Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Measuring anonymity

As we head towards 2014, de-identification of personal data sets is going to be a hot issue. I saw several things at last week's Constellation Connected Enterprise conference (CCE) that will make sure of this!

First, recall that in Australia a new definition of Personal Information (PI or "PII") means that anonymous data that can potentially be re-identified in future may have to be classified as PII today. I recently discussed how security and risk practitioners can deal with the uncertainty in re-identifiability.

And there's a barrage of new tracking, profiling and interior geo-location technologies (like Apple's iBeacon) which typically come with a promise of anonymity. See for example Tesco's announcement of face scanning for targeting adverts at their UK petrol stations.

The promise of anonymity is crucial, but it is increasingly hard to keep. Big Data techniques that join de-identified information to other data sets are able to ind correlations and reverse the anonymisation process. The science of re-identification started with the work of Dr Latanya Sweeny who famously identified a former governor and his medical records using zip codes and electoral roll data; more recently we've seen DNA "hackers" who can unmask anonymous DNA donors by joining genomic databases to public family tree information.

At CCE we saw many exciting Big Data developments, which I'll explore in more detail in coming weeks. Business Intelligence as-a-service is expanding rapidly, and is being flipped my innovative vendors to align (whether consciously or not) with customer centric Vendor Relationship Management models of doing business. And there are amazing new tools for enriching unstructured data, like newly launched Paxata's Adaptive Data Preparation Platform. More to come.

With the ability to re-identify data comes Big Responsibilities. I believe that to help businesses meet their privacy promises, we're going to need new tools to measure de-identification and hence gauge the risk of re-identification. It seems that some new generation data analytics products will allow us to run what-if scenarios to help understand the risks.

Just before CCE I also came across some excellent awareness raising materials from Voltage Security in Cupertino. Voltage CTO Terence Spies shared with me his "Deidentification Taxonomy" reproduced here with his kind permission. Voltage are leaders in Format Preserving Encryption and Tokenization -- typically used to hide credit card numbers from thieves in payment systems -- and they're showing how the tools may be used more broadly for de-identifying databases. I like the way Terence has characterised the reversibility (or not) of de-identification approaches, and further broken out various tokenization technologies.

Deidentification core Terence Spies Voltage Oct2013



Reference: Voltage Security. Reproduced with permission.

These are the foundations of the important new science of de-identification. Privacy engineers need to work hard at re-identification, so that consumers do not lose faith in the important promises made that so much data collected from their daily movements through cyber space are indeed anonymous.

Posted in Security, Privacy, Constellation Research, Big Data

WEBINAR

The Consumerization of Identity: A collision of Worlds

US: Nov 13 1:00-1:30PM Pacific
Aus: Nov 14 8:00-8:30AM AEDST

Consumerization ID pic Webinar (0 8 1)



Register here.

ABSTRACT

What happens when the irresistible force of Social Logon hits the immoveable object of enterprise risk management?

People love Social Logon! Twitter, Facebook and Google handles are used everyday to access countless digital services. But they are not yet "business grade". No enterprise should dilute its risk management by accepting social identities willy nilly.

This webinar will unpack what Social Logons tell us about users, compare and contrast Facebook and LinkedIn identities, and try to foresee how they should evolve if they are going to meet business needs.

CONTENTS

The webinar will cover:


  • What is the Consumerization of IT?
  • What is Federated Identity?
  • The State of the "identity ecosystem"
  • Pros and Cons of Federation
  • The Two Dimensions of Social Identities
  • What needs to happen for Social Logon to become "Business Grade"?

THE BOTTOM LINE

Consumers’ understanding of their digital identities is evolving fast, while the social Identity Providers (IDPs) continue to explore how to monetize the privileged information that they have about their users. Online consumers have a keen sense of digital reputation and they appreciate how to build a powerful social graph; this awareness will soon inform business-grade identities. But even more importantly, social IDPs must prvide businesses precise information about users to help businesses manage transaction risk. Consumerization opens up exciting new possibilities, but it must not dilute the way businesses know their customers, parts, staff and users.