Managing Confidential Information – Trends and Approaches

Prepared for
MIT Libraries Program on Information Research
Brown Bag Talk
September 2013

Managing Confidential Information –
Trends and Approaches
Dr. Micah Altman
<escience@mit.edu>
Director of Research, MIT Libraries

Standard Disclaimer
These opinions are my own, they are not the opinions
of MIT, Brookings, any of the project funders, nor (with
the exception of co-authored previously published
work) my collaborators
Secondary disclaimer:

“It’s tough to make predictions, especially about the
future!”
-- Attributed to Woody Allen, Yogi Berra, Niels Bohr, Vint Cerf, Winston Churchill,

Confucius, Disreali [sic], Freeman Dyson, Cecil B. Demille, Albert Einstein, Enrico Fermi,
Edgar R. Fiedler, Bob Fourer, Sam Goldwyn, Allan Lamport, Groucho Marx, Dan Quayle,
George Bernard Shaw, Casey Stengel, Will Rogers, M. Taub, Mark Twain, Kerr L. White,
etc.

Information Privacy Across the Research Lifecycle

Collaborators & Co-Conspirators
• Privacy Tools for Sharing Research Data
Team
(Salil Vadhan, P.I.)
http://privacytools.seas.harvard.edu/peopl
e
• Research Support
Supported in part by NSF grant CNS-1237235


Related Work
Main Project:
• Privacy Tools for Sharing Research Data
http://privacytools.seas.harvard.edu/
.

Related publications:
• Novak, K., Altman, M., Broch, E., Carroll, J. M., Clemins, P. J., Fournier, D.,
Laevart, C., et al. (2011). Communicating Science and Engineering Data in the
Information Age. Computer Science and Telecommunications. National
Academies Press
• Vadhan, S. , et al. 2010. “Re: Advance Notice of Proposed Rulemaking: Human
Subjects Research Protections”. Available from:
http://dataprivacylab.org/projects/irb/Vadhan.pdf
• Altman, M. (2012). “Mitigating Threats To Data Quality Throughout the Curation
Lifecycle. In G. Marciano, C. Lee, & H. Bowden (Eds.), Curating For Quality.
datacuration.web.unc.edu

These slides & Privacy Across the Research Lifecycle from:
most reprints available
Information
informatics.mit.edu

Level Setting


Identifying Information Is Common
•

Includes information from a variety of sources,
such as…
– Research data, even if you aren’t the original
collector
– Student “records” such as e-mail, grades
– Logs from web-servers, other systems

•

Lots of things are potentially identifying:
– Under some federal laws: IP addresses, dates,
zipcodes, …
– Birth date + zipcode + gender uniquely identify ~87%
of people in the U.S.
[Sweeney 2002]
Try it: http://aboutmyinfo.org/index.html
– With date and place of birth, can guess first five
digits of social security number (SSN) > 60% of the
time. (Can guess the whole thing in under 10 tries,
for a significant minority of people.) [Aquisti & Gross
2009]
– Analysis of writing style or eclectic tastes has been
used to identify individuals

•

Tables, graphs and maps can also reveal
identifiable information

Brownstein, et al., 2006 , NEJM 355(16),


Some Sources of Confidentiality Restrictions for
University Held Research and Education Information

• Overlapping laws
• Different laws
apply to different
cases
• Additional data
usage agreements
and license terms
apply


Different Requirements and Definitions
FERPA

HIPAA

Common Rule

MA 201 CMR 17

Coverage

Students in
Educational
Institutions

Medical Information
in “Covered Entities”

Living persons in
research by
funded
institutions

Mass. Residents

Identification
Criteria

-Direct
-Indirect
-Linked
-Bad intent (!)

-Direct
-Indirect
-Linked

-Direct
-Indirect
-Linked

-Direct

Sensitivity
Criteria

Any non-directory
information

Any medical
information

Private
information –
based on harm

Financial, State,
Federal Identifiers

Management
Requirements

- Directory opt-out
- [Implied] good
practice

- Consent
- Specific technical
safeguards
- Breach notification

- Consent
- [Implied] risk
minimization

- Specific
technical
safeguards
- Breach
notification


*

* 2010

Recognized Benefits of Data Sharing
• Pioneering NRC report [Fienberg, et. al 1985] on
data sharing recommended:
– Sharing data should be a regular practice.
– Investigators should share their data by the time of
publication of initial major results of analyses of the
data except in compelling circumstances.
– Data relevant to public policy should be shared as
quickly and widely as possible.
– Plans for data sharing should be an integral part of a
research plan whenever data sharing is feasible.

• Numerous subsequent reports recommend data
sharing.

Private Information & Information Services
• Recommendations
• Annotations & Tagging
• Class discussion forum

• Social Highlighting

Access Control Model
Access Control

Resource
Auditing

Client

Authorization

Credentials

Authentication

Request/Respo
nse

Log

Resource Control Model
External Auditor


Disclosure Limitation
Data InputOutput Model
Contingency table
“The correlation between X and
Y was large and statistically
significant”

Summary statistics

DATA

Information Visualization

DATA

* Jones

*

* 1961

021*

* Jones

*

* 1961

021*

* Jones

*

* 1972

9404*

* Jones

*

* 1972

9404*

* Jones

*

* 1972

9404*

Public use sample microdata

Published Outputs

Example


Exemplar: Social Media Analysis
Attribute Type

Examples

Data: Structure

-

network

Data: Attribute Types

-

Continuous/Discrete/
Scale: ratio/interval/ordinal/nominal

Data: Performance
Characteristics

-

10M-1B observations
Sample from stream of continuously
updated corpus
Dozens of dimensions/measures

Measurement: Unit of
Observation

-

Individuals; Interactions

Measurement: Measurement
type

-

Observational

Measurement: Performance
characteristic

-

High volume
Complex network structure
Sparsity
Systematic and sparse metadata

Management Constraints

-

License; Replication

Analysis methods

-

Bespoke algorithms (clustering);
nonlinear optimization; Bayesian
methods

Desired Outputs

-

Summary scalars (model coefficients)
Summary table
Static /interactive visualization

More Information
•
•
•


Grimmer, Justin, and Gary King. "General purpose computerassisted clustering and conceptualization." Proceedings of the
National Academy of Sciences 108.7 (2011): 2643-2650.
King, Gary, Jennifer Pan, and Molly Roberts. "How censorship in
China allows government criticism but silences collective
expression." APSA 2012 Annual Meeting Paper. 2012.
Lazer, David, et al. "Life in the network: the coming age of
computational social science." Science (New York, NY) 323.5915
(2009): 721.

What’s wrong with this picture?
Name

SSN

Birthdate

Zipcode

Gender

Favorite
Ice Cream

# of crimes
committed

A. Jones

12341

01011961

02145

M

Raspberry

0

B. Jones

12342

02021961

02138

M

Pistachio

0

C. Jones

12343

11111972

94043

M

Chocolate

0

D. Jones

12344

12121972

94043

M

Hazelnut

0

E. Jones

12345

03251972

94041

F

Lemon

0

F. Jones

12346

03251972

02127

F

Lemon

1

G. Jones

12347

08081989

02138

F

Peach

1

H. Smith

12348

01011973

63200

F

Lime

2

I. Smith

12349

02021973

63300

M

Mango

4

J. Smith

12350

02021973

63400

M

Coconut

16

K. Smith

12351

03031974

64500

M

Frog

32

L. Smith

12352

04041974

64600

M

Vanilla

64

M. Smith

12353

04041974

64700

F

Pumpkin

128

N. SmithJones

12354

04041974

64800

F

Allergic

256


What’s wrong with this picture?
HIPPA &
MA
Identifier

Identifier
&
Sensitibe

HIPAA
dentifier

HIPAA
Identifier

Sensitive

IndirectI
Identifier

Name

SSN

Birthdate

Zipcode

Gender

Favorite
Ice Cream

# of crimes
committed

A. Jones

12341

01011961

02145

M

Raspberry

0

B. Jones

12342

02021961

02138

M

Pistachio

0

C. Jones

12343

11111972

94043

M

Chocolate

0

D. Jones

12344

12121972

94043

M

Hazelnut

0

E. Jones

12345

03251972

94041

F

Lemon

0

F. Jones

12346

03251972

02127

F

Lemon

1

G. Jones

12347

08081989

02138

F

Peach

1

H. Smith

12348

01011973

63200

F

Lime

2

I. Smith

12349

02021973

63300

M

Mango

4

J. Smith

12350

02021973

63400

M

Coconut

16

K. Smith

12351

03031974

64500

M

Frog

32

L. Smith

12352

04041974

64600

M

Vanilla

64

M. Smith

12353

04041974

64700

F

Pumpkin

128

N. Smith

12354

04041974

64800

F

Allergic

256

v. 23 (7/18/2013)

Managing Confidential Data

Mass resident

Californian

Twins, separated at birth?
FERPA too?

Unexpected Response?
17

Help, help, I’m being suppressed…
Synthetic

Var

Global Recode

Local Suppression

Aggregation
+
Perturbation

Name

SSN

Birthdate

Zipcode

Gender

Favorite
Ice Cream

# of crimes
committed

[Name 1]

12341

*1961

021*

M

Raspberry

.1

[Name 2]

12342

*1961

021*

M

Pistachio

-.1

[Name 3]

12343

*1972

940*

M

Chocolate

0

[Name 4]

12344

*1972

940*

M

Hazelnut

0

[Name 5]

12345

*1972

940*

F

Lemon

.6

[Name 6]

12346

*1972

021*

F

Lemon

.6

[Name 7]

12347

*1989

021*

*

Peach

64.6

[Name 8]

12348

*1973

632*

F

Lime

3

[Name 9]

12349

*1973

633*

M

Mango

3

[Name 10]

12350

*1973

634*

M

Coconut

37.2

[Name 11]

12351

*1974

645*

M

*

37.2

[Name 12]

12352

*1974

646*

M

Vanilla

37.2

[Name 13]

12353

*1974

647*

F

*

64.4

[Name 14]

12354

*1974

648*

F

Allergic

256


Row

k-anonymous – but not
protected
Additional
background

Sort Order/
Structure
Name

SSN

Birthdate

Zipcode

Gender

Favorite
Ice Cream

*

* 1961

021*

M

Raspberry

*

* 1961

021*

M

Pistachio

*

* 1972

9404*

*

Chocolate

0

* Jones

*

* 1972

9404*

*

Hazelnut

0

* Jones

*

* 1972

9404*

*

Lemon

0

* Jones

*

*

021*

F

Lemon

1

* Jones

*

*

021*

F

Peach

1

* Smith

*

* 1973

63*

*

Lime

2

* Smith

*

* 1973

63*

*

Mango

4

* Smith

*

* 1973

63*

*

Coconut

16

* Smith

*

* 1974

64*

M

Frog

32

* Smith

*

* 1974

64*

M

Vanilla

64

* Smith

*

04041974

64*

F

Pumpkin

128

* Smith

*

04041974

64*

F

Allergic

256

Disclosure
limitation

0

* Jones

Information security

0

* Jones

Research design …

# of crimes
committed

* Jones

Law, policy, ethics


Homogeneity

Climate


Commercial Data Breaches
• Data from 100 million
individuals exposed
this year…
• Only a portion of
breaches are reported
• Difficult to trace
impacts… but
estimated 8.3M
identity thefts in 2005

Source:
http://www.informationisbeau
tiful.net/visualizations/worldsbiggest-data-breaches-hacks/

Cloud computing risks
• Cloud computing decouples
physical and computing
infrastructure
• Increasingly used for core-IT,
research computing, data
collection, storage, and
analysis
• Confidentiality issues
– Auditing and compliance
– Access and commingling of
data
– Location of data and services
and legal jurisdiction
– Vulnerabilities of network
communication using single
well-known key
– Vulnerability of key storage

Legal & Cultural Challenges
• EU right to be forgotten;
French “le droit à l'oubli”;
California social media privacy act
• Consumer privacy bill of rights;
Do not track;
Privacy Icons
• Evolving case law on locational privacy
• Public records, mug shots, and revenge porn
• State-level action on privacy regulation
• Attitudes towards sharing; surveillance

New Data – New Challenges
• How to limit disclosure without
completely destroying utility?
– The “Netflix Problem”: large, sparse datasets that
overlap can be probabilistically linked [Narayan
and Shmatikov 2008]
– The “GIS”: fine geo-spatial-temporal data
impossible mask, when correlated with external
data [Zimmerman 2008]
– The “Facebook Problem”: Possible to identify
masked network data, if only a few nodes
controlled. [Backstrom, et. al 2007]
– The “Blog problem” : Pseudononymous
communication can be linked through textual
analysis [Tomkins et. al 2004]
[For more examples see Vadhan, et al 2010]

Source: [Calberese 2008; Real Time
Rome Project 2007]

Weather


Possible Legal/Regulatory
Changes for 2013-15

Law, policy, ethics
Research design …
Disclosure
limitation

• Likely
– New information privacy laws in selected states
– Increased open data requirements
from federal funders
– Adoption of data availability
requirements by increasing numbers of journals


Research


Traditional approaches are failing
• Modal traditional approach:
–
–
–
–

removing subjects’ names
storing descriptive information in a locked filing cabinet
publishing summary tables
(sometimes) release a public use version that suppressed
and recoded descriptive information

• Problems
– law is changing – requirements are becoming more
complex
– research computing is moving towards the cloud, other
distributed storage
– researchers are using new forms of data that create new
privacy issues
– advances in the formal analysis of disclosure risk imply the
impracticality of “de-identification” as required by law

Privacy Tools for Sharing Research Data
A National Science Foundation Secure and Trustworthy Cyberspace Project
Supported by award #1237235

Differentially Private Algorithms
Shield Individuals in Databases

The Dataverse Network will Distribute
and Manage Confidential Databases

Policy tools Guide Information
Management Across the Research Lifecycle

Approaches
•

Policy
–
–
–
–

Legal Reforms
Information Accountability
Economic rights
Information transparency

–
–

Privacy Nudges
Privacy Icons

•

•

Cryptography
–
–
–
–

•

Multiparty computation
Zero knowledge protocols
Functional encryption
Homomorphic encryption

Statistics
–
–
–
–

•

Aboutmydata.com

Synthetic data
Reidentification risk
K-anonymity; homogeneity
Differential privacy

Information Lifecycle & Infrastructure
–
–
–
–

Open consent
Metadata frameworks
Information accountability
Policy aware filesystems

–

Data Vaults

–
–

Secure data enclave
Standardized Data Use Agreements

•
•

IRODs
Project VRM


Recent Work –
Economics & Public Policy Research/Outreach
•
•
•
•
•
•
•

March 2013 – Dwork & Vadhan lead roundtable in Differential Privacy and Law
and Policy (conference), Cardozo Law School
March 2013 – Altman provided oral comments (recorded) on Public Workshop on
Revisions to the Common Rule, National Academies, on limits of HIPAA approach to
privacy.
May 2013 – Altman & Crosas submitted written testimony to Public Access to
Federally-Supported Research and Development Data, National Academies;
including approaches to management of privacy for data sharing.
June 2013 – Dwork, Sweeney, & Vadhan invited & participated in Privacy Law
Scholars Conference, George Washington Law School/Berkeley Law School
June 2013 -- Yiling Chen, Stephen Chong, Ian Kash, Tal Moran, and Salil Vadhan.
“Truthful Mechanisms for Agents that Value Privacy”, Proceedings of the 14th ACM
Conference on Electronic Commerce (EC), June 2013.
September - Integrating Approaches to Privacy across the Research Lifecycle
Workshop
In Progress – Rewrite and expansion of, Vadhan, S. , et al. 2010. “Re: Advance
Notice of Proposed Rulemaking: Human Subjects Research Protections”, proposing
framework for integrating modern privacy concepts in to Human Subjects
protections.

Information Life Cycle Model
Long-term
access

Creation/Colle
ction

Re-use
•
•
•
•

Scientometric
Education
Scientific
Policy

Storage/I
ngest

Research
methods

Statistical /
Computational
Frameworks
Data Management
Systems

External
dissemination/publica
tion

Analysis

Legal / Policy
Frameworks∂
∂

Processing

Internal Sharing


Example: Stakeholder Concerns Across Lifecycle
Legal Issues

Stakeholder

Concerns

Research Consumers
- Readers
- Secondary researcher

Replicate and extend
Secondary analysis
Link research

Research Publishers
- Print publishers
- Research archives

Replicable research
Promote use of their publications
Protect publisher IP
Avoid third party IP/Privacy Issues

Copyright
Licensing

Project Personnel:
- Investigators
- Research Staff

Replicable Research
Publish
Promote use of Publications
Track use

Copyright

Research sponsors:
- Home institution
- Funding sources

Replicable Research
Policy Relevance
Accessibility of Research
Protect IP
Avoid third party IP/Privacy Issues

Privacy
Research sources:
Confidentiality
- Research Subjects.
Intellectual Property
- Owners of subject material
- Owners of supplementary data

Information
Transfer

Fair Use

Licensing
Freedom of Information
Copyright

Licensing
Copyright
DMCA
Informed Consent
Privacy
Trade secrets

Modeling Features
Features

Characteristics

Data

-

Structure; Source; Unit of observation; Attribute
types; Dimensionality; Number of observations;
homogeneity; frequency of updates; quality
characteristics

Analytic Results

-

Form of output; analysis methodology;
analysis/inferential goal; utility/loss/quality

Disclosure scenario

-

- Source of threat; areas of vulnerability; attacker
objectives, background knowledge, capability;
Breach criteria/disclosure concept

Stakeholders

-

Stakeholder types; capacities; trust relationships;
budgets

Lifecycle characteristics

-

Lifecycle stages controlled/in scope; policies used;
stakeholders involved at each stage

Current privacy management approach

-

Regulation/policy; legal controls;
statistical/computational disclosure methods;
information security controls


Legal/Policy Frameworks
Intellectual Property

Contract
Trade Secret

Contract

Intellectual
Attribution
Moral Rights

Patent

Click-Wrap
TOU

License

Database Rights
Journal
Replication
Requirements

FOIA
State FOI
Laws

Funder Open
Access

Fair Use

DMCA

Trademark

Common Rule
45 CFR 26

Copyright

Rights of
Publicity

HIPAA
EU Privacy Directive

FERPA

(Invasion,
Defamation)

CIPSEA

Potentially
Harmful

State
Privacy Laws
Classified

Access
Rights

Sensitive but
Unclassified

Privacy
Torts

Export
Restrictions

(Archeological
Sites,
Endangered
Species, Animal
Testing, …)

EAR

ITAR

Confidentiality

Law, policy, ethics
Research design …

Risk Assessment

Disclosure limitation

• [NIST 800-100, simplification of NIST 800-30]
Threat Modeling

Analysis
- likelihood
- impact
- mitigating controls

System Analysis

Vulnerability
Identification

Institute
Selected Controls

Testing and
Auditing

Information Security Control Selection Process


Systems Policy Research questions deriving from
Information Lifecycle Analysis
•

Infrastructure requirements analysis
– Data acquisition, storage, dissemination
– Identification, authorization, authentication
– Metadata, protocols

•

System design: potential implementation cost of interactive privacy:
– Information security -- hardening
– Information security – certification & auditing
– Model server development, provisioning, maintenance, reliability, availability

•

System design: information security tradeoffs of Interactive privacy mechanisms:
–
–
–
–

•

Availability risks: denial of service attack
Availability/integrity risks: privacy budget exhaustion attacks
Integrity risks: modification of delivered results (e.g. man-in-the-middle attacks)
Secrecy/privacy: breach of authentication/authorization layer

System design: optimizing privacy & utility across lifecycle
– When does limiting disclosive data collection dominate methods at the data analysis stage
– When does restricted virtual data enclaves + public synthetic data dominate interactive mechanisms

•

System design: Information use/reuse

– Support of scientific analysis use cases (model diagnostics, exploratory data analysis, integration of externa
data) within interactive privacy systems.
– Align informational assumptions across stages & incorporating informative priors?
– Requirements for scientific replication/verification of results produced by model servers?

Legal Policy Research questions deriving from
Information Lifecycle Analysis
• Legal requirements across lifecycle stages
• Legal instruments
-- capturing scientific privacy concepts in legal
instruments consistently across lifecycle
– service level agreements
– consent terms
– deposit agreement
– data usage agreements
– Regulatory language

Public Policy Research Questions
• Where does market fail for sharing confidential research
data?
– What market conditions are theoretically violated?
– What is the empirical evidence of the degree of violation?
– How do degree of violation vary by policy context & use case?

• Policy equlibria
– What are contribution and privacy equilibria for data sharing
under different privacy concepts?

• Interventions
– How do proposed interventions (e.g. advise & consent;
“privacy icons”, uniform regulations, breach notification,
information accountability, anonymization ) correspond to
sources of market failures?

Beyond Legal Research -- Market Theory
• Condition on Markets •
– No political/legal
distortions

[See, e.g., Posner 1978]

– Common knowledge
– No barriers to entry

Conditions on exchange

[See e.g., Benisch, Kelley, Sadeh,
& Cranor 2011; McDonald &
Cranor 2010]

– No transaction costs
– No information
asymmetries

• Conditions on agents • Conditions on
[See e.g. Acquisti 2010; Tsai,
equilibrium valuation
Egelman, Cranor & Aquisti 2010]
– Perfect rationality
– Self-interested
– Infinitely many
agents
– Stable preferences

– Pareto optimality vs.
economic surplus
– Ignorability of
distributional
concern

• Conditions on goods
– Consumptive goods
– Excludable goods
– Decreasing returns
to scale
– Transferability
– No externalities

Bibliography (Selected)

• L. Willenborg and T. D. Waal. Elements of Statistical Disclosure Control,
volume 155 of Lecture Notes in Statistics. Springer Verlag, New York, NY,
2001.
• Higgins, Sarah. "The DCC curation lifecycle model." International Journal of
Digital Curation 3.1 (2008): 134-140.www.dcc.ac.uk/resources/curationlifecycle-model
• ESSNET, Handbook on Statistical Disclosure Control. 2011.
neon.vb.cbs.nl/casc/SDC_Handbook.pdf
• Fung, Benjamin, et al. "Privacy-preserving data publishing: A survey of recent
developments." ACM Computing Surveys (CSUR) 42.4 (2010): 14.
• Altman, M. (2012). “Mitigating Threats To Data Quality Throughout the
Curation Lifecycle. In G. Marciano, C. Lee, & H. Bowden (Eds.), Curating For
Quality. datacuration.web.unc.edu
Information Privacy Across the Research
Lifecycle

Managing Confidential Information – Trends and Approaches

Managing Confidential Information – Trends and Approaches

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Managing Confidential Information – Trends and Approaches

Similar to Managing Confidential Information – Trends and Approaches (20)

More from Micah Altman

More from Micah Altman (20)

Recently uploaded

Recently uploaded (20)

Managing Confidential Information – Trends and Approaches

Editor's Notes