
The Role of the Observatory

In the document Mobility, Data Mining and Privacy (Page 127-131)


4.4 The Role of the Observatory

The GeoPKDD project investigates and develops technical advances that are needed to embed privacy into data mining tools. Yet, we recognize that technology must be disseminated, and be informed of the social context in which it resides. Thus, in addition to its technical endeavors, GeoPKDD has organized a privacy regulation observatory that brings together GeoPKDD technologists, representatives of the national and European privacy authorities, as well as nongovernmental privacy-related associations. In summary, the aim of the GeoPKDD privacy observatory is to assist authorities as a technical consultant in the field of privacy-preserving data mining.

More specifically, we believe that regulations and laws will be enacted as a response to existing and future privacy-preserving methods, including those developed within the GeoPKDD project. The goal of the observatory is to harmonize the resulting regulations with the activities of technologists and the GeoPKDD project.

The activities of the observatory will include the creation and maintenance of relationships with the European Commission authority and the national authorities of the countries that are partners of the consortium. These relationships are aimed at properly implementing the resulting regulations in our methods and tools, and at providing refinements of the technical regulations regarding privacy-preserving analysis methods.

A first step toward GeoPKDD’s goal to establish relationships beyond technologists is the establishment of a relationship with the Italian Data Protection Commission (Garante per la Protezione dei Dati Personali¹⁴). Italy implemented the main European directive, Directive 95/46, in 1996 as law no. 675/96. The Italian Data Protection Commission is endowed with the power to establish sanctions when it discovers the violation of regulations in cases that are brought before it. The directives, both at the European level and in the national Italian implementation, are subject to interpretation, and thus cases of potential privacy infractions are addressed in a case-by-case manner.

Another important aspect of the GeoPKDD project is its potential to interact with, and inform, organizations that recognize the need for location privacy standards. For example, one such organization is Geopriv,¹⁵ an Internet Engineering Task Force (IETF) working group that examines risks associated with location-based services. The IETF has proposed several requirements for location privacy, including limited identifiability and customizable rules for controlling data flows. A second example organization is Privacy International,¹⁶ a human rights group formed in 1990 as a “watchdog” on surveillance projects that are run by governments and corporations. We anticipate that dissemination of GeoPKDD research results will include an annual GeoPKDD workshop devoted to the presentation of location-based privacy technology, as well as policy achievements. The workshop will also serve as an international forum for spatiotemporal privacy-preserving data mining.

4.5 Conclusions

There is an increasing fear that the growing collection and dissemination of personal mobility data will weaken the privacy rights of individuals. In part, this is due to the fact that detective-like investigations have revealed that privacy threats abound in the collection and dissemination of data derived from ICTs. Specifically, the dissemination of human mobility data devoid of identifying information, such as pseudonymized traces, is not sufficient to prevent privacy breaches. Despite the threats to personal privacy, a service provider has the right to analyze data collected from mobility services to discover socially useful knowledge that benefits the individuals, community, and law enforcement. Nonetheless, journalists and regulators, in Europe and beyond, increasingly claim that the defense of an individual’s right to privacy must come before the sharing of personal mobility data.

¹⁴ http://www.garanteprivacy.it

¹⁵ http://www.ietf.org/html.charters/geopriv-charter.html

¹⁶ http://www.privacyinternational.org/

Despite the apparent opposition, the right to personal privacy does not necessarily preclude the right of a service provider to learn knowledge from collected mobility data, and vice versa. Computer scientists have unearthed a fascinating array of problems related to privacy and mobility data. Research on these problems has led to the production of foundations, as well as basic applications, of privacy-preserving technologies. As research in this field progresses, the goal is to reach a win–win situation for privacy advocates and service providers: obtain the advantages of collective mobility knowledge without inadvertently divulging any individual mobility knowledge.

We believe that this research on privacy for mobile data collection and analysis must be tackled in a multidisciplinary way. The opportunities and risks are shared by technologists, social scientists, jurists, policy makers, and general citizens. Research will need to be informed by, as well as help to inform, those who design laws and oversee jurisprudence. If this goal is achieved, the results will have an impact on the social acceptance, as well as the dissemination, of ubiquitous technologies.

