Hassan Jameel Asghar,Paul Tyler,Mohamed Ali Kaafar

DOI: https://doi.org/10.48550/arXiv.1705.05957

2017-05-17

Abstract:This document describes the application of a differentially private algorithm to release public transport usage data from Transport for New South Wales (TfNSW), Australia. The data consists of two separate weeks of "tap-on/tap-off" data of individuals who used any of the four different modes of public transport from TfNSW: buses, light rail, train and ferries. These taps are recorded through the smart ticketing system, known as Opal, available in the state of New South Wales, Australia.

Cryptography and Security

Dr. Chris Culnane,A/Prof. Benjamin I. P. Rubinstein,A/Prof. Vanessa Teague

DOI: https://doi.org/10.48550/arXiv.1908.05004

2019-08-14

Cryptography and Security

Abstract:The subject of this report is the re-identification of individuals in the Myki public transport dataset released as part of the Melbourne Datathon 2018. We demonstrate the ease with which we were able to re-identify ourselves, our co-travellers, and complete strangers; our analysis raises concerns about the nature and granularity of the data released, in particular the ability to identify vulnerable or sensitive groups.

David Ory,Stephen Granger-Bevan

DOI: https://doi.org/10.48550/arXiv.1609.08757

2016-09-28

Abstract:The deployment of smart-card-based public transit fare payment systems provides government the opportunity to create a valuable derivative data product. Companies such as Urban Engines have demonstrated an ability to add value to the data derived from transit fare transactions. The challenge for the public sector is to, for the societal good, leverage private sector interest by giving access to useful fare transaction data in a manner that protects customer privacy. This challenge is particularly acute in California, where privacy laws make sharing data in a manner that supports the public interest difficult. This paper presents the Metropolitan Transportation Commission's (MTC's) proposed solution to the problem. MTC operates the Clipper(r) transit fare payment system for the San Francisco Bay Area. In an effort to share usable data that protects customer privacy, MTC developed an anonymizing scheme that is the subject of the present paper. We seek feedback on our approach from the Data for Good Exchange community, asking: in seeking a balance between customer privacy and usability, does the scheme go too far in either direction? And, should we take a different anonymizing approach?

Computers and Society

Chenxi Chen,Xianbiao Hu,Yang Li,Qing Tang

DOI: https://doi.org/10.1109/tits.2023.3309783

IF: 8.5

2023-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:Trajectory datasets have been widely used in transportation research, but the risk of privacy breach comes with data sharing. Privacy budget allocation is a key step of the differential privacy (DP)-based privacy-preserving data publishing (PPDP) algorithm development, as it directly impacts the data utility of the released dataset. Most prior research used simple logic to allocate privacy budgets, such as evenly distributing them among different tree levels, without theoretical support to reach optimality. This manuscript presents the development of an optimal privacy budget allocation algorithm for transit smart card data, with the goal of publishing non-interactive sanitized trajectory data under a differential privacy definition. To this end, the smart card trajectory data are first stored in a prefix tree structure, and a query probability model is developed to quantitatively measure the probability of a trajectory location pair being queried. Next, the privacy budget is optimized for each prefix tree node to minimize the query error, while satisfying the differential privacy definition. The Lagrangian relaxation method is adopted to derive the optimal privacy budget values, and several propositions on the solution property are proposed and proved. Real-life metro smart card data from Shenzhen, China that include a total of 2.8 million individual travelers and over 220 million records are used in the case study section. The developed algorithm is demonstrated to output a sanitized dataset with the highest utilities when compared with three benchmark algorithms. Sensitivity analysis shows that the resulting data utility remains stable when the privacy budget changes. The runtime of the proposed algorithm is less than 160 seconds in all experiments, exhibiting good computational efficiency.

engineering, electrical & electronic,transportation science & technology, civil

Alexandra Kapp,Saskia Nuñez von Voigt,Helena Mihaljević,Florian Tschorsch

DOI: https://doi.org/10.1080/17489725.2022.2148008

2022-09-19

Abstract:The importance of human mobility analyses is growing in both research and practice, especially as applications for urban planning and mobility rely on them. Aggregate statistics and visualizations play an essential role as building blocks of data explorations and summary reports, the latter being increasingly released to third parties such as municipal administrations or in the context of citizen participation. However, such explorations already pose a threat to privacy as they reveal potentially sensitive location information, and thus should not be shared without further privacy measures. There is a substantial gap between state-of-the-art research on privacy methods and their utilization in practice. We thus conceptualize a standardized mobility report with differential privacy guarantees and implement it as open-source software to enable a privacy-preserving exploration of key aspects of mobility data in an easily accessible way. Moreover, we evaluate the benefits of limiting user contributions using three data sets relevant to research and practice. Our results show that even a strong limit on user contribution alters the original geospatial distribution only within a comparatively small range, while significantly reducing the error introduced by adding noise to achieve privacy guarantees.

Cryptography and Security,Other Computer Science

John Abowd,Lorenzo Alvisi,Cynthia Dwork,Sampath Kannan,Ashwin Machanavajjhala,Jerome Reiter

DOI: https://doi.org/10.48550/arXiv.1701.00752

2017-01-03

Computers and Society

Abstract:Government statistical agencies collect enormously valuable data on the nation's population and business activities. Wide access to these data enables evidence-based policy making, supports new research that improves society, facilitates training for students in data science, and provides resources for the public to better understand and participate in their society. These data also affect the private sector. For example, the Employment Situation in the United States, published by the Bureau of Labor Statistics, moves markets. Nonetheless, government agencies are under increasing pressure to limit access to data because of a growing understanding of the threats to data privacy and confidentiality. "De-identification" - stripping obvious identifiers like names, addresses, and identification numbers - has been found inadequate in the face of modern computational and informational resources. Unfortunately, the problem extends even to the release of aggregate data statistics. This counter-intuitive phenomenon has come to be known as the Fundamental Law of Information Recovery. It says that overly accurate estimates of too many statistics can completely destroy privacy. One may think of this as death by a thousand cuts. Every statistic computed from a data set leaks a small amount of information about each member of the data set - a tiny cut. This is true even if the exact value of the statistic is distorted a bit in order to preserve privacy. But while each statistical release is an almost harmless little cut in terms of privacy risk for any individual, the cumulative effect can be to completely compromise the privacy of some individuals.

Chris Culnane,Benjamin I. P. Rubinstein,Vanessa Teague

DOI: https://doi.org/10.48550/arXiv.1712.00871

2017-12-04

Abstract:In the course of a survey of privacy-preserving record linkage, we reviewed the approach taken by the UK Office for National Statistics (ONS) as described in their series of reports "Beyond 2011". Our review identifies a number of matters of concern. Some of the issues discovered are sufficiently severe to present a risk to privacy.

Cryptography and Security

Srishti Gupta,Ponnurangam Kumaraguru

DOI: https://doi.org/10.48550/arXiv.1312.2784

2013-12-10

Computers and Society

Abstract:The awareness and sense of privacy has increased in the minds of people over the past few years. Earlier, people were not very restrictive in sharing their personal information, but now they are more cautious in sharing it with strangers, either in person or online. With such privacy expectations and attitude of people, it is difficult to embrace the fact that a lot of information is publicly available on the web. Information portals in the form of the e-governance websites run by Delhi Government in India provide access to such PII without any anonymization. Several databases e.g., Voterrolls, Driving Licence number, MTNL phone directory, PAN card serve as repositories of personal information of Delhi residents. This large amount of available personal information can be exploited due to the absence of proper written law on privacy in India. PII can also be collected from various social networking sites like Facebook, Twitter, GooglePlus etc. where the users share some information about them. Since users themselves put this information, it may not be considered as a privacy breach, but if the information is aggregated, it may give out much more information resulting in a bigger threat. To bring such issues to public notice, we developed Open-source Collation of eGovernment data And Networks (OCEAN), a system where the user enters little information (e.g. Name) about a person and gets large amount of personal information about him / her like name, age, address, date of birth, mother's name, father's name, voter ID, driving licence number, PAN.

Alexandra Kapp

DOI: https://doi.org/10.56553/popets-2022-0117

2024-07-04

Abstract:Human mobility data is a crucial resource for urban mobility management, but it does not come without personal reference. The implementation of security measures such as anonymization is thus needed to protect individuals' privacy. Often, a trade-off arises as such techniques potentially decrease the utility of the data and limit its use. While much research on anonymization techniques exists, there is little information on the actual implementations by practitioners, especially outside the big tech context. Within our study, we conducted expert interviews to gain insights into practices in the field. We categorize purposes, data sources, analysis, and modeling tasks to provide a profound understanding of the context such data is used in. We survey privacy-enhancing methods in use, which generally do not comply with state-of-the-art standards of differential privacy. We provide groundwork for further research on practice-oriented research by identifying privacy needs of practitioners and extracting relevant mobility characteristics for future standardized evaluations of privacy-enhancing methods.

Cryptography and Security

Jeffrey Murray,Afra Mashhadi,Brent Lagesse,Michael Stiber,Jeffrey Murray Jr

DOI: https://doi.org/10.48550/arXiv.2101.09834

2021-01-25

Cryptography and Security

Abstract:With mobile phone penetration rates reaching 90%, Consumer Proprietary Network Information (CPNI) can offer extremely valuable information to different sectors, including policymakers. Indeed, as part of CPNI, Call Detail Records have been successfully used to provide real-time traffic information, to improve our understanding of the dynamics of people's mobility and so to allow prevention and measures in fighting infectious diseases, and to offer population statistics. While there is no doubt of the usefulness of CPNI data, privacy concerns regarding sharing individuals' data have prevented it from being used to its full potential. Traditional de-anonymization measures, such as pseudonymization and standard de-identification, have been shown to be insufficient to protect privacy. This has been specifically shown on mobile phone datasets. As an example, researchers have shown that with only four data points of approximate place and time information of a user, 95% of users could be re-identified in a dataset of 1.5 million mobile phone users. In this landscape paper, we will discuss the state-of-the-art anonymization techniques and their shortcomings.

Aryelly Rodriguez,Steff C Lewis,Sandra Eldridge,Tracy Jackson,Christopher J Weir

DOI: https://doi.org/10.1177/17407745241259086

2024-06-21

Clinical Trials

Abstract:Clinical Trials, Ahead of Print. Background:There are increasing pressures for anonymised datasets from clinical trials to be shared across the scientific community. However, there is no standardised set of recommendations on how to anonymise and prepare clinical trial datasets for sharing, while an ever-increasing number of anonymised datasets are becoming available for secondary research. Our aim was to explore the current views and experiences of researchers in the United Kingdom about de-identification, anonymisation, release methods and re-identification risk estimation for clinical trial datasets.Methods:We used an online exploratory cross-sectional descriptive survey that consisted of both open-ended and closed questions.Results:We had 38 responses to invitation from June 2022 to October 2022. However, 35 participants (92%) used internal documentation and published guidance to de-identify/anonymise clinical trial datasets. De-identification, followed by anonymisation and then fulfilling data holders' requirements before access was granted (controlled access), was the most common process for releasing the datasets as reported by 18 (47%) participants. However, 11 participants (29%) had previous knowledge of re-identification risk estimation, but they did not use any of the methodologies. Experiences in the process of de-identifying/anonymising the datasets and maintaining such datasets were mostly negative, and the main reported issues were lack of resources, guidance, and training.Conclusion:The majority of responders reported using documented processes for de-identification and anonymisation. However, our survey results clearly indicate that there are still gaps in the areas of guidance, resources and training to fulfil sharing requests of de-identified/anonymised datasets, and that re-identification risk estimation is an underdeveloped area.

medicine, research & experimental

Feiyang Tang

DOI: https://doi.org/10.1109/SmartWorld-UIC-ATC-ScalCom-DigitalTwin-PriComp-Metaverse56740.2022.00327

2022-12-21

Abstract:Biometric data privacy is becoming a major concern for many organizations in the age of big data, particularly in the ICT sector, because it may be easily exploited in apps. Most apps utilize biometrics by accessing common application programming interfaces (APIs); hence, we aim to categorize their usage. The categorization based on behavior may be closely correlated with the sensitive processing of a user's biometric data, hence highlighting crucial biometric data privacy assessment concerns. We propose PABAU, Privacy Analysis of Biometric API Usage. PABAU learns semantic features of methods in biometric APIs and uses them to detect and categorize the usage of biometric API implementation in the software according to their privacy-related behaviors. This technique bridges the communication and background knowledge gap between technical and non-technical individuals in organizations by providing an automated method for both parties to acquire a rapid understanding of the essential behaviors of biometric API in apps, as well as future support to data protection officers (DPO) with legal documentation, such as conducting a Data Protection Impact Assessment (DPIA).

Cryptography and Security,Machine Learning,Software Engineering

Fengli Xu,Zhen Tu,Yong Li

DOI: https://doi.org/10.1109/tnsm.2019.2926488

2020-01-01

IEEE Transactions on Network and Service Management

Abstract:Large scale cellular network accessing records are generated by mobile users on daily basis, which leave fine-grained footprints that have potential to compromise the privacy of user mobility. Abundant previous researches have demonstrated that simple anonymization has limited effect in preserving user’s privacy due to prevalence of re-identification attacks. As a result, the mobile operators and application vendors usually turn to a more aggressive solution that is removing the identifier (ID) of each entry in the records. Cellular data sets owners believe that such procedure is sufficient for preserving user’s privacy, since the attackers cannot directly put together the cellular records that belong to one individual, let alone recover user’s identity. However, in this paper, we argue and prove that simply removing the IDs is not sufficient for preserving mobile users’ privacy. We develop a mechanism that is able to extract the mobility patterns of users from cellular records and associate ID-removed records belonging to same individuals. Extensive experiments show that 70%~80% records of each user on average can be accurately recovered for two data sets collected from both mobile application and mobile operator side at the scale of several thousands to tens of thousands users. We find that the number of users released, the temporal and spatial granularity, and the speed of user movement are key factors that determine the privacy leakage in the ID-removed cellular data sets.

Jonathan Reades,Chen Zhong,ED Manley,Richard Milton,Michael Batty

DOI: https://doi.org/10.2148/benv.42.3.365

2016-10-01

Built Environment

Abstract:Public transport is perhaps the most significant component of the contemporary smart city currently being automated using sensor technologies that generate data about human behaviour. This is largely due to the fact that the travel associated with such transport is highly ordered. Travellers move collectively in closed vehicles between fixed stops and their entry into and from the system is unambiguous and easy to automate using smart cards. Flows can thus be easily calculated at specific station locations and bus stops and within fine temporal intervals. Here we outline work we have been doing using a remarkable big data set for public transport in Greater London generated from the Oyster Card, the smart card which has been in use for over 13 years. We explore the generic properties of the Tube and Overground rail system focusing first on the scale and distribution of the flow volumes at stations, then engaging in an analysis of temporal flows that can be decomposed into various patterns using principal components analysis (PCA) which smoothes out normal fluctuations and leaves a residual in which significant deviations can be tracked and explained. We then explore the heterogeneity in the data set with respect to how travel behaviour varies over diff erent time intervals and suggest how we can use these ideas to detect and manage disruptions in the system.

English Else

Kaustav Bhattacharjee,Akm Islam,Jaideep Vaidya,Aritra Dasgupta

DOI: https://doi.org/10.1109/VizSec56996.2022.9941431

2022-08-13

Abstract:Open data sets that contain personal information are susceptible to adversarial attacks even when anonymized. By performing low-cost joins on multiple datasets with shared attributes, malicious users of open data portals might get access to information that violates individuals' privacy. However, open data sets are primarily published using a release-and-forget model, whereby data owners and custodians have little to no cognizance of these privacy risks. We address this critical gap by developing a visual analytic solution that enables data defenders to gain awareness about the disclosure risks in local, joinable data neighborhoods. The solution is derived through a design study with data privacy researchers, where we initially play the role of a red team and engage in an ethical data hacking exercise based on privacy attack scenarios. We use this problem and domain characterization to develop a set of visual analytic interventions as a defense mechanism and realize them in PRIVEE, a visual risk inspection workflow that acts as a proactive monitor for data defenders. PRIVEE uses a combination of risk scores and associated interactive visualizations to let data defenders explore vulnerable joins and interpret risks at multiple levels of data granularity. We demonstrate how PRIVEE can help emulate the attack strategies and diagnose disclosure risks through two case studies with data privacy experts.

Cryptography and Security,Computers and Society

Deborah Lupton

DOI: https://doi.org/10.3389/fdgth.2021.649275

2021-02-23

Frontiers in Digital Health

Abstract:Self-tracking technologies and practices offer ways of generating vast reams of personal details, raising questions about how these data are revealed or exposed to others. In this article, I report on findings from an interview-based study of long-term Australian self-trackers who were collecting and reviewing personal information about their bodies and other aspects of their everyday lives. The discussion focuses on the participants' understandings and practices related to sharing their personal data and to data privacy. The contextual elements of self-tracked sharing and privacy concerns were evident in the participants' accounts and were strongly related to ideas about why and how these details should be accessed by others. Sharing personal information from self-tracking was largely viewed as an intimate social experience. The value of self-tracked data to contribute to close face-to-face relationships was recognized and related aspects of social privacy were identified. However, most participants did not consider the possibilities that their personal information could be distributed well-beyond these relationships by third parties for commercial purposes (or what has been termed “institutional privacy”). These findings contribute to a more-than-digital approach to personal data sharing and privacy practices that recognizes the interplay between digital and non-digital practices and contexts. They also highlight the relational and social dimensions of self-tracking and concepts of data privacy.

G. Stilo,Gian Luca Scoccia,Marco Autili,P. Inverardi

DOI: https://doi.org/10.1145/3524613.3527813

2022-05-01

Abstract:Privacy labels provide an easy and recognizable overview of data collection practices adopted by mobile apps developers. Specifically, on the Apple App Store, privacy labels are displayed on each mobile app's page and summarize what data is collected by the app, how it is used, and for what purposes it is needed. Starting from the release of iOS version 14.3 developers are required to provide privacy labels for their applications. We conducted a large-scale empirical study, collecting and analyzing the privacy labels of 17, 312 apps published on the App Store, to understand and characterize how sensitive data is collected and shared. The results of our analysis highlight important criticalities about the collection and sharing of personal data for tracking purposes. In particular, on average free applications collect more sensitive data, the majority of data is collected in an unanonimyzed form, and a wide range of sensitive information are collected for tracking purposes. The analysis provides also evidence to support the decision-making of users, platform maintainers, and regulators. Furthermore, we repeated the data collection and analysis after seven months, following the introduction of additional run-time tracking controls by Apple. Comparing the two datasets, we observed that the newly introduced measures resulted in a statistically significant decrease in the number of apps that collect data for tracking purposes. At the same time, we observed a growth in overall data collection.

Computer Science

Robert McMillan,Maggie Reeves

DOI: https://doi.org/10.23889/ijpds.v4i3.1266

2019-11-21

International Journal of Population Data Science

Abstract:Background with rationaleThe Georgia Policy Labs’ mission is to improve outcomes for children and families by producing rigorous research with long-term government partners. A key component of this model is having secure access to research-ready, individual level data from multiple sources to answer government agencies’ questions within policy windows. Obtaining sensitive data from our partners requires significant relationship building, demonstrations of value, and assurances of our ability to mitigate all security and privacy concerns. Objectives Securely transfer and de-identify disparate individual level datasets with personally identifiable information from public entities. Clean data and store in a pristine data lake, made available for fast turn-around research. Ensure individual records can be matched across disparate organizations’ datasets. ApproachOur practices, infrastructure, data sharing agreements and security are built to support the intersection of data availability for researchers and security standards that give our partners ease. We highlight two solutions addressing security concerns while supporting our researchers, which can be used by other researchers using sensitive data. First, we discuss our multiple tiers of transfer and access that remove risk from identifiable data. Second, we share the double hash solution created for a partner who was not willing to share PII. We share the source code for our SHA3-512 double hash solution, which allows for matching of records across disparate datasets without receiving PII sensitive elements. ResultsWe created reliable matching values without the need for the actual social security numbers or other PII values on our side, enabling a large school district to share its student-level data with us. ConclusionThe balance of security and easy access for researchers is a common area of friction. Our security set-up and hashing solution allows others to remove this barrier for applied policy research.

Shouling Ji,Weiqing Li,Mudhakar Srivatsa,Raheem Beyah

2014-01-01

Abstract:When people utilize social applications and services, their privacy suffers potential serious threat. In this paper, we present a novel, robust, and effective de-anonymization attack to mobility trace data and social data. First, we design a Unified Similarity (US) measurement which takes account of local and global structural characteristics of data, information obtained from auxiliary data, and knowledge inherited from on-going de-anonymization results. By analyzing the measurement on real data sets, we find that some data can potentially be de-anonymized accurately and the other can be de-anonymized in a coarse granularity. Utilizing this property, we present a US based De-Anonymization (DA) framework, which iteratively de-anonymizes data with accuracy guarantee. Then, to de-anonymize large scale data without the knowledge on the overlap size between the anonymized data and the auxiliary data, we generalize DA to an Adaptive De-Anonymization (ADA) framework. By smartly working on two core matching subgraphs, ADA achieves high de-anonymization accuracy and reduces computational overhead. Finally, we examine the presented de-anonymization attack on three well known mobility traces: St Andrews, Infocom06, and Smallblue, and three social data sets: ArnetMiner, Google+, and Facebook. The experimental results demonstrate that the presented de-anonymization framework is very effective and robust to noise. For instance, utilizing the knowledge of one seed mapping merely, 93.2% of the data in Smallblue can be successfully de-anonymized; utilizing the knowledge of ten seed mappings, August 13, 2014 DRAFT

Christopher Bian,Albert Cheu,Yannis Guzman,Marco Gruteser,Peter Kairouz,Ryan McKenna,Edo Roth

2024-07-04

Abstract:Environmental Insights Explorer (EIE) is a Google product that reports aggregate statistics about human mobility, including various methods of transit used by people across roughly 50,000 regions globally. These statistics are used to estimate carbon emissions and provided to policymakers to inform their decisions on transportation policy and infrastructure. Due to the inherent sensitivity of this type of user data, it is crucial that the statistics derived and released from it are computed with appropriate privacy protections. In this work, we use a combination of federated analytics and differential privacy to release these required statistics, while operating under strict error constraints to ensure utility for downstream stakeholders. In this work, we propose a new mechanism that achieves $ \epsilon \approx 2 $-DP while satisfying these strict utility constraints, greatly improving over natural baselines. We believe this mechanism may be of more general interest for the broad class of group-by-sum workloads.

Cryptography and Security,Databases