Privacy Incidents Database - October 2016
Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.
PI(s): Jessica Staddon
Researchers: Pradeep Murukannaiah, Esha Sharma
This project is building the first comprehensive encyclopedia and database of privacy incidents. Most privacy incidents, such as cyber-bullying/slander/stalking, revenge porn, social media oversharing, data reidentification and surveillance, do not involve a security breach. Therefore, such incidents are not represented in current security incident databases. This lack of a centralized resource leads to widely varying measurements. For example, the Privacy Rights Clearinghouse data finds fewer than 400 data breach incidents in 2014, whereas Verizon, based on proprietary data from 70 companies and organizations, finds over 2000 breaches in 2014. Our publicly accessible database will enable the privacy technology and policy communities to reach consensus around patterns in privacy incidents.
HARD PROBLEM(S) ADDRESSED
- Policy-Governed Secure Collaboration: The patterns and characteristics of security incidents are a significant driver of security technology innovation. Patterns are detected by analyzing repositories of malware/viruses/worms, incidents affecting control/SCADA systems, general security alerts and updates and data breaches. This project is building the repository to enable the identification of patterns in incident root causes, entities, location, etc., that will inform product and policy development and privacy training.
PUBLICATIONS
- Pradeep Murukannaiah, Jessica Staddon, Heather Lipford, Bart Knijnenburg. 2016. PrIncipedia: A Privacy Incidents Encyclopedia. Privacy Law Scholars Conference. URL: https://drive.google.com/file/d/0B-is7Sqpwv0bZy1UTEQ2UnZkVUE/view
ACCOMPLISHMENT HIGHLIGHTS
- Launched the database web site: http://research.csc.ncsu.edu/privacyincidents/pages/index.php
- Developed, and are iteratively improving, a classifier for semi-automatically populating the database using privacy news articles as an input stream. The classifier's goal is to identify incidents in articles. We currently rely mostly on the New York Times and Guardian news feeds.
- Completed a user study to measure the precision of the database, finding high precision overall; precision is the fraction of database entries that users report to be privacy incidents.