6 research outputs found
Towards Standardized Mobility Reports with User-Level Privacy
The importance of human mobility analyses is growing in both research and
practice, especially as applications for urban planning and mobility rely on
them. Aggregate statistics and visualizations play an essential role as
building blocks of data explorations and summary reports, the latter being
increasingly released to third parties such as municipal administrations or in
the context of citizen participation. However, such explorations already pose a
threat to privacy as they reveal potentially sensitive location information,
and thus should not be shared without further privacy measures.
There is a substantial gap between state-of-the-art research on privacy
methods and their utilization in practice. We thus conceptualize a standardized
mobility report with differential privacy guarantees and implement it as
open-source software to enable a privacy-preserving exploration of key aspects
of mobility data in an easily accessible way. Moreover, we evaluate the
benefits of limiting user contributions using three data sets relevant to
research and practice. Our results show that even a strong limit on user
contribution alters the original geospatial distribution only within a
comparatively small range, while significantly reducing the error introduced by
adding noise to achieve privacy guarantees
Towards Explaining Epsilon: A Worst-Case Study of Differential Privacy Risks
Differential privacy is a concept to quantify the disclosure of private information that is controlled by the privacy parameter~. However, an intuitive interpretation of is needed to explain the privacy loss to data engineers and data subjects. In this paper, we conduct a worst-case study of differential privacy risks. We generalize an existing model and reduce complexity to provide more understandable statements on the privacy loss. To this end, we analyze the impact of parameters and introduce the notion of a global privacy risk and global privacy leak
"Am I Private and If So, how Many?" - Communicating Privacy Guarantees of Differential Privacy with Risk Communication Formats
Decisions about sharing personal information are not trivial, since there are
many legitimate and important purposes for such data collection, but often the
collected data can reveal sensitive information about individuals.
Privacy-preserving technologies, such as differential privacy (DP), can be
employed to protect the privacy of individuals and, furthermore, provide
mathematically sound guarantees on the maximum privacy risk. However, they can
only support informed privacy decisions, if individuals understand the provided
privacy guarantees. This article proposes a novel approach for communicating
privacy guarantees to support individuals in their privacy decisions when
sharing data. For this, we adopt risk communication formats from the medical
domain in conjunction with a model for privacy guarantees of DP to create
quantitative privacy risk notifications. We conducted a crowd-sourced study
with 343 participants to evaluate how well our notifications conveyed the
privacy risk information and how confident participants were about their own
understanding of the privacy risk. Our findings suggest that these new
notifications can communicate the objective information similarly well to
currently used qualitative notifications, but left individuals less confident
in their understanding. We also discovered that several of our notifications
and the currently used qualitative notification disadvantage individuals with
low numeracy: these individuals appear overconfident compared to their actual
understanding of the associated privacy risks and are, therefore, less likely
to seek the needed additional information before an informed decision. The
promising results allow for multiple directions in future research, for
example, adding visual aids or tailoring privacy risk communication to
characteristics of the individuals.Comment: Accepted to ACM CCS 2022. arXiv admin note: substantial text overlap
with arXiv:2204.0406
"Am I Private and If So, how Many?" -- Using Risk Communication Formats for Making Differential Privacy Understandable
Mobility data is essential for cities and communities to identify areas for
necessary improvement. Data collected by mobility providers already contains
all the information necessary, but privacy of the individuals needs to be
preserved. Differential privacy (DP) defines a mathematical property which
guarantees that certain limits of privacy are preserved while sharing such
data, but its functionality and privacy protection are difficult to explain to
laypeople. In this paper, we adapt risk communication formats in conjunction
with a model for the privacy risks of DP. The result are privacy notifications
which explain the risk to an individual's privacy when using DP, rather than
DP's functionality. We evaluate these novel privacy communication formats in a
crowdsourced study. We find that they perform similarly to the best performing
DP communications used currently in terms of objective understanding, but did
not make our participants as confident in their understanding. We also
discovered an influence, similar to the Dunning-Kruger effect, of the
statistical numeracy on the effectiveness of some of our privacy communication
formats and the DP communication format used currently. These results generate
hypotheses in multiple directions, for example, toward the use of risk
visualization to improve the understandability of our formats or toward
adaptive user interfaces which tailor the risk communication to the
characteristics of the reader
Privacy and Confidentiality in Process Mining: Threats and Research Challenges
Privacy and confidentiality are very important prerequisites for applying process mining to comply with regulations and keep company secrets. This article provides a foundation for future research on privacy-preserving and confidential process mining techniques. Main threats are identified and related to a motivation application scenario in a hospital context as well as to the current body of work on privacy and confidentiality in process mining. A newly developed conceptual model structures the discussion that existing techniques leave room for improvement. This results in a number of important research challenges that should be addressed by future process mining research