The Role of Cyberespionage in Innovation: Artificial Intelligence Edition

Submitted by Katie Dey on

Christopher Porter is the Chief Intelligence Strategist of FireEye and a Senior Fellow at the Atlantic Council.

Christopher has testified before Congress and offered commentary on cybersecurity and threat intelligence in the New York Times, USA Today, NBC News, the Council on Foreign Relations, BBC, Lawfare, Foreign Policy, Defense One, Christian Science Monitor, Bloomberg News, Cipher Brief, War on the Rocks, Politico, Cyberscoop, Dark Reading, Roll Call and many other TV, radio, and print outlets worldwide.

Adversarial Label Tampering in Machine Learning


ABSTRACT

Supervised machine learning depends on its "supervision", on the labeled ground truth used to build a machine learning model. We demonstrate that it is possible to dramatically undermine the utility of those models by tampering with the supposedly accurate labels in the training data. That is, if some of the ground "truth" is actually lying, the resulting model may seem, incorrectly, to be uselessly inaccurate. Or, worse, it may seem an accurate model when trained, but be crafted to fail miserably in practice.

Contextual Integrity for Computer Systems
Lead PI:
Michael Tschantz
Abstract

Despite the success of Contextual Integrity (see project "Operationalizing Contextual Integrity"), its uptake by computer scientists has been limited because the philosophical framework does not meet them on their terms. In this project we will both refine Contextual Integrity (CI) to better fit the problems computer scientists face and express it in the mathematical terms they expect.

According to the theory of CI, informational norms are specific to social contexts (e.g., healthcare, education, commercial marketplace, political citizenship, etc.). Increasing interest in context as a factor in computer science research marks important progress toward a more nuanced interpretation of privacy. It is clear, however, that context takes on many meanings across these research projects. As noted above, Contextual Integrity is committed to context as social domain, or sphere, while some works have used the term to mean situation, physical surroundings, or even technical platform. In this project, we will disentangle the many meanings of context and expand the CI framework using formal models to show how these meanings are logically linked. We are exploring how precisely differentiating between situation and sphere can make CI more actionable. For example, this differentiation will help disentangle cases where a single situation participates in more than one sphere, or where information flows inappropriately from one situation to another. To make the de-conflated notions of context crisp, we are developing formal models for each notion of context, with clear explanations of which applies in which setting. We are attempting to model the central notion of context found in CI using Markov Decision Processes, to capture the fact that most contexts are organized around some goal (e.g., healthcare).

Privacy skeptics have cited variations across nations, cultures, and even individuals as proof that privacy is not fundamental but is more like a preference. The lesson for designers, for example, is to assess preferences in order to succeed within the marketplace of their targeted users. The explanation CI offers is that differences in privacy norms are due to differences in societal structures and the functions and values of specific contexts within those structures. But, because societies change over time, sometimes radically through revolutionary shifts, a theory of privacy must allow for changes in privacy norms. In the present time, revolutionary shifts are being forced by computer science and technology. Take, for example, a social platform such as a classroom discussion board and assume one has implemented Contextual Integrity, preventing flows from taking place that conflict with educational privacy norms. Assume, also, that norms change over time due to changes in technical practices and the educational system itself (e.g., the introduction of MOOCs). How might such systems adapt? We are laying the groundwork for understanding this problem by developing formal models of context and norm drift over time. We will augment the formal models of context mentioned above with notions of change, drawing inspiration from temporal logics.

CI and differential privacy (DP) both claim to define privacy as it applies to data flow. The former, as we have seen, offers a systematic account for what people mean when protesting that privacy is under threat, or is violated by systems that collect, accumulate, and analyze data; the latter offers a mathematical property of operations that process data as a definition of privacy that is robust, meaningful, and mathematically rigorous. For this project, another driving question is the relationship between CI and DP. For example, DP may be understood as one kind of transmission principle, but DP does not capture other socially meaningful transmission principles, such as reciprocity, confidentiality, and notice. Thus, we are also cataloging the wide range of transmission principles relevant to privacy and showing where DP is a useful mathematical expression. This will allow us to derive other mathematically rigorous specifications for other transmission principles.

Michael Tschantz
Performance Period: 01/01/2018 - 01/01/2018
Institution: International Computer Science Institute, Cornell Tech
Sponsor: National Security Agency
Securing Safety-Critical Machine Learning Algorithms
Lead PI:
Lujo Bauer
Abstract

Machine-learning algorithms, especially classifiers, are becoming prevalent in safety- and security-critical applications. The susceptibility of some types of classifiers to being evaded by adversarial input data has been explored in domains such as spam filtering, but the rapid growth in adoption of machine learning across multiple application domains amplifies the extent and severity of this vulnerability landscape. We propose to (1) develop predictive metrics that characterize the degree to which a neural-network-based image classifier used in domains such as face recognition (say, for surveillance and authentication) can be evaded through attacks that are both practically realizable and inconspicuous, and (2) develop methods that make these classifiers, and the applications that incorporate them, robust to such interference. We will examine how images can be manipulated to fool classifiers in various ways, and how such manipulations can escape the suspicion of even human onlookers. Armed with this understanding of the weaknesses of popular classifiers and their modes of use, we will develop explanations of model behavior to help identify the presence of a likely attack, and generalize these explanations to harden models against future attacks.

Lujo Bauer

Lujo Bauer is an Associate Professor in the Electrical and Computer Engineering Department and in the Institute for Software Research at Carnegie Mellon University. He received his B.S. in Computer Science from Yale University in 1997 and his Ph.D., also in Computer Science, from Princeton University in 2003.

Dr. Bauer's research interests span many areas of computer security and privacy, and include building usable access-control systems with sound theoretical underpinnings, developing languages and systems for run-time enforcement of security policies on programs, and generally narrowing the gap between a formal model and a practical, usable system. His recent work focuses on developing tools and guidance to help users stay safer online and in examining how advances in machine learning can lead to a more secure future.

Dr. Bauer served as the program chair for the flagship computer security conferences of the IEEE (S&P 2015) and the Internet Society (NDSS 2014) and is an associate editor of ACM Transactions on Information and System Security.

Institution: Carnegie Mellon University
Sponsor: National Science Agency