BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//talks.cam.ac.uk//v3//EN
BEGIN:VTIMEZONE
TZID:Europe/London
BEGIN:DAYLIGHT
TZOFFSETFROM:+0000
TZOFFSETTO:+0100
TZNAME:BST
DTSTART:19700329T010000
RRULE:FREQ=YEARLY;BYMONTH=3;BYDAY=-1SU
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:+0100
TZOFFSETTO:+0000
TZNAME:GMT
DTSTART:19701025T020000
RRULE:FREQ=YEARLY;BYMONTH=10;BYDAY=-1SU
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
CATEGORIES:Isaac Newton Institute Seminar Series
SUMMARY:New Directions in Anonymization: Permutation Parad
igm\, Verifiability by Subjects and Intruders\, Tr
ansparency to Users - Josep Domingo-Ferrer
DTSTART;TZID=Europe/London:20160707T113000
DTEND;TZID=Europe/London:20160707T123000
UID:TALK66679AThttp://talks.cam.ac.uk
URL:http://talks.cam.ac.uk/talk/index/66679
DESCRIPTION:Co-author: Krishnamurty Muralidhar (Universi
ty of Oklahoma)
There are curr
ently two approaches to anonymization: "utility fi
rst" (use an anonymization method with suitable ut
ility features\, then empirically evaluate the dis
closure risk and\, if necessary\, reduce the risk
by possibly sacrificing some utility) or "privacy
first" (enforce a target privacy level via a priva
cy model\, e.g.\, k-anonymity or differential priv
acy\, without regard to utility). To get formal pr
ivacy guarantees\, the second approach must be fol
lowed\, but then data releases with no utility gua
rantees are obtained. Also\, in general it is uncl
ear how verifiable is anonymization by the data su
bject (how safely released is the record she has c
ontributed?)\, what type of intruder is being cons
idered (what does he know and want?) and how trans
parent is anonymization towards the data user (wha
t is the user told about methods and parameters us
ed?).
We show that\, using a generall
y applicable reverse mapping transformation\, any
anonymization for microdata can be viewed as a per
mutation plus (perhaps) a small amount of noise\;
permutation is thus shown to be the essential prin
ciple underlying any anonymization of microdata\,
which allows giving simple utility and privacy met
rics. From this permutation paradigm\, a new priva
cy model naturally follows\, which we call (d\,v\,
f)-permuted privacy. The privacy ensured by this m
ethod can be verified via record linkage by each s
ubject contributing an original record (subject-ve
rifiability) and also at the data set level by the
data protector. We then proceed to define a maxim
um-knowledge intruder model\, which we argue shoul
d be the one considered in anonymization. Finally\
, we make the case for anonymization transparent t
o the data user\, that is\, compliant with Kerckho
ff's assumption (only the randomness used\, i
f any\, must stay secret).
LOCATION:Seminar Room 1\, Newton Institute
CONTACT:INI IT
END:VEVENT
END:VCALENDAR