Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy TOOLS FOR SHARING RESEARCH DATA

Published bySamantha Scott Modified over 6 years ago

Similar presentations

Presentation on theme: "Privacy TOOLS FOR SHARING RESEARCH DATA"— Presentation transcript:

1 Privacy TOOLS FOR SHARING RESEARCH DATA
NSF Secure & Trustworthy Cyberspace PI Meeting January 9, 2017 Salil Vadhan Harvard University

2 Computational Social Science
The potential: massive new sources of data and ease of sharing will revolutionize social science. The problem: protecting the privacy of individual subjects The context for our project is the exciting transformation that is happening in social science, due to the immense variety and volume of new sources of data on human behavior. Instead of being limited to surveys of a few thousand people, researchers can carry out studies on the scale of hundreds of thousands by using data from new sources such as cell phone GPS readings, web searches, political blog posts, and social network activity. Moreover, the internet and data repositories such as the Dataverse Network (which I’ll talk about later) have made it much easier to share such data with other researchers enable replication and new analyses. However, a major obstacle for realizing the full potential of this vision is Privacy. Most of these datasets contain sensitive personal information about individuals, and currently social scientists do not have the tools to ensure that the privacy of those individuals is protected when the data is analyzed or shared. The result is that researchers are refusing to share their data, clashing with the growing movement towards open sharing of data being pushed by the research community and funding agencies. What do about this? The traditional approach is to try and anonymize data by removing so-called “personally identifying information”. However, it is now well-known that this technique does not work, because moderate amounts of seemingly innocuous information can already uniquely isolate individuals, and this information can often be linked with other publicly available data to re-identify the individuals in supposedly anonymized datasets. This problem was demonstrated in work by my co-PI Latanya Sweeney a number of years ago linking anonymized medical claims data with public voter registration rolls to uniquely identify the record of Massachusetts governer William Weld, and has become much more acute with the vast amounts of data that is publicly available on the internet. Indeed, there have been many more examples of reidentifications since then. Thus, this traditional approach presents us with a stark choice between privacy and data utility. If you remove only obviously identifying information, then the privacy is very weak – you’ve just made it slightly harder to identify individuals. If you aggressively de-identify, then the resulting dataset may have very little utliity left – you may have removed exactly the information you are interested in studying. utility traditional approaches (e.g. “stripping PII”) privacy open data privacy e.g. NYT 5/21/12 “Troves of Personal Data, Forbidden to Researchers”

3 Our Goal Achieve: & Via: social science computer science data science
utility Achieve: privacy & open data Program on Information Science MIT Libraries Nissim (Georgetown) privacy Via: Altman social science Honaker Chong King Vadhan Crosas computer science data science Airoldi Gasser Sweeney Gaboardi (Buffalo) law & policy O’Brien

4 Target: Data Repositories
Dataverse Repositories around the world: 21 installations Harvard Dataverse Repository: 1274 dataverses with 59,265 datasets and 1,415,241 downloads Largest social science repository in the world Stress = wide use of datavsrse. 10 repositories around the world, ¾ million files. Harvard dataverse has served 1m+ downloads. NEED TO UPDATE SCREENSHOT.

5 Datasets are restricted due to privacy concerns
Goal: enable wider sharing while protecting privacy

6 Challenges for Sharing Sensitive Data
Complexity of Law Thousands of privacy laws in the US alone, at federal, state and local level, usually context-specific: HIPAA, FERPA, CIPSEA, Privacy Act, PPRA, ESRA, …. Difficulty of Deidentification Stripping “PII” usually provides weak protections and/or poor utility Inefficient Process for Obtaining Restricted Data Can involve months of negotiation between institutions, original researchers Vision: array of computational, legal, policy tools that make privacy-protective data-sharing easier for researchers without expertise in privacy law/cs/stats. This is the challenge. General-purpose environment. Sweeney `97

7 Approach: Integrated Privacy Tools
RestrictedAccess Data Set w/DUA Robot Lawyers Deposit in repository Sensitive Data Set DataTags Interview Sensitive Data Set Stress that while this is a focusing vision, our work in each area also stands alone. PSI: Differential Privacy Public Access Statistics Tools we are working on

8 DataTags Tools RestrictedAccess Data Set w/DUA Robot Lawyers Deposit in repository Sensitive Data Set DataTags Interview Sensitive Data Set Stress that while this is a focusing vision, our work in each area also stands alone. PSI: Differential Privacy Help generate policies for how to transfer, store, access, and use a sensitive dataset. Public Access Statistics

9 Basic DataTags Levels

10 Basic DataTags Levels social science computer science data science
Crosas computer science data science Sweeney Bar-Sinai law & policy

11 DataTags Interviews

12 Robot Lawyers Sensitive Data Set

13 Robot Lawyers

14 Robot Lawyers Team social science computer science data science
Program on Information Science MIT Libraries Altman social science Chong & students Shaw, Bembenek, Wang computer science data science law & policy Wood

15 Approach: Integrated Privacy Tools
RestrictedAccess Data Set w/DUA Robot Lawyers Deposit in repository Sensitive Data Set DataTags Interview Sensitive Data Set Stress that while this is a focusing vision, our work in each area also stands alone. PSI: Differential Privacy Public Access Statistics Tools we are working on

16 Approach: Integrated Privacy Tools
RestrictedAccess Data Set w/DUA Robot Lawyers Deposit in repository Sensitive Data Set DataTags Interview Sensitive Data Set Stress that while this is a focusing vision, our work in each area also stands alone. PSI: Differential Privacy Public Access Statistics Tools we are working on

17 PSI: a Private data-Sharing Interface
Sex Blood HIV? F B Y M A N O q1 a1 q2 Ψ a2 q3 a3 interface data analysts Provides differential privacy: hides effect of each individual [Dinur-Nissim ’03+Dwork, Dwork-Nissim ’04, Blum-Dwork-McSherry-Nissim ’05, Dwork-McSherry-Nissim-Smith ’06]

18 Goals of PSI General-purpose: applicable to most datasets in repository. Automated: no differential privacy expert optimizing algorithms for a particular dataset or application Tiered access: DP interface for wide access to rough statistical information, helping users decide whether to apply for access to raw data (cf. Census PUMS vs RDCs)

19 Privacy Budgeting Interface

20 Integration with Statistical Tools for Social Science

21 Ullman (Northeastern)
PSI Team Leadership Ullman (Northeastern) Nissim (Georgetown) privacy social science Honaker King Vadhan computer science data science Gaboardi (Buffalo) Murtagh law & policy

22 Bridging Law and CS Definitions of Privacy
Argue that Differential Privacy Satisfies FERPA and other privacy laws via two arguments: 1.The FERPA privacy standard is relevant for analyses computed with DP A legal argument supported by a technical argument 2.Differential privacy satisfies the FERPA privacy standard A technical argument supported by a legal argument FERPA allows dissemination of de-identified information ⇒ sufficient to show that DP analyses result in outcome that is not identifiable Extract a mathematical definition of privacy from FERPA and provide a mathematical proof that DP satisfies this definition K. Nissim, A. Bembenek, A. Wood, M. Bun, M .Gaboardi, U. Gasser, D. O'Brien, T Steinke, and S. Vadhan “Bridging the Gap between Computer Science and Legal Approaches to Privacy.” In Privacy Law Scholars Conference (PLSC), 2016.

23 Bridging Law and CS Definitions of Privacy
Nissim (Georgetown) Bun Steinke social science Chong Vadhan computer science data science Bembenek Gaboardi (Buffalo) law & policy O’Brien Wood Gasser

24 Broader Impacts: Overarching Goals
Exposing a multidisciplinary understanding of data privacy to a wide range of audiences (students, policymakers, public) Bringing integrated solutions to data privacy problems to practice (focusing on data repositories and computational social science)

25 Broader Impacts Infrastructure for research in social science and other human subjects research fields Training in multidisciplinary research: ≈100 students, postdocs, interns from law, computer science, social science, stats Policy impact: White House Big Data Privacy Study, National Privacy Research Strategy, NIST Deidentifying Government Datasets, …

26 Broader Impacts Numerous workshops and symposia including public symposium with registrants. New journal “Technology Science” utilizing DataTags Open-access pedagogical materials on data privacy for many audiences

27 Other Accomplishments
Many theoretical results illuminating the limits of differential privacy (lower bounds, algorithms, hardness results, attacks). Bridging differential privacy & statistical inference (confidence intervals, hypothesis testing, Bayesian sampling) Framework for modern privacy analysis: catalogue privacy controls, identify information uses, threats, and vulnerabilities, and design data programs that align these over data lifecycle.

28 What’s Next Rest of Frontier project (next 9 months):
Transition to Practice: several tools deployed for sharing of sensitive datasets in the Harvard Dataverse Dissemination: write, publish, and present our work for all of the relevant communities (including potential users) Beyond the Frontier project: “Computing over Distributed Sensitive Data” (NSF SaTC Large) “Applying Theoretical Advances in Privacy to Computational Social Science Practice” (Sloan Foundation) “Formal Privacy Models and Title 13” (Census) Production-level Tools for long-term, wide use (in planning) For more info: Tuesday poster session (46-B-R) and

Download ppt "Privacy TOOLS FOR SHARING RESEARCH DATA"

Similar presentations

Throwing Open the Doors: Strategies and Implications for Open Access Heather Joseph Executive Director, SPARC October 23, 2009 Educause Live 1.

Throwing Open the Doors: Strategies and Implications for Open Access Heather Joseph Executive Director, SPARC October 23, 2009 Educause Live 1.
Secure and Trustworthy Cyberspace (SaTC) Program Sam Weber Program Director March 2012.

Secure and Trustworthy Cyberspace (SaTC) Program Sam Weber Program Director March 2012.
An Electronic Journal Impact Study: The Factors that Change when an Academic Library Migrates from Print Carol Hansen Montgomery, Ph.D. Dean of Libraries,

An Electronic Journal Impact Study: The Factors that Change when an Academic Library Migrates from Print Carol Hansen Montgomery, Ph.D. Dean of Libraries,
Current Developments in Differential Privacy Salil Vadhan Center for Research on Computation & Society School of Engineering & Applied Sciences Harvard.

Current Developments in Differential Privacy Salil Vadhan Center for Research on Computation & Society School of Engineering & Applied Sciences Harvard.
26th WATCH: Differential Privacy: Theoretical and Practical Challenges Salil Vadhan Harvard University THURSDAY Jan. 15, Noon, Room 110 W ashington A rea.

26th WATCH: Differential Privacy: Theoretical and Practical Challenges Salil Vadhan Harvard University THURSDAY Jan. 15, Noon, Room 110 W ashington A rea.
DATAVERSE FOR JOURNALS Mercè Crosas, Ph.D. Director of Data Science IQSS, Harvard Society for Scholarly Publishing 37 th Meeting,

DATAVERSE FOR JOURNALS Mercè Crosas, Ph.D. Director of Data Science IQSS, Harvard Society for Scholarly Publishing 37 th Meeting,
Track 1 – Part 1 What can we do to prepare the library of the future for researchers ? The Europeana Library Conference Madrid, December 2012.

Track 1 – Part 1 What can we do to prepare the library of the future for researchers ? The Europeana Library Conference Madrid, December 2012.
Scholarly communications Discussion group Linked Data Workshop 27-28 May 2010.

Scholarly communications Discussion group Linked Data Workshop May 2010.
 Day 59 Computer Science and Industry Exploring The Intersection Between CS and Other Fields.

 Day 59 Computer Science and Industry Exploring The Intersection Between CS and Other Fields.
National Science Foundation Directorate for Computer & Information Science & Engineering (CISE) Trustworthy Computing and Transition to Practice Secure.

National Science Foundation Directorate for Computer & Information Science & Engineering (CISE) Trustworthy Computing and Transition to Practice Secure.
Cryptography and Network Security (CS435) Part One (Introduction)

Cryptography and Network Security (CS435) Part One (Introduction)
A Few IQSS Quasi-Research Projects Gary King Institute for Quantitative Social Science Harvard University (talk at the Harvard Academic Computing Committee,

A Few IQSS Quasi-Research Projects Gary King Institute for Quantitative Social Science Harvard University (talk at the Harvard Academic Computing Committee,
Bridging Notions of Privacy Bridging Notions of Privacy (a.k.a. de-identification WG) Kobbi Nissim (BGU and Privacy Tools for Sharing Research.

Bridging Notions of Privacy Bridging Notions of Privacy (a.k.a. de-identification WG) Kobbi Nissim (BGU and Privacy Tools for Sharing Research.
EDUCATION & OUTREACH NSF site visit October 19, 2015 Salil Vadhan and Urs Gasser Supported by the NSF Secure & Trustworthy Cyberspace (SaTC) program, the.

EDUCATION & OUTREACH NSF site visit October 19, 2015 Salil Vadhan and Urs Gasser Supported by the NSF Secure & Trustworthy Cyberspace (SaTC) program, the.
Three Critical Matters in Big Data Projects for e- Science Kerk F. Kee, Ph.D. Assistant Professor, Chapman University Orange, California www.ekerk.com.

Three Critical Matters in Big Data Projects for e- Science Kerk F. Kee, Ph.D. Assistant Professor, Chapman University Orange, California
Differential Privacy: Theoretical & Practical Challenges Salil Vadhan Center for Research on Computation & Society John A. Paulson School of Engineering.

Differential Privacy: Theoretical & Practical Challenges Salil Vadhan Center for Research on Computation & Society John A. Paulson School of Engineering.
PRIVACY TOOLS FOR SHARING RESEARCH DATA NSF site visit October 19, 2015 Salil Vadhan Supported by the NSF Secure & Trustworthy Cyberspace (SaTC) program,

PRIVACY TOOLS FOR SHARING RESEARCH DATA NSF site visit October 19, 2015 Salil Vadhan Supported by the NSF Secure & Trustworthy Cyberspace (SaTC) program,
Transition to Practice. We define “Transition to Practice” as making privacy tools and systems operational.

Transition to Practice. We define “Transition to Practice” as making privacy tools and systems operational.
Privacy & Confidentiality in Internet Research Jeffrey M. Cohen, Ph.D. Associate Dean, Responsible Conduct of Research Weill Medical College of Cornell.

Privacy & Confidentiality in Internet Research Jeffrey M. Cohen, Ph.D. Associate Dean, Responsible Conduct of Research Weill Medical College of Cornell.
Bridging the Gap Between Computer Science and Legal Approaches to Privacy Second Census-MIT Big Data Workshop Nov 30-Dec 1, 2015 CS LAW Kobbi Nissim Ben-Gurion.

Bridging the Gap Between Computer Science and Legal Approaches to Privacy Second Census-MIT Big Data Workshop Nov 30-Dec 1, 2015 CS LAW Kobbi Nissim Ben-Gurion.

Similar presentations

Ads by Google