Large

Information about individuals is collected by a variety of organizations including government agencies, banks, hospitals, research institutions, and private companies. In many cases, sharing this data among organizations can bring benefits in social, scientific, business, and security domains, as the collected information is of similar nature, of about similar populations. However, much of this collected data is sensitive as it contains personal information, or information that could damage an organization's reputation or competitiveness.

Today's Internet has some 1.7 billion users, fosters an estimated $1.5 trillion in annual global economic benefits, and is widely agreed to offer a staggering array of societal benefits. The network sees enormous demand---on the order of 40 Tbps of inter-domain traffic and an annual growth rate of 44.5%. Remarkably, in spite of the Internet's importance and rapid growth, the core protocols that support its basic functions (i.e., addressing, naming, routing) have seen little fundamental change over time.

Many compelling applications involve computations that require sensitive data from two or more individuals. For example, as the cost of personal genome sequencing rapidly plummets many genetics applications will soon be within reach of individuals such as comparing one?s genome with the genomes of different groups of participants in a study to determine which treatment is likely to be most effective. Such comparisons could have tremendous value, but are currently infeasible because of the privacy concerns both for the individual and study participants.

Many compelling applications involve computations that require sensitive data from two or more individuals. For example, as the cost of personal genome sequencing rapidly plummets many genetics applications will soon be within reach of individuals such as comparing one?s genome with the genomes of different groups of participants in a study to determine which treatment is likely to be most effective. Such comparisons could have tremendous value, but are currently infeasible because of the privacy concerns both for the individual and study participants.

Making the "right'' privacy decision --- that is, balancing revelation and protection of personal information in ways that maximize a user's welfare --- is difficult. The complexity is such that our judgments in this area are prone to errors, leading to decisions that we may later stand to regret. These errors stem from lack of information or computational ability; but also from problems of self-control and limited self-insight.