20 • No.1 41

feature
Breaking Down Bitcoin
The Bitcoin protocol itself stores no
personal data. Bitcoin offers its privacy
by design through novel use of cryptog-
raphy. Nothing personally identifiable
is recorded. Instead, users have many
wallet addresses, which are hashes
of public keys. Users can, and are en-
couraged to, have as many different
wallet addresses as required (ideally
one per transaction). The correspond-
ing private keys, required to authorize
a transaction, are stored locally in the
users wallet file.
Users maintain full control and
possession of their local wallet file. But
“with great power comes great respon-
sibility.” Should a user accidentally de-
lete or lose their wallet file, they also
lose any associated bitcoins. Although
the bitcoins are still technically stored
on a peer-to-peer network, the private
keys required to authorize a new trans-
action are lost, effectively making the
coins unspendable.
Behind the scenes, Bitcoin doesn’t
store each coin and who owns it. In-
stead, it uses a distributed ledger
book system (called a “blockchain”)
based on the logic that if you know
every transaction an address has
made, then you know if it has money
to spend. This may appear initially
quite contradictory: A privacy protect-
ing money system that lets the en-
tire world see every transaction ever
made. However, from a privacy per-
spective, it doesn’t matter if everyone
can see every transaction, if the only
identifying information in a transac-
tion is a seemingly random number of
which everyone can have many.
Transactions are verified through a
process known as “mining.” The min-
ing process also serves as the mecha-
nism by which bitcoins are initially
produced and distributed. Mining is
effectively the act of adding transac-
tions to the blockchain so everyone
can agree on the same set of transac-
tions. A node that chooses to mine
runs mining software, which repeats
the following:
1. Gather up all unverified trans-
actions into a block (ensuring they’re
all valid transactions) along with the
hash of the last block added to the
blockchain and a random number
called a “nonce.”
42
2. Hash this block. Look at the
newly produced hash, specifically how
many zeros it starts with: (a) If the
number of leading zeros is less than a
predefined number (known as “diffi-
culty”) then start again from step 1, in-
crementing the nonce to ensure a dif-
ferent hash is reached. (b) If there are
more leading zeros than the required
difficulty, then proceed to step 3.
3. The miner has successfully
mined a block, adding it to the block-
chain. They then broadcast their hash,
along with the transactions in it and
the nonce to others. The successful
miner also receives newly created bit-
coins as a reward in a special coin base
transaction—this is how bitcoins are
initially produced.
4. Other miners receive the new
block and its contents. They check that
all transactions in the block are valid
and not double spends, and check that
when hashed, they give the right result.
If everything is valid, they use the new
block hash and start to mine the next
block with new transactions.
The mining process is effectively
trial and error. As more people try
mining, they would in theory be able
to mine blocks more quickly. For this
reason after every 2,016 blocks that
are found (which happens approxi-
mately every two weeks), the pre-
defined number of leading zeros that
must be in a hash for it to be success-
ful (the difficulty) is adjusted. This
is based on the average time it has
taken to mine a block. If this time is
more than 10 minutes, the difficulty
is decreased. This effectively restricts
the mining process to a block every
10 minutes.
Bitcoin disrupts
this move to
centralized money
services, putting
the Internet to the
use for which it was
originally intended—
fully decentralized
services.
The reward a miner receives for find-
ing a block is the sum of the transac-
tion fees of all the transactions in that
block, as well as a block reward that is
currently 25BTC. This reward halves
every four years, so no more than 21
million bitcoins will ever be produced.
The aim of this is supposedly to mimic
a finite resource such as gold. With
3,600 bitcoins being produced a day
and each bitcoin worth around $100,
mining has become an industry and
profession itself.
Miners typically invest thousands
into their mining rigs in order to hash
just a little bit faster in hope of find-
ing a block before another miner does.
People are even going as far as creating
Application Specific Integrated Cir-
cuits (ASICs) that can cost tens of thou-
sands of dollars each for the sole pur-
pose of mining. For Bitcoin users, the
more people mining and hashing, the
more secure and resistant the block-
chain is to attack.
To attack the network, a malicious
actor would have to create or modify
a transaction in a block and mine it
faster than the rest of the entire net-
work can mine a block. Mining faster
than the rest of the network on aver-
age requires the same or more hash-
ing power than the entire network
combined, which is currently hover-
ing at around 1500 petaFLOPS (float-
ing point operations per second). To
put that in perspective, Tianhe-2, the
world’s fastest supercomputer, has
managed to muster a measly 31 pet-
aFLOPS and theoretically maxes out
at just 54.9 petaFLOPS.
Even if an attacker could acquire
such power, malicious transactions
must still be accepted as valid by other
miners. With more than 50 percent
of the network power, a malicious ac-
tor can only prevent transactions, and
reverse or double spend transactions.
Should a malicious party have more
than 50 percent of the hashing power,
they would earn more by legitimately
mining then they could with fraudu-
lent transactions.
Ultimately, providing you look af-
ter your wallet, your bitcoins are safe,
unless somebody manages to break
the military-grade cryptographic al-
gorithm ECDSA (Elliptic Curve Digi-
tal Signature Algorithm). Even if this
XRDS • fall 2013 • Vol.20 • No.1
Figure 1: The price of a bitcoin at the largest exchange, MtGox, in the first four months of 2013 in dollars.
Mt. Gox (USD)
Apr 25, 2013 — Daily Op:154.2, Hi:162, Lo:150.6, CI:152.8
600K
550K
500K
450K
400K
350K
300K
250K
200K
150K
100K
50K
0K
Jan 13
were to happen, rolling out a new cli-
ent and switching over to a new block-
chain (called a “hard fork”) would
solve the problem. Even a full break
in ECDSA would have little to no im-
plication for privacy of Bitcoin as
there is still no personal data stored
within the protocol.
Weaknesses of Bitcoin
So with such secure algorithms,
what makes Bitcoin only pseudo-
anonymous? One reason is that Bit-
coin can’t guarantee that users will not
somehow accidentally or intentionally
link themselves to a wallet address. For
example, let’s assume Alice published
a wallet address of hers on Twitter
for donations and received 20BTC. By
looking through the blockchain, any-
one can find the addresses that Alice
sent her money to, and it’s more than
likely Alice knows the people she sends
money to. Alice may wish to support a
controversial group and anonymously
donate. She naively sends money to
an address the group posted on their
Twitter feed. Anyone looking up Alice’s
donation address in the blockchain
would only have to Google the address-
es she sent bitcoins to in order to link
her with the controversial group.
All the above could have been avoid-
ed if either party had used a script to
XRDS • fall 2013 • Vol.20 • No.1
Vol: 36.93K
Feb Mar
automatically generate a new Bitcoin
address for each individual. Unfortu-
nately, the vast majority of the popu-
lation probably doesn’t know how to
do that. A potential flaw in Bitcoin,
as it stands, is that it is so incredibly
novel and ingenious; it’s not yet intui-
tive or easily understandable for most
of the population. How can someone
be expected to trust something new
that they don’t understand? Bitcoin
was originally created and used by
people with a technical disposition,
so its lack of ease of use is most likely
a feature of being a first generation
cryptocurrency.
There are already clones of Bitcoin
being created using the Bitcoin source
code as the base. Although none of
these improve the usability, they do
offer variations in block production
time and rate. Some of these “altcoin”
clones offer mining algorithms that
are considered fairer by hashing blocks
with the Scrypt algorithm. Producing
a hash using the Scrypt algorithm is
more memory intensive than SHA256
and as a result doesn’t benefit as much
with mass parallelization provided by
more expensive hardware such ASICs.
Some altcoins use a variation of Bit-
coin’s proof of work algorithm, mak-
ing them in theory more resistant to a
51 percent attack.
mtgoxUSD
UTC – http://bitcoincharts.com
280
260
240
220
200
180
160
140
120
100
80
60
40
20
0
Apr
However, these clones still share
some of the same weaknesses as Bit-
coin. In order to cash out Bitcoins into
a fiat currency such as £ or $, typically
one must go through an exchange.
The price of a Bitcoin varies. In the
first four months of 2013, the price of
a bitcoin went from $20 to more than
$250, down to $60, and back up to
$160 (see Figure 1). Such volatility is
unheard of in fiat currencies and has
brought Bitcoin’s value as a stand-
alone currency (i.e., not pegged to a
fiat currency) into question.
Such volatility can lead to practical
issues. For example, let’s assume a min-
ing hardware company accepted pre-
orders in bitcoins on equipment worth
$30,000. After missing shipping dates,
some customers requested refunds.
However, when some customers paid
in bitcoins, the value of a bitcoin was as
low as $20, whereas now they’re worth
more than fives times that amount. If
the company has to pay back custom-
ers with the amount of bitcoins the cus-
tomer paid, then they will be paying the
customers more than fives times the
dollar equivalent they originally paid.
However, paying out the dollar value to
the customer in bitcoins is also not fair,
as the user will end up with consider-
ably less bitcoins than they had before
they bought the product.
43
feature
The volatility of Bitcoin can be at
least partially attributed to the fact
that nobody really knows the intrinsic
value of a bitcoin. It’s been suggested
there is a loose correlation with price
of electricity since the act of mining
uses a significant amount of electrici-
ty—one source suggests the amount of
electricity put toward mining bitcoins
for a single day is enough to power
more than 30,000 homes. There was
also speculation that the rise in price
of Bitcoin early this year was linked to
the Cyprus bailout. Cypriots with more
than 100,000 EUR had money taken
from their accounts in order to sup-
port the country. This wouldn’t have
been possible if Cypriots stored their
money in bitcoins. However, traffic
figures from exchange websites where
bitcoins can be purchased suggested
no notable increase in traffic from Cy-
prus. Other things that seem to affect
Bitcoins volatility include media cover-
age, Bitcoin services being hacked, and
downtime on popular services.
The more money that goes into Bit-
coin, the more stable it is likely to be-
come as the currency finds its value.
The Winkelvoss twins—famous for
claims that Mark Zuckerberg stole
their idea for Facebook—recently an-
nounced they had invested $11 million
in Bitcoin, giving them, at the time, 1
percent of all bitcoins in circulation.
While this amount of investment is
useful in some respects, with Bitcoin
being a relatively small market, indi-
viduals with such large amounts could
still sway the price at the exchanges.
Furthermore, the exchanges where
bitcoins can be purchased and sold
are not a part of the Bitcoin protocol,
so they may not be as safe. This has big
implications for privacy and security.
Anyone can run an exchange, regard-
less of his or her competence, knowl-
edge, reliability, or trustworthiness.
Most exchanges are websites where a
fiat currency or bitcoins are deposited,
and then converted to numbers in a da-
tabase. This subjects them to the same
vulnerabilities as other websites, mak-
ing them a target for hackers. A lot of
articles in mainstream media relating
to Bitcoin have focused on hacks at the
exchanges and rarely make a distinc-
tion between the exchanges and the
Bitcoin protocol itself.
44
A potential flaw
in Bitcoin, as it
stands, is that it is so
incredibly novel and
ingenious; it’s not
yet intuitive or easily
understandable
for most of the
population.
Unlike the Bitcoin protocol, these
exchanges are ultimately centralized:
Backed and run by people against
whom laws can be enforced. In most
jurisdictions, exchanges are subject
to “anti-money laundering” laws that
require certain kinds of businesses
to “know your customer” (i.e., know
as AML/KYC regulations.) This in-
volves formally identifying customers
through official documentation—typi-
cally passports and utility bills—pre-
senting yet another place where a Bit-
coin wallet address can be related to a
real world identity.
In reality, Bitcoin offers enough
anonymity for it to become inefficient
for authorities to pursue a person for
small scale and minor crimes. As a re-
sult, Bitcoin has been used for trading
in illegal goods and services online.
Perhaps the most notable case, which
was the focus of most Bitcoin related
media attention in 2011, is Silkroad,
described as the “Amazon market-
place of drugs.” Silkroad operates on
the anonymizing network Tor, and al-
lows users to buy and sell drugs, guns,
guides on hacking, forged documents,
and more—all paid for in bitcoins. In
2012, research into Silkroad suggested
an average of just more than $2 mil-
lion worth of bitcoins a month went
through the site. There are typically
between $30 million and $70 million
in transactions a day with bitcoins, so
it’s important to remember Silkroad’s
$2 million a month makes up just a
tiny fraction of trades that take place
with Bitcoin.
The protection Bitcoin provides
is a strength and a weakness. On one
hand, many of the things on sale on
Silkroad were legal in some country
somewhere in the world. A libertarian
might argue people should be allowed
to buy and sell what they want with
their money. On the other hand, trade
in guns, particularly on a black market
like Silkroad, can severely impact the
lives of others and attract negative at-
tention from the press and public.
It’s important to emphasize cryp-
tocurrencies are effectively tools, and
tools on their own do not break laws.
Paper cash, for example, shares many
of the features of a cryptocurrency—
relatively anonymous, fast, and peer-
to-peer—yet it is a valuable part of
society. Although the way people use
tools can be illegal, a lot of media at-
tention around cryptocurrencies fo-
cuses on their illicit use, effectively
labeling and criminalizing those
who simply want some privacy, or a
useful service.
The Future of Cryptocurrencies
Like most privacy enabling services,
Bitcoin serves its purpose when un-
derstood and used properly. However,
the novel nature of Bitcoin can make
it hard to grasp properly. Regardless
of privacy, Bitcoin provides users with
ultimate control over their money, and
allows fast and secure transfers around
the world with transactions fees lower
than virtually all-existing alternatives.
As a first-generation cryptocurrency,
it still has its quirks and is ultimately
reliant on third-party services, which
are not yet mature enough to offer the
same strengths as the protocol itself.
The shallow but rapidly growing mar-
ket around Bitcoin creates a level of
volatility that can make Bitcoin a bit of
an inconvenience in some cases. But
it’s still most likely the first of many
emerging systems that will force us to
fundamentally rethink how our money
and the associated private data should
be handled in the age of the Web.
Biography
Shaped by daily access to the Web from the tender age of
five, Dominic Hobson has spent his life on and around the
Web. After completing a degree in computing science at
University of Wales, Bangor, he went on to Southampton
to complete a master’s in Web science, looking at criminal
use of virtual payment systems. Still at Southampton,
Hobson is now working toward a Ph.D., studying
cryptocurrencies and their surrounding communities.
© 2013 ACM 1529-4972/13/09 $15.00
XRDS • fall 2013 • Vol.20 • No.1
The Tor Project:
An inside view
A decade since the first version was released, Tor continues
to be at the center of the debate around online privacy.

By Kelley Misata
DOI:10.1145/2510125

T
en years has flown by since The Tor Project released the first version of the Tor
software in 2002. Since those early days Tor’s technology, research, company, and
mission has grown to meet the needs of constantly changing global landscape.
Fueled by a passionate team of more than 30 core employees and contractors—
including myself—we along with more than 3,000 dedicated volunteers and a community
of sponsors share in Tor’s mission in bringing a voice to global debates around privacy,
anonymity, and censorship circumvention.
Today, with more than 2.4 billion peo- The Tor Project’s place in the arena grow of relays and Tor bridges from
ple online, Tor continues to be on the of privacy and anonymity is complex March 16 through June 14, 2013.
front lines helping people across scien- and ever changing. Therefore, in the in-
tific, charitable, civic, government, and terest of space, this article will explore a ANONYMITY LOVES COMPANY
educational sectors stay safe and com- few key areas that illustrate Tor’s broad Ongoing trends in law, policy, and tech-
municate freely. global impact. Much more about us, our nology threaten anonymity as never be-
Protecting the rights of privacy mission, and our projects can be found fore, undermining our ability to speak
and anonymity for all isn’t always the on www.torproject.org or, even better, and read freely online. These trends
most popular or easy place to stand join the ongoing conversations with Tor also undermine national security and
when the public is faced with reports developers on IRC at #tor-dev. critical infrastructure by making com-
of national and international privacy munication among individuals, orga-
breaches. However, Tor maintains a HOW TOR WORKS nizations, corporations, and govern-
consistent focus on technology and Relay operators are really the heart of ments more vulnerable to analysis.
the passion to help people stay safe. the Tor network. We could not exist Each new user provides additional di-
We empower NGOs, law enforcement, without the loyalty and passion of these versity, enhancing Tor’s ability to put
and survivors of crime through our 3,000-plus volunteers. By downloading control over your security and privacy
technology. We give ordinary citizens a Tor’s software and setting up as a relay, back into your hands. (For more on how
fighting chance against criminals who operators manage a constant flow of anonymity loves company I would di-
steal identities and bandwidth to com- online traffic through the Tor network rect readers to “On the Economics of
mit crime. Without Tor in the world, every day. Each relay has a direct impact Anonymity,” written by Roger Dingle-
the bad actors will find another tool on Tor network’s ability to run better dine, Paul Syverson, and Alessandro
to achieve their objectives. With Tor in and faster for all users. A Tor relay can Acquisti; http://freehaven.net/doc/fc03/
the world, the good actors will contin- run on almost any operating systems, econymics.pdf.)
ue to have a tool and experts commit- but currently runs best on Windows, The Tor community is often por-
ted to providing safe online channels Mac, Linux, and on Amazon cloud ser- trayed in the media as being comprised
of communication. vices. Figure 1 illustrates the steady only of immoral, unjust, and malicious

XRDS • fall 2013 • Vol.20 • No.1 45

feature
individuals. Unfortunately, in the bor-
derless cyber world we live in today, and
because Tor’s technology is available
open source and free some of this is
true. Like other open-source technolo-
gies, anyone is free to download Tor.
However, we firmly believe the bad ac-
tors in this arena are few and do not
make up Tor’s core user community.
Our community consists of a wide va-
riety of people, groups, and organiza-
tions that all share a common vision:
Privacy is important and anonymity
has a place in daily life. Journalists of-
ten use Tor to communicate more safe-
ly with whistleblowers and dissidents.
Non-governmental organizations
(NGOs) use Tor to allow their employ-
ees to connect securely and privately
while they’re in a foreign country, with-
out notifying everybody nearby who
they’re working for. Activist groups
recommend Tor as a mechanism to
maintain civil liberties online; for ex-
ample, the Electronic Frontier Founda-
tion (EFF) is an open supporter of The
Tor Project. Corporations see the value
in Tor to conduct competitive analysis
safely, protect sensitive procurement
patterns from eavesdroppers, and, in
some cases, replace traditional VPNs.
Governments around the world use Tor
for open-source intelligence gathering
and their teams use Tor to communi-
cate safely while deployed. Law enforce-
ment uses Tor for visiting or surveilling
websites without leaving government
IP addresses in their Web logs, as well
as to provide an additional layer of se-
curity during sting operations. Every
day people use Tor to get online safely
and securely, to protect their identity,
protect their children online, and pro-
Table 1. The Top 10 Countries Connected to Tor
Country
United States
Italy
Germany
Spain
France
Ukraine
Russia
United Kingdom
Brazil
Netherlands
46
Protecting the Windows, Mac OS X, or Linux platforms
in 14 languages and growing.
rights of privacy and 2. Tails. A live operation system for
anonymity for all preconfigured CD/DVD or USB allows
users to use Tor’s state-of-the art cryp-
isn’t always the most tographic tools any time, anywhere,
popular or easy place without leaving a trace on the computer
they are using. Tails 0.18 is now avail-
to stand when the able for download. Current and poten-
public is faced with tial Tails users should keep an eye on
the Tor blog for continue updates and
reports of national Tor news.
and international 3. Orbot. Tor on Google Android
devices provides mobile anonymity
privacy breaches. through a free proxy application.
4. Pluggable Transports or Obf-
sproxy. By transforming how traffic ap-
pears to those who may be monitoring
tect their right to research sensitive it, therefore preventing the detection of
topics without being tracked. Tor traffic, this tool circumvents cen-
Figure 2 illustrates how the num- sorship. Though the technology works
ber of Tor users around the globe has behind the scenes independently from
grown since 2010, and Table 1 lists the Tor, developers have configured an in-
top 10 countries that connected to the ternal protocol to minimize any end-
Tor network from March 16 through user intervention. In addition there are
June 14, 2013. prototypes in development by univer-
sity researchers and developers of cir-
TOR’S ECOSYSTEM cumvention tools.
The Tor Project ecosystem continues
to expand to meet global technical TOR’S RESEARCH
challenges and a constantly chang- The research arm of Tor is critical to the
ing threat landscape. A complete list success of the entire ecosystem. Many
of all the projects the development people around the world are conducting
team is working on can be found on valuable research in the space of priva-
the Tor project page of our website. cy, anonymity, and censorship circum-
However, here is a quick glimpse of vention and Tor is actively participat-
Tor’s top technologies. ing. To keep current we foster essential
1. Tor Browser Bundle (TBB). Tor’s partnerships with leading research and
flagship software allows users to academic institutions around the world
bounce Internet communication or ac- and continually engage with leading re-
cess block websites using Tor’s distrib- searchers through the Tor research por-
uted network of more than 3,000 volun- tal. Our current research efforts are fo-
teer relay operators. TBB is available on cusing on how to improve Tor’s design,
understanding what’s going on within
the Tor network, and more general re-
search on privacy and anonymity.
Mean daily users
83352 (15.90%) TOR AROUND THE WORLD
57577 (10.99%) The conversations around privacy
46185 (8.81%) and anonymity that are facing policy
39985 (7.63%)
makers, technologists, and indus-
try are not confined to online chats
38736 (7.39%)
or boxes of wires sitting on desks. It
20830 (3.97%)
is incredible to witness the number
17105 (3.26%)
of people who think Tor is just one
15739 (3.00%)
person or a few individuals working
15723 (3.00%)
in a dark basement somewhere. The
12069 (2.30%) fact is we are at the forefront of many
critical dialogues addressing privacy,
XRDS • fall 2013 • Vol.20 • No.1
anonymity, and issues of freedom of
speech online. Frequently invited as Figure 1. A steady growth of relays and Tor bridges.
privacy and anonymity experts, mem- Number of relays Relays Bridges
bers of the Tor team travel the global 3500
speaking about these issues, helping 3000
people learn about the technology and 2500
the risks to privacy in various environ- 2000
ments and gathering new insights into 1500
the behaviors of online users, which 1000
we can use to improve the usability of 500
the Tor technology or provide more ef- 0
fective learning tools. Apr 2013 May 2013 Jun 2013
We have seen, first hand, the value of The Tor Project https://metrics.torproject.org/
bringing all the stakeholders to the table
on these issues and others surround-
ing freedom of speech online. Below is Figure 2. The number of Tor Users around the world has grown significantly since
a snapshot of some of the places Tor has 2012.
been during the month of May 2013: Directly connecting users from all countries
1. The Advisory Council on
Child Trafficking Symposium;
Baltimore, MD 800,000
2. ITWeb Security Summit;
Johannesburg, South Africa 600,000
3. Oslo Freedom Forum;
Oslo, Norway 400,000
4. Pixelache Festival; Hesinki,
Finland/Tallinn, Estonia 200,000

5. CryptoParty; Frankfurt, Germany

6. IEEE Symposium; 0

San Francisco, CA 2010 2011 2012 2013

7. Stockholm Internet Forum
Conference; Stockholm, Sweden
8. Consilience 2013 Conference;
Bangalore, India
9. NATO Discussion Forum;
Brussels, Belgium
10. DIMACS Working Group
on Measuring Anonymity;
Rutgers University, NJ
11. Youth Internet Governance
Forum
12. New England Give Camp at Micro-
soft Research; Cambridge, MA
This does not fully capture our ex-
tended community helping to raise
awareness. Imagine the countless oth-
er conversations the Tor team has par-
ticipated in over the past 10 years and
many other important conversations
that still need to happen.
The Tor Project: https://metrics.torproject.org
tinue to improve usability of the Tor
ecosystem, security and anonymity,
stronger cryptography capabilities, and
new tools to offset increasingly persis-
tent probes for censorship being used
in global societies. We will continue to
support the network through the ongo-
ing expansion of the Tor help desk vol-
Our community
consists of a wide
variety of people,
groups, and
unteer pool, capabilities, and languag-
es to serve the global community. We
will continue to bring a strong, confi-
dent voice to the conversations. We will
continue to raise awareness and foster
partnerships to help everyone stay safe
and free online.
Basically, Tor will continue to do
what we have done since 2002; build-
ing innovative, sustainable technology
solutions, which meet the needs of the
world and protecting everyone from
the threats to privacy and censorship.
We want to make it possible for people
to actively choose their level of privacy
and anonymity online; this is what the
Tor Project is all about. We’re making

CONCLUSION
organizations that progress, but we need your help. Please
consider running a relay, volunteering,
Recent events remind us all how impor- all share a common as a developer, attending an event, or
tant and complex privacy and anonym-
ity are in today’s digital environment.
vision: Privacy is contacting us for training or education.

Tor will continue to be at the ready to important and Biography

respond with technology solutions,

research, and an active role in global
anonymity has a Kelley Misata is the director of marketing,
communications and outreach with The Tor Project, Inc.

decisions. Our technical team will con- place in daily life. © 2013 ACM 1529-4972/13/09 $15.00

XRDS • fall 2013 • Vol.20 • No.1 47

feature

It’s Not About Winning,

It’s About Sending
a Message: Hiding
information in games
New information hiding techniques use online games to transmit
secrets covertly. The technique is simple, but the problem of detecting
these covert channels is far from solved.

By Philip C. Ritchey
DOI: 10.1145/2510126

A
lice and Bob have been imprisoned under the guard of the watchful warden Wendy.
The two of them want to collaborate on an escape plan, but the only means of
communication they have is a public channel that is vigilantly monitored by Wendy.
On top of that, Wendy will not allow them to use cryptography to obscure the contents
of their messages. If she sees a message that she cannot read, she will throw both Alice and
Bob into solitary confinement and they will not be allowed any further communication at all.
What can they do to communicate covertly over a public channel?
Alice and Bob’s situation can be re- can now be proven for steganographic secret data. The resulting change in
solved through steganography—the techniques. Despite having once been the image is imperceptible to a human
art and science of sending messages regarded as a defective form of cryp- observer, and an 8-megapixel grayscale
in such a way that only the sender and tography, steganography in the digi- image can hold one megabyte of secret
the intended recipient are aware of tal age is almost as indispensable as data without noticeably reducing im-
the existence of the message. Whereas cryptography. From watermarks for age quality. The spacing between words
cryptography is concerned with keep- use in digital rights management and or lines in a text can be used to hide in-
ing the contents of a message secret, intellectual property protection, to formation as well. Many network pro-
steganography is concerned with protecting anonymity online, to cen- tocols and file formats have unused
keeping the existence of a message sorship resistant technologies, to fin- (or misused) fields that can hold secret
secret. In the past, steganography has gerprinting digital objects for traitor data. The possibilities are really only
been discounted as being security-by- tracing and authentication, stegano- limited by one’s imagination.
obscurity, which is to say: No security graphy is everywhere.
at all. However, modern steganogra- The standard example of digital HIDING INFORMATION IN GAMES
phy does not rely on methodological steganography is hiding secret data Much to the dismay of Chess-by-mail
obscurity, and equivalent notions of in images by replacing the least sig- players during World War II, the imagi-
security to those used in cryptography nificant bit of each pixel with a bit of nation of the censorship offices of the

48 XRDS • fall 2013 • Vol.20 • No.1

 U.S. and Britain led them to ban Chess-
by-mail because the game could be
used to send secret messages. But how
does one send secret messages using a
game? Let’s look at Tic-Tac-Toe, a pen
and paper game where two players, X
and O, take turns marking spaces in a
3x3 grid (see the layout in Figure 1). The
players take turns marking the spaces
until there are no spaces remaining, or
until one of them wins by placing three
of his or her marks in a row (horizon-
tally, vertically, or diagonally).
And so, when you come to that
point in your life where your name is
Alice and you’re sitting there wonder-
ing how you’re ever going to talk to
Bob without Wendy reading every-
Illustration by Lukas Radavicius
thing you write because you’re not al-
lowed to encrypt your messages, you
will probably end up playing Tic-Tac-
Toe and Wendy will think nothing
of it. The key to making Tic-Tac-Toe,
or any other game, work as a covert
communication channel comes from
XRDS • fall 2013 • Vol.20 • No.1
information theory: Where there is
choice, there is information. Because
Alice can choose where she places her
mark, she can use that choice to send
Bob some bits of information. Bob, on
his end, because he knows what choice
Alice made, can determine the bits
Alice sent. Similarly, Bob can use his
choice of move to send bits of informa-
tion back to Alice. If we stopped here,
we would have a system whose secu-
rity relies on the method remaining
unknown to Wendy, i.e. security-by-
obscurity, which is no security at all.
We will have to fix that in a moment,
but for now we will leave it unsecure so
that we can look more closely at how
this system works.
Let’s assume Alice is playing X, so
she goes first. With her first move, she
must choose which space to mark.
With her first choice, Alice will send
some bits of secret information. The
number of bits she can send depends
on the number of available options
and how likely she is to choose each
option. Assuming she will choose each
option with equal probability, Alice
can send three bits of information to
Bob with her choice of opening move.
In general, when the choice is made so
that each option is equally likely to be
chosen, the capacity of each move is
the base-2 logarithm of the number of
available moves:
C = floor(log2 (n)),
where n is the number of available
moves. In an ordinary game, Alice
would choose the move she thinks
would maximize her chances of win-
ning. But in a game played for the
purpose of sending secret informa-
tion, Alice must choose the move that
sends the correct bits. Let’s assume
Alice is trying to send data that begins
with bits 11001. We can label each
available move with a C-bit string that
represents the meaning of the move,
i.e. what bits will be sent to Bob by se-
lecting that move. The easiest way to
49
feature

in a new game. This will continue,

Figure 1. Alice is sending the bits 11001. With her first move, she sends the bits possibly for many games, until Alice
110 by choosing the bottom left corner space. With her second move, she sends has sent all the bits of her secret.
the bits 01 by choosing the top right corner space. This will continue until Alice no
longer has bits to send. DETECTING HIDDEN INFORMATION
What does this exchange look like
to Wendy? If we put ourselves in her
shoes and look at what Alice and Bob
send over the channel, we can see it
looks like two people playing ordinary
games of Tic-Tac-Toe. At least, that’s
how it looks at first. After a while, Wen-
dy will see something suspicious hap-
pen too often to be chalked up to ran-
dom chance: One or the other player
will make a stupid move, such as fail-
ing to win when they could, or failing
do this is to start in the top left corner can then send some bits of his own to block their opponent’s win (see the
with the number zero in C-bit binary back to Alice by relabeling all the example in Figure 2). It is at this point
(000, since C=3), then the number moves and picking his move based on Wendy can make her first attempt
one (001) in the top middle, then 010, what his secret bits are. Or, Bob can at detecting Alice and Bob’s usage
and so on until we get to the bottom just play along with Alice and only re- of a secret communication channel.
middle, which is 111. To keep things ceive but not send. For simplicity, we She does so by defining a threshold
simple, we make the remaining op- will not have Bob send data back to value for the number (or rate) of stu-
tions nulls that do not encode any bits Alice. Once Bob makes his move, he pid moves she will allow. If Alice and
at all, as shown in Figure 1. The first sends the updated board back to Al- Bob exceed this threshold, she will cut
three bits Alice wants to send are 110, ice. If Alice expects Bob to be sending them off and throw them into solitary
so she will choose the move in the bot- his own data, now is when she would confinement. Our experiments show
tom left corner. After marking an X in extract it. Since she does not expect if Alice and Bob are not playing smart,
the space, she sends the board to Bob to receive data from Bob, she can go Wendy’s classification accuracy can
for him to make his move. straight to encoding the next bits of be as high as 95 percent if she watches
Upon receiving the board, Bob can her message. With two moves already them play for just five games.
extract the bits Alice sent by undoing on the board, there are seven options To prevent bad play from giving the
her last move and carrying out the remaining for Alice, which allows players away, Alice and Bob can make
same steps that she did to label the her to send two more bits. The bits a slight adjustment to their system
moves. Then Bob just needs to look she needs to send are 01, so she will so that they are only choosing their
at what move Alice chose and record place her mark in the space labeled next move from the set of not-stupid
those bits. In this case, Bob would see 01, which is the top right corner space, moves. Where before they were play-
Alice moved in the bottom left corner, and send the updated board to Bob. ing “random” we say they are now play-
which has the label 110, so he writes If the game ends while Alice still has ing “greedy.” Meaning they will win if
down 110 as the bits Alice sent. Bob more bits to send, she will engage Bob they can block a win, but otherwise
play randomly. While this slightly re-
duces the total information hiding ca-
Figure 2. Continuing the game started in Figure 1, Bob takes the center space. But, pacity of their system, from an average
suppose Alice still has bits to send, namely she now needs to send the bits 10. To of 15.748 bits per game when playing
send the bits 10, she must choose the middle right space. Unfortunately, this is a random to 14.105 bits per game when
stupid move and, if it happens too often, will signal to Wendy that, instead of play- playing greedy, it also completely cir-
ing to win, Alice is sending a message. cumvents Wendy’s detector since now
they don’t make any stupid moves.
The onus is now on Wendy to find a
way to distinguish between gameplay
that is clean (contains no hidden in-
formation) and gameplay that is dirty.
What happens if Wendy goes one step
further than simply requiring that
Alice and Bob not play stupidly, and
insists they play perfectly? Wendy’s
thinking is humans are rather good at
Tic-Tac-Toe and so can play perfectly,

50 XRDS • fall 2013 • Vol.20 • No.1

so perhaps requiring perfect play will
not leave any room for covert commu-
nication. If so, then Alice and Bob will
have to deviate from perfect play in
order to transmit their secret messag-
es. Do you think Wendy is onto some-
thing? Or, do you think Alice and Bob
can play perfectly and still have capac-
ity left for covert communication?
In fact, it turns out Alice and Bob
are able to satisfy the perfect play re-
quirement and be left with an aver-
age of 11.815 bits of total capacity per
game. And so, yet again, Wendy finds
herself suspecting Alice and Bob are
using Tic-Tac-Toe to share secrets,
yet she is still unable to determine
when they are doing so. I’ll tell you
now that she may be down, but she’s
far from out.
Right now, there should be a
screaming objection in your head: Why
doesn’t Wendy just decode what Alice
sends? If she knows the method, she
can extract the bits just as easily as Bob
can, and if she sees anything mean-
ingful she can prove they were using
the game as a covert channel. That is
exactly why security-by-obscurity is
no security at all. Therefore, Alice and
Bob need to introduce an extra step
and a secret key into their system so
that only someone with the secret key
will be able to correctly decode the
gameplay. Simply put, Alice and Bob
should encrypt their messages before
hiding them in the game. That way,
when Wendy extracts the bits from the
gameplay, she will get something that
appears to be random. To determine if
the covert channel is being used, Wen-
dy must be able to distinguish between
encrypted data and random data when
analyzing the extracted bits. While
this is, in theory, possible, it requires
Wendy to wait until she has a very large
number of bits before she can make
a decision. Alice and Bob may finish
their communication before Wendy
even has enough bits to be able to test
them for randomness.
What else can Alice and Bob do to
make Wendy’s job even more difficult?
Imagine Alice and Bob each have a
coin and whenever one coin is flipped,
the other is flipped at the same time
and the result is the same for both.
If the coin lands on heads, then the
next move is used to hide secret bits;
XRDS • fall 2013 • Vol.20 • No.1
The standard
example of digital
steganography is
hiding secret data in
images by replacing
the least significant
bit of each pixel with
a bit of secret data.
otherwise the move is made normally
and does not hide any secret bits. If
the coin is fair (50 percent chance of
heads), then Alice and Bob will see
their capacity cut in half since only
half of the moves will be hiding data.
But, Wendy’s detection task now be-
comes harder since the covert channel
usage is diluted and dirty moves are
in amongst clean moves. Her accura-
cy will drop from above 95 percent to
below 75 percent when Alice and Bob,
playing random, switch from hiding
data in every move to hiding it in only
half of the moves. If they use a coin that
lands on heads 33 percent of the time,
so that a third of all moves are hiding
data, Wendy’s accuracy drops to 50
percent. This is equivalent to guessing,
meaning Wendy cannot distinguish
between dirty and clean gameplay.
Meanwhile, Alice and Bob realize an
average total capacity of 5.249 bits per
game. This illustrates the tradeoff be-
tween capacity and security. By giving
up some capacity, Alice and Bob can
significantly increase their security
against Wendy, from having almost no
security to having nearly perfect secu-
rity. Note, however, this assumes Wen-
dy does not realize Alice and Bob are
not hiding data in every move. If Wendy
figures out how often their coin lands
on heads, she can adjust her detector
to take that into account and reclaim
some of her advantage. For this reason,
the secret key must include not only
the seed for the random number gen-
erator, but also the parameter which
controls how often the coin lands
on heads. Note, also, that all of this
doesn’t even matter since it assumes
Alice and Bob are playing stupidly
again. If Wendy is checking for stupid
play and Alice and Bob don’t make any
stupid moves (they use either a greedy
or optimal strategy), then Wendy’s ac-
curacy will be no better than guessing
and Alice and Bob will have perfect se-
curity against her, even when they use
all of the available capacity by using ev-
ery move to send data. But, it is worth-
while to know that, should they need it,
they can trade capacity for security.
ARTIFICIAL VERSUS
AUTHENTIC PLAY
Wendy’s task all along has been to
distinguish between gameplay that
is, and is not, used to hide secret data.
An equivalent statement is Wendy is
attempting to distinguish between
gameplay generated by a computer
(artificial gameplay) and gameplay
generated by a human (authentic
gameplay). Authentic gameplay is
clean by definition, since, in order to
hide data in a move, the move is not se-
lected by the human, but rather by the
secret data and the stego-system. It is
impossible for you, a human, to make
the moves you want to make while
at the same time sending the secret
data you need to send. Therefore, if a
move is used to transmit data, then we
know a computer generated the move.
Logically, artificial moves are neces-
sary, but not sufficient, for hiding data
in games. However, because Wendy is
the warden and she makes the rules,
Wendy can decide the only gameplay
allowed is authentic gameplay. That
is, because it is impossible for Wendy
to tell the difference between artifi-
cial and dirty gameplay, she must con-
sider artificial gameplay dirty even if
it is not being used to send secrets. If
Wendy can accurately classify moves
as authentic or artificial, then she can
also accurately classify moves as clean
or dirty.
In artificial intelligence, there is a
name for the task of distinguishing
between an artificial source and an au-
thentic source: the Turing test. Turing
originally formulated the test using
natural language, since humans are
very good at using and understanding
language and computers are, so far,
not that good. Natural language pro-
cessing is a hard AI problem and the
Turing test is effectively the true test
of whether we’ve solved it. What about
51
feature

a Turing test for gameplaying? Can every day. But does a Turing test for After collecting some human game-
you, as a human, play chess against gameplay even make sense? It must, play data for Tic-Tac-Toe, we used it to
an online opponent and determine because that is precisely what Wendy build a classifier for Tic-Tac-Toe game-
whether your opponent is a human needs. She needs to be able to look at a play. Our classifier achieves 95 percent
or a computer? Probably not with ac- conversation between two players who accuracy when shown 10 games for all
curacy anywhere close to the accu- use the language of gameplay and de- six computer strategies that we have
racy with which you could distinguish cide whether they are humans or com- tested so far. So, whether Alice and
between a human and a computer puters. To do this, she needs a better Bob’s stego-system is playing random-
conversational partner. This is likely understanding of how humans play ly, or greedy, or optimal, or a hybrid of
due to the fact that you use language games and what human generated these, Wendy can observe just 10 games
every day but you do not play chess gameplay looks like. and accurately determine whether they
were played by humans or computers.
Trying to send a secret in less than 10
Figure 3. With focused research and development, computer players could defeat games, which still gives Wendy accura-
the best human players at most games, but there are games at which they may cy better than guessing, means Alice can
never be able to beat top humans. While a computer may never become a champion only send a few words to Bob. There’s
at Mao or Calvinball, creating a computer that has the ability to play such games, no hope for Alice to pack more bits into
without boring their human opponent, will be a considerable achievement. There is each game, so, if she needs to send more
more to playing games than simply winning. information, she must increase the
number of games Wendy needs to ob-
serve in order to make a decision.
The next step for Alice and Bob is
to design a strategy that more closely
mimics the actual gameplaying be-
havior of humans, putting them in
the same boat as Wendy. Both sides
want to have the best, most accurate,
model of human gameplaying behav-
ior so that they can generate realistic
gameplay or detect the slight varia-
tions that betray artificially generated
gameplay. In fact, this type of work
has been going on for a long time in
video games, where developers are
continually striving to provide more
realistic non-player characters and
opponents for human players to in-
teract with and play against. But, no
matter what the game, from simple
pen-and-paper games to MMORPGs,
where there is choice, there is infor-
mation; any game can be used to send
secret messages.

Acknowledgment
This research has been supported by
the following grants: NSF CNS-0716398
and NSF CCF-0939370.

Biography
Philip C. Ritchey is a graduate student in the Department
of Computer Science at Purdue University. He is a member
of the Center for Education and Research in Information
Assurance and Security and the Center for the Science of
Information. He received his B.S. in computer engineering
from Texas A&M University in 2008. His research interests
include information assurance and security, interactive
artificial intelligence and machine learning, and
computational models of human problem solving.

Copyright held by Owner/Author(s).

Publication rights licensed to ACM $15.00

52 XRDS • fall 2013 • Vol.20 • No.1

feature

 n Illustrated
A
Primer in
Differential Privacy
The vast amounts of data that are now available provide new opportunities to
social science researchers, but also raise huge privacy concerns for data subjects.
Differential privacy offers a way to balance the needs of both parties. But how?

By Chrisine Task
DOI: 10.1145/2510127

G
ood grief there is data everywhere now, just everywhere! Our governments, our
doctors, our schools, our Web browsers, our social networks, our cameras, our
phones, our cars, our shoes, and now even our glasses can collect reams and reams
of electronic data about us. Storage is cheap, data-ownership is often poorly defined:
There is so much data about you already scattered around the world. You’re aware of this.
If you’ve made it this far in this issue of XRDS, I expect you’re rather alarmed. But, really,
you should be a little excited too. In the hands of social science researchers this data gives us
a real chance at
building a world that

SAVE THE WORLD

Discover Hidden
works. The globe is Links Between
spitting out infor- Illnesses!

mation about itself
all over, it is now
and forever more in
“verbose” mode, and
if we listen, we can
learn something use-
ful. We can begin to
really understand our
world in an objective,
quantitative way, and
we can start to make
it a better place. I
drew you a picture to
give you an idea.
WITH DATA!
Track The Spread
of Disease!
Stop Epidemics!
Medical Records!
Sensitive Data!
Better Understand
Improve
Struggling Families
Location Data! Public
and Communities!
Transportation!
Diagnose Problems
Address
With Failing Students
Traffic
and Schools!
Congestion!

XRDS • fall 2013 • Vol.20 • No.1 53

feature
Sounds awesome right? All ready to
contribute your data? Great! All we
need is your name, age, date of birth,
medical history, financial status,
academic records, drug and alcohol
usage, history of sexual interactions,
list of childhood traumas, social
network accounts, who you call, where
you drive, what you eat….
That doesn’t sound quite so
awesome! In fact, it’s a little scary.
What if your information got into
the wrong hands, like your potential
future employer, your ex-boyfriend, or
the person who approves your home
loan? We’ve got good reason to use
your data, but you’ve got an even bet-
ter one to hang on tight to it. So what
do we do? Well, that’s what this story
is all about.
Of course, like any research in
information assurance, our story is
really a parable about Bob and Amy.
Let’s give our main characters
a proper introduction. Bob is an
undergrad at X University, and Alice
works for a local non-profit.
Bob receives an email from Alice asking
him to participate in a survey. The
survey asks for details about his high
school experience with alcohol and
drugs, and his current grades and
major. It also asks for demographic
information, such as his gender,
birthdate, and the neighborhood
he grew up in. Alice is investigating
potential influences for risk behavior
and how those behaviors can cause self-
destructive cycles. This is foundational
research whose data will be shared
with many other groups to help inform
how intervention programs are
directed and designed. It’s very useful…
but it’s also a very creepy survey. Does
he dare fill it out? What happens when
the study’s results are published;
what if someone used them to find
out his private information? Is he OK
with his potential future employers
knowing that he smoked marijuana
in high school? The past 15 years of
research in privacy preserving data
mining have been spent trying to solve
this problem, but each time a solution
for protecting data is proposed, new
vulnerabilities are found. Let’s have a
little conversation with history.
54
Hi! I have a master’s in CS,
Hi! I’m an undergrad
 nd I’m data analyst for a social
a
CS major. I like writing apps,
welfare non-profit. I like strategy
biking, comics, and I plan to
games, long distance running,
propose to my girlfriend
comics, and my husband and I hope
when we graduate in June!
to buy a house soon!
Bob Bob
Alice Christine Alice Chris
If I fill out your survey, 
how do I know my private
data w  ill be safe?
Oh, it’s OK! You don’t have to put
your name down. Our data set will
be completely anonymous!
But you’ll have my email! And
the exact date and zip code where
I was born.Couldn’t someone
just use those to figure out  Good point! OK, we’ll also black out
which survey’s mine? any “personally identifying information”
like that. We’ll just say you’re in the
18-20 age group, and grew up
somewhere near Nacogdoches, TX.
What about the other data?
What if I’m the only senior CS
major from Texas?
Hmm… Alright, I’ve got it. W
 e’ll make
sure we have at least three of every type
of person… even if we have to add
fake people to the data set. That
So… Jack and his two friends are
the only CS guys from NY, but I think way you can’t be singled out!
all three did pot inhigh school. Your
data-set would hide which of the three
potheads was Jack, but not t hat
Jack did pot.
…Yeah. That’s a problem.
Wait! I have a solution!
Bob Alice Christine
XRDS • fall 2013 • Vol.20 • No.1
 We seem to have a new character. Hi! I’m a CS Ph.D. student studying differential
Let’s give her a proper introduction too. privacy, and I wrote this article! I got my B.S. in math at
Ohio State University, I like hiking and comics, and my
husband and I just moved to DC!
Cynthia Dwork and her colleagues at Microsoft Research
Labs invented differential privacy, but I’m too terrible
at drawing to make a stick figure of her, so I’m here to
explain things in her place.
Bob Alice Christine

There was something said about

a solution to Amy and Bob’s privacy What if we could guarantee that no one would be
problem? able to tell the difference whether or not you submitted
a survey, Bob, no matter what else they knew about you?
Since we only want to learn about big, significant trends in
the data, one person’s information shouldn’t make much
difference to our final conclusions anyway. So rather than
This is an exciting, if somewhat ambigu- publicly publishing the actual anonymized data-set, we’ll
ous, idea! Publishing anonymized data do some aggregation of the data ourselves first (count
Bob Alice
sets is just plain problematic for privacy;
Christine things up) and then publish that instead. We’ll design
there’s always the risk that with the our aggregation method carefully to make sure no single
right outside information, an attacker person can make too much difference to its results, and
could figure out the real names of the an- we’ll add random noise to help cover up the difference they
onymized participants from their data do make. Cynthia Dwork called it “Difference-al” Privacy.
(and as we’ve noted, data is everywhere Wait, no, she used a real word. Differential Privacy!
these days). But what are we using these
anonymized data sets for, anyway? We …Um. OK? How?
perform data-analysis on them to learn
about patterns of behavior in the popu-
lations they represent. So, rather than
just making the whole anonymized data
sets available to the public, perhaps we
can perform some preliminary data-
analysis ourselves and publicly release
the results of that instead. We’ll design
our analysis so it minimizes the differ-
Bob Bob Alice Christine
Alice Ch
ence any single individual can make to
the results, and then we’ll add noise to
help cover up that difference. The end
Two Possible Worlds
result is it will be, with a shiny absolute
Total Difference Bob Makes In Aggregated Survey Results Is 2:
provable mathematical guarantee, very
difficult for an attacker to guess whether 1+1=2
or not any particular person is in the
Survey Results Survey Results
data set.
GPA A B C D/F GPA A B C D/F
So, let’s get started. The first thing HS Alcohol 54 93 98 75 HS Alcohol 55 93 58 35
to do, of course, is define our terms. HS Drugs 27 43 62 43 HS Drugs 28 43 62 43
We keep throwing around the word
HS Neither 152 193 59 18 HS Neither 152 193 59 18
“difference.” What does that mean,
precisely? Well, Alice has decided that
for her preliminary data analysis, No way! Sure!
she’s going to add up all her surveys
into a two-dimensional histogram
comparing high school habits and
university GPA. Let’s look at the
difference that Bob makes in Alice’s
aggregated survey results. Bob Does Not Take the Survey Bob Does Take the Survey

XRDS • fall 2013 • Vol.20 • No.1 55

feature

If Bob decides to fill out a survey, he will answer “yes” to two of the questions (he
had some wild days in his youth), and so he changes two of Alice’s counts by one
each. One plus one is two, and thus we say Bob’s total impact on Alice’s results is
two. If you look at it, you’ll see that in this survey it’s impossible for any person to
affect more than two of the counts. Bob is making the largest possible difference
on the results, so if we can protect Bob, we’ll also protect everyone else in the
data set. We call the largest difference any one person can make on the analysis
results, the “global sensitivity” of the analysis. This is what we need to cover up
with random noise. But how should we go about adding that noise? Alice is going to
sample a random value from the Laplace distribution. (It’s OK. It’s not much more
complicated than rolling dice to get a random number. )

Sampling a Random Noise Value

Six-Sided Die Laplacian Random Variable ( =2)

How? Roll the die. How? Run the script.

Python 2.6 on win 32

>>import
sicpy.stats.distributions as D
>>D.laplace.rvs(0,2)

What happens? What happens?

1, 6, 3, 3, 4, 2, 1, 5, 4, 1, 5, 6, -0.96489…, 0.27056…, 1.97060…, -1.70566…
You get values like these. You get values like these.

What’s the probability distribution look like? What’s the probability distribution look like?
0.3 0.3

0.2 0.2

0.1 0.1

0.0 0.0
–7 –6 –5 –4 –3 –2 –1 0 1 2 3 4 5 6 –7 –6 –5 –4 –3 –2 –1 0 1 2 3 4 5 6

If we add this noise to our true result? If we add this noise to our true result?

If our real 56, with probability (1/6)
answer 57, with probability (1/6)
were 55, 58, with probability (1/6)
we’d get: 59, with probability (1/6)
60, with probability (1/6)
61, with probability (1/6)
If our real A value between 50 and 60,
answer with 92% probability
were 55, A value greater than 60,
we’d get: with 4% probability
A value less than 50,
with 4% probability

56 XRDS • fall 2013 • Vol.20 • No.1

Now that Alice has aggregated her survey results, she’s figured out how much
difference someone can make in the results, and she’s going to add Laplacian noise
to cover that difference up. We’re all set for the big finish.

Differential Privacy in Action!

Alice will take the aggregated results from her survey about GPA and high school
substance use, and add Laplacian random noise to each of the twelve counts in order
to privatized them. Differential Privacy in Action!
Alice will take the aggregated results from her survey about GPA and high school
Consider the
substance first
use, andcount in Alice’s random noise to each of the twelve counts in order
add Laplacian
survey results: The number of 0.25
to privatized them.
people who both drank in high 0.2
school and get A’s in college. If
Consider 0.15
Bob takesthe thefirst count
survey , thatin Alice’s
count
survey results: The number
will be will 55. Alice is going to of 0.25
0.10
people who both
pick a random drank from
number in highthe 0.2
0.05
school
Laplaceand get A’s in college.
distribution to add toIf 0.15
0.0
Bob takes the
the count, survey, that
privatizing it. Thecount
will be will 55. Alice is going to 0.1045 47 49 51 53 55 57 59 61 63 65
probability distribution of the
pick a random number
randomly privatized count will from the 0.05
Laplace
look like distribution
this. to add to
0.0
the count, privatizing it. The
45 47 49 51 53 55 57 59 61 63 65
probability distribution of the
If Bob doesn’t take the survey,
randomly privatized count will 0.25
then Alice’s results will show
look like this. 0.2
that 54 people drank in high
school and got A’s in college. 0.15
If
InBob
thatdoesn’t
case, thetake the survey,
probability
0.25
0.10
then Alice’s results
distribution for the will show
privatized
that
count 54will
people drank
look like thisin (See,
high it’s 0.05
0.2
school Differential privacy provides a
shiftedand justgot A’s bit
a tiny in college.
to the left, 0.0
0.15
In
sothat case, the
the mean’s at probability
54) 45 47 49 51 53 55 57 59 61 63 65 mathematical guarantee that for any
0.10 privatized result R and any two data
distribution for the privatized
count will look like this (See, it’s 0.05 sets—D1, D2—that differ by one per-
shifted
Bob makes just a tiny bit to the left, 0.0 Alice privatizes son (like Bob), the probability R came
so
histhe mean’s at 54)
decision! I’ve made my decision.45 47 49 51 53 55 57 59 her 61 63 65
results! from D1 will always be in a close ratio
 ee you later, Alice. Good
S to the probability R came from D2. I’ve
luck with your research! Thanks for your time, Bob.
skipped over the math here, but I’m a
Bob makes LoOKs like my first p
 rivatized Alice privatizes
count is 56.3465!
math-major at heart and I’ve gone over
his decision! her results!
some more of it in loving detail at my
website, http://www.cs.purdue.edu/
homes/ctask/. The world has a lot of
data now, and like any powerful thing,
So did Bob decide to submit a survey or not?
that produces both benefits and dan-
gers. But as long as there are people
Bob
Privatized Result: 56.3465 Alice BobChristine Alice Christine
working hard to combat those dangers,
So did Bob decide to submit a survey or not?
Probability that the privatized things will get better. We hope that dif-
0.25 count came from the possible world ferential privacy will be one tool to help
0.2
Privatized Result: 56.3465 where Bob took the survey : 62% teach the era of big data how to use its
0.15 powers for good.
Probability that
Probability that the
it came from the
privatized
0.10
0.25 possible
count world
came where
from the Bob didn’t
possible take
world Biography
0.05
0.2 the survey:
where 38%the survey : 62%
Bob took Christine Task is a Ph.D. candidate at Purdue University
0.0 researching differentially private social network analysis.
0.15
45 47 49 51 53 55 57 59 61 Probability
63 65 that it came from the She has a B.S. in theoretical mathematics, an M.S. in
0.10 possible world where Bob didn’t take computer science, and five years experience teaching
undergraduate discrete math (often in terms of pirates
0.05 the survey: 38% and beer). She eagerly anticipates graduation and, with
We’re not telling. That’s private. luck, a research career taming the chaos of the world with
0.0 the power of mathematics.
45 47 49 51 53 55 57 59 61 63 65
Copyright held by Owner/Author(s).
We’re not telling. That’s private. Publication rights licensed to ACM $15.00

XRDS • fall 2013 • Vol.20 • No.1 57

feature

Cynthia Dwork
on Differential Privacy
Distinguished Scientist at Microsoft Research, Dr. Cynthia Dwork,
provides a first-hand look at the basics of differential privacy.

By Michael Zuba
DOI: 10.1145/2510128

L
arge-scale statistical databases, specifically those that contain aggregate information
about a population, are becoming an ever-important resource in our world. These
databases are valuable assets to researchers, businesses, and governments. Researchers
can use them to try and discover commonalities in a population for diseases, business
can use them to understand how to effectively market their products and services, and
governments are provided with knowledge about their citizens. Differential privacy techniques
are applied to these databases in order to minimize the risk of a person or group being able
to associate information in these data- MZ: What inspired the idea of individual that the adversary could have
bases with a specific person. Differential differential privacy? learned without interacting with the
privacy is essentially a “definition” database. But this leads to problems
of privacy for statistical databases. CD: Differential privacy was inspired by whenever the database is actually
In this interview, Dr. Cynthia Dwork shares two negative theoretical results. The useful: If the adversary is from Mars
with us a first-hand look at this emerging first showed that, roughly speaking, and believes that all humans have two
topic of differential privacy. “overly accurate” answers to “too left feet, and the adversary then learns
many” questions is completely NON- from the statistical database that
Michael Zuba: For those who are not private. In this particular case, “overly almost all humans have one left food
in the domain, how would you explain accurate” meant something like and one right foot, then the adversary
differential privacy? “accurate to within smaller than the has learned something about me (and
sampling error” and “too many” was about most humans) not learnable by a
Cynthia Dwork: Differential privacy is roughly the number of people in the Martian without access to the database.
a guarantee, made by a data curator to a data set. But if the data set is ver y Should this be viewed as a violation
data owner: No additional harm (or benefit) large—Internet scale—then asking of my privacy? The whole point of
will come to you as a result of permitting this many questions is probably statistical databases is to learn about
your data to be used in a statistical study. impractical. This suggested an the population as a whole, meaning that
In a little more detail, differential privacy investigation of what can be achieved learning facts about the population,
is a mathematical statement about a data if the number of questions is cur tailed, such as “smoking causes cancer in
analysis algorithm, which in English says which quickly led to a precursor of humans,” is actually the goal. So instead
that the outcome of any analysis is differential privacy. we ask that the adversary learn no MORE
essentially equally likely to be observed, The second negative result about me than the adversary would have
independent of whether any individual concerned mathematical definitions learned were I not in the database. And
or small group of individuals opts into or of privacy. One way to try to define that’s exactly differential privacy.
opts out of the data set. The probability privacy is to say that an adversary,
in “equally likely” is over random choices interacting with a privacy-preserving MZ: Can you give some examples of where
made by the algorithm. database, learns nothing about an differential privacy could be used?

58 XRDS • fall 2013 • Vol.20 • No.1

CD: Differential privacy is best suited to
large data sets. Analysis of census data
has always been a motivating example
for me; other favorite examples including
monitoring of over-the-counter drug
sales for early detection of epidemics and
recently I have been thinking of differential
privacy for analysis of smart meter data.
MZ: How about a real world example of
where differential privacy is currently
being used?
CD: OnTheMap from the U.S. Census
Bureau; http://onthemap.ces.census.gov/.
[Editor’s Note: For our readers who are
unfamiliar with OnTheMap, it is a Web-
based mapping and reporting application
developed by the U.S. Census Bureau. It
is used to show where workers live and
are employed, reports on age, earnings,
industry distributions, race, ethnicity,
and sex. Its main purpose is to provide an
easy-to-use interface for creating and
viewing workforce related data.]
MZ: What are the current big differential
privacy challenges?
CD: On the technical side, there are
algorithmic challenges of efficiency and
accuracy. There are also social challenges:
Can researchers accustomed to working
with raw data adapt to a setting in which
access is through a differentially private
mechanism?
MZ: Where do you see differential privacy
in five or 10 years?
CD: I certainly expect continued
theoretical and experimental
investigations into what can be achieved
with differential privacy and a deeper
understanding of its connections to other
fields, such as statistics, game theory
and machine learning. My hope is that
differential privacy can democratize
research, giving to members of the public
who are not “credentialed researchers”
the ability to learn about the population
XRDS • fall 2013 • Vol.20 • No.1
as a whole, much as can now be achieved
via the U.S. Census Bureau’s OnTheMap
website. As data sources become
increasingly detailed—think of smart
meter data—we may move away from
the traditional data enclave approach for
enabling researchers to access sensitive
information. In this case, differential
privacy may provide a useful alternative to
traditional methods.
MZ: Do you have any advice for
students who are looking to get into
privacy research?
CD: Distrust your intuition and pay
attention to definitions! Study the
methodology of modern cryptography,
for example, the definitions of security
for digital signatures in the SIAM 1988
paper of Goldwasser, Micali, and Rivest.
Read privacy papers to see how the
authors formulate the privacy goals.
Notice how the adversary and its goals
are formalized—if at all—and the
assumptions about the information
and computational power to which
the adversary has access. Are the
assumptions reasonable? See what the
authors prove (or what you can prove)
about the resilience of any proposed
scheme to adversaries of this type. Study
the literature on privacy “breaks” with
these things in mind.
MZ: What areas or techniques should
students really hone their skills on to be a
good privacy researcher?
CD: I am amazed at the range of areas
in cryptography, theoretical computer
science, mathematics, statistics, and
probability that have been brought
to bear on differential privacy. To this day,
I am inspired by the works of Goldwasser
and Micali from the 1980s (semantic
security, digital signatures and zero-
knowledge); and I would start there.
A good understanding of random
variables and concentration bounds
is extremely valuable.
Biography
Michael Zuba is a Ph.D. candidate at the University of
Connecticut. His research is on underwater acoustic
communication and networking. He is the recipient of
an NSF EAPSI fellowship and a Department of Education
GAANN fellowship in advanced computing.
© 2013 ACM 1529-4972/13/09 $15.00
59
 profile   Department Editor, Adrian Scoică
Jessica Staddon
Managing Google’s
Privacy Research
DOI: 10.1145/2517256
As we witness
questions regarding the
secrecy of our emails
and voice calls break
loose into the realm of
politics, little attention
is paid to the researchers and engineers
who bear the burden of keeping our
digital estates safe from prying eyes. We
sat down with Jessica Staddon, privacy
research manager at Google, who offers
rare insight into what it takes to become a
privacy scientist for one the world’s best-
known software companies.
Staddon’s research career path
started out in security. In the years
preceding the dot-com bubble, she
was a Ph.D. candidate in Berkeley’s
Mathematics Department, working on
the management of encryption keys. “I
was drawn to mathematics because I
was really interested in problems that are
easy to describe; you don’t need a lot of
terminology or background to state the
problems, but they are very hard to solve.”
After being awarded her Ph.D., she
sought a broader work scope. Staddon
joined RSA Labs, then first moved on to
Bell Labs, and later to Xerox PARC before
finally joining Google in 2010. Each time,
she said, her interdisciplinary outlook
on computer science expanded, and she
was exposed to increasingly dynamic and
exciting work environments.
It was during the mid 2000s that
her prior work in a progressively
interdisciplinary applied research
environment allowed her to recognize
the emerging field of privacy and
consequently shift her research interests
from security. She recalls “people
started realizing that although privacy
and security are related, they are not
the same thing.” Once she started
focusing on privacy, she witnessed the
establishment of the field, as we know it
60
today, with the introduction of numerous
DARPA and IARPA programs as significant
historical milestones. “A lot of the work
was in data mining and pattern detection,
maybe identifying potential terrorists, but
there was also this increasing awareness
that this needed to be paired with we
needed to protect the privacy of the users
in some way, in addition to finding those
aggregate patterns.” It was through this
quest for safeguarding user privacy that
inference detection was developed, which
she proudly acknowledged as the most
evolved of her scientific contributions.
Staddon describes Google as
“the epitome” of applied research
environments. “Google is a fantastic place
to work on privacy. It really values the
work tremendously, it is really concerned
about privacy as a problem area, and...
from personal experience, it has sort of a
broader sense of what it takes to tackle
privacy.” With Google under constant
public pressure to maintain impeccable
privacy standards, I wanted to know what
she thought were the most rewarding
aspects of her job.
“First, I think I would put the impact
out there,” she replied. “I never feel
that I’m going to come to work and not
make any difference. A lot of places have
these sort of active research labs, where
researchers have a lot of interesting
ideas, but the technology transfer
never happens. PARC has a tradition for
great ideas that the consumer actually
never gets to see, because they are not
productionalized. It is simply not an
issue at Google. Here, research is very
embedded, and technology transfer
happens as part of your job.” Secondly,
she expressed a deep appreciation toward
her colleagues, who create an inspiring
and engaging work environment within
the company culture.
Despite not having remained in
academia after her Ph.D., her constant
stream of publications throughout the
years serves to dispel the myth that
working in the industry rarely gets you
published. This fear of lack of visibility
intimidates countless young researchers
each year. “It is hard to imagine while
you are in grad school, that there are
other ways to have impact on the world
which are not publication-oriented,”
commented Staddon, adding she strongly
encourages grad students to find other
ways to have impact on the world. “Here at
Google, you develop something and it can
go on to a product that millions of users
experience all the time. So the research
is more oriented towards user impact
and product impact, with publications
being an offshoot of that, as opposed
to the main goal. However, publishing is
understood to be an important part of the
job,” she reassured me.
Looking back on her career, the
importance of a broad scientific outlook
easily stands out as valuable advice for
emerging privacy researchers. “Certainly
in privacy, it is often the case that ideas
which are really established and second
nature in other disciplines can really have
an impact. ” It is no wonder that in the light
of the recent NSA scandal, she believes
intensified media attention will prove
healthy to research and help invigorate
progress. “I do think that for research,
overall that’s a good thing, with different
corners of the world all thinking about this
issue. I would like to see the discussion
even broader than it is, actually. In the
sense that these conversations cause
more people to think about these things,
I do think that it’s valuable.”
© 2013 ACM 1529-4972/13/09 $15.00
XRDS • fall 2013 • Vol.20 • No.1
h t tp: // w w w. ac m.or g /dl
end
labz
CyLab Usable Privacy
and Security Laboratory
Pittsburgh, PA
T
he recent spying disclosures
from Edward Snowden are
just the latest front of a long-
standing debate within our
society. As we struggle to balance
computer security, privacy, and the
public good, a research lab at Carn-
egie Mellon University remains dedi-
cated to addressing the broad array of
challenges collectively called “usable
privacy and security.”
The CyLab Usable Privacy and Secu-
rity Laboratory (CUPS) brings together
a diverse team of researchers includ-
ing computer scientists, engineers,
public policy experts, and economists
at Carnegie Mellon University. The
director of CUPS is Professor Lorrie
Faith Cranor, who is a faculty member
at both the Institute for Software Re-
search in the School of Computer Sci-
ence and the Engineering and Public
Policy department of the College of
Engineering.
Researchers work on issues at the
convergence of security, privacy, and
usability. One example of the research
conducted at CUPS is an ongoing
passwords project. Passwords are be-
coming increasingly ubiquitous as we
entrust them with more and more of
our data. They are often the only bar-
rier keeping out a potential attacker.
Researchers at CUPS are investigating
how to provide policies and guidance
for users creating passwords. The goal
is for organizations to be able to give
their users guidelines that lead to se-
cure yet memorable passwords. CUPS
password research has ranged from
62
in-person surveys to Mechanical Turk
studies with 12,000 participants. Re-
searchers at CUPS have also explored
how to measure and compare the
strength of passwords in a meaning-
ful way, and this work has included the
development of a technique to deter-
mine when a given password-cracking
algorithm would crack a given pass-
word in much less time than actually
running the algorithm.
Another arm of CUPS research in-
volves understanding how users make
privacy decisions, specifically looking
at whether website privacy policies
can be presented in a more human-
readable form—such as using a design
inspired by food nutrition labels. Re-
cent work has examined what leads
CUPS seeks
to navigate
the increasingly
complex space
of computer
security and
privacy in order
to help users
be more secure
and better able
to make privacy
decisions.
Twitter users to regret their posts, and
whether a proposed set of data-shar-
ing categories for smartphone apps is
consistently understood by users. In
each of these cases, CUPS researchers
are interested in how computer users
think and make decisions, in order to
help those users make better, more in-
formed choices.
CUPS is also actively engaged in re-
search to gain a better understanding
of how the practice of online behavior-
al advertising affects user privacy. In
online behavioral advertising, compa-
nies track users online to show them
targeted ads. What options do adver-
tising companies provide for users
not to be tracked? Can users manage
to use the available options to protect
their privacy? Are online advertisers
following their own disclosure rules?
These are among the questions CUPS
lab members have addressed through
this research.
CUPS researchers have delved into
many other areas as well. Work has
examined how users react to different
computer warnings, such as the warn-
ings browsers display when a user at-
tempts to navigate to a website with an
invalid certificate. Other areas of inter-
est include looking at how users man-
age the data and files on their devices
in the home environment. Still other
work has investigated how to train us-
ers to avoid phishing attacks. The re-
searchers working on that project de-
veloped an online training game and
other anti-phishing tools. They ended
up starting a company called Wombat
Security to commercialize these tools
and sell them to companies around
the world to train their employees.
Students contribute meaningfully
to all phases of CUPS research. With
faculty guidance, students take part in
creating and developing study instru-
ments and software, gathering data,
performing data analysis, and writing
up the results for publication. In fact,
many research projects within CUPS
XRDS • fall 2013 • Vol.20 • No.1

have their roots in student ideas and
class projects.
The latest news from CUPS is that
many of its faculty are collaborating
to offer a unique master’s degree for
privacy engineers. Called the Master
of Science in Information Technology-
Privacy Engineering, this degree is
offered jointly through Carnegie
Mellon University’s School of Com-
puter Science and College of En-
gineering. The one-year graduate
program is intended to prepare its
students to create and develop sys-
tems to protect user privacy through
a combination of classes on privacy
and security and a practical hands-on
capstone project. The first class in this
program began Fall 2013.
As you can see, the CUPS lab is
engaged in many different strands
of research. These diverse projects,
however, all share a common ob-
XRDS • fall 2013 • Vol.20 • No.1
Internet Explorer is the only
browser that ships with the
Do Not Track HTTP header
enabled by default.
jective: CUPS seeks to navigate the Researchers from the CyLab Usable
increasingly complex space of com- Privacy and Security Laboratory at CMU.
puter security and privacy in order to
help users be more secure and better
able to make privacy decisions. CUPS
research also influences public policy
makers. CUPS faculty members have
been invited to testify at Congressio-
nal hearings and are regularly called
upon to advise U.S. federal agencies
on privacy issues. Further, CUPS re-
search is published at the top secu-
rity and human-computer interaction
conferences, as well as at SOUPS, the
Symposium On Usable Privacy and
Security, which was founded by CUPS
director Lorrie Faith Cranor.
Biography
Rich Shay is a Ph.D. student at Carnegie Mellon University
in the School of Computer Science. He conducts research
on usable privacy and security. His current research
focuses on password-composition policies, as well as
online privacy and online behavioral advertising.
63
CACM_TACCESS_one-third_page_vertical:Layout 1
ACM
Transactions on
Accessible
Computing
◆ ◆ ◆ ◆ ◆
This quarterly publication is a
quarterly journal that publishes
refereed articles addressing issues
of computing as it impacts the
lives of people with disabilities.
The journal will be of particular
interest to SIGACCESS members
and delegrates to its affiliated
conference (i.e., ASSETS), as well
as other international accessibility
conferences.
◆ ◆ ◆ ◆ ◆
www.acm.org/taccess
www.acm.org/subscribe
64
6/9/09 1:04 PM Page 1
European regulators have forced
Facebook to stop running facial
recognition software on photos
uploaded by users.
back
WLAN Security
It is entirely likely that you, reader, are within 10 feet of a device that can
communicate on a wireless local area network (WLAN). Perhaps there is even
one in your hand or pocket right now. It’s no big surprise that much of the world
is becoming absolutely inundated with such devices, and it’s been a long time
coming. With such a drastic increase in the number of these devices, however,
comes a drastic increase in the amount of private information that is broadcast
on radio waves for anyone who is willing to listen. Fortunately, we have ways of
protecting this information, but it hasn’t always been so secure.
The first wireless network was developed by Dr. Norman Abramson at the
University of Hawaii. It was called ALOHAnet and included seven computers
across four islands. ALOHAnet pioneered a lot of interesting technology and
some ideas that are in use today, but most modern WLANs are implemented
using the IEEE 802.11 standards. The first of these was released in 1997 and
included a clause describing Wired Equivalency Privacy (WEP). WEP used the
RC4 stream cipher for encryption and a 24-bit initialization vector. The way WEP
uses RC4 and the short initialization vector, however, was shown to be exploitable
in 2001 by Scott Fluhrer, Itsik Mantin, and Adi Shamir. This fact, along with
further demonstrated exploits, led to the development of Wi-Fi Protected Access
(WPA) and Wi-Fi Protected Access II (WPA2). WPA was meant to be a temporary
replacement for WEP until WPA2 became available in 2004 as part of the 802.11i
amendment. It implemented much of the 802.11i amendment and adopted
the Temporal Key Integrity Protocol (TKIP), which generates a new key for each
packet. This made WPA secure from the types of attacks that had previously
plagued WEP. WPA2 went further and introduced the Counter Cipher Mode and
Block Chaining Message Authentication Code Protocol (CCMP) based on the
Advanced Encryption Standard (AES) block cipher. The ratification of the 802.11i
draft standard, which marked the release of WPA2, also officially deprecated
WEP. A security flaw was revealed in 2011 for routers that had the Wi-Fi Protected
Setup (WPS) feature enabled, but WPA2 is still far more secure than other options
Wireless network (left) by Porao. Linksys router by Jonathan Zander (Digon3).
and is still in common use. —Finn Kuusisto
WEP WPA2
Base Standard 802.11 - 1997 802.11 - 2007
Year Introduced 1997 2004
Year Deprecated 2004 —
Superseded — WPA
Cipher RC4 AES
Cipher Type Stream Block
Routers with Wi-Fi Protected Setup
Flaws Multiple
feature enabled are vulnerable
XRDS • fall 2013 • Vol.20 • No.1
 hello world

Zero-Knowledge Proofs
BY Marinka Zitnik

A
zero-knowledge proof allows
one person to convince an-
other person of some state-
ment without revealing any
information about the proof other than
the fact that the statement is indeed
true. Zero-knowledge proofs are of
practical and theoretical interests in
cryptography and mathematics. They
achieve a seemingly contradictory goal
of proving a statement without reveal-
ing it. We will describe the interactive
proof systems and some implica-
tions that zero-knowledge proofs
have on the complexity theory. We will
then conclude with an application of
zero-knowledge proofs in cryptog-
raphy, the Fiat-Shamir identification
protocol, which is the basis of current
zero-knowledge entity authentication
schemes.

Interactive Proof Systems

Definition 1: Definitions of parties participating in Fiat-Shamir identification We first give an overview of an
protocol in Python. interactive proof system. There are
two participants in the system, Peggy
from fractions import gcd and Victor. Peggy is the “prover” and
from numpy.random import random_integers Victor is the “ verifier.” Peggy knows a
fact and she wishes to communicate to
class Prover():
Victor she knows it without revealing
def __init__(self, tc, s):
it. We can think of Peggy and Victor
assert gcd(s, tc.n) == 1, ‘Secret s and n are not coprime.’
self.n = tc.n as being probabilistic algorithms that
self.__s = s communicate to each other through a
tc.set_up((self.__s**2)%self.n) communication channel. Initially, they
both possess some input object (i.e. a
def generate(self): graph representation). The objective is
self.r = random_integers(1, self.n-1) for Peggy to convince Victor that this
x = (self.r**2)%self.n
object has a specified property, i.e.
return x
that it is a yes-instance of a particular
def response(self, e): decision problem. For instance,
y = (self.r*self.__s)%self.n if e else self.r we could ask if the given graph is
return y isomorphic to another graph [1] or if a
given graph is 3-colorable [1].
class Verifier(): The interactive proof is a challenge
def __init__(self, tc): and response protocol that consists
self.tc = tc
of a number of iterations. In each
def set_up(self, x): iteration Peggy and Victor do the
self.x = x following: (1) Victor challenges Peggy
with a problem instance, (2) Peggy
def challenge(self): performs some private computation,
self.e = random_integers(0, 1) and (3) she sends a response to
return self.e Victor. At the end of the proof, Victor
either accepts or rejects, depending
def verify(self, y):
on whether or not Peggy successfully
test = (self.x*self.tc.v**self.e)%self.tc.n
if y==0 or (y**2)%self.tc.n != test: replies to all of Victor’s challenges.
return False Interactive proof systems have to be
return True sound and complete [1]. A proof is
complete if honest Victor will always
class TrustedCenter(): be convinced of a true statement by
def __init__(self, n): honest Peggy. It is sound, if cheating
self.n = n Peggy can convince honest Victor that
the same false statement is actually
def set_up(self, v):
self.v = v true with only a small probability.
A zero-knowledge proof is an
interesting type of an interactive proof.

XRDS • fall 2013 • Vol.20 • No.1 65

 ACM’s This is one in which Victor, at the
end of the proof, still has no idea

Career & Job Center

of how to prove by himself that an
object has a property of interest.
Readers can find a formal definition
of the zero-knowledge strategy in
Looking for your next IT job? Cryptography: Theory and Practice
and “Definitions and Properties of
Need Career Advice? Zero-knowledge Proof Systems” by
Goldreich and Oren [1, 2].

Visit ACM’s Career & Job Center at: Fiat-Shamir Identification Protocol
Zero-knowledge proofs in cryptog-
raphy have natural applications for

http://jobs.acm.org entity authentication. We assume

Peggy possesses some secret s
that only she can know. She proves
Offering a host of career-enhancing benefits: to Victor she is indeed Peggy
by proving she possesses that
secret. Obviously she wants to do
➜ A highly targeted focus on job opportunities in so without revealing the secret to
the computing industry any eavesdropper. The Fiat-Shamir
identification protocol [3] serves
➜ Access to hundreds of corporate job postings as the basis of modern zero-knowl-
edge identification protocols, such
as Feige-Fiat-Shamir and Guillou-
➜ Resume posting keeping you connected to the
Quisquater schemes.
employment market while letting you maintain Three parties (see Definition 1)
full control over your confidential information participate in the protocol, which
consists of two phases: initialization
➜ An advanced Job Alert system notifies you of and identification (see Definition 2).
In initialization a trusted center
new opportunities matching your criteria selects two primes p and q , keeps
them secret and publishes the n=pq .
➜ Career coaching and guidance from trained Then Peggy selects a secret number
experts dedicated to your success s that is coprime to n , computes
v = s 2 mod n and registers v with
trusted center as her public key.
➜ A content library of the best career articles
The identification phase is repeated
compiled from hundreds of sources, and much t times and if Victor successfully
more! completes all t iterations, he
accepts. In each iteration, Peggy
chooses a random r and sends
x = r2 mod n to Victor. Then Victor
The ACM Career & Job Center is the perfect place to randomly selects a bit b and sends it
begin searching for your next employment opportunity! to Peggy. She privately computes y = r
(if b =0) or y = rs (if b =1) and sends y

http://jobs.acm.org to Victor. Finally, Victor rejects if y =0

or if y 2 ≡
/ x v b (mod n).
The Fiat-Shamir protocol is
complete because honest Peggy
can always correctly provide
Victor with y based on bit b that
he selected. Therefore, honest
Victor will successfully complete
all t iterations and will accept with

CareerCenter_TwoThird_Ad.indd
66 1 4/3/12 1:38 PM XRDS • fall 2013 • Vol.20 • No.1
 probability 1. If Peggy (or an impostor)
does not possess the secret s , then
she can provide only a random guess
of y = r or y = rs . Honest Victor will
reject with probability ½ in every
iteration. That implies an overall
probability of 2–t that cheating Peggy
will not be caught and as a result the
Fiat-Shamir protocol is sound. The
Fiat-Shamir scheme also upholds the
property of zero-knowledge. The only
information revealed in each round is
the x and y. Such pairs (x ,y) could be
simulated by choosing y randomly and
then computing the corresponding
x . These pairs are computationally
indistinguishable from pairs generated
by the protocol.
Definition 1 is a straight-forward
implementation of the described Fiat-
Shamir identification protocol. Let see
an example with p =7 and q =5. Then
n =35 and n is published to a trusted
center. Let assume Peggy secretly
chooses s =16, which is coprime to
35. She publishes v =11 to the trusted
center. Victor requires 10 successful
rounds of the protocol in order for him
to accept (see Definition 3).
Zero-Knowledge Proofs
and NP Complexity Class
Zero-knowledge proofs exist for
decision problems, such as graph
isomorphism, 3-colorability, quadratic
residuosity, and non-residuosity.
Readers would now ask, for which
problems can we design zero-
knowledge proofs. Powerful and
general result exists [4] that informally
say that any language for which
membership can be efficiently verified
Definition 2: Initialization and identification phases of Fiat-Shamir
identification protocol in Python.
def fiat_shamir_initialization(n, s):
tc = TrustedCenter(n)
peggy = Prover(tc, s)
return tc, peggy
def fiat_shamir_identification(t, tc, peggy):
victor = Verifier(tc)
for _ in xrange(t):
victor.set_up(peggy.generate())
c = victor.verify(peggy.response(victor.challenge()))
if not c:
print ‘Reject’
return
print ‘Accept’
Definition 3: An example run of the Fiat-Shamir identification protocol.
Suppose the trusted center selects an RSA-like modulus n=35, Peggy secretly
chooses s=16, and Victor requires t=10 successful iterations of the protocol.
>>> tc, peggy = fiat_shamir_initialization(35, 16)
>>> fiat_shamir_identification(10, tc, peggy)
Accept
cheating. At the outset of the game, that she did the work. This is an
parties commit to the secret inputs NP-statement since the work is a
and random coins of the prescribed valid witness, which Alice has in her
tools they are supposed to use. They possession. Bob will believe the proof,
then carry out the game procedures but he will not be able to convincingly
and with each output message they transfer the transcript of that proof
prove to each other in zero-knowledge to anybody else. For all we know,
that the message was honestly Bob could have created the encoded
obtained under the committed inputs transcript of the homework on his own
and random coins. Properties of zero- by running a simulator. In other words,
knowledge systems guarantee us that Alice’s proof is deniable, in that she can
participants have to act honestly in plausibly claim she was not responsible
order to be able to provide a valid proof for producing it.
(i.e. soundness) and the proofs cannot
compromise the privacy of their secret References

can be proved in zero-knowledge. Zero-
knowledge proofs exist for all problems
in NP, provided that one-way functions
exist. That result is utilized for the
design of cryptographic protocols,
because it enforces parties to behave
according to predetermined standards.
Conclusion
Zero-knowledge proofs have some
fascinating applications. We might
use them to enforce honest behavior.
For instance, parties in an interactive
game could prove they are not
inputs (i.e. zero-knowledge).
Zero-knowledge systems are useful
to assure deniability and prevent
unwanted transfer of information.
Suppose Alice wants to prove her
classmate Bob that she did her essay
homework. One way to do this is for
Alice to show her homework to Bob.
However, what if Bob is ignorant and
wants to cheat by copying Alice’s
essay? The problem is an essay
identifying Alice as an author is
transferable. Instead, Alice should
prove to Bob using zero-knowledge
[1] Stinson, D. R. Cryptography: Theory and Practice.
Chapman & Hall, Boca Raton, FL, 2005.
[2] Oded Goldreich and Yair Oren. Definitions and
properties of zero-knowledge proof systems.
Journal of Cryptology, 7, 1 (1994), 1-32.
[3] Fiat, A. and Shamir, A. How to prove yourself:
practical solutions to identification and signature
problems. Advances in Cryptology-Crypto’86 ,
(1987), 186-194.
[4] Goldreich, O., Micali, S., and Wigderson, A. Proofs
that yield nothing but their validity or all languages in
NP have zero-knowledge proof systems. Journal of
the ACM , 38, 3 (1991), 690-728.
© 2013 ACM 1529-4972/13/09 $15.00

XRDS • fall 2013 • Vol.20 • No.1 67

end

Events The World Security Summit 2013 Third International Conference

(WSS 2013) on Computer Science and Network
conferences Global Lanka Technology (ICCSNT 2013)
Colombo, Sri Lanka Dalian Jiaotong University
Second Nordic Symposium on Cloud September 11-13, 2013 Dalian, China
Computing & Internet Technologies http://www.asdf-wss.org/ October 12-13, 2013
(NORDICLOUD 2013) http://www.iccsnt.org/
SINTEF ICT Eighth International Workshop on
Oslo, Norway Data Privacy Management (DPM 2013) Visualization for Cyber Security
September 1-3, 2013 Royal Holloway, University of London (VizSec 2013)
http://nordicloud.net/ Egham, UK Marriott Marquis Hotel
September 12-13, 2013 Atlanta, GA
Fifth Latin American Conference http://research.icbnet.ntua.gr/ October 14, 2013
on Networked and Electronic Media DPM2013/ http://vizsec.org/
(LACNEM 2013)
Manizales, Colombia Central European Conference on First IEEE Conference on
September 1-4, 2013 Information and Intelligent Systems Communications and Network
http://lacnem.org/ (CECIIS 2013) Security (IEEE CNS 2013)
Varazdin, Croatia Washington D.C.
International Conference on September 18-20, 2013 October 14-16, 2013
Availability, Reliability and Security http://ceciis.foi.hr/app/index.php/ http://www.ieee-cns.org/
(ARES 2013) ceciis/2013
University of Regensburg Ninth International Conference on
Regensburg, Germany Sixth Balkan Conference Network and Service Management
September 2-6, 2013 in Informatics (BCI 2013) (CNSM 2013)
http://www.ares-conference.eu/conf/ The Met Hotel Swissotel Zurich
Thessaloniki, Greece Zurich, Switzerland
Federated Conference on Computer September 19-21, 2013 October 14-18, 2013
Science and Information Systems http://bci2013.bci-conferences.org/ http://www.cnsm-conf.org/2013/index.
(FedCSIS) index.php html
AGH University of Science and
Technology The Second International Conference The Ninth International Conference
Krakow, Poland on Informatics & Applications on Intelligent Information Hiding and
September 8-11, 2013 (ICIA 2013) Multimedia Signal Processing (IIH-
http://fedcsis.org/ Technical University of Lodz MSP 2013)
Lodz, Poland Beijing University of Technology
On the Move 2013 September 23-25, 2013 Beijing, China
Graz, Austria http://sdiwc.net/conferences/2013/ October 16-18, 2013
September 9-13, 2013 icia2013/ http://www.bjut.edu.cn/college/dzxxkz/
http://www.onthemove-conferences.org/ iihmsp13/
International Conference on Advanced
The 18 European Symposium on
th Computer Science and Information Ninth IEEE International Conference
Research in Computer Security Systems (ICACSIS 2013) on Collaborative Computing:
(ESORICS 2013) Pullman Bali Legian Nirwana Networking, Applications and
Royal Holloway, University of London Bali, Indonesia Worksharing
Egham, UK September 28-29, 2013 Hilton Austin
September 9-13, 2013 http://icacsis.cs.ui.ac.id/index.php/ Austin, TX
http://esorics2013.isg.rhul.ac.uk/ icacsis2013/ICACSIS2013 October 20-23, 2013
http://collaboratecom.org/2013/
Security and Trust The Seventh International Conference show/home
Management 2013 (STM 2013) on Application of Information and
Egham, UK Communication Technologies The 38th IEEE Conference on Local
September 9-13, 2013 (AICT 2013) Computer Networks (LCN 2013)
https://sites.google.com/site/ Technical University of Lodz Novotel Central Sydney
sectrustmgmt2013/Home Baku, Azerbaijan Sydney, Australia
October 9-11, 2013 October 21-24, 2013
http://www.aict. http://www.ieeelcn.org/index.html
info/2013/#sthash.058BBz4T.dpbs

68 XRDS • fall 2013 • Vol.20 • No.1

 19th International Conference IEEE International Workshop on
on Advanced Computing and Information Forensics and Security featured event
Communications (ADCOM 2013) (WIFS 2013)
Indian Institute of Technology Chime Long Hotel
Chennai, India Guangzhou, China
October 21-25, 2013 November 18-21, 2013
http://accsindia.org/accs-adcom-2013. http://www.wifs13.org/index.asp#.
html UbCG_dI9FLE

Eighth IEEE Workshop on Network Australasian Telecommunication

Security (WNS) Networks & Applications Conference
Sydney, Australia (ATNAC 2013)
October 24, 2013 The Chateau on the Park
http://wns-lcn2013.conference.nicta. Christchurch, New Zealand
com.au/ November 20-22, 2013
http://www.atnac.org/
ACM International Conference Workshop on Privacy in
on Information and Knowledge The Sixth International Conference on the Electronic Society
Management (CIKM 2013) Security of Information and Networks Berlin, Germany
San Francisco Airport Marriott (SINCONF 2013) November 4, 2013
Waterfront Aksaray University
Burlingame, CA Aksaray, Turkey All of us are living in this vastly
October 27-November 1, 2013 November 26-28, 2013 changing digital world, so it’s no
http://www.cikm2013.org/index.php http://www.sinconf.org/sin2013/ surprise that privacy is one of the
biggest and most serious problems
XXIV International Conference on International Conference on Research facing us all. With more than a
Information, Communication & and Innovation in Information billion users on Facebook and
Automation Technologies (ICAT 2013) Systems (ICRIIS 2013) Twitter, and people sharing vast
Sarajevo, Bosnia and Herzegovina Universiti Tenaga Nasional amounts of information online,
October 30- November 1, 2013 Selangor, Malaysia the concern for maintaining one’s
http://icat.etf.unsa.ba/icat-2013/cms/ November 27-28, 2013 own identity and secrecy has never
http://seminar.spaceutm.edu.my/ been as high. According to Andrew
Workshop on Privacy in the Electronic icriis2013/index.html Grove, co-founder and former CEO
Society (WPES) of Intel, there exists a force right at
Berlin, Germany the heart of Internet culture that
November 4, 2013 wants to know everything about a
CONTESTS & EVENTS
http://wpes2013.di.unimi.it/ person, and once the information
Zero Robotics High School is obtained it becomes a very
20th ACM Conference on Computer valuable asset to be traded upon.
Tournament 2013
and Communications Security To address the problems of
Zero Robotics is a robotics
(CCS 2013) privacy, the Workshop on Privacy
programming competition where the
Berlin Congress Centre in the Electronic Society will be
robots are SPHERES (Synchronized
Berlin, Germany held this fall in conjunction with
Position Hold Engage and Reorient
November 4-8, 2013 the 20th ACM Conference on
Experimental Satellites) satellites inside
http://www.sigsac.org/ccs/CCS2013/ Computer and Communications
the International Space Station (ISS).
The competition kicks off online (http:// Security. There will be discussions
2013 15th International Conference and presentations on topics
www.zerorobotics.org), where teams
on Communication Technology ranging from Internet and data
compete to solve an annual challenge
(ICCT 2013) privacy to human rights and
guided by mentors. Participants can
Guillin, China privacy policies. The workshop
create, edit, share, save, simulate, and
November 17-19, 2013 promises to address the problems
submit code, all from a Web browser.
http://conference.bupt.edu.cn/icct2013/ and solutions of privacy in globally
The participants compete to win
index.html interconnected communities.
a technically challenging game by
Photograph by S. Borisov

programming their strategies into Workshop organizers are seeking

the SPHERES satellites. The game
is motivated by a current problem
of interest to DARPA, NASA, and
MIT. After several phases of virtual
submissions both from academia
and industry. For details, log onto
http://wpes2013.di.unimi.it/.
—Arka
— Bhattacharya

XRDS • fall 2013 • Vol.20 • No.1 69

end
acronyms
ECHR European Convention on Human
Right: An international treaty to
protect human rights and fundamental
freedoms in Europe. Its Article 8
guarantees the individual’s right to
respect for their “private and family life.”
PII Personally Identifiable Information:
A legal concept, mainly used in
information security. It is any
information that can be used on its own
or with other information to contact,
locate, or identify a single person or an
individual in a given context.
POWF Physical One-Way Function: An
optical PUF, practically unclonable.
PUF Physically Unclonable Function:
In practical cryptography, a PUF is a
function that is embodied in a physical
structure and is easy to evaluate but
not to predict.
TIA Total (now, Terrorism) Information
Awareness: A DARPA program started
in 2003, with the goal to integrate
information technologies into a
prototype system to provide tools to
better detect, classify, and identify
potential foreign terrorists. Due to
public criticism that the system could
lead to a mass surveillance system,
Congress defunded the program before
year’s end.
TOR The Onion Router: A network of
virtual tunnels that allows people and
groups to improve their privacy and
security on the Internet. Its goal is to
enable online anonymity.
70
competition, finalists are selected to
compete in a live championship aboard
the ISS. An astronaut will conduct
the championship competition in
microgravity with a live broadcast!
High school students ages 16-18 may
participate in this competition that
begins on September 7th of this year.
Columbia Startup Weekend
Columbia Startup Weekend will be a 54-
hour event held in Columbia, Missouri
designed to mobilize technical
and non-technical entrepreneurs.
Starting with Friday night pitches and
continuing through brainstorming,
business plan development, and basic
prototype creation, this event will
culminate with Sunday night demos
and presentations. Participants will
create working startups during the
event and collaborate with like-minded
individuals outside of their daily
networks. All teams will attend talks by
industry leaders and receive valuable
feedback from local entrepreneurs.
Whether you are looking for feedback
on an idea, a co-founder, specific skill
sets, or a team to help you execute,
Columbia Startup Weekend is the
perfect environment in which to test
your idea and take the first steps
toward launching your own startup.
For more information see http://
swcolumbia2013-eorg.eventbrite.com/.
GRANTS, SCHOLARSHIPS &
FELLOWSHIPS
Microsoft Ph.D. Fellowship Program
Website: http://research.microsoft.com/
en-us/collaboration/awards/apply-us.aspx
Deadline: October 2013
Eligibility: Second and third-
year Ph.D. students in computer
science, electrical engineering, and
mathematics studying in the U.S. or
Canada.
Benefits: Two years of tuition and fees,
$28,000 stipend, $4,000 travel budget.
Explanation: The two-year fellowship
program is for outstanding Ph.D.
students nominated by their universities.
Fellowships are granted by Microsoft
Research at the discretion of Microsoft.
Hertz Fellowship
Website: http://www.hertzfoundation.
org/dx/fellowships/application.aspx/
Deadline: Fall 2013
Eligibility: Citizens or permanent
residents of the U.S. who are “willing
to morally commit to make their skills
available to the United States in time
of national emergency.”
Benefits: Tuition and $31,000- $35,000
stipend for up to five years.
Explanation: The Hertz Foundation
awards fellowships to students
pursuing a Ph.D. in the applied
physical biological, and engineering
sciences. The selection process
includes a technical interview.
Paul and Daisy Soros Fellowship
Program For New Americans
Website: http://www.pdsoros.org/overview/
Deadline: November 8, 2013
Eligibility: Recent American
permanent residents and children of
naturalized U.S. citizens before their
second year in a graduate program.
Benefits: Tuition and living expenses
for two years.
Explanation: This fellowship is
awarded to 30 new Americans.
The selection criteria are based only
on merit, not on financial need.
National Physical Science
Consortium Fellowship
Website: http://www.npsc.org/index.html
Deadline: November 30, 2013
Eligibility: U.S. citizens pursuing
graduate work at an NPSC member
institution.
Benefits: Two to six years of support.
Explanation: This fellowship includes
one or two paid summer internships at
a government agency. Nine-five percent
of awardees have been female or an
ethnic minority living within in the U.S.
POINTERS
PRIVACY RESOURCES
“The Panopticon is a marvelous
machine which, whatever use one
may wish to put it to, produces
homogeneous effects of power,”
wrote Michel Foucault in 1975. Since
then, the “panoptical concept” has
evolved from dystopian prisons and
schools to the Internet, which in its
openness lends itself to a massive
surveillance state. Indeed there’s
a tension between the systematic
XRDS • fall 2013 • Vol.20 • No.1
perversion of privacy thanks to
government spying and the need
for information to be free. As our
private actions are tracked, questions
of whether the government and
business should be more accountable
have arisen. Where does that leave
the question of privacy in the
digital age? Scientists, hackers,
philosophers, and journalists
have debated that since the days of
ARPANET. Look no further, presented
are some gems surrounding this
discussion!   —Ashok Rao
READING LIST
The Transparent Society: Will
Technology Force Us to Choose
Between Privacy and Freedom
David Brin, Basic Books (1999)
“The Transparent Society is a call for
‘reciprocal transparency.’ If police
cameras watch us, shouldn’t we be
able to watch police stations? If credit
bureaus sell our data, shouldn’t we
know who buys it? Rather than cling to
an illusion of anonymity—a historical
anomaly, given our origins in close-
knit villages—we should focus on
guarding the most important forms
of privacy and preserving mutual
accountability. The biggest threat
to our freedom, Brin warns, is that
surveillance technology will be used
by too few people, now by too many.”
(From Amazon)
Broken Ballots: Will Your Vote Count?
Douglas W. Jones and Barbara Simons,
Center for the Study of Language and
Information (2012)
Voting machines have been slow to
adapt to the digital revolution and,
yet, even the newest devices can fall
prey to classical flaws. This book
takes a tour through the American
voting system “gauging how
inaccurate, unreliable, and insecure
[they] are.” It’s an “important
book for election administrators,
political scientists, and students of
government and technology policy.”
After reading it, you’ll understand
how we came to acquire the “complex
technology” we now depend on to
count our votes. Thinking like an
adversary gives a whole different
XRDS • fall 2013 • Vol.20 • No.1
perspective to democracy’s most
sacrosanct action.
“Magaupload, the Copyright Lobby,
and the Future of Digital Rights”
by Robert Amsterdam and Ira Rothken
The question of privacy is intimately
connected with that of digital rights.
Remember the Internet outcry over
SOPA? This is a biased, but detailed
and interesting, look through
the careful relationship between
government and technology viewed
through the prism of law.
http://www.kim.com/whitepaper.pdf
Little Brother
Cory Doctorow, Tor Books (2010)
An award-winning book that you
might not guess is fiction.
“Marcus, a.k.a ‘w1n5t0n,’ is only 17
years old, but he figures he already
knows how the system works–and
how to work the system. Smart, fast,
and wise to the ways of the networked
world, he has no trouble outwitting
his high school’s intrusive but clumsy
surveillance systems. But his whole
world changes when he and his
friends find themselves caught in
the aftermath of a major terrorist
attack on San Francisco. In the wrong
place at the wrong time, Marcus
and his crew are apprehended
by the Department of Homeland
Security and whisked away to a secret
prison where they’re mercilessly
interrogated for days. When the
DHS finally releases them, Marcus
discovers that his city has become
a police state where every citizen
is treated like a potential terrorist.
He knows that no one will believe
his story, which leaves him only
one option: to take down the DHS
himself.” (From Amazon)
“A Simple Public Choice Theory
of Universal Surveillance”
In a blog post from earlier this year,
Tyler Cowen, professor of economics
at George Mason University and
blogger, sparks a robust discussion
about surveillance and who is harmed
in the process.
http://marginalrevolution.com/
marginalrevolution/2013/06/a-simple-
public-choice-theory-of-universal-
surveillance.html
“Edward Snowden, NSA files source: ‘If
they want to get you, in time they will’”
In this new digital world, there
exists both social media and PRISM,
the government’s robust spying
apparatus. Some praise the heroism
of whistleblowers against a large
government, and others the initiative
thereof in preventing future acts
of terror. But as a footnote, I wonder,
are these not both flip sides
of the same coin? Read more in
this exclusive interview.
http://www.guardian.co.uk/world/2013/
jun/09/nsa-whistleblower-edward-
snowden-why
NOTEWORTHY WEBSITES
Tor
It’s all about encryption and
privacy. Even if you don’t care about
surveillance, the computer science
behind the concept is brilliant.
https://www.torproject.org/
Applied Cryptography and Encryption
If you want to understand digital
privacy, you have to understand
cryptography. This is a free online
class taught by David Evans at the
University of Virginia. Provided
you have a basic understanding of
programming and number theory,
this course will take you through the
quest of breaking secrets in every day
life. And you’ll learn all about Tor in
the process!
https://www.udacity.com/course/cs387
Bitcoin
It’s the Tor of currency. The
pseudonymous “Satoshi Nakamoto”
lies out the theoretical groundwork
of his system in this paper
(http://bitcoin.org/bitcoin.pdf).
It’s not too hard to understand, at
least intuitionally, and worth every
minute of the read. This is only an
introduction. If the topic interests you
be sure to read, on Page 40, all
about its strengths and weaknesses,
both of which are many.
http://bitcoin.org
71
end

BEMUSEMENT

A Quiet Evening At Home

PhD Comics ©Jorge Cham

Puzzles:
Calendar
Confusion
Security Three days ago, yesterday was
the day before Sunday. What day
will it be tomorrow?
Source: http://www.mathisfun.com/puzzles/
calendar-confusion-solution.html.

Happy
Birthday
When asked about his birthday,
a man said: “The day before yesterday
I was only 25 and next year I will
turn 28.” This is true only one day in
http://xkcd.com/538/

a year: When was he born?

Source: http://malini-math.blogspot.
com/2009/08/simple-math-puzzles.html

Find the solution at: http://xrds.acm.

org/bemusement/2013.cfm

Wikileaks submit a puzzle

Can you do better?
Bemusements would like your
puzzles and mathematical games
(but not Sudoku). Contact
xrds@acm.org to submit yours!
http://xkcd.com/834/

72 XRDS • summer 2 01 3 • V ol .19 • No.4

 acm STUDENT MEMBERSHIP APPLICATION

CODE: CRSRDS
Join ACM online: www.acm.org/joinacm
Name Please print clearly
INSTRUCTIONS
Address
Carefully complete this application and return
with payment by mail or fax to ACM. You must
City State/Province Postal code/Zip
be a full-time student to qualify for student rates.
Country E-mail address
CONTACT ACM
Area code & Daytime phone Mobile phone Member number, if applicable
phone: 800-342-6626
MEMBERSHIP BENEFITS AND OPTIONS (US & Canada)
• Free software and courseware through the ACM • ACM e-news digest TechNews (thrice weekly) +1-212-626-0500
Academic Initiative • ACM online newsletter MemberNet (monthly) (Global)
• Free e-mentoring services from MentorNet® • Student Quick Takes, ACM student e-newsletter (quarterly) hours: 8:30am–4:30pm
• Electronic subscriptions to Communications of the ACM US Eastern Time
• Free "acm.org" email forwarding address plus filtering
and XRDS: Crossroads magazines through Postini fax: +1-212-944-1318
• Online courses, online books and videos • Option to subscribe to the full ACM Digital Library email: acmhelp@acm.org
• ACM's CareerNews (twice monthly) • Discounts on ACM publications and conferences, mail: Association for Computing
valuable products and services, and more Machinery, Inc.
PLEASE CHOOSE ONE:
General Post Office
❏ Student Membership: $19 (USD) P.O. Box 30777
❏ Student Membership PLUS Digital Library: $42 (USD) New York, NY 10087-0777
❏ Student Membership PLUS Print CACM Magazine: $42 (USD)
❏ Student Membership w/Digital Library PLUS Print CACM Magazine: $62 (USD) For immediate processing, FAX this
application to +1-212-944-1318.
P U B L I C AT I O N S Please check
Check the appropriate box and calculate Issues
amount due on reverse. per year Code Member Rate Air Rate* PAYMENT INFORMATION
• ACM Inroads 4 178 $16 ❐ $58 ❐
• Communications of the ACM 12 101 $25 ❐ $58 ❐ Payment must accompany application
• Computers in Entertainment (online only) 4 247 $43 ❐ N/A
Member dues ($19, $42, or $62) $
Computing Reviews 12 104 $55 ❐ $39 ❐
• Computing Surveys 4 103 $36 ❐ $32 ❐ To have Communications of the ACM
Evolutionary Computation (MIT Press) 4 177 $32 ❐ $30 ❐ sent to you via Expedited Air Service,
• interactions, new visions of human-computer interaction 6 123 $22 ❐ $35 ❐
(included in SIGCHI membership) add $58 here (for residents outside of
• Int’l Journal of Network Management (online only) (Wiley) 6 136 $92 ❐ $30 ❐ North America only). $
Int’l Journal on Very Large Databases 4 148 $83 ❐ $30 ❐
• Journal of Educational Resources in Computing (see TOCE) N/A N/A N/A N/A Publications $
• Journal of Experimental Algorithmics (online only) 12 129 $31 ❐ N/A
• Journal of Personal and Ubiquitous Computing 6 144 $65 ❐ $30 ❐ Total amount due $
• Journal of the ACM 6 102 $55 ❐ $58 ❐
• Journal on Computing and Cultural Heritage 4 173 $49 ❐ $23 ❐ Check or money order (make payable to ACM,
• Journal on Data and Information Quality 4 171 $49 ❐ $25 ❐
• Journal on Emerging Technologies in Computing Systems 4 154 $42 ❐ $23 ❐
Inc. in U.S. dollars or equivalent in foreign currency)
• Linux Journal (SSC) 12 137 $31 ❐ $33 ❐
• Mobile Networks and Applications 6 130 $72 ❐ $29 ❐ ❏ Visa/Mastercard ❏ American Express
• Wireless Networks 4 125 $72 ❐ $29 ❐
• XRDS (included with membership) 4 XRoads $39 ❐ N/A
Transactions on: Card number Exp. date
• Accessible Computing 4 174 $49 ❐ $24 ❐
• Algorithms 4 151 $52 ❐ $23 ❐
• Applied Perception 4 145 $43 ❐ $23 ❐ Signature
• Architecture & Code Optimization 4 146 $43 ❐ $23 ❐
Member dues, subscriptions, and optional contributions
• Asian Language Information Processing 4 138 $39 ❐ $23 ❐
are tax deductible under certain circumstances. Please
• Autonomous and Adaptive Systems 4 158 $41 ❐ $23 ❐ consult with your tax advisor.
• Computational Biology and Bioinformatics 4 149 $20 ❐ $49 ❐
• Computer-Human Interaction 4 119 $43 ❐ $25 ❐
• Computational Logic 4 135 $44 ❐ $25 ❐ EDUCATION
• Computation Theory 8 176 $49 ❐ $32 ❐
• Computer Systems 4 114 $47 ❐ $25 ❐
• Computing Education (formerly JERIC) 277 $25 ❐ N/A
• Database Systems 4 109 $46 ❐ $25 ❐
Name of School
• Design Automation of Electronic Systems 4 128 $43 ❐ $25 ❐
• Economics and Computation 4 192 $49 ❐ $23 ❐ Please check one: ❐ High School (Pre-college, Secondary
• Embedded Computing Systems 4 142 $44 ❐ $23 ❐ School) College: ❐ Freshman/1st yr. ❐ Sophomore/2nd yr.
• Graphics 4 112 $51 ❐ $25 ❐ ❐ Junior/3rd yr. ❐ Senior/4th yr. Graduate Student: ❐
• Information and System Security 4 134 $44 ❐ $23 ❐
Masters Program ❐ Doctorate Program ❐ Postdoctoral
• Information Systems 4 113 $47 ❐ $25 ❐
• Intelligent Systems and Technology 4 179 $46 ❐ $72 ❐ Program ❐ Non-Traditional Student
• Interactive Intelligent Systems 4 191 $49 ❐ $76 ❐
• Internet Technology 4 140 $42 ❐ $23 ❐
• Knowledge Discovery From Data 4 170 $50 ❐ $23 ❐ Major Expected mo./yr. of grad.
• Management Information Systems 4 190 $47 ❐ $22 ❐
• Mathematical Software 4 108 $47 ❐ $25 ❐ Age Range: ❐ 17 & under ❐ 18-21 ❐ 22-25 ❐ 26-30
• Modeling and Computer Simulation 4 116 $51 ❐ $25 ❐
• Multimedia Computing, Communications, and Applications 4 156 $42 ❐ $23 ❐ ❐ 31-35 ❐ 36-40 ❐ 41-45 ❐ 46-50 ❐ 51-55 ❐ 56-59 ❐ 60+
• Networking 6 118 $29 ❐ $52 ❐
• Programming Languages & Systems 6 110 $59 ❐ $32 ❐ Do you belong to an ACM Student Chapter? ❐ Yes ❐ No
• Reconfigurable Technology & Systems 4 172 $49 ❐ $24 ❐
• Sensor Networks 4 155 $42 ❐ $23 ❐ I attest that the information given is correct and that I will
• Software Engineering and Methodology 4 115 $43 ❐ $25 ❐ abide by the ACM Code of Ethics. I understand that my
• Speech and Language Processing (online only) 4 253 $33 ❐ N/A membership is non transferable.
• Storage 4 157 $42 ❐ $23 ❐
• Web 4 159 $41 ❐ $23 ❐
Marked • are available in the ACM Digital Library
* Check here to have publications delivered via Expedited Air Service. Signature
For residents outside North America only. PUBLICATION SUBTOTAL:
 CARE ERS AT THE N ATI ONAL S ECURI TY A GE NCY

Rise Above
the Ordinary
A career at NSA is no ordinary job. It’s a
profession dedicated to identifying and
defending threats to our nation. It’s a
dynamic career filled with challenging
and highly rewarding work that you can’t
do anywhere else but NSA.

You, too, can rise above the ordinary. Whether

it’s producing valuable foreign intelligence or
preventing foreign adversaries from accessing
sensitive or classified national security
information, you can help protect the nation
by putting your intelligence to work.

NSA offers a variety of career fields,

paid internships, co-op and scholarship
opportunities.

Learn more about NSA and how your career

can make a difference for us all.

KNOWINGMATTERS

Excellent Career Opportunities in the Following Fields:

n Computer/Electrical Engineering n Cryptanalysis
n Computer Science n Signals Analysis
n Cybersecurity n Business Management
n Information Assurance n Finance & Accounting
n Mathematics n Paid Internships,
n Foreign Language Scholarships and Co-op
n Intelligence Analysis >> Plus other opportunities

Search NSA to Download

WHERE INTELLIGENCE GOES TO WORK®

U.S. citizenship is required. NSA is an Equal Opportunity Employer. All applicants for employment are considered without regard to race, color, religion, sex, national origin, age,
marital status, disability, sexual orientation, or status as a parent.