Data collection with self-enforcing privacy
Consider a pollster who wishes to collect private, sensitive data from a number of distrustful individuals. How might the pollster convince the participants that it is trustworthy? Alternatively, what mechanism could the individuals insist upon to ensure that mismanagement of their data is detectable and publicly demonstrable? We detail this problem, and provide simple data submission protocols with the properties that a) leakage by the pollster results in "evidence" of the transgression and b) the evidence cannot be fabricated without breaking cryptographic assumptions. With such guarantees, a responsible pollster could post a "privacy-bond", available to anyone who can provide such evidence of leakage. The individuals are assured that appropriate penalties are applied to a leaky pollster, while the protection from spurious indictments ensures that any honest pollster has no disincentive to participate in such a scheme.
Golle, P.; Mironov, I.; McSherry, F. Data collection with self-enforcing privacy. Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06); 2006 October 30 - November 3; Alexandria, VA. New York: ACM; 2006; 69-78.