Data Privacy HELP! - Page 2

Fiberoptic · 07-22-2009, 08:45 AM

This is way beyond our area of expertise. If anyone from the forum has any ideas, please throw them out here. If not I can work on getting some guest writers to come by and throw in their two cents.

thekl0wn · 07-22-2009, 09:09 AM

This is definitely nothing we have to deal with at work... In fact we're forced the opposite way: All data has to be directly linked to a user (though not always visible to the users).

Fiberoptic · 07-22-2009, 12:26 PM

I talked with Bugbyte about this on the phone. he has been on vacation the last two weeks which has limited his forum posting. Hopefully I am paraphrasing this correctly. He suggested the idea of encrypting the GPS trails where the user holds the decryption key and the user decides what to do with the data and if and when to delete it.
After further thought, I don't know that this addresses the problem where a user gave the server permission to use the trails for map creation or some other harmless permission, i don't see how that gets us out of the privacy or subpoena trap. I would think we would still have access to the data after the initial permission was given.
We could ask people to daily opt in, but that eliminates the passive nature of the data collection. Maybe Bugbyte can elaborate when he gets back from vacation later in the week.

Fiberoptic · 07-23-2009, 11:06 AM

I just talked with Peter Wayner, author of translucent databases.

He seemed to think we were off to a good start here with the ideas we have. Things we talked about were:

creating an anonymous user name
having the client randomly delete the first and last few minutes of every trail. He made the point to keep the amount deleted random to prevent revealing a range of potential starting points.
Keep adding privacy features until the majority of the community is happy

If vacation plans allow, Peter is going to try to swing by our meet up on August 22nd.

Fiberoptic · 07-24-2009, 04:19 PM

So maybe we could start with a server or client side application that strips off a random amount of the beginning and the end of each trail. Each trail would also be associated with a random userid. We should also allow users to upload their full data if they have less privacy concerns. Maybe there could be a slider bar depending on how much privacy you want. Does that make sense?

Bugbyte · 07-27-2009, 03:01 PM

I like the idea of randomly assigning a gps track to a user ID, or even just a random track number ID. That would be the equivalent of a black box where the user hands over a gps track, the server verifies that this is a legitimate user, then disconnects the track from the user ID and assigns it to a random ID number.

One issue might be how to detect if someone is either intentionally or unintentionally uploading spurious or erroneous tracks. Previously, we had talked about comparing tracks from a user to other tracks they had uploaded to ensure data quality. We couldn't do that under this scheme.

However, we could do something like compare the tracks to reality (do they exceed 250 mph, are the points anywhere near each other, are the dates/times sequential, etc.) and rate them with a confidence factor of some type or another.

Bugbyte · 07-27-2009, 04:26 PM

Quote: Originally Posted by Fiberoptic

I talked with Bugbyte about this on the phone. he has been on vacation the last two weeks which has limited his forum posting. Hopefully I am paraphrasing this correctly. He suggested the idea of encrypting the GPS trails where the user holds the decryption key and the user decides what to do with the data and if and when to delete it.
Maybe Bugbyte can elaborate when he gets back from vacation later in the week.

What I was talking about was giving the user the key to unlock his/her identity for the tracks.

In other words, I'm given a strong key that is very difficult to break and I use it to either hide or expose my identification with the tracks. In addition, if I choose, I can use my key to remove all of my tracks from the database, if I wish.

The intended benefit is two-fold:
1. You may have gps tracks but you can't know who I am unless *I* allow you to know.
2. I may decide that at some point in the future, I don't want my passive tracks to be used as part of the database.

The downside would be that if you upload tracks to the database and some time passes before you decide to remove them, they *might* have been used or even duplicated by someone with legit access to the database. Although that pool of people is probably small, you don't really know for sure what it might be in the future.

User Name		Remember Me?
Password