Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Privacy Vitaly Shmatikov CS 6431. slide 2 uHealth-care datasets Clinical studies, hospital discharge databases … uGenetic datasets $1000 genome,

Published byHarvey Newton Modified over 8 years ago

Similar presentations

Presentation on theme: "Data Privacy Vitaly Shmatikov CS 6431. slide 2 uHealth-care datasets Clinical studies, hospital discharge databases … uGenetic datasets $1000 genome,"— Presentation transcript:

1 Data Privacy Vitaly Shmatikov CS 6431

2 slide 2 uHealth-care datasets Clinical studies, hospital discharge databases … uGenetic datasets $1000 genome, HapMap, DeCODE … uDemographic datasets U.S. Census Bureau, sociology studies … uSearch logs, recommender systems, social networks, blogs … AOL search data, online social networks, Netflix movie ratings, Amazon … Public Data Conundrum

3 Basic Setting xnxn x n-1  x3x3 x2x2 x1x1 San Users (government, researchers, marketers, …) query 1 answer 1 query T answer T  DB= random coins ¢¢¢ slide 3

4 Examples of Sanitization Methods uInput perturbation Add random noise to database, release uSummary statistics Means, variances Marginal totals Regression coefficients uOutput perturbation Summary statistics with noise uInteractive versions of the above methods Auditor decides which queries are OK, type of noise slide 4

5 slide 5 uHow? uRemove “personally identifying information” (PII) Name, Social Security number, phone number, email, address… what else? uProblem: PII has no technical meaning Defined in disclosure notification laws –If certain information is lost, consumer must be notified In privacy breaches, any information can be personally identifying –Examples: AOL dataset, Netflix Prize dataset Data “Anonymization”

6 slide 6 Latanya Sweeney’s Attack (1997) Massachusetts hospital discharge dataset Public voter dataset

7 slide 7 Observation #1: Dataset Joins uAttacker learns sensitive data by joining two datasets on common attributes Anonymized dataset with sensitive attributes –Example: age, race, symptoms “Harmless” dataset with individual identifiers –Example: name, address, age, race uDemographic attributes (age, ZIP code, race, etc.) are very common in datasets with information about individuals

8 slide 8 Observation #2: Quasi-Identifiers uSweeney’s observation: (birthdate, ZIP code, gender) uniquely identifies 87% of US population Side note: actually, only 63% [Golle, WPES ‘06] uPublishing a record with a quasi-identifier is as bad as publishing it with an explicit identity uEliminating quasi-identifiers is not desirable For example, users of the dataset may want to study distribution of diseases by age and ZIP code

9 slide 9 k-Anonymity uProposed by Samarati and/or Sweeney (1998) uHundreds of papers since then Extremely popular in the database and data mining communities (SIGMOD, ICDE, KDD, VLDB) uNP-hard in general, but there are many practically efficient k-anonymization algorithms uMost based on generalization and suppression

10 slide 10 Anonymization in a Nutshell uDataset is a relational table uAttributes (columns) are divided into quasi-identifiers and sensitive attributes uGeneralize/suppress quasi-identifiers, don’t touch sensitive attributes (keep them “truthful”) RaceAgeSymptomsBlood type Medical history …………… …………… quasi-identifiers sensitive attributes

11 slide 11 k-Anonymity: Definition uAny (transformed) quasi-identifier must appear in at least k records in the anonymized dataset k is chosen by the data owner (how?) Example: any age-race combination from original DB must appear at least 10 times in anonymized DB uGuarantees that any join on quasi-identifiers with the anonymized dataset will contain at least k records for each quasi-identifier

12 uMembership disclosure: Attacker cannot tell that a given person in the dataset uSensitive attribute disclosure: Attacker cannot tell that a given person has a certain sensitive attribute uIdentity disclosure: Attacker cannot tell which record corresponds to a given person This interpretation is correct, assuming the attacker does not know anything other than quasi-identifiers But this does not imply any privacy! Example: k clinical records, all HIV+ This interpretation is correct, assuming the attacker does not know anything other than quasi-identifiers But this does not imply any privacy! Example: k clinical records, all HIV+ slide 12 Two (and a Half) Interpretations

13 slide 13 Achieving k-Anonymity uGeneralization Replace specific quasi-identifiers with more general values until get k identical values –Example: area code instead of phone number Partition ordered-value domains into intervals uSuppression When generalization causes too much information loss –This is common with “outliers” (come back to this later) uLots of algorithms in the literature Aim to produce “useful” anonymizations … usually without any clear notion of utility

14 slide 14 Generalization in Action

15 slide 15 Curse of Dimensionality uGeneralization fundamentally relies on spatial locality Each record must have k close neighbors uReal-world datasets are very sparse Many attributes (dimensions) –Netflix Prize dataset: 17,000 dimensions –Amazon customer records: several million dimensions “Nearest neighbor” is very far uProjection to low dimensions loses all info  k-anonymized datasets are useless [Aggarwal VLDB ‘05]

16 uAny (transformed) quasi-identifier must appear in at least k records in the anonymized dataset k is chosen by the data owner (how?) Example: any age-race combination from original DB must appear at least 10 times in anonymized DB uGuarantees that any join on quasi-identifiers with the anonymized dataset will contain at least k records for each quasi-identifier slide 16 k-Anonymity: Definition This definition does not mention sensitive attributes at all! Assumes that attacker will be able to join only on quasi-identifiers Does not say anything about the computations that are to be done on the data

17 Membership Disclosure uWith large probability, quasi-identifier is unique in the population uBut generalizing/suppressing quasi-identifiers in the dataset does not affect their distribution in the population (obviously)! Suppose anonymized dataset contains 10 records with a certain quasi-identifier … … and there are 10 people in the population who match this quasi-identifier uk-anonymity may not hide whether a given person is in the dataset slide 17

18 Sensitive Attribute Disclosure Intuitive reasoning: uk-anonymity prevents attacker from telling which record corresponds to which person uTherefore, attacker cannot tell that a certain person has a particular value of a sensitive attribute This reasoning is fallacious! slide 18

19 slide 19 3-Anonymization Caucas78712Flu Asian78705Shingles Caucas78754Flu Asian78705Acne AfrAm78705Acne Caucas78705Flu Caucas787XXFlu Asian/AfrAm 78705Shingles Caucas787XXFlu Asian/AfrAm 78705Acne Asian/AfrAm 78705Acne Caucas787XXFlu This is 3-anonymous, right?

20 slide 20 Joining With External Database ……… Rusty Shackleford Caucas78705 ……… Caucas787XXFlu Asian/AfrAm 78705Shingles Caucas787XXFlu Asian/AfrAm 78705Acne Asian/AfrAm 78705Acne Caucas787XXFlu Problem: sensitive attributes are not “diverse” within each quasi-identifier group

21 slide 21 Another Attempt: l-Diversity Caucas787XXFlu Caucas787XXShingles Caucas787XXAcne Caucas787XXFlu Caucas787XXAcne Caucas787XXFlu Asian/AfrAm 78XXXFlu Asian/AfrAm 78XXXFlu Asian/AfrAm 78XXXAcne Asian/AfrAm 78XXXShingles Asian/AfrAm 78XXXAcne Asian/AfrAm 78XXXFlu Entropy of sensitive attributes within each quasi-identifier group must be at least L [Machanavajjhala et al. ICDE ‘06]

22 slide 22 Still Does Not Work …Cancer … … …Flu …Cancer … … … … … …Flu … Original database Q1Flu Q1Cancer Q1Cancer Q1Cancer Q1Cancer Q1Cancer Q2Cancer Q2Cancer Q2Cancer Q2Cancer Q2Flu Q2Flu Anonymization B Q1Flu Q1Flu Q1Cancer Q1Flu Q1Cancer Q1Cancer Q2Cancer Q2Cancer Q2Cancer Q2Cancer Q2Cancer Q2Cancer Anonymization A 99% have cancer 50% cancer  quasi-identifier group is “diverse” This leaks a ton of information 50% cancer  quasi-identifier group is “diverse” This leaks a ton of information 99% cancer  quasi-identifier group is not “diverse” …yet anonymized database does not leak anything 99% cancer  quasi-identifier group is not “diverse” …yet anonymized database does not leak anything

23 slide 23 Try Again: t-Closeness Caucas787XXFlu Caucas787XXShingles Caucas787XXAcne Caucas787XXFlu Caucas787XXAcne Caucas787XXFlu Asian/AfrAm 78XXXFlu Asian/AfrAm 78XXXFlu Asian/AfrAm 78XXXAcne Asian/AfrAm 78XXXShingles Asian/AfrAm 78XXXAcne Asian/AfrAm 78XXXFlu [Li et al. ICDE ‘07] Distribution of sensitive attributes within each quasi-identifier group should be “close” to their distribution in the entire original database Trick question: Why publish quasi-identifiers at all?? Trick question: Why publish quasi-identifiers at all??

24 slide 24 Anonymized “t-Close” Database Caucas 787XX HIV+ Flu Asian/AfrAm 787XX HIV- Flu Asian/AfrAm 787XX HIV+ Shingles Caucas 787XX HIV- Acne Caucas 787XX HIV- Shingles Caucas 787XX HIV- Acne This is k-anonymous, l-diverse and t-close… …so secure, right?

25 slide 25 What Does Attacker Know? Caucas 787XX HIV+ Flu Asian/AfrAm 787XX HIV- Flu Asian/AfrAm 787XX HIV+ Shingles Caucas 787XX HIV- Acne Caucas 787XX HIV- Shingles Caucas 787XX HIV- Acne Bob is white and I heard he was admitted to hospital with flu… This is against the rules! “flu” is not a quasi-identifier This is against the rules! “flu” is not a quasi-identifier Yes… and this is yet another problem with k-anonymity Yes… and this is yet another problem with k-anonymity

26 Issues with Syntactic Definitions uWhat adversary do they apply to? Do not consider adversaries with side information Do not consider probability Do not consider adversarial algorithms for making decisions (inference) uAny attribute is a potential quasi-identifier External / auxiliary / background information about people is very easy to obtain slide 26

27 Classical Intution for Privacy uDalenius (1977): “If the release of statistics S makes it possible to determine the value [of private information] more accurately than is possible without access to S, a disclosure has taken place” Privacy means that anything that can be learned about a respondent from the statistical database can be learned without access to the database uSimilar to semantic security of encryption Anything about the plaintext that can be learned from a ciphertext can be learned without the ciphertext slide 27

28 Problems with Classic Intuition uPopular interpretation: prior and posterior views about an individual shouldn’t change “too much” What if my (incorrect) prior is that every Cornell graduate student has three arms? uHow much is “too much?” Can’t achieve cryptographically small levels of disclosure and keep the data useful Adversarial user is supposed to learn unpredictable things about the database slide 28

29 Absolute Guarantee Unachievable uPrivacy: for some definition of “privacy breach,”  distribution on databases,  adversaries A,  A’ such that Pr(A(San)=breach) – Pr(A’()=breach) ≤  For reasonable “breach”, if San(DB) contains information about DB, then some adversary breaks this definition uExample I know that you are 2 inches taller than the average Russian DB allows computing average height of a Russian This DB breaks your privacy according to this definition… even if your record is not in the database! slide 29 [Dwork]

30 Differential Privacy xnxn x n-1  x3x3 x2x2 x1x1 San query 1 answer 1 query T answer T  DB= random coins ¢¢¢ slide 30 uAbsolute guarantees are problematic Your privacy can be “breached” (per absolute definition of privacy) even if your data is not in the database uRelative guarantee: “Whatever is learned would be learned regardless of whether or not you participate” Dual: Whatever is already known, situation won’t get worse Adversary A [Dwork]

31 Indistinguishability xnxn x n-1  x3x3 x2x2 x1x1 San query 1 answer 1 query T answer T  DB= random coins ¢¢¢ slide 31 transcript S xnxn x n-1  y3y3 x2x2 x1x1 San query 1 answer 1 query T answer T  DB’= random coins ¢¢¢ transcript S’ Differ in 1 row Distance between distributions is at most 

32 Which Distance to Use? uProblem:  must be large Any two databases induce transcripts at distance ≤ n  To get utility, need  > 1/n uStatistical difference 1/n is not meaningful! Example: release a random point from the database –San(x 1,…,x n ) = ( j, x j ) for random j For every i, changing x i induces statistical difference 1/n But some x i is revealed with probability 1 –Definition is satisfied, but privacy is broken! slide 32

33 ? Definition: San is  -indistinguishable if  A,  DB, DB’ which differ in 1 row,  sets of transcripts S Adversary A query 1 answer 1 transcript S query 1 answer 1 transcript S’ Equivalently,  S: p( San(DB) = S ) p( San(DB’)= S )  1 ±  p( San(DB)  S )  (1 ±  ) p( San(DB’)  S ) Formalizing Indistinguishability slide 33

34 Laplacian Mechanism uIntuition: f(x) can be released accurately when f is insensitive to individual entries x 1, … x n uGlobal sensitivity GS f = max neighbors x,x’ ||f(x) – f(x’)|| 1 Example: GS average = 1/n for sets of bits uTheorem: f(x) + Lap(GS f /  ) is  -indistinguishable Noise generated from Laplace distribution slide 34 Tell me f(x) f(x)+noise x1…xnx1…xn Database User Lipschitz constant of f

35 Sensitivity with Laplace Noise slide 35

36 Differential Privacy: Summary uSan gives  -differential privacy if for all values of DB and Me and all transcripts t: slide 36 Pr [t] Pr[ San (DB - Me) = t] Pr[ San (DB + Me) = t] ≤ e   1 

37 Intuition uNo perceptible risk is incurred by joining DB uAnything adversary can do to me, it could do without me (my data) Bad Responses: XXX Pr [response] slide 37

Download ppt "Data Privacy Vitaly Shmatikov CS 6431. slide 2 uHealth-care datasets Clinical studies, hospital discharge databases … uGenetic datasets $1000 genome,"

Similar presentations

Cipher Techniques to Protect Anonymized Mobility Traces from Privacy Attacks Chris Y. T. Ma, David K. Y. Yau, Nung Kwan Yip and Nageswara S. V. Rao.

Cipher Techniques to Protect Anonymized Mobility Traces from Privacy Attacks Chris Y. T. Ma, David K. Y. Yau, Nung Kwan Yip and Nageswara S. V. Rao.
Differentially Private Recommendation Systems Jeremiah Blocki Fall 2009 18739A: Foundations of Security and Privacy.

Differentially Private Recommendation Systems Jeremiah Blocki Fall A: Foundations of Security and Privacy.
Simulatability “The enemy knows the system”, Claude Shannon CompSci 590.03 Instructor: Ashwin Machanavajjhala 1Lecture 6 : 590.03 Fall 12.

Simulatability “The enemy knows the system”, Claude Shannon CompSci Instructor: Ashwin Machanavajjhala 1Lecture 6 : Fall 12.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 8 04/04/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 8 04/04/2011 Security and Privacy in Cloud Computing.
The End of Anonymity Vitaly Shmatikov. Tastes and Purchases slide 2.

The End of Anonymity Vitaly Shmatikov. Tastes and Purchases slide 2.
1 Privacy in Microdata Release Prof. Ravi Sandhu Executive Director and Endowed Chair March 22, 2013 © Ravi Sandhu.

1 Privacy in Microdata Release Prof. Ravi Sandhu Executive Director and Endowed Chair March 22, © Ravi Sandhu.
1 IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 11 April 10, 2013 Information Privacy (Contributed by.

1 IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 11 April 10, 2013 Information Privacy (Contributed by.
UTEPComputer Science Dept.1 University of Texas at El Paso Privacy in Statistical Databases Dr. Luc Longpré Computer Science Department Spring 2006.

UTEPComputer Science Dept.1 University of Texas at El Paso Privacy in Statistical Databases Dr. Luc Longpré Computer Science Department Spring 2006.
Seminar in Foundations of Privacy 1.Adding Consistency to Differential Privacy 2.Attacks on Anonymized Social Networks Inbal Talgam March 2008.

Seminar in Foundations of Privacy 1.Adding Consistency to Differential Privacy 2.Attacks on Anonymized Social Networks Inbal Talgam March 2008.
Differential Privacy 18739A: Foundations of Security and Privacy Anupam Datta Fall 2009.

Differential Privacy 18739A: Foundations of Security and Privacy Anupam Datta Fall 2009.
Privacy Research Overview

Privacy Research Overview
Finding Personally Identifying Information Mark Shaneck CSCI 5707 May 6, 2004.

Finding Personally Identifying Information Mark Shaneck CSCI 5707 May 6, 2004.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Anatomy: Simple and Effective Privacy Preservation Israel Chernyak DB Seminar (winter 2009)

Anatomy: Simple and Effective Privacy Preservation Israel Chernyak DB Seminar (winter 2009)
1 Pinning Down “Privacy” Defining Privacy in Statistical Databases Adam Smith Weizmann Institute of Science

1 Pinning Down “Privacy” Defining Privacy in Statistical Databases Adam Smith Weizmann Institute of Science
Malicious parties may employ (a) structure-based or (b) label-based attacks to re-identify users and thus learn sensitive information about their rating.

Malicious parties may employ (a) structure-based or (b) label-based attacks to re-identify users and thus learn sensitive information about their rating.
Privacy without Noise Yitao Duan NetEase Youdao R&D Beijing China CIKM 2009.

Privacy without Noise Yitao Duan NetEase Youdao R&D Beijing China CIKM 2009.
Preserving Privacy in Clickstreams Isabelle Stanton.

Preserving Privacy in Clickstreams Isabelle Stanton.
k-Anonymity and Other Cluster-Based Methods

k-Anonymity and Other Cluster-Based Methods
R 18 G 65 B 145 R 0 G 201 B 255 R 104 G 113 B 122 R 216 G 217 B 218 R 168 G 187 B 192 Core and background colors: 1© Nokia Solutions and Networks 2014.

R 18 G 65 B 145 R 0 G 201 B 255 R 104 G 113 B 122 R 216 G 217 B 218 R 168 G 187 B 192 Core and background colors: 1© Nokia Solutions and Networks 2014.

Similar presentations

Ads by Google