A Case Study: Privacy Preserving Release of Spa9o- temporal Density in Paris

Transcription

1 A Case Study: Privacy Preserving Release of Spa9o- temporal Density in Paris Gergely Acs (INRIA) Claude Castelluccia (INRIA)

2 Outline 2! Dataset descrip9on! XData Project! Privacy model! Sani4za4on algorithm! Performance evalua4on! Conclusions 2

3 Mo9va9on: XData project 3 Postal data Call Data Record (CDR) Electricity consumption data Demographical data Water management data 3

4 4 Problem: European Data Protec9on law (Direc9ve 95/46/EC)! all datasets have to be anonymized such that data subjects are no longer identifiable! Who is identifiable?! account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person è Anonymization must be done before cross-processing datasets! In practice, CNIL (French Data Protection Office) checks if 4 data releases are compliant with the rule

5 Privacy Model 5! Differential privacy e " apple Pr(M(D) =D ) Pr(M(D 0 )=D ) apple e"! composes securely: retain privacy guarantees in the presence of independent releases [1]! even with arbitrary external knowledge! 5 [1] S.R. Ganta, S. Kasiviswanathan, A. Smith. Composition Attacks and Auxiliary Information in Data Privacy. KDD 08

6 ε 6! 1-bit information: e.g., Is Alice s record inside dataset D? Inference advantage: Pr( Alice in D ε-diff. private D AND D \ {Alice}) Pr( Alice in D D \ {Alice}) Max inference advantage ε =0.1 ε =0.3 ε =0.5 ε =1.0 Global Maximum Prior Global Maximum ε

7 Focus: Spa9o- temporal density from 7 CDR Postal data Call Data Record (CDR) Electricity consumption data Demographical data Water management data 7

8 (Simplified) Call Data Record 8 Rec # Phone Lat Lon Time Event :34:12 01/09/ :31:02 02/09/2007 Incoming SMS Outgoing Call! 4 types of events:! Incoming SMS/Call! Outgoing SMS/Call! Phone numbers are scrambled (No Personal Data in the 8 dataset)

9 Paris CDR (provided by Orange ) 9! 1,992,846 users! 1303 towers! 10/09/ /09/2007! Mean trace length: (std.dev: 18)! Max. trace length: 732 9

10 Goal: Release spa9o- temporal 10 density (and not CDR)! Number of individuals at a given hour at any IRIS cell in Paris IRIS cells , Total visits: (Mean: 87) Original Visits Mo Tu Wed Thu Fri Sat Sun , Total visits: (Mean: 81) Original Visits ! Challenge: Large dimensional data 0 Mo Tu Wed Thu Fri Sat 10 Sun

11 Overview of our approach Sample x ( 30) visits per user uniformly at random (to decrease sensi4vity) 2. Create 4me- series: map tower cell counts to IRIS cell counts 3. Perturb these 4me- series to guarantee differen4al privacy 11

12 From CDR to Spa9o- temporal Density Create the Voronoi- tessela4on of the towers 2. Map each Voronoi cell to Iris cells 3. Compute the IRIS cell count at any 4me from the count of the overlapping voronoi cells Tower cells IRIS cells 12

13 Overview of our approach Sample x ( 30) visits per user uniformly at random 2. Create 4me- series: map tower cell counts to IRIS cell counts 3. Perturb these 4me- series to guarantee differen4al privacy 13

14 Perturba9on of 9me series 14! Naïve solu9on: add properly calibrated Laplace noise to each count of the IRIS cell (one count per hour over 1 week) Naïve approach (ε=0.3) Original Private (MRE: 0.73, PC: 0.59) Problem: Counts are much smaller than the noise!! Our approach: Visit count Mo Tu Wed Thu Fri Sat Sun 1. cluster nearby less populated cells un4l their aggregated counts become sufficiently large to resist noise. 2. perturb the aggregated 4me series by adding noise to their largest Fourier coefficients Visit count Our approach (ε=0.3) Original Private (MRE: 0.16, PC: 0.99) 3. scale back with the (noisy) total number of visits of individual cells to get the individual 4me series 50 0 Mo Tu Wed Thu Fri Sat Sun

15 Performance evalua9on 1: 15 Mean Rela9ve Error MRE(X, ˆX) =(1/168) X168 i=1 ˆX i X i max(,x i ) Naïve approach (ε=0.3) MRE Our scheme (ε=0.3) MRE Average MRE: Average MRE:

16 Performance evalua9on 2: 16 Pearson Correla9on PC(X, ˆX) = P 168 i=1 (X i q P168 i=1 (X i Pi X i/168)( ˆX P ˆX i i i /168) q Pi X P168 i/168) 2 i=1 ( ˆX P ˆX i i i /168) 2 Naive approach (ε=0.3) PC 1.0 Our scheme (ε=0.3) PC Average PC: 0.47 Average PC:

17 Conclusions 1. 17! secure composability is an implicit requirement! this favours randomization-based notions of privacy (such as differential privacy)! we obtained accurate results for large dimensional data within the differen4al privacy model! there are no universal anonymization solutions that fit all applications! in order to get the best accuracy, they have to be customized to the application and the public characteristics of the dataset 17

18 Conclusions 2. 18! Differential Privacy might be overkilling! A simpler scheme (with aggregation, or k- anonymity) with a realistic privacy risk analysis is probably enough from a Legal point of you!! But how to perform a Privacy Risk Analysis??? 18

19 Conclusions 3. 19! Privacy Risk Analysis is required before any anonymization process! Otherwise we might not solve the correct problem! Different from Security Risk Analysis! Assumptions are different! Not black or white! Inference is hard to model and quantify 19

20 Performance evalua9on 3: 20 Error depending on 9me Relative error (ε=0.3) Earth Mover s Distance Meters of errors (ε=0.3) Our approach Our approach (Average: 188 meters) LPA (Average: 341 meters) EMD (meters) Mo Tu Wed Thu Fri Sat Sun 0 Mo Tu Wed Thu Fri Sat Sun Average: 0.18 Average: 188 meters 20

21 European Data Protec9on law 21! personal data is any information relating to an identified or identifiable individual! can be used to identify him or her, and to know his/her habits! account must be taken of all the means available [ ] to determine whether a person is identifiable! any processing of any personal data must be (1) transparent (to the individual), (2) for specified explicit purpose(s), (3) relevant and not excessive in relation to these purposes! Legally nonbinding: all member states have enacted their own data protection legislation! Anonymized data is considered to be non-personal data, and 21 as such, the directive does not apply to that

22 New Law: General Data Protec4on 22 Regula4on (under discussion)! personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an address, bank details, posts on social networking websites, medical information, or a computer s IP address."! applies if personal data of EU residents are processed (even by non-eu companies)! Risk assessment and mitigation is required (checked by a Single Data Protection Authority)! a single set of rules applies to all EU member states 22

23 American vs. European Data 23 Protec9on Direc9ve (95/46/EC )! US has no single data protection law comparable to the EU's Data Protection law! ad-hoc legalisation: certain sectors partially satisfy the EU Directive, however most do not! this is probably due to the American lassiez-faire economics! HIPAA s Privacy Rule mainly regulates the use of medical data (PHI), which is (in theory) similarly strict as EU s current data protection law 23