Privacy-Preserving Data Sharing Michael Siegenthaler Ken Birman Cornell University

Dec 16, 2015

Page 1: Privacy-Preserving Data Sharing

Michael Siegenthaler, Ken Birman

Cornell University

Page 2: Introduction

• Today, personal data is typically stored electronically

• But systems at distinct organizations have no way to communicate with each other

[Figure: three isolated systems, each holding its records under its own ID scheme]

Page 3: System Model

Legacy databases (each stored at a data owner):

General Hospital
  SSN          Name   …
  123-45-6789  Alice
  111-22-3333  Bob

Acme Food and Drug
  PatientID  Name   …
  X1234      John
  X7890      Bob

Special Treatment Clinic, Inc.
  SSN          Name    …
  12-34-5555   Cathy
  111-22-3333  Robert

Page 4: Example Query

• Drug interaction check at pharmacy
– A pharmacist is dispensing a drug, but doesn't know what else the patient may be taking
– The patient's medical record is stored at the primary care provider and at various specialists

• Is it safe for the patient to take this drug?

Page 5: Guarantees

• Data privacy
– E.g. the pharmacist receives a yes/no answer, not the underlying data

• Query privacy
– E.g. the hospital does not learn which drug is currently being dispensed

• Anonymous communication
– E.g. the hospital and the pharmacy do not learn each other's identities

Page 6: Anonymous Communication

• Onion skin routing
– Providers $P_i$
– Encryption function $E$
– Public keys $K_{P_i}$

• Example: a reference to patient 34 at Provider 2, routed through Provider 1, is the handle

$(P_1,\; E_{K_{P_1}}(P_2,\; E_{K_{P_2}}(34)))$

Provider 1 removes the outer layer with its private key and forwards $(P_2,\; E_{K_{P_2}}(34))$ to Provider 2, which removes the inner layer and recovers the local reference 34. Each provider on the route learns only the next hop; only Provider 2 learns which patient is meant.
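The layering on this slide, as an added example that is not the authors' code: a handle is built from the record holder outward, and each provider peels exactly one layer. The slide's public-key function E is approximated here with an authenticated symmetric construction from the Python standard library (HMAC-SHA256 keystream plus an encrypt-then-MAC tag), so the provider keys KEYS are assumed shared secrets rather than the slide's public keys; a deployment would use hybrid public-key encryption so that anyone holding the providers' public keys can build a route.

```python
"""Onion-skin data handles: (P1, E_{K_P1}(P2, E_{K_P2}(34)))."""
import hashlib
import hmac
import json
import os


def _subkeys(key: bytes):
    # Domain-separated keys for the keystream and for the tag.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(kenc: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(kenc, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for E_K: nonce || ciphertext || tag (encrypt-then-MAC)."""
    kenc, kmac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(kenc, nonce, len(plaintext))))
    tag = hmac.new(kmac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Reject the layer unless the tag verifies under this provider's key."""
    kenc, kmac = _subkeys(key)
    if len(blob) < 48:
        raise ValueError("malformed layer")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kmac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer rejected: wrong provider key or tampered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kenc, nonce, len(ct))))


def build_handle(route, patient_ref, keys):
    """Wrap from the record holder outward.

    route=["P1", "P2"], patient_ref="34" yields the slide's
    (P1, E_{K_P1}(P2, E_{K_P2}(34))): the innermost layer carries the patient
    reference, every outer layer carries only the identity of the next hop.
    """
    layer = encrypt(keys[route[-1]], json.dumps({"patient": patient_ref}).encode())
    for hop, nxt in zip(reversed(route[:-1]), reversed(route[1:])):
        layer = encrypt(keys[hop], json.dumps({"next": nxt, "blob": layer.hex()}).encode())
    return route[0], layer


def peel(provider, blob, keys):
    """What `provider` learns from its own layer, and nothing beyond it."""
    return json.loads(decrypt(keys[provider], blob))


def route_trace(handle, keys):
    """Follow a handle hop by hop; returns what each hop learned."""
    provider, blob = handle
    trace = []
    while True:
        layer = peel(provider, blob, keys)
        if "patient" in layer:
            trace.append((provider, {"patient": layer["patient"]}))
            return trace
        trace.append((provider, {"next": layer["next"]}))
        provider, blob = layer["next"], bytes.fromhex(layer["blob"])


# Constructed keys for three providers (assumption: shared secrets, see lead-in).
KEYS = {p: hashlib.sha256(f"demo-key-{p}".encode()).digest() for p in ("P1", "P2", "P3")}

if __name__ == "__main__":
    handle = build_handle(["P1", "P2"], "34", KEYS)
    for prov, learned in route_trace(handle, KEYS):
        print(prov, "learned", learned)
```

The tag on every layer matters: without it a provider on the route could flip bits in the inner layer undetected and, for instance, redirect the query to a different local record. The check is cheap and the route still works the same way.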

Page 7: Requirements

• "Locate" remote records
– Translate a real-world identifier (name, SSN, DOB, ...) into a data handle: an onion skin route that can be used to communicate with the providers (data owners) holding the records

• Execute the desired query
– Use the data handles to perform a privacy-preserving query

Page 8: Global Search Mechanism

[Figure: a three-level tree of provider groups; Level 3 is the root, Level 2 the intermediate groups, Level 1 the individual providers P1 … P8. Example: search for the user with SSN 343-56-7878.]

• Hierarchy of provider groups
– Each group has a designated contact who tracks its membership

Page 9: Bloom Filters

Parameters: M = 12 bits (positions 0 … 11), K = 3 hash functions.

Insert SSN1 = 987-65-4321: hash1(SSN1) = 2, hash2(SSN1) = 4, hash3(SSN1) = 8

  position  0 1 2 3 4 5 6 7 8 9 10 11
  bit       0 0 1 0 1 0 0 0 1 0 0  0

Does a record for SSN3 = 444-88-2222 exist? hash1(SSN3) = 4, hash2(SSN3) = 3, hash3(SSN3) = 8
  Bit 3 is still 0, so: No!

Insert SSN2 = 112-33-4455: hash1(SSN2) = 3, hash2(SSN2) = 10, hash3(SSN2) = 8

  position  0 1 2 3 4 5 6 7 8 9 10 11
  bit       0 0 1 1 1 0 0 0 1 0 1  0

Does a record for SSN3 exist now? Bits 4, 3 and 8 are all set, so: Yes. (false positive!)

Page 10: Using False Positives

[Figure: the same provider-group tree (root at Level 3, providers P1 … P8 at Level 1). A Bloom filter false positive at a group contact sends the search into a group that does not hold the record as well as into the one that does.]

Page 11: Using False Positives

• Adjust Bloom filter parameters for the desired trade-off between privacy and performance
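The Bloom filter of the previous slides and the parameter trade-off of this one, as an added example that is not the authors' code. The default hash functions are derived from SHA-256 (an assumption; the deck does not say which hashes it uses), and the slide's own fixed hash outputs can be supplied as lookup tables to replay its M = 12, K = 3 walk-through. `false_positive_rate` and `size_for_rate` use the standard Bloom filter estimate, which is what a group contact would tune: a higher false-positive rate makes more contacts answer "maybe" for a given SSN, costing extra lookups but hiding which group really holds the record.

```python
"""Bloom filters for the global search, with the privacy/performance knobs."""
import hashlib
import math


class BloomFilter:
    def __init__(self, m, k, hash_fns=None):
        self.m, self.k = m, k
        self.bits = 0  # bit i of this int is position i of the filter
        # Default: k SHA-256-derived hashes, indexed by i to make them distinct.
        self.hash_fns = hash_fns or [
            (lambda item, i=i: int.from_bytes(
                hashlib.sha256(i.to_bytes(2, "big") + item.encode()).digest()[:8], "big") % m)
            for i in range(k)]

    def positions(self, item):
        return [h(item) for h in self.hash_fns]

    def add(self, item):
        for pos in self.positions(item):
            self.bits |= 1 << pos

    def __contains__(self, item):
        # "No" is definite; "Yes" may be a false positive.
        return all((self.bits >> pos) & 1 for pos in self.positions(item))

    def union(self, other):
        """A group contact's filter is the bitwise OR of its members' filters."""
        if (self.m, self.k) != (other.m, other.k):
            raise ValueError("filters must share m and k to be merged")
        merged = BloomFilter(self.m, self.k, self.hash_fns)
        merged.bits = self.bits | other.bits
        return merged

    def bitstring(self):
        return "".join(str((self.bits >> i) & 1) for i in range(self.m))


def false_positive_rate(m, k, n):
    """Standard estimate (1 - e^{-kn/m})^k after n insertions."""
    return (1 - math.exp(-k * n / m)) ** k


def optimal_k(m, n):
    """k that minimises the false-positive rate for m bits and n items."""
    return max(1, round(m / n * math.log(2)))


def size_for_rate(n, p):
    """Smallest m (with optimal k) giving false-positive rate p for n items.
    A deliberately higher p, i.e. smaller m, buys cover at the cost of lookups."""
    return math.ceil(-n * math.log(p) / math.log(2) ** 2)


# The slide's fixed hash outputs (constructed lookup tables, one per hash).
SLIDE_HASHES = [
    {"987-65-4321": 2, "112-33-4455": 3, "444-88-2222": 4},
    {"987-65-4321": 4, "112-33-4455": 10, "444-88-2222": 3},
    {"987-65-4321": 8, "112-33-4455": 8, "444-88-2222": 8},
]


def slide_walkthrough():
    """Replays page 9: SSN3 is absent, then becomes a false positive."""
    bf = BloomFilter(12, 3, [lambda s, t=t: t[s] for t in SLIDE_HASHES])
    bf.add("987-65-4321")
    before = "444-88-2222" in bf   # bit 3 still clear -> definite No
    bf.add("112-33-4455")
    after = "444-88-2222" in bf    # all three bits set -> Yes, never inserted
    return before, after, bf.bitstring()


if __name__ == "__main__":
    print(slide_walkthrough())
    for m in (64, 128, 512):
        print(f"m={m:4d} k={optimal_k(m, 20)} fp={false_positive_rate(m, optimal_k(m, 20), 20):.3f}")
```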

Page 12: Query Execution

Example: a pharmacy checking for drug interactions

[Figure: message flow between General Hospital, Acme Food and Drug and a Random Intermediary. The pharmacy (Acme Food and Drug) sends a drug interaction query to the intermediary and a record access request to the hospital; the hospital supplies the prescription record with name/address stripped to the intermediary; the intermediary returns a yes/no answer to the pharmacy.]

• All messages are sent anonymously using a MIX
• The hospital does not learn the nature of the query
• The pharmacy does not learn which other drugs the patient is taking
• The random intermediary cannot do anything nefarious with the data it has received, since that data is out of context

Page 13: Query to find drug interactions

Query formulated at the pharmacy:

  SELECT EXISTS (
    SELECT *
    FROM conflicts
    CROSS JOIN nonces
    INNER JOIN remote(drug_history) ON nonces.nonce = drug_history.nonce
    WHERE conflicts.drug = drug_history.drug
  );

Local inputs at the pharmacy:

conflicts
  drug
  A____
  B____

nonces
  nonce
  Ω(34)
  Ω(56)

query_table (conflicts CROSS JOIN nonces)
  drug   nonce
  A____  Ω(34)
  A____  Ω(56)
  B____  Ω(34)
  B____  Ω(56)

[Query plan: conflicts, nonces → cross join → inner join with remote(drug_history) → select]

Page 14: Split query: data gathering

Query sent to the data owner(s), whose result is forwarded to mix_host:

  SEND (
    SELECT nonce, drug
    FROM drug_history
    WHERE drug_history.nonce = Ω(34)
  );

Rows leaving the data owner:

drug_history
  nonce  drug
  34     A____

[Query plan: drug_history → select → send]

Page 15: Split query: joining

Query executed at the third-party MIX host (the MIX host only holds query_table and the gathered drug_history rows, so the filter refers to query_table.drug):

  SELECT EXISTS (
    SELECT *
    FROM query_table
    INNER JOIN drug_history ON query_table.nonce = drug_history.nonce
    WHERE query_table.drug = drug_history.drug
  );

Inputs at the MIX host:

query_table
  drug   nonce
  A____  Ω(34)
  A____  Ω(56)
  B____  Ω(34)
  B____  Ω(56)

drug_history
  nonce  drug
  34     A____

result
  exists
  1

[Query plan: query_table, drug_history → inner join → select]

Page 16: Answering the query

[Figure: the pharmacy receives one EXISTS result per MIX host. mix_host_1 (on the hospital's behalf) returns exists = 1 (conflict found); mix_host_2 (on the other pharmacy's behalf) returns exists = 0 (no conflict here). Is there a conflict? YES.]
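The split execution of pages 13 to 16, as an added example that is not the authors' code: each party is modelled as its own in-memory SQLite database so that the rows crossing each boundary are visible. Assumptions: Ω(h) is modelled as an opaque nonce string (`omega`), the data owner's drug_history is keyed directly by that nonce because resolving it through the onion-skin handle is outside this example, the sample records are constructed, and the gathered rows carry the Ω form of the nonce on both sides so the MIX host's join matches.

```python
"""Pharmacy / data owner / MIX host split of the drug-interaction query."""
import sqlite3


def omega(handle: str) -> str:
    # Stand-in for the slide's Ω(·): an opaque nonce standing for a handle.
    return f"nonce:{handle}"


def pharmacy_query_table(conflicts, handles):
    """Page 13: query_table = conflicts CROSS JOIN nonces, built at the pharmacy."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE conflicts(drug TEXT)")
    db.execute("CREATE TABLE nonces(nonce TEXT)")
    db.executemany("INSERT INTO conflicts VALUES (?)", [(d,) for d in conflicts])
    db.executemany("INSERT INTO nonces VALUES (?)", [(omega(h),) for h in handles])
    return db.execute(
        "SELECT drug, nonce FROM conflicts CROSS JOIN nonces ORDER BY drug, nonce").fetchall()


def data_owner_send(records, nonce):
    """Page 14: the SEND half. `records` is the owner's full drug_history,
    names included; only (nonce, drug) pairs for the requested nonce leave."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE drug_history(nonce TEXT, name TEXT, drug TEXT)")
    db.executemany("INSERT INTO drug_history VALUES (?, ?, ?)", records)
    return db.execute(
        "SELECT nonce, drug FROM drug_history WHERE nonce = ? ORDER BY drug",
        (nonce,)).fetchall()


def mix_host_join(query_table, drug_history_rows):
    """Page 15: the MIX host joins the two halves and returns only EXISTS (0/1)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE query_table(drug TEXT, nonce TEXT)")
    db.execute("CREATE TABLE drug_history(nonce TEXT, drug TEXT)")
    db.executemany("INSERT INTO query_table VALUES (?, ?)", query_table)
    db.executemany("INSERT INTO drug_history VALUES (?, ?)", drug_history_rows)
    (exists,) = db.execute("""
        SELECT EXISTS (
            SELECT *
            FROM query_table
            INNER JOIN drug_history ON query_table.nonce = drug_history.nonce
            WHERE query_table.drug = drug_history.drug)""").fetchone()
    return exists


# Constructed sample data: handle 34 lives at the hospital, 56 at another pharmacy.
HOSPITAL = [(omega("34"), "Bob", "A"), (omega("34"), "Bob", "C"), (omega("12"), "Alice", "B")]
OTHER_PHARMACY = [(omega("56"), "Bob", "D")]
OWNERS = {"34": HOSPITAL, "56": OTHER_PHARMACY}


def run_scenario(conflicts=("A", "B"), handles=("34", "56")):
    """Page 16: one MIX host per data owner; the pharmacy ORs the yes/no answers."""
    qt = pharmacy_query_table(conflicts, handles)
    results = {}
    for h in handles:
        rows = data_owner_send(OWNERS[h], omega(h))   # what leaves the data owner
        results[h] = mix_host_join(qt, rows)          # what the MIX host computes
    return {"query_table": qt, "mix_results": results, "conflict": any(results.values())}


if __name__ == "__main__":
    out = run_scenario()
    print("query_table:", out["query_table"])
    print("per-MIX EXISTS:", out["mix_results"])
    print("Is there a conflict?", "YES" if out["conflict"] else "NO")
```

Note what each boundary leaks even in this idealised form: the data owner sees which nonce is being asked about but not why; the MIX host sees the pharmacy's conflict list and the patient's pseudonymous drug names, which is the "out of context" data the slide refers to; the pharmacy sees only the 0/1 per MIX host. A MIX host that can link Ω(34) back to a person would break that, which is why the nonce must be fresh per query and unlinkable to the onion-skin handle.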

Page 17: Conclusion and Future Work

• Selective sharing of personal information across distributed databases
– Data privacy
– Query privacy
– Anonymous communication

• Working on: how to enforce a policy on which data may be revealed to whom

• Also: how to prevent data mining attacks?