has there been a failure of anonymization
play

Has there been a failure of anonymization ? Khaled El Emam - PDF document

Mar 15, 2023 •443 likes •607 views

Has there been a failure of anonymization ? Khaled El Emam www.ehealthinformation.ca www.ehealthinformation.ca/ knowledgebase 1 The Claim Contents Computer scientists have undermined C t i ti t h d i d Backgrd our faith

  1. Has there been a failure of anonymization ? Khaled El Emam www.ehealthinformation.ca www.ehealthinformation.ca/ knowledgebase 1

  2. The Claim Contents • “Computer scientists have undermined “C t i ti t h d i d Backgrd our faith in the privacy-protecting Defs power of anonymization” (Ohm 2009) • “These advances should trigger a sea Examples of change in the law” (Ohm 2009) • “Irrefutable empirical evidence” that “ f bl l d ” h anonymization is broken (Dwork 2010) Lessons • Policy makers are concerned – is this End true ? Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca The Argument Contents • The evidence presented consists of Th id t d i t f Backgrd actual examples of successful re- Defs identification attacks • Because these re-identification attacks Examples exist then anonymization must not work work Lessons End Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca 2

  3. The Problem with the Argument Contents • The evidence often cited does not Th id ft it d d t Backgrd actually show that: Defs – Re-identification was successful, or – That the data that was attacked was Examples anonymized • Therefore there is actually no • Therefore, there is actually no empirical evidence that anonymized data can be re-identified Lessons End Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca This Presentation Contents • We will examine 21 empirical studies W ill i 21 i i l t di Backgrd that looked at re-identification on Defs actual data sets or in real world examples (i.e., not theoretical attacks) Examples to see what we can learn about them • Focus mostly on demographics that Focus mostly on demographics that can appear in clinical data (i.e., no genetic re-identification studies) Lessons • Some subset of these 21 studies is End often (mis-)cited as evidence Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca 3

  4. Variable Distinctions Contents • Directly identifying Di tl id tif i Backgrd – Can uniquely identify an individual by itself Defs or in conjunction with other readily available information Examples • Quasi-identifiers – Can identify an individual by itself or in – Can identify an individual by itself or in conjunction with other information • Sensitive variables Lessons End Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca Five Levels of I dentifiability greater risk of re-identification Aggregate Data Level 5 not personal information identifiability below threshold Managed Data Level 4 identifiability above threshold personal information Exposed Data greater Level 3 effort, cost, effort cost irreversibly masked data time & skill Masked Data Level 2 to re-identify reversibly masked data Readily Identifiable Data Level 1 4

  5. Evaluation Criteria - I Contents • Risk or re-identification: Ri k id tifi ti Backgrd – Some studies evaluate (estimate or Defs measure) the risk of re-identification but do not actually attempt to re-identify a Examples data set – Therefore, risk evaluation studies would , not be considered successful re- identification attacks Lessons End Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca Evaluation Criteria - I I Contents • Was the data de-identified: W th d t d id tifi d Backgrd – This would be a question whether the Defs study was a risk assessment or a re- identification Examples – Was the data properly de-identified in a measurable way or was it only “masked y y data” ? – Masked data is not anonymized data – re- Lessons identifying masked data is trivial End Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca 5

  6. Evaluation Criteria - I I I Contents • Was a re-identification verified: W id tifi ti ifi d Backgrd – Verifying a re-identification match is Defs necessary to ensure that the match was correct (i.e., confirming that the match of Examples the record to the identity is correct) – If a match is not verified then it is not possible to know if the match was a correct one or not Lessons – The only exception would be a match to a population registry (e.g., voter list) End Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca Example - I Contents Backgrd Defs Examples Lessons End Governor William Weld of MA Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca 6

  7. GI C Case Contents • The Group Insurance Commission is • The Group Insurance Commission is Backgrd responsible for purchasing health Defs insurance for state employees in Massachusetts Examples • Insurance data on 135,000 state employees and their families was employees and their families was released after being “anonymized” • Database was matched with the voter Lessons list for Cambridge, Massachusetts End Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca William Weld Contents • Six people in the database have the • Six people in the database have the Backgrd same DoB Defs • Three are men • One in his 5 digit zip code Examples • His insurance record was re-identified • William Weld was the governor of Massachusetts Lessons End Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca 7

  8. Evaluation of Example I Contents • This was a successful re identification • This was a successful re-identification Backgrd attack Defs • The match was not verified but it was a match to a population registry Examples • The data that was disclosed by GIC was Masked data and not properly de- was Masked data and not properly de identified Lessons End Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca Example 2 - AOL Case Contents • In the Summer of 2006 AOL released • In the Summer of 2006 AOL released Backgrd “anonymized” data on ~20 million discrete Defs search queries for >650,000 individuals on a public web site for researchers to use Examples • The records include date and time of the query and the web site clicked on, as well as query and the web site clicked on as well as a unique identifier for each user so records can be linked to get a user profile Lessons End Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca 8

  9. AOL Users Contents • #2178: “foods to avoid when breast feeding” • #2178: foods to avoid when breast feeding Backgrd • #3482401: “calorie counting” Defs • #3505202: “depression and medical leave” Examples Lessons End Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca User # 4417749 Contents • “tea for good health” • tea for good health Backgrd • “numb fingers”, “hand tremors” Defs • “dry mouth” • “60 single men” Examples • “dog that urinates on everything” g y g • “landscapers in Lilburn, Ga” • “homes sold in shadow lake subdivision Lessons gwinnett county georgia” End Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca 9

  10. Thelma Arnold Contents • 62 year old widow 62 ld id Backgrd living in Lilburn Ga Defs re-identified by the New York Times Examples • She has three dogs Lessons End Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca Evaluation of Example 2 Contents • This was a successful re identification • This was a successful re-identification Backgrd attack Defs • The match was verified (we have a picture) Examples • The data that was disclosed by AOL was Masked data and not properly de- was Masked data and not properly de identified Lessons End Electronic Health Information Laboratory, CHEO Research Institute, 401 Smyth Road, Ottawa K1H 8L1, Ontario; www.ehealthinformation.ca 10

Recommend

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today Recap/Taxonomy of Anonymization Microdata anonymization Microaggregation based anonymization Taxonomy of Anonymization Problem

620 views • 59 slides
CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today Clustering based anonymization (cont) Permutation based anonymization Other privacy principles Microaggregation/Clustering Two steps:

879 views • 52 slides
Data Masking and Anonymization for PostgreSQL 1 The Anonymization Challenge 8 Strategies

Data Masking and Anonymization for PostgreSQL 1 The Anonymization Challenge 8 Strategies

Data Masking and Anonymization for PostgreSQL 1 The Anonymization Challenge 8 Strategies PostgreSQL Anonymizer The Future 2 3 My Story 4 LETS DO THIS ! jailer pgantomizer ARX pgsync anomyze-it anonymizer mat2 Talend open

1.12k views • 77 slides
CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today Permutation based anonymization methods (cont.) Other privacy principles for microdata publishing publishing Statistical databases

986 views • 51 slides
Data Privacy Anonymization Li Xiong CS573 Data Privacy and Security Outline Inference

Data Privacy Anonymization Li Xiong CS573 Data Privacy and Security Outline Inference

Data Privacy Anonymization Li Xiong CS573 Data Privacy and Security Outline Inference control Anonymization problem Anonymization notions and approaches (and how they fail to work!) k-anonymity l-diversity t-closeness

741 views • 51 slides
Introduction to Anonymization (I) Claire McKay Bowen Postdoctoral Researcher, Los Alamos

Introduction to Anonymization (I) Claire McKay Bowen Postdoctoral Researcher, Los Alamos

DataCamp Data Privacy and Anonymization in R DATA PRIVACY AND ANONYMIZATION IN R Introduction to Anonymization (I) Claire McKay Bowen Postdoctoral Researcher, Los Alamos National Laboratory DataCamp Data Privacy and Anonymization in R

609 views • 26 slides
Towards Plausible Graph Anonymization Yang Zhang, Mathias Humbert, Bartlomiej Surma, Praveen

Towards Plausible Graph Anonymization Yang Zhang, Mathias Humbert, Bartlomiej Surma, Praveen

Towards Plausible Graph Anonymization Yang Zhang, Mathias Humbert, Bartlomiej Surma, Praveen Manoharan, Jilles Vreeken, Michael Backes Graph sharing 2 Graph anonymization 3 Graph anonymization id 3 id 7 id 1 id 6 id 4 id 2 id 8 id 5

622 views • 36 slides
An Automated Social Graph De-anonymization Technique Kumar Sharad 1 George Danezis 2 1 2

An Automated Social Graph De-anonymization Technique Kumar Sharad 1 George Danezis 2 1 2

An Automated Social Graph De-anonymization Technique Kumar Sharad 1 George Danezis 2 1 2 November 3, 2014 Workshop on Privacy in the Electronic Society, Scottsdale, Arizona, USA This Talk 1 The Art of Data Anonymization 2 The D4D Challenge 3

527 views • 51 slides
Quantifying the Risk of Re-identification in Data Anonymization Competition Takao Murakami

Quantifying the Risk of Re-identification in Data Anonymization Competition Takao Murakami

1 Quantifying the Risk of Re-identification in Data Anonymization Competition Takao Murakami (AIST*, Japan) *AIST: National Institute of Advanced Industrial Science & Technology 2 Outline Data Anonymization Mechanism Plays an

543 views • 27 slides
Big Data and the application of anonymization techniques Annual Privacy Forum 2015 7-8 October,

Big Data and the application of anonymization techniques Annual Privacy Forum 2015 7-8 October,

Big Data and the application of anonymization techniques Annual Privacy Forum 2015 7-8 October, Luxembourg Giuseppe DAcquisto Garante per la protezione dei dati personali 1 The concept of anonymization My data 1 D.O.F Any person Empty

334 views • 12 slides
Anonymization Algorithms - Other techniques, metrics, and extended scenarios Li Xiong CS573

Anonymization Algorithms - Other techniques, metrics, and extended scenarios Li Xiong CS573

Anonymization Algorithms - Other techniques, metrics, and extended scenarios Li Xiong CS573 Data Privacy and Anonymity So far k-anonymity (protect identity disclosure) Anonymization algorithms Generalization and suppression

549 views • 34 slides
CS573 Data Privacy and Security Data Anonymization (cont.) Li Xiong Department of Mathematics

CS573 Data Privacy and Security Data Anonymization (cont.) Li Xiong Department of Mathematics

CS573 Data Privacy and Security Data Anonymization (cont.) Li Xiong Department of Mathematics and Computer Science Emory University Today Cont. Anonymization notions and approaches l-diversity t-closeness Takeaways Attacks on

192 views • 15 slides
MULTILINGUAL AUTOMATED TEXT ANONYMIZATION Francisco Dias francisco.m.c.dias@tecnico.ulisboa.pt

MULTILINGUAL AUTOMATED TEXT ANONYMIZATION Francisco Dias francisco.m.c.dias@tecnico.ulisboa.pt

MULTILINGUAL AUTOMATED TEXT ANONYMIZATION Francisco Dias francisco.m.c.dias@tecnico.ulisboa.pt 03/06/2016 Instituto Superior Tcnico Slide 1 of 52 INTRODUCTION RELATED WORK ARCHITECTURE INTRODUCTION ANONYMIZATION METHODS

694 views • 52 slides
Anonymization Algorithms - Microaggregation and Clustering Li Xiong CS573 Data Privacy and

Anonymization Algorithms - Microaggregation and Clustering Li Xiong CS573 Data Privacy and

Anonymization Algorithms - Microaggregation and Clustering Li Xiong CS573 Data Privacy and Anonymity Anonymization using Microaggregation or Clustering Practical Data-Oriented Microaggregation for Statistical Disclosure Control,

902 views • 55 slides
Encryption and Anonymization in Hadoop Current and Future needs Sept-28-2015 ApacheCon, Budapest

Encryption and Anonymization in Hadoop Current and Future needs Sept-28-2015 ApacheCon, Budapest

Encryption and Anonymization in Hadoop Current and Future needs Sept-28-2015 ApacheCon, Budapest Page 1 Agenda Need for data protection Encryption and Anonymization Current State of Encryption in Hadoop Demo Future focus

259 views • 25 slides
Health Failure Telehealth Final Report Sarah Briggs Heart Failure Specialist Nurse Heart Failure

Health Failure Telehealth Final Report Sarah Briggs Heart Failure Specialist Nurse Heart Failure

Health Failure Telehealth Final Report Sarah Briggs Heart Failure Specialist Nurse Heart Failure Heart failure is a life limiting condition with outcomes worse than most cancers Heart failure is manifested by severe symptoms and the

775 views • 22 slides
Failure is a four-letter word Andreas Zeller Thomas Zimmermann Christian Bird PROMISE

Failure is a four-letter word Andreas Zeller Thomas Zimmermann Christian Bird PROMISE

Failure is a four-letter word Andreas Zeller Thomas Zimmermann Christian Bird PROMISE 2011, Banff, Canada Software failures 2 Defect distributions 3 Failure causes 4 Failure causes 5 Failure causes 6 Failure causes 7 Failure

1.16k views • 76 slides
Anonymization Beyond GDPR 1 WHO I AM Damien Clochard PostgreSQL DBA & Co-founder at Dalibo

Anonymization Beyond GDPR 1 WHO I AM Damien Clochard PostgreSQL DBA & Co-founder at Dalibo

Anonymization Beyond GDPR 1 WHO I AM Damien Clochard PostgreSQL DBA & Co-founder at Dalibo President of PostgreSQLFr Association 2 WHO I AM NOT I Am Not A Lawyer I Am Not A Privacy Expert Dont take my word for it / Check the links

1.24k views • 74 slides
Management of Co- morbidities in Heart Failure (COPD, Renal failure, Anemia) Dr John Parissis,

Management of Co- morbidities in Heart Failure (COPD, Renal failure, Anemia) Dr John Parissis,

Management of Co- morbidities in Heart Failure (COPD, Renal failure, Anemia) Dr John Parissis, Heart Failure Unit, Attikon University Hospital, Athens, Greece Prevalence of Non-cardiac Comorbidity In Chronic Heart Failure Braunstein et al

718 views • 70 slides
PALLIATIVE CARE Advanced heart failure Heart failure has a poor prognosis Heart failure

PALLIATIVE CARE Advanced heart failure Heart failure has a poor prognosis Heart failure

PALLIATIVE CARE Advanced heart failure Heart failure has a poor prognosis Heart failure mortality remains unacceptably high. 30-40% of patients die within the first year of diagnosis(Cowie et al, 2000; Hobbs et al, 2007). 1 year

381 views • 17 slides
HEART FAILURE S Y M P T O M S A N D T R E A T M E N T B Y K E R R Y M O R T O N H F S N

HEART FAILURE S Y M P T O M S A N D T R E A T M E N T B Y K E R R Y M O R T O N H F S N

ACUTE DECOMPENSATING HEART FAILURE S Y M P T O M S A N D T R E A T M E N T B Y K E R R Y M O R T O N H F S N ACUTE HEART FAILURE DEFINITION The new onset or recurrence of symptoms and signs of heart failure requiring urgent or

1.01k views • 22 slides
Take the Top Spot by Transforming IT 157 157 Failure itself is not fatal, but failure to

Take the Top Spot by Transforming IT 157 157 Failure itself is not fatal, but failure to

Take the Top Spot by Transforming IT 157 157 Failure itself is not fatal, but failure to change might be. Legendary basketball coach John Wooden Transformation is the only way to take the top spot Transformed organizations:

387 views • 17 slides
Heart Failure with Preserved Ejection Fraction Advances in Heart Failure CME Course Jonathan D

Heart Failure with Preserved Ejection Fraction Advances in Heart Failure CME Course Jonathan D

Heart Failure with Preserved Ejection Fraction Advances in Heart Failure CME Course Jonathan D Davis, MD, MPHS Director, Heart Failure Program Assistant Clinical Professor | Division of Cardiology Zuckerberg San Francisco General Hospital

595 views • 26 slides
De-anonymization of Insurance Applicants' Sensitive Information Team 3: Jay Lee, Maxim Castaneda,

De-anonymization of Insurance Applicants' Sensitive Information Team 3: Jay Lee, Maxim Castaneda,

De-anonymization of Insurance Applicants' Sensitive Information Team 3: Jay Lee, Maxim Castaneda, Rosalie Dolor To enhance insurance Goal companies best practices Benefits to Stakeholders by ensuring the clients privacy rights in the

136 views • 10 slides

More recommend