Privacy Research Overview

18739A: Foundations of Security and Privacy

Anupam Datta

Fall 2007-08

Privacy Research Space

What is Privacy?[Philosophy, Law, Public Policy]

Formal Model, Policy Language,Compliance-check Algorithms

[Programming Languages, Logic]

Implementation-level Compliance[Software Engg, Formal Methods]

Data Privacy[Databases, Cryptography]

TODAY

TODAY

Next 3 lectures

Philosophical studies on privacy

Reading• Overview article in Stanford Encyclopedia of

Philosophy http://plato.stanford.edu/entries/privacy/

Alan Westin, Privacy and Freedom, 1967 Ruth Gavison, Privacy and the Limits of Law,

1980 Helen Nissenbaum, Privacy as Contextual

Integrity, 2004 (more on Nov 8)

Westin 1967

Privacy and control over information

“Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others”

Relevant when you give personal information to a web site; agree to privacy policy posted on web site

May not apply to your personal health information

Gavison 1980

Privacy as limited access to self

“A loss of privacy occurs as others obtain information about an individual, pay attention to him, or gain access to him. These three elements of secrecy, anonymity, and solitude are distinct and independent, but interrelated, and the complex concept of privacy is richer than any definition centered around only one of them.”

Basis for database privacy definition discussed later

Gavison 1980

On utility

“We start from the obvious fact that both perfect privacy and total loss of privacy are undesirable. Individuals must be in some intermediate state – a balance between privacy and interaction …Privacy thus cannot be said to be a value in the sense that the more people have of it, the better.”

This balance between privacy and utility will show up in data privacy as well as in privacy policy languages, e.g. health data could be shared with medical researchers

Privacy Laws in the US

HIPAA (Health Insurance Portability and Accountability Act, 1996)• Protecting personal health information

GLBA (Gramm-Leach-Bliley-Act, 1999)• Protecting personal information held by financial service

institutions

COPPA (Children‘s Online Privacy Protection Act, 1998)• Protecting information posted online by children under 13

More details in lecture on Nov 8.

Data Privacy

Releasing sanitized databases• k-anonymity• (c,t)-isolation• Differential privacy

Privacy preserving data mining

Sanitization of Databases

Real Database (RDB)

Sanitized Database (SDB)

• Health records

• Census data

Add noise, delete names,

etc.

• Protect privacy

• Provide useful information (utility)

Re-identification by linking• Linking two sets of data on shared attributes may

uniquely identify some individuals:

• Example [Sweeney] : De-identified medical data was released,

purchased Voter Registration List of MA, re-identified Governor • 87 % of US population uniquely identifiable by 5-digit ZIP, sex, dob

K-anonymity (1)

Quasi-identifier: Set of attributes (e.g. ZIP, sex, dob) that can be linked with external data to uniquely identify individuals in the population

Make every record in the table indistinguishable from at least k-1 other records with respect to

quasi-identifiers

Linking on quasi-identifiers yields at least k records for each possible value of the quasi-identifier

K-anonymity and beyond

• Provides some protection: linking on ZIP, age, nationality yields 4 records• Limitations: lack of diversity in sensitive attributes, background knowledge, subsequent releases on the same data set • Utility: less suppression implies better utility

(c,t)-isolation (2)

Mathematical definition motivated by Gavison’s idea that privacy is protected to the extent that an individual blends into a crowd.

Image courtesy of WaldoWiki: http://images.wikia.com/waldo/images/a/ae/LandofWaldos.jpg

Definition of (c,t)-isolation Let y be any RDB point, and let δy=║q-y║2. We say that q (c,t)-isolates y iff

B(q,cδy) contains fewer than t points in the RDB, that is, |B(q,c δy) ∩ RDB| < t.

A database is represented by n points in high dimensional space (one dimension per column)

q

yδy

cδy

x2

x1

xt-2

Definition of (c,t)-isolation (contd)

Differential Privacy: Motivation (3)

Guaranteeing that a sanitized database does not imply any private information is too hard• Auxiliary info: Terry is an inch taller than average• Sanitized database: The average height is 6 feet• Sanitized database only provided non-private

data, but resulted in private info being learned All surveyors really need is for people to be

comfortable supplying their private data People will be comfortable if providing data does

not change the sanitized database enough to be noticed

Differential Privacy: Formalization

Want a sanitization function K that maps two databases D1 and D2 that differ by one person to about the same sanitized databases K(D1) and K(D2)

Make a disclosure S about as likely with K(D1) as K(D2)

A randomized function K give ε-differential privacy if for all data sets D1 and D2 differing in at most one element and all subset S of Range(K),

Pr[K(D1) in S] ≤ exp(ε) × Pr[K(D2) in S]

Privacy Preserving Data Mining

Reference• Y. Lindell and B. Pinkas. Privacy Preserving Data

Mining, Journal of Cryptology, 15(3):177-206, 2002. Problem:

• Compute some function of two confidential databases without revealing unnecessary information

Example: Govt. database of suspected terrorists intersection with airline passengers database

Approach:• Cryptographic techniques for secure multiparty

computation

The Security Definition (Slide: Lindell)

IDEALREAL

Trusted party

Protocolinteraction

For every real adversary A

there exists anadversary S

Computational Indistinguishability: every probabilistic

polynomial-time observer that receives the input/output distribution of the honest parties and the adversary, outputs 1 upon receiving the distribution

generated in IDEAL with negligibly close probability to when it is generated in REAL.