Explore the importance of privacy in data management and discuss techniques such as k-anonymity and privacy-preserving data mining. Learn about privacy regulations and their impact on various industries, including e-commerce and healthcare.
Reference
• Kristen LeFevre, David J. DeWitt, Raghu Ramakrishnan, Incognito: Efficient Full-Domain K-Anonymity, SIGMOD 2005
• Ashwin Machanavajjhala, Johannes Gehrke, Daniel Kifer, l-Diversity: Privacy Beyond k-Anonymity, ICDE 2006
• Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu, Hippocratic Databases, VLDB 2002
• Kristen LeFevre, Rakesh Agrawal, Vuk Ercegovac, Raghu Ramakrishnan, Yirong Xu, David DeWitt, Limiting Disclosure in Hippocratic Databases, VLDB 2004
Background
• Privacy has become an important issue in many areas
  • E-Commerce
  • Healthcare data management
  • Personal information management
  • …
• Research topics
  • Privacy in data management
  • K-anonymity
  • Privacy-preserving data mining
Privacy Regulations
• United States Privacy Act (1974)
  • Fair Information Practices
  • Applies to federal agencies
  • Requirements
    • Permit an individual to determine what personal records are collected, maintained, used, or disseminated
    • Permit an individual to prevent personal records collected for one purpose from being used for another purpose (without consent)
    • Permit an individual to access records about him, and to correct these records
    • Collect personal information in a lawful way, and incorporate safeguards preventing misuse
    • Make exceptions only when there is a public policy need
    • Be subject to civil suit for violating this Act
Privacy Regulations
• Recent privacy documents
  • 1996 Health Insurance Portability and Accountability Act (HIPAA)
  • 1999 Gramm-Leach-Bliley Financial Services Modernization Act
  • 2000 Personal Information Protection and Electronic Documents Act (PIPEDA)
  • 2003 Personal Information Protection Act (PIPA)
Privacy in data management
• Task
  • Preventing disclosure of private information during database querying
• Privacy vs. access control
  • Privacy
    • Application-purpose oriented
    • Driven by the user's (data donor's) requirements
  • Access control & database security
    • Data oriented
• Hippocratic Databases
  • A prototype database system from the Intelligent Information Systems Group of IBM Almaden Research Center
Hippocratic Databases
• Background
  • The Hippocratic Oath has guided the conduct of physicians for centuries. Inspired by its tenet of preserving privacy, we argue that future database systems must include responsibility for the privacy of data.
  • Propose a strawman design for Hippocratic databases and identify the technical challenges and problems in designing such databases; this will serve to catalyze a fruitful and exciting direction for future database research.
Ten Principles of Privacy
• Purpose Specification
  • The purposes for which the information has been collected shall be associated with that information.
  • Questions like "why is specific data being collected?" must be answered.
• Consent
  • The donor of the information must provide consent for usage of the data they have provided for the specific purpose.
  • Example: A user can give consent for his information to be released for research purposes.
• Limited Collection
  • The personal information collected shall be limited to the minimum necessary for accomplishing the specified purposes.
  • Example: For medical records, requiring information like which car the patient drives is absurd and not required.
• Limited Use
  • The database shall run only those queries that are consistent with the purposes for which the information has been collected.
  • Example: If data was collected for the purpose of treatment, then a query asking for the data for a purpose like drug marketing will not be entertained.
• Limited Disclosure
  • The personal information stored in the database shall not be communicated outside the database for purposes other than those for which there is consent from the donor of the information.
  • Example: A donor can give consent for releasing his medical information for research purposes but not for marketing purposes.
• Limited Retention
  • Personal information shall be retained only as long as necessary for the fulfillment of the purposes for which it has been collected.
  • Example: The medical history of a patient can only be retained for a period of 2 months after the patient has been treated unless the patient has given consent to release his information for research.
• Accuracy
  • Personal information stored in the database shall be accurate and up-to-date.
  • Example: Consider a scenario in which a physician gives the wrong medication to a patient due to outdated medical information about the patient stored in the database… Not a good idea.
• Safety
  • Personal information shall be protected by security safeguards against theft and other misappropriations.
  • Example: A person must not be able to masquerade as a company employee and steal all the user data for his own organization.
• Openness
  • A donor shall be able to access all information about the donor stored in the database.
• Compliance
  • A donor shall be able to verify compliance with the above principles. Similarly, the database shall be able to address a challenge concerning compliance.
  • Example: A patient should be able to see that all the privacy policies that have been specified with respect to his data are actually being enforced. This will also help in gaining the trust of the donor.
Hippocratic Databases: architecture (figure). Components shown: User Preferences & Data Collection, Application Data Retrieval, Privacy Policy Creation, Negotiation, User Preferences & Policy Matching, Installation, EPAL Policy Parser, Privacy Enforcement, JDBC Driver, and the Database holding the Installed Policy and User Data.
Hippocratic Databases: NetCare Healthcare Business Scenario
• John Cane, Chief Privacy Officer, NetCare Healthcare
• Jane Smith, New Patient, NetCare Healthcare
• Dr. Young, Physician, NetCare Healthcare
• Christine Jones, Lab Technician, NetCare Healthcare
• Phil Crew, Drug Researcher, Innovative Drug Research
Hippocratic Databases: NetCare Healthcare Business Scenario (figure). John Cane, CPO, installs the corporate privacy policy (Installation). Jane, a new patient, visits NetCare's website to set up a patient account and defines her privacy preferences (Negotiation): opt-in to sharing data for research, opt-out of sharing full medical records with lab technicians. Jane then submits her personal information (name, address, SSN, email), and her personal and medical records are stored in the Database.
This is the main page of NetCare Healthcare’s website.
John Cane, Chief Privacy Officer, NetCare Healthcare John will install NetCare’s corporate privacy policy, which he wrote.
John Cane, Chief Privacy Officer of NetCare, logs in to install privacy policy.
Let’s first view the text version of the NetCare’s privacy policy.
Now let’s view the XML format of the same privacy policy to be installed.
NetCare’s privacy policy is saved into the database to be used for systematic privacy enforcement.
Jane Smith, New Prospective Patient, NetCare Healthcare Jane will first define her own privacy preferences. Then she later creates a new patient account with NetCare Healthcare.
Jane specifies her own privacy preferences for her sensitive information.
Jane selects her privacy preference by selecting the medium level of privacy protection.
The matching process reveals that one of Jane’s privacy preferences conflicts with NetCare’s corporate privacy policy.
Jane decides to review her privacy preferences and modifies them.
Jane now selects the setting for the low level of privacy, removing the preference that was previously in conflict.
Jane now creates her patient account and selects to share her medical information for research but not for lab work.
Jane’s patient account is created. Her personal information and privacy choices are saved to the database.
Christine Jones, Lab Technician. Three months later, Jane visits the doctor, who prescribes a lab exam for Jane. When Jane goes to the lab exam room, Christine, the lab technician, retrieves Jane's patient information from the database.
Christine Jones, the lab technician, logs in from the main website.
Let’s demonstrate Christine’s data retrieval for Jane’s record WITHOUT Hippocratic Database privacy enforcement.
WITHOUT the Hippocratic Database privacy enforcement, Jane’s entire record appears. This does not respect her privacy choices.
Now let’s demonstrate Christine’s data retrieval for Jane’s record WITH Hippocratic Database privacy enforcement.
Now WITH the Hippocratic Database privacy enforcement, only the relevant data for the lab technician and for the purpose of lab work appears.
Phil Crew, Drug Researcher, Innovative Drug Research. Phil will retrieve patient records from the database to find those people who may benefit from the company's drug research.
Phil Crew, the drug researcher, logs in to retrieve data from the database.
Let’s demonstrate Phil’s data retrieval for all patient records WITHOUT Hippocratic Database privacy enforcement.
WITHOUT the Hippocratic Database privacy enforcement, full patient records for all patients appear without respecting privacy preferences or the corporate privacy policy.
Let’s demonstrate Phil’s data retrieval for all patient records WITH Hippocratic Database privacy enforcement.
Now WITH the Hippocratic Database privacy enforcement, only the data of those who agreed to share information for drug research purposes appears. Also, privacy enforcement is performed at a granular, cell level.
Another Use Scenario
• Mississippi is an on-line bookseller who needs to obtain certain minimum personal information to complete a purchase transaction
• Alice does not want Mississippi to retain any information once her purchase transaction is complete
• Bob likes the convenience of providing his email and shipping address only once by registering, and does not mind Mississippi using his purchase transactions to suggest new recommendations. However, he does not want Mississippi to use his transactions for purchase circles
Privacy Metadata (purpose, recipient, retention)
• Use purpose as the central concept around which we build privacy protection.
• The privacy metadata tables define, for each purpose and for each piece of information (attribute) collected for that purpose:
  • The external-recipients: whom the information can be given out to
  • The retention-period: how long the information is stored
  • The authorized-users: the set of users (applications) who can access this information
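The following Python sketch is an added illustration of how the privacy metadata above drives the cell-level enforcement shown in the NetCare demo (lab technician vs. drug researcher); it is not IBM's Hippocratic Database code. The policy entries, role and attribute names, retention periods and patient rows are constructed for the scenario.

```python
from datetime import date

# Privacy metadata, one entry per (purpose, attribute), mirroring the slide's tables:
# external recipients, retention period and authorized users. Constructed sample policy;
# the attribute and role names are assumptions for the NetCare scenario.
NETCARE = "NetCare Healthcare"
IDR = "Innovative Drug Research"
POLICY = {
    ("lab_work", "name"):            {"recipients": {NETCARE}, "retention_days": 365, "users": {"lab_technician", "physician"}},
    ("lab_work", "lab_orders"):      {"recipients": {NETCARE}, "retention_days": 365, "users": {"lab_technician", "physician"}},
    ("lab_work", "medical_history"): {"recipients": {NETCARE}, "retention_days": 365, "users": {"physician"}},
    ("research", "age"):             {"recipients": {NETCARE, IDR}, "retention_days": 730, "users": {"drug_researcher"}},
    ("research", "medical_history"): {"recipients": {NETCARE, IDR}, "retention_days": 730, "users": {"drug_researcher"}},
    # no ("research", "name") or ("research", "ssn") entry: identifiers are never disclosed for research
}
ROLE_ORG = {"lab_technician": NETCARE, "physician": NETCARE, "drug_researcher": IDR}

# Constructed patient rows. "consent" records each donor's choices per purpose: Jane opted in to
# research but withheld her medical history from lab work; Bob never opted in to research.
PATIENTS = [
    {"data": {"name": "Jane Smith", "ssn": "000-00-0000", "age": 34, "lab_orders": "CBC", "medical_history": "asthma"},
     "collected_on": date(2024, 1, 10),
     "consent": {"lab_work": {"name", "lab_orders"}, "research": {"age", "medical_history"}}},
    {"data": {"name": "Bob Lee", "ssn": "000-00-0001", "age": 51, "lab_orders": "lipid panel", "medical_history": "diabetes"},
     "collected_on": date(2024, 3, 2),
     "consent": {"lab_work": {"name", "lab_orders", "medical_history"}}},
]
QUERY_DATE = date(2024, 4, 1)  # fixed "today" so the retention check is reproducible

def cell_allowed(purpose, attr, role, record, today):
    """Limited Use, Limited Disclosure, Consent and Limited Retention checks for a single cell."""
    rule = POLICY.get((purpose, attr))
    if rule is None or role not in rule["users"]:           # attribute not authorized for this purpose/role
        return False
    if ROLE_ORG[role] not in rule["recipients"]:            # requester's organisation is not a permitted recipient
        return False
    if attr not in record["consent"].get(purpose, set()):   # donor gave no consent for this purpose
        return False
    return (today - record["collected_on"]).days <= rule["retention_days"]  # retention period not exceeded

def retrieve(purpose, role, attributes, today=QUERY_DATE, patients=PATIENTS):
    """Cell-level enforcement: disallowed cells become None; rows with nothing disclosable are dropped."""
    rows = []
    for rec in patients:
        row = {a: rec["data"][a] if cell_allowed(purpose, a, role, rec, today) else None for a in attributes}
        if any(v is not None for v in row.values()):
            rows.append(row)
    return rows
```

Calling `retrieve("lab_work", "lab_technician", [...])` returns Jane's name and lab orders with SSN and history blanked, while `retrieve("research", "drug_researcher", [...])` returns only Jane (Bob never consented) and never her identifiers.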