data privacy an overview vicen c torra december 2019
play

Data privacy: an overview Vicen c Torra December, 2019 Hamilton - PowerPoint PPT Presentation

Oct 29, 2022 •120 likes •2.02k views

Data privacy: an overview Vicen c Torra December, 2019 Hamilton Institute, Maynooth University, Ireland Overview Outline Overview What is data privacy? Why is it necessary and why it is challenging/difficult? Some definitions

  1. Introduction Outline Introduction • A personal view of core and boundaries of data privacy: boundaries ◦ Database in a computer or in a removable device ⇒ access control to avoid unauthorized access = ⇒ Access to address (admissions), Access to blood test (admissions?) ◦ Data is transmitted ⇒ security technology to avoid unauthorized access ⇒ Data from blood glucose meter sent to hospital. Network sniffers = Transmission is sensitive: Near miss/hit report to car manufacturers security Privacy access control Vicen¸ c Torra; Data privacy: an overview 10 / 130

  2. Introduction Outline Motivation Motivation I • Legislation ◦ Privacy a fundamental right. (Ch. 1.1) ⋆ Universal Declaration of Human Rights (UN). European Convention on Human Rights (Council of Europe). General Data Protection Regulation - GDPR (EU). National regulations. ◦ Enforcement (GDPR) ⋆ Obligations with respect to data processing ⋆ Requirement to report personal data breaches ⋆ Grant individual rights (to be informed, to access, to rectification, to erasure, ...) Vicen¸ c Torra; Data privacy: an overview 11 / 130

  3. Introduction Outline Motivation Motivation II • Companies own interest. ◦ Competitors can take advantage of information. ◦ Privacy-friendly (e.g. https://secuso.aifb.kit.edu/english/105.php ) ⇒ Socially responsible company • Avoiding privacy breaches. ◦ Several well known cases. ⇒ Corporate image Vicen¸ c Torra; Data privacy: an overview 12 / 130

  4. Introduction Outline Motivation • Privacy and society ◦ Not only a computer science/technical problem ⋆ Social roots of privacy ⋆ Multidisciplinary problem ◦ Social, legal, philosophical questions Vicen¸ c Torra; Data privacy: an overview 13 / 130

  5. Introduction Outline Motivation • Privacy and society ◦ Not only a computer science/technical problem ⋆ Social roots of privacy ⋆ Multidisciplinary problem ◦ Social, legal, philosophical questions ◦ Culturally relative? I.e., the importance of privacy is the same among all people ? Vicen¸ c Torra; Data privacy: an overview 13 / 130

  6. Introduction Outline Motivation • Privacy and society ◦ Not only a computer science/technical problem ⋆ Social roots of privacy ⋆ Multidisciplinary problem ◦ Social, legal, philosophical questions ◦ Culturally relative? I.e., the importance of privacy is the same among all people ? ◦ Are there aspects of life which are inherently private or just conventionally so? Vicen¸ c Torra; Data privacy: an overview 13 / 130

  7. Introduction Outline Motivation • Privacy and society ◦ Not only a computer science/technical problem ⋆ Social roots of privacy ⋆ Multidisciplinary problem ◦ Social, legal, philosophical questions ◦ Culturally relative? I.e., the importance of privacy is the same among all people ? ◦ Are there aspects of life which are inherently private or just conventionally so? • This has implications: e.g. tension between privacy and security. Different perspectives lead ◦ to different solutions and privacy levels ◦ and to different variables to protect. Vicen¸ c Torra; Data privacy: an overview 13 / 130

  8. Introduction Outline Motivation • Privacy and society. Is this a new problem? Yes and not Vicen¸ c Torra; Data privacy: an overview 14 / 130

  9. Introduction Outline Motivation • Privacy and society. Is this a new problem? Yes and not ◦ No side. See the following: Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that ”what is whispered in the closet shall be proclaimed from the house-tops.” (...) Gossip is no longer the resource of the idle and of the vicious, but has become a trade, which is pursued with industry as well as effrontery (...) To occupy the indolent, column upon column is filled with idle gossip, which can only be procured by intrusion upon the domestic circle. (S. D. Warren and L. D. Brandeis, 1890) Vicen¸ c Torra; Data privacy: an overview 14 / 130

  10. Introduction Outline Motivation • Privacy and society. Is this a new problem? Yes and not ◦ No side. See the following: Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that ”what is whispered in the closet shall be proclaimed from the house-tops.” (...) Gossip is no longer the resource of the idle and of the vicious, but has become a trade, which is pursued with industry as well as effrontery (...) To occupy the indolent, column upon column is filled with idle gossip, which can only be procured by intrusion upon the domestic circle. (S. D. Warren and L. D. Brandeis, 1890) ◦ Yes side. Big data, storage, mobile, surveillance/CCTV, RFID, IoT ⇒ pervasive tracking Vicen¸ c Torra; Data privacy: an overview 14 / 130

  11. Introduction Outline Motivation • Technical solutions for data privacy (details later) ◦ Statistical disclosure control (SDC) ◦ Privacy enhancing technologies (PET) ◦ Privacy preserving data mining (PPDM) • Socio-technical aspects ◦ Technical solutions are not enough ◦ Implementation/management of solutions for achieving data privacy need to have a holistic perspective of information systems ◦ E.g., employees and customers: how technology is applied Vicen¸ c Torra; Data privacy: an overview 15 / 130

  12. Introduction Outline Motivation • Technical solutions for data privacy (details later) ◦ Statistical disclosure control (SDC) ◦ Privacy enhancing technologies (PET) ◦ Privacy preserving data mining (PPDM) • Socio-technical aspects ◦ Technical solutions are not enough ◦ Implementation/management of solutions for achieving data privacy need to have a holistic perspective of information systems ◦ E.g., employees and customers: how technology is applied ⇒ we can implement access control and data privacy, but if a printed copy of a confidential transaction is left in the printer . . . , or captured with a camera . . . Vicen¸ c Torra; Data privacy: an overview 15 / 130

  13. Introduction Outline Motivation • Technical solutions for data privacy from ◦ Statistical disclosure control (SDC) ⋆ Protection for statistical surveys and census ⋆ National statistical offices ⋆ (Dalenius, 1977) Vicen¸ c Torra; Data privacy: an overview 16 / 130

  14. Introduction Outline Motivation • Technical solutions for data privacy from ◦ Statistical disclosure control (SDC) ⋆ Protection for statistical surveys and census ⋆ National statistical offices ⋆ (Dalenius, 1977) ◦ Privacy enhancing technologies (PET) ⋆ Protection for communications / data transmission ⋆ E.g., anonymous communications (Chaum 1981) Vicen¸ c Torra; Data privacy: an overview 16 / 130

  15. Introduction Outline Motivation • Technical solutions for data privacy from ◦ Statistical disclosure control (SDC) ⋆ Protection for statistical surveys and census ⋆ National statistical offices ⋆ (Dalenius, 1977) ◦ Privacy enhancing technologies (PET) ⋆ Protection for communications / data transmission ⋆ E.g., anonymous communications (Chaum 1981) ◦ Privacy preserving data mining (PPDM) ⋆ Data mining for databases ⋆ Data from banks, hospitals, and economic transactions (late 1990s) Vicen¸ c Torra; Data privacy: an overview 16 / 130

  16. Difficulties Outline Difficulties Vicen¸ c Torra; Data privacy: an overview 17 / 130

  17. Difficulties Outline Difficulties • Difficulties: Naive anonymization does not work Passenger manifest for the Missouri, arriving February 15, 1882; Port of Boston 2 Names, Age, Sex, Occupation, Place of birth, Last place of residence, Yes/No, condition (healthy?) 2 https://www.sec.state.ma.us/arc/arcgen/genidx.htm Vicen¸ c Torra; Data privacy: an overview 18 / 130

  18. Difficulties Outline Difficulties • Difficulties: highly identifiable data ◦ (Sweeney, 1997) on USA population ⋆ 87.1% (216 million/248 million) were likely made them unique based on 5-digit ZIP, gender, date of birth, Vicen¸ c Torra; Data privacy: an overview 19 / 130

  19. Difficulties Outline Difficulties • Difficulties: highly identifiable data ◦ (Sweeney, 1997) on USA population ⋆ 87.1% (216 million/248 million) were likely made them unique based on 5-digit ZIP, gender, date of birth, ⋆ 3.7% (9.1 million) had characteristics that were likely made them unique based on 5-digit ZIP, gender, Month and year of birth. Vicen¸ c Torra; Data privacy: an overview 19 / 130

  20. Difficulties Outline Difficulties • Difficulties: highly identifiable data ◦ (Sweeney, 1997) on USA population ⋆ 87.1% (216 million/248 million) were likely made them unique based on 5-digit ZIP, gender, date of birth, ⋆ 3.7% (9.1 million) had characteristics that were likely made them unique based on 5-digit ZIP, gender, Month and year of birth. • A few variables suffice for identifying someone. They are not “personal” Vicen¸ c Torra; Data privacy: an overview 19 / 130

  21. Difficulties Outline Difficulties • Difficulties: highly identifiable data ◦ An only record (25 years old, town) all other records with (age > 35, town) • A few variables suffice for identifying someone. They are not “personal” Vicen¸ c Torra; Data privacy: an overview 20 / 130

  22. Difficulties Outline Difficulties • Difficulties: highly identifiable data ◦ Data from mobile devices: ⇒ two positions can make you unique (home and working place) Vicen¸ c Torra; Data privacy: an overview 21 / 130

  23. Difficulties Outline Difficulties • Difficulties: highly identifiable data ◦ Data from mobile devices: ⇒ two positions can make you unique (home and working place) • A few variables suffice for identifying someone. They may be “personal” but one alone is not unique, the combination is Vicen¸ c Torra; Data privacy: an overview 21 / 130

  24. Difficulties Outline Difficulties • Difficulties: high dimensional data ◦ AOL 3 case ⇒ User No. 4417749, hundreds of searches over a three-month period including queries ’landscapers in Lilburn, Ga’ − → Thelma Arnold identified! 3 http://www.nytimes.com/2006/08/09/technology/09aol.html Vicen¸ c Torra; Data privacy: an overview 22 / 130

  25. Difficulties Outline Difficulties • Difficulties: high dimensional data ◦ AOL 3 case ⇒ User No. 4417749, hundreds of searches over a three-month period including queries ’landscapers in Lilburn, Ga’ − → Thelma Arnold identified! ◦ Netflix (search logs and movie ratings) case ⇒ individual users matched with film ratings on the Internet Movie Database. 3 http://www.nytimes.com/2006/08/09/technology/09aol.html Vicen¸ c Torra; Data privacy: an overview 22 / 130

  26. Difficulties Outline Difficulties • Difficulties: high dimensional data ◦ AOL 3 case ⇒ User No. 4417749, hundreds of searches over a three-month period including queries ’landscapers in Lilburn, Ga’ − → Thelma Arnold identified! ◦ Netflix (search logs and movie ratings) case ⇒ individual users matched with film ratings on the Internet Movie Database. ◦ Similar with credit card payments, shopping carts, ... 3 http://www.nytimes.com/2006/08/09/technology/09aol.html Vicen¸ c Torra; Data privacy: an overview 22 / 130

  27. Difficulties Outline Difficulties • Difficulties: high dimensional data ◦ AOL 3 case ⇒ User No. 4417749, hundreds of searches over a three-month period including queries ’landscapers in Lilburn, Ga’ − → Thelma Arnold identified! ◦ Netflix (search logs and movie ratings) case ⇒ individual users matched with film ratings on the Internet Movie Database. ◦ Similar with credit card payments, shopping carts, ... • A large number of variables are needed for identifying someone. The combination of them is identifying 3 http://www.nytimes.com/2006/08/09/technology/09aol.html Vicen¸ c Torra; Data privacy: an overview 22 / 130

  28. Difficulties Outline Difficulties • Data breaches. ◦ See e.g. https://en.wikipedia.org/wiki/Data_breach Vicen¸ c Torra; Data privacy: an overview 23 / 130

  29. Difficulties Outline Difficulties • Summary of difficulties: highly identifiable data and high dimensional data ◦ Ex1: Sickness influenced by studies and commuting distance ? Problem: original data + reidentification + inference (few highly identifiable variables) (similar with high dimensional variable) Vicen¸ c Torra; Data privacy: an overview 24 / 130

  30. Difficulties Outline Difficulties • Summary of difficulties: highly identifiable data and high dimensional data ◦ Ex1: Sickness influenced by studies and commuting distance ? Problem: original data + reidentification + inference (few highly identifiable variables) (similar with high dimensional variable) ◦ Ex2: Mean income of admitted to hospital unit (e.g., psychiatric unit) for a given Town? Problem: inference from outcome (outcome can allow inference on a sensitive variable) Vicen¸ c Torra; Data privacy: an overview 24 / 130

  31. Difficulties Outline Difficulties • Summary of difficulties: highly identifiable data and high dimensional data ◦ Ex3: Driving behavior in the morning ⋆ Automobile manufacturer uses (data from vehicles) ⋆ Data: First drive after 6:00am (GPS origin + destination, time) × 30 days ⋆ No “personal data”, is this ok?: NO!!!: ⋆ How many cars from your home to your work? Are you exceeding the speed limit? Are you visiting a psychiatric clinic every tuesday? Vicen¸ c Torra; Data privacy: an overview 25 / 130

  32. Difficulties Outline Difficulties • Summary of difficulties: highly identifiable data and high dimensional data ◦ Ex3: Driving behavior in the morning ⋆ Automobile manufacturer uses (data from vehicles) ⋆ Data: First drive after 6:00am (GPS origin + destination, time) × 30 days ⋆ No “personal data”, is this ok?: NO!!!: ⋆ How many cars from your home to your work? Are you exceeding the speed limit? Are you visiting a psychiatric clinic every tuesday? Problem: original data + reidentification + inference + legal implications of acquired knowledge (?) Vicen¸ c Torra; Data privacy: an overview 25 / 130

  33. Difficulties Outline Difficulties • Data privacy is “impossible”, or not? challenging ◦ Privacy vs. utility ◦ Privacy vs. security ◦ Computationally feasible Vicen¸ c Torra; Data privacy: an overview 26 / 130

  34. Terminology Outline Terminology Vicen¸ c Torra; Data privacy: an overview 27 / 130

  35. Terminology Outline Terminology • Attacker, adversary, intruder ◦ the set of entities working against some protection goal ◦ increase their knowledge (e.g., facts, probabilities, . . . ) on the items of interest (IoI) (senders, receivers, messages, actions) In a communication network with senders (actors) and receivers (actees) senders recipients messages communication network Vicen¸ c Torra; Data privacy: an overview 28 / 130

  36. Terminology Outline Terminology • Anonymity set. Anonymity of a subject means that the subject is not identifiable within a set of subjects, the anonymity set. That is, not distinguishable! Vicen¸ c Torra; Data privacy: an overview 29 / 130

  37. Terminology Outline Terminology • Anonymity set. Anonymity of a subject means that the subject is not identifiable within a set of subjects, the anonymity set. That is, not distinguishable! • Unlinkability. Unlinkability of two or more IoI, the attacker cannot sufficiently distinguish whether these IoIs are related or not. ⇒ Unlinkability with the sender implies anonymity of the sender. ◦ Linkability but anonymity. E.g., an attacker links all messages of a transaction, due to timing, but all are encrypted and no information can be obtained about the subjects in the transactions: anonymity not compromised. (region of the anonymity box outside unlinkability box) Vicen¸ c Torra; Data privacy: an overview 29 / 130

  38. Terminology Outline Terminology • Concepts: ◦ Unlinkability implies anonymity Attribute Disclosure Identity Disclosure Anonymity Unlinkability Vicen¸ c Torra; Data privacy: an overview 30 / 130

  39. Terminology Outline Terminology • Disclosure. Attackers take advantage of observations to improve their knowledge on some confidential information about an IoI. ⇒ SDC/PPDM: Observe DB, ∆ knowledge of a particular subject (the respondent in a database) Vicen¸ c Torra; Data privacy: an overview 31 / 130

  40. Terminology Outline Terminology • Disclosure. Attackers take advantage of observations to improve their knowledge on some confidential information about an IoI. ⇒ SDC/PPDM: Observe DB, ∆ knowledge of a particular subject (the respondent in a database) ◦ Identity disclosure (entity disclosure). Linkability. Finding Mary in the database. ◦ Attribute disclosure. Increase knowledge on Mary’s salary. also: learning that someone is in the database, although not found. Vicen¸ c Torra; Data privacy: an overview 31 / 130

  41. Terminology Outline Terminology • Disclosure. Discussion. ◦ Identity disclosure. Avoid. ◦ Attribute disclosure. A more complex case. Some attribute disclosure is expected in data mining. At the other extreme, any improvement in our knowledge about an individual could be considered an intrusion. The latter is particularly likely to cause a problem for data mining, as the goal is to improve our knowledge. (J. Vaidya et al., 2006, p. 7. Vicen¸ c Torra; Data privacy: an overview 32 / 130

  42. Terminology Outline Terminology • Identity disclosure vs. attribute disclosure ◦ identity disclosure implies attribute disclosure (usual case) Find record ( HY U, Tarragona, 58) , learn variable ( Heart Attack ) Respondent City Age Illness ABD Barcelona 30 Cancer COL Barcelona 30 Cancer GHE Tarragona 60 AIDS CIO Tarragona 60 AIDS HYU Tarragona 58 Heart attack ◦ Identity disclosure without attribute disclosure. Use all attributes ◦ Attribute disclosure without identity disclosure. k-anonymity ( ABD, Barcelona, 30) not reidentified but learn Cancer Respondent City Age Illness ABD Barcelona 30 Cancer COL Barcelona 30 Cancer GHE Tarragona 60 AIDS CIO Tarragona 60 AIDS Vicen¸ c Torra; Data privacy: an overview 33 / 130

  43. Terminology Outline Terminology • Identity disclosure and anonymity are exclusive. ◦ Identity disclosure implies non-anonymity ◦ Anonymity implies no identity disclosure. Attribute Disclosure Identity Disclosure Anonymity Unlinkability Vicen¸ c Torra; Data privacy: an overview 34 / 130

  44. Terminology Outline Terminology • Undetectability and unobservability ◦ Undetectability of an IoI. The attacker cannot sufficiently distinguish whether IoI exists or not. E.g. Intruders cannot distinguish messages from random noise ⇒ Steganography (embed undetectable messages) Vicen¸ c Torra; Data privacy: an overview 35 / 130

  45. Terminology Outline Terminology • Undetectability and unobservability ◦ Undetectability of an IoI. The attacker cannot sufficiently distinguish whether IoI exists or not. E.g. Intruders cannot distinguish messages from random noise ⇒ Steganography (embed undetectable messages) ◦ Unobservability of an IoI means ⋆ undetectability of the IoI against all subjects uninvolved in it and ⋆ anonymity of the subject(s) involved in the IoI even against the other subject(s) involved in that IoI. Unobservability pressumes undetectability but at the same time it also pressumes anonymity in case the items are detected by the subjects involved in the system. From this definition, it is clear that unobservability implies anonymity and undetectability. Vicen¸ c Torra; Data privacy: an overview 35 / 130

  46. Transparency Outline Transparency Vicen¸ c Torra; Data privacy: an overview 36 / 130

  47. Terminology > Transparency Outline Transparency • Transparency ◦ DB is published: give details on how data has been produced. Description of any data protection process and parameters ◦ Positive effect on data utility. Use information in data analysis. ◦ Negative effect on risk. Intruders use the information to attack. Example. DB masking using additive noise: X ′ = X + ǫ with ǫ s.t. E ( ǫ ) = 0 and V ar ( ǫ ) = kV ar ( X ) for a given constant k then, V ar ( X ′ ) = V ar ( X ) + kV ar ( X ) = (1 + k ) V ar ( X ) Vicen¸ c Torra; Data privacy: an overview 37 / 130

  48. Terminology > Transparency Outline Transparency • The transparency principle in data privacy 4 Given a privacy model, a masking method should be compliant with this privacy model even if everything about the method is public knowledge. (Torra, 2017, p17) 4 Similar to the Kerckhoffs’s principle (Kerckhoffs, 1883) in cryptography: a cryptosystem should be secure even if everything about the system is public knowledge, except the key Vicen¸ c Torra; Data privacy: an overview 38 / 130

  49. Terminology > Transparency Outline Transparency • The transparency principle in data privacy 4 Given a privacy model, a masking method should be compliant with this privacy model even if everything about the method is public knowledge. (Torra, 2017, p17) • Transparency a requirement of Trustworthy AI. Related to three elements: traceability, explicability (why decisions are made), and comunication (distinguish AI systems from humans). Transparency in data privacy relates to traceability. 4 Similar to the Kerckhoffs’s principle (Kerckhoffs, 1883) in cryptography: a cryptosystem should be secure even if everything about the system is public knowledge, except the key Vicen¸ c Torra; Data privacy: an overview 38 / 130

  50. Privacy by design Outline Privacy by design Vicen¸ c Torra; Data privacy: an overview 39 / 130

  51. Terminology > Privacy by design Outline Privacy by design • Privacy by design (Cavoukian, 2011) ◦ Privacy “must ideally become an organization’s default mode of operation” (Cavoukian, 2011) and thus, not something to be considered a posteriori. In this way, privacy requirements need to be specified, and then software and systems need to be engineered from the beginning taking these requirements into account. ◦ In the context of developing IT systems, this implies that privacy protection is a system requirement that must be treated like any other functional requirement. In particular, privacy protection (together with all other requirements) will determine the design and implementation of the system (Hoepman, 2014) Vicen¸ c Torra; Data privacy: an overview 40 / 130

  52. Terminology > Privacy by design Outline Privacy by design • Privacy by design principles (Cavoukian, 2011) 1. Proactive not reactive; Preventative not remedial. 2. Privacy as the default setting. 3. Privacy embedded into design. 4. Full functionality – positive-sum, not zero-sum. 5. End-to-end security – full lifecycle protection. 6. Visibility and transparency – keep it open. 7. Respect for user privacy – keep it user-centric. Vicen¸ c Torra; Data privacy: an overview 41 / 130

  53. Privacy models Outline Privacy models Vicen¸ c Torra; Data privacy: an overview 42 / 130

  54. Data privacy > Privacy models Outline Privacy models ? Vicen¸ c Torra; Data privacy: an overview 43 / 130

  55. Data privacy > Privacy models Outline Privacy models Privacy models. A computational definition for privacy. Examples. Vicen¸ c Torra; Data privacy: an overview 44 / 130

  56. Data privacy > Privacy models Outline Privacy models Privacy models. A computational definition for privacy. Examples. • Reidentification privacy. Avoid finding a record in a database. • k-Anonymity. A record indistinguishable with k − 1 other records. • Secure multiparty computation. Several parties want to compute a function of their databases, but only sharing the result. • Differential privacy. The output of a query to a database should not depend (much) on whether a record is in the database or not. • Result privacy. We want to avoid some results when an algorithm is applied to a database. • Integral privacy. Inference on the databases. E.g., changes have been applied to a database. Vicen¸ c Torra; Data privacy: an overview 44 / 130

  57. Data privacy > Privacy models Outline Privacy models Privacy models. A computational definition for privacy. Examples. • Reidentification privacy. Avoid finding a record in a database. • k-Anonymity. A record indistinguishable with k − 1 other records. • Result privacy. We want to avoid some results when an algorithm is applied to a database. ? X X’ Vicen¸ c Torra; Data privacy: an overview 45 / 130

  58. Data privacy > Privacy models Outline Privacy models • Difficulties: naive anonymization does not work ◦ (Sweeney, 1997; 2000 5 ) on USA population ⋆ 87.1% (216 /248 million) is likely to be uniquely identified by 5-digit ZIP, gender, date of birth, ⋆ 3.7% (9.1 /248 million) is likely to be uniquely identified by 5-digit ZIP, gender, Month and year of birth. • Difficulties: highly identifiable data and high dimensional data ◦ Data from mobile devices: ⋆ two positions can make you unique (home and working place) ◦ AOL and Netflix cases (search logs and movie ratings) ◦ Similar with credit card payments, shopping carts, search logs, ... (i.e., high dimensional data) 5 L. Sweeney, Simple Demographics Often Identify People Uniquely, CMU 2000 Vicen¸ c Torra; Data privacy: an overview 46 / 130

  59. Data privacy > Privacy models Outline Privacy models • Difficulties: Example 1. ◦ Q: sickness influenced by studies & commuting distance? ◦ Records: (where students live, what they study, if they got sick) Vicen¸ c Torra; Data privacy: an overview 47 / 130

  60. Data privacy > Privacy models Outline Privacy models • Difficulties: Example 1. ◦ Q: sickness influenced by studies & commuting distance? ◦ Records: (where students live, what they study, if they got sick) ◦ No “personal data”, DB = { (Dublin, CS, No), ( Dublin, CS, No), ( Dublin, CS, Yes), ( Maynooth, CS, No), . . . , ( Dublin, BA MEDIA STUDIES, No) ( Dublin, BA MEDIA STUDIES, Yes), . . . } is this ok ? Vicen¸ c Torra; Data privacy: an overview 47 / 130

  61. Data privacy > Privacy models Outline Privacy models • Difficulties: Example 1. ◦ Q: sickness influenced by studies & commuting distance? ◦ Records: (where students live, what they study, if they got sick) ◦ No “personal data”, DB = { (Dublin, CS, No), ( Dublin, CS, No), ( Dublin, CS, Yes), ( Maynooth, CS, No), . . . , ( Dublin, BA MEDIA STUDIES, No) ( Dublin, BA MEDIA STUDIES, Yes), . . . } is this ok ? NO!!: ◦ E.g., there is only one student of anthropology living in Enfield. (Enfield, Anthropology, Yes) Vicen¸ c Torra; Data privacy: an overview 47 / 130

  62. Data privacy > Privacy models Outline Privacy models Privacy models. A computational definition for privacy. Examples. • Secure multiparty computation. Several parties want to compute a function of their databases, but only sharing the result. ? Vicen¸ c Torra; Data privacy: an overview 48 / 130

  63. Data privacy > Privacy models Outline Privacy models Privacy models. A computational definition for privacy. Examples. • Differential privacy. The output of a query to a database should not depend (much) on whether a record is in the database or not. • Integral privacy. Inference on the databases. E.g., changes have been applied to a database. ? X f(X) g(X) Vicen¸ c Torra; Data privacy: an overview 49 / 130

  64. Data privacy > Privacy models Outline Privacy models • Difficulties. Output of a function can be sensitive. Example 2 ◦ Mean income of admitted to hospital unit (e.g., psychiatric unit) ◦ Mean salary of participants in Alcoholics Anonymous by town Is this ok? NO!! ◦ disclosure of a rich person in the database Vicen¸ c Torra; Data privacy: an overview 50 / 130

  65. Data privacy mechanisms Outline Data privacy mechanisms Vicen¸ c Torra; Data privacy: an overview 51 / 130

  66. Data privacy > Privacy models Outline Privacy models Data privacy mechanisms. Classification w.r.t. our knowledge on the computation • Data-driven or general purpose ( analysis not known ) → anonymization / masking methods • Computation-driven or specific purpose ( analysis known ) → cryptographic protocols, differential privacy, integral privacy • Result-driven ( analysis known: protection of its results ) ? Vicen¸ c Torra; Data privacy: an overview 52 / 130

  67. Data privacy > Data-driven Outline Data privacy mechanisms Data-driven and general purpose Masking methods Vicen¸ c Torra; Data privacy: an overview 53 / 130

  68. Data privacy > Data-driven Outline Masking methods Data-driven or general purpose ( analysis not known ) • Privacy model: Reidentification / k-anonymity. • Privacy mechanisms: Anonymization / masking methods: Given a data file X compute a file X ′ with data of less quality . ? X X’ Vicen¸ c Torra; Data privacy: an overview 54 / 130

  69. Data privacy > Data-driven Outline Masking methods Data-driven or general purpose ( analysis not known ) • Privacy model: reidentification / k-anonymity • Privacy mechanisms: Anonymization / masking methods: Given a data file X compute a file X ′ with data of less quality . ? f(X) X X X’ / A masking f(X’) disclosure risk B Vicen¸ c Torra; Data privacy: an overview 55 / 130

  70. Data privacy > Data-driven Outline Masking methods Approach valid for different types of data • Databases, documents, search logs, social networks, . . . (also masking taking into account semantics: wordnet, ODP) ? f(X) X X X’ / A masking f(X’) disclosure risk B Vicen¸ c Torra; Data privacy: an overview 56 / 130

  71. Data privacy > Data-driven Outline Masking methods Original Masking Protected microdata (X) method microdata (X’) Disclosure Risk Measure Data Data analysis analysis Result(X) Result(X’) Information Loss Measure Vicen¸ c Torra; Data privacy: an overview 57 / 130

  72. Data privacy > Data-driven Outline Research questions: (i) masking methods Masking methods. (anonymization methods) X ′ = ρ ( X ) • Privacy models ◦ k-anonymity. Single-objective optimization: utility ◦ Privacy from re-identification. Multi-objective: trade-off U/Risk • Families of methods ◦ Perturbative. (less quality=erroneous data) E.g. noise addition/multiplication, microaggregation, rank swapping ◦ Non-perturbative. (less quality=less detail) E.g. generalization, suppression ◦ Synthetic data generators. (less quality=not real data) E.g. (i) model from the data; (ii) generate data from model Vicen¸ c Torra; Data privacy: an overview 58 / 130

  73. Data privacy > Data-driven Outline Research questions: (i) masking methods Masking methods. X ′ = ρ ( X ) . Microaggregation ( k records clusters) • Formalization. ( u ij = 1 iff x j in i th cluster; v i centroid) SSE = � g � n j =1 u ij ( d ( x j , v i )) 2 Minimize i =1 Subject to � g i =1 u ij = 1 for all j = 1 , . . . , n 2 k ≥ � n j =1 u ij ≥ k for all i = 1 , . . . , g u ij ∈ { 0 , 1 } Vicen¸ c Torra; Data privacy: an overview 59 / 130

  74. Data privacy > Data-driven Outline Research questions: (i) masking methods Masking methods. X ′ = ρ ( X ) . Additive Noise • Description. Add noise into the original file. That is, X ′ = X + ǫ, where ǫ is the noise. • The simplest approach is to require ǫ to be such that E ( ǫ ) = 0 and V ar ( ǫ ) = kV ar ( X ) for a given constant k . Vicen¸ c Torra; Data privacy: an overview 60 / 130

  75. Data privacy > Data-driven Outline Research questions: (i) masking methods Masking methods. X ′ = ρ ( X ) . Additive Noise • Description. Add noise into the original file. That is, X ′ = X + ǫ, where ǫ is the noise. • The simplest approach is to require ǫ to be such that E ( ǫ ) = 0 and V ar ( ǫ ) = kV ar ( X ) for a given constant k . Properties: • It makes no assumptions about the range of possible values for V i (which may be infinite). • The noise added is typically continuous and with mean zero, which suits continuous original data well. • No exact matching is possible with external files. Vicen¸ c Torra; Data privacy: an overview 60 / 130

  76. Data privacy > Data-driven Outline Research questions: (i) masking methods Masking methods. X ′ = ρ ( X ) . PRAM: Post-Randomization Method • Description. ◦ The scores on some categorical variables for certain records in the original file are changed to a different score. ⋆ according to a transition (Markov) matrix • Properties: ◦ PRAM is very general: it encompasses noise addition, data suppression and data recoding. ◦ PRAM information loss and disclosure risk largely depend on the choice of the transition matrix. Vicen¸ c Torra; Data privacy: an overview 61 / 130

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Data privacy: introduction Vicen c Torra January 15, 2018 Privacy, Information and

Data privacy: introduction Vicen c Torra January 15, 2018 Privacy, Information and

Oslo, 2018 Data privacy: introduction Vicen c Torra January 15, 2018 Privacy, Information and Cyber-Security Center SAIL, School of Informatics, University of Sk ovde, Sweden Outline Outline 1. Motivation 2. Privacy models and

1.14k views • 57 slides
Data privacy: Introduction Vicen c Torra March, 2019 Hamilton Institute, Maynooth University,

Data privacy: Introduction Vicen c Torra March, 2019 Hamilton Institute, Maynooth University,

Data privacy: Introduction Vicen c Torra March, 2019 Hamilton Institute, Maynooth University, Ireland Outline Outline 1. Motivation 2. Difficulties 3. Terminology 4. Disclosure 5. Transparency 6. Privacy by design 7. Summary 1 / 37

510 views • 38 slides
Data privacy. Introduction Vicen c Torra February, 2018 Introduction Outline Introduction

Data privacy. Introduction Vicen c Torra February, 2018 Introduction Outline Introduction

Data privacy. Introduction Vicen c Torra February, 2018 Introduction Outline Introduction Goals: / Topics Privacy from three different perspectives: anonymous communications/privacy enhancing technologies, privacy preserving data

197 views • 6 slides
Data privacy: Privacy models Vicen c Torra March, 2019 Hamilton Institute, Maynooth

Data privacy: Privacy models Vicen c Torra March, 2019 Hamilton Institute, Maynooth

Data privacy: Privacy models Vicen c Torra March, 2019 Hamilton Institute, Maynooth University, Ireland Outline Outline Privacy models 1 / 11 Data privacy > Privacy models Outline Privacy models ? 2 / 11 Data privacy > Privacy

695 views • 12 slides
Data privacy. A briefer. Vicen c Torra (vtorra@ieee.org) May 31st, 2018 Privacy, Information

Data privacy. A briefer. Vicen c Torra (vtorra@ieee.org) May 31st, 2018 Privacy, Information

IEEE Chapter Meeting, Sk ovde Data privacy. A briefer. Vicen c Torra (vtorra@ieee.org) May 31st, 2018 Privacy, Information and Cyber-Security Center SAIL, School of Informatics, University of Sk ovde, Sweden Outline Outline 1.

841 views • 35 slides
On machine learning for data privacy Vicen c Torra Dec. 7, 2016 School of Informatics,

On machine learning for data privacy Vicen c Torra Dec. 7, 2016 School of Informatics,

Link oping 2016 On machine learning for data privacy Vicen c Torra Dec. 7, 2016 School of Informatics, University of Sk ovde, Sweden Outline Outline Outline Disclosure risk. A quantitative measures: record linkage The worst-case

1.29k views • 101 slides
Data privacy: an introduction (part II) Vicen c Torra February, 2017 School of Informatics,

Data privacy: an introduction (part II) Vicen c Torra February, 2017 School of Informatics,

Sk ovde 2017 Data privacy: an introduction (part II) Vicen c Torra February, 2017 School of Informatics, University of Sk ovde, Sweden Outline Outline 1. Basics 2. A classification Dimensions 3. Masking methods 4. Privacy

449 views • 41 slides
Transparency and disclosure risk in data privacy c Torra 1 Vicen March, 2015 1 School of

Transparency and disclosure risk in data privacy c Torra 1 Vicen March, 2015 1 School of

PAIS 2015 Transparency and disclosure risk in data privacy c Torra 1 Vicen March, 2015 1 School of Informatics, University of Sk ovde, Sweden Outline Outline Outline Quantitative measures of risk: record linkage Transparency principle:

1.35k views • 91 slides
Noise Graph Addition: A New Perspective for Graph Anonymization Vicen Torra, Julin Salas

Noise Graph Addition: A New Perspective for Graph Anonymization Vicen Torra, Julin Salas

Graph Perturbation as Noise Graph Addition: A New Perspective for Graph Anonymization Vicen Torra, Julin Salas Data Privacy Management Luxembourg, 26 September 2019 Outline 1. Introduction Motivations and objectives Random graph

355 views • 20 slides
User privacy Vicen c Torra February, 2018 SAIL + PICS, School of Informatics, University of

User privacy Vicen c Torra February, 2018 SAIL + PICS, School of Informatics, University of

User privacy Vicen c Torra February, 2018 SAIL + PICS, School of Informatics, University of Sk ovde, Sweden Outline Outline 1. User privacy 1 / 25 Outline User privacy 2 / 25 DP > Dimensions Outline Data Privacy Classification

836 views • 37 slides
Choquet integral in decision making and metric learning Vicen c Torra Hamilton Institute,

Choquet integral in decision making and metric learning Vicen c Torra Hamilton Institute,

IUKM 2019 - Nara, Japan Choquet integral in decision making and metric learning Vicen c Torra Hamilton Institute, Maynooth University Ireland March 27, 2018 Outline Overview Basics and objectives: Using Choquet integral in two types

1.37k views • 88 slides
Classification of procedures Vicen c Torra March, 2019 Hamilton Institute, Maynooth

Classification of procedures Vicen c Torra March, 2019 Hamilton Institute, Maynooth

Classification of procedures Vicen c Torra March, 2019 Hamilton Institute, Maynooth University, Ireland Outline Outline 1. Dimensions 1st dimension 2nd dimension 3rd dimension Other dimensions 2. Roadmap of data protection

805 views • 34 slides
Choquet integral: distributions and decisions Vicen c Torra School of Informatics, University

Choquet integral: distributions and decisions Vicen c Torra School of Informatics, University

83rd EWG-MCDA 2016 Choquet integral: distributions and decisions Vicen c Torra School of Informatics, University of Sk ovde Sk ovde, Sweden March 31-32 , 2016 Overview > Example Outline Overview Basics and objectives:

1.24k views • 101 slides
On some extensions and applications of non-additive measures Vicen c Torra September, 2013

On some extensions and applications of non-additive measures Vicen c Torra September, 2013

LFSC 2013 On some extensions and applications of non-additive measures Vicen c Torra September, 2013 Joint Work: Y. Narukawa, K. Stokes, G. Navarro-Arribas, D. Abril Institut dInvestigaci o en Intel lig` encia Artificial

1.5k views • 122 slides
Funciones de agregaci c Torra 1 Vicen Octubre, 2014 1 Institut dInvestigaci o en Intel

Funciones de agregaci c Torra 1 Vicen Octubre, 2014 1 Institut dInvestigaci o en Intel

Ja en on para la toma de decisiones multicriterio Funciones de agregaci c Torra 1 Vicen Octubre, 2014 1 Institut dInvestigaci o en Intel lig` encia Artificial (IIIA-CSIC); Universidad de Sk ovde (HiS, Suecia) - a partir de

1.3k views • 128 slides
Decisi o: agregaci o i consens Vicen c Torra Universitat de Sk ovde (HiS, Su` ecia)

Decisi o: agregaci o i consens Vicen c Torra Universitat de Sk ovde (HiS, Su` ecia)

Decisi o: agregaci o i consens Vicen c Torra Universitat de Sk ovde (HiS, Su` ecia) Novembre, 2015 Bibliografia (i/o spam) Bibliografia Gilboa, I., Theory of decision under uncertainty, Cambridge University Press, 2009.

1.77k views • 134 slides
CS400 Problem Seminar Fall 2000 Assignment 3: Distributed Calendar Management Handed out:

CS400 Problem Seminar Fall 2000 Assignment 3: Distributed Calendar Management Handed out:

CS400 Problem Seminar Fall 2000 Assignment 3: Distributed Calendar Management Handed out: Sept. 29, 2000 Due: Oct. 13, 2000 TA: Luke Deqing Chen ( lukechen@cs ) 1 Introduction This fortnights assignment is mainly in systems,

388 views • 14 slides
Thank you for joining us! The webinar will begin promptly at 10 am PT. Feel free to introduce

Thank you for joining us! The webinar will begin promptly at 10 am PT. Feel free to introduce

Thank you for joining us! The webinar will begin promptly at 10 am PT. Feel free to introduce yourself in the chat window! Changing Developmental Math from a Gatekeeper to a Bridge: The Promise of New Math Pathways Wednesday, May 18, 2016

867 views • 40 slides
DNS Privacy dnsprivacy.org Sara Dickinson Sinodun (Salesforce, NLnet Foundation)

DNS Privacy dnsprivacy.org Sara Dickinson Sinodun (Salesforce, NLnet Foundation)

DNS Privacy dnsprivacy.org Sara Dickinson Sinodun (Salesforce, NLnet Foundation) sara@sinodun.com AFNIC JCSA Paris, France (July 2017) Overview The problem: Why Internet privacy and DNS Privacy are important (DNS

1.02k views • 86 slides
WELCOME Governors Advisory Council on Veterans Services AUGUST 19, 2020 Please ensure all

WELCOME Governors Advisory Council on Veterans Services AUGUST 19, 2020 Please ensure all

WELCOME Governors Advisory Council on Veterans Services AUGUST 19, 2020 Please ensure all microphones remain muted. --We will begin shortly-- > community > commonwealth > country COMMITTEE UPDATES > community >

911 views • 70 slides
TO ACT OR BE ACTED UPON - Aligning with Principles Overview Recap Motivation

TO ACT OR BE ACTED UPON - Aligning with Principles Overview Recap Motivation

Presented By: Ankur Sharma (EE) Tamal Das (CSE) Slides By: Nishant Khadria (Siemens, Germany) TO ACT OR BE ACTED UPON - Aligning with Principles Overview Recap Motivation Principles of personal vision Freedom to choose

828 views • 39 slides
Europe PMC Funders Group Author Manuscript Clin Toxicol (Phila) . Author manuscript; available in

Europe PMC Funders Group Author Manuscript Clin Toxicol (Phila) . Author manuscript; available in

Europe PMC Funders Group Author Manuscript Clin Toxicol (Phila) . Author manuscript; available in PMC 2006 January 25. Published in final edited form as: Clin Toxicol (Phila) . 2005 ; 43(2): 129130. The revised position papers on gastric

36 views • 3 slides
I nternet Privacy and P3 P WWW10 Tutorial May 1, 2001 Marc Langheinrich ETH Zurich,

I nternet Privacy and P3 P WWW10 Tutorial May 1, 2001 Marc Langheinrich ETH Zurich,

I nternet Privacy and P3 P WWW10 Tutorial May 1, 2001 Marc Langheinrich ETH Zurich, Switzerland www.inf.ethz.ch/~langhein/ Outline Part I WWW10 Tutorial May 1, 2001 ! What is Privacy? ! Solutions Definitions Privacy

1.59k views • 143 slides
Putting the H into Elf and Safety; Permanently BHSEA: 10 th Sept 2018: Dr Jennifer Lunt

Putting the H into Elf and Safety; Permanently BHSEA: 10 th Sept 2018: Dr Jennifer Lunt

Putting the H into Elf and Safety; Permanently BHSEA: 10 th Sept 2018: Dr Jennifer Lunt Objectives Why occupational health plays second fiddle to safety What this means for behaviour change in the workplace, and Think work

626 views • 24 slides

More recommend