Sanitization’s slippery slope: the design and study of a content revision assistant


Chow, R.; Oberst, I.; Staddon, J. Sanitization’s slippery slope: the design and study of a content revision assistant. Symposium on Usable Privacy and Security (SOUPS 2009); 2009 July 15-17; Mountain View, CA.


For privacy reasons, sensitive content may be revised before it is released. The revision often consists of redaction, that is, the “blacking out” of sensitive words and phrases. Redaction has the side effect of reducing the utility of the content, often so much that the content is no longer useful. Consequently, government agencies and others are increasingly exploring the revision of sensitive content as an alternative to redaction that preserves more content utility. We call this practice sanitization. In a sanitized document, names might be replaced with pseudonyms and sensitive attributes might be replaced with hypernyms. Sanitization adds to redaction the challenge of determining what words and phrases reduce the sensitivity of content. We have designed and developed a tool to assist users in sanitizing sensitive content. Our tool leverages the Web to automatically identify sensitive words and phrases and quickly evaluates revisions for sensitivity. The tool, however, does not identify all sensitive terms and mistakenly marks some innocuous terms as sensitive. This is unavoidable because of the difficulty of the underlying inference problem and is the main reason we have designed a sanitization assistant as opposed to a fully-automated tool. We have conducted a small study of our tool in which users sanitize biographies of celebrities to hide the celebrity’s identity both both with and without our tool. The user study suggests that while the tool is very valuable in encouraging users to preserve content utility and can preserve privacy, this usefulness and apparent authoritativeness may lead to a “slippery slope” in which users neglect their own judgment in favor of the tool’s.

Read more from SRI