Boundary Between Pseudonymity and Anonymity
0 likes1,075 views
This document analyzes the boundary between pseudonymity and anonymity in relation to Japan's Personal Information Protection Act (PIPA) and the implications of data pseudonymization. It discusses how frequent updates of pseudonyms can reduce identifiability, yet may diminish data value, particularly in medical contexts. The complexities of pseudonymization and the risks of re-identification through non-updated data are highlighted, stressing the balance between data utility and privacy protection.
Boundary Between Pseudonymity and Anonymity
- 1. Boundary Between Pseudonymity and Anonymity -Case Study about Japanese Personal Information Protection Act - Hiroshi Nakagawa The Univeristy of Toktyo
- 2. Updated Personal Information Protection Act in Japan – The EU General Data Protection Regulation is finally agreed in 2016 • Japan: Personal Information Protection Act (PIPA): Sep.2015 • De-identified Information is introduced. This should meet the following condition: – Processed to be unidentifiable to said person – Prohibited from restoring said personal information • Informally , the intention of this type of information means: – Anonymized enough not to de-anonymized easily – Freely used without the consent of data subject. – Pseudonymized is not regarded as De-identified Information • Boarder line between pseudonymity and anonymity which is intended by De-identified Information is a critical issue.
- 4. Variations of Pseudonymization in terms of frequency of pseudonym update pseu weight A123 60.0 A123 65.5 A123 70.8 A123 68.5 A123 69.0 pseu weight A123 60.0 A123 65.5 B432 70.8 B432 68.5 C789 69.0 pseu weight A123 60.0 B234 65.5 C567 70.8 X321 68.5 Y654 69.0 weight 60.0 65.5 70.8 68.5 69.0 Same Info. • No pseudonym update • Highly identifiable • Needed in med., farm. Update pseud. Frequent update • pseudonym update • Divide k subsets with different pseudonyms • Freq. update lowers both identifiability and data value • Update pseudonym data by data • Regarded as distinct person’s data. No identifiability obscurity The same individual’s personal data
- 5. • Pseudonymization without updating for accumulated time sequence personal data – Accumulation makes it be easily identified – Then reasonable to prohibit it to transfer the third party – PIPA sentence reads pseudonymized personal data without updating is not De-identified Information. – In practice • Unless non Quasi ID data such as a location log do not used as Quasi ID, we do not easily identify the person corresponding to pseudonymized personal data without updating. • Obscurity, in which every data of the same person has distinct pseudonyms, certainly is De-identified Information because there are no clue to aggregate the same person’s data. Pseudonymization with updating is not De-identified Information (of new Japanese PIPA)?
- 6. Record Length pseu Loc. 1 Loc.2 Loc.3 … A123 Minato Sibuya Asabu … A123 Odaiba Toyosu Sinbasi … A123 … … …. …. A123 xy yz zw … A123 • No pseudonym update • High identifiability by long location sequence • Even if pseudonym is deleted, long location sequence makes it easy to identify the specific data subject. transform obscurity Loc. 1 Loc.2 Loc.3 … Minato Sibuya Asabu … Odaiba Toyosu Sinbas i … … … …. …. xy yz zw …
- 7. Shuffling Loc. 1 Loc.2 Loc.3 … Minato yz zw … Odaiba Toyosu Asabu … … … …. …. xy Sibuya Sinbasi … • Obscurity shuffle Loc. 1 Loc.2 Loc.3 … Minato Sibuya Asabu … Odaiba Toyosu Sinbasi … … … …. …. xy yz zw … Almost no clue to identify same individual’s record. But data value is reduced.
- 8. obscurity DI No update update for ever data frequency of pseudonym update Pseudonymize w.o. update Not DI De-identified Information Not De-identified Information Somewhere here is the boundary. The boundary between De-identified Information (DI) and no API
- 9. Continuously observed personal data has high value in medicine • Frequent updating of pseudonym enhances anonymity, • But reduces data value – Especially in medicine. – Physicians do not require “no update of pseudonym.” – For instance, it seems to be enough to keep the same pseudonym for one illness as I heard from a researcher in medicine.
- 10. Updating frequency vs Data value • see the figure below: Data value Update frequency No update low high update data by y data location log purchasing log medical log
- 11. category Frequency of pseudonym updating Usage Medical No update Able to analyze an individual patient’s log ,especially history of chronic disease and lifestyle update Not able to pursue an individual patient’s history. Able to recognize short term epidemic Driving record No update If a data subject consents to use it with Personal ID, the automobile manufacture can get the current status of his/her own car, and give some advice such as parts being in need to repair. If no consent, nothing can be done.
- 12. category Frequency of pseudonym updating Usage Driving record Low frequency Long range trend of traffic, which can be used to urban design, or road traffic regulation for day, i.e. Sunday. High frequency We can only get a traffic in short period. Purchasing record No update If a data subject consents to use it with Personal ID, then it can be used for targeted advertisement. If no consent, we can only use to extract sales statistics of ordinary goods. Low frequency We can mine the long range trend of individual’s purchasing behavior. High frequency We can mine the short range trend of individual’s purchasing behavior. Every data We only investigate sales statistics of specific goods
- 13. Summary: What usage is possible by pseudonymization with/without updating • As stated so far, almost all psedonymized data do are statistical processing • No targeted advertisement, nor profiling of individual person – Learning the classifier of profile (only with consented data) and use it to targeted advertise to new users, is possible but gray. • Pseudonymized data are hard to trace if it is transferred to many organizations such as IT companies.