Knowing Our Identity and Anonymity

Link to the YouTube Video and Spotify Channel

Episode Description:

Latest News (~10min):
HIPAA wall of shame (3 that stick out to us)

  1. Managed Care of North America (1st)
  2. PharMerica Corporation (2nd)

New State Privacy Laws:
Texas (HB 4)

  1. No revenue threshold
  2. No processing threshold
  3. No sell/sharing threshold
  4. Not be a small business

Oregon (SB 619) – To be signed into law soon

  1. No monetary threshold
  2. 100,000 consumer processing threshold
  3. 25% or more revenue from the sale of PI and processing 25,000 or more

Chapter 4: Identity & Anonymity:
What is Identity?

Identity: A combination of codes or strings of text used to represent an individual, device, or browser.

Identity is the link between an individual and the data about them.

Representation Examples of identity:

  1. Name
  2. Unique ID/login name
  3. Email address
  4. Biometrics

Authentication:
Ensures an individual performing an action matches the expected identity of the individual.

4 categories of authentication
1) What you know (password)
2) What you are (biometrics)
3) What you have (smart card)
4) Where you are (geolocation)
5) When you are (access is only available during a period of the day)

Encrypting passwords at rest and in transit is the best method of preventing nefarious actions, such as man-in-the-middle (MITM) attacks or data theft. Enabling account lockout after a specific number of invalid attempts will help prevent brute-force attempts on passwords.

Location-based authentication is typically restricted to the corporate network and to computers physically in the corporate office, not to an individual’s own home.

Identity Issues:
Determining whether pseudonymous or anonymous data can be linked to an individual is difficult, because “individually identifiable” differs from “individually identified.” One is settled, while the other requires professional judgment.

Whether data is identifiable is up for interpretation: a reasonable person would have to be able to ID the individual.

The European Community Article 29 Working Party (WP29) suggests that no individual should be ID’d, but one must know that this is in the regulation and what it specifies.

A comprehensive collection of info, such as audit logs, may reveal a person’s device and username, and thus, their identity.

Anonymization:
Anonymity: The ability to be unknown in a crowd or to be unknown while participating in an event.

An individual’s data is altered so that it is no longer possible to relate the information back to a specific person.

K-Anonymity – Every record in the microdata set must be part of a group of at least K records with identical quasi-identifiers.

  1. Example: Age and address are made consistent across the microdata set, so that all records in a group share the same age and address values.

L-Diversity – Requires at least L distinct values in each group of K records.

  1. Example: An anonymized data set has 3 distinct values for occupation (Employed, Unemployed, Not seeking employment).

t-closeness – Ensures the distribution of values in each group of k records is sufficiently close to the overall distribution.

  1. Example: Each microdata set has the same distribution as the population data set: 10 locations of records, all with 3-year age ranges, where the population age range runs from 10 to 30.
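To make the three definitions concrete, here is an added example (not from the episode) that measures k, l and t for a small constructed microdata table; the records, the quasi-identifiers (age band, ZIP prefix) and the sensitive column (employment status) are all assumptions chosen for illustration. It also shows why k alone is not enough: the second group is 3-anonymous but every member has the same status, so the set only reaches l = 1.

```python
from collections import Counter, defaultdict

# Constructed sample microdata (not from the episode). Quasi-identifiers are
# a generalized age band and a truncated ZIP; the sensitive value is status.
RECORDS = [
    {"age": "20-29", "zip": "971**", "status": "Employed"},
    {"age": "20-29", "zip": "971**", "status": "Unemployed"},
    {"age": "20-29", "zip": "971**", "status": "Not seeking employment"},
    {"age": "30-39", "zip": "972**", "status": "Employed"},
    {"age": "30-39", "zip": "972**", "status": "Employed"},
    {"age": "30-39", "zip": "972**", "status": "Employed"},
]
QUASI_IDS = ("age", "zip")
SENSITIVE = "status"


def equivalence_classes(records, quasi_ids):
    """Group records whose quasi-identifier values are identical."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[q] for q in quasi_ids)].append(rec)
    return groups


def k_anonymity(records, quasi_ids):
    """The k the set satisfies: size of its smallest equivalence class."""
    return min(len(g) for g in equivalence_classes(records, quasi_ids).values())


def l_diversity(records, quasi_ids, sensitive):
    """The l the set satisfies: fewest distinct sensitive values in any class."""
    groups = equivalence_classes(records, quasi_ids)
    return min(len({r[sensitive] for r in g}) for g in groups.values())


def t_closeness(records, quasi_ids, sensitive):
    """Largest total-variation distance between any class's sensitive-value
    distribution and the whole set's; the set is t-close for any t >= this."""
    overall = Counter(r[sensitive] for r in records)
    n = len(records)
    worst = 0.0
    for g in equivalence_classes(records, quasi_ids).values():
        local = Counter(r[sensitive] for r in g)
        dist = 0.5 * sum(abs(local[v] / len(g) - overall[v] / n) for v in overall)
        worst = max(worst, dist)
    return worst


if __name__ == "__main__":
    print("k =", k_anonymity(RECORDS, QUASI_IDS))               # 3
    print("l =", l_diversity(RECORDS, QUASI_IDS, SENSITIVE))    # 1
    print("t >=", round(t_closeness(RECORDS, QUASI_IDS, SENSITIVE), 3))  # 0.333
```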

Differential Privacy:
Adding a sufficient amount of “noise” to a dataset to hide the impact of any one individual and conceal their identity.

This noise should hide the impact of any one individual. Adding one person to the data set won’t egregiously affect the current metadata about the set.

A complex mathematical equation determines whether the added noise is enough to ensure the output is not impacted by any one individual.

Perfect privacy exists when the answer to the equation is 0 and the databases differ by at least one element.

  1. Example: Releasing the total payroll of a company, and the total
