Computer Science Colloquium, 2006-2007

Yaron Kanza
University of Toronto
December 20, 2006

Protecting privacy without misleading users, in the realm of XML

In many organizations, private data should be revealed to some people while being concealed from others. In a hospital database system, for instance, a physician should be allowed to see the medical history of her patients; however, such medical data should not be available to the public. To support research over medical data while protecting privacy, only some of the data should be accessible to researchers. A common approach for protecting privacy is to manipulate sensitive data so that private information would not be revealed (e.g., by changing data values or transforming its structure). But, such manipulations can mislead users who are not aware of them and, thus, cause errors.

In my talk, I will present a novel access-control mechanism for XML that protects privacy without misleading users. XML is a primary format for exchanging and publishing data on the Internet, in which data is presented in a hierarchical format. Our model uses the hierarchal nature of XML but also guarantees that private information will not be inferred because of the hierarchy, a challenge that is not required in the relational model.
The mechanism employs rules for specifying the private data, and queries are validated with respect to these rules. Only queries that do not reveal private information are authorized and executed. I will talk about the complexity of validating queries, the privacy protection provided by our approach and how to test that a set of rules provides the desired concealment.

No prior knowledge of XML or privacy is required.

This is a joint work with Alberto Mendelzon, Renee Miller and Zheng Zhang.

Benny Pinkas