-
anonos.com
1
Submitted via overnight delivery / email to [email protected]
May 15, 2015
National Institute of Standards and Technology (NIST)
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930)
Gaithersburg, MD 20899-8930
Re: Draft NISTIR 8053 De-Identification of Personally Identifiable Information
We appreciate the opportunity to submit comments to the National Institute of Standards and Technology (NIST) on the draft publication entitled Draft NISTIR 8053 De-Identification of Personally Identifiable Information (NIST Draft Report). This letter is separated into the following three sections:
I. Proposal to Include Dynamic Data Obscurity in NIST Draft Report;
II. History of the term Dynamic Data Obscurity; and
III. The Anonos Just-In-Time-Identity (JITI) Approach to Dynamic Data Obscurity.
I. Proposal to Include Dynamic Data Obscurity in NIST Draft Report
We propose that the NIST Draft Report include Dynamic Data Obscurity, a temporally dynamic data-obscuring technology that actively limits the risk of re-identification. As noted in the NIST Draft Report, static de-identification techniques suffer from numerous shortcomings; dynamic obscuring technology, by contrast, helps maintain data privacy and security while reducing the risks involved in collecting, storing, processing, and analyzing data.
Dynamic Data Obscurity turns data into business intelligence (BI)[1] by transforming static access controls into technologically enforced dynamic permissions applied per element instead of across entire records or applications. This maximizes the utility of the underlying data by allowing intelligent, adaptable, and compliant permissions while fundamentally enforcing core protections for personally identifiable and sensitive information.
[1] Business intelligence (BI) is an umbrella term that includes the applications, infrastructure and tools, and best practices that enable access to and analysis of information to improve and optimize decisions and performance. See http://www.gartner.com/it-glossary/business-intelligence-bi
Technologically enforced Dynamic Data Obscurity rules can
account for access, use, display, time, and location restrictions,
across any industry or regulatory standard, thereby helping to
overcome shortcomings of static de-identification such as the
following:
a) Re-Identification. With static de-identification, as long as any utility remains in the data, there exists the possibility that some information might result in re-identification of original identities.[2]
b) Lost Data Value. Generally, privacy protection improves as more aggressive static de-identification techniques are employed, but less utility remains in the resulting data set,[3] because static de-identification techniques remove identifying information from data.[4]
c) Security Breach Exposure. The scope and frequency of data security breaches have changed the privacy paradigm. Some view theft of personal data by cybercriminals as the number one threat to privacy.[5] However, static de-identification techniques are not designed to improve data security.
d) International Acceptance. Compliance with privacy laws in one jurisdiction by relying on click-through terms and conditions and/or static de-identification may provide insufficient grounds to legally use data in other jurisdictions. For example, General Data Protection Regulations, currently under negotiation between the European Parliament and the Council of the EU, are expected to allow EU citizens to seek redress with their national regulators over a company's handling of their data, rather than being subject to the laws of the country where the company has its headquarters.[6]
Existing technology does not effectively address the shortcomings of static de-identification, nor does it adequately reconcile the conflict between protecting personal data and enabling commerce. Because of this, companies can be placed in the uncomfortable position of choosing between delivering products and services to consumers and complying with data privacy laws in:
a) Jurisdictions that require unambiguous consent to use personal data, like the EU;
b) Industries subject to specific regulatory restrictions on data use, like healthcare, education and finance in the United States; and
c) Other data use scenarios subject to an uncertain future.
[2] NIST Draft Report at line 151.
[3] NIST Draft Report at line 150.
[4] NIST Draft Report at line 76.
[5] Robinson, Teri. Privacy Matters. SC Magazine. May 1, 2015. http://www.scmagazine.com/privacy-matters/article/409041/
[6] Meyer, David. Belgium Targets Facebook Tracking. Politico. May 15, 2015. http://www.politico.eu/article/belgium-targets-facebook-tracking/
Dynamic Data Obscurity is a new technological approach to
protecting personal data, while at the same time bridging the gap
between commerce and regulations. Instead of yet another
application layer on top of legacy data sources, Dynamic Data
Obscurity can limit the ability to infer, single out, or link to
personally identifiable or sensitive information.
Current approaches to protecting data are binary in nature: data is either valuable or private. For example:
- Encrypted data is either protected but unusable, or usable but unprotected when decrypted; and
- With digital information, data is generally either not de-identified but available to customize offerings for the benefit of consumers, or de-identified but unavailable to fully benefit consumers, companies, and society at large.
In a report submitted to President Obama in May 2014 entitled Big Data and Privacy: A Technological Perspective,[7] a working group of the President's Council of Advisors on Science and Technology (PCAST) noted:
The beneficial uses of near-ubiquitous data collection are large, and they fuel an increasingly important set of economic activities. Taken together, these considerations suggest that a policy focus on limiting data collection will not be a broadly applicable or scalable strategy nor one likely to achieve the right balance between beneficial results and unintended negative consequences (such as inhibiting economic growth).
More broadly, PCAST believes that it is the use of data (including born-digital or born-analog data and the products of data fusion and analysis) that is the locus where consequences are produced. This locus is the technically most feasible place to protect privacy. Technologies are emerging, both in the research community and in the commercial world, to describe privacy policies, to record the origins (provenance) of data, their access, and their further use by programs, including analytics, and to determine whether those uses conform to privacy policies. Some approaches are already in practical use.
[7] https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-_may_2014.pdf
Dynamic Data Obscurity can help provide flexible
technology-enforced controls necessary to support economic growth
requiring sophisticated handling of various data privacy
requirements. For example, the ability to deliver on the many
promises of health big data is predicated on the ability to support
differing privacy requirements depending on the source of
health-related data:
- Consumer health data collected using personal health record tools, mobile health applications, and social networking sites is subject to the privacy policies / terms and conditions of the applicable websites, devices and applications;
- Protected health information (PHI) is subject to privacy and security requirements under the Health Insurance Portability and Accountability Act (HIPAA); and
- Health data from federally funded research is subject to the separate privacy requirements of The Federal Policy for the Protection of Human Subjects, or Common Rule.
Each of the above categories of privacy and security requirements can be supported via Dynamic Data Obscurity despite the differences in requirements, thereby opening up new opportunities for economic growth and advances in research and healthcare.
Dynamic Data Obscurity could even be helpful in resolving the future of Europe's Safe Harbor Agreement with the U.S., as well as the data protection practices of global, internet-based companies operating in Europe like Apple, Google, Yahoo, Skype and Microsoft, by facilitating sharing of personal data only under authorized conditions in compliance with both "lead" and "concerned" Data Protection Authorities, thereby accommodating differing requirements in multiple EU jurisdictions.
II. History of the term Dynamic Data Obscurity
One of the earliest mentions of the power of obscuring data was in a 2013 California Law Review article entitled The Case for Online Obscurity[8] by Woodrow Hartzog and Frederic Stutzman, in which they stated:
On the Internet, obscure information has a minimal risk of being discovered or understood by unintended recipients. Empirical research demonstrates that Internet users rely on obscurity perhaps more than anything else to protect their privacy. Yet, online obscurity has been largely ignored by courts and lawmakers. In this Article, we argue that obscurity is a critical component of online privacy, but it has not been embraced by courts and lawmakers because it has never been adequately defined or conceptualized.
[8] http://www.californialawreview.org/wp-content/uploads/2014/10/01-HartzogStutzman.pdf
The term Dynamic Data Obscurity was coined in an October 15, 2014 blog post by Martin Abrams, the Executive Director of the Information Accountability Foundation, which stated:
The fact is that we data protection professionals cannot accept the status quo. We need to be able to demonstrate our trustworthiness, and effective tools are part of that.
The Information Accountability Foundation's mission is research and education on policy solutions that facilitate innovation while protecting individuals from inappropriate processing. As we have worked through big data ethics, it has reinforced our view that outside-of-the-box technology solutions must be available. Data needs to be visible when it is being used within bounds, and obscured when it is not. Technology does not replace policy enforcement; it makes the enforcement possible and actionable.
A number of us have been thinking about the dilemma for the past six months and looking for solutions. We believe the solutions are part of a field we have begun to call Dynamic Data Obscurity. Dynamic data obscurity involves obscuring data down to the element level when that level of security is necessary and making sure that rules which control when elements can be seen are real and enforced. Dynamic data obscurity is also about making the technology controls harder to break but still allowing for appropriate uses. It requires both new technologies combined with effective internal monitoring and enforcement.[9]
The next public use of the term Dynamic Data Obscurity took place in an October 20, 2014 International Association of Privacy Professionals (IAPP) Privacy Perspectives article[10] written by Gary LaFever, Co-Founder and Chief Executive Officer of Anonos, a pioneer in developing practical applications of Dynamic Data Obscurity technology, in which he stated:
We're not discounting the value of anonymization; it powered the growth of the Internet. But today, technology, markets, applications and threats have evolved while the protocols to keep personally identifiable data anonymous have not. If we are to mine the vast potential of data analytics to create high-value products and services that improve and even save lives while meeting the privacy expectations of the public and regulators, we need new tools and thinking.
Dynamic data obscurity improves upon static anonymity by moving beyond protecting data at the data record level to enable data protection at the data element level. Dynamic data obscurity empowers privacy officers to improve the optics of data protection for data subjects, regulators and the news media while deploying next-generation technology solutions that deliver more effective data privacy controls while maximizing data value. Vibrant and growing areas of economic activity (the trust economy, life sciences research, personalized medicine/education, the Internet of Things, personalization of goods and services) are based on individuals trusting that their data is private, protected and used only for authorized purposes that bring them maximum value. This trust cannot be maintained using static anonymity. We must embrace new approaches like dynamic data obscurity to both maintain and earn trust and more effectively serve businesses, researchers, healthcare providers and anyone who relies on the integrity of data.
[9] http://informationaccountability.org/taking-accountability-controls-to-the-next-level-dynamic-data-obscurity/
[10] https://privacyassociation.org/news/a/what-anonymization-and-the-tsa-have-in-common/
The Information Accountability Foundation held a framing discussion in January 2015 in Washington DC at which invited government, education and business leaders discussed that:
Early analytics, dating from the 1980s, were dependent on anonymization and de-identification to ensure compliance and individual protection. For example, information used for credit marketing needed to be de-identified to comply with the Federal Fair Credit Reporting Act. Technology provided the tools to de-identify, and the assurance came from the requirements of the FCRA. Effective de-identification and anonymization tools have always rested on this marriage of policy and technology. Today's analytics, driven by observation, makes the mandate for the belt and suspenders of policy and technology even more compelling. The technologies are challenged internally by organizations' need for knowledge and externally by very smart cyber criminals. Even with the belt of policy, the suspenders of technology need upgrading to match today's challenges. If we do not meet that challenge, we could see real resistance to the information age's dual mandates for innovation and fairness. The policy community needs to explore Dynamic Data Obscurity (DDO) to see if it will enhance data security and privacy to facilitate increased data value and protection compared to legacy approaches.[11]
The term Dynamic Data Obscurity has since been used at international conferences,[12] in comment letters submitted to international data privacy regulators,[13] and in White Papers[14] on the subject of Dynamic Data Obscurity.
III. The Anonos[15] Just-In-Time-Identity (JITI) Approach to Dynamic Data Obscurity
Anonos has been working on Just-In-Time-Identity (JITI) technology, the Anonos approach to implementing Dynamic Data Obscurity, since 2012. Anonos is currently engaged in a Proof of Concept with an international Data Protection Authority together with multinational companies to show that Anonos Just-In-Time-Identity (JITI) technologies, layered on top of an underlying information platform, can deliver three interlinked benefits:
a) Role-based technical and organizational measures to enforce policies for use of personal data;
b) Functional separation between low- and high-risk data uses for re-identification; and
c) Secure storage of underlying data.
All three benefits increase the utility of the information
platform while at the same time increasing the privacy and security
controls available to protect personal data.
Anonos Just-In-Time-Identity (JITI) is an architecturally
enforced private-by-default technology that retains utility under
authorized conditions, and supports all queries and actions with
centralized audit logging. Policies and rules can be customized to
limit or eliminate re-identification via inference, singling out,
or linking of personal data.
[11] http://informationaccountability.org/iaf-will-convene-ddo-discussion-in-2015/
[12] http://informationaccountability.org/video-of-panel-on-dynamic-data-obscurity/
[13] http://www.anonos.com/anonos-enabling-bigdata/
[14] http://www.anonos.com/anonos-dynamic-data-obscurity/
[15] Anonos, Just-In-Time-Identity, JITI, Dynamic De-Identifier, DDID, and other marks are trademarks of Anonos Inc. protected under U.S. and international trademark laws and treaties. Anonos Just-In-Time-Identity technology is protected under U.S. and international copyright and patent laws and treaties. Other marks that appear in this letter and not owned by Anonos are the property of their respective owners. Anonos makes no claim of relationship to, or affiliation with, owners of marks not owned by us, Anonos.
- Anonos data stores are obscured by default, and reveal original or perturbed data values only in accordance with technically enforced rules in response to authorized queries. Improper use of data is architecturally prevented.
- There is little incentive to steal Anonos-enabled data stores since data is obscured at all times. Without access to Just-In-Time-Identity (JITI) dynamic de-identification (DDID) keys, the data is minimally valuable.
- In the event of an Anonos-enabled data store breach, data is unreadable and unusable to unauthorized parties.
- Anonos data stores can be created from scratch or derived from existing data stores on standard platforms.
- Anonos data store controls can reflect regulatory standards that will indicate to companies what flow-through protections are required in order for them to remain compliant when crafting internal rules and policies.
- Complying with regulations using current approaches to de-identification, data privacy and security can be complicated and expensive. Anonos anonymizing capabilities retain full data value and utility with support for various use cases, all while minimizing the risk of data misuse, abuse or compromise; Anonos refers to this as annosizing data.
- Anonos data store level architectural controls facilitate both internal audits and external regulator reviews.
- Anonos enables sharing of portable data stores with multiple parties having differing authorization privileges by providing unique JITI DDID key combinations to each party, any of which may be revoked manually or via an automatic trigger at any time.
- Anonos facilitates compliance with data privacy laws, rules and regulations by companies of all sizes without requiring them to have large in-house data privacy / security teams.
Potential Applications of Anonos Just-In-Time-Identity (JITI) Dynamic Data Obscurity Technology
Example #1: Internal Data Misuse
Walt Disney offers visitors to its parks MagicBands, wrist-worn authentication devices providing access to hotels, rides, and transportation, as well as the ability to pay for food, beverages, and souvenirs via a linked payment card. Within a single park, there might be hundreds of different uses for a MagicBand, each of which might have distinct access rules. For example, a ride might need to know the height of the patron; a bar might only allow children in during lunch; and payments of certain types might require both the child's and the parent's MagicBand. Finally, a lost child with a MagicBand can be easily reunited with trusted family. The danger in this system comes from trusted insiders, because customers demand full utility while the park has a duty to manage the risk of exposing too much personal information to employees. From a staff management perspective, the incentive is to have fewer roles with greater access and authority, but that enables employees with the right access to aggregate the required data from different MagicBand uses and track the movement of guests, know when they're not in their hotel rooms, or even manipulate parameters to create dangerous authorizations for small children to go on adult-sized rides. Anonos-enabled data stores for each of these use cases would eliminate such risks, because employee roles would be defined on a per-use-case context basis, and casual browsing of the wider family records would be prevented.
Example #2: Re-identification
The January 2015 issue of the journal Science includes a 3-month study of credit card records for 1.1 million people that shows four spatiotemporal points are enough to uniquely re-identify 90% of credit card customers. Anonos de-identifiers (DDIDs) de-identify credit card customers for each transaction, providing a Just-In-Time-Identity (JITI) for each transaction. As a result, customers cannot be re-identified by means of correlating static anonymous identifiers. The Anonos approach makes limiting the ability to single out, link or infer a data subject a policy choice instead of a statistical risk.
See http://www.anonos.com/unicity for an interactive version of this example.
Example #3: Data Breach
Firms like health insurer Anthem suffer when their facilities are breached (as do the millions of subscribers / customers whose identities are hacked) and data is kept in unencrypted form to enable use of the data. As a result, attackers can gain unauthorized access to personal data in cleartext form, i.e., unencrypted information that is in the clear and understandable. In contrast to standard encryption, which is generally fully "on" or "off," or traditional data masking techniques, which do not protect data at the data store level, Anonos Just-In-Time-Identity (JITI) can protect against data loss from external breaches without losing use of the data for authorized purposes within the company. With JITI, an attacker may gain access to data but would not gain access to the JITI keys (kept securely in separate virtual or physical locations) necessary to reveal personal information.
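The Python model below is an added illustration of the contrast drawn in Example #2 and Example #3; it is not Anonos code and does not reproduce the JITI product. It shows that a static per-customer pseudonym lets anyone who knows a few of a customer's (shop, day) points link the rest of that customer's transactions, whereas a fresh dynamic de-identifier (DDID) per transaction, with the DDID-to-customer mapping held in a separate key store, leaves the released records unlinkable, and only a party issued that key subset can re-link them. All customers, transactions, secrets and function names are constructed for the example.

```python
import hmac
import hashlib
import secrets
from collections import defaultdict

# Constructed sample transactions as (customer, shop, day); not real data.
TRANSACTIONS = [
    ("alice", "cafe-12", 1), ("alice", "pharmacy-3", 2),
    ("alice", "grocer-7", 4), ("alice", "cafe-12", 5),
    ("bob", "cafe-12", 1), ("bob", "gym-9", 3), ("bob", "grocer-7", 4),
]


def static_pseudonymize(txns, secret):
    """Static de-identification: one stable token per customer (keyed hash of
    the name). Every transaction by the same customer carries the same token."""
    return [(hmac.new(secret, cust.encode(), hashlib.sha256).hexdigest()[:12],
             shop, day) for cust, shop, day in txns]


def ddid_pseudonymize(txns):
    """Dynamic de-identifier: a fresh random token per transaction. Returns the
    releasable data store and the DDID-to-customer mapping (the key), which is
    meant to be stored separately from the data store."""
    released, key_map = [], {}
    for cust, shop, day in txns:
        ddid = secrets.token_hex(6)  # 48 random bits, unrelated to the customer
        released.append((ddid, shop, day))
        key_map[ddid] = cust
    return released, key_map


def link_by_points(released, known_points):
    """Linkage-risk check: find identifiers whose records contain every known
    (shop, day) point and return all records sharing such an identifier. A
    non-empty result means a few known points expose the rest of a history."""
    by_id = defaultdict(list)
    for ident, shop, day in released:
        by_id[ident].append((shop, day))
    return [(ident, pts) for ident, pts in by_id.items()
            if set(known_points) <= set(pts)]


def issue_party_key(key_map, customers):
    """Per-party key combination: only the DDIDs of customers this party may
    see. Revocation is withdrawing this subset; the data store never changes."""
    return {ddid: cust for ddid, cust in key_map.items() if cust in customers}


def reveal(released, party_key):
    """Authorized re-linking: records whose DDID is in the party's key get the
    customer restored; everything else stays obscured."""
    return [(party_key[d], shop, day) for d, shop, day in released if d in party_key]


if __name__ == "__main__":
    known = [("cafe-12", 1), ("pharmacy-3", 2)]  # two points an observer knows
    print(link_by_points(static_pseudonymize(TRANSACTIONS, b"constructed-secret"), known))
    store, key_map = ddid_pseudonymize(TRANSACTIONS)
    print(link_by_points(store, known))  # [] : no DDID ties the points together
    print(reveal(store, issue_party_key(key_map, {"bob"})))
```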
_______________
Anonos appreciates the opportunity to submit this letter to the National Institute of Standards and Technology.
Respectfully Submitted,
M. Gary LaFever, Co-Founder
Ted Myerson, Co-Founder