
May 15 2015 Anonos Comment Letter to NIST


  • anonos.com

    1

    Submitted via overnight delivery / email to [email protected] May 15, 2015 National Institute of Standards and Technology (NIST) Attn: Computer Security Division, Information Technology Laboratory 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930

    Re: Draft NISTIR 8053 De-Identification of Personally Identifiable Information

    We appreciate the opportunity to submit comments to the National Institute of Standards and Technology (NIST) in the context of the draft publication entitled Draft NISTIR 8053 De-Identification of Personally Identifiable Information (NIST Draft Report). This letter is separated into the following three sections:

    I. Proposal to Include Dynamic Data Obscurity in NIST Draft Report; II. History of the term Dynamic Data Obscurity; and III. The Anonos Just-In-Time-Identity (JITI) Approach to Dynamic Data Obscurity.

    I. Proposal to Include Dynamic Data Obscurity in NIST Draft Report

    We propose that the NIST Draft Report include Dynamic Data Obscurity, a temporally dynamic data obscuring technology that actively limits the risk of re-identification. As noted in the NIST Draft Report, static de-identification techniques suffer from numerous shortcomings; however, dynamic obscuring technology helps maintain data privacy and security while reducing risks involved in collecting, storing, processing, and analyzing data.

    Dynamic Data Obscurity turns data into business intelligence (BI)1 by transforming static access controls into technologically enforced dynamic permissions applied per-element instead of across entire records or applications. This maximizes the utility of underlying data by allowing intelligent, adaptable, and compliant permissions while fundamentally enforcing core protections for personally identifiable and sensitive information.

    1 Business intelligence (BI) is an umbrella term that includes the applications, infrastructure and tools, and best practices that enable access to and analysis of information to improve and optimize decisions and performance. See http://www.gartner.com/it-glossary/business-intelligence-bi


    Technologically enforced Dynamic Data Obscurity rules can account for access, use, display, time, and location restrictions, across any industry or regulatory standard, thereby helping to overcome shortcomings of static de-identification such as the following:

    a) Re-Identification. With static de-identification, as long as any utility remains in the data, there exists the possibility that some information might result in re-identification of original identities.2

    b) Lost Data Value. Generally, privacy protection improves as more aggressive static de-identification techniques are employed, but less utility remains in the resulting data set3 due to the fact that static de-identification techniques remove identifying information from data.4

    c) Security Breach Exposure. The scope and frequency of data security breaches have changed the privacy paradigm. Some view theft of personal data by cybercriminals as the number one threat to privacy.5 However, static de-identification techniques are not designed to improve data security.

    d) International Acceptance. Compliance with privacy laws in one jurisdiction by relying on click-through terms and conditions and/or static de-identification may provide insufficient grounds to legally use data in other jurisdictions. For example, General Data Protection Regulations, currently under negotiation between the European Parliament and the Council of the EU, are expected to allow EU citizens to seek redress with their national regulators over a company's handling of their data, rather than being subject to laws in the country where the company has its headquarters.6

    Existing technology does not effectively address shortcomings of static de-identification nor does it adequately reconcile conflicts between protecting personal data and enabling commerce. Because of this, companies can be placed in the uncomfortable position of choosing between delivering products and services to consumers or complying with data privacy laws in:

    a) Jurisdictions that require unambiguous consent to use personal data like in the EU;

    b) Industries subject to specific regulatory restrictions on data use like healthcare, education and finance in the United States; and

    c) Other data use scenarios subject to an uncertain future.

    2 NIST Draft Report at line 151.
    3 NIST Draft Report at line 150.
    4 NIST Draft Report at line 76.
    5 Robinson, Teri. Privacy Matters. SC Magazine. May 1, 2015. http://www.scmagazine.com/privacy-matters/article/409041/
    6 Meyer, David. Belgium Targets Facebook Tracking. Politico. May 15, 2015. http://www.politico.eu/article/belgium-targets-facebook-tracking/


    Dynamic Data Obscurity is a new technological approach to protecting personal data, while at the same time bridging the gap between commerce and regulations. Instead of yet another application layer on top of legacy data sources, Dynamic Data Obscurity can limit the ability to infer, single out, or link to personally identifiable or sensitive information.

    Current approaches to protecting data are binary in nature: data is either valuable or private. For example:

    Encrypted data is either protected but unusable or usable but unprotected when decrypted; and

    With digital information, data is generally not de-identified but available to customize offerings for the benefit of consumers, or is de-identified but unavailable to fully benefit consumers, companies, and society at large.

    In a report submitted to President Obama in May 2014 entitled Big Data and Privacy: A Technological Perspective,7 a working group of the President's Council of Advisors on Science and Technology (PCAST) noted:

    The beneficial uses of near-ubiquitous data collection are large, and they fuel an increasingly important set of economic activities. Taken together, these considerations suggest that a policy focus on limiting data collection will not be a broadly applicable or scalable strategy nor one likely to achieve the right balance between beneficial results and unintended negative consequences (such as inhibiting economic growth).

    More broadly, PCAST believes that it is the use of data (including born-digital or born-analog data and the products of data fusion and analysis) that is the locus where consequences are produced. This locus is the technically most feasible place to protect privacy. Technologies are emerging, both in the research community and in the commercial world, to describe privacy policies, to record the origins (provenance) of data, their access, and their further use by programs, including analytics, and to determine whether those uses conform to privacy policies. Some approaches are already in practical use.

    7 https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-_may_2014.pdf

    Dynamic Data Obscurity can help provide flexible technology-enforced controls necessary to support economic growth requiring sophisticated handling of various data privacy requirements. For example, the ability to deliver on the many promises of health big data is predicated on the ability to support differing privacy requirements depending on the source of health-related data:

    Consumer health data collected using personal health record tools, mobile health applications, and social networking sites are subject to privacy policies / terms and conditions of applicable websites, devices and applications;

    Protected health information (PHI) is subject to privacy and security requirements under the Health Insurance Portability and Accountability Act (HIPAA); and

    Health data from federally funded research is subject to separate privacy requirements of The Federal Policy for the Protection of Human Subjects or Common Rule.

    Each of the above categories of privacy and security requirements can be supported via Dynamic Data Obscurity despite differences in requirements, thereby opening up new opportunities for economic growth and advances in research and healthcare.

    Dynamic Data Obscurity could even be helpful in resolving the future of Europe's Safe Harbor Agreement with the U.S., as well as the data protection practices of global, internet-based companies operating in Europe like Apple, Google, Yahoo, Skype and Microsoft, by facilitating sharing of personal data only under authorized conditions in compliance with both "lead" and "concerned" Data Protection Authorities, thereby accommodating differing requirements in multiple EU jurisdictions.

    II. History of the term Dynamic Data Obscurity

    One of the earliest mentions of the power of obscuring data was in a 2013 California Law Review article entitled The Case for Online Obscurity8 by Woodrow Hartzog and Frederic Stutzman, in which they stated:

    On the Internet, obscure information has a minimal risk of being discovered or understood by unintended recipients. Empirical research demonstrates that Internet users rely on obscurity perhaps more than anything else to protect their privacy. Yet, online obscurity has been largely ignored by courts and lawmakers. In this Article, we argue that obscurity is a critical component of online privacy, but it has not been embraced by courts and lawmakers because it has never been adequately defined or conceptualized.

    8 http://www.californialawreview.org/wp-content/uploads/2014/10/01-HartzogStutzman.pdf

    The term Dynamic Data Obscurity was coined in an October 15, 2014 blog by Martin Abrams, the Executive Director of the Information Accountability Foundation, which stated:

    The fact is that we data protection professionals cannot accept the status quo. We need to be able to demonstrate our trustworthiness, and effective tools are part of that.

    The Information Accountability Foundation's mission is research and education on policy solutions that facilitate innovation while protecting individuals from inappropriate processing. As we have worked through big data ethics, it has reinforced our view that outside of the box technology solutions must be available. Data needs to be visible when it is being used within bounds, and obscured when it is not. Technology does not replace policy enforcement; it makes the enforcement possible and actionable.

    A number of us have been thinking about the dilemma for the past six months and looking for solutions. We believe the solutions are part of a field we have begun to call Dynamic Data Obscurity. Dynamic data obscurity involves obscuring data down to the element level when that level of security is necessary and making sure that rules which control when elements can be seen are real and enforced. Dynamic data obscurity is also about making the technology controls harder to break but still allowing for appropriate uses. It requires both new technologies combined with effective internal monitoring and enforcement.9

    The next public use of the term Dynamic Data Obscurity took place in an October 20, 2014 International Association of Privacy Professionals (IAPP) Privacy Perspectives article10 written by Gary LaFever, Co-Founder and Chief Executive Officer of Anonos, a pioneer in developing practical applications of Dynamic Data Obscurity technology, in which he stated:

    We're not discounting the value of anonymization; it powered the growth of the Internet. But today, technology, markets, applications and threats have evolved while the protocols to keep personally identifiable data anonymous have not. If we are to mine the vast potential of data analytics to create high-value products and services that improve and even save lives while meeting the privacy expectations of the public and regulators, we need new tools and thinking.

    9 http://informationaccountability.org/taking-accountability-controls-to-the-next-level-dynamic-data-obscurity/
    10 https://privacyassociation.org/news/a/what-anonymization-and-the-tsa-have-in-common/

    Dynamic data obscurity improves upon static anonymity by moving beyond protecting data at the data record level to enable data protection at the data element level. Dynamic data obscurity empowers privacy officers to improve the optics of data protection for data subjects, regulators and the news media while deploying next-generation technology solutions that deliver more effective data privacy controls while maximizing data value. Vibrant and growing areas of economic activity (the trust economy, life sciences research, personalized medicine/education, the Internet of Things, personalization of goods and services) are based on individuals trusting that their data is private, protected and used only for authorized purposes that bring them maximum value. This trust cannot be maintained using static anonymity. We must embrace new approaches like dynamic data obscurity to both maintain and earn trust and more effectively serve businesses, researchers, healthcare providers and anyone who relies on the integrity of data.

    The Information Accountability Foundation held a framing discussion in January 2015 in Washington DC at which invited government, education and business leaders discussed that:

    Early analytics, dating from the 1980s, were dependent on anonymization and de-identification to ensure compliance and individual protection. For example, information used for credit marketing needed to be de-identified to comply with the Federal Fair Credit Reporting Act. Technology provided the tools to de-identify, and the assurance came from the requirements of the FCRA. Effective de-identification and anonymization tools have always rested on this marriage of policy and technology. Today's analytics, driven by observation, make the mandate for the belt and suspenders of policy and technology even more compelling. The technologies are challenged internally by organizations' need for knowledge and externally by very smart cyber criminals. Even with the belt of policy, the suspenders of technology need upgrading to match today's challenges. If we do not meet that challenge, we could see real resistance to the information age's dual mandates for innovation and fairness. The policy community needs to explore Dynamic Data Obscurity (DDO) to see if it will enhance data security and privacy to facilitate increased data value and protection compared to legacy approaches.11

    The term Dynamic Data Obscurity has since been used at international conferences,12 in comment letters submitted to international data privacy regulators,13 and in White Papers14 on the subject of Dynamic Data Obscurity.

    III. The Anonos15 Just-In-Time-Identity (JITI) Approach to Dynamic Data Obscurity

    Anonos has been working on Just-In-Time-Identity (JITI) technology, the Anonos approach to implementing Dynamic Data Obscurity, since 2012. Anonos is currently engaged in a Proof of Concept with an international Data Protection Authority together with multinational companies to show that Anonos Just-In-Time-Identity (JITI) technologies, layered on top of an underlying information platform, can deliver three interlinked benefits:

    a) Role-based technical and organizational measures to enforce policies for use of personal data;

    b) Functional separation between low- and high-risk data uses for re-identification; and

    c) Secure storage of underlying data.

    All three benefits increase the utility of the information platform while at the same time increasing the privacy and security controls available to protect personal data.

    Anonos Just-In-Time-Identity (JITI) is an architecturally enforced private-by-default technology that retains utility under authorized conditions, and supports all queries and actions with centralized audit logging. Policies and rules can be customized to limit or eliminate re-identification via inference, singling out, or linking of personal data.

    11 http://informationaccountability.org/iaf-will-convene-ddo-discussion-in-2015/
    12 http://informationaccountability.org/video-of-panel-on-dynamic-data-obscurity/
    13 http://www.anonos.com/anonos-enabling-bigdata/
    14 http://www.anonos.com/anonos-dynamic-data-obscurity/
    15 Anonos, Just-In-Time-Identity, JITI, Dynamic De-Identifier, DDID, and other marks are trademarks of Anonos Inc. protected under U.S. and international trademark laws and treaties. Anonos Just-In-Time-Identity technology is protected under U.S. and international copyright and patent laws and treaties. Other marks that appear in this letter and not owned by Anonos are the property of their respective owners. Anonos makes no claim of relationship to, or affiliation with, owners of marks not owned by Anonos.


    Anonos data stores are obscured by default, and reveal original or perturbed data values only in accordance with technically enforced rules in response to authorized queries. Improper use of data is architecturally prevented.

    There is little incentive to steal Anonos-enabled data stores since data is obscured at all times. Without access to Just-In-Time-Identity (JITI) dynamic de-identification (DDID) keys, the data is minimally valuable.

    In the event of an Anonos-enabled data store breach, data is unreadable and unusable to unauthorized parties.

    Anonos data stores can be created from scratch or derived from existing data stores on standard platforms.

    Anonos data store controls can reflect regulatory standards that will indicate to companies what flow-through protections are required in order for them to remain compliant when crafting internal rules and policies.

    Complying with regulations using current approaches to de-identification, data privacy and security can be complicated and expensive. Anonos anonymizing capabilities retain full data value and utility with support for various use cases, all while minimizing the risk of data misuse, abuse or compromise; Anonos refers to this as "annosizing" data.

    Anonos data store level architectural controls facilitate both internal audits and external regulator reviews.

    Anonos enables sharing of portable data stores with multiple parties having differing authorization privileges by providing unique JITI DDID key combinations to each party, any of which may be revoked manually or via an automatic trigger at any time.

    Anonos facilitates compliance with data privacy laws, rules and regulations by companies of all sizes without requiring them to have large in-house data privacy / security teams.


    Potential Applications of Anonos Just-In-Time-Identity (JITI) Dynamic Data Obscurity Technology

    Example #1: Internal Data Misuse

    Walt Disney offers visitors to its parks MagicBands, wrist-worn authentication devices providing access to hotels, rides, and transportation, as well as an ability to pay for food, beverages, and souvenirs via a linked payment card. Within a single park, there might be hundreds of different uses for a MagicBand, each of which might have distinct access rules. For example, a ride might need to know the height of the patron; a bar might only allow children in during lunch; and payments of certain types might require both the child's and parent's MagicBand. Finally, a lost child with a MagicBand can be easily reunited with trusted family. The danger in this system comes from trusted insiders, because customers demand full utility while the park has a duty to manage the risk of exposing too much personal information to employees. From a staff management perspective, the incentive is to have fewer roles with greater access and authority, but that enables employees with the right access to aggregate the required data from different MagicBand uses and track the movement of guests, know when they're not in their hotel rooms, or even manipulate parameters to create dangerous authorizations for small children to go on adult-sized rides. Anonos-enabled data stores for each of these use cases would eliminate such risks, because employee roles would be defined on a per-use-case context basis, and casual browsing of the wider family records would be prevented.

    Example #2: Re-identification

    The January 2015 Science journal includes a 3-month study of credit card records for 1.1 million people that shows four spatiotemporal points are enough to uniquely re-identify 90% of credit card customers. Anonos de-identifiers (DDIDs) de-identify credit card customers for each transaction, providing a Just-In-Time-Identity (JITI) for each transaction. As a result, customers cannot be re-identified by means of correlating static anonymous identifiers. The Anonos approach makes limiting the ability to single out, link or infer a data subject a policy choice instead of a statistical risk.

    See http://www.anonos.com/unicity for an interactive version of this example.
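    The mechanism Section III and Example #2 describe (a fresh de-identifier for every record, with the DDID-to-identity key map held apart from the obscured store and handed to each party only as a revocable subset) can be modelled in a few dozen lines. The following is an added toy illustration, not Anonos code: the DDID format, the sample transactions, the STATIC_KEY and the KeyAuthority class are all constructed assumptions. It contrasts a static per-customer pseudonym, whose records remain linkable to each other with no key at all, against per-transaction DDIDs, where whoever holds only the store sees no two records sharing an identifier.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data: (customer, merchant, day). Not real records.
TRANSACTIONS = [
    ("alice", "cafe", 1), ("alice", "grocer", 2), ("alice", "pharmacy", 3),
    ("bob", "cafe", 1), ("bob", "gym", 2), ("bob", "pharmacy", 4),
    ("carol", "gym", 5),
]

STATIC_KEY = b"constructed-demo-key"  # assumption: one fixed pseudonymisation key


def static_pseudonymize(transactions, key=STATIC_KEY):
    """Static de-identification: one keyed-hash pseudonym per customer, reused
    on every record. The pseudonym is a stable join key, so one person's
    records stay linkable to each other inside the released data."""
    out = []
    for customer, merchant, day in transactions:
        pseudo = hmac.new(key, customer.encode(), hashlib.sha256).hexdigest()[:12]
        out.append((pseudo, merchant, day))
    return out


def dynamic_pseudonymize(transactions):
    """Dynamic de-identification: a fresh random DDID for every record.
    Returns the obscured store and the DDID-to-customer key map; in the model
    the letter describes, the key map is stored apart from the data."""
    store, key_map = [], {}
    for customer, merchant, day in transactions:
        ddid = secrets.token_hex(8)  # assumption: 64-bit random DDID per record
        store.append((ddid, merchant, day))
        key_map[ddid] = customer
    return store, key_map


def linkable_groups(store):
    """Group records by the identifier column: the linkage available to anyone
    who holds only the store (e.g. after a breach) and has no key map."""
    groups = defaultdict(list)
    for ident, merchant, day in store:
        groups[ident].append((merchant, day))
    return dict(groups)


def largest_link_cluster(store):
    """Size of the biggest set of records that share one identifier."""
    return max(len(v) for v in linkable_groups(store).values())


class KeyAuthority:
    """Holds the full key map and issues per-party, revocable subsets of it
    (constructed stand-in for the per-party JITI DDID key combinations)."""

    def __init__(self, key_map):
        self._key_map = dict(key_map)
        self._grants = {}  # party -> set of DDIDs that party may resolve

    def grant(self, party, store, merchant):
        """Issue a party the DDIDs for one use case (here: one merchant)."""
        ddids = {ddid for ddid, m, _ in store if m == merchant}
        self._grants[party] = ddids
        return len(ddids)

    def revoke(self, party):
        """Withdraw every DDID the party was issued; its view goes dark."""
        self._grants.pop(party, None)

    def resolve(self, party, store):
        """Records the party can read in the clear: only those whose DDID is
        in its grant. All other records stay obscured."""
        allowed = self._grants.get(party, set())
        return [(self._key_map[d], m, day) for d, m, day in store if d in allowed]


if __name__ == "__main__":
    print("static, largest linkable cluster:", largest_link_cluster(static_pseudonymize(TRANSACTIONS)))
    store, key_map = dynamic_pseudonymize(TRANSACTIONS)
    print("dynamic, largest linkable cluster:", largest_link_cluster(store))
    auth = KeyAuthority(key_map)
    auth.grant("pharmacy-audit", store, "pharmacy")
    print("pharmacy auditor sees:", auth.resolve("pharmacy-audit", store))
```

    The point the numbers make is the one the letter argues: with the static pseudonym, three of alice's transactions are linkable from the store alone, which is the pattern the unicity study exploits, whereas with per-record DDIDs every cluster has size one and linkage only exists through the key map. Whether a breached store or an insider can correlate records therefore depends on who holds which grant, which is what turns linkability into a policy decision rather than a statistical property of the data.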


    Example #3: Data Breach

    Firms like health insurer Anthem suffer when their facilities are breached (as do their millions of subscribers / customers whose identities are hacked) and data is kept in unencrypted form to enable use of the data. As a result, attackers can gain unauthorized access to personal data in cleartext form, i.e., unencrypted information that is in the clear and understandable. In contrast to standard encryption, which is generally fully "on" or "off," or traditional data masking techniques, which do not protect data at the data store level, Anonos Just-In-Time-Identity (JITI) can protect against data loss from external breaches without losing use of data for authorized purposes within the company. With JITI, an attacker may gain access to data but would not gain access to JITI keys (kept securely in separate virtual or physical locations) necessary to reveal personal information.

    _______________

    Anonos appreciates the opportunity to submit this letter to the National Institute of Standards and Technology.

    Respectfully Submitted,

    M. Gary LaFever, Co-Founder
    Ted Myerson, Co-Founder