New Directions in Anonymization: Permutation Paradigm, Verifiability by Subjects and Intruders, Transparency to Users
55 mins 53 secs, 213.74 MB, iPod Video, 480x270, 29.97 fps, 44100 Hz, 522.2 kbits/sec
About this item
Description: | Domingo-Ferrer, J (Thursday 7th July 2016 - 11:30 to 12:30) |
---|
Created: | 2016-07-18 16:11 |
---|---|
Collection: | Data Linkage and Anonymisation |
Publisher: | Isaac Newton Institute |
Copyright: | Domingo-Ferrer, J |
Language: | eng (English) |
Distribution: | World (downloadable) |
Explicit content: | No |
Aspect Ratio: | 16:9 |
Screencast: | No |
Bumper: | UCS Default |
Trailer: | UCS Default |
Abstract: | Co-author: Krishnamurty Muralidhar (University of Oklahoma)
There are currently two approaches to anonymization: "utility first" (use an anonymization method with suitable utility features, then empirically evaluate the disclosure risk and, if necessary, reduce the risk by possibly sacrificing some utility) or "privacy first" (enforce a target privacy level via a privacy model, e.g., k-anonymity or differential privacy, without regard to utility). To get formal privacy guarantees, the second approach must be followed, but the resulting data releases then carry no utility guarantees. Also, in general it is unclear how verifiable anonymization is by the data subject (how safely released is the record she has contributed?), what type of intruder is being considered (what does he know and want?) and how transparent anonymization is towards the data user (what is the user told about methods and parameters used?). We show that, using a generally applicable reverse mapping transformation, any anonymization for microdata can be viewed as a permutation plus (perhaps) a small amount of noise; permutation is thus shown to be the essential principle underlying any anonymization of microdata, which allows giving simple utility and privacy metrics. From this permutation paradigm, a new privacy model naturally follows, which we call (d,v,f)-permuted privacy. The privacy ensured by this method can be verified via record linkage by each subject contributing an original record (subject-verifiability) and also at the data set level by the data protector. We then proceed to define a maximum-knowledge intruder model, which we argue should be the one considered in anonymization. Finally, we make the case for anonymization transparent to the data user, that is, compliant with Kerckhoffs's assumption (only the randomness used, if any, must stay secret). |
---|
Available Formats
Format | Quality | Bitrate | Size |
---|---|---|---|
MPEG-4 Video | 640x360 | 1.94 Mbits/sec | 813.82 MB |
WebM | 640x360 | 716.55 kbits/sec | 293.38 MB |
iPod Video * | 480x270 | 522.2 kbits/sec | 213.74 MB |
MP3 | 44100 Hz | 249.79 kbits/sec | 102.33 MB |