Measuring and predicting anonymity - 8: Conclusions and future work


Academic year: 2021


UvA-DARE is a service provided by the library of the University of Amsterdam (https://dare.uva.nl)

UvA-DARE (Digital Academic Repository)

Measuring and predicting anonymity

Koot, M.R.

Publication date

2012


Citation for published version (APA):

Koot, M. R. (2012). Measuring and predicting anonymity.

General rights

It is not permitted to download or to forward/distribute the text or part of it without the consent of the author(s) and/or copyright holder(s), other than for strictly personal, individual use, unless the work is under an open content license (like Creative Commons).

Disclaimer/Complaints regulations

If you believe that digital publication of certain material infringes any of your rights or (privacy) interests, please let the Library know, stating your reasons. In case of a legitimate complaint, the Library will make the material inaccessible and/or remove it from the website. Please Ask the Library: https://uba.uva.nl/en/contact, or a letter to: Library of the University of Amsterdam, Secretariat, Singel 425, 1012 WP Amsterdam, The Netherlands. You will be contacted as soon as possible.


8 Conclusions and future work

In our increasingly computer-networked world, more and more personal data is collected, linked and shared. This raises questions about privacy — i.e. about the feeling and reality of enjoying a private life in terms of being able to exercise control over the disclosure of information about oneself. In an attempt to provide privacy, databases containing personal data are sometimes de-identified, meaning that obvious identifiers such as Social Security Numbers, names, addresses and phone numbers are removed. In microdata, where each record maps to a single individual, de-identification might however leave variables that, combined, can be used to re-identify the de-identified data.

To establish the case for quantified privacy analysis, we first performed an empirical study on the identifiability of nameless hospital intake data and welfare fraud data about Dutch citizens, using large amounts of personal data collected from municipal registry offices. We showed, through quantifications, the possibility of large differences in actual privacy of citizens depending on the municipality where they live.

We developed a range of novel techniques for predicting aspects of anonymity, building on probability theory, and specifically birthday problem theory and large deviations theory. We empirically validated our formulas using public data insofar as possible, and using our privately collected data insofar as necessary to ensure coherence of research.

In the final chapter we gave preliminary ideas for applying our techniques in real life. We feel these are suitable and useful input to the privacy debate; practical application will depend on competence and willingness of data holders and policy makers to correctly identify quasi-identifiers. In the end, it remains a matter of policy what value of k can be considered sufficiently strong anonymity for particular personal information.
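As an added illustration (not code from the thesis), the sketch below measures k and the share of unique records for every combination of remaining columns in a small constructed microdata set, next to the textbook uniform birthday-problem expectation of uniqueness. The records, field names and function names are assumptions made for this example, and the uniform formula is the standard one, not the thesis's own prediction formulas.

```python
from collections import Counter
from itertools import combinations

# Constructed de-identified microdata (not real): names removed, three columns left.
FIELDS = ("postcode4", "birth_year", "sex")
RECORDS = [
    ("1012", 1980, "F"), ("1012", 1980, "F"), ("1012", 1980, "M"),
    ("1012", 1975, "M"), ("1013", 1980, "F"), ("1013", 1962, "M"),
    ("1013", 1962, "M"), ("1013", 1962, "M"), ("1014", 1990, "F"),
    ("1014", 1990, "F"),
]

def anonymity_sets(records, qid):
    """Count records sharing each value of the quasi-identifier `qid`."""
    idx = [FIELDS.index(f) for f in qid]
    return Counter(tuple(r[i] for i in idx) for r in records)

def k_anonymity(records, qid):
    """Largest k for which the data is k-anonymous with respect to `qid`."""
    return min(anonymity_sets(records, qid).values())

def unique_fraction(records, qid):
    """Fraction of records alone in their anonymity set (k = 1)."""
    sizes = anonymity_sets(records, qid).values()
    return sum(1 for s in sizes if s == 1) / len(records)

def expected_unique_fraction(n, d):
    """Uniform birthday-problem expectation: the chance that none of the
    other n-1 people share one person's value among d equally likely ones."""
    return (1 - 1 / d) ** (n - 1)

def survey(records):
    """k and unique fraction for every non-empty combination of columns."""
    out = {}
    for r in range(1, len(FIELDS) + 1):
        for qid in combinations(FIELDS, r):
            out[qid] = (k_anonymity(records, qid), unique_fraction(records, qid))
    return out

if __name__ == "__main__":
    for qid, (k, uniq) in survey(RECORDS).items():
        print(f"{'+'.join(qid):28s} k={k} unique={uniq:.0%}")
    # Uniform prediction: 23 people, 365 equally likely birthdays.
    print(f"predicted unique fraction: {expected_unique_fraction(23, 365):.3f}")
```

Each column on its own can look harmless while the combination singles people out, which is why the choice of quasi-identifier set drives the k a data holder actually achieves.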

We propose three directions for future research:

• Our formulas may have uses outside the context of data anonymity, such as in the context of communication anonymity. KL-distance based prediction, for example, might prove useful in contexts handling distributions related to aspects of packets or network flows that are relevant to anonymity of communication. We do not know whether this is the case for onion routing (e.g. Tor), garlic routing, Crowds, MUTE, I2P or any other existing system for anonymous communication. Possibly, our methods allow creation of a new system, or have a function under environmental assumptions different from those under which existing systems are designed, operated and used;

• Our formulas may have uses outside the context of privacy altogether: notably, forensics and marketing. In forensics, for example, the question might be raised how probable it is that some piece of evidence is unique to a person. Similarly, a marketeer might wonder how probable it is that some piece of information is unique to a person. Especially the formulas developed in Chapter 4 and Chapter 5 may be relevant to those contexts. Whether this is true, and whether other parts of our work have application outside privacy, needs further research;

• Study is needed to show what sort of background information is easy to obtain, and what the impact is on re-identifiability. What possibilities do various types of adversaries — corporate, government, individual — have to obtain information? How does this vary between adversaries targeting specific individuals and adversaries targeting anyone whose data they are able to obtain?

We hope others will be inspired to build on our work, as we too built on the work of others.
