SHARING SENSITIVE DATA WITH CONFIDENCE: THE DATATAGS SYSTEM · SHARING SENSITIVE DATA WITH CONFIDENCE: THE DATATAGS SYSTEM ... , Bar-Sinai M. Sharing Sensitive Data with Confidence:

SHARINGSENSITIVEDATAWITHCONFIDENCE:THEDATATAGSSYSTEM

MercèCrosas,Ph.D.ChiefDataScienceandTechnologyOfficerIQSSHarvardUniversity

MichaelBar-SinaiPhDcandidateinComputerScienceattheBen-GurionUniversityoftheNegev,IsraelFellowattheInstituteforQuantitativeSocialScienceatHarvardUniversity.

LatanyaSweeneyProfessorofGovernmentandTechnologyinResidenceDirectorofDataPrivacyLabHarvardUniversity

Datasharing: goodforyouandgoodfortheworld


ResearchersGetcreditfortheirdata



PublishersandJournals

Verifypublishedwork




Verifypublishedwork

Federalfundingagencies

Makepublicassets

accessible




Verifypublishedwork

Federalfundingagencies

Makepublicassets

accessible

ScienceValidate,reuseandextend

previouswork

dataverse.org

Open-sourcesoftwaredevelopedatHarvard’sIQSSsince2006Usedtoshare,publish,citeandarchiveresearchdata

Installedin12sitesworldwideServing100sofuniversitiesandorganizations

HarvardDataverse:dataverse.harvard.eduStartedasacommunityrepositoryforSocialScienceNowopentoallresearchfieldsandallresearchers

Morethan1300dataversesMorethan59,000datasets

Morethan1,500,000downloads

DataRepositoriesvs RepositorySoftware




But,existingcommunityrepositoriesdonotsupportsensitivedata

“UserUploadsmustbevoidofallidentifiableinformation,suchthatre-identificationofanysubjectsfromtheamalgamationoftheinformationavailablefromallofthematerials(acrossdatasetsanddataverses)uploadedunderanyoneauthorand/orusershouldnotbepossible.”

“SubmitterrepresentsandwarrantsthattheContentdoesnotcontainanyinformation(i)whichidentifies,orwhichcanbeusedinconjunctionwithotherpubliclyavailableinformationtopersonallyidentify,anyindividual;”

“IfyouaresubmittinghumansequencestoGenBank,donotincludeanydatathatcouldrevealthepersonalidentityofthesource.Itisourassumptionthatyouhavereceivedanynecessaryinformedconsentauthorizationsthatyourorganizationsrequirepriortosubmittingyoursequences.”

GenBank

HOWCANWEMAXIMIZESHARINGSENSITIVEDATAWHILEBEINGMINDFULOFPRIVACY?

SweeneyL,CrosasM,Bar-SinaiM.SharingSensitiveDatawithConfidence:TheDataTagsSystem.TechnologyScience.2015101601.October16,2015.http://techscience.org/a/2015101601

Adatatagisasetofsecurityfeaturesandaccessrequirementsforfilehandling

Adatatagisasetofsecurityfeaturesandaccessrequirementsforfilehandling

Adatatagsrepositoryisonethatstoresandsharesdatafilesinaccordancewithastandardizedandorderedlevelsofsecurityandaccessrequirements.

ADataTagsRepositorymustsatisfythefollowingconditions:


1. Supportsmorethanonedatatag



2. Eachfileintherepositorymusthaveoneandonlyonedatatag




a. additionalrequirementscannotweakenthefilesecurity





b. andcannotrequiredthesameormoresecuritythanamore

restrictivedatatag






restrictivedatatag3. Arecipientofafilefromtherepositorymust:







a. satisfyfile’saccessrequirements,








b. producesufficientcredentialsasrequested,









c. andagreetoanytermsofuserequiredtoacquirethefile.









c. andagreetoanytermsofuserequiredtoacquirethefile.4. Providestechnologicalguaranteesforrequirements1,2and3.

DatatagsLevelsTagType Description SecurityFeatures AccessRequirements

Blue Public ClearstorageCleartransmission Open

Green Controlledpublic

ClearstorageCleartransmission

Email,OAuthverifiedregistration

Yellow Accountable ClearstorageEncryptedtransmit

Password,Registered,Approval,ClickDUA

Orange Moreaccountable

EncryptedstorageEncryptedtransmit

Password,Registered,Approval,SignedDUA

Red Fullyaccountable

EncryptedstorageEncryptedtransmit

Two-factorauthentication,Approval,SignedDUA

Crimson Maximallyrestricted

MultiEncryptstoreEncryptedtransmit

Two-factorauthentication,Approval,SignedDUA

DATATAGSWITHHARVARDDATAVERSE

Level1:Nosensitivedata;opendata

Level1:De-identifieddata

Level2:ConfidentialinformationbyUniversitystandards;nomaterialharm

Level3:Confidentialinformationthatcouldcausematerialharm(non-level4FERPA)

Level4:Highriskconfidentialinformation(SSN)

Level5Informationthatwouldcausesevereharm

DataTagsvsHarvardSecurityLevels

Dataverses,Datasets,DataFilesandDataTags

ADatatagisassignedtoeachDataFile(nottotheDataset)

DataTagsWorkflowwithDataverse

http://datatags.orghttp://privacytools.seas.harvard.edu


DataFileIngestion



DataFileIngestion


AutomaticInterview

ReviewBoardApproval


DataFileIngestion


AutomaticInterview

ReviewBoardApproval


DataFileIngestion

SensitiveDataset


AutomaticInterview

ReviewBoardApproval


DataFileIngestion

SensitiveDataset

DirectAccess


AuthorizedSignedDUA

AutomaticInterview

ReviewBoardApproval


DataFileIngestion

SensitiveDataset

DirectAccess

PrivacyPreservingAccess


AuthorizedSignedDUA

AutomaticInterview

ReviewBoardApproval

ACuratorModelforPrivacy-PreservingAnalysis

Acknowledgement:Honaker,J.andNissim,K.,DataPrivacyToolsProject

DifferentiallyPrivatestatistics(summaries,causalinference,regression,interactivequeries)

CredentialsandRetrievalinDataverse

DataFilenotrestrictedGuestbook–Emailtoaccess

DataFilerestricted;Dataverse/InCommonaccount;Requestaccess;ClickDUA

DataFilerestricted;Dataverse/InCommonaccount;Requestaccess;SignDUA

DataFilerestricted;InCommonaccount;Requestaccess;Two-FactorauthenticationSignDUA

OTHERTYPEOFDATATAGSREPOSITORIES

Betty:SoleResearcher

• Receivedconsentfromparticipants• Repositoryforsharinghighly

sensitivedata(notnecessarilyHarvardDataverse)

Betty:GlobalResearchRepositoryIngestion and

Decision-making Knowledge

IRB determination or an interview system.

Codification and Infrastructure

Blue, Green, Yellow, Orange, Red, Crimson.

Credentials and Retrieval

Different files may additionally require specific terms of use based on legal or regulatory requirements or adopted best practices.

(SameusecaseasDataverse)

Adam:LargeMedicalResearchGroup

• Repositoryforsharinglocaldata• Repositoryforpublisheddata• Repositoryforsharingwith

collaborators

Adam:LargeMedicalResearchGroup

Diane:MultinationalCorporation

• Cloudcontainsdatafromallovertheworld,collectedunderavarietyofterms,subjecttodifferentlaws

• Repositorythatenforcesrequirementsonemployeeaccess

Diane:MultinationalCorporation

Charles:InstitutionalReviewBoard

• Documentcommitteedecisions• Recommendhandlingbasedon

priordecisions

Charles:InstitutionalReviewBoard

Howtechnologyimpactshumans.

DATA


DATA


DATA

DirectDepositDirectTagging

KhannaA.Facebook'sPrivacyIncidentResponse:astudyofgeolocationsharingonFacebookMessenger.TechnologyScience.2015081101.August11,2015.http://techscience.org/a/2015081101

techscience.org

KhannaA.Facebook'sPrivacyIncidentResponse:astudyofgeolocationsharingonFacebookMessenger.TechnologyScience.2015081101.August11,2015.http://techscience.org/a/2015081101

techscience.org

Published2015-09-29

SweeneyL,YooJ.De-anonymizingSouthKoreanResidentRegistrationNumbersSharedinPrescriptionData.TechnologyScience.2015092901.September29,2015.http://techscience.org/a/2015092901

techscience.org

DATATAGGINGTOOLS

ADatataggingtoolneeds:

• FormaldescriptionofaDatatag– Capturethedatahandlingpolicyofthetag– Capturethe“stricter-than”ordering

• Interviewcreationtool– Supportuser-friendlyinterviews– Decideonthedatatagbasedontheanswersonly

FormalDescriptionofaDatatag

• Modeldatahandlingpoliciesasasetoforthogonalaspects– Storageencryption,accessrequirements…

• Describeimplementationoptionsforeachaspect;orderimplementationsfromlenienttostrict– Clear<Encrypted<MultiEncrypt

DataHandlingPolicySpace

DataHandlingPolicySpace

Tags:TagsSpacefile(.ts)

• Describeatagspace

• Conveniencefeatures:hierarchy,“slots”ofdifferenttypes,top-downdesignsupport,comments…

ScreenshotfromactualAtompackage:GalMaman,MatanToledano,BGU

ComprehensionAid:Visualization



FindingtheRightTag–DecisionGraph

• Directed,AcyclicGraph

• NodeTypes:– Ask– Set– Convenience:Call,End,Reject,Todo

FindingtheRightTag–DecisionGraph

ScreenshotfromactualAtompackage:GalMaman,MatanToledano,BGU

InterviewVisualization

Interviewcredit:TheDataPrivacyLab@Harvard(LatanyaSweeney,SeanHooley),BerkmanCtr.forInternetandSociety(AlexandraWood,DavidO'Brien,clinicalstudents),IQSS(MercèCrosas,MichaelBar-Sinai).PartofthePrivacytoolsforsharingresearchdataproject





InterviewontheWeb

InterviewontheWeb

InterviewontheWeb

InterviewontheWeb

InterviewontheWeb

Interviewavailableatdatatags.org

DecisionGraphPoints

DecisionGraphPoints

• Familiar“interviewwithaspecialist”metaphor

DecisionGraphPoints


• Implicitlydescribelogicinference

DecisionGraphPoints


• Implicitlydescribelogicinference

DecisionGraphPoints

• Analysis:DetectionofIndependentparts

DecisionGraphPoints


DecisionGraphPoints


• Queries,suchas“whatseriesofanswerswillcreateadatatagsthatallowsclearstorage?”

DecisionGraphPoints

• Optimizations

ExamplecreatedbyEyalBen-Simon,BGU

DecisionGraphPoints

• Optimizations


DecisionGraphPoints

• Optimizations


StateoftheTagsTool• Open-sourceprojectat

GitHub• Languagegettingmoretools

andfeature– ProjectwithBGUstudents

• LanguageToolsinprogress– Inspectors,Visualizers,CLIdevelopmenttool

• Tutorialsandreferencedatatagginglibrary.readthedocs.org

• Collaborationvia,e.g.GitHub



































































FutureoftheTagsTool

• Updatewebinterviewapplication– Includeuploadandinspectionfeatures

• On-linecollaborationenvironment– A-laGoogledocs?

THANKSMercèCrosas,MichaelBar-Sinai,LatanyaSweeney

Documents

SHARING SENSITIVE DATA WITH CONFIDENCE: THE DATATAGS SYSTEM · SHARING SENSITIVE DATA WITH CONFIDENCE: THE DATATAGS SYSTEM ... , Bar-Sinai M. Sharing Sensitive Data with Confidence: