Sunday, July 30, 2006

Mosquito Fever

If you were to ask me what is the first thing I've notice in Nashville? Is it the music? Is it the fried catfish? Is it the heat and humidity? Nope, nope, and double nope. It's the mosquitos! The little buggers are super bionic! They can get you anywhere, at any time, and in any amount of time. I just let Jake the Wonderpup outside for 30 seconds and WHAM WHAM WHAM WHAM - 4 mosquito bites. And they itch like nothing I've felt before.

Oh my, there's one in the house and it keeps coming for me. No matter how I attack, it evades all of my offenses. I think my new middle name is Deet.

And Like That...

Once upon a time, a boy and girl had the greatest set of friends in the world. Thanks to everyone in the ‘burgh for touching our lives and changing us for the better. Sara, Jake the Wonderpup, and I are grateful, will miss you (and your dogs), and hope you all come to visit us in Nashville.

Closing Shop (July 20, 2006)

Yet again, I find myself in an airport. That’s right! This blog entry comes to you from sunny Charlotte, NC. Though I wouldn’t know what Charlotte is like, since I never leave the airport. Ah, vicariously living through airports.

Sara has been harassing me. She says, “Why haven’t you updated your blog? Without my daily dose of Bradley, my day is incomplete.” This was followed by “I am nothing without you.” She really said that. Really.

Anyway, it’s been a pretty hectic couple of weeks. After returning from Cambridge, I stayed in Pittsburgh for 3 days and celebrated the 4th of July in relaxation. Then, it was back to Nashville for another week of meetings, pictures (for the faculty directory), and research. Yep, you heard me correctly, I actually had time to sit down, do some stats, programming, experiments, writing. Quite satisfying.

After Nashville, I returned to Pittsburgh for a week. Research continues, (Yeah!) but most of my spare time has been spent cleaning out the house, and attending going away happy-hours, dinners, and parties (mostly for Sara - her employer and co-workers love her).

And along with cleaning out the house comes... a yard sale! So, our duplex-buddies Joe and Amy held the sale with us this past weekend. Lucky for us, the weather held and we were able to make some sweet moola with Uncle Rico (obligatory Napolean Dynomite reference). But as fast as the money comes in, so too does it go out. Hmm... where does it go? Could it be the new bike rack we bought? Could it be the going away bash we sponsored?

Or maybe it’s the house we’re buying today! And thus we come to the climax of the long rambling story. Sara and are flying down to Nashville to close on our new house. By this afternoon we’ll be homeowners.

Yet, as with any traveling experience that has included me in the past month - nothing is without its trials and tribulations. To summarize, this morning we had a direct flight from Pittsburgh to Nashville. Hip Hip Hooray! However, Sara and I checked into the airport at 7:45am for an 8:30 flight. It would have been fine - and in fact, lately, this has been my check in time of late for most flights. Except this time we were checking bags (dropping off some clothes, pots, pans, and such), and US Air said this was too late for checking luggage. Soooo, they rebooked us for an 8:35 flight through Charlotte! No kidding, a 5 minute difference resulted in an extra 2.5 hours of travel!

Needless to say, this has not made us the happiest of campers this morning. So what do you do when you’re not happy - get goofy (see above picture - we are tentatively captioning it “Whoa, someone farted and it wasn’t us”).

Internet Safety Education by MySpace (July 14, 2006)

The AP is reporting that MySpace and Fox will invest millions of dollars over the next couple of years in an education plan for parents and teens. Kudos. However, I’m concerned. While they are investing millions - it doesn't appear to be towards technology development, but rather education of parents and teens. It's like saying, "we only build the technology"... Hmm... I've heard this argument before.

Heading Home (July 2, 2006)

Well, all good things must come to end. It is time for me to bid adieu to Cambridge. I offer many thank you’s to a city that shines as a beacon of how a city can accommodate the bicyclist. Cheers!

Now, as my previous experiences have illustrated, no trip in England is without it’s catch. And so it is with my train trip from Cambridge this morning. After a fun-filled evening of soccer-watching and pubbing, I awoke at 6:00 am to shower, settle my bill with the master of the house, and hike back to the train station. It was a problem-walk, about forty-five minutes. Upon arriving at the station, I asked when the next train to Kings Cross was - and to my surprise, there aren’t any direct trains. Wonderful. Instead I had to catch the 8:10 train to Letchworth; then take the bus to Welling Park (or something like that); then catch another train to Kings Cross. They said the trip should take around an hour and forty-five minutes. Are you kidding me? Come on England.

Well, I’m on the train from Cambridge to Letchworth, so here we go....

Ah, it was Letchworth Garden City to Welwyn Garden City. That was quite an event. After making it to Welwyn, there was no clear way to the trains. The bus dropped us off at the entrance to the trains or so it seemed. But when we went in, you had to take an elevator or stairs up to the trains. Well, the elevator filled up quickly, so I settled for the stairs (I’m getting tired from the lack of sleep and early morning hike). When we got out of the stairwell, we found ourselves in the middle of a mall and no information on where the trains might be. We had to ask people in the mall who pointed us toward the escalator and up one floor. Apparently taking the elevator did not make finding the trains any easier either. The elevator group ended up following the stairs group. Brilliant.

When we made it to the platforms, the board said that the next train to Kings Cross was not leaving until 9:30am from Platform 3. So, I asked someone if the train currently on the platform was going to Kings Cross, they told me that yes it was going to Kings Cross, but that this was the 9:23 train and not listed on the board. Amazing.

So, now I’m sitting on the train waiting to go to Kings Cross, so that I can transfer to the Victoria underground and then to Gatwick by above ground. This is crazy...

Finally made it to Gatwick - and it only took 3 hours. Wow. Anyway, Gatwick was a breeze. It took around 5 minutes in line to get my ticket and about 5 min to make it through security. Then a twenty minute walk to the gate. The fun never ends does it?

Well, I’ll stop complaining. It’s just the weariness speaking. I’m on the flight and headed home and that’s all that matters.

I’ll only be in Pittsburgh for 2.5 days before I head back out to Nashville for a week. So, if you’re looking for me - you better be quick about it.

The Day After (July 2, 2006)

If you ever wanted to know what it feels like to see a stake driven into the heart of a nation - then welcome to England after being bounced from the Wold Cup. Yesterday, I watched the England / Portugal match in the Kings Street Run, with a down-to-earth soccer loving crowd. After spending three hours with such an enthusiastic set of guys and girls, you can’t help but share in their agony.

My consolation was watching Brazil get thrashed by a superb group of frenchmen. The French are getting stronger with every game, and I look forward to cheering them on when they play Portugal next week. Only 2 more games to go and then I won’t be watching soccer for months.

I’m a soccer-junkie. I know. I love to play soccer. I love to watch soccer. I love to talk about soccer. I love to teach people how to play the game. But a World Cup is almost too much soccer. It pushes the limit of your dedication to the sport - especially when your country is no longer in the competition. The saving grace is that as the tournament moves forward, the tenacity grows and the quality of play and players (usually) rises.

Post PET (July 1, 2006)

Wow. Those were two excellent World Cup games.

After the Privacy Enhancing Technology Conference finished, I had had some excellent discussion with Alastair Beresford regarding the use of maximum matchings in bipartite graphs for optimal linkage or re-identification. It turns out our research in graph theory and its applications is quite similar; virtually complementary to each other.

Following the discussion, I made my way with a couple of people to a The Mill - a renowned local pub - to watch the final thirty minutes of the Germany / Argentina game. I grabbed a pint of Guinness (it really is a bout 100x better than in the US) and let the atmosphere take over. It’s just a corner pub and by the time the game went into penalties, the place was jam-packed. As you know Germany won and the place erupted into cheers.

Later in the evening, I made it over to a large pub in the middle of the city for the Italy / Ukraine game. I grabbed a pint of Old Speckled Hen - not a big fan - especially on a warm summer evening. Anyway, though the Italians bulldozed the Ukranians, the pub was a buzz. It was an extremely large pub of which the entire second floor was standroom early and packed with Italians. Towards the end of the game, all you could hear was chanting and foot-stomping to IT-AL-IA, IT-AL-IA, IT-AL-IA. Now that’s a country behind its team.

Now if only pubs in this country would serve food at dinnertime. I still have yet to understand why they only do lunch.

So, today is Saturday and some of the conference attendees are getting together to “punt” down to Grantchester (think gondalas on a river). It sounds like a terrific opportunity, but I think I’ll have to pass. I have spent most of my time in meetings and have yet to truly explore any of Cambridge and its excellent shops. Also, I have to return my bicycle by 5pm at the latest. But really, I’m going to return it at 3:30pm - the England / Portugal game is on at 4 and this game must be watched - how can you not do as the British do.

PET Workshop - Day 3 (June 30, 2006)

Day 3, the final day of the workshop (which is really a conference). The final day, and I have the final presentation. The final presentation that happens to begin 30 minutes before the Germany / Argentina World Cup match. What are the chances that I’ll have a relatively small set of people at my talk?

Anyway, on to today’s talks:

Session 5: Private Multiparty Computation

Presentation 1: Private Resource Sharing
- Claims to be an efficient solution to the private matching
problem in both the semi-honest and potentially malicious
- Researchers provide encrypted credentials that they are
on a need-to-know basis via metadata
- Assumption: metadata is static
- Resource then has to prove that they have the requested
- Private Key Generator maintains “master secret” --> Alice
retrieves key for “alice” --> She passes the message that is
assigned with her private key to Bob --> Bob uses the
public key “alice” to verify
- Assume each owner possess a unique master secret for
an IBS private signature scheme

Presentation 2: Honest-Verifier Private Disjointness Testing Without Random Oracles
- New idea “testable and homomorphic commitments”
- Private Disjointness Testing: two parties add their datasets
and they learn if their is an intersection or not (1 or 0)
- Application Examples: 1) No Fly List, 2) Anonymous Login
- Prior solution: secure function evaluation (GMW’87) &
zero-knowledge sets (MRK’03)
- Uses 2 tools
1) Embeds set representations as polynomials
- Roots of polynomial are points in the set
2) Homomorphic encryption:
Addition: E(x) + E(y) = E(x + y)
Constant Mutliplication: E(x)y = E(xy)
- Prior Solution
- Alice will publish encrypted coefficients
- Anoyone can come obviously evaluated polynomial
- But this solution is not private - because people learn f
(b), where b is the coefficient
- FNP extension: multiple everything by random value r. If f
(b) is nonzero (i.e. there’s an intersection) then we learn
random value
- Problem: only works in semi-honest; a malicious party
can just encrypt and evaluate zero
- Today’s solution extension to FNP
- Private Operations: 1) Commitment, 2) Equality Test of
commitments (uses Pederson commitments)
- Open question: security against malicious verifiers?

Presentation 3: A Flexible Framework for Secret Handshakes: Multiparty Anonymous and Unobservable Authentication
- How can people authenticate each other if they are not
permitted to divulge their affiliations
- Prior work uses one-time pseudonyms, but supports only 2
party handshakes
- This research avoids pseudonyms and extends to n-party
handshakes by using reusable group signatures
- Also has the ability for self-distinction: given more than 2
people in a group, it can be determined that everyone in
the system is unique

Session 6: Authentication and Cryptography

Presentation 1: On the Security of the Tor Authentication Protocol
- Uses a customized variation of Diffie-Helman encryption
- Until last year Tor’s authentication model was broken.
- An initial message could be intercepted & ignored
- Then a false response could be sent by the adversary
and the adversary can control Alices Tor route.
- This has been patched and this research proves that the
new authentication protocol is resistant to this problem in
the random oracle model
- Resistance to “reaction attack”
- Alice encrypts and sends message to Bob
- Mallory modifies ciphertext, sends to Bob (sometimes
its meaningful, sometimes its not)
- If meaningful, Bob responds and Mallory can learn
information about Bob

Presentation 2: Optimal Key-Trees for Tree-Based Private Authentication
- Motivation: Mobile user that authenticates himself at each
access point, but an eavesdropper tracks the user and
collects his authentications
- Key-tree based on private authentication
- First authenticates with top key (i.e. root note) and the
server is told which branch of the tree the key resides
- Keys in the next level of the branch are enumerated
until proper key is found
- This repeats recursively until key is found in leaf node
of tree
- Privacy of members, measured in anonymity set size is
increasingly destroyed as more people in the tree are
- Solution: phrase as an optimization problem and orient the
tree so that it is compromise-level is minimized.

Presentation 3: Simple and Flexible Private Revocation Checking
- Problems with premature revocation of certificates
- Certificates only need to be verified once
- But prior to communication, you should always check the revocation status
- Privacy leaks: third parties can learn
- Source of revocation query
- Target of the query (focus of this talk)
- Problem identified by Kikuchi in “Privacy-preserving
revocation check in PKI”
- Modify certificate revocation trees (CRT) structure
- Range queries
- Instead of querying for a single node, query for a
range of nodes
- My concern - increase in network traffic?
- Permuted Ordering of tree
- Potential problem - near neighbors could be related
and that can reveal “concept” that of query
- Pseudorandom permutation to guarantee uniform

Session 7: Traffic and Location Analysis

Presentation 1: Breaking the Collusion Detection Mechanism of MorphMix
- P2P anonymous networking overlay
- No centralized component
- Nodes only need a local view
- Tunnels are constructed via a witness
- Collusion detection mechanism
- Assumes more difficult to control multiple IPs (16-bit
- Assumes attacks provide all or many malicious nodes
- Assume will provide random selection of malicious
- Get the list of potential nodes from each node
- Count the number of nodes in common and compute
- Attacker Goal
- Link connection initiator with outgoing network
- Control at least the first intermediate and last node
- Potential Solutions
- increase the size of potential nodes
- increase length of tunnels (currently set at 5)

Presentation 2: Linking Anonymous Transactions: The Consistent View Attack
- Multiple credentials sent to a user from an organization
- Adversary knows all of the pseudonyms that are issued
to users
- Goal: Partition the set of pseudonyms into equivalence
- Adversary must remove all inconsistent partitions
- partition is inconsistent if issuing of pseudonym occurs
after another pseudonym that has yet to be used
- Enumeration of all groups is NP-complete
- Proof: convert history file into Boolean circuit

Presentation 3: Preserving User Location Privacy in Mobile Data Management Infrastructures
- A data framework that trades location privacy and service
- Introduce a definition of “query quality”
- Cloaked Location Model
- Density over where a query could come from or
correspond to
- Cloaking Agent
- Policy Translator (Sends Privacy Prefs and Cloaked
Location to Service Provider)
- e.g. k-anonymity
- Privacy vs. Accuracy vs. Control with respect to
particular locations or providers
- Service Translator
- Result Translator
- Imprecise location range query --> get probability that
someone / something satisfies range query
- Experimental analysis on IBM City Simulator illustrates a
tradeoff between privacy (in terms of range) and accuracy
or quality of service
- Question asked: How do you communicate “quality” or
probability to a user

Presentation 4: The Effects of Location Access Behavior on Re-identification Risk in a Distributed Environment
- It’s my talk.

And now I’m off to go watch the Germany / Argentina world cup match.

PET Workshop - Day 2 (June 29, 2006)

It’s Thursday, the second day of the Privacy Enhancing Technologies Workshop and I’m still adjusting to the jet lag. Below are notes from today’s sessions. But first, I’ll summarize the rest of day:

Today’s meetings ended with a rump session, in which anyone could get up and talk about their new projects or proposals for 5 minutes. There was high-level research, low-level research, proposals for conference hosting, calls for research support, and even self-confessionals. Quite unlike anything I’ve seen before. It was simply a whirlwind of people and topics.

This evening the attendees went to dinner at a very cute hotel restaurant. It was a short bike ride from my B&B - ah the freedom of bicycling in this wonderful town! The food was excellent and I had excellent table conversations. But what I found most interesting was how we began dinner with an apertif of “pims”. Quite a curious little highballish drink that included strawberries, lemons, cucumbers, fresh mint, and who knows what else.

Now, back to the sessions.

Font color = Red Session 2: Privacy Policies

Presentation 1: Enhancing Consumer Privacy in the Liberty Alliance Identity Federation and Web Services Frameworks
- Systematic walkthrough of frameworks to identify potential
privacy breaches, then makes recommendations on how
to fix them
- Liberty alliance is a framework for federated identity
- Allows a user to connect to multiple sites using different
logins, but based on common core
- Example Problem: Introduction of users to new groups
may be privacy violation
- Proposed Solution: Get user consent for every

Presentation 2: Traceable and Automatic Compliance of Privacy Policies in Federated Digital Identity Management
- Investigation of inter-organization management of identity
- Description of policy “harmonization” mechanisms
- Approach relies upon the prespecification of an ontology to
model semantic relationships
- Use of privacy policy templates to ease policy specification
- Question from the audience: how can we address
matching of schemas across organizations
- Speaker Comment: Goal is try to allow service providers to
exchange information about a user without contacting a
user first?
- Speaker Comment: Belief it can be done if policies specify
this is agreeable

Presentation 3: Privacy Injector: Automated Privacy Enforcement Through Aspects
- Want to address 2 challenges: 1) How can we
“consistently” enforce a privacy policy throughout the life
cycle of data
- Uses aspect oriented programming (AOP) language, such
as AspectJ (Java-based)
- Desirable property of AOP:
i) modularization (i.e., decomposition of events/
ii) crosscutting concerns (which affect the who
iii) it does not change existing applications - works on
bytecode, not sourcecode
- Privacy Injector: an AOP application for administering
sticky policies
1) Tracks data by assigning metadata and storing
structured policies
2) Attempts to ensure persistence and enforcement on
the fly (e.g., querying storage DB)

Presentation 4: A Systematic Approach to Automate Privacy Policies Within Enterprises
- HP Labs approach to “Privacy aware access control”
- Simple approach: perform queries against database, such
that purpose, consent, and actions (such as filtering /
obfuscation) at runtime of queries
- Query rewriting to achieve solution (think JDBC proxy)
- Extension to business / enterprise level
- Prior examples include IBM/Tivoli privacy manager, IBM
Hippocratic databases

- HP uses “identity management” perspective, which
- User provisioning & Account Management
- Privacy-Aware Access Control System
- Manages consent & other preferences
- Obligation Management System
- Privacy obligations and policies
- All of which sits on top of data repositories
- Front end access via web portal
- Architecture based on “Validator” and “Enforcer”

Session 3: Privacy in the Real World

Presentation 5: One Big File Is Not Enough: A Critical Evaluation of the Dominant Free-Space Sanitization Technique (Garfinkle & Malan)
- One model for overwriting disk is to create one BIG file
(i.e., pick a sector and continually grow the file)
- Alternative, create lots of little files.
- Back to the big file situation - works assuming that you can
access all sectors.
- Unfortunately, can not access “slack space”: a file that is
partially overwritten with another smaller file leaves a small
amount of information.
- Question: can we recover files in the slack space?
- Developed a technique to find the slack space and
evaluated against different erasing and secure erasing
- Experiments show you can find some of the slack space,
the signature of files, and reconstruct files.
- Also looked at Big+Little technique
- Big file deletes most “deleted” files, but:
- many file names & times remain
- there are times when complete files remain
- “Journaled” file systems harder to sanitize
- Big conclusion: need to work at file-system level for
proper / complete sanitization

Presentation: Protection Privay with the MPEG-21 IPMP Framework
- Parallel between copyright and privacy protection
- MPEG-21: specifications for using, manipulating, &
navigating multimedia content
- MPEG-21 Intellectual Property Management for digital
rights management (DRM) protection
- Application required a
1) Rights expression language for privacy specification
P3P - though does not defined enforcement
EPAL & XACML - do not have a vocabulary
***MPEG REL & ODRL - does not support elements
used in privacy - so they extended the
2) Enforcement System
3) Suite of tools for user / ease of use (web based)

Presentation: Personal Rights Management
- Worried about cellphone cameras being used and published all over the place (Blogs, Flickr, MySpace, etc.)
- Try to allow people to control pictures of me that are taken
by different people
- Legal controls in Europe and other realms
- Related Work:
Artificial Shutter Noise
Camera Blockers: Restrict cameras (HP) Blind cameras
with lasers (GaTech)
Cell Phone Ban (Policy-specific)
- Goals:
1) defend against non-professionals (i.e., can’t handle
hacking, telescope lenses, etc.)
2) Protect photographer as well (don’t infringe on
photographer’s privacy)
- Model: Camera sends pictures to website (without consent
of individual?
- Digital Watermarks vs. Hashing of pictures
- Broadcast what is available on the web and allow me to
find it and take it down.
- Open problems, blogs and de-identification or
trustworhiness, “beating people up with a script”, public
internet pillory.

Session 2: Privacy Policies

Presentation 1: Improving Sender Anonymity in a Structured Overlay with Imprecise Routing
- Why study? Good for building network servies - Routing
predictably and efficiently converges; usually fault tolerant
(see Chord)
- Goal: make it difficult for an adversary to determine which
key was contributed (or is administrated) by which IP
address (i.e., the “finger” position).
- Solution: obscure some information in the routing table
- Instead of reporting exact node position, report random
point within a defined range (a.k.a. imprecise routing)

Presentation 2: Selectively Traceable Anonymity
- It’s one way to deal with abuse
- Some systems have “implicit” tracing policies - but which
ones can be supported?
- Result summary
- Many models can be augmented to support tracing
- Transformation preserves “coercible” anonymity scheme
- Tracability achieved via group signatures & voting
- Little Problem 1: incentive to read unsigned messages
- Little Problem 2: sender has no incentive to sign
- Big Problem: No incentive to pass along unsigned
- Solution: Prove sender output is consistent with signed
- Uses noninteractive zero knowledge proofs.
- Basic example of a non-coercible anonymity scheme -
Shamir Secret Sharing
- But it’s uncoercible because you can lie about the
share that you held
- Extension to coercible: use commitments with the shares

Presentation 3: Valet Services: Improving Hidden Services with a Personal Touch
- Example: Censorship resistant publishing
- Example: Multilevel secure chat servers
- Goals:
Accessible from anyone / anywhere
Resistent to authorized users, DoS attack, physical attack
- Existing model: Rendezvous at a server via Tor/Onion
- In current network, everyone knows the “Introduction
points” that lead to hidden services
- But if we introduce “Valet” nodes, or intermediaries, we
can obscure the introduction nodes
- Public directory servers don’t know private hidden
servers don’t know hidden service exists, nor how to
access it
- Reduces denial of service attacks and adds quality
of service as an option
- Extended model: add “Valet Nodes” - in theory can give
out to each person per contact ticket / session
- Alice connects to Valet, then Valet connects to entry point
- Decreases probability malicious parties can detect
the introduction points

Presentation 4: Blending Different Latency Traffic With Alpha Mixing
- Research looks at the batching strategy of mix-nets. In
other words, high latency makes larger batches of
messages and more anonymity
- Most use high latency for anonymous email and low for
web browsing (most users)
- Alpha mixing - introduce a delay parameter that is
specified by the user (per mix)
- Adding a parameter T, the period, for each time period,
alpha gets decremented. When alpha = 0, messages get
forwarded on.
- Alternative, when n messages with alpha = 0 are
accumulated, then the messages are forwarded
- Brad’s Opinion - for those of you that have not read it, this
research is very similar in spirit to the following paper for k-
Buğra Gedik and Ling Liu. A Customizable k-Anonymity Model for
Protecting Location Privacy. International Conference on
Distributed Computing Systems, IEEE ICDCS 2005.

PET Workshop - Day 1 (June 28, 2006)

Blogging to you from Robinson College, Cambridge University. It’s been quite a successful first day to the Privacy Enhancing Technologies workshop. It appears things are getting more competitive here. In the greetings / introduction, it was announced, there were about 100 paper submissions this year, and a 25% accept rate.

Talks at the workshop kicked off with a keynote by Susan Landau of Sun Microsystems, and one of the architects of the Liberty Alliance framework. The talk touched upon the history of privacy laws and regulations, but the main crux of the talk was about how we can learn from Pugwash and become more ethical in our research.

The first session had several interesting papers. The second paper focused on how to use crypto to prevent the tracking of individuals in transportation systems. In other words, how can I use an RFID for payment, but not let people follow my signal. Interesting notion.

The final paper was by Alessandro Acquisti, who (in research with Ralph Gross of the Data Privacy Lab @ CMU) presented results from a survey of Facebook members and nonmembers regarding privacy beliefs and information they put online. The most interesting finding was that people don’t even believe what Facebook says they’ll do. For instance, if Facebook says it will combine lots of external information on you - respondents tended to answer “I don’t believe that”. Amazing. My main concern is that the reason why people share so much information on Facebook, is that the system defaults to asking users fill out their page and that all information is requested. And since people want to do the best they can, they believe they should answer every question on the form. It’s just a thought, but if it’s true it’s an example of how defaults in the Facebook system need to be reconsidered.

Better blogging and notes on the talks tomorrow. Promise.

The reception at Microsoft Research was excellent. Yummy food and tasty beverages. It’s a beautiful facility and it was a lovely bike ride from Robinson college. The greenspace out here is truly astounding, as is how bike-friendly the town has revealed itself to be.

In Cambridge

An update - I made it to Cambridge and this is a bicyclists dream. Bikes, bikes, everywhere. There are so many bikes. Anyway, I rented a bike for the week and it is excellent. Cambridge is old and beautiful and seeing it by bike is just terrific.

Granted, trying to bike in a city that you don’t know has some hazards, such as... I got lost for about 45 minutes while trying to find the bed & breakfast I’m staying at. It’s hard to keep a mental model of the city map - and the streets are more convoluted and strange than Pittsburgh. Roundabouts everywhere. Alright - time to take a nap.

On the Road to Cambridge (June 27, 2006)

Shruuuuuubberies! Get your shrubberies here! Getting to Cambridge from Gatwick is like trying to get from Pittsburgh to Cleveland by way of Columbus, by train, underground, bus, and foot. This is crazy.

Since arriving in London (Gatwick) at 9am, I’ve been making my way, double-backing, making my way, double-backing some more, and well you get the picture. To elaborate. After making it through customs, I bought a train ticket from Gatwick to Cambridge. In the directions I have from the conference, it says take the train to Victoria, the underground to Kings Cross, and then take a train to Cambridge. Sounds easy right? But hmmm... the guy at the train counter says, don’t go to Kings Cross go to Finsbury Park. To which I respond, “Um... are you sure?” And he says, yes it’s faster. Well, ok Mr. Train Ticket Salesman. No problem.

So, I catch a train to Victoria and upon arrival find myself staring at the gigantic oversized board that flashes which train is going where. Unfortunately, none of the trains are going to Kings Cross or Finsbury! Ugh. So, I ask a coffee shop worker how to get to Finsbury and they said they don’t know because they don’t really use the trains. Great! Next up, I walked over towards the platforms and asked one of the workers how to get to Cambridge. To this inquery he responds that I don’t want a “train”, I want the “underground” to Kings Cross. Thank you very much, but are you sure I want to go to Kings Cross? The answer - definitely - and I must take Platform 2. Alrighty.... here I go.

So, into the underground I go. I have my train ticket, but now I’m in the underground, will my train ticket work? I look around, but everyone’s underground ticket looks completely different than my train ticket. Great. I can’t find an underground employee anywhere, it’s super super super crowded (Tokyo-style), the face-to-face ticket counters are jam-packet (there must be at least 50 people in line), and I’m standing in the middle of the underground ticket-purchasing section with a confused touristy look on my face. Oh boy - not good. I repeat - oh boy - not good. *ding* *ding* *ding*.... The warning bells are going off in my head. So, I go to stand in line for an automatic ticket machine that accepts credit cards (Halleluya - because I have yet to hit an ATM yet - yeah, I know what you’re thinking, but I’m a bit sleep deprived).

When I get to the front of the line, everything goes smoothly in the transaction. Single zone ticket? Check. Insert card? Check. Remove card? Check. Error - your card can not be read, please find an attendant or cancel this transaction. This process repeated several times, someone behind me (a non-Londoner also) tries to help out - but alas. In the end I cancel the transaction and let the angry hoard behind me continue on with their day.

Now, I still don’t like option 1 (try to use my train ticket) or option 2 (wait in the 50+ person line for the person at the ticket window), so what do I do? Well, I find another ticket machine. This time all works well. Whew! Double Whew! And I’m just about ready to get down on my knees and thank the lord!

Alright, so now I’ve got my ticket, now I’ve got to figure out which Victoria line I want. Can you believe it - there are two lines a yellow/green line and a blue line. After a minute of deliberation I realize both go to Kings Cross and the blue line is actually called the “Victoria” line. So blue it is.

I use my ticket and have to go down (it is the “underground”) to the platforms. Yet another dilemma - there is only a Platform 3 and a Platform 4. There is no Platform 2! What planet that I walk onto? What the dangnabbit is going on? Ok, ok, no need to panic - I find out that if need be, there is a walkway (albeit a long one) to the yellow/green line to see if those are actually Platform 1 and 2. But first I check to see where Platform 3 goes. Thankfully, after some confusion I realize it goes to Kings Cross. And it goes to Finsbury a couple of stops later. Woohoo. I’m in good shape - or so it seems (que the Twiight Zone music)

So, I grab the next train and get off at Kings Cross. Now, which underground/train line do I need? Could it be the “Northern” line? That would make sense since I’m going “north”, but there are two other underground lins and I have no idea, so I figure I’ll go upstairs and ask a worker. And that’s what I do. The answer - yes, you can grab a connection to Cambridge from here. Hmm... connection? Does she mean an underground or train? Well, no time to ask, because apparently I can’t grab a connection today. You see, normally you can, but.... not when there’s a fire - that’s right a fire - the previous evening at Kings Cross. Are you kidding me? My transfer to Cambridge was just not meant to be.

So, back down to the Victoria line I go. I grab the next train to Finsbury, get off and proceed to ask a worker how to get to Cambridge. Go left, left, up and you’re there. Um... ok. So I go left, left, then up and.... I have another choice, I can either go right to the underground or left and up again. Lucky for me there are a multitude of cops/bobbies/whatever patrolling and helping out with the mass confusion that I realized was going on around me. You see, everything that was leaving from Kings Cross was rerouted to Finsbury. Wonderful. A nice officer says, go on up - track 3. Finally! So, up I go and a I’m about to get on the train when that little voice in my head tells me that with everything that’s been going on I should ask if this is the right train before getting on. So I do. And what do you know? The train is not going to Cambridge. The next train will go to Cambridge - they think.

You think? I ask what he means by this statement. He says, well there aren’t any fixed schedules today because of the Kings Cross fiasco. So I ask if they have an idea when the next train to Cambridge will come along. The answer is not reassuring - neither he, nor the other workers were sure, but they would let all of us know when the train did come along. Where am I, a third world country? Who knew that London could have such problems.

So, I take my seat and end up in a conversaion with a recently graduated Cambridge student who is making his way back to the city after a holiday. Nice guy, he reassured me that it isn’t always this crazy to get to Cambridge - but that sometimes it really is. In fact, he says, that on particular days, such as the Sunday that I’ll be going back, the train doesn’t run at all! He response - “WHAT?!?!?!?”! But no fear - they will run a shuttle bus in that case and I’ll be fine. This is absolutely crazy.

Anyway, after a couple of trains and a half-hour later, the cambridge train finally arrives. It’s been an hour now, and I’m still on the train to Cambridge, but at least I know I’ll actually get there today.

Reminder to self - Pay the extra $500 and fly to London - Stanstead Airport. It’s north of the city and only a 20 mile ride to Cambridge.

But solace - to some extent - at least I’ll be there with plenty of time to find a pub and watch the Brazil-Ghana world cup match!

En Route to London (June 27, 2006)

This blog is coming to you from high above the ocean on a transatlantic flight to London.

Ah, the joys of flying coach on an international flight. I know some of you fight on my side in the eternal struggle of sleep vs. flight. For some reason, I just can’t seem to reconcile the two. Well, at least not without an eyemask and earplugs - and guess what I forgot to bring with me.

Yet, even with the handy-dandy mask and plugs, I still have a rough time. Maybe it’s the people moving around me. Maybe it’s the fact that it’s 2AM Pittsburgh time, but it’s morning and light outside. Maybe it’s the loud talkers behind me, the children in front of me, and the flight attendants walking around me (an aisle seat, oh how lovely!). Maybe it’s the fact that I’m sitting up very close to upright in anuncomfortable chair and “Big Momma’s House 2” as the creme-de-la-creme film choice of the evening, I mean morning, I mean - what time of day would you call this? There must be some sniglet that fits the bill.

Anyway, I ask - no I implore - Sleep where are you? Oh, what I wouldn’t give for a Hilton king-sized bed in coach.

P.S. I’m also trying not to think about how many people have farted in this seat, and to what degrees, but how can you not?

Decentralization for Federal Health Privacy? (June 26, 2006)

Electronic medical records, affectionately known as EMRs, are the way of the future. There are reports that “prove” they help reduce errors in healthcare, while other reports “prove” they introduce or magnify errors, and still other repots that “prove” evidence belongs to neither side of the fence. Clearly, there are many factors that play a role in the effect that EMRs have, including organization size, training of workers, type of treatment a provider specializes, etc.

In the midst of the debate, however, it is clear that we are in an information society and just about every aspect of our lives, including our medical records are moving toward electronic documentation. And, as with any personal information system, there are privacy issues abound. Concerns over privacy in healthcare are not new. In fact, health-related information is considered to be some of the most sensitive types of information about an individual. This sentiment has helped to introduce various state and federal regulations regarding the control and distribution of person-specific health records. Yet, in light of current events, i.e. recent concerns over the NSA’s snooping of phone records, AT&T’s recent amendment to their privacy policy to claim further ownership of data over their network, and financial record monitoring by the federal government, of course the American populace is on high-alert and is sincerely concerned about privacy issues.

Back to the story at hand. . . As some of you may (not) know, the the US is heading towards a national electronic medical record system. And in a recent story published in the LA Times it is reported that decentralization of medical records systems is the privacy protection policy that is being adopted. Kudos to the policy architects for foresight and forethought. Personally, I agree that decentralized control and access of patient medical records helps protect from a direct privacy invasion based on curiosity and nosiness.

However, I offer congratulations with reserve and trepidation. There is still much to do and policy only gets us part of the way there. A decentralization policy alone is not sufficient to prevent true concerted privacy attacks, many of which are nontrivial and difficult to legally achieve. I encourage the continued efforts of the government to embed privacy in their solutions and encourage them to open up the design to public review, evaluation, and subsequent comments.

Then again, who knows? Until we see the architecture of the protection, I can only speculate.

Hiser Wedding (June 25, 2006)

It finally happened! Matt Hiser and Susan Tate are now... Susan and Matt Hiser! Matt may have injured, and then reinjured, his achilles in the time leading up to the big day - but nothing was going to keep him from this terrific woman. What a wonderful and perfect wedding.

Pictures are up in my Photos section.

The highlight of the evening was when Susan’s dad surprised her with a polka and the two of them performed for the attendees. Too much fun!

Back to the 'burgh (June 16, 2006)

One thing I’ve learned through my recent travels - I’m not a big fan of Southwest Airlines. The lineup-wait-wait-wait process is just not fun and personally I find it to be a bit stressful. I can’t believe that people stand in line for over 20 minutes before boarding (actually, I’ve seen people in line for over an hour, but it’s only now when the queue has become quite long) - there isn’t even a plane here yet! (The photo doesn’t quite due the line justice, but I’m still figuring out how best to position the iSee camera)

Nonetheless, I write from the airport because after an eventful 10 days in Nashville, I return to Pittsburgh. During my first full Nashvillian-experience, I achieved more than I ever expected. I set up my Vanderbilt accounts (email, accounting, etc.), had several meetings, set up a mentoring committee, reviewed some papers, and had my first business trip on a private chartered jet. And in the midst of it all, I was even able to sit down and continue some research projects.

And to top it all off, Sara and I found and bought a house in one day of searching: 2 hours of house hunting and several offers/negotiations. Now how’s that for efficiency!

Anyway, it’s been hectic (especially with the World Cup taking place right now - come on USA!), but now its time to take some time back in the ‘burgh before heading out on June 26 to Cambridge, England for a week to attend and present at the Privacy Enhancing Technologies Workshop.

A Nashville Start (June 15, 2006)

It’s been almost 2 weeks since I began my new position at Vanderbilt University. And what a whirlwind adventure is has turned to be. I’ll update this entry soon.

The Return of the King... I mean Blog

Ok, the VPN between my new Macbook and Vanderbilt's system is buggy. Thus, my web page edits are difficult. As a consequence, I am returning to this blog! I'll migrate my blogs over the past month to here in a jif. So watch out!