Managing Privacy Risks
Today is The Day We Fight Back, a day to call for change in NSA's surveillance activity focused on US citizens. We thought it was particularly appropriate to bring you US Patent 8,141,160, "Mitigating and managing privacy risks using planning", a privacy patent funded by the National Security Agency (NSA), those folks collecting reams of information about US citizens, compromising our constitutional rights to privacy and protection against illegal search and seizure. Prepare yourself. Cognitive dissonance and intellectual vertigo may set in.
The patent was awarded to a team of 10 inventors from IBM working on a contract for NSA. The first named inventor is from Washington, DC, three are from San Jose, three from New York, and two from Columbia, Maryland, home of Fort Meade, NSA's headquarters. The patent is a testament to the innovation economy's geographically dispersed inventorship. Using the contract information contained in the government interest statement on the patent, Way Better Patents tracked the source of the funding back to contract numbers associated with NSA. Unlike other patents granted under this contract, which specifically identify NSA as the funding agency, this one simply states:
This invention was made with Government support under Contract No.: H98230-04-3-0001 awarded by U.S. Dept. of Defense. The Government has certain rights in this invention.
OK, this is technically correct. The Cyber Command is part of the US Air Force, which is part of the Department of Defense.
The background of the invention says,
Without digging into the deep technical details of how the invention works, it is fundamentally an implementation of role-based security applied to privacy.
Among the many elements of the invention described in the patent is the following:
…based on the type of information requested, the stream processing system selects a privacy model that protects particular types of data according to privacy laws, an organization's internal policies, and the like. In another embodiment, a repository for privacy models resides at the information processing system or at a remote system….For example, purpose of access "treatment" and role "physician" can be mapped into a constraint that allows the creation of output streams that include a category "medical records" but does not allow a category of "employment records". The constraint is then represented as an "allow" and "exclude" list of categories. In another embodiment, the privacy-related information is added to the user's request automatically by the stream processing system without the user's involvement.
The patent continues:
For example, based on the type of information requested, the stream processing system selects a privacy model that protects particular types of data according to privacy laws, an organization's internal policies, and the like. In another embodiment, a repository for privacy models resides at the information processing system or at a remote system.
Claim 1 reads:
1. A computer-implemented method for managing and mitigating privacy risks in a system comprising a network of processing elements, the method comprising the steps of: receiving a request for at least one output product from the system, the request including a set of privacy parameters; in response to receiving the request, analyzing a set of processing component descriptions associated with a plurality of processing components in the system, the set of processing component descriptions describing a set of attributes associated with the processing components; creating, based at least on the set of privacy parameters and the set of processing component descriptions, at least one set of workflow generating strategies that results in the output product having a privacy risk value below a predefined threshold, the at least one set of workflow generating strategies indicating how to configure a set of the processing components together to provide the output product with the privacy risk value below the predefined threshold; and deploying at least one of the workflow generating strategies for automatically producing the at least one output product.
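The mapping and selection steps quoted above can be sketched in a few lines. This is an added example, not code from the patent or from IBM: the component names, the additive integer risk scores, and the exhaustive enumeration (standing in for the patent's planner) are all assumptions made for illustration.

```python
from itertools import combinations

# Constructed privacy-model repository: (purpose of access, role) -> category lists.
PRIVACY_MODELS = {
    ("treatment", "physician"): {"allow": {"medical records"},
                                 "exclude": {"employment records"}},
}

# Constructed component descriptions. "emits" is the data categories a component
# adds to the output stream; "risk" is an assumed additive score (negative = mitigation).
COMPONENTS = {
    "lab_feed":      {"emits": {"medical records"},    "risk": 30},
    "hr_feed":       {"emits": {"employment records"}, "risk": 25},
    "pseudonymizer": {"emits": set(),                  "risk": -20},
    "joiner":        {"emits": set(),                  "risk": 5},
}

def constraint_for(purpose, role):
    """Map purpose and role to allow/exclude lists; unknown pairs allow nothing."""
    model = PRIVACY_MODELS.get((purpose, role), {"allow": set(), "exclude": set()})
    return model["allow"], model["exclude"]

def plan(purpose, role, wanted, threshold):
    """Return [(workflow, risk)] for every component set that yields the wanted
    categories, respects the constraint, and scores below the threshold."""
    allow, exclude = constraint_for(purpose, role)
    names = sorted(COMPONENTS)
    plans = []
    for size in range(1, len(names) + 1):
        for workflow in combinations(names, size):
            emitted = set().union(*(COMPONENTS[n]["emits"] for n in workflow))
            if not wanted <= emitted:
                continue          # does not produce the requested output
            if emitted - allow or emitted & exclude:
                continue          # leaks a category the privacy model forbids
            risk = max(0, sum(COMPONENTS[n]["risk"] for n in workflow))
            if risk < threshold:
                plans.append((workflow, risk))
    return sorted(plans, key=lambda p: p[1])

if __name__ == "__main__":
    for workflow, risk in plan("treatment", "physician", {"medical records"}, 20):
        print(risk, " -> ".join(workflow))
```

A request with no matching privacy model gets an empty allow list, so the sketch denies by default rather than falling through to an unconstrained workflow.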
So there you have it. NSA, an organization that collects vast amounts of data about Americans, funded work with IBM that led to a patent on implementing privacy policies to protect personally identifiable information. General Alexander makes the rounds where he talks about the vast amount of American intellectual property being stolen by our cyber adversaries. He and his agency apparently have bestowed upon IBM a nice collection of patents through their federal funding that focus on, well, privacy and information security. (We'll post the rest of the list of patents shortly.)
An NSA Funded Privacy Patent!!
Like many things about patents, getting to the details of who paid for the R&D or funded the contract that led to a patent funded by the US taxpayer can be an adventure. This one was worth the hunt — an NSA funded invention designed to protect privacy.