BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:New Directions in Anonymization: Permutation Paradigm\, Verifiabil
 ity by Subjects and Intruders\, Transparency to Users - Josep Domingo-Ferr
 er
DTSTART:20160707T103000Z
DTEND:20160707T113000Z
UID:TALK66679@talks.cam.ac.uk
CONTACT:INI IT
DESCRIPTION:<span>Co-author: Krishnamurty Muralidhar (University of Oklaho
 ma)<br></span><span><br>There are currently two approaches to anonymizatio
 n: "utility first" (use an anonymization method with suitable utility feat
 ures\, then empirically evaluate the disclosure risk and\, if necessary\, 
 reduce the risk by possibly sacrificing some utility) or "privacy first" (
 enforce a target privacy level via a privacy model\, e.g.\, k-anonymity or
  differential privacy\, without regard to utility). To get formal privacy 
 guarantees\, the second approach must be followed\, but then data releases
  with no utility guarantees are obtained. Also\, in general it is unclear 
 how verifiable is anonymization by the data subject (how safely released i
 s the record she has contributed?)\, what type of intruder is being consid
 ered (what does he know and want?) and how transparent is anonymization to
 wards the data user (what is the user told about methods and parameters us
 ed?).<br><span><br>We show that\, using a generally applicable reverse map
 ping transformation\, any anonymization for microdata can be viewed as a p
 ermutation plus (perhaps) a small amount of noise\; permutation is thus sh
 own to be the essential principle underlying any anonymization of microdat
 a\, which allows giving simple utility and privacy metrics. From this perm
 utation paradigm\, a new privacy model naturally follows\, which we call (
 d\,v\,f)-permuted privacy. The privacy ensured by this method can be verif
 ied via record linkage by each subject contributing an original record (su
 bject-verifiability) and also at the data set level by the data protector.
  We then proceed to define a maximum-knowledge intruder model\, which we a
 rgue should be the one considered in anonymization. Finally\, we make the 
 case for anonymization transparent to the data user\, that is\, compliant 
 with Kerckhoff&#39\;s assumption (only the randomness used\, if any\, must
  stay secret).</span></span>
LOCATION:Seminar Room 1\, Newton Institute
END:VEVENT
END:VCALENDAR
