Computational Disclosure Control - A Primer on Data Privacy Protection

Computational Disclosure Control - A Primer on Data Privacy Protection (2001)

Cached

Download Links

by Latanya Sweeney

Venue:	Massachusetts Institute of Technology
Citations:	23 - 2 self

BibTeX

@TECHREPORT{Sweeney01computationaldisclosure,
    author = {Latanya Sweeney},
    title = {Computational Disclosure Control - A Primer on Data Privacy Protection},
    institution = {Massachusetts Institute of Technology},
    year = {2001}
}

Years of Citing Articles

Bookmark

OpenURL

Abstract

Today's globally networked society places great demand on the dissemination and sharing of person-specific data for many new and exciting uses. Even situations where aggregate statistical information was once the reporting norm now rely heavily on the transfer of microscopically detailed transaction and encounter information. This happens at a time when more and more historically public information is also electronically available. When these data are linked together, they provide an electronic shadow of a person or organization that is as identifying and personal as a fingerprint even when the information contains no explicit identifiers, such as name and phone number. Other distinctive data, such as birth date and ZIP code, often combine uniquely and can be linked to publicly available information to re-identify individuals. Producing anonymous data that remains specific enough to be useful is often a very difficult task and practice today tends to either incorrectly believe confidentiality is maintained when it is not or produces data that are practically useless. The goal of the work presented in this book is to explore computational techniques for releasing useful information in such a way that the identity of any individual or entity contained in data cannot be recognized while the data remain practically useful. I begin by demonstrating ways to learn information about entities from publicly available information. I then provide a formal framework for reasoning about disclosure control and the ability to infer the identities of entities contained within the data. I formally define and present null-map, k-map and wrong-map as models of protection. Each model provides protection by ensuring that released information maps to no, k or incorrect entities, respectively. The book ends by examining four computational systems that attempt to maintain privacy while releasing electronic information. These systems are: (1) my Scrub System, which locates personally-identifying information in letters between doctors and notes written by clinicians; (2) my Datafly II System, which generalizes and suppresses values in field-structured data sets; (3) Statistics Netherlands' m-Argus System, which is becoming a European standard for producing public-use data; and, (4) my k-Similar algorithm, which finds optimal solutions such that data are minimally distorted while still providing adequate protection. By introducing anonymity and quality metrics, I show that Datafly II can overprotect data, Scrub and m-Argus can fail to provide adequate protection, but k-similar finds optimal results.

Citations

6517	Elements of Information Theory - Cover, Thomas - 1991
3339	Pattern Classification and Scene Analysis - Duda, Hart - 1973
2960	Artificial Intelligence: A Modern Approach. 2nd edn - Russell, Norvig - 2003
688	Nearest neighbor pattern classification - Cover, Hart - 1967
462	Cryptographyand Data Security - Denning - 1982
370	Locally weighted learning - ATKESON, MOORE, et al. - 1997
192	Principles of Database and Knowledge Base Systems - Ullman - 1989
117	M.S.: Efficient algorithms for minimizing cross validation error - Moore, Lee - 1994
58	A Method for Limiting Disclosure in Microdata Based on Random Noise and Transformation - Kim - 1986
44	On the question of statistical confidentiality - Fellegi - 1972
44	The tracker: a threat to statistical database security - Denning, Denning - 1979
39	A multilevel relational data model - Denning, Lunt, et al. - 1987
37	The risk of disclosure for microdata - Duncan, Lambert - 1989
34	Security and inference in multilevel database and knowledge-base systems - Morgenstern - 1987
34	Inference aggregation detection in database management systems - Hinke - 1988
32	Detection and elimination of inference channels in multilevel relational databases - Qian, Stickel, et al. - 1993
26	Aggregation and inference: Facts and fallacies - Lunt - 1989
22	µ- and τ-Argus: Software for statistical disclosure control - Hundepool, Willenborg - 1996
22	Controlling FD and MVD inferences in multilevel relational database systems - Su, Ozsoyoglu - 1991
20	Obtaining information while preserving privacy: A Markov perturbation method for tabular data - Duncan, Fienberg - 1998
18	Modeling security-relevant data semantics - Smith - 1990
12	Abductive and approximate reasoning models for characterizing inference channels - Garvey, Lunt, et al. - 1991
10	Microdata disclosure limitation in statistical databases: Query size and random sample query control - Duncan, Mukherjee - 1991
10	Modelling population uniqueness - Skinner, Holmes - 1993
5	Regression methodology based disclosure of a statistical database - Palley, Siminoff - 1986
5	Getting the data in: three-year experience with a pediatric electronic medical record system - Kohane - 1994
3	Privacy: the workplace issue of the '90s - Linowes, Spencer - 1990
3	Hospital Files as Open Book - Grady - 1997
2	et al., “An evaluation of Machine-Learning Methods for Predicting Pneumonia Mortality - Cooper - 1997
2	Patient Privacy in a Computerized World - Woodward - 1997
2	Voters List Database. City of - Cambridge - 1997
2	Multiple hashed binary storage of words -- tiny, fast and almost perfect - Sweeney - 1996
1	Gostin et al., “Privacy and Security of Personal Information in a New Health Care System - See - 1993
1	Harris and Associates, The Equifax-Harris Consumer Privacy Survey (Atlanta: Equifax - Louis - 1994
1	Address at the National - See, Shalala - 1997
1	Census Data, Database C90STF3B. U.S. Bureau of the Census. Available at http://venus.census.gov and http://www.census.gov - S - 1990
1	Voters List Database. City of Cambridge - Cambridge - 1997
1	as Invited Paper with Discussion - Science, May - 1991
1	Catalytic inference analysis: detecting threats due to knowledge discovery - Hale, Shenoi - 1997
1	Scout: discovering the structure of a database - Sweeney - 1995
1	Database inference controller. Database Security, III: Status and Prospects, D.L. Spooner and C.E - Buczkowski - 1990
1	Artificial intelligence and link analysis - Jensen, Goldberg - 1998
1	supra page 43 De-identification 57 See supra page 56 Suppression 58 See supra page 57 Query restriction 59 See supra page 54 Summary data Computational Disclosure Control 01/08/01 8:22 AM 60 T. Dalenius. Finding a needle in a haystack – or identifying ano - See - 1986
1	supra page 60 Swapping 63 See supra page 52 Relational database 64 See supra page 62 Quasi-identifier 65 See infra page 92 Precision metric 66 See infra page 107 Datafly 67 See infra page 125 μ-Argus 68 See infra page 165 k-Similar 69 See supra page 78 k- - See - 1990
1	41) No. 8. 88 See supra page 68 Formal protection models. 89 See supra page 60 Disclosure limitation techniques. 90 See supra page 80 k-anonymity requirement. 91 See supra note 16 Cambridge Voter List - Bulletin - 1978
1	infra page 165 k-Similar 104 A. Hundepool and - See - 1996
1	Inferences from unusual values in statistical - Sweeney
1	Privacy & Confidentiality: Is It a Privilege of the Past - Anon - 1997
1	note 137 Sweeney, Multiple hashed binary storage 140 See supra page 107 Datafly System 141 See note 92 - See - 1994