Database Privacy Research @Stanford --- An Overview
Krishnaram Kenthapadi (kngk@cs.stanford.edu)
Hector Garcia-Molina, Rajeev Motwani
G. Aggarwal, M. Bawa, C. Dwork, P. Ganesan, E-J. Goh, N. Mishra, S. Nabar, U. Srivastava, D. Thomas, Y. Xu
Private Information Management
• Individual-centric privacy
• Search over access-controlled data
• Aggregates on vertically-partitioned databases
• Approximations for k-anonymity
• Secure indexes
• Secure quantile computation
• …
Krishnaram Kenthapadi, DIMACS Working Group, 17 Mar 2004
Individual-Centric Privacy (P4P: Paranoid Platform for Privacy Preferences) [ABG+04]
Managing Personal Information
• Status
  – P3P: organization declares privacy policies
  – Hippocratic DB: organization's datastore implements policies
• Critique
  – Individual must trust each organization
  – Examples of misuse: Acxiom, JetBlue, Northwest, …
Managing Personal Information
• Thesis
  – Enable an individual to retain "control" over his/her information, even after it has been released to an organization
• Plan
  – Design models and mechanisms for release, acquisition, use and update of personal information (the P4P framework)
Example: Managing a Credit Card
[Figure: George releases his Credit Card Number to CafeDay]
Control: [a] Permission, [b] No copies, [c] No Integration, …
Information Types
• Ownership: Individual, Organization
• Function: Identifier, Service Handle, Input to Predicate, Copy
• Control: Complete Privacy, Limited Use, No Predicate Input, No Integration, Accountable, Sharable
Goal: Mechanisms for each information type to enforce desired properties
Search over access-controlled data (PPI: Privacy-Preserving Indexing) [BBA03]
Provider
• Shares documents
• Enforces access policy
[Figure: providers P1, P2, P3, …, P32, …, P2026; provider P1 holds documents with access lists: Alzheimer's Disease (Alice, Bob), AIDS (Alice), …, Small-Pox (Alice, Bob, Lisa)]
Searcher
• Has an identity
• Wants documents
  – that match a keyword query Q; and
  – with appropriate access rights
[Figure: searcher Alice issues Q = "AIDS" to providers P1, P2, P3, …, P32, …, P2026]
Search Engine
• Engine not trusted by providers:
  – Providers do not want to send documents to the search engine
  – Providers do not want to reveal access lists to the search engine
[Figure: Alice sends Q = "AIDS" to a search engine that sits in front of providers P1, P2, P3, …, P32, …, P2026]
How do we enable search?
Aggregates on vertically-partitioned databases [AST04]
Vertically-Partitioned Databases

  Census Bureau              Dept. of HRD
  Name   State   Sex         Name   Salary   Age
  John   NJ      M           John   120K     35
  Alice  NJ      F           Alice  80K      22
  Mary   CA      F           Mary   100K     26
  Tom    CA      M           Tom    200K     72

  Q: Select State, Avg(Salary)
     From Census, HRD
     Where Census.Name = HRD.Name
     Group By State

  A:  State   Salary
      NJ      100K
      CA      150K
Vertically-Partitioned Databases
• Privacy concerns
  – Databases cannot be released as-is
  – Databases can be released after data has been perturbed
Goal: Return high-precision aggregate answers
Approximations for k-anonymity [AFK+04]
k-anonymity

  SSN   Name    Age   Sex   Zip     Symptom
  614   Joe     23    M     94305   Flu
  615   Alice   32    F     94301   Flu
  629   Jen     18    F     95102   Cold
  710   Kate    22    F     95103   Rashes
  840   Eve     20    F     95103   Cold
k-anonymity: suppress keys

  Age   Sex   Zip     Symptom
  23    M     94305   Flu
  32    F     94301   Flu
  18    F     95102   Cold
  22    F     95103   Rashes
  20    F     95103   Cold
k-anonymity: generalize attributes (k = 2)

  Age       Sex   Zip     Symptom
  [20-35]   *     9430*   Flu
  [20-35]   *     9430*   Flu
  [15-25]   F     9510*   *
  [15-25]   F     9510*   *
  [15-25]   F     9510*   *
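As an added illustration (not from the slides or from [AFK+04]), the Python below reproduces the two tables above: it measures the smallest quasi-identifier group in the key-suppressed table (every row is unique, so it is only 1-anonymous), applies the slide's generalization to the groups {Joe, Alice} and {Jen, Kate, Eve}, and checks that the result is 2-anonymous over Age, Sex and Zip. The partition into those two groups and the rounding rule (age rounded outward to multiples of 5, zip masked to its shared prefix, other columns suppressed to `*`) are assumptions read off the slide, not part of the original.

```python
import os
from collections import Counter

# Constructed copy of the "suppress keys" table above (SSN and Name removed).
# Columns: Age, Sex, Zip, Symptom.
SUPPRESSED = [
    (23, "M", "94305", "Flu"),
    (32, "F", "94301", "Flu"),
    (18, "F", "95102", "Cold"),
    (22, "F", "95103", "Rashes"),
    (20, "F", "95103", "Cold"),
]
# Assumed rule for how each column is generalized when a group disagrees on it.
KINDS = ("age", "cat", "zip", "cat")
# Quasi-identifiers: the columns an outsider could link to an external table.
QUASI_IDS = (0, 1, 2)

def min_group_size(rows, qi=QUASI_IDS):
    """Largest k for which rows is k-anonymous over the quasi-identifiers:
    the size of the smallest group of rows sharing one quasi-identifier tuple."""
    groups = Counter(tuple(row[i] for i in qi) for row in rows)
    return min(groups.values())

def is_k_anonymous(rows, k, qi=QUASI_IDS):
    return min_group_size(rows, qi) >= k

def generalize_column(values, kind):
    """Replace a group's values by a single value that covers all of them."""
    if len(set(values)) == 1:          # already identical: nothing to hide
        return values[0]
    if kind == "age":                  # range rounded outward to multiples of 5
        lo, hi = min(values), max(values)
        return f"[{lo // 5 * 5}-{-(-hi // 5) * 5}]"
    if kind == "zip":                  # keep the shared prefix, mask the rest
        prefix = os.path.commonprefix(values)
        return prefix + "*" * (len(values[0]) - len(prefix))
    return "*"                         # categorical: full suppression

def generalize(rows, partition, kinds=KINDS):
    """Generalize each group of row indices in partition to one shared tuple,
    so all members of a group become indistinguishable on every column."""
    out = []
    for group in partition:
        members = [rows[i] for i in group]
        shared = tuple(generalize_column([m[c] for m in members], kinds[c])
                       for c in range(len(kinds)))
        out.extend([shared] * len(members))
    return out
```

`generalize(SUPPRESSED, [[0, 1], [2, 3, 4]])` yields exactly the rows of the slide's k = 2 table, and `min_group_size` reports 1 for the suppressed table and 2 for the generalized one.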
k-anonymity – work in progress
• [MW04]
• NP-hardness
• O(k log k)-approximation algorithm
• O(k)-approximation algorithm
References
http://theory.stanford.edu/~rajeev/privacy.html
• [ABG+04]: Stanford Database Privacy Group. Enabling privacy for the paranoids.
• [BBA03]: Bawa, Bayardo Jr., Agrawal. Privacy-preserving indexing of documents on the network.
• [AST04]: Agrawal, Srikant, Thomas. Privacy preserving OLAP.
• [AFK+04]: Aggarwal, Feder, Kenthapadi, Motwani, Panigrahy, Thomas, Zhu. k-anonymity: Hardness and approximation results.
• [AMP04]: Aggarwal, Mishra, Pinkas. Privacy-preserving computation of the k-th ranked element.
• [Goh03]: Goh. Secure indexes.