Data collection has become the default for most companies. Unfortunately, the data that keeps a company running can inflict harmful side effects: security expert Bruce Schneier calls data a "toxic asset". The most privacy-conscious companies have proposed a simple solution to the problem: stop collecting data altogether. But abandoning data collection often means companies are "flying blind", an unacceptable trade-off for most CEOs. So, how do companies strike the right balance between preserving user privacy and driving successful product development?
Clean Insights is a privacy-oriented analytics tool that enables measurement of digital interactions in a safe, secure, and sustainable way. With Clean Insights, developers, data scientists, and others can extract value from data while preserving user privacy by discarding the "toxic" by-products typically generated by commercial analytics platforms. Their open-source Android SDK leverages techniques such as differential privacy, onion routing, and certificate pinning to facilitate this new level of control. In the time since its development, Clean Insights has been deployed on several applications.
Digital fabrication enables distributed manufacturing, which in turn gives rise to distributed supply chains. Manufacturers can source parts with greater speed and flexibility than ever before. Unfortunately, this new paradigm has problematic implications for traditional quality control protocols. How can manufacturers verify and trust distributed production? For example, how can parts be traced back to their origins when they fail in service?
To facilitate trustworthy and distributed manufacturing, 3D Steganography proposes to incorporate information about the manufacturing process for an object into the object itself. 3D printing steganography offers a means by which hidden messages can be embedded in digitally fabricated objects by perturbing toolpaths meaningfully at machine resolution. The hidden message can then be read back after scanning the 3D object. If widely deployed, "fingerprinting" parts in this manner could bring a greater degree of accountability and trust to distributed supply chains, allowing manufacturers to quickly identify the source of faulty parts and adjust accordingly. Messages could be encoded in hexadecimal, binary, or any other digitally readable system and protected via encryption.
Information Fiduciaries and Data Transparency
"Should we treat certain online businesses, because of their importance to people's lives, and the degree of trust and confidence that people inevitably must place in these businesses, in the same way [we treat doctors, lawyers, and accountants]?" (Jack Balkin, Yale Law School]
In an environment where consumers are becoming increasingly concerned with personal data privacy and security, corporations have an opportunity to proactively reassure current and potential customers of their commitment to protecting user data. To that end, the Information Fiduciary project aims to create a forum for actors across the private sector and academia to work collaboratively towards an Information Fiduciary Consortium (IFC), a joint effort which advocates a tier-based approach and will work to find a balance between corporate and public interest. The unique differentiator of the consortium relative to other security compliance regimes is that it commits itself to directly providing value to consumers in a transparent and intuitive manner, building trust between companies and their customers. Companies must commit to fair security and privacy practices around user data collection, analysis, use, disclosure, and sale. Ultimately, the IFC would advocate for additional legal and financial incentives for compliant member companies.
Data Transparency is an in-progress visualization tool intended to complement the ideas and initiatives of the IFC. Fully developed, the tool would enable companies to update a decentralized database to document their collection and use of consumer data. Consumers could then use the tool to monitor when, how, and why their data is being accessed and disseminated. A demo of the tool is available here along with more information about the Information Fiduciary project.
Within this year, there will be as many devices connected to the Internet as people on our planet, and upwards of 5.5 million new devices are connected each day. These devices inevitably have security vulnerabilities, some of which cannot readily be patched or fixed. Such vulnerabilities are being exploited to cause harm to individuals or networks, a problem which will only get worse as the so-called "Internet of Things" (IoT) continues its breakneck pace of expansion. The Sherlock Homes project aims to improve IoT security through two new open-source tools.
The first tool, Sherlock, acts a circuit breaker for home routers, shutting off suspicious communications to or from IoT devices. Operating at the router level, it flags and throttles unusual traffic through a mixture of volume control, whitelisting, and pattern analysis. If deployed, the project would partner would ISPs and device manufacturers to better understand traffic patterns and implement alert systems. Sherlock could also query software and firmware versions running on connected devices and prompt security-critical updates accordingly.
The second tool, Thingerprint, provides a mechanism for identifying communications as suspicious by creating a crowdsourced database of IoT device fingerprints. Any one researcher or team has access to only a limited number of devices and environments, but crowdsourcing could provide access to a diverse range of devices and operating conditions. A voluntarily installed app could collect select information from IoT devices connected to a home network and transmit it to a centralized database. Once collected, the data would be subjected to analysis by security researchers and developers. Thingerprint could serve as an essential complement to Sherlock, improving its capacity to identify and respond to suspicious network activity.
There is currently no mechanism for a non-technical user to easily share non-sensitive dataset attributes, facilitating discoverability without compromising data protections. Sharing data for the average user thus remains a binary choice - share everything or share nothing. As a result, dataset owners and qualified data users with whom they might be interested in sharing are often unable to find one another. Data discovery relies on unscalable personal contacts and relationships.
Undershare allows the user to share and discover datasets without exposing their sensitive contents, escaping this intractable "all or nothing" paradigm. Data owners can expose a limited set of dataset properties (e.g., row headers, or summary statistics) behind a "discovery" API. Those in search of data can query this API, follow up to negotiate deeper access, and exchange reputation-building feedback scores. This flexibility and control on the part of data owners has obvious applications for enterprise, academia, and the healthcare sector among others.