NCC Group, profile picture
Uploaded byNCC Group
PPTX, PDF1,081 views

2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0

The document discusses anonymization and pseudonymization of data, including the risks of re-identification. It provides examples of when anonymization failed, such as a case where a governor's medical records were re-identified. The presentation recommends a risk-based approach to anonymization and provides tips to mitigate risks, such as consulting experts and protecting metadata. It emphasizes that anonymization is not an exact science and re-identification is still possible if the right data is available.

Embed presentation

Downloaded 22 times
Technical Aspects of Data Anonymisation & Pseudonymisation Risks, Challenges & Mitigations Matt Lewis Principal Consultant
Agenda NCC Group – who we are and what we do Anonymisation, Pseudonymisation & Re-identification – overview of concepts Examples – when anonymisation goes wrong Pitfalls of image anonymisation and other information leakage through meta-data A risk-based approach to anonymisation Summary and advice Questions 7/15/2013 © NCC Group 2
NCC Group 7/15/2013 © NCC Group 3 Global information assurance specialist 15,000 customers worldwide across all sectors The Group has two complementary divisions - escrow and assurance Independence from hardware and software providers ensures we provide unbiased and impartial advice Largest penetration testing team in the world, with approximately 250 consultants
Me: Brief Bio 7/15/2013 © NCC Group 4 Over 12 years working in Information Security Previous Employers: • CESG – The Information Assurance arm of GCHQ • Information Risk Management (IRM) plc – penetration testing • KPMG – Executive Advisor in the Information Protection division of IT Advisory • NCC Group – Principal Consultant, providing penetration testing and consultancy around all aspects of Information Security
Anonymisation – Overview 7/15/2013 © NCC Group 5 Anonymised data should be information that does not identify any individuals, either in isolation or when cross-referenced with other data already in the public domain A careful balance is required around the level of anonymisation versus the usefulness of the resultant data Quantitative versus Qualitative – the latter is harder to anonymise in a consistent way, and requires more rigour on a „per record‟ basis – e.g. meeting minutes
Pseudonymisation – Overview 7/15/2013 © NCC Group 6 Information is anonymous to the receiver (e.g. researchers), but contains codes or identifiers to allow others to re-identify individuals from the pseudonymised data Universally protecting pseudonymised data whilst allowing general analysis of it is difficult – requires careful management of the „codes‟ or „keys‟ that uniquely identify individuals Quantitative versus Qualitative – again, the latter is harder to pseudonymise in a consistent way, and requires more rigour on a „per record‟ basis – e.g. meeting minutes
Anonymisation – Techniques and Methods 7/15/2013 © NCC Group 7 There are four main operations available for anonymising data Suppression, Substitution/Distortion, Generalisation, Aggregation Consider the following dataset: Name Sex Birth Date Post Code Complaint John Male 02/12/1954 SE24 6TY Pain in left eye Daniel Male 05/01/1984 NW1 6XD Chest pains Sarah Female 04/08/1978 E17 7WE Chest pains Samantha Female 03/10/1960 WC1 7RA Back pains James Male 09/09/1990 NW7 5LK Headaches
Anonymisation – Techniques and Methods 7/15/2013 © NCC Group 8 Suppression - deleting or omitting data fields entirely Sex Complaint Male Pain in left eye Male Chest pains Female Chest pains Female Back pains Male Headaches
Anonymisation – Techniques and Methods 7/15/2013 © NCC Group 9 Substitution/Distortion – e.g. replace a person‟s name with a unique number – this is also an example of pseudonymisation Name Sex Birth Date Post Code Complaint 0000001 Male 02/12/1954 SE24 6TY Pain in left eye 0000002 Male 05/01/1984 NW1 6XD Chest pains 0000003 Female 04/08/1978 E17 7WE Chest pains 0000004 Female 03/10/1960 WC1 7RA Back pains 0000005 Male 09/09/1990 NW7 5LK Headaches
Anonymisation – Techniques and Methods 7/15/2013 © NCC Group 10 Generalisation - alter rather than delete identifier values to increase privacy while preserving utility Name Sex Birth Year Post Code Complaint John Male 1954 SE24 Pain in left eye Daniel Male 1984 NW1 Chest pains Sarah Female 1978 E17 Chest pains Samantha Female 1960 WC1 Back pains James Male 1990 NW7 Headaches
Anonymisation – Techniques and Methods 7/15/2013 © NCC Group 11 Aggregation - produce summary statistics across a dataset instead of an anonymised dataset 40% of patients complain of chest pains 60% of patients are male etc. Name Sex Birth Date Post Code Complaint John Male 02/12/1954 SE24 6TY Pain in left eye Daniel Male 05/01/1984 NW1 6XD Chest pains Sarah Female 04/08/1978 E17 7WE Chest pains Samantha Female 03/10/1960 WC1 7RA Back pains James Male 09/09/1990 NW7 5LK Headaches
Anonymisation of Qualitative Data 7/15/2013 © NCC Group 12
Anonymisation of Qualitative Data 7/15/2013 © NCC Group 13 Pseudonymisation in qualitative data can be much more difficult The content/themes in this meeting for example might allow for re-identification of any pseudonymised individuals
Re-identification – What is it? 7/15/2013 © NCC Group 14 Re-identification is the act of cross-referencing anonymised data with other data sources, and using inference, deduction and correlation to identify individuals Depending on the nature of data re-identified, this might raise data protection concerns
Re-identification – Who does this and Why? 7/15/2013 © NCC Group 15 Researchers – e.g. computer scientists, genuinely interested in the challenges of re-identification Malicious individuals use re-identification information to discriminate, harass or discredit a victim Investigative journalists Organised crime – re-identification can facilitate creation of fake identities, or be used to extort victims (if data is personal/sensitive in nature) Competitors – seeking to re-identify and publish to discredit State sponsored data mining and correlation The Internet is essentially a vast, ever-growing cross-correlation database; access to most of which is open and free to anyone…
Re-identification 7/15/2013 © NCC Group 16
Inference as a Starting Point Recall our example: 7/15/2013 © NCC Group 17 Name Sex Birth Date Post Code Complaint John Male 02/12/1954 SE24 6TY Pain in left eye Daniel Male 05/01/1984 NW1 6XD Chest pains Sarah Female 04/08/1978 E17 7WE Chest pains Samantha Female 03/10/1960 WC1 7RA Back pains James Male 09/09/1990 NW7 5LK Headaches
Inference as a Starting Point Suppose the following anonymised aggregations are published: 60% of patients complain of chest pains 60% of patients are male 100% of Back pain sufferers live in WC1 100% of patients are over 21 years of age 100% of females suffer from chest or back pains 20% of patients suffer from Pain in the left eye From this we can infer the following table fields: Sex, Age, Condition, Post Code 7/15/2013 © NCC Group 18
Inference as a Starting Point Suppose we know the sample size (i.e. 5), and the time of data publication 60% of patients are male 7/15/2013 © NCC Group 19 Sex Birth Date Complaint Post Code Male Male Male Female Female
Inference as a Starting Point 100% of patients are over 21 years of age 7/15/2013 © NCC Group 20 Sex Birth Date Complaint Post Code Male <= 1992 Male <= 1992 Male <= 1992 Female <= 1992 Female <= 1992
Inference as a Starting Point 100% of females suffer from chest or back pains 7/15/2013 © NCC Group 21 Sex Birth Date Complaint Post Code Male <= 1992 Male <= 1992 Male <= 1992 Female <= 1992 Chest Pains Female <= 1992 Back Pains
Inference as a Starting Point 100% of Back pain sufferers live in WC1 7/15/2013 © NCC Group 22 Sex Birth Date Complaint Post Code Male <= 1992 Male <= 1992 Male <= 1992 Female <= 1992 Chest Pains Female <= 1992 Back Pains WC1
Inference as a Starting Point 20% of patients suffer from Pain in the left eye 7/15/2013 © NCC Group 23 Sex Birth Date Complaint Post Code Male <= 1992 Pain in left eye Male <= 1992 Male <= 1992 Female <= 1992 Chest Pains Female <= 1992 Back Pains WC1
Inference as a Starting Point 60% of patients complain of chest pains The next step would be to correlate/cross-reference with other sources 7/15/2013 © NCC Group 24 Sex Birth Date Complaint Post Code Male <= 1992 Pain in left eye Male <= 1992 Chest Pains Male <= 1992 Chest Pains Female <= 1992 Chest Pains Female <= 1992 Back Pains WC1
An Example: Massachusetts Group Insurance Company 7/15/2013 © NCC Group 25 In the mid-1990s GIC released anonymised data on state employees that showed every single hospital visit The goal was to help researchers; the state spent time removing all obvious identifiers such as name, address, and Social Security number William Weld, then Governor of Massachusetts, assured the public that GIC had protected patient privacy by deleting identifiers Computer Science graduate Dr. Latanya Sweeney requested a copy of the data and performed re-identification research on the dataset Main anonymisation technique used: Suppression
An Example: Massachusetts Group Insurance Company 7/15/2013 © NCC Group 26 Governor Weld lived in Cambridge MA 54,000 Residents 7 Post Codes Electoral Roll Purchase for $20: Contained name, address, post code, birth date, sex etc. GIC Anonymised Data Only 6 people in Cambridge shared Weld‟s birthday Only 3 of these were men Only 1 lived in Weld‟s Post Code Dr. Sweeney sent the Governor‟s health records (which included diagnoses and prescriptions) to his office
Another Example: America Online (AOL) Data Release 7/15/2013 © NCC Group 27 In 2006, AOL publicly released twenty million search queries for 650,000 users of AOL‟s search engine summarising three months of activity AOL suppressed username and IP address, but replaced these with unique numbers that allowed researchers to correlate different searches with a specific user (pseudonymisation) New York Times reporters Michael Barbaro and Tom Zeller performed some research around User 4417749‟s identity. His/her searches had included: • “landscapers in Lilburn, Ga” • “several people with the last name Arnold” • “homes sold in shadow lake subdivision gwinnett county georgia”
Another Example: America Online (AOL) Data Release 7/15/2013 © NCC Group 28 The reporters tracked down Thelma Arnold, a sixty-two-year-old widow from Lilburn, Georgia who acknowledged that she had authored the searches, including queries such as • “numb fingers”, “60 single men” and “dog that urinates on everything” Main anonymisation technique used: Suppression and Substitution
Anonymisation of non-textual data and Metadata 7/15/2013 © NCC Group 29 Anonymisation might be required of non-textual data. E.g. images and videos (obfuscating faces) This might require release of hundreds or thousands of anonymised files, rather than one large dataset Often, hidden meta-data within those files is forgotten, and can be a valuable source for individuals attempting re-identification
Anonymisation of non-textual data and Metadata 7/15/2013 © NCC Group 30 A simple example – a picture of a heron visiting my garden Suppose I obfuscate the heron to protect its identity
GPS/Meta-Data in Image Files 7/15/2013 © NCC Group 31
Meta-Data Extraction 7/15/2013 © NCC Group 32
A Risk-Based Approach 7/15/2013 © NCC Group 33 There is anonymisation guidance, but there is no anonymisation formula Anonymisation is not an exact science Each data set presents a unique instance, and the choice of anonymisation operation(s) must be carefully considered in order to maintain anonymity and utility A risk-based approach is therefore the only option…
Risk Mitigation Advice 7/15/2013 © NCC Group 34 Consult with experts before embarking on anonymisation, on the proposed approach and potential risks If there is no business case or perceived benefit in going through the process, then don‟t Consider release to limited audiences – only go public if strictly required Protect the anonymisation method/formula Qualitative anonymisation can typically be automated, Quantitative anonymisation will require more manual efforts Always vet anonymisations of Quantitative and Qualitative data before release, don‟t just fire and forget
Risk Mitigation Advice 7/15/2013 © NCC Group 35 Perform your own rudimentary Google searches and correlation attempts with other public data sources before publishing If in doubt, engage again with experts on the likelihood of re- identification given the derived anonymised data set Consider the quantity of released anonymised data - in practically all re-identification studies performed, researchers have been more successful with larger databases Try and remove one or more of the top 3 culprits: Post Code, Birthdate and Sex. • In 2000 Dr. Latanya Sweeney showed that 87% of all Americans could be uniquely identified using only these three bits of information Metadata – prior to release, ensure all meta-data in documents is removed – A number of tools exist for this, depending on the document type (e.g. Adobe Acrobat, Microsoft Office, JPEGs etc.)
Risk Mitigation Advice - Pseudonymisation 7/15/2013 © NCC Group 36 Don‟t chose reversible identifiers – for example, names replaced with identifiers that are based on record data John Smith, 05/01/1978 -> JS05011978 Be aware of potential inferences from sorted data (e.g. alphabetical ordering might provide clues for re-identification) Keep the pseudonymisation formula secret – protect it with the same controls as for encryption keys and passwords Perform pseudonymisation functions on segregated, secure environments, only copy/migrate the pseudonymised data (keep them separate) Remove all meta-data from pseudonymised data files – make sure the individual(s) performing the pseudonymisation are not referenced in the meta-data Any cryptographic hashing used as identifiers/keys should always be salted
References 7/15/2013 © NCC Group 37 ICO guidance on anonymisation: http://www.ico.org.uk/for_organisations/data_protection/topic_guides/anon ymisation Paper on the failures of anonymisation, Paul Ohm http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006 Research/Blog on anonymisation http://33bits.org/
Questions? Matt Lewis matt.lewis@nccgroup.com UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland

More Related Content

PPT
More On Listings
byLaw Firm
 
PPT
The Mental Health Care Professional's Role in the SS Disability Determination...
byLaw Firm
 
PDF
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
byNCC Group
 
PDF
How we breach small and medium enterprises (SMEs)
byNCC Group
 
PPTX
Practical SME Security on a Shoestring
byNCC Group
 
PDF
Pki 202 Architechture Models and CRLs
byNCC Group
 
PPTX
Mobile App Security: Enterprise Checklist
byJignesh Solanki
 
PPTX
Exploiting appliances presentation v1.1-vids-removed
byNCC Group
 
More On Listings
byLaw Firm
 
The Mental Health Care Professional's Role in the SS Disability Determination...
byLaw Firm
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
byNCC Group
 
How we breach small and medium enterprises (SMEs)
byNCC Group
 
Practical SME Security on a Shoestring
byNCC Group
 
Pki 202 Architechture Models and CRLs
byNCC Group
 
Mobile App Security: Enterprise Checklist
byJignesh Solanki
 
Exploiting appliances presentation v1.1-vids-removed
byNCC Group
 

Viewers also liked

PDF
NCC Group 44Con Workshop: How to assess and secure ios apps
byNCC Group
 
PDF
Cryptography101
byNCC Group
 
PDF
07182013 Hacking Appliances: Ironic exploits in security products
byNCC Group
 
PPTX
Cryptography - 101
byn|u - The Open Security Community
 
PDF
Current & Emerging Cyber Security Threats
byNCC Group
 
PDF
USB: Undermining Security Barriers
byNCC Group
 
PDF
2012 12-04 --ncc_group_-_mobile_threat_war_room
byNCC Group
 
PDF
Pki 201 Key Management
byNCC Group
 
PDF
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
byNCC Group
 
PDF
Docking stations andy_davis_ncc_group_slides
byNCC Group
 
PPTX
The Mobile Internet of Things and Cyber Security
byNCC Group
 
PDF
Real World Application Threat Modelling By Example
byNCC Group
 
NCC Group 44Con Workshop: How to assess and secure ios apps
byNCC Group
 
Cryptography101
byNCC Group
 
07182013 Hacking Appliances: Ironic exploits in security products
byNCC Group
 
Cryptography - 101
byn|u - The Open Security Community
 
Current & Emerging Cyber Security Threats
byNCC Group
 
USB: Undermining Security Barriers
byNCC Group
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
byNCC Group
 
Pki 201 Key Management
byNCC Group
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
byNCC Group
 
Docking stations andy_davis_ncc_group_slides
byNCC Group
 
The Mobile Internet of Things and Cyber Security
byNCC Group
 
Real World Application Threat Modelling By Example
byNCC Group
 

Similar to 2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0

PPTX
Data explosion
byPrachi Gulihar
 
PPTX
Data security refers to the practices, technologies, and policies designed to...
byAlmabrukSultan1
 
PDF
G0953643
byIOSR Journals
 
PDF
Altman - Perfectly Anonymous Data is Perfectly Useless Data
byNational Information Standards Organization (NISO)
 
PDF
A SURVEY ON DATA ANONYMIZATION FOR BIG DATA SECURITY
byJournal For Research
 
PDF
Privacy Preserving for Mobile Health Data
byIRJET Journal
 
PDF
DATA & PRIVACY PROTECTION Anna Monreale Università di Pisa
byLaboratorio di Cultura Digitale, labcd.humnet.unipi.it
 
PDF
张振杰:大数据时代的隐私保护的挑战和机遇
byhdhappy001
 
PDF
Cp34550555
byIJERA Editor
 
PDF
Privacy Preserving by Anonymization Approach
byrahulmonikasharma
 
PPTX
Anonymising quantative data
byISSDA
 
PDF
Data Anonymization Process Challenges and Context Missions
byijdmsjournal
 
PDF
Data Anonymization Process Challenges and Context Missions
byIJDMS
 
PDF
Enabling Use of Dynamic Anonymization for Enhanced Security in Cloud
byIOSR Journals
 
PPTX
Micah Altman NISO privacy in library systems
byNational Information Standards Organization (NISO)
 
PPTX
From Re-Identification Risk to Compliance: A Guide to Data Anonymization
byInnovative Routines International
 
PPTX
Distinct l diversity anonymization of set valued data
byRohan Khude
 
PPTX
Anonymisation and Social Research
byISSDA
 
PDF
A review on anonymization techniques for privacy preserving data publishing
byeSAT Journals
 
PDF
Facilitating Analytics while Protecting Privacy
byKhaled El Emam
 
Data explosion
byPrachi Gulihar
 
Data security refers to the practices, technologies, and policies designed to...
byAlmabrukSultan1
 
G0953643
byIOSR Journals
 
Altman - Perfectly Anonymous Data is Perfectly Useless Data
byNational Information Standards Organization (NISO)
 
A SURVEY ON DATA ANONYMIZATION FOR BIG DATA SECURITY
byJournal For Research
 
Privacy Preserving for Mobile Health Data
byIRJET Journal
 
DATA & PRIVACY PROTECTION Anna Monreale Università di Pisa
byLaboratorio di Cultura Digitale, labcd.humnet.unipi.it
 
张振杰:大数据时代的隐私保护的挑战和机遇
byhdhappy001
 
Cp34550555
byIJERA Editor
 
Privacy Preserving by Anonymization Approach
byrahulmonikasharma
 
Anonymising quantative data
byISSDA
 
Data Anonymization Process Challenges and Context Missions
byijdmsjournal
 
Data Anonymization Process Challenges and Context Missions
byIJDMS
 
Enabling Use of Dynamic Anonymization for Enhanced Security in Cloud
byIOSR Journals
 
Micah Altman NISO privacy in library systems
byNational Information Standards Organization (NISO)
 
From Re-Identification Risk to Compliance: A Guide to Data Anonymization
byInnovative Routines International
 
Distinct l diversity anonymization of set valued data
byRohan Khude
 
Anonymisation and Social Research
byISSDA
 
A review on anonymization techniques for privacy preserving data publishing
byeSAT Journals
 
Facilitating Analytics while Protecting Privacy
byKhaled El Emam
 

Recently uploaded

PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
The year in review - MarvelClient in 2025
bypanagenda
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
AI Technology important knowledge ......
byutkarshj2007
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 

2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0

  • 1.
    Technical Aspects ofData Anonymisation & Pseudonymisation Risks, Challenges & Mitigations Matt Lewis Principal Consultant
  • 2.
    Agenda NCC Group –who we are and what we do Anonymisation, Pseudonymisation & Re-identification – overview of concepts Examples – when anonymisation goes wrong Pitfalls of image anonymisation and other information leakage through meta-data A risk-based approach to anonymisation Summary and advice Questions 7/15/2013 © NCC Group 2
  • 3.
    NCC Group 7/15/2013 ©NCC Group 3 Global information assurance specialist 15,000 customers worldwide across all sectors The Group has two complementary divisions - escrow and assurance Independence from hardware and software providers ensures we provide unbiased and impartial advice Largest penetration testing team in the world, with approximately 250 consultants
  • 4.
    Me: Brief Bio 7/15/2013© NCC Group 4 Over 12 years working in Information Security Previous Employers: • CESG – The Information Assurance arm of GCHQ • Information Risk Management (IRM) plc – penetration testing • KPMG – Executive Advisor in the Information Protection division of IT Advisory • NCC Group – Principal Consultant, providing penetration testing and consultancy around all aspects of Information Security
  • 5.
    Anonymisation – Overview 7/15/2013© NCC Group 5 Anonymised data should be information that does not identify any individuals, either in isolation or when cross-referenced with other data already in the public domain A careful balance is required around the level of anonymisation versus the usefulness of the resultant data Quantitative versus Qualitative – the latter is harder to anonymise in a consistent way, and requires more rigour on a „per record‟ basis – e.g. meeting minutes
  • 6.
    Pseudonymisation – Overview 7/15/2013© NCC Group 6 Information is anonymous to the receiver (e.g. researchers), but contains codes or identifiers to allow others to re-identify individuals from the pseudonymised data Universally protecting pseudonymised data whilst allowing general analysis of it is difficult – requires careful management of the „codes‟ or „keys‟ that uniquely identify individuals Quantitative versus Qualitative – again, the latter is harder to pseudonymise in a consistent way, and requires more rigour on a „per record‟ basis – e.g. meeting minutes
  • 7.
    Anonymisation – Techniquesand Methods 7/15/2013 © NCC Group 7 There are four main operations available for anonymising data Suppression, Substitution/Distortion, Generalisation, Aggregation Consider the following dataset: Name Sex Birth Date Post Code Complaint John Male 02/12/1954 SE24 6TY Pain in left eye Daniel Male 05/01/1984 NW1 6XD Chest pains Sarah Female 04/08/1978 E17 7WE Chest pains Samantha Female 03/10/1960 WC1 7RA Back pains James Male 09/09/1990 NW7 5LK Headaches
  • 8.
    Anonymisation – Techniquesand Methods 7/15/2013 © NCC Group 8 Suppression - deleting or omitting data fields entirely Sex Complaint Male Pain in left eye Male Chest pains Female Chest pains Female Back pains Male Headaches
  • 9.
    Anonymisation – Techniquesand Methods 7/15/2013 © NCC Group 9 Substitution/Distortion – e.g. replace a person‟s name with a unique number – this is also an example of pseudonymisation Name Sex Birth Date Post Code Complaint 0000001 Male 02/12/1954 SE24 6TY Pain in left eye 0000002 Male 05/01/1984 NW1 6XD Chest pains 0000003 Female 04/08/1978 E17 7WE Chest pains 0000004 Female 03/10/1960 WC1 7RA Back pains 0000005 Male 09/09/1990 NW7 5LK Headaches
  • 10.
    Anonymisation – Techniquesand Methods 7/15/2013 © NCC Group 10 Generalisation - alter rather than delete identifier values to increase privacy while preserving utility Name Sex Birth Year Post Code Complaint John Male 1954 SE24 Pain in left eye Daniel Male 1984 NW1 Chest pains Sarah Female 1978 E17 Chest pains Samantha Female 1960 WC1 Back pains James Male 1990 NW7 Headaches
  • 11.
    Anonymisation – Techniquesand Methods 7/15/2013 © NCC Group 11 Aggregation - produce summary statistics across a dataset instead of an anonymised dataset 40% of patients complain of chest pains 60% of patients are male etc. Name Sex Birth Date Post Code Complaint John Male 02/12/1954 SE24 6TY Pain in left eye Daniel Male 05/01/1984 NW1 6XD Chest pains Sarah Female 04/08/1978 E17 7WE Chest pains Samantha Female 03/10/1960 WC1 7RA Back pains James Male 09/09/1990 NW7 5LK Headaches
  • 12.
    Anonymisation of QualitativeData 7/15/2013 © NCC Group 12
  • 13.
    Anonymisation of QualitativeData 7/15/2013 © NCC Group 13 Pseudonymisation in qualitative data can be much more difficult The content/themes in this meeting for example might allow for re-identification of any pseudonymised individuals
  • 14.
    Re-identification – Whatis it? 7/15/2013 © NCC Group 14 Re-identification is the act of cross-referencing anonymised data with other data sources, and using inference, deduction and correlation to identify individuals Depending on the nature of data re-identified, this might raise data protection concerns
  • 15.
    Re-identification – Whodoes this and Why? 7/15/2013 © NCC Group 15 Researchers – e.g. computer scientists, genuinely interested in the challenges of re-identification Malicious individuals use re-identification information to discriminate, harass or discredit a victim Investigative journalists Organised crime – re-identification can facilitate creation of fake identities, or be used to extort victims (if data is personal/sensitive in nature) Competitors – seeking to re-identify and publish to discredit State sponsored data mining and correlation The Internet is essentially a vast, ever-growing cross-correlation database; access to most of which is open and free to anyone…
  • 16.
  • 17.
    Inference as aStarting Point Recall our example: 7/15/2013 © NCC Group 17 Name Sex Birth Date Post Code Complaint John Male 02/12/1954 SE24 6TY Pain in left eye Daniel Male 05/01/1984 NW1 6XD Chest pains Sarah Female 04/08/1978 E17 7WE Chest pains Samantha Female 03/10/1960 WC1 7RA Back pains James Male 09/09/1990 NW7 5LK Headaches
  • 18.
    Inference as aStarting Point Suppose the following anonymised aggregations are published: 60% of patients complain of chest pains 60% of patients are male 100% of Back pain sufferers live in WC1 100% of patients are over 21 years of age 100% of females suffer from chest or back pains 20% of patients suffer from Pain in the left eye From this we can infer the following table fields: Sex, Age, Condition, Post Code 7/15/2013 © NCC Group 18
  • 19.
    Inference as aStarting Point Suppose we know the sample size (i.e. 5), and the time of data publication 60% of patients are male 7/15/2013 © NCC Group 19 Sex Birth Date Complaint Post Code Male Male Male Female Female
  • 20.
    Inference as aStarting Point 100% of patients are over 21 years of age 7/15/2013 © NCC Group 20 Sex Birth Date Complaint Post Code Male <= 1992 Male <= 1992 Male <= 1992 Female <= 1992 Female <= 1992
  • 21.
    Inference as aStarting Point 100% of females suffer from chest or back pains 7/15/2013 © NCC Group 21 Sex Birth Date Complaint Post Code Male <= 1992 Male <= 1992 Male <= 1992 Female <= 1992 Chest Pains Female <= 1992 Back Pains
  • 22.
    Inference as aStarting Point 100% of Back pain sufferers live in WC1 7/15/2013 © NCC Group 22 Sex Birth Date Complaint Post Code Male <= 1992 Male <= 1992 Male <= 1992 Female <= 1992 Chest Pains Female <= 1992 Back Pains WC1
  • 23.
    Inference as aStarting Point 20% of patients suffer from Pain in the left eye 7/15/2013 © NCC Group 23 Sex Birth Date Complaint Post Code Male <= 1992 Pain in left eye Male <= 1992 Male <= 1992 Female <= 1992 Chest Pains Female <= 1992 Back Pains WC1
  • 24.
    Inference as aStarting Point 60% of patients complain of chest pains The next step would be to correlate/cross-reference with other sources 7/15/2013 © NCC Group 24 Sex Birth Date Complaint Post Code Male <= 1992 Pain in left eye Male <= 1992 Chest Pains Male <= 1992 Chest Pains Female <= 1992 Chest Pains Female <= 1992 Back Pains WC1
  • 25.
    An Example: MassachusettsGroup Insurance Company 7/15/2013 © NCC Group 25 In the mid-1990s GIC released anonymised data on state employees that showed every single hospital visit The goal was to help researchers; the state spent time removing all obvious identifiers such as name, address, and Social Security number William Weld, then Governor of Massachusetts, assured the public that GIC had protected patient privacy by deleting identifiers Computer Science graduate Dr. Latanya Sweeney requested a copy of the data and performed re-identification research on the dataset Main anonymisation technique used: Suppression
  • 26.
    An Example: MassachusettsGroup Insurance Company 7/15/2013 © NCC Group 26 Governor Weld lived in Cambridge MA 54,000 Residents 7 Post Codes Electoral Roll Purchase for $20: Contained name, address, post code, birth date, sex etc. GIC Anonymised Data Only 6 people in Cambridge shared Weld‟s birthday Only 3 of these were men Only 1 lived in Weld‟s Post Code Dr. Sweeney sent the Governor‟s health records (which included diagnoses and prescriptions) to his office
  • 27.
    Another Example: AmericaOnline (AOL) Data Release 7/15/2013 © NCC Group 27 In 2006, AOL publicly released twenty million search queries for 650,000 users of AOL‟s search engine summarising three months of activity AOL suppressed username and IP address, but replaced these with unique numbers that allowed researchers to correlate different searches with a specific user (pseudonymisation) New York Times reporters Michael Barbaro and Tom Zeller performed some research around User 4417749‟s identity. His/her searches had included: • “landscapers in Lilburn, Ga” • “several people with the last name Arnold” • “homes sold in shadow lake subdivision gwinnett county georgia”
  • 28.
    Another Example: AmericaOnline (AOL) Data Release 7/15/2013 © NCC Group 28 The reporters tracked down Thelma Arnold, a sixty-two-year-old widow from Lilburn, Georgia who acknowledged that she had authored the searches, including queries such as • “numb fingers”, “60 single men” and “dog that urinates on everything” Main anonymisation technique used: Suppression and Substitution
  • 29.
    Anonymisation of non-textualdata and Metadata 7/15/2013 © NCC Group 29 Anonymisation might be required of non-textual data. E.g. images and videos (obfuscating faces) This might require release of hundreds or thousands of anonymised files, rather than one large dataset Often, hidden meta-data within those files is forgotten, and can be a valuable source for individuals attempting re-identification
  • 30.
    Anonymisation of non-textualdata and Metadata 7/15/2013 © NCC Group 30 A simple example – a picture of a heron visiting my garden Suppose I obfuscate the heron to protect its identity
  • 31.
    GPS/Meta-Data in ImageFiles 7/15/2013 © NCC Group 31
  • 32.
  • 33.
    A Risk-Based Approach 7/15/2013© NCC Group 33 There is anonymisation guidance, but there is no anonymisation formula Anonymisation is not an exact science Each data set presents a unique instance, and the choice of anonymisation operation(s) must be carefully considered in order to maintain anonymity and utility A risk-based approach is therefore the only option…
  • 34.
    Risk Mitigation Advice 7/15/2013© NCC Group 34 Consult with experts before embarking on anonymisation, on the proposed approach and potential risks If there is no business case or perceived benefit in going through the process, then don‟t Consider release to limited audiences – only go public if strictly required Protect the anonymisation method/formula Qualitative anonymisation can typically be automated, Quantitative anonymisation will require more manual efforts Always vet anonymisations of Quantitative and Qualitative data before release, don‟t just fire and forget
  • 35.
    Risk Mitigation Advice 7/15/2013© NCC Group 35 Perform your own rudimentary Google searches and correlation attempts with other public data sources before publishing If in doubt, engage again with experts on the likelihood of re- identification given the derived anonymised data set Consider the quantity of released anonymised data - in practically all re-identification studies performed, researchers have been more successful with larger databases Try and remove one or more of the top 3 culprits: Post Code, Birthdate and Sex. • In 2000 Dr. Latanya Sweeney showed that 87% of all Americans could be uniquely identified using only these three bits of information Metadata – prior to release, ensure all meta-data in documents is removed – A number of tools exist for this, depending on the document type (e.g. Adobe Acrobat, Microsoft Office, JPEGs etc.)
  • 36.
    Risk Mitigation Advice- Pseudonymisation 7/15/2013 © NCC Group 36 Don‟t chose reversible identifiers – for example, names replaced with identifiers that are based on record data John Smith, 05/01/1978 -> JS05011978 Be aware of potential inferences from sorted data (e.g. alphabetical ordering might provide clues for re-identification) Keep the pseudonymisation formula secret – protect it with the same controls as for encryption keys and passwords Perform pseudonymisation functions on segregated, secure environments, only copy/migrate the pseudonymised data (keep them separate) Remove all meta-data from pseudonymised data files – make sure the individual(s) performing the pseudonymisation are not referenced in the meta-data Any cryptographic hashing used as identifiers/keys should always be salted
  • 37.
    References 7/15/2013 © NCCGroup 37 ICO guidance on anonymisation: http://www.ico.org.uk/for_organisations/data_protection/topic_guides/anon ymisation Paper on the failures of anonymisation, Paul Ohm http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006 Research/Blog on anonymisation http://33bits.org/
  • 38.
    Questions? Matt Lewis matt.lewis@nccgroup.com UK Offices Manchester- Head Office Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland