Abstract

Barth-Jones et al. claim that our findings “reflect unrealistic data intrusion threats.” We strongly disagree and argue that Barth-Jones et al.'s Letter is instead a superb illustration of why deidentification is not “a useful basis for policy” (1). A simple and real example of our attack model is a bank sharing metadata for its 1.1 million customers in anonymized form with a third party for analysis. If the third party is able to obtain additional information—such as loyalty program data if the third party is a retailer—that data could be used to reidentify an individual and all the rest of his or her purchases.

Barth-Jones et al.'s Letter exemplifies the intrinsic issue with deidentification. One can always, as Barth-Jones et al. have, artificially lower the estimated likelihood of reidentification through the use of arbitrary and debatable assumptions.

First, Barth-Jones et al. have consistently considered an intrusion to be a breach of privacy only if “all targeted customers” are reidentified (2). This is an unrealistic definition of breach of privacy.

Second, Barth-Jones et al. assume that it is “very unlikely” for an attacker to be able to collect geolocalized information about an individual. At best, this is a striking underestimation of the current availability of identified data. Possible sources would include manually collected clues about an individual we know (e.g., receipts or branded shopping bags) (3); having access to or collecting from public profiles people's check-ins at shops or restaurants on Yelp, Foursquare, or Facebook (4); or having access to a retailer's database or to a database of geolocalized information such as the one collected by smartphone applications (5), WiFi companies, and virtually any carriers in the world.

Third, Barth-Jones et al. assume that an attacker cannot know whether an individual is a client of a bank and is therefore in the data set.
This is again an assumption that artificially lowers the estimated, and thus perceived, risks of reidentification without changing at all the actual risk for people in the release data set.

Fourth, the fact that an individual might occasionally pay cash only means that an attacker would need a few more points.

Estimated probabilities of reidentification are not a useful basis for policy, and we stand by our comment that “the open sharing of raw [deidentified metadata] data sets is not the future” (6).

1. President's Council of Advisors on Science and Technology, Big Data and Privacy: A Technological Perspective (PCAST, Washington, DC, 2014), pp. 38–39.
2. D. C. Barth-Jones, “Press and Reporting Considerations for Recent Re-Identification Demonstration Attacks: Part 2” ( ).
3. L. Sweeney, Int. J. Uncertainty, Fuzziness Knowledge-Based Syst. 10.05, 557 (2002).
4. Wallaby, “Is anonymous financial data anonymous?” (www.walla.by/blog/110651700144/is-anonymous-financial-data-anonymous).
5. CNIL, “Mobilitics, season 2: Smartphones and their apps under the microscope” (www.cnil.fr/english/news-and-events/news/article/mobilitics-season-2-smartphones-and-their-apps-under-the-microscope/).
6. J. Bohannon, Science 347, 468 (2015).
