Presentation is loading. Please wait.

Presentation is loading. Please wait.

The State of the Art Cynthia Dwork, Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A AA A AAA.

Published byKatherine Sims Modified over 9 years ago

Similar presentations

Presentation on theme: "The State of the Art Cynthia Dwork, Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A AA A AAA."— Presentation transcript:

1 The State of the Art Cynthia Dwork, Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A AA A AAA

2 Pre-Modern Cryptography Propose Break

3 Modern Cryptography Propose Definition Break Definition Propose STRONGER Definition Break Definition algorithms satisfying definition Algs Propose STRONGER [GoldwasserMicali82,GoldwasserMicaliRivest85]

4 Modern Cryptography Propose Definition Break Definition Propose STRONGER Definition Break Definition algorithms satisfying definition Algs Propose STRONGER [GoldwasserMicali82,GoldwasserMicaliRivest85]

5 No Algorithm? Propose Definition ? Why?

6 Provably No Algorithm? Bad Definition Propose Definition ? Propose WEAKER/DIFF Definition Alg / ?

7 The Privacy Dream Original DatabaseSanitized data set ? C  Census, financial, medical data; OTC drug purchases; social networks; MOOCs data; call and text records; energy consumption; loan, advertising, and applicant data; ad clicks product correlations, query logs,…

8 Fundamental Law of Info Recovery “Overly accurate” estimates of “too many” statistics is blatantly non-private DinurNissim03; DworkMcSherryTalwar07; DworkYekhanin08, De12, MuthukrishnanNikolov12,…

9 Anonymization (aka De-Identification)  Remove “personally identifying information” Name sex DOB zip symptoms previous admissions medications family history …

10 Anonymization (aka De-Identification)  Remove “personally identifying information” Name sex DOB zip symptoms previous admissions medications family history …

11 Anonymization (aka De-Identification)  Remove “personally identifying information” Name sex DOB zip symptoms previous admissions medications family history …

12 Anonymization (aka De-Identification)  Remove “personally identifying information” Name sex DOB zip symptoms previous admissions medications family history … ?

13 William Weld’s Medical Records ZIP birth date sex name address date reg. party affiliation last voted ethnicity visit date diagnosis procedure medication total charge voter registration data HMO data Sweeney97

14 William Weld’s Medical Records ZIP birth date sex name address date reg. party affiliation last voted ethnicity visit date diagnosis procedure medication total charge voter registration data HMO data Sweeney97

15 Anonymization (aka De-Identification)  Remove “personally identifying information” Name sex DOB zip symptoms previous admissions medications family history … ??

16 Anonymization (aka De-Identification)  Remove “personally identifying information” Name sex DOB zip symptoms previous admissions medications family history … ??

17 NarayananShmatikov08

18

19 Re-ID Not the Only Worry k- anonymity Break Definition l - diversity Break Definition algorithms satisfying definition Algs m,t m-invariance t-closeness SamaratiSweeney98, MakanvajjhalaGehrkeKiferVenkitasubramaniam06,XiaoTao07,LiLiVenkatasubmraminan07

20 Culprit: Diverse Background Info 2014 2013 2012 Voter Weld: M, DOB, zip IMDb

21 Billing for Targeted Advertisements + + [Korolova12]

22 Product Recommendations  X’s preferences influence Y’s experience  Combining evolving similar items lists with a little knowledge (from your blog) of what you bought, an adversary can infer purchases you did not choose to publicize CalandrinoKilzerNarayananFeltenShmatikov11 People who bought this also bought… Blog

23 SNP: Single Nucleotide (A,C,G,T) polymorphism CT TT … … … … SNP statistics of Case Group “Can” Test Case Group Membership using target’s DNA and HapMap GWAS Statistics Homer+08

24 Culprit: Diverse Background Info 2014 2013 2012 Voter Weld: M, DOB, zip IMDb People who bought this… Blog Billing

25 HapMap Culprit: Diverse Background Info 2014 2013 2012 Voter Weld: M, DOB, zip IMDb People who bought this… Blog Billing

26 How Should We Approach Privacy?  “Computer science got us into this mess, can computer science get us out of it?” (Sweeney, 2012)

27 How Should We Approach Privacy?  “Computer science got us into this mess, can computer science get us out of it?” (Sweeney, 2012)  Complexity of this type requires a mathematically rigorous theory of privacy and its loss.

28 How Should We Approach Privacy?  “Computer science got us into this mess, can computer science get us out of it?” (Sweeney, 2012)  Complexity of this type requires a mathematically rigorous theory of privacy and its loss.  We cannot discuss tradeoffs between privacy and statistical utility without a measure that captures cumulative harm over multiple uses.  Other fields -- economics, ethics, policy -- cannot be brought to bear without a “currency,” or measure of privacy, with which to work.

29 Useful Databases that Teach  Database teaches that smoking causes cancer.  Smoker S’s insurance premiums rise.  Premiums rise even if S not in database!  Learning that smoking causes cancer is the whole point.  Smoker S enrolls in a smoking cessation program.  Differential privacy: limit harms to the teachings, not participation The outcome of any analysis is essentially equally likely, independent of whether any individual joins, or refrains from joining, the database.

30 Useful Databases that Teach  Database teaches that smoking causes cancer.  Smoker S’s insurance premiums rise.  Premiums rise even if S not in database!  Learning that smoking causes cancer is the whole point.  Smoker S enrolls in a smoking cessation program.  Differential privacy: limit harms to the teachings, not participation The likelihood of any possible harm to ME is essentially independent of whether I join, or refrain from joining, the database.

31 Useful Databases that Teach  Database teaches that smoking causes cancer.  Smoker S’s insurance premiums rise.  Premiums rise even if S not in database!  Learning that smoking causes cancer is the whole point.  Smoker S enrolls in a smoking cessation program.  Differential privacy: limit harms to the teachings, not participation High premiums, busted, purchases revealed to co-worker… Essentially equally likely when I’m in as when I’m out

32 Differential Privacy [D.,McSherry,Nissim,Smith ‘06]

33

34 Impossible to know the actual probabilities of bad events. Can still control change in risk due to joining the database.

35 Differential Privacy [D.,McSherry,Nissim,Smith ‘06] “Privacy Loss” Impossible to know the actual probabilities of bad events. Can still control change in risk due to joining the database.

36 Differential Privacy [D.,McSherry,Nissim,Smith ‘06] “Privacy Loss”

37 Differential Privacy  Nuanced measure of privacy loss  Captures cumulative harm over multiple uses, multiple databases  Adversary’s background knowledge is irrelevant  Immune to re-identification attacks, etc.  “Programmable”  Construct complicated private analyses from simple private building blocks

38 Recall: Fundamental Law “Overly accurate” estimates of “too many” statistics is blatantly non-private DinurNissim03; DworkMcSherryTalwar07; DworkYekhanin08, De12, MuthukrishnanNikolov12,…

39 Answer Only Questions Asked q1q1 a1a1 Database curator data analysts C q2q2 a2a2 q3q3 a3a3

40 Intuition

41 Algorithms, geometry, learning theory, complexity theory, cryptography, statistics, machine learning, programming languages, verification, databases, economics,…

42 Not a Panacea  Fundamental Law of Information Recovery still holds

43 Challenge: The Meaning of Loss  Sometimes the theory gives exactly the right answer  Large loss in differential privacy translates to “obvious” real life privacy breach, under circumstances known to be plausible  Other times?  Do all large losses translate to such realizable privacy breaches, or is the theory too pessimistic?

44 Policy Recommendation DworkMulligan14

45 “Just a Few”? Randomly choose a few rows; Publish in entirety. OK?

46 Fundamental Law  There is a (LARGE) set of statistics, S  An analyst having even a remotely accurate estimate of EVERY statistic in S can completely violate any reasonable notion of privacy  There is a very simple way of designing small sets of statistics, T  An analyst having estimates of 80% of the statistics in T that beat the sampling error can completely violate any reasonable notion of privacy Must be very inaccurate on some statistic in S “Overly accurate” estimates of “too many” statistics is blatantly non-private DinurNissim03; DworkMcSherryTalwar07; DworkYekhanin08, De12, MuthukrishnanNikolov12,…

Download ppt "The State of the Art Cynthia Dwork, Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A AA A AAA."

Similar presentations

Survey design. What is a survey?? Asking questions – questionnaires Finding out things about people Simple things – lots of people What things? What people?

Survey design. What is a survey?? Asking questions – questionnaires Finding out things about people Simple things – lots of people What things? What people?
Cipher Techniques to Protect Anonymized Mobility Traces from Privacy Attacks Chris Y. T. Ma, David K. Y. Yau, Nung Kwan Yip and Nageswara S. V. Rao.

Cipher Techniques to Protect Anonymized Mobility Traces from Privacy Attacks Chris Y. T. Ma, David K. Y. Yau, Nung Kwan Yip and Nageswara S. V. Rao.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY.
Differentially Private Recommendation Systems Jeremiah Blocki Fall 2009 18739A: Foundations of Security and Privacy.

Differentially Private Recommendation Systems Jeremiah Blocki Fall A: Foundations of Security and Privacy.
Raef Bassily Adam Smith Abhradeep Thakurta Penn State Yahoo! Labs Private Empirical Risk Minimization: Efficient Algorithms and Tight Error Bounds Penn.

Raef Bassily Adam Smith Abhradeep Thakurta Penn State Yahoo! Labs Private Empirical Risk Minimization: Efficient Algorithms and Tight Error Bounds Penn.
“Mortgages, Privacy, and Deidentified Data” Professor Peter Swire Ohio State University Center for American Progress Consumer Financial Protection Bureau.

“Mortgages, Privacy, and Deidentified Data” Professor Peter Swire Ohio State University Center for American Progress Consumer Financial Protection Bureau.
Privacy Enhancing Technologies

Privacy Enhancing Technologies
UTEPComputer Science Dept.1 University of Texas at El Paso Privacy in Statistical Databases Dr. Luc Longpré Computer Science Department Spring 2006.

UTEPComputer Science Dept.1 University of Texas at El Paso Privacy in Statistical Databases Dr. Luc Longpré Computer Science Department Spring 2006.
Kunal Talwar MSR SVC [Dwork, McSherry, Talwar, STOC 2007] TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A AA A.

Kunal Talwar MSR SVC [Dwork, McSherry, Talwar, STOC 2007] TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A AA A.
Differential Privacy 18739A: Foundations of Security and Privacy Anupam Datta Fall 2009.

Differential Privacy 18739A: Foundations of Security and Privacy Anupam Datta Fall 2009.
Finding Personally Identifying Information Mark Shaneck CSCI 5707 May 6, 2004.

Finding Personally Identifying Information Mark Shaneck CSCI 5707 May 6, 2004.
. Bayesian Networks Lecture 9 Edited from Nir Friedman’s slides by Dan Geiger from Nir Friedman’s slides.

. Bayesian Networks Lecture 9 Edited from Nir Friedman’s slides by Dan Geiger from Nir Friedman’s slides.
Anatomy: Simple and Effective Privacy Preservation Israel Chernyak DB Seminar (winter 2009)

Anatomy: Simple and Effective Privacy Preservation Israel Chernyak DB Seminar (winter 2009)
Frank McSherry Researcher Microsoft Research, Silicon Valley.

Frank McSherry Researcher Microsoft Research, Silicon Valley.
Privacy: Challenges and Opportunities Tadayoshi Kohno Department of Computer Science and Engineering University of Washington.

Privacy: Challenges and Opportunities Tadayoshi Kohno Department of Computer Science and Engineering University of Washington.
Privacy without Noise Yitao Duan NetEase Youdao R&D Beijing China CIKM 2009.

Privacy without Noise Yitao Duan NetEase Youdao R&D Beijing China CIKM 2009.
Foundations of Privacy Lecture 11 Lecturer: Moni Naor.

Foundations of Privacy Lecture 11 Lecturer: Moni Naor.
Current Developments in Differential Privacy Salil Vadhan Center for Research on Computation & Society School of Engineering & Applied Sciences Harvard.

Current Developments in Differential Privacy Salil Vadhan Center for Research on Computation & Society School of Engineering & Applied Sciences Harvard.
Chapter 1 Database Systems. Good decisions require good information derived from raw facts Data is managed most efficiently when stored in a database.

Chapter 1 Database Systems. Good decisions require good information derived from raw facts Data is managed most efficiently when stored in a database.
R 18 G 65 B 145 R 0 G 201 B 255 R 104 G 113 B 122 R 216 G 217 B 218 R 168 G 187 B 192 Core and background colors: 1© Nokia Solutions and Networks 2014.

R 18 G 65 B 145 R 0 G 201 B 255 R 104 G 113 B 122 R 216 G 217 B 218 R 168 G 187 B 192 Core and background colors: 1© Nokia Solutions and Networks 2014.

Similar presentations

Ads by Google