Giuseppe D'Acquisto

CR
8 papers
162 citations
Novelty 22%
AI Score 34

8 Papers

29.7 CR Apr 2
Empirical Evaluation of Structured Synthetic Data Privacy Metrics: Novel experimental framework

Milton Nicolás Plasencia Palacios, Alexander Boudewijn, Sebastiano Saccani et al.

Synthetic data generation is gaining traction as a privacy enhancing technology (PET). When properly generated, synthetic data preserve the analytic utility of real data while avoiding the retention of information that would allow the identification of specific individuals. However, the concept of data privacy remains elusive, making it challenging for practitioners to evaluate and benchmark the degree of privacy protection offered by synthetic data. In this paper, we propose a framework to empirically assess the efficacy of tabular synthetic data privacy quantification methods through controlled, deliberate risk insertion. To demonstrate this framework, we survey existing approaches to synthetic data privacy quantification and the related legal theory. We then apply the framework to the main privacy quantification methods with no-box threat models on publicly available datasets.

CR Mar 27, 2019
A Conceptual Framework for Assessing Anonymization-Utility Trade-Offs Based on Principal Component Analysis

Giuseppe D'Acquisto, Maurizio Naldi

An anonymization technique for databases is proposed that employs Principal Component Analysis. The technique aims at releasing the least possible amount of information, while preserving the utility of the data released in response to queries. The general scheme is described, and alternative metrics are proposed to assess utility, based respectively on matrix norms, correlation coefficients, divergence measures, and quality indices of database images. This approach allows one to properly measure the utility of output data and incorporate that measure in the anonymization method.

CR Mar 1, 2016
Protecting suppliers' private information: the case of stock levels and the impact of correlated items

Maurizio Naldi, Giuseppe D'Acquisto

A marketplace is defined where the private data of suppliers (e.g., prosumers) are protected, so that neither their identity nor their level of stock is made known to end customers, while they can sell their products at a reduced price. A broker acts as an intermediary, which takes care of providing the items missing to meet the customers' demand and allows end customers to take advantage of reduced prices through the subscription of option contracts. Formulas are provided for the option price under three different probability models for the availability of items. Option pricing allows the broker to partially transfer its risk on end customers.

CR Dec 18, 2015
Privacy by design in big data: An overview of privacy enhancing technologies in the era of big data analytics

Giuseppe D'Acquisto, Josep Domingo-Ferrer, Panayiotis Kikiras et al.

The extensive collection and processing of personal information in big data analytics has given rise to serious privacy concerns, related to wide scale electronic surveillance, profiling, and disclosure of private data. To reap the benefits of analytics without invading the individuals' private sphere, it is essential to draw the limits of big data processing and integrate data protection safeguards in the analytics value chain. ENISA, with the current report, supports this approach and the position that the challenges of technology (for big data) should be addressed by the opportunities of technology (for privacy). We first explain the need to shift from "big data versus privacy" to "big data with privacy". In this respect, the concept of privacy by design is key to identify the privacy requirements early in the big data analytics value chain and in subsequently implementing the necessary technical and organizational measures. After an analysis of the proposed privacy by design strategies in the different phases of the big data value chain, we review privacy enhancing technologies of special interest for the current and future big data landscape. In particular, we discuss anonymization, the "traditional" analytics technique, the emerging area of encrypted search and privacy preserving computations, granular access control mechanisms, policy enforcement and accountability, as well as data provenance issues. Moreover, new transparency and access tools in big data are explored, together with techniques for user empowerment and control. Achieving "big data with privacy" is no easy task and a lot of research and implementation is still needed. Yet, it remains a possible task, as long as all the involved stakeholders take the necessary steps to integrate privacy and data protection safeguards in the heart of big data, by design and by default.

CR Oct 4, 2015
Differential Privacy: An Estimation Theory-Based Method for Choosing Epsilon

Maurizio Naldi, Giuseppe D'Acquisto

Differential privacy is achieved by the introduction of Laplacian noise in the response to a query, establishing a precise trade-off between the level of differential privacy and the accuracy of the database response (via the amount of noise introduced). However, the amount of noise to add is typically defined through the scale parameter of the Laplace distribution, whose use may not be so intuitive. In this paper we propose to use two parameters instead, related to the notion of interval estimation, which provide a more intuitive picture of how precisely the true output of a counting query may be gauged from the noise-polluted one (hence, how much the individual's privacy is protected).

CR Sep 22, 2015
Option contracts for a privacy-aware market

Maurizio Naldi, Giuseppe D'Acquisto

Suppliers (including companies and individual prosumers) may wish to protect their private information when selling items they have in stock. A market is envisaged where private information can be protected through the use of differential privacy and option contracts, while privacy-aware suppliers deliver their stock at a reduced price. In such a marketplace a broker acts as intermediary between privacy-aware suppliers and end customers, providing the extra items possibly needed to fully meet the customers' demand, while end customers book the items they need through an option contract. All stakeholders may benefit from such a marketplace. A formula is provided for the option price, and a budget equation is set for the mechanism to be profitable for the broker/producer.

DB Jul 1, 2014
Differential privacy for counting queries: can Bayes estimation help uncover the true value?

Maurizio Naldi, Giuseppe D'Acquisto

Differential privacy is achieved by the introduction of Laplacian noise in the response to a query, establishing a precise trade-off between the level of differential privacy and the accuracy of the database response (via the amount of noise introduced). Multiple queries may improve the accuracy but erode the privacy budget. We examine the case where we submit just a single counting query. We show that even in that case a Bayesian approach may be used to improve the accuracy for the same amount of noise injected, if we know the size of the database and the probability of a positive response to the query.

CR Mar 17, 2012
Personal data disclosure and data breaches: the customer's viewpoint

Giuseppe D'Acquisto, Maurizio Naldi, Giuseppe F. Italiano

Every time the customer (individual or company) has to release personal information to its service provider (e.g., an online store or a cloud computing provider), it faces a trade-off between the benefits gained (enhanced or cheaper services) and the risks it incurs (identity theft and fraudulent uses). The amount of personal information released is the major decision variable in that trade-off problem, and has a proxy in the maximum loss the customer may incur. We find the conditions for a unique optimal solution to exist for that problem as that maximizing the customer's surplus. We also show that the optimal amount of personal information is influenced most by the immediate benefits the customer gets, i.e., the price and the quantity of service offered by the service provider, rather than by maximum loss it may incur. Easy spenders take larger risks with respect to low-spenders, but an increase in price drives customers towards a more careful risk-taking attitude anyway. A major role is also played by the privacy level, which the service provider employs to regulate the benefits released to the customers. We also provide a closed form solution for the limit case of a perfectly secure provider, showing that the results do not differ significantly from those obtained in the general case. The trade-off analysis may be employed by the customer to determine its level of exposure in the relationship with its service provider.