Information leakage happens when a system helps an adversary achieve some goal. We can understand leakage through quantitative information flow (QIF), a robust framework that gives ways to quantify the amount of leakage of a system. In this post, we will walk through how we can statically model a system as a channel matrix. We'll also see how a channel maps a prior probability distribution to a hyper-distribution that helps an adversary narrow down the…
I've put together a few of my favorite resources on cryptography. My general recommendation is to watch lecture videos. Academic papers and textbooks can be quite dense, but authors clear things up in their PowerPoint presentations and videos. I've included links to some of my favorite talks but I also list some courses and textbooks. These resources are about the math and theory behind cryptography and don't address implementation. Fundamental Cryptography Here are some resources on…
After listening to *many* of these particular talks, I have some faculty interview presentation tips for you (and maybe some general presentation tips too). Take what you need. Some background My computer science department, like so many others right now, is undergoing a rapid expansion to meet the growing demand for AI and cybersecurity researchers. For the interviewee, this process involves a full day of talking with faculty, touring the facilities, and giving a presentation…
Following the rollout of the EU’s General Data Protection Regulation (GDPR) and a string of high-visibility privacy scandals at U.S. companies (like Equifax, Facebook, and Google), Federal regulators are finally getting serious about privacy.
The National Institute of Standards and Technology (NIST) is convening a series of workshops to develop a new Privacy Framework, which the body envisions will be a voluntary set of standards for assessing organizations’ privacy risks. This isn’t regulation and it won’t be mandatory, but it will create a benchmark against which companies’ data handling practices can be judged. And voluntary standards can become de facto mandates: if a company in the midst of a privacy PR disaster promises to do better by adhering to NIST standards, they can be held accountable by the FTC (under their “deceptive practices” enforcement authority) if they fail to do so.
Simultaneously, the National Telecommunications and Information Administration (NTIA) is developing an “approach” to consumer privacy on behalf of the Department of Commerce which has the potential to eventually inform privacy rules made by Federal agencies.
If you’re interested in all of this and want to weigh in during the policymaking process, now may be your best chance. Until November 9th, the NTIA is seeking public comment on a draft set of high-level goals and intended outcomes for the upcoming policy. You can write whatever you want, but effective public comments are brief, focused on a specific recommendation or point of clarification, and introduce relevant technical facts to make a cogent argument.
Below I’ve reproduced a comment I submitted to the NTIA’s request arguing that the way they use the term “personal information” is insufficiently vague and that it must be defined more broadly than it has been in other U.S. data protection laws. (more…)
tl;dr Diverse representation within computer science matters. Stock images, clip art, and textbook examples affect us in subtle and perhaps unconscious ways. They dictate who we expect to see in certain roles. They even influence which roles we see ourselves assuming. When we rely on one default representation, we create a box for ourselves from which it is difficult to break free. We become unable to see others in a specific role and if we…