Pseudonymization risk analysis in distributed systems

In an era of big data, online services are becoming increasingly data-centric; they collect, process, analyze and anonymously disclose growing amounts of personal data in the form of pseudonymized data sets. It is crucial that such systems are engineered to both protect individual user (data subject) privacy and give back control of personal data to the user. In terms of pseudonymized data this means that unwanted individuals should not be able to deduce sensitive information about the user. However, the plethora of pseudonymization algorithms and tuneable parameters that currently exist make it difficult for a non expert developer (data controller) to understand and realise strong privacy guarantees. In this paper we propose a principled Model-Driven Engineering (MDE) framework to model data services in terms of their pseudonymization strategies and identify the risks to breaches of user privacy. A developer can explore alternative pseudonymization strategies to determine the effectiveness of their pseudonymization strategy in terms of quantifiable metrics: i) violations of privacy requirements for every user in the current data set; ii) the trade-off between conforming to these requirements and the usefulness of the data for its intended purposes. We demonstrate through an experimental evaluation that the information provided by the framework is useful, particularly in complex situations where privacy requirements are different for different users, and can inform decisions to optimize a chosen strategy in comparison to applying an off-the-shelf algorithm

Sharing Computer Network Logs for Security and Privacy: A Motivation for New Methodologies of Anonymization

Logs are one of the most fundamental resources to any security professional. It is widely recognized by the government and industry that it is both beneficial and desirable to share logs for the purpose of security research. However, the sharing is not happening or not to the degree or magnitude that is desired. Organizations are reluctant to share logs because of the risk of exposing sensitive information to potential attackers. We believe this reluctance remains high because current anonymization techniques are weak and one-size-fits-all--or better put, one size tries to fit all. We must develop standards and make anonymization available at varying levels, striking a balance between privacy and utility. Organizations have different needs and trust other organizations to different degrees. They must be able to map multiple anonymization levels with defined risks to the trust levels they share with (would-be) receivers. It is not until there are industry standards for multiple levels of anonymization that we will be able to move forward and achieve the goal of widespread sharing of logs for security researchers.Comment: 17 pages, 1 figur

FLAIM: A Multi-level Anonymization Framework for Computer and Network Logs

FLAIM (Framework for Log Anonymization and Information Management) addresses two important needs not well addressed by current log anonymizers. First, it is extremely modular and not tied to the specific log being anonymized. Second, it supports multi-level anonymization, allowing system administrators to make fine-grained trade-offs between information loss and privacy/security concerns. In this paper, we examine anonymization solutions to date and note the above limitations in each. We further describe how FLAIM addresses these problems, and we describe FLAIM's architecture and features in detail.Comment: 16 pages, 4 figures, in submission to USENIX Lis

Service for the pseudonymization of electronic healthcare records based on ISO/EN 13606 for the secondary use of information

The availability of electronic health data favors scientific advance through the creation of repositories for secondary use. Data anonymization is a mandatory step to comply with current legislation. A service for the pseudonymization of electronic healthcare record (EHR) extracts aimed at facilitating the exchange of clinical information for secondary use in compliance with legislation on data protection is presented. According to ISO/TS 25237, pseudonymization is a particular type of anonymization. This tool performs the anonymizations by maintaining three quasi-identifiers (gender, date of birth and place of residence) with a degree of specification selected by the user. The developed system is based on the ISO/EN 13606 norm using its characteristics specifically favorable for anonymization. The service is made up of two independent modules: the demographic server and the pseudonymizing module. The demographic server supports the permanent storage of the demographic entities and the management of the identifiers. The pseudonymizing module anonymizes the ISO/EN 13606 extracts. The pseudonymizing process consists of four phases: the storage of the demographic information included in the extract, the substitution of the identifiers, the elimination of the demographic information of the extract and the elimination of key data in free-text fields. The described pseudonymizing system was used in three Telemedicine research projects with satisfactory results. A problem was detected with the type of data in a demographic data field and a proposal for modification was prepared for the group in charge of the drawing up and revision of the ISO/EN 13606 norm

Balancing Privacy and Progress in Artificial Intelligence: Anonymization in Histopathology for Biomedical Research and Education

The advancement of biomedical research heavily relies on access to large amounts of medical data. In the case of histopathology, Whole Slide Images (WSI) and clinicopathological information are valuable for developing Artificial Intelligence (AI) algorithms for Digital Pathology (DP). Transferring medical data "as open as possible" enhances the usability of the data for secondary purposes but poses a risk to patient privacy. At the same time, existing regulations push towards keeping medical data "as closed as necessary" to avoid re-identification risks. Generally, these legal regulations require the removal of sensitive data but do not consider the possibility of data linkage attacks due to modern image-matching algorithms. In addition, the lack of standardization in DP makes it harder to establish a single solution for all formats of WSIs. These challenges raise problems for bio-informatics researchers in balancing privacy and progress while developing AI algorithms. This paper explores the legal regulations and terminologies for medical data-sharing. We review existing approaches and highlight challenges from the histopathological perspective. We also present a data-sharing guideline for histological data to foster multidisciplinary research and education.Comment: Accepted to FAIEMA 202

Reconciliation of anti-money laundering instruments and European data protection requirements in permissionless blockchain spaces

Artykuł ten zmierza do pogodzenia wymagań unijnego rozporządzenia o ochronie danych osobowych (RODO) i instrumentów przeciwdziałania praniu brudnych pieniędzy i finansowania terroryzmu (AML/CFT) wykorzystywanych w dostępnych publicznie ekosystemach permissionless bazujących na technologi rozproszonych rejestrów (DLT). Dotychczasowe analizy skupiają się zazwyczaj jedynie na jednej z tych regulacji. Natomiast poddanie analizie ich wzajemnych oddziaływań ujawnia brak ich koherencji w sieciach permissionless DLT. RODO zmusza członków społeczności blockchain do wykorzystywania technologii anonimizujących dane albo przynajmniej zapewniających silną pseudonimizację, aby zapewnić zgodność przetwarzania danych z wymogami RODO. Jednocześnie instrumenty globalnej polityki AML/CFT, które są obecnie implementowane w wielu państwach stosowanie do wymogów ustanawianych przez Financial Action Task Force (FATF), przeciwdziałają wykorzystywaniu technologii anonimizacyjnych wbudowanych w protokoły sieci blockchain. Rozwiązania proponowane w tym artykule mają na celu spowodowanie kształtowania sieci blockchain w taki sposób, aby jednocześnie zabezpieczały one dane osobowe użytkowników zgodnie z wysokimi wymogami RODO, jednocześnie adresując ryzyka AML/CFT kreowane przez transakcje w takiej anonimowej lub silnie pseudonimowej przestrzeni. Poszukiwanie nowych instrumentów polityki państw jest konieczne aby zapewnić że państwa nie będą zwalczać rozwoju wszystkich anonimowych sieci blockchian, gdyż jest to konieczne do zapewnienia ich zdolność do realizacji wysokich wymogów RODO w zakresie ochrony danych przetwarzanych na blockchain. Ten artykuł wskazuje narzędzia AML/CFT, które mogą być pomocne do tworzenia blockchainów wspierających prywatność przy jednoczesnym zapewnieniu wykonalności tych narzędzi AML/CFT. Pierwszym z tych narzędzi jest wyjątkowy dostęp państwa do danych transakcyjnych zapisanych na zasadniczo nie-trantsparentnym rejestrze, chronionych technologiami anonimizacyjnymi. Takie narzędzie powinno być jedynie opcjonalne dla danej sieci (finansowej platformy), jak długo inne narzędzia AML/CFT są wykonalne i są zapewniane przez sieć. Jeżeli żadne takie narzędzie nie jest dostępne, a dana sieć nie zapewni wyjątkowego dostępu państwu (państwom), wówczas regulacje powinny pozwalać danemu państwu na zwalczanie danej sieci (platformy finansowej) jako całości. Efektywne narzędzia w tym zakresie powinny obejmować uderzenie przez państwo (państwa) w wartość natywnej kryptowaluty, a nie ściganie indywidualnych jej użytkowników. Takie narzędzia mogą obejmować atak (cyberatak) państwa lub państw który podważy zaufanie użytkowników do danej sieci.This article is an attempt to reconcile the requirements of the EU General Data Protection Regulation (GDPR) and anti-money laundering and combat terrorist financing (AML/CFT) instruments used in permissionless ecosystems based on distributed ledger technology (DLT). Usually, analysis is focused only on one of these regulations. Covering by this research the interplay between both regulations reveals their incoherencies in relation to permissionless DLT. The GDPR requirements force permissionless blockchain communities to use anonymization or, at the very least, strong pseudonymization technologies to ensure compliance of data processing with the GDPR. At the same time, instruments of global AML/CFT policy that are presently being implemented in many countries following the recommendations of the Financial Action Task Force, counteract the anonymity-enhanced technologies built into blockchain protocols. Solutions suggested in this article aim to induce the shaping of permissionless DLT-based networks in ways that at the same time would secure the protection of personal data according to the GDPR rules, while also addressing the money laundering and terrorist financing risks created by transactions in anonymous blockchain spaces or those with strong pseudonyms. Searching for new policy instruments is necessary to ensure that governments do not combat the development of all privacy-blockchains so as to enable a high level of privacy protection and GDPR-compliant data processing. This article indicates two AML/CFT tools which may be helpful for shaping privacy-blockchains that can enable the feasibility of such tools. The first tool is exceptional government access to transactional data written on non-transparent ledgers, obfuscated by advanced anonymization cryptography. The tool should be optional for networks as long as another effective AML/CFT measures are accessible for the intermediaries or for the government in relation to a given network. If these other measures are not available and the network does not grant exceptional access, the regulations should allow governments to combat the development of those networks. Effective tools in that scope should target the value of privacy-cryptocurrency, not its users. Such tools could include, as a tool of last resort, state attacks which would undermine the trust of the community in a specific network

GDPR Compliant Data Processing and Privacy Preserving Technologies: A Literature Review on Notable Horizon 2020 Projects

This paper presents a practical literature review focusing on privacy preserving technologies and organizational measures developed and proposed for GDPR-compliant data processing. Based on the selected Horizon 2020 projects, it identifies the substantial data processing and big data challenges relevant to data protection and privacy. Then, it visits the prominent privacy preserving technologies and organizational measures addressing these challenges. Finally, it analyzes the focus areas of the selected projects, identifies the solution they propose, draws quantitative conclusions, and asserts recommendations for future projects