Sumathie Sundaresan Advisor : Dr. Huiping Guo Survey of Privacy Protection for Medical Data

Abstract Expanded scientific knowledge, combined with the development of the net and widespread use of computers have increased the need for strong privacy protection for medical records. We have all heard stories of harassment that has resulted because of the lack of adequate privacy protection of medical records. "...medical information is routinely shared with and viewed by third parties who are not involved in patient care.... The American Medical Records Association has identified twelve categories of information seekers outside of the health care industry who have access to health care files, including employers, government agencies, credit bureaus, insurers, educational institutions, and the media."

Methods Generalization k-anonymity l-diversity t-closeness m-invariance Personalized Privacy Preservation Anatomy

Privacy preserving data publishing Microdata NameAgeZipcodeDisease Bob dyspepsia Alice bronchitis Andy flu David gastritis Gary flu Helen gastritis Jane dyspepsia Ken flu Linda gastritis Paul dyspepsia Steve gastritis

Classification of Attributes Key Attribute: Name, Address, Cell Phone which can uniquely identify an individual directly Always removed before release. Quasi-Identifier: 5-digit ZIP code,Birth date, gender A set of attributes that can be potentially linked with external information to re-identify entities 87% of the population in U.S. can be uniquely identified based on these attributes, according to the Census summary data in Suppressed or generalized

Classification of Attributes(Cont ’ d) Sensitive Attribute: Medical record, wage,etc. Always released directly. These attributes is what the researchers need. It depends on the requirement.

Inference attack AgeZipcodeDisease dyspepsia bronchitis flu gastritis flu gastritis dyspepsia flu gastritis dyspepsia gastritis Published table An adversary Quasi-identifier (QI) attributes NameAgeZipcode Bob

Generalization Transform the QI values into less specific forms generalize AgeZipcodeDisease dyspepsia bronchitis flu gastritis flu gastritis dyspepsia flu gastritis dyspepsia gastritis AgeZipcodeDisease [21, 22][12k, 14k]dyspepsia [21, 22][12k, 14k]bronchitis [23, 24][18k, 25k]flu [23, 24][18k, 25k]gastritis [36, 41][20k, 27k]flu [36, 41][20k, 27k]gastritis [37, 43][26k, 35k]dyspepsia [37, 43][26k, 35k]flu [37, 43][26k, 35k]gastritis [52, 56][33k, 34k]dyspepsia [52, 56][33k, 34k]gastritis

Generalization Transform each QI value into a less specific form A generalized table An adversary NameAgeZipcode Bob AgeZipcodeDisease [21, 22][12k, 14k]dyspepsia [21, 22][12k, 14k]bronchitis [23, 24][18k, 25k]flu [23, 24][18k, 25k]gastritis [36, 41][20k, 27k]flu [36, 41][20k, 27k]gastritis [37, 43][26k, 35k]dyspepsia [37, 43][26k, 35k]flu [37, 43][26k, 35k]gastritis [52, 56][33k, 34k]dyspepsia [52, 56][33k, 34k]gastritis

K-Anonymity Sweeny came up with a formal protection model named k- anonymity What is K-Anonymity? If the information for each person contained in the release cannot be distinguished from at least k-1 individuals whose information also appears in the release. Example. If you try to identify a man from a release, but the only information you have is his birth date and gender. There are k people meet the requirement. This is k-Anonymity.

Attacks Against K-Anonymity Unsorted Matching Attack This attack is based on the order in which tuples appear in the released table. Solution: Randomly sort the tuples before releasing.

Attacks Against K-Anonymity(Cont’d) ZipcodeAgeDisease 476**2*Heart Disease 476**2*Heart Disease 476**2*Heart Disease 4790*≥40Flu 4790*≥40Heart Disease 4790*≥40Cancer 476**3*Heart Disease 476**3*Cancer 476**3*Cancer Bob ZipcodeAge A 3-anonymous patient table Carl ZipcodeAge k-Anonymity does not provide privacy if: Sensitive values in an equivalence class lack diversity The attacker has background knowledge Homogeneity Attack Background Knowledge Attack A. Machanavajjhala et al. l-Diversity: Privacy Beyond k-Anonymity. ICDE 2006

l-Diversity Distinct l-diversity Each equivalence class has at least l well-represented sensitive values Limitation: Example. In one equivalent class, there are ten tuples. In the “Disease” area, one of them is “Cancer”, one is “Heart Disease” and the remaining eight are “Flu”. This satisfies 3-diversity, but the attacker can still affirm that the target person’s disease is “Flu” with the accuracy of 70%. A. Machanavajjhala et al. l-Diversity: Privacy Beyond k-Anonymity. ICDE 2006

l-Diversity(Cont’d) Entropy l-diversity Each equivalence class not only must have enough different sensitive values, but also the different sensitive values must be distributed evenly enough. Sometimes this maybe too restrictive. When some values are very common, the entropy of the entire table may be very low. This leads to the less conservative notion of l-diversity. Recursive (c,l)-diversity The most frequent value does not appear too frequently A. Machanavajjhala et al. l-Diversity: Privacy Beyond k-Anonymity. ICDE 2006

Limitations of l-Diversity l-diversity may be difficult and unnecessary to achieve. A single sensitive attribute Two values: HIV positive (1%) and HIV negative (99%) Very different degrees of sensitivity l-diversity is unnecessary to achieve 2-diversity is unnecessary for an equivalence class that contains only negative records l-diversity is difficult to achieve Suppose there are records in total To have distinct 2-diversity, there can be at most 10000*1%=100 equivalence classes

Limitations of l-Diversity(Cont’d) l-diversity is insufficient to prevent attribute disclosure. Skewness Attack l-diversity does not consider the overall distribution of sensitive values Two sensitive values HIV positive (1%) and HIV negative (99%) Serious privacy risk Consider an equivalence class that contains an equal number of positive records and negative records l-diversity does not differentiate: Equivalence class 1: 49 positive + 1 negative Equivalence class 2: 1 positive + 49 negative

Limitations of l-Diversity(Cont’d) Bob ZipAge ZipcodeAgeSalaryDisease 476**2*3KGastric Ulcer 476**2*4KGastritis 476**2*5KStomach Cancer 4790*≥406KGastritis 4790*≥4011KFlu 4790*≥408KBronchitis 476**3*7KBronchitis 476**3*9KPneumonia 476**3*10KStomach Cancer A 3-diverse patient table Conclusion 1.Bob’s salary is in [3k,5k], which is relative low. 2.Bob has some stomach-related disease. l-diversity does not consider semantic meanings of sensitive values l-diversity is insufficient to prevent attribute disclosure. Similarity Attack

t-Closeness: A New Privacy Measure Rationale AgeZipcode……GenderDisease **……*Flu **……*Heart Disease **……*Cancer …… ** *Gastritis External Knowledge Overall distribution Q of sensitive values BeliefKnowledge B0B0 B1B1 A completely generalized table

t-Closeness: A New Privacy Measure Rationale External Knowledge AgeZipcode……GenderDisease 2*479**……MaleFlu 2*479**……MaleHeart Disease 2*479**……MaleCancer …… ≥504766*……*Gastritis Overall distribution Q of sensitive values Distribution P i of sensitive values in each equi-class BeliefKnowledge B0B0 B1B1 B2B2 A released table

t-Closeness: A New Privacy Measure Rationale External Knowledge Overall distribution Q of sensitive values Distribution P i of sensitive values in each equi-class BeliefKnowledge B0B0 B1B1 B2B2 Observations Q should be public Knowledge gain in two parts: Whole population (from B 0 to B 1 ) Specific individuals (from B 1 to B 2 ) We bound knowledge gain between B 1 and B 2 instead Principle The distance between Q and P i should be bounded by a threshold t.

How to calculate EMD EMD for numerical attributes Ordered-distance is a metric  Non-negative, symmetry, triangle inequality Let r i =p i -q i, then D[P,Q] is calculated as:

Earth Mover’s Distance Example {3k,4k,5k} and {3k,4k,5k,6k,7k,8k,9k,10k,11k} Move 1/9 probability for each of the following pairs 3k->5k,3k->4k cost: 1/9*(2+1)/8 4k->8k,4k->7k,4k->6k cost: 1/9*(4+3+2)/8 5k->11k,5k->10k,5k->9k cost: 1/9*(5+6+4)/8 Total cost: 1/9*27/8=0.375 With P2={6k,8k,11k}, we can get the total cost is < This make more sense than the other two distance calculation method.

Motivating Example A hospital keeps track of the medical records collected in the last three months. The microdata table T(1), and its generalization T*(1), published in Apr NameAgeZipcodeDisease Bob dyspepsia Alice bronchitis Andy flu David gastritis Gary flu Helen gastritis Jane dyspepsia Ken flu Linda gastritis Paul dyspepsia Steve gastritis Microdata T(1) G. IDAgeZipcodeDisease 1[21, 22][12k, 14k]dyspepsia 1[21, 22][12k, 14k]bronchitis 2[23, 24][18k, 25k]flu 2[23, 24][18k, 25k]gastritis 3[36, 41][20k, 27k]flu 3[36, 41][20k, 27k]gastritis 4[37, 43][26k, 35k]dyspepsia 4[37, 43][26k, 35k]flu 4[37, 43][26k, 35k]gastritis 5[52, 56][33k, 34k]dyspepsia 5[52, 56][33k, 34k]gastritis 2-diverse Generalization T*(1)

Motivating Example Bob was hospitalized in Mar NameAgeZipcode Bob G. IDAgeZipcodeDisease 1[21, 22][12k, 14k]dyspepsia 1[21, 22][12k, 14k]bronchitis 2[23, 24][18k, 25k]flu 2[23, 24][18k, 25k]gastritis 3[36, 41][20k, 27k]flu 3[36, 41][20k, 27k]gastritis 4[37, 43][26k, 35k]dyspepsia 4[37, 43][26k, 35k]flu 4[37, 43][26k, 35k]gastritis 5[52, 56][33k, 34k]dyspepsia 5[52, 56][33k, 34k]gastritis 2-diverse Generalization T*(1)

Motivating Example One month later, in May 2007 NameAgeZipcodeDisease Bob dyspepsia Alice bronchitis Andy flu David gastritis Gary flu Helen gastritis Jane dyspepsia Ken flu Linda gastritis Paul dyspepsia Steve gastritis Microdata T(1)

Motivating Example One month later, in May 2007 Some obsolete tuples are deleted from the microdata. Microdata T(1) NameAgeZipcodeDisease Bob dyspepsia Alice bronchitis Andy flu David gastritis Gary flu Helen gastritis Jane dyspepsia Ken flu Linda gastritis Paul dyspepsia Steve gastritis

Motivating Example Bob’s tuple stays. Microdata T(1) NameAgeZipcodeDisease Bob dyspepsia David gastritis Gary flu Jane dyspepsia Linda gastritis Steve gastritis

Motivating Example Some new records are inserted. Microdata T(2) NameAgeZipcodeDisease Bob dyspepsia David gastritis Emily flu Jane dyspepsia Linda gastritis Gary flu Mary gastritis Ray dyspepsia Steve gastritis Tom gastritis Vince flu

Motivating Example The hospital published T*(2). NameAgeZipcodeDisease Bob dyspepsia David gastritis Emily flu Jane dyspepsia Linda gastritis Gary flu Mary gastritis Ray dyspepsia Steve gastritis Tom gastritis Vince flu Microdata T(2) G. IDAgeZipcodeDisease 1[21, 23][12k, 25k]dyspepsia 1[21, 23][12k, 25k]gastritis 2[25, 43][21k, 33k]flu 2[25, 43][21k, 33k]dyspepsia 3[25, 43][21k, 33k]gastritis 3[41, 46][20k, 30k]flu 4[41, 46][20k, 30k]gastritis 4[54, 56][31k, 34k]dyspepsia 4[54, 56][31k, 34k]gastritis 5[60, 65][36k, 44k]gastritis 5[60, 65][36k, 44k]flu 2-diverse Generalization T*(2)

Motivating Example Consider the previous adversary. NameAgeZipcode Bob G. IDAgeZipcodeDisease 1[21, 23][12k, 25k]dyspepsia 1[21, 23][12k, 25k]gastritis 2[25, 43][21k, 33k]flu 2[25, 43][21k, 33k]dyspepsia 3[25, 43][21k, 33k]gastritis 3[41, 46][20k, 30k]flu 4[41, 46][20k, 30k]gastritis 4[54, 56][31k, 34k]dyspepsia 4[54, 56][31k, 34k]gastritis 5[60, 65][36k, 44k]gastritis 5[60, 65][36k, 44k]flu 2-diverse Generalization T*(2)

Motivating Example What the adversary learns from T*(1). What the adversary learns from T*(2). So Bob must have contracted dyspepsia! A new generalization principle is needed. NameAgeZipcode Bob G. IDAgeZipcodeDisease 1[21, 22][12k, 14k]dyspepsia 1[21, 22][12k, 14k]bronchitis …… NameAgeZipcode Bob G. IDAgeZipcodeDisease 1[21, 23][12k, 25k]dyspepsia 1[21, 23][12k, 25k]gastritis ……

The critical absence phenomenon We refer to such phenomenon as the critical absence phenomenon A new generalization method is needed. NameAgeZipcodeDisease Bob dyspepsia David gastritis Emily flu Jane dyspepsia Linda gastritis Gary flu Mary gastritis Ray dyspepsia Steve gastritis Tom gastritis Vince flu Microdata T(2) NameAgeZipcode Bob G. IDAgeZipcodeDisease 1[21, 22][12k, 14k]dyspepsia 1[21, 22][12k, 14k]bronchitis …… What the adversary learns from T*(1)

NameGroup-IDAgeZipcodeDisease Bob1[21, 22][12k, 14k]dyspepsia c1c11[21, 22][12k, 14k]bronchitis David2[23, 25][21k, 25k]gastritis Emily2[23, 25][21k, 25k]flu Jane3[37, 43][26k, 33k]dyspepsia c2c23[37, 43][26k, 33k]flu Linda3[37, 43][26k, 33k]gastritis Gary4[41, 46][20k, 30k]flu Mary4[41, 46][20k, 30k]gastritis Ray5[54, 56][31k, 34k]dyspepsia Steve5[54, 56][31k, 34k]gastritis Tom6[60, 65][36k, 44k]gastritis Vince6[60, 65][36k, 44k]flu Counterfeited generalization T*(2) Group-IDCount The auxiliary relation R(2) for T*(2) NameAgeZipcodeDisease Bob dyspepsia David gastritis Emily flu Jane dyspepsia Linda gastritis Gary flu Mary gastritis Ray dyspepsia Steve gastritis Tom gastritis Vince flu Microdata T(2)

NameG.IDAgeZipcodeDisease Bob1[21, 22][12k, 14k]dyspepsia c1c11[21, 22][12k, 14k]bronchitis David2[23, 25][21k, 25k]gastritis Emily2[23, 25][21k, 25k]flu Jane3[37, 43][26k, 33k]dyspepsia c2c23[37, 43][26k, 33k]flu Linda3[37, 43][26k, 33k]gastritis Gary4[41, 46][20k, 30k]flu Mary4[41, 46][20k, 30k]gastritis Ray5[54, 56][31k, 34k]dyspepsia Steve5[54, 56][31k, 34k]gastritis Tom6[60, 65][36k, 44k]gastritis Vince6[60, 65][36k, 44k]flu Counterfeited Generalization T*(2) Group-IDCount The auxiliary relation R(2) for T*(2) NameG.IDAgeZipcodeDisease Bob1[21, 22][12k, 14k]dyspepsia Alice1[21, 22][12k, 14k]bronchitis Andy2[23, 24][18k, 25k]flu David2[23, 24][18k, 25k]gastritis Gary3[36, 41][20k, 27k]flu Helen3[36, 41][20k, 27k]gastritis Jane4[37, 43][26k, 35k]dyspepsia Ken4[37, 43][26k, 35k]flu Linda4[37, 43][26k, 35k]gastritis Paul5[52, 56][33k, 34k]dyspepsia Steve5[52, 56][33k, 34k]gastritis Generalization T*(1) NameAgeZipcode Bob

m-uniqueness A generalized table T*(j) is m-unique, if and only if each QI-group in T*(j) contains at least m tuples all tuples in the same QI-group have different sensitive values. G. IDAgeZipcodeDisease 1[21, 22][12k, 14k]dyspepsia 1[21, 22][12k, 14k]bronchitis 2[23, 24][18k, 25k]flu 2[23, 24][18k, 25k]gastritis 3[36, 41][20k, 27k]flu 3[36, 41][20k, 27k]gastritis 4[37, 43][26k, 35k]dyspepsia 4[37, 43][26k, 35k]flu 4[37, 43][26k, 35k]gastritis 5[52, 56][33k, 34k]dyspepsia 5[52, 56][33k, 34k]gastritis A 2-unique generalized table

Signature The signature of Bob in T*(1) is {dyspepsia, bronchitis} The signature of Jane in T*(1) is {dyspepsia, flu, gastritis} NameG.IDAgeZipcodeDisease Bob1[21, 22][12k, 14k]dyspepsia Alice1[21, 22][12k, 14k]bronchitis …………… Jane4[37, 43][26k, 35k]dyspepsia Ken4[37, 43][26k, 35k]flu Linda4[37, 43][26k, 35k]gastritis …………… T*(1)

The m-invariance principle A sequence of generalized tables T*(1), …, T*(n) is m- invariant, if and only if T*(1), …, T*(n) are m-unique, and each individual has the same signature in every generalized table s/he is involved.

NameG.IDAgeZipcodeDisease Bob1[21, 22][12k, 14k]dyspepsia c1c11[21, 22][12k, 14k]bronchitis David2[23, 25][21k, 25k]gastritis Emily2[23, 25][21k, 25k]flu Jane3[37, 43][26k, 33k]dyspepsia c2c23[37, 43][26k, 33k]flu Linda3[37, 43][26k, 33k]gastritis Gary4[41, 46][20k, 30k]flu Mary4[41, 46][20k, 30k]gastritis Ray5[54, 56][31k, 34k]dyspepsia Steve5[54, 56][31k, 34k]gastritis Tom6[60, 65][36k, 44k]gastritis Vince6[60, 65][36k, 44k]flu Generalization T*(2) NameG.IDAgeZipcodeDisease Bob1[21, 22][12k, 14k]dyspepsia Alice1[21, 22][12k, 14k]bronchitis Andy2[23, 24][18k, 25k]flu David2[23, 24][18k, 25k]gastritis Gary3[36, 41][20k, 27k]flu Helen3[36, 41][20k, 27k]gastritis Jane4[37, 43][26k, 35k]dyspepsia Ken4[37, 43][26k, 35k]flu Linda4[37, 43][26k, 35k]gastritis Paul5[52, 56][33k, 34k]dyspepsia Steve5[52, 56][33k, 34k]gastritis Generalization T*(1) A sequence of generalized tables T*(1), …, T*(n) is m-invariant, if and only if T*(1), …, T*(n) are m-unique, and each individual has the same signature in every generalized table s/he is involved.

NameG.IDAgeZipcodeDisease Bob1[21, 22][12k, 14k]dyspepsia c1c11[21, 22][12k, 14k]bronchitis David2[23, 25][21k, 25k]gastritis Emily2[23, 25][21k, 25k]flu Jane3[37, 43][26k, 33k]dyspepsia c2c23[37, 43][26k, 33k]flu Linda3[37, 43][26k, 33k]gastritis Gary4[41, 46][20k, 30k]flu Mary4[41, 46][20k, 30k]gastritis Ray5[54, 56][31k, 34k]dyspepsia Steve5[54, 56][31k, 34k]gastritis Tom6[60, 65][36k, 44k]gastritis Vince6[60, 65][36k, 44k]flu Generalization T*(2) NameG.IDAgeZipcodeDisease Bob1[21, 22][12k, 14k]dyspepsia Alice1[21, 22][12k, 14k]bronchitis Andy2[23, 24][18k, 25k]flu David2[23, 24][18k, 25k]gastritis Gary3[36, 41][20k, 27k]flu Helen3[36, 41][20k, 27k]gastritis Jane4[37, 43][26k, 35k]dyspepsia Ken4[37, 43][26k, 35k]flu Linda4[37, 43][26k, 35k]gastritis Paul5[52, 56][33k, 34k]dyspepsia Steve5[52, 56][33k, 34k]gastritis Generalization T*(1) A sequence of generalized tables T*(1), …, T*(n) is m-invariant, if and only if T*(1), …, T*(n) are m-unique, and each individual has the same signature in every generalized table s/he is involved.

NameG.IDAgeZipcodeDisease Bob1[21, 22][12k, 14k]dyspepsia c1c11[21, 22][12k, 14k]bronchitis David2[23, 25][21k, 25k]gastritis Emily2[23, 25][21k, 25k]flu Jane3[37, 43][26k, 33k]dyspepsia c2c23[37, 43][26k, 33k]flu Linda3[37, 43][26k, 33k]gastritis Gary4[41, 46][20k, 30k]flu Mary4[41, 46][20k, 30k]gastritis Ray5[54, 56][31k, 34k]dyspepsia Steve5[54, 56][31k, 34k]gastritis Tom6[60, 65][36k, 44k]gastritis Vince6[60, 65][36k, 44k]flu Generalization T*(2) NameG.IDAgeZipcodeDisease Bob1[21, 22][12k, 14k]dyspepsia Alice1[21, 22][12k, 14k]bronchitis Andy2[23, 24][18k, 25k]flu David2[23, 24][18k, 25k]gastritis Gary3[36, 41][20k, 27k]flu Helen3[36, 41][20k, 27k]gastritis Jane4[37, 43][26k, 35k]dyspepsia Ken4[37, 43][26k, 35k]flu Linda4[37, 43][26k, 35k]gastritis Paul5[52, 56][33k, 34k]dyspepsia Steve5[52, 56][33k, 34k]gastritis Generalization T*(1) A sequence of generalized tables T*(1), …, T*(n) is m-invariant, if and only if T*(1), …, T*(n) are m-unique, and each individual has the same signature in every generalized table s/he is involved.

Motivation 1: Personalization Andy does not want anyone to know that he had a stomach problem Sarah does not mind at all if others find out that she had flu NameAgeSexZipcode Andy4M12000 Bill5M14000 Ken6M18000 Nash9M19000 Mike7M17000 Alice12F22000 Betty19F24000 Linda21F33000 Jane25F34000 Sarah28F37000 Mary56F58000 AgeSexZipcodeDisease [1, 5]M[10001, 15000]gastric ulcer [1, 5]M[10001, 15000]dyspepsia [6, 10]M[15001, 20000]pneumonia [6, 10]M[15001, 20000]bronchitis [11, 20]F[20001, 25000]flu [11, 20]F[20001, 25000]pneumonia [21, 60]F[30001, 60000]gastritis [21, 60]F[30001, 60000]gastritis [21, 60]F[30001, 60000]flu [21, 60]F[30001, 60000]flu A 2-diverse tableAn external database

Motivation 2: SA generalization How many female patients are there with age above 30? 4 ∙ (60 – 30 ) / (60 – 20 ) = 3 Real answer: 1 AgeSexZipcodeDisease [1, 5]M[10001, 15000]gastric ulcer [1, 5]M[10001, 15000]dyspepsia [6, 10]M[15001, 20000]pneumonia [6, 10]M[15001, 20000]bronchitis [11, 20]F[20001, 25000]flu [11, 20]F[20001, 25000]pneumonia [21, 60]F[30001, 60000]gastritis [21, 60]F[30001, 60000]gastritis [21, 60]F[30001, 60000]flu [21, 60]F[30001, 60000]flu A generalized table NameAgeSexZipcode Andy4M12000 Bill5M14000 Ken6M18000 Nash9M19000 Mike7M17000 Alice12F22000 Betty19F24000 Linda21F33000 Jane25F34000 Sarah28F37000 Mary56F58000 An external database

Motivation 2: SA generalization (cont.) Generalization of the sensitive attribute is beneficial in this case AgeSexZipcodeDisease [1, 5]M[10001, 15000]gastric ulcer [1, 5]M[10001, 15000]dyspepsia [6, 10]M[15001, 20000]pneumonia [6, 10]M[15001, 20000]bronchitis [11, 20]F[20001, 25000]flu [11, 20]F[20001, 25000]pneumonia [21, 30]F[30001, 40000]gastritis [21, 30]F[30001, 40000]gastritis [21, 30]F[30001, 40000]flu 56F58000 respiratory infection A better generalized table NameAgeSexZipcode Andy4M12000 Bill5M14000 Ken6M18000 Nash9M19000 Mike7M17000 Alice12F22000 Betty19F24000 Linda21F33000 Jane25F34000 Sarah28F37000 Mary56F58000 An external database

Personalized anonymity We propose a mechanism to capture personalized privacy requirements criteria for measuring the degree of security provided by a generalized table

Guarding node Andy does not want anyone to know that he had a stomach problem He can specify “stomach disease” as the guarding node for his tuple The data publisher should prevent an adversary from associating Andy with “stomach disease” NameAgeSexZipcodeDiseaseguarding node Andy4M12000gastric ulcerstomach disease

Guarding node Sarah is willing to disclose her exact symptom She can specify Ø as the guarding node for her tuple NameAgeSexZipcodeDiseaseguarding node Sarah28F37000flu Ø

Guarding node Bill does not have any special preference He can specify the guarding node for his tuple as the same with his sensitive value NameAgeSexZipcodeDiseaseguarding node Bill5M14000dyspepsia

A personalized approach NameAgeSexZipcodeDiseaseguarding node Andy4M12000gastric ulcerstomach disease Bill5M14000dyspepsia Ken6M18000pneumoniarespiratory infection Nash9M19000bronchitis Alice12F22000flu Betty19F24000pneumonia Linda21F33000gastritis Jane25F34000gastritis Ø Sarah28F37000flu Ø Mary56F58000flu

Personalized anonymity A table satisfies personalized anonymity with a parameter p breach Iff no adversary can breach the privacy requirement of any tuple with a probability above p breach If p breach = 0.3, then any adversary should have no more than 30% probability to find out that: Andy had a stomach disease Bill had dyspepsia etc NameAgeSexZipcodeDiseaseguarding node Andy4M12000gastric ulcerstomach disease Bill5M14000dyspepsia Ken6M18000pneumoniarespiratory infection Nash9M19000bronchitis Alice12F22000flu Betty19F24000pneumonia Linda21F33000gastritis Jane25F34000gastritis Ø Sarah28F37000flu Ø Mary56F58000flu

Personalized anonymity Personalized anonymity with respect to a predefined parameter p breach an adversary can breach the privacy requirement of any tuple with a probability at most p breach AgeSexZipcodeDisease [1, 10]M[10001, 20000]gastric ulcer [1, 10]M[10001, 20000]dyspepsia [1, 10]M[10001, 20000]pneumonia [1, 10]M[10001, 20000]bronchitis [11, 20]F[20001, 25000]flu [11, 20]F[20001, 25000]pneumonia 21F33000stomach disease 25F34000gastritis 28F37000flu 56F58000respiratory infection We need a method for calculating the breach probabilities What is the probability that Andy had some stomach problem?

Combinatorial reconstruction Assumptions the adversary has no prior knowledge about each individual every individual involved in the microdata also appears in the external database

Combinatorial reconstruction Andy does not want anyone to know that he had some stomach problem What is the probability that the adversary can find out that “Andy had a stomach disease”? NameAgeSexZipcode Andy4M12000 Bill5M14000 Ken6M18000 Nash9M19000 Mike7M17000 Alice12F22000 Betty19F24000 Linda21F33000 Jane25F34000 Sarah28F37000 Mary56F58000 AgeSexZipcodeDisease [1, 10]M[10001, 20000]gastric ulcer [1, 10]M[10001, 20000]dyspepsia [1, 10]M[10001, 20000]pneumonia [1, 10]M[10001, 20000]bronchitis [11, 20]F[20001, 25000]flu [11, 20]F[20001, 25000]pneumonia 21F33000stomach disease 25F34000gastritis 28F37000flu 56F58000respiratory infection

Combinatorial reconstruction (cont.) Can each individual appear more than once? No = the primary case Yes = the non-primary case Some possible reconstructions: Andy Bill Ken Nash Mike gastric ulcer dyspepsia pneumonia bronchitis the primary case Andy Bill Ken Nash Mike gastric ulcer dyspepsia pneumonia bronchitis the non-primary case

Combinatorial reconstruction (cont.) Can each individual appear more than once? No = the primary case Yes = the non-primary case Some possible reconstructions: Andy Bill Ken Nash Mike gastric ulcer dyspepsia pneumonia bronchitis the primary case Andy Bill Ken Nash Mike gastric ulcer dyspepsia pneumonia bronchitis the non-primary case

Breach probability (primary) Totally 120 possible reconstructions If Andy is associated with a stomach disease in n b reconstructions The probability that the adversary should associate Andy with some stomach problem is n b / 120 Andy is associated with gastric ulcer in 24 reconstructions dyspepsia in 24 reconstructions gastritis in 0 reconstructions n b = 48 The breach probability for Andy’s tuple is 48 / 120 = 2 / 5 Andy Bill Ken Nash Mike gastric ulcer dyspepsia pneumonia bronchitis

Breach probability (non-primary) Totally 625 possible reconstructions Andy is associated with gastric ulcer or dyspepsia or gastritis in 225 reconstructions n b = 225 The breach probability for Andy’s tuple is 225 / 625 = 9 / 25 Andy Bill Ken Nash Mike gastric ulcer dyspepsia pneumonia bronchitis

Defect of generalization Query A: SELECT COUNT(*) from Unknown-Microdata WHERE Disease = ‘pneumonia’ AND Age in [0, 30] AND Zipcode in [10001, 20000] AgeSexZipcodeDisease [21, 60]M[10001, 60000]pneumonia [21, 60]M[10001, 60000]dyspepsia [21, 60]M[10001, 60000]dyspepsia [21, 60]M[10001, 60000]pneumonia [61, 70]F[10001, 60000]flu [61, 70]F[10001, 60000]gastritis [61, 70]F[10001, 60000]flu [61, 70]F[10001, 60000]bronchitis Estimated answer: 2 * p, where p is the probability that each of the two tuples satisfies the query conditions

Defect of generalization (cont.) Query A: SELECT COUNT(*) from Unknown-Microdata WHERE Disease = ‘pneumonia’ AND Age in [0, 30] AND Zipcode in [10001, 20000] p = Area( R 1 ∩ Q ) / Area( R 1 ) = 0.05 Estimated answer for query A: 2 * p = 0.1 AgeSexZipcodeDisease [21, 60]M[10001, 60000]pneumonia [21, 60]M[10001, 60000]pneumonia

Defect of generalization (cont.) Query A:SELECT COUNT(*) from Unknown-Microdata WHERE Disease = ‘pneumonia’ AND Age in [0, 30] AND Zipcode in [10001, 20000] Estimated answer from the generalized table: 0.1 NameAgeSexZipcodeDisease Bob23M11000pneumonia Ken27M13000dyspepsia Peter35M59000dyspepsia Sam59M12000pneumonia Jane61F54000flu Linda65F25000gastritis Alice65F25000flu Mandy70F30000bronchitis The exact answer should be: 1

Basic Idea of Anatomy For a given microdata table, Anatomy releases a quasi-identifier table (QIT) and a sensitive table (ST) Group-IDDiseaseCount 1dyspepsia2 1pneumonia2 2bronchitis1 2flu2 2gastritis1 AgeSexZipcodeGroup-ID 23M M M M F F F F Quasi-identifier Table (QIT) Sensitive Table (ST) AgeSexZipcodeDisease 23M11000pneumonia 27M13000dyspepsia 35M59000dyspepsia 59M12000pneumonia 61F54000flu 65F25000gastritis 65F25000flu 70F30000bronchitis microdata

Basic Idea of Anatomy (cont.) 1. Select a partition of the tuples AgeSexZipcodeDisease 23M11000pneumonia 27M13000dyspepsia 35M59000dyspepsia 59M12000pneumonia 61F54000flu 65F25000gastritis 65F25000flu 70F30000bronchitis QI group 1 QI group 2 a 2-diverse partition

Basic Idea of Anatomy (cont.) 2. Generate a quasi-idnetifier table (QIT) and a sensitive table (ST) based on the selected partition Disease pneumonia dyspepsia pneumonia flu gastritis flu bronchitis AgeSexZipcode 23M M M M F F F F30000 group 1 group 2 quasi-identifier table (QIT)sensitive table (ST)

Basic Idea of Anatomy (cont.) 2. Generate a quasi-idnetifier table (QIT) and a sensitive table (ST) based on the selected partition Group-IDDisease 1pneumonia 1dyspepsia 1 1pneumonia 2flu 2gastritis 2flu 2bronchitis AgeSexZipcodeGroup-ID 23M M M M F F F F quasi-identifier table (QIT)sensitive table (ST)

Basic Idea of Anatomy (cont.) 2. Generate a quasi-idnetifier table (QIT) and a sensitive table (ST) based on the selected partition Group-IDDiseaseCount 1dyspepsia2 1pneumonia2 2bronchitis1 2flu2 2gastritis1 AgeSexZipcodeGroup-ID 23M M M M F F F F quasi-identifier table (QIT) sensitive table (ST)

Privacy Preservation From a pair of QIT and ST generated from an l-diverse partition, the adversary can infer the sensitive value of each individual with confidence at most 1/l NameAgeSexZipcode Bob23M11000 Group-IDDiseaseCount 1dyspepsia2 1pneumonia2 2bronchitis1 2flu2 2gastritis1 AgeSexZipcodeGroup-ID 23M M M M F F F F quasi-identifier table (QIT) sensitive table (ST)

Accuracy of Data Analysis Query A: SELECT COUNT(*) from Unknown-Microdata WHERE Disease = ‘pneumonia’ AND Age in [0, 30] AND Zipcode in [10001, 20000] Group-IDDiseaseCount 1dyspepsia2 1pneumonia2 2bronchitis1 2flu2 2gastritis1 AgeSexZipcodeGroup-ID 23M M M M F F F F quasi-identifier table (QIT) sensitive table (ST)

Accuracy of Data Analysis (cont.) Query A:SELECT COUNT(*) from Unknown-Microdata WHERE Disease = ‘pneumonia’ AND Age in [0, 30] AND Zipcode in [10001, 20000] 2 patients have contracted pneumonia 2 out of 4 patients satisfies the query condition on Age and Zipcode Estimated answer for query A: 2 * 2 / 4 = 1, which is also the actual result from the original microdata AgeSexZipcodeGroup-ID 23M M M M t1t2t3t4t1t2t3t4

Conclusion Limitations of l-diversity l-diversity is difficult and unnecessary to achieve l-diversity is insufficient in preventing attribute disclosure t-Closeness as a new privacy measure The overall distribution of sensitive values should be public information The separation of the knowledge gain EMD to measure distance EMD captures semantic distance well Simple formulas for three ground distances

Conclusions m-invariant table support republication of dynamic datasets Guarding nodes allow individuals to describe their privacy requirements better Anatomy outperforms generalization by allowing much more accurate data analysis on the published data.

Thank you! Questions?