Remote processing of firm microdata at the Bank of Italy

Providing the possibility to run personalised econometric/statistical analyses on the appropriate data sets by remote processing allows greater flexibility in the production of economic information. Binding confidentiality requirements are required with business survey data. The Bank of Italy's infrastructure allows its business survey data to be exploited, while preserving anonymity of individual data. The system is based on the LISSY platform and has been already adopted by the Luxembourg Income Study (LIS) and other research centres. Firms' privacy is safeguarded by forbidding potentially confidentiality-breaking programme statements and by denying the visualisation of individual data. Data confidentiality is protected by removing key identifiers from the database and by trimming data in the right tail of the distribution. The platform provides its services through plain-text e-mails. The authorised user sends an e-mail containing an identifying header followed by a statistical programme to a predetermined address. The system checks the validity of the header, strips out the code and submits it in a batch to one of the econometric/statistical packages available (SAS and Stata). The outputs are mailed back to the user after passing an array of automatic and manual checks.microdata, confidentiality, remote access

Contributions to Context-Aware Smart Healthcare: A Security and Privacy Perspective

Les tecnologies de la informació i la comunicació han canviat les nostres vides de manera irreversible. La indústria sanitària, una de les indústries més grans i de major creixement, està dedicant molts esforços per adoptar les últimes tecnologies en la pràctica mèdica diària. Per tant, no és sorprenent que els paradigmes sanitaris estiguin en constant evolució cercant serveis més eficients, eficaços i sostenibles. En aquest context, el potencial de la computació ubiqua mitjançant telèfons intel·ligents, rellotges intel·ligents i altres dispositius IoT ha esdevingut fonamental per recopilar grans volums de dades, especialment relacionats amb l'estat de salut i la ubicació de les persones. Les millores en les capacitats de detecció juntament amb l'aparició de xarxes de telecomunicacions d'alta velocitat han facilitat la implementació d'entorns sensibles al context, com les cases i les ciutats intel·ligents, capaços d'adaptar-se a les necessitats dels ciutadans. La interacció entre la computació ubiqua i els entorns sensibles al context va obrir la porta al paradigma de la salut intel·ligent, centrat en la prestació de serveis de salut personalitzats i de valor afegit mitjançant l'explotació de grans quantitats de dades sanitàries, de mobilitat i contextuals. No obstant, la gestió de dades sanitàries, des de la seva recollida fins a la seva anàlisi, planteja una sèrie de problemes desafiants a causa del seu caràcter altament confidencial. Aquesta tesi té per objectiu abordar diversos reptes de seguretat i privadesa dins del paradigma de la salut intel·ligent. Els resultats d'aquesta tesi pretenen ajudar a la comunitat científica a millorar la seguretat dels entorns intel·ligents del futur, així com la privadesa dels ciutadans respecte a les seves dades personals i sanitàries.Las tecnologías de la información y la comunicación han cambiado nuestras vidas de forma irreversible. La industria sanitaria, una de las industrias más grandes y de mayor crecimiento, está dedicando muchos esfuerzos por adoptar las últimas tecnologías en la práctica médica diaria. Por tanto, no es sorprendente que los paradigmas sanitarios estén en constante evolución en busca de servicios más eficientes, eficaces y sostenibles. En este contexto, el potencial de la computación ubicua mediante teléfonos inteligentes, relojes inteligentes, dispositivos wearables y otros dispositivos IoT ha sido fundamental para recopilar grandes volúmenes de datos, especialmente relacionados con el estado de salud y la localización de las personas. Las mejoras en las capacidades de detección junto con la aparición de redes de telecomunicaciones de alta velocidad han facilitado la implementación de entornos sensibles al contexto, como las casas y las ciudades inteligentes, capaces de adaptarse a las necesidades de los ciudadanos. La interacción entre la computación ubicua y los entornos sensibles al contexto abrió la puerta al paradigma de la salud inteligente, centrado en la prestación de servicios de salud personalizados y de valor añadido mediante la explotación significativa de grandes cantidades de datos sanitarios, de movilidad y contextuales. No obstante, la gestión de datos sanitarios, desde su recogida hasta su análisis, plantea una serie de cuestiones desafiantes debido a su naturaleza altamente confidencial. Esta tesis tiene por objetivo abordar varios retos de seguridad y privacidad dentro del paradigma de la salud inteligente. Los resultados de esta tesis pretenden ayudar a la comunidad científica a mejorar la seguridad de los entornos inteligentes del futuro, así como la privacidad de los ciudadanos con respecto a sus datos personales y sanitarios.Information and communication technologies have irreversibly changed our lives. The healthcare industry, one of the world’s largest and fastest-growing industries, is dedicating many efforts in adopting the latest technologies into daily medical practice. It is not therefore surprising that healthcare paradigms are constantly evolving seeking for more efficient, effective and sustainable services. In this context, the potential of ubiquitous computing through smartphones, smartwatches, wearables and IoT devices has become fundamental to collect large volumes of data, including people's health status and people’s location. The enhanced sensing capabilities together with the emergence of high-speed telecommunication networks have facilitated the implementation of context-aware environments, such as smart homes and smart cities, able to adapt themselves to the citizens needs. The interplay between ubiquitous computing and context-aware environments opened the door to the so-called smart health paradigm, focused on the provision of added-value personalised health services by meaningfully exploiting vast amounts of health, mobility and contextual data. However, the management of health data, from their gathering to their analysis, arises a number of challenging issues due to their highly confidential nature. In particular, this dissertation addresses several security and privacy challenges within the smart health paradigm. The results of this dissertation are intended to help the research community to enhance the security of the intelligent environments of the future as well as the privacy of the citizens regarding their personal and health data

Identification, data combination and the risk of disclosure

Businesses routinely rely on econometric models to analyze and predict consumer behavior. Estimation of such models may require combining a firm's internal data with external datasets to take into account sample selection, missing observations, omitted variables and errors in measurement within the existing data source. In this paper we point out that these data problems can be addressed when estimating econometric models from combined data using the data mining techniques under mild assumptions regarding the data distribution. However, data combination leads to serious threats to security of consumer data: we demonstrate that point identification of an econometric model from combined data is incompatible with restrictions on the risk of individual disclosure. Consequently, if a consumer model is point identified, the firm would (implicitly or explicitly) reveal the identity of at least some of consumers in its internal data. More importantly, we provide an argument that unless the firm places a restriction on the individual disclosure risk when combining data, even if the raw combined dataset is not shared with a third party, an adversary or a competitor can gather confidential information regarding some individuals from the estimated model.

Usability heuristics for fast crime data anonymization in resource-constrained contexts

This thesis considers the case of mobile crime-reporting systems that have emerged as an effective and efficient data collection method in low and middle-income countries. Analyzing the data, can be helpful in addressing crime. Since law enforcement agencies in resource-constrained context typically do not have the expertise to handle these tasks, a cost-effective strategy is to outsource the data analytics tasks to third-party service providers. However, because of the sensitivity of the data, it is expedient to consider the issue of privacy. More specifically, this thesis considers the issue of finding low-intensive computational solutions to protecting the data even from an "honest-but-curious" service provider, while at the same time generating datasets that can be queried efficiently and reliably. This thesis offers a three-pronged solution approach. Firstly, the creation of a mobile application to facilitate crime reporting in a usable, secure and privacy-preserving manner. The second step proposes a streaming data anonymization algorithm, which analyses reported data based on occurrence rate rather than at a preset time on a static repository. Finally, in the third step the concept of using privacy preferences in creating anonymized datasets was considered. By taking into account user preferences the efficiency of the anonymization process is improved upon, which is beneficial in enabling fast data anonymization. Results from the prototype implementation and usability tests indicate that having a usable and covet crime-reporting application encourages users to declare crime occurrences. Anonymizing streaming data contributes to faster crime resolution times, and user privacy preferences are helpful in relaxing privacy constraints, which makes for more usable data from the querying perspective. This research presents considerable evidence that the concept of a three-pronged solution to addressing the issue of anonymity during crime reporting in a resource-constrained environment is promising. This solution can further assist the law enforcement agencies to partner with third party in deriving useful crime pattern knowledge without infringing on users' privacy. In the future, this research can be extended to more than one low-income or middle-income countries

Data utility and privacy protection in data publishing

Data about individuals is being increasingly collected and disseminated for purposes such as business analysis and medical research. This has raised some privacy concerns. In response, a number of techniques have been proposed which attempt to transform data prior to its release so that sensitive information about the individuals contained within it is protected. A:-Anonymisation is one such technique that has attracted much recent attention from the database research community. A:-Anonymisation works by transforming data in such a way that each record is made identical to at least A: 1 other records with respect to those attributes that are likely to be used to identify individuals. This helps prevent sensitive information associated with individuals from being disclosed, as each individual is represented by at least A: records in the dataset. Ideally, a /c-anonymised dataset should maximise both data utility and privacy protection, i.e. it should allow intended data analytic tasks to be carried out without loss of accuracy while preventing sensitive information disclosure, but these two notions are conflicting and only a trade-off between them can be achieved in practice. The existing works, however, focus on how either utility or protection requirement may be satisfied, which often result in anonymised data with an unnecessarily and/or unacceptably low level of utility or protection. In this thesis, we study how to construct /-anonymous data that satisfies both data utility and privacy protection requirements. We propose new criteria to capture utility and protection requirements, and new algorithms that allow A:-anonymisations with required utility/protection trade-off or guarantees to be generated. Our extensive experiments using both benchmarking and synthetic datasets show that our methods are efficient, can produce A:-anonymised data with desired properties, and outperform the state of the art methods in retaining data utility and providing privacy protection

A risk model for privacy in trajectory data

Time sequence data relating to users, such as medical histories and mobility data, are good candidates for data mining, but often contain highly sensitive information. Different methods in privacy-preserving data publishing are utilised to release such private data so that individual records in the released data cannot be re-linked to specific users with a high degree of certainty. These methods provide theoretical worst-case privacy risks as measures of the privacy protection that they offer. However, often with many real-world data the worst-case scenario is too pessimistic and does not provide a realistic view of the privacy risks: the real probability of re-identification is often much lower than the theoretical worst-case risk. In this paper, we propose a novel empirical risk model for privacy which, in relation to the cost of privacy attacks, demonstrates better the practical risks associated with a privacy preserving data release. We show detailed evaluation of the proposed risk model by using k-anonymised real-world mobility data and then, we show how the empirical evaluation of the privacy risk has a different trend in synthetic data describing random movements