Siv L. Steffensen will give a talk about her work on How Attacker Knowledge Affects Privacy Risks: An Analysis Using Probabilistic Programming. This is a dry-run of the upcoming presentation of this paper at the IWSPA on April 27. Feedback is very welcome! Details below.
Siv L. Steffensen, MSc, ITU.
How Attacker Knowledge Affects Privacy Risks: An Analysis Using Probabilistic Programming
Governments and businesses routinely disclose large amounts of private data on individuals, for data analytics. However, despite attempts by data controllers to anonymise data, attackers frequently deanonymise disclosed data by matching it with their prior knowledge. When is a chosen anonymisation method adequate? For this, a data controller must consider attackers befitting their scenario; how does attacker knowledge affect disclosure risk?
We present a multi-dimensional conceptual framework for assessing privacy risks given prior knowledge about data. The framework defines three dimensions: distinctness (of input records), informedness (of attacker), and granularity (of anonymisation program output). We model three well-known types of disclosure risk: identity disclosure, attribute disclosure, and quantitative attribute disclosure. We demonstrate how to apply this framework in a health record privacy scenario: We analyse how informing the attacker with COVID-19 infection rates affects privacy risks. We perform this analysis using Privug, a method that uses probabilistic programming to do standard statistical analysis with Bayesian Inference.