An Economic Analysis of Privacy Protection and Statistical Accuracy as Social Choices

Statistical agencies face a dual mandate to publish accurate statistics while protecting respondent privacy. Increasing privacy protection requires decreased accuracy. Recognizing this as a resource allocation problem, we propose an economic solution: operate where the marginal cost of increasing privacy equals the marginal benefit. Our model of production, from computer science, assumes data are published using an efficient differentially private algorithm. Optimal choice weighs the demand for accurate statistics against the demand for privacy. Examples from U.S. statistical programs show how our framework can guide decision-making. Further progress requires a better understanding of willingness-to-pay for privacy and statistical accuracy

Security strategies in genomic files

There are new mechanisms to sequence and process the genomic code, discovering thus diagnostic tools and treatments. The file for a sequenced genome can reach hundreds of gigabytes. Thus, for further studies, we need new means to compress the information and a standardized representation to simplify the development of new tools. The ISO standardization group MPEG has used its expertise in compressing multimedia content to compress genomic information and develop its ´MPEG-G standard’. Given the sensitivity of the data, security is a major identified requirement. This thesis proposes novel technologies that assure the security of both the sequenced data and its metadata. We define a container-based file format to group data, metadata, and security information at the syntactical level. It includes new features like grouping multiple results in a same file to simplify the transport of whole studies. We use the granularity of the encoder’s output to enhance security. The information is represented in units, each dedicated to a specific region of the genome, which allows to provide encryption and signature features on a region base. We analyze the trade-off between security and an even more fine-grained approach and prove that apparently secure settings can be insecure: if the file creator may encrypt only specific elements of a unit, cross-checking unencrypted information permits to infer encrypted content. Most of the proposals for MPEG-G coming from other research groups and companies focused on data compression and representation. However, the need was recognized to find a solution for metadata encoding. Our proposal was included in the standard: an XML-based solution, separated in a core specification and extensions. It permits to adapt the metadata schema to the different genomic repositories' frameworks, without importing requirements from one framework to another. To simplify the handling of the resulting metadata, we define profiles, i.e. lists of extensions that must be present in a given framework. We use XML signature and XML encryption for metadata security. The MPEG requirements also concern access rules. Our privacy solutions limit the range of persons with access and we propose access rules represented with XACML to convey under which circumstances a user is granted access to a specific action among the ones specified in MPEG-G's API, e.g. filtering data by attributes. We also specify algorithms to combine multiple rules by defining default behaviors and exceptions. The standard’s security mechanisms protect the information only during transport and access. Once the data is obtained, the user could publish it. In order to identify leakers, we propose an algorithm that generates unique, virtually undetectable variations. Our solution is novel as the marking can be undone (and the utility of the data preserved) if the corresponding secret key is revealed. We also show how to combine multiple secret keys to avoid collusion. The API retained for MPEG-G considers search criteria not present in the indexing tables, which highlights shortcomings. Based on the proposed MPEG-G API we have developed a solution. It is based on a collaboration framework where the different users' needs and the patient's privacy settings result in a purpose-built file format that optimizes query times and provides privacy and authenticity on the patient-defined genomic regions. The encrypted output units are created and indexed to optimize query times and avoid rarely used indexing fields. Our approach resolves the shortcomings of MPEG-G's indexing strategy. We have submitted our technologies to the MPEG standardization committee. Many have been included in the final standard, via merging with other proposals (e.g. file format), discussion (e.g. security mechanisms), or direct acceptance (e.g. privacy rules).Hi han nous mètodes per la seqüenciació i el processament del codi genòmic, permetent descobrir eines de diagnòstic i tractaments en l’àmbit mèdic. El resultat de la seqüenciació d’un genoma es representa en un fitxer, que pot ocupar centenars de gigabytes. Degut a això, hi ha una necessitat d’una representació estandarditzada on la informació és comprimida. Dins de la ISO, el grup MPEG ha fet servir la seva experiència en compressió de dades multimèdia per comprimir dades genòmiques i desenvolupar l'estàndard MPEG-G, sent la seguretat un dels requeriments principals. L'objectiu de la tesi és garantir aquesta seguretat (encriptant, firmant i definint regles d¿ accés) tan per les dades seqüenciades com per les seves metadades. El primer pas és definir com transportar les dades, metadades i paràmetres de seguretat. Especifiquem un format de fitxer basat en contenidors per tal d'agrupar aquets elements a nivell sintàctic. La nostra solució proposa noves funcionalitats com agrupar múltiples resultats en un mateix fitxer. Pel que fa la seguretat de dades, la nostra proposta utilitza les propietats de la sortida del codificador. Aquesta sortida és estructurada en unitats, cadascuna dedicada a una regió concreta del genoma, permetent una encriptació i firma de dades específica a la unitat. Analitzem el compromís entre seguretat i un enfocament de gra més fi demostrant que configuracions aparentment vàlides poden no ser-ho: si es permet encriptar sols certes sub-unitats d'informació, creuant els continguts no encriptats, podem inferir el contingut encriptat. Quant a metadades, proposem una solució basada en XML separada en una especificació bàsica i en extensions. Podem adaptar l'esquema de metadades als diferents marcs de repositoris genòmics, sense imposar requeriments d’un marc a un altre. Per simplificar l'ús, plantegem la definició de perfils, és a dir, una llista de les extensions que han de ser present per un marc concret. Fem servir firmes XML i encriptació XML per implementar la seguretat de les metadades. Les nostres solucions per la privacitat limiten qui té accés a les dades, però no en limita l’ús. Proposem regles d’accés representades amb XACML per indicar en quines circumstàncies un usuari té dret d'executar una de les accions especificades a l'API de MPEG-G (per exemple, filtrar les dades per atributs). Presentem algoritmes per combinar regles, per tal de poder definir casos per defecte i excepcions. Els mecanismes de seguretat de MPEG-G protegeixen la informació durant el transport i l'accés. Una vegada l’usuari ha accedit a les dades, les podria publicar. Per tal d'identificar qui és l'origen del filtratge de dades, proposem un algoritme que genera modificacions úniques i virtualment no detectables. La nostra solució és pionera, ja que els canvis es poden desfer si el secret corresponent és publicat. Per tant, la utilitat de les dades és mantinguda. Demostrem que combinant varis secrets, podem evitar col·lusions. L'API seleccionada per MPEG-G, considera criteris de cerca que no són presents en les taules d’indexació. Basant-nos en aquesta API, hem desenvolupat una solució. És basada en un marc de col·laboració, on la combinació de les necessitats dels diferents usuaris i els requeriments de privacitat del pacient, es combinen en una representació ad-hoc que optimitza temps d’accessos tot i garantint la privacitat i autenticitat de les dades. La majoria de les nostres propostes s’han inclòs a la versió final de l'estàndard, fusionant-les amb altres proposes (com amb el format del fitxer), demostrant la seva superioritat (com amb els mecanismes de seguretat), i fins i tot sent acceptades directament (com amb les regles de privacitat)

Security strategies in genomic files

There are new mechanisms to sequence and process the genomic code, discovering thus diagnostic tools and treatments. The file for a sequenced genome can reach hundreds of gigabytes. Thus, for further studies, we need new means to compress the information and a standardized representation to simplify the development of new tools. The ISO standardization group MPEG has used its expertise in compressing multimedia content to compress genomic information and develop its ´MPEG-G standard’. Given the sensitivity of the data, security is a major identified requirement. This thesis proposes novel technologies that assure the security of both the sequenced data and its metadata. We define a container-based file format to group data, metadata, and security information at the syntactical level. It includes new features like grouping multiple results in a same file to simplify the transport of whole studies. We use the granularity of the encoder’s output to enhance security. The information is represented in units, each dedicated to a specific region of the genome, which allows to provide encryption and signature features on a region base. We analyze the trade-off between security and an even more fine-grained approach and prove that apparently secure settings can be insecure: if the file creator may encrypt only specific elements of a unit, cross-checking unencrypted information permits to infer encrypted content. Most of the proposals for MPEG-G coming from other research groups and companies focused on data compression and representation. However, the need was recognized to find a solution for metadata encoding. Our proposal was included in the standard: an XML-based solution, separated in a core specification and extensions. It permits to adapt the metadata schema to the different genomic repositories' frameworks, without importing requirements from one framework to another. To simplify the handling of the resulting metadata, we define profiles, i.e. lists of extensions that must be present in a given framework. We use XML signature and XML encryption for metadata security. The MPEG requirements also concern access rules. Our privacy solutions limit the range of persons with access and we propose access rules represented with XACML to convey under which circumstances a user is granted access to a specific action among the ones specified in MPEG-G's API, e.g. filtering data by attributes. We also specify algorithms to combine multiple rules by defining default behaviors and exceptions. The standard’s security mechanisms protect the information only during transport and access. Once the data is obtained, the user could publish it. In order to identify leakers, we propose an algorithm that generates unique, virtually undetectable variations. Our solution is novel as the marking can be undone (and the utility of the data preserved) if the corresponding secret key is revealed. We also show how to combine multiple secret keys to avoid collusion. The API retained for MPEG-G considers search criteria not present in the indexing tables, which highlights shortcomings. Based on the proposed MPEG-G API we have developed a solution. It is based on a collaboration framework where the different users' needs and the patient's privacy settings result in a purpose-built file format that optimizes query times and provides privacy and authenticity on the patient-defined genomic regions. The encrypted output units are created and indexed to optimize query times and avoid rarely used indexing fields. Our approach resolves the shortcomings of MPEG-G's indexing strategy. We have submitted our technologies to the MPEG standardization committee. Many have been included in the final standard, via merging with other proposals (e.g. file format), discussion (e.g. security mechanisms), or direct acceptance (e.g. privacy rules).Hi han nous mètodes per la seqüenciació i el processament del codi genòmic, permetent descobrir eines de diagnòstic i tractaments en l’àmbit mèdic. El resultat de la seqüenciació d’un genoma es representa en un fitxer, que pot ocupar centenars de gigabytes. Degut a això, hi ha una necessitat d’una representació estandarditzada on la informació és comprimida. Dins de la ISO, el grup MPEG ha fet servir la seva experiència en compressió de dades multimèdia per comprimir dades genòmiques i desenvolupar l'estàndard MPEG-G, sent la seguretat un dels requeriments principals. L'objectiu de la tesi és garantir aquesta seguretat (encriptant, firmant i definint regles d¿ accés) tan per les dades seqüenciades com per les seves metadades. El primer pas és definir com transportar les dades, metadades i paràmetres de seguretat. Especifiquem un format de fitxer basat en contenidors per tal d'agrupar aquets elements a nivell sintàctic. La nostra solució proposa noves funcionalitats com agrupar múltiples resultats en un mateix fitxer. Pel que fa la seguretat de dades, la nostra proposta utilitza les propietats de la sortida del codificador. Aquesta sortida és estructurada en unitats, cadascuna dedicada a una regió concreta del genoma, permetent una encriptació i firma de dades específica a la unitat. Analitzem el compromís entre seguretat i un enfocament de gra més fi demostrant que configuracions aparentment vàlides poden no ser-ho: si es permet encriptar sols certes sub-unitats d'informació, creuant els continguts no encriptats, podem inferir el contingut encriptat. Quant a metadades, proposem una solució basada en XML separada en una especificació bàsica i en extensions. Podem adaptar l'esquema de metadades als diferents marcs de repositoris genòmics, sense imposar requeriments d’un marc a un altre. Per simplificar l'ús, plantegem la definició de perfils, és a dir, una llista de les extensions que han de ser present per un marc concret. Fem servir firmes XML i encriptació XML per implementar la seguretat de les metadades. Les nostres solucions per la privacitat limiten qui té accés a les dades, però no en limita l’ús. Proposem regles d’accés representades amb XACML per indicar en quines circumstàncies un usuari té dret d'executar una de les accions especificades a l'API de MPEG-G (per exemple, filtrar les dades per atributs). Presentem algoritmes per combinar regles, per tal de poder definir casos per defecte i excepcions. Els mecanismes de seguretat de MPEG-G protegeixen la informació durant el transport i l'accés. Una vegada l’usuari ha accedit a les dades, les podria publicar. Per tal d'identificar qui és l'origen del filtratge de dades, proposem un algoritme que genera modificacions úniques i virtualment no detectables. La nostra solució és pionera, ja que els canvis es poden desfer si el secret corresponent és publicat. Per tant, la utilitat de les dades és mantinguda. Demostrem que combinant varis secrets, podem evitar col·lusions. L'API seleccionada per MPEG-G, considera criteris de cerca que no són presents en les taules d’indexació. Basant-nos en aquesta API, hem desenvolupat una solució. És basada en un marc de col·laboració, on la combinació de les necessitats dels diferents usuaris i els requeriments de privacitat del pacient, es combinen en una representació ad-hoc que optimitza temps d’accessos tot i garantint la privacitat i autenticitat de les dades. La majoria de les nostres propostes s’han inclòs a la versió final de l'estàndard, fusionant-les amb altres proposes (com amb el format del fitxer), demostrant la seva superioritat (com amb els mecanismes de seguretat), i fins i tot sent acceptades directament (com amb les regles de privacitat)

Security strategies in genomic files

There are new mechanisms to sequence and process the genomic code, discovering thus diagnostic tools and treatments. The file for a sequenced genome can reach hundreds of gigabytes. Thus, for further studies, we need new means to compress the information and a standardized representation to simplify the development of new tools. The ISO standardization group MPEG has used its expertise in compressing multimedia content to compress genomic information and develop its ´MPEG-G standard’. Given the sensitivity of the data, security is a major identified requirement. This thesis proposes novel technologies that assure the security of both the sequenced data and its metadata. We define a container-based file format to group data, metadata, and security information at the syntactical level. It includes new features like grouping multiple results in a same file to simplify the transport of whole studies. We use the granularity of the encoder’s output to enhance security. The information is represented in units, each dedicated to a specific region of the genome, which allows to provide encryption and signature features on a region base. We analyze the trade-off between security and an even more fine-grained approach and prove that apparently secure settings can be insecure: if the file creator may encrypt only specific elements of a unit, cross-checking unencrypted information permits to infer encrypted content. Most of the proposals for MPEG-G coming from other research groups and companies focused on data compression and representation. However, the need was recognized to find a solution for metadata encoding. Our proposal was included in the standard: an XML-based solution, separated in a core specification and extensions. It permits to adapt the metadata schema to the different genomic repositories' frameworks, without importing requirements from one framework to another. To simplify the handling of the resulting metadata, we define profiles, i.e. lists of extensions that must be present in a given framework. We use XML signature and XML encryption for metadata security. The MPEG requirements also concern access rules. Our privacy solutions limit the range of persons with access and we propose access rules represented with XACML to convey under which circumstances a user is granted access to a specific action among the ones specified in MPEG-G's API, e.g. filtering data by attributes. We also specify algorithms to combine multiple rules by defining default behaviors and exceptions. The standard’s security mechanisms protect the information only during transport and access. Once the data is obtained, the user could publish it. In order to identify leakers, we propose an algorithm that generates unique, virtually undetectable variations. Our solution is novel as the marking can be undone (and the utility of the data preserved) if the corresponding secret key is revealed. We also show how to combine multiple secret keys to avoid collusion. The API retained for MPEG-G considers search criteria not present in the indexing tables, which highlights shortcomings. Based on the proposed MPEG-G API we have developed a solution. It is based on a collaboration framework where the different users' needs and the patient's privacy settings result in a purpose-built file format that optimizes query times and provides privacy and authenticity on the patient-defined genomic regions. The encrypted output units are created and indexed to optimize query times and avoid rarely used indexing fields. Our approach resolves the shortcomings of MPEG-G's indexing strategy. We have submitted our technologies to the MPEG standardization committee. Many have been included in the final standard, via merging with other proposals (e.g. file format), discussion (e.g. security mechanisms), or direct acceptance (e.g. privacy rules).Hi han nous mètodes per la seqüenciació i el processament del codi genòmic, permetent descobrir eines de diagnòstic i tractaments en l’àmbit mèdic. El resultat de la seqüenciació d’un genoma es representa en un fitxer, que pot ocupar centenars de gigabytes. Degut a això, hi ha una necessitat d’una representació estandarditzada on la informació és comprimida. Dins de la ISO, el grup MPEG ha fet servir la seva experiència en compressió de dades multimèdia per comprimir dades genòmiques i desenvolupar l'estàndard MPEG-G, sent la seguretat un dels requeriments principals. L'objectiu de la tesi és garantir aquesta seguretat (encriptant, firmant i definint regles d¿ accés) tan per les dades seqüenciades com per les seves metadades. El primer pas és definir com transportar les dades, metadades i paràmetres de seguretat. Especifiquem un format de fitxer basat en contenidors per tal d'agrupar aquets elements a nivell sintàctic. La nostra solució proposa noves funcionalitats com agrupar múltiples resultats en un mateix fitxer. Pel que fa la seguretat de dades, la nostra proposta utilitza les propietats de la sortida del codificador. Aquesta sortida és estructurada en unitats, cadascuna dedicada a una regió concreta del genoma, permetent una encriptació i firma de dades específica a la unitat. Analitzem el compromís entre seguretat i un enfocament de gra més fi demostrant que configuracions aparentment vàlides poden no ser-ho: si es permet encriptar sols certes sub-unitats d'informació, creuant els continguts no encriptats, podem inferir el contingut encriptat. Quant a metadades, proposem una solució basada en XML separada en una especificació bàsica i en extensions. Podem adaptar l'esquema de metadades als diferents marcs de repositoris genòmics, sense imposar requeriments d’un marc a un altre. Per simplificar l'ús, plantegem la definició de perfils, és a dir, una llista de les extensions que han de ser present per un marc concret. Fem servir firmes XML i encriptació XML per implementar la seguretat de les metadades. Les nostres solucions per la privacitat limiten qui té accés a les dades, però no en limita l’ús. Proposem regles d’accés representades amb XACML per indicar en quines circumstàncies un usuari té dret d'executar una de les accions especificades a l'API de MPEG-G (per exemple, filtrar les dades per atributs). Presentem algoritmes per combinar regles, per tal de poder definir casos per defecte i excepcions. Els mecanismes de seguretat de MPEG-G protegeixen la informació durant el transport i l'accés. Una vegada l’usuari ha accedit a les dades, les podria publicar. Per tal d'identificar qui és l'origen del filtratge de dades, proposem un algoritme que genera modificacions úniques i virtualment no detectables. La nostra solució és pionera, ja que els canvis es poden desfer si el secret corresponent és publicat. Per tant, la utilitat de les dades és mantinguda. Demostrem que combinant varis secrets, podem evitar col·lusions. L'API seleccionada per MPEG-G, considera criteris de cerca que no són presents en les taules d’indexació. Basant-nos en aquesta API, hem desenvolupat una solució. És basada en un marc de col·laboració, on la combinació de les necessitats dels diferents usuaris i els requeriments de privacitat del pacient, es combinen en una representació ad-hoc que optimitza temps d’accessos tot i garantint la privacitat i autenticitat de les dades. La majoria de les nostres propostes s’han inclòs a la versió final de l'estàndard, fusionant-les amb altres proposes (com amb el format del fitxer), demostrant la seva superioritat (com amb els mecanismes de seguretat), i fins i tot sent acceptades directament (com amb les regles de privacitat).Postprint (published version

Critical analysis and comparison of data protection techniques for genomics data sets

This work reviews the current literature on protecting genomic information. The goal is to provide insight on how to define a secure file format for such data. We compare the published ideas to the requirements defined by MPEG. We also propose new ideas to secure such data

An Introduction to MPEG-G: The First Open ISO/IEC Standard for the Compression and Exchange of Genomic Sequencing Data

The development and progress of high-throughput sequencing technologies have transformed the sequencing of DNA from a scientific research challenge to practice. With the release of the latest generation of sequencing machines, the cost of sequencing a whole human genome has dropped to less than 600. Such achievements open the door to personalized medicine, where it is expected that genomic information of patients will be analyzed as a standard practice. However, the associated costs, related to storing, transmitting, and processing the large volumes of data, are already comparable to the costs of sequencing. To support the design of new and interoperable solutions for the representation, compression, and management of genomic sequencing data, the Moving Picture Experts Group (MPEG) jointly with working group 5 of ISO/TC276 'Biotechnology' has started to produce the ISO/IEC 23092 series, known as MPEG-G. MPEG-G does not only offer higher levels of compression compared with the state of the art but it also provides new functionalities, such as built-in support for random access in the compressed domain, support for data protection mechanisms, flexible storage, and streaming capabilities. MPEG-G only specifies the decoding syntax of compressed bitstreams, as well as a file format and a transport format. This allows for the development of new encoding solutions with higher degrees of optimization while maintaining compatibility with any existing MPEG-G decoder

FlexFHE: A System for Homomorphically Encrypting DNA and Operating on Encrypted Data Securely in Untrusted Environments

DNA data contains sensitive health information and personally identifiable data. Currently, even if DNA data is stored in encrypted databases, it must be decrypted for health professionals and researchers to analyze, which means that DNA data exists in plaintext on unsecured, untrusted servers and machines during analysis. This thesis describes a complete system for homomorphically encrypting DNA data in a trusted context and then running analytic operations on the encrypted DNA data in an untrusted context, thus allowing healthcare professionals and researchers to run both high volume analytics on many individuals’ sequenced DNA and run complex analytics on a single individual’s sequenced DNA without ever handling plaintext data. Symmetric encryption is used as a mechanism for controlling which queries are made on the data. The threat model addressed by this system allows an authorized party to run only authorized queries on a genome, while restricting any additional access. The system implemented achieves substring search, substring search with wildcards representing mutations, and percent match between two nucleotide sequences by converting genomic data into one-hot binary matrixes and encrypting each bit individually using OpenFHE’s LWE Encryption implemented using the CGGI scheme. While runtime for each operation is O(nm), each operation is maximally parallelized using OpenMP, thus allowing for accelerated performance on machines with multiple CPUs without the need for batching

Evaluating Methods for Privacy-Preserving Data Sharing in Genomics

The availability of genomic data is often essential to progress in biomedical re- search, personalized medicine, drug development, etc. However, its extreme sensitivity makes it problematic, if not outright impossible, to publish or share it. In this dissertation, we study and build systems that are geared towards privacy preserving genomic data sharing. We first look at the Matchmaker Exchange, a platform that connects multiple distributed databases through an API and allows researchers to query for genetic variants in other databases through the network. However, queries are broadcast to all researchers that made a similar query in any of the connected databases, which can lead to a reluctance to use the platform, due to loss of privacy or competitive advantage. In order to overcome this reluctance, we propose a framework to support anonymous querying on the platform. Since genomic data’s sensitivity does not degrade over time, we analyze the real-world guarantees provided by the only tool available for long term genomic data storage. We find that the system offers low security when the adversary has access to side information, and we support our claims by empirical evidence. We also study the viability of synthetic data for privacy preserving data sharing. Since for genomic data research, the utility of the data provided is of the utmost importance, we first perform a utility evaluation on generative models for different types of datasets (i.e., financial data, images, and locations). Then, we propose a privacy evaluation framework for synthetic data. We then perform a measurement study assessing state-of-the-art generative models specifically geared for human genomic data, looking at both utility and privacy perspectives. Overall, we find that there is no single approach for generating synthetic data that performs well across the board from both utility and privacy perspectives