Quantitative Methods to Measure the Risk of Re-identification: - - PowerPoint PPT Presentation

quantitative methods to measure the risk of re
SMART_READER_LITE
LIVE PREVIEW

Quantitative Methods to Measure the Risk of Re-identification: - - PowerPoint PPT Presentation

Oct 31, 2022 125 likes •495 views

Quantitative Methods to Measure the Risk of Re-identification: Methodology Review Bradley Malin, Ph.D. November 30, 2017 Vanderbilt University, Professor (Biomedical Informatics, Biostatistics, & Computer Science) A Very Simplified View on

slide-1
SLIDE 1

Bradley Malin, Ph.D. November 30, 2017 Vanderbilt University, Professor (Biomedical Informatics, Biostatistics, & Computer Science)

Quantitative Methods to Measure the Risk of Re-identification: Methodology Review

slide-2
SLIDE 2

A Very Simplified View on Risk

P(reid) ≈

  • Distinguishability
  • Replicability
  • Availability

Data

2

slide-3
SLIDE 3

Risk is Contextual

3

Sample

Brad Mike Bill

slide-4
SLIDE 4

Population (Multiple clinical trials) Risk is Contextual

4

Sample

Brad Mike Bill Mitch Will Abe

slide-5
SLIDE 5

Population (All Eligible People) Risk is Contextual

5

Sample

Brad Mike Bill Mitch Will Abe

slide-6
SLIDE 6

Risk Measures

  • Worst Case Risk Measures
  • Prosecutor: Most risky record in the sample
  • Journalist: Most risky record in the population
  • Amortized (or Average) Measure
  • Marketer: Expected risk of an arbitrary record

6

slide-7
SLIDE 7

A Very Simplified View on Risk

P(reid) ≈ P(knowledge) * P(reid | knowledge)

  • Neighbor (friend)
  • Prosecutor
  • Journalist
  • … pick a framework

Prior

  • Distinguishability
  • Replicability
  • Availability

Data

7

slide-8
SLIDE 8

Prosecutor Risk

8

Sample

Brad Mike Bill

1 (Because of Mike)

slide-9
SLIDE 9

Population Journalist Risk

9

Sample

Brad Mike Bill Mitch Will Abe

½ = 0.5 (Because of Bill & Brad)

slide-10
SLIDE 10

Marketer Risk (Sample)

10

Sample

½ + ½ + 1

  • ------------ = 2/3

3

Sample

Brad Mike Bill

½ 1 ½

slide-11
SLIDE 11

Marketer Risk (Population)

11

Sample

.5 + .5 + .33

  • ------------ = .44

3 3

Population

Brad Mike Bill

1/2 1/3 1/2

Will Abe

slide-12
SLIDE 12

Central Dogma of Re-identification

Anonymised Data Identified Data Necessary Condition Necessary Condition Necessary Condition Linking Mechanism

Malin, Benitez, Loukides, & Clayton. Human Genetics. 2011.

12

slide-13
SLIDE 13

A Famous Linkage Attack

ZIP Code Birthdate Gender Name Address Date registered Party affiliation Date last voted

U.S. Voter List

Ethnicity Visit date Diagnosis Procedure Medication Total charge

U.S. Hospital Discharge Data

High Profile Re-identification

Sweeney, JLME. 1997

13

slide-14
SLIDE 14

But availability of Demographics Varies…

IL MN TN WA WI WHO Registered Political Committees (ANYONE – In Person) MN Voters Anyone Anyone Anyone Format Disk Disk Disk Disk Disk Cost $500 $46; “use ONLY for elections, political activities, or law enforcement” $2500 $30 $12,500 Name      Address      Date of Birth     Sex    Race  Phone Number  

Benitez & Malin. JAMIA. 2010.

14

slide-15
SLIDE 15

Adversaries are Not All Knowing

  • Research subject demographics
  • Unique (potential)
  • Replicable
  • Available
  • Series of drug doses administered
  • Unique (potential)
  • Not replicable
  • Not available

15

slide-16
SLIDE 16

Adversaries are Not All Knowing

(Assume knowledge between x and y features)

16

Feature Observation Date of Birth 1/1/1970 Gender Male Race White Country France Death Yes Occupation Teacher Married Yes

Feature Observation Date of Birth 1/1/1970 Gender Male Race White Country France Death Yes Occupation Teacher Married Yes Feature Observation Date of Birth 1/1/1970 Gender Male Race White Country France Death Yes Occupation Teacher Married Yes Feature Observation Date of Birth 1/1/1970 Gender Male Race White Country France Death Yes Occupation Teacher Married Yes Feature Observation Date of Birth 1/1/1970 Gender Male Race White Country France Death Yes Occupation Teacher Married Yes

slide-17
SLIDE 17

… Which Means No Single Risk Score

17 Feature Observation Date of Birth 1/1/1970 Gender Male Race White Country France Death Yes Occupation Teacher Married Yes Feature Observation Date of Birth 1/1/1970 Gender Male Race White Country France Death Yes Occupation Teacher Married Yes Feature Observation Date of Birth 1/1/1970 Gender Male Race White Country France Death Yes Occupation Teacher Married Yes Feature Observation Date of Birth 1/1/1970 Gender Male Race White Country France Death Yes Occupation Teacher Married Yes

Frequency Re-identification Risk

slide-18
SLIDE 18

You May Not See Everything

  • Field structured databases – you can issue exact queries!
  • Semi-structured reports and narratives – you must rely on a mix
  • f
  • Artificial intelligence
  • Human review
  • Sampling
  • Problem has become a bit more tricky because leaks can now

include explicitly identifying values

18

slide-19
SLIDE 19

A Natural Language Setting

  • Create a Gold Standard Dataset
  • Ask X humans to read and label a selection of records
  • Ensure concordance between human annotations

(e.g., via a Cohen’s Kappa)

  • Apply (manual or automated) identifier detection

strategy

  • Compute performance in terms of:
  • (R)ecall – rate at which real identifier instances were

detected

  • (P)recision – rate at which claimed identifiers are in

fact real

  • F-measure – weighted average of R and P

19 Smith, 61 yo ... daughter, Lynn, to ...

  • ncologist Dr. White ...

5/13/10 to consider ... SWOG protocol 1811, ... was randomized 5/10 ... to call Mr. Smith on ... PLAN:Dr White and I ...

Original PHI

slide-20
SLIDE 20

A Natural Language Setting

Smith, 61 yo ... **pt_name<A>, **age<60s> yo ... daughter, Lynn, to ... daughter, Lynn, to ...

  • ncologist Dr. White ...
  • ncologist Dr. **MD_name<C> ...

5/13/10 to consider ... **date<5/28/10> to consider ... SWOG protocol 1811, ... SWOG protocol **other_id, ... was randomized 5/10 ... was randomized 5/10 ... to call Mr. Smith on ... to call Mr. **pt_name<A> on ... PLAN:Dr White and I ... PLAN:Dr White and I ...

Original PHI **Redacted PHI & Leaked PHI

20

  • A leak is not necessarily a

re-identification

  • Need to assess the

potential given the leak rates

  • Can assess on a per

research subject level (if labels are person specific)

  • Alternatively, may assume

each feature leaks at random

P(date of birth leak, date of death leak) ≈ P(date of birth leak) * P(date of death leak)

slide-21
SLIDE 21

Hiding in Plain Sight (Carrell et al, 2013)

  • Must be careful – this is a relatively new technique
  • Also evidence to suggest a computer may mimic the initial detection

strategy… and redact the fakes situated in a pattern (Li et al, 2016)

  • In this case, we would need two risk measures
  • Human recognition risk
  • Computer-assisted recognition risk
  • Recent approach to prevent this problem, but comes at a massive loss in

precision (Li et al, 2017)

21 Smith, 61 yo ... **pt_name<A>, **age<60s> yo ... Jones, a 64 yo ... daughter, Lynn, to ... daughter, Lynn, to ... daughter, Lynn, for ...

  • ncologist Dr. White ...
  • ncologist Dr. **MD_name<C> ...
  • ncologist Dr. Howe ...

5/13/10 to consider ... **date<5/28/10> to consider ... 5/28/10 to consider ... SWOG protocol 1811, ... SWOG protocol **other_id, ... SWOG protocol 1798, ... was randomized 5/10 ... was randomized 5/10 ... was randomized 5/10 ... to call Mr. Smith on ... to call Mr. **pt_name<A> on ... to call Mr. Jones on ... PLAN:Dr White and I ... PLAN:Dr White and I ... PLAN:Dr White and I ...

Original PHI **Redacted PHI & Leaked PHI Surrogate PHI & Hidden PHI

slide-22
SLIDE 22

If Time Permits…

22

If Not…

slide-23
SLIDE 23

Latest Development

  • Methods presented model data sharer and adversary separately
  • New approaches use game theory to consider their interactions

(Wan et al 2015)

  • Game theory requires robust estimates of many parameters,

such as

  • benefit the sharer gets in providing data
  • benefit the attacker gets in re-identifying the data

23

slide-24
SLIDE 24

Stackelberg Game

Publisher Recipient

Sharing Strategy 1 Utility 1 Risk ??? Attack Strategy A Utility A Risk A Attack Strategy B Utility B Risk B Attack Strategy C Utility C Risk C

Strategies:

  • Generalize Age
  • Suppress Dates

  • Perturb Geography

24

slide-25
SLIDE 25

Stackelberg Game

Publisher Recipient

Sharing Strategy 1 Utility 1 Risk ??? Attack Strategy A Utility A Risk A Attack Strategy B Utility B Risk B Attack Strategy C Utility C Risk C Recipient’s Best Strategy

25

slide-26
SLIDE 26

Stackelberg Game

Publisher Recipient

Sharing Strategy 1 Utility 1 Risk B Attack Strategy A Utility A Risk A Attack Strategy B Utility B Risk B Attack Strategy C Utility C Risk C Recipient’s Best Strategy

26

slide-27
SLIDE 27

Stackelberg Game

Publisher Recipient

Sharing Strategy 1 Utility 1 Risk B Attack Strategy A Utility A Risk A Attack Strategy B Utility B Risk B Attack Strategy C Utility C Risk C Sharing Strategy 2 Utility 2 Risk ???

27

slide-28
SLIDE 28

Stackelberg Game

Publisher Recipient

Sharing Strategy 1 Utility 1 Risk B Attack Strategy A Utility A Risk A Attack Strategy B Utility B Risk B Attack Strategy C Utility C Risk C Sharing Strategy 2 Utility 2 Risk A Recipient’s Best Strategy

28

slide-29
SLIDE 29

Stackelberg Game

Publisher

Sharing Strategy 1 Utility 1 Risk B Sharing Strategy 2 Utility 2 Risk A Sharing Strategy Z Utility Z Risk Z

29

slide-30
SLIDE 30

Stackelberg Game

Publisher

Sharing Strategy 1 Utility 1 Risk B Sharing Strategy 2 Utility 2 Risk A Sharing Strategy Z Utility Z Risk Z

Choose strategy that maximizes

  • verall benefit

Optimizes the Risk-Utility tradeoff

30

slide-31
SLIDE 31

Demographic Case Study

$0.00 $0.50 $1.00 $1.50 $2.00 $2.50 $3.00 $0.00 $500.00 $1,000.00 $1,500.00 Attacker Publisher

US Safe Harbor

  • ~30,000 Census records
  • Average Payoff Per Record
  • $1200: Benefit per record
  • $300: Cost per violation
  • $4: Access cost per record

31

slide-32
SLIDE 32

Demographic Case Study

$0.00 $0.50 $1.00 $1.50 $2.00 $2.50 $3.00 $0.00 $500.00 $1,000.00 $1,500.00 Attacker Publisher

Basic

  • ~30,000 Census records
  • Average Payoff Per Record
  • $1200: Benefit per record
  • $300: Cost per violation
  • $4: Access cost per record

32

US Safe Harbor

slide-33
SLIDE 33

Demographic Case Study

$0.00 $0.50 $1.00 $1.50 $2.00 $2.50 $3.00 $0.00 $500.00 $1,000.00 $1,500.00 Attacker Publisher

Basic US Safe Harbor - Friendly

  • ~30,000 Census records
  • Average Payoff Per Record
  • $1200: Benefit per record
  • $300: Cost per violation
  • $4: Access cost per record

33

US Safe Harbor

slide-34
SLIDE 34

Demographic Case Study

$0.00 $0.50 $1.00 $1.50 $2.00 $2.50 $3.00 $0.00 $500.00 $1,000.00 $1,500.00 Attacker Publisher

Basic No Attack

  • ~30,000 Census records
  • Average Payoff Per Record
  • $1200: Benefit per record
  • $300: Cost per violation
  • $4: Access cost per record

34

US Safe Harbor - Friendly US Safe Harbor

slide-35
SLIDE 35

Some Relevant References

  • Benitez K, Malin B. Evaluating re-identification risks with respect to the HIPAA Privacy Rule.

Journal of the American Medical Informatics Association. 2010; 17: 169-177.

  • Carrell D, et al. Hiding in plain sight: use of realistic surrogates to reduce exposure of protected

health information in clinical text. Journal of the American Medical Informatics Association. 2013; 20: 342-348.

  • El Emam, Malin B. Concepts and methods for de-identifying clinical trial data. In: Committee on

Strategies for Responsible Sharing of Clinical Trial Data; Board on Health Sciences Policy; Institute of Medicine. Sharing Clinical Trial Data: Maximizing Benefits, Minimizing Risk. National Academies Press. 2015.

  • Li B, et al. Scalable iterative classification for sanitizing large-scale datasets. IEEE Transactions on

Knowledge and Data Engineering. 2017; 29: 698-711.

  • Li M, et al. Optimizing annotation resources for natural language de-identification via a game

theoretic framework. Journal of Biomedical Informatics. 2016; 61: 97-109.

  • Wan Z, et al. A game theoretic technique for analyzing re-identification risk. PLoS One. 2015; 10:

e0120592.

35