Modern organizations, such as businesses, non-profits, government agencies, and universities, collect and use personal information from a range of sources, shared with specific expectations about how it will be managed and used. Accordingly, they must find ways to comply with expectations, which may be complex and varied, as well as with relevant privacy laws and regulations, while they minimize operational risk and carry out core functions of the organization efficiently and effectively. Designing organizational processes to manage personal information is one of the greatest challenges facing organizations (see, e.g. a recent survey by Deloitte and the Ponemon Institute [TI07]), with far-reaching implications for every individual whose personal information is available to modern organizations, i.e. all of us.

This project responds to these challenges by developing methods, algorithms and prototype tools for integrating privacy, compliance, and risk evaluation into complex organizational processes. It explores, articulates and formally characterizes the scope and nature of the privacy expectations of stakeholders as well as those of key regulations, such as HIPAA, GLBA, COPPA, BASEL 2, and Sarbanes-Oxley (SOX). It incorporates the diverse perspectives and areas of expertise of its multidisciplinary research team, which includes three computer scientists, one philosopher, and collaborating researchers from IBM. This industry connection facilitates interaction with product teams that have served complex organizations concerned with business process integrity, information security, privacy, and information risk management. The research builds on "contextual integrity" (a philosophical account of privacy) as well as language- and risk-based methods for privacy policy specification and enforcement. Extensive training and educational opportunities are provided to undergraduate and graduate students, and research results are integrated into courses at CMU, NYU, Stanford, and UPenn.

Project Report

The project addressed crucial privacy problems that emerge when institutions enrich existing practices with personal information. This often occurs when IT systems are introduced into an organization, allowing internal systems to be augmented with information in digital formats and enabling new ways of accessing institutional data, internally and externally, via digital electronic systems, often the Internet and the Web. As one of four collaborative partners, NYU focused on the ethical and policy dimensions of these privacy problems. Using the theory of contextual integrity as a lens, it sought to characterize these problems rigorously, to articulate approaches to addressing them, to demonstrate these ideas on cases and testbeds, and finally, to suggest technical approaches to implementing and enforcing ethically legitimate solutions. One primary case, of national importance, was the digitization and online placement of court records. This process is well underway in many state jurisdictions and has been implemented in the Federal Courts with PACER; it is motivated by the belief that a successful transition to fully electronic record systems is vital to the good functioning of our justice system. The goal of our project was to study how access to these records should be implemented so that an online system embodies the same principle of open access as records maintained locally, in courthouses. A careful study, conducted collaboratively by an ethicist, a lawyer, and two computer scientists, yielded key insights, including the following:

1) There are significant and systematic disruptions in information flow in the transition from local access to online access, debunking the notion that "public is public" no matter what the medium. This has implications for privacy that should not be ignored.

2) Certain mechanisms that courts regularly rely on, such as redaction and expungement, are no longer feasible with the transition to open access online, which may alter the traditional ways courts have dealt with administrative policies for protecting certain portions of records.

3) Sophisticated tools developed in the fields of information science and technology can and should be brought to bear in the design of systems providing public access to public records. It is simply false that public access requires open access with no restrictions whatsoever.

In this part of the project we recommended systems that implement carefully honed policies for differential access to public records, including not merely open access but open, accountable access. Our project devoted some attention to adapting these findings and principles to another arena grappling with questions of access to data and privacy, arguably even more sprawling and fundamental than court records, namely electronic health records. A second major line of research involved multidisciplinary studies of specific privacy-enhancing technical strategies. One of these, obfuscation, which is the subject of several articles and a book manuscript, involves protecting privacy by introducing noise. Our research evaluated obfuscation from both scientific and ethical perspectives and, on the practical side, involved the development of two proof-of-concept systems. We have found that obfuscation holds promise for circumstances in which traditional means of privacy protection (e.g. law, policy, technology) are unavailable and contextually effective, if relatively weak, forms of protection are sufficient.

Agency
National Science Foundation (NSF)
Institute
Division of Computer and Network Systems (CNS)
Application #
0831124
Program Officer
Jeremy Epstein
Project Start
Project End
Budget Start
2008-09-01
Budget End
2014-02-28
Support Year
Fiscal Year
2008
Total Cost
$250,000
Indirect Cost
Name
New York University
Department
Type
DUNS #
City
New York
State
NY
Country
United States
Zip Code
10012