"New Kind of Attack Called 'Downcoding' Demonstrates Flaws in Anonymizing Data"

When data sets containing personal information are shared for research or business use, researchers attempt to disguise the data, for example by removing the final one or two digits of a zip code, while retaining its utility for insight. However, while deidentification is often used to meet legal requirements for data privacy, the most commonly used methods are technically unstable. In a new paper, Aloni Cohen, a computer scientist at the University of Chicago, delivers the latest decisive blow against the most popular deidentification methods. By describing a new type of attack called "downcoding" and demonstrating the vulnerability of a deidentified data set from an online education platform, Cohen warns that these data transformations should not be considered sufficient to protect individuals' privacy.

For years, computer science security and privacy researchers have raised concerns about the methods most commonly used to deidentify data, discovering new attacks that can reidentify seemingly anonymized data points and proposing fixes. These methods are still widely used and regarded as legally sufficient for complying with privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR).

The most widely used deidentification methods are based on a technique known as k-anonymity, which transforms data just enough to make each individual indistinguishable from a certain number of other individuals in the data set. According to Cohen, the very nature of this deidentification method made it vulnerable to attack. This article continues to discuss the downcoding attack described by Cohen, which demonstrates the vulnerability of a deidentified data set and sends a warning that these data transformations should not be considered sufficient to protect individuals' privacy.
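The k-anonymity property described above can be measured directly: k is the size of the smallest group of records that share the same quasi-identifier values after generalization. The following is an added example, not code from Cohen's paper or the original article; the records, field names and generalization settings are constructed for illustration.

```python
from collections import Counter

# Constructed sample records. zip, birth_year and sex are treated as
# quasi-identifiers; course_grade stands in for the sensitive attribute.
RECORDS = [
    {"zip": "60615", "birth_year": 1984, "sex": "F", "course_grade": 91},
    {"zip": "60616", "birth_year": 1986, "sex": "F", "course_grade": 78},
    {"zip": "60619", "birth_year": 1981, "sex": "F", "course_grade": 66},
    {"zip": "60637", "birth_year": 1992, "sex": "M", "course_grade": 85},
    {"zip": "60636", "birth_year": 1995, "sex": "M", "course_grade": 73},
    {"zip": "60653", "birth_year": 1990, "sex": "M", "course_grade": 88},
]
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

def generalize(record, zip_digits_dropped, year_bucket):
    """Coarsen quasi-identifiers: mask trailing zip digits, bucket birth year."""
    out = dict(record)
    keep = len(record["zip"]) - zip_digits_dropped
    out["zip"] = record["zip"][:keep] + "*" * zip_digits_dropped
    if year_bucket > 1:
        start = record["birth_year"] // year_bucket * year_bucket
        out["birth_year"] = f"{start}-{start + year_bucket - 1}"
    return out

def release(records, zip_digits_dropped, year_bucket):
    """Apply the same generalization to every record, as a data release would."""
    return [generalize(r, zip_digits_dropped, year_bucket) for r in records]

def k_of(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Return k: size of the smallest group sharing all quasi-identifier values."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values()) if groups else 0

def least_generalization(records, target_k, year_buckets=(1, 5, 10)):
    """First (zip digits dropped, year bucket) setting that reaches target_k."""
    for dropped in range(0, 6):
        for bucket in year_buckets:
            if k_of(release(records, dropped, bucket)) >= target_k:
                return dropped, bucket
    return None

if __name__ == "__main__":
    for dropped, bucket in [(0, 1), (1, 10), (2, 10)]:
        print(dropped, bucket, "k =", k_of(release(RECORDS, dropped, bucket)))
    print("least generalization for k=3:", least_generalization(RECORDS, 3))
```

A release that reaches the target k satisfies only the indistinguishability property the article describes; per Cohen's warning, that should not be read as sufficient protection of individuals' privacy.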

UChicago reports "New Kind of Attack Called 'Downcoding' Demonstrates Flaws in Anonymizing Data"

 
