Negotiated Privacy (Extended Abstract)

ISSS (2002)

Cited by 25 | Views 14

Abstract
Exponential growth in digital information gathering, storage, and processing capabilities inexorably leads to conflict between well-intentioned government or commercial data mining, and fundamental privacy interests of individuals and organizations. This paper proposes a mechanism that provides cryptographic fetters on the mining of personal data, enabling efficient mining of previously-negotiated properties, but preventing any other uses of the protected personal data. Our approach does not rely on complete trust in the analysts to use the data appropriately, nor does it rely on incorruptible escrow agents. Instead, we propose conditional data escrow where the data generators, not the analysts, hold the keys to the data, but analysts can verify that the pre-negotiated queries are enabled. Our solution relies on verifiable, anonymous, and deterministic commitments which play the role of tags that mark encrypted entries in the analyst's database. The database owner cannot learn anything from the encrypted entries, or even verify his guess of the plaintext on which these entries are based. On the other hand, the verifiable and deterministic property ensures that the entries are marked with consistent tags, so that the database manager learns when the number of entries required to enable some query reaches the pre-negotiated threshold.
Keywords
exponential growth, processing capability, database management