Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card...
Transcript of Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card...
![Page 1: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/1.jpg)
Privacy-preserving Smart Cities ¿utopia or reality?
Carmela Troncoso(IMDEA Software Institute)
Smart City Expo World Congress18th November 2015
![Page 2: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/2.jpg)
(Big) data
![Page 3: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/3.jpg)
(Big) data
Data processing & analytics
![Page 4: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/4.jpg)
(Big) data
Data processing & analytics
![Page 5: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/5.jpg)
(Big) Personal data
✔ Whereabouts✔ Shopping✔ Religion✔ Restaurants
✔ Relationships✔ Friends✔ Professional
✔ Habits at home✔ ...
Data processing & analytics
![Page 6: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/6.jpg)
(Big) Personal data
✔ Whereabouts✔ Shopping✔ Religion✔ Restaurants
✔ Relationships✔ Friends✔ Professional
✔ Habits at home✔ ...
Data processing & analytics
![Page 7: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/7.jpg)
(Big) Personal data
Data processing & analytics
![Page 8: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/8.jpg)
1) Ethical issues, public opinion2) Legal framework – Data Protection:
consent proportionality purpose limitation
(Big) Personal data
Data processing & analytics
![Page 9: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/9.jpg)
1) Ethical issues, public opinion2) Legal framework – Data Protection:
consent proportionality purpose limitation
Value or privacy?
(Big) Personal data
Data processing & analytics
![Page 10: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/10.jpg)
1) Ethical issues, public opinion2) Legal framework – Data Protection:
consent proportionality purpose limitation
Value or privacy?
Two technological paths to reconciliation● Data anonymization● Advanced cryptography (processing in the encrypted domain)
(Big) Personal data
Data processing & analytics
![Page 11: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/11.jpg)
AnonymizationEU legislation evolves to harder constraints Art. 29 WP’s opinion on anonymization techniques
3 criteria for anonymization
1- No singling out of individualsMetadata are unique!
- Location: ● “the median size of the individual's anonymity set in the U.S. working
population is 1, 21 and 34,980, for granularity of a census block, census track and county”
● “if the location of an individual is specified hourly, and with a spatial resolution equal to that given by the carrier’s antennas, four spatio-temporal points are enough to uniquely identify 95% of the individuals.” [15 montsh, 1.5M people]”
- Browser: “83,6 % of browsers have unique fingerprints”- Demographic: “It was found that 87 % (216 million of 248 million) of the population in the United States had reported characteristics that likely made them unique based only on {5-digit ZIP, gender, date of birth}”-Credit card transactions: “need four purchases to identify an individual on the anonymizied credit card records, or three purchases if the prices are known” [3 months 1.1 million people]
![Page 12: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/12.jpg)
AnonymizationEU legislation evolves to harder constraints Art. 29 WP’s opinion on anonymization techniques
3 criteria for anonymization
1- No singling out of individualsMetadata are unique!
- Location: ● “the median size of the individual's anonymity set in the U.S. working
population is 1, 21 and 34,980, for granularity of a census block, census track and county”
● “if the location of an individual is specified hourly, and with a spatial resolution equal to that given by the carrier’s antennas, four spatio-temporal points are enough to uniquely identify 95% of the individuals.” [15 montsh, 1.5M people]”
- Browser: “83,6 % of browsers have unique fingerprints”- Demographic: “It was found that 87 % (216 million of 248 million) of the population in the United States had reported characteristics that likely made them unique based only on {5-digit ZIP, gender, date of birth}”-Credit card transactions: “need four purchases to identify an individual on the anonymizied credit card records, or three purchases if the prices are known” [3 months 1.1 million people]
2- No linking data from one individual
- Social network data: take two graphs representing social networks and map the nodes to each other based on the graph structure alone—no usernames, no nothing (Netflix Prize, Kaggle contest)
● Techniques to do this automatically
![Page 13: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/13.jpg)
AnonymizationEU legislation evolves to harder constraints Art. 29 WP’s opinion on anonymization techniques
3 criteria for anonymization
1- No singling out of individualsMetadata are unique!
- Location: ● “the median size of the individual's anonymity set in the U.S. working
population is 1, 21 and 34,980, for granularity of a census block, census track and county”
● “if the location of an individual is specified hourly, and with a spatial resolution equal to that given by the carrier’s antennas, four spatio-temporal points are enough to uniquely identify 95% of the individuals.” [15 montsh, 1.5M people]”
- Browser: “83,6 % of browsers have unique fingerprints”- Demographic: “It was found that 87 % (216 million of 248 million) of the population in the United States had reported characteristics that likely made them unique based only on {5-digit ZIP, gender, date of birth}”-Credit card transactions: “need four purchases to identify an individual on the anonymizied credit card records, or three purchases if the prices are known” [3 months 1.1 million people]
2- No linking data from one individual
- Social network data: take two graphs representing social networks and map the nodes to each other based on the graph structure alone—no usernames, no nothing (Netflix Prize, Kaggle contest)
● Techniques to do this automatically
3- No inference about individuals
- Location: infer workplace, home, religion,...- Energy: infer concrete appliances, home habits
…
What is data analytics about?
![Page 14: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/14.jpg)
AnonymizationEU legislation evolves to harder constraints Art. 29 WP’s opinion on anonymization techniques
3 criteria for anonymization
1- No singling out of individualsMetadata are unique!
- Location: ● “the median size of the individual's anonymity set in the U.S. working
population is 1, 21 and 34,980, for granularity of a census block, census track and county”
● “if the location of an individual is specified hourly, and with a spatial resolution equal to that given by the carrier’s antennas, four spatio-temporal points are enough to uniquely identify 95% of the individuals.” [15 montsh, 1.5M people]”
- Browser: “83,6 % of browsers have unique fingerprints”- Demographic: “It was found that 87 % (216 million of 248 million) of the population in the United States had reported characteristics that likely made them unique based only on {5-digit ZIP, gender, date of birth}”-Credit card transactions: “need four purchases to identify an individual on the anonymizied credit card records, or three purchases if the prices are known” [3 months 1.1 million people]
2- No linking data from one individual
- Social network data: take two graphs representing social networks and map the nodes to each other based on the graph structure alone—no usernames, no nothing (Netflix Prize, Kaggle contest)
● Techniques to do this automatically
3- No inference about individuals
- Location: infer workplace, home, religion,...- Energy: infer concrete appliances, home habits
…
What is data analytics about?
IMPOSSIBLE?????
![Page 15: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/15.jpg)
AnonymizationEU legislation evolves to harder constraints Art. 29 WP’s opinion on anonymization techniques
3 criteria for anonymization
1- No singling out of individualsMetadata are unique!
- Location: ● “the median size of the individual's anonymity set in the U.S. working
population is 1, 21 and 34,980, for granularity of a census block, census track and county”
● “if the location of an individual is specified hourly, and with a spatial resolution equal to that given by the carrier’s antennas, four spatio-temporal points are enough to uniquely identify 95% of the individuals.” [15 montsh, 1.5M people]”
- Browser: “83,6 % of browsers have unique fingerprints”- Demographic: “It was found that 87 % (216 million of 248 million) of the population in the United States had reported characteristics that likely made them unique based only on {5-digit ZIP, gender, date of birth}”-Credit card transactions: “need four purchases to identify an individual on the anonymizied credit card records, or three purchases if the prices are known” [3 months 1.1 million people]
2- No linking data from one individual
- Social network data: take two graphs representing social networks and map the nodes to each other based on the graph structure alone—no usernames, no nothing (Netflix Prize, Kaggle contest)
● Techniques to do this automatically
3- No inference about individuals
OH WAIT! What was big data analytics about....3- No inference about individuals
- Location: infer workplace, home, religion,...- Energy: infer concrete appliances, home habits
…
What is data analytics about?
IMPOSSIBLE IS NOTHING
Art 29 – Risk of de-anonymization
● Traditional identification suppression methods will not do the trick (hash, encryption, random noise...)
● But...● We can evaluate anonymity degree and remaining information● General anonymization ← little utility● Targeted (application dependent) anonymization ← better utility
![Page 16: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/16.jpg)
Advanced cryptographyProcessing in the encrypted domain
![Page 17: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/17.jpg)
41.373925, 2.149896
Fira de Barcelona
Advanced cryptographyProcessing in the encrypted domain
![Page 18: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/18.jpg)
41.373925, 2.149896
Advanced cryptographyProcessing in the encrypted domain
![Page 19: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/19.jpg)
41.373925, 2.149896
&_/D#$ª\
Advanced cryptographyProcessing in the encrypted domain
![Page 20: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/20.jpg)
41.373925, 2.149896
&_/D#$ª\
)&$%_XY
Advanced cryptographyProcessing in the encrypted domain
![Page 21: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/21.jpg)
41.373925, 2.149896
&_/D#$ª\
)&$%_XYFira de
Barcelona
Advanced cryptographyProcessing in the encrypted domain
![Page 22: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/22.jpg)
41.373925, 2.149896
&_/D#$ª\
)&$%_XYFira de
Barcelona
Advanced cryptographyProcessing in the encrypted domain
Data encrypted at the user side
(local key management)
Provider cannot readBut can process!!
![Page 23: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/23.jpg)
41.373925, 2.149896
&_/D#$ª\
)&$%_XYFira de
Barcelona
Advanced cryptographyProcessing in the encrypted domain
Data encrypted at the user side
(local key management)
Provider cannot readBut can process!!
Best of both worlds: service AND privacy!
![Page 24: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/24.jpg)
What “magic”is possible?– Private searches– Private billing– Private comparison– Private sharing– Private statistics computation
Advanced cryptographyProcessing in the encrypted domain
![Page 25: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/25.jpg)
Privacy-preserving Smart Cities ¿utopia or reality?
Carmela [email protected]
www.software.imdea.org
No personal data involved: is a reality!
Personal data: not yet guaranteed, but there is a path!● Anonymization and privacy evaluation● Advanced cryptography
![Page 26: Privacy-preserving Smart Cities - IMDEA Softwarecarmela.troncoso/talks/20151118_Smart...-Credit card transactions: ... the graph structure alone—no usernames, no nothing (Netflix](https://reader031.fdocuments.us/reader031/viewer/2022022501/5aa79da17f8b9a54748c4c5b/html5/thumbnails/26.jpg)
Privacy-preserving Smart Cities ¿utopia or reality?
Carmela [email protected]
www.software.imdea.org
No personal data involved: is a reality!
Personal data: not yet guaranteed, but there is a path!● Anonymization and privacy evaluation● Advanced cryptography
We need to work together to walk this path!