Large Scale Threatsto Data Anonymity

Arvind NarayananJoint work with

Vitaly ShmatikovKamalika Chaudhuri

Anonymity is not cryptography

• Small “keyspace” – random guessing succeeds with probability 1/N Natural upper bound on N – the race is over! Guess-and-verify paradigm

• Even quadratic algorithms sometimes feasible!

• Conventional wisdom relied on computational infeasibility

The curse of dimensionality

• Too much entropy per record

• How high is high? Try 35,540!

• k-anonymity breaks down

• Nearest neigbhor too far Cinematch beats baseline by 1%!

• Projection to low dimensions loses most of the info

Auxiliary information

• Auxiliary information about people very easy to obtain

• Unlinkability of user traces – unaffordable luxury

• Yet linking across databases often disastrous

• Future privacy – linkage of “profile” to identify makes virtual identities impossible

Two fallacies

• Identifying vs. non-identifying attributes All attributes are quasi-identifiers! Simply removing record labels is not sufficient

• Perturbation makes attacker’s task harder Note superficial similarity with LPN But non-cryptographic! Reality: re-identification algorithms easily made

noise resilient

Interactive protocols

• Severe computational limits Query-execute-analyze cycle

• Utility required may be non-statistical Database may even be non-relational

• Privacy for queries

• Data aggregator not trusted Algorithms in distributed setting not well

developed yet

Sad realization #2

• Privacy usually an afterthought (not important until it affects you) Video privacy act example

• Privacy vs. utility: Collect/release the data, ask questions later

Sweeney – linking (exact match)

(Anonymous) (Non-anonymous)

Hardly secret

Probably not secret

Collaborative filtering: profiles

• Each of N users has a preference vector, or a preference profile

• One attribute for each item

• Goal: mine this database to predict preferences for new items

• Can we release an anonymized database of preference vectors?

Movielens – fuzzy match

• Hypothetical investigation

• Frankowski, Cosley, Sen, Terveen, Riedl.

• Anonymized database of movie ratings

• Attacker knows small number of approximate preferences

• Nearest neighbor stats confirmed

Netflix – fuzzy match with noise

• Nearest neighbor graph

• Real attack, Narayanan & Shmatikov

• ~ 4 movies → unique re-identification know either ratings or dates approximately one of the data points can be completely wrong

• Found a couple of our friends

• Found a couple of users from IMDb

Distance to nearest neighbor

Netflix’s take on privacy

Even if, for example, you knew all your own ratings and their dates you probably couldn’t identify them reliably in the data because only a small sample was included (less

than one-tenth of our complete dataset) and that data was subject to perturbation. Of course, since you know all

your own ratings that really isn’t a privacy problem is it?

-- Netflix Prize FAQ

Example of deanonymization

Netflix – contributions

• Scoring tolerates large amount of noise ∑i Є M ∩M’ [ e-α|ri - ri‘| + c e-β|di - di‘| + Γ ] / log #i

• Verifying deanonymization in absence of oracle [score(max) – score(max2)] / std.dev(score)

• Extract user relationships

Netflix customers with distance < 0.15

•Could edges reflect real-life relationships?

•Ratings and dates were ignored

Recommenders: stronger attacks

• Do recommendation systems inherently leak profile? No data release!

• Theoretical attacks known Textbook systems Deployed, complex systems

Social networks

• Graph of interactions between people Think of phone call graphs

• Different type of profile Non – relational data

Backstrom, Dwork, Kleinberg

• Active and passive attacks

• Re-identify nodes touched by malicious edges

• Easy to find graph-structured patterns in large database

Narayanan, Chaudhuri

• Tolerates noise

• Several attacks where a user can re-identify own node

• Subgraph isomorphism with several hundred nodes Heuristics involving node labels

• User knows own degree exactly Modern phones store all calls Who deletes email anymore?

Finding yourself

• N instances of graph isomorphism• Use isomorphism-invariant signatures

Propagation of node re-identification

• Surprisingly small number of seeds (6-12)• Large fraction of nodes compromised• Works even when large fraction (say 80%) of

nodes are honest

Propagation – implementation

• Social phishing

• Buddy zoo

• Skype worm

• Online addressbook service

• Competing social network

Author identification

• Basically, a solved problem However, most studies use a small set of

authors Not clear how well sample size required scales

• Combine with typing pattern profiling Possibly deanonymize among millions/billions

of users

• Example: oppressive country

Genome anonymity

• Rich social network

• ~10^8 bits entropy per record

• Labeled sample compromises privacy of blood relatives

• Crossover happens in precise, elegant way Work on admixing populations

• Story of deanonymization of sperm donor

• Ease of obtaining auxiliary data or anonymous samples

Genome and DNA databases

• Hapmap – entire genome

• “Family tree” services

• 1/800 births from “anonymous” sperm donor

Hapmap’s take on privacy

The samples are anonymous with regard to individual identity. Samples cannot be connected to individuals, and no personal information is linked to any sample.

As an additional safeguard, more samples were collected from each population than were used, so no

one knows whether any particular person's DNA is included in the study.

Trait                   Genes        Chromosome location• Hair/iris color             ASIP                20 q11.2• Hair/iris color             DCT                13 q32• Green/blue iris            EYCL1            19 p13.1-q13.11• Brown/blue iris           EYCL3            15 q11-q15 *• Height                          GH1                17 q22-q24• Height (Laron)             GHR                  5 p13-p12• Brown/blond hair        HCL1              19 p13.1-q13.11• Brown/blond hair        HCL3              15 q11-q15  *• Brown/red hair            HCL2               4 q28-q31• Hair/iris color             HPS1               10 q23.1-23.3• Hair/iris color             HPS2               10 q24.32• Skin&hair color          MC1R             16 q24.3• Height (Marfan)          MFS                15 q21.1• Hair/iris color             MITF                 3 p12.3-14.1• Hair/iris color             MYO5A          15 q21• Ocular albinism           OA1                X p22.3  • Ocular albinism           OA2                X p11.4-p11.23• OcculoCut.Albinism    OCA2              15 q11.2-q12  • Hair/iris color             PMOC               2 p23.3• Hair/iris color             RAB27A         15 q15-21.1• Hair/iris color             SILV                12 q13-q14 • Skin color                    SLC24A5        15 q21.1 A111T dark to light skin• Short Stature                SS                    X&Y p• Hair/iris color             TYR                11 q14-q21• Hair/iris color             TYRP1              9 p23

Genotype – phenotype mappings

• The medical community finds genotype → phenotype mappings Mappings being generated “at an explosive

rate”

• But also: [Sweeney02]: Inferring genotype from clinical

phenotype through a knowledge based algorithm

o focuses on pathological phenotypes

Underlying social network

Big picture

• Attacks against a wide spectrum of rich, high-dimensional datasets

• Can we win the battle? Using technology alone? What if we don’t? Is part of it already lost?

Thanks for coming.

Current work

• Sweeney – exact match• Movielens – fuzzy match• Netflix – fuzzy match with noise• AOL• BDK07 – match on non-relational data• NC07 – non-relational data with noise• Amazon – fuzzy match with noise on utility oracle• Genome – match based on multiple databases• Genome – phenotype/genotype mapping

Future work

• Author identification Combine with typing pattern profiling Oppressive country example

• Genome reidentification based on observables

• Underlying social network

• SAT solver – generic matching