Your search keyword '"Domingo-Ferrer, Josep"' showing total 25 results

1. Decentralized k-anonymization of trajectories via privacy-preserving tit-for-tat

Author

Domingo-Ferrer, Josep, Martínez, Sergio, and Sánchez, David

Subjects

Computer Networks and Communications

Published

2022

2. Bistochastic privacy

Author

Ruiz, Nicolas and Domingo-Ferrer, Josep

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, Cryptography and Security (cs.CR)

Abstract

We introduce a new privacy model relying on bistochastic matrices, that is, matrices whose components are nonnegative and sum to 1 both row-wise and column-wise. This class of matrices is used to both define privacy guarantees and a tool to apply protection on a data set. The bistochasticity assumption happens to connect several fields of the privacy literature, including the two most popular models, k-anonymity and differential privacy. Moreover, it establishes a bridge with information theory, which simplifies the thorny issue of evaluating the utility of a protected data set. Bistochastic privacy also clarifies the trade-off between protection and utility by using bits, which can be viewed as a natural currency to comprehend and operationalize this trade-off, in the same way than bits are used in information theory to capture uncertainty. A discussion on the suitable parameterization of bistochastic matrices to achieve the privacy guarantees of this new model is also provided., Comment: To be published in Lecture Notes in Artificial Intelligence vol 13408, Modeling Decisions for Artificial Intelligence 19th International Conference MDAI 2022, Sant Cugat, Catalonia, August 30 - 2 September 2022

Published

2022

3. GRAIMATTER Green Paper: Recommendations for disclosure control of trained Machine Learning (ML) models from Trusted Research Environments (TREs)

Author

Jefferson, Emily, Liley, James, Malone, Maeve, Reel, Smarti, Crespi-Boixader, Alba, Kerasidou, Xaroula, Tava, Francesco, McCarthy, Andrew, Preen, Richard, Blanco-Justicia, Alberto, Mansouri-Benssassi, Esma, Domingo-Ferrer, Josep, Beggs, Jillian, Chuter, Antony, Cole, Christian, Ritchie, Felix, Daly, Angela, Rogers, Simon, and Smith, Jim

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Cryptography and Security, Artificial Intelligence (cs.AI), Computer Science - Artificial Intelligence, Cryptography and Security (cs.CR), Machine Learning (cs.LG)

Abstract

TREs are widely, and increasingly used to support statistical analysis of sensitive data across a range of sectors (e.g., health, police, tax and education) as they enable secure and transparent research whilst protecting data confidentiality. There is an increasing desire from academia and industry to train AI models in TREs. The field of AI is developing quickly with applications including spotting human errors, streamlining processes, task automation and decision support. These complex AI models require more information to describe and reproduce, increasing the possibility that sensitive personal data can be inferred from such descriptions. TREs do not have mature processes and controls against these risks. This is a complex topic, and it is unreasonable to expect all TREs to be aware of all risks or that TRE researchers have addressed these risks in AI-specific training. GRAIMATTER has developed a draft set of usable recommendations for TREs to guard against the additional risks when disclosing trained AI models from TREs. The development of these recommendations has been funded by the GRAIMATTER UKRI DARE UK sprint research project. This version of our recommendations was published at the end of the project in September 2022. During the course of the project, we have identified many areas for future investigations to expand and test these recommendations in practice. Therefore, we expect that this document will evolve over time.

Published

2022

4. Opinion and Action Plan on Data Protection and Privacy - Ethics&Society, Human Brain Project

Author

Salles, Arleen, Stahl, Bernd, Bjaalie, Jan, Domingo-Ferrer, Josep, Rose, Nikolas, Rainey, Stephen, Spranger, Tade, Evers, Kathinka, Bitsch, Lise, Christen, Markus, and Farisco, Michele

Subjects

data protection, data privacy, society, Human Brain Project, action plan, ComputingMilieux_LEGALASPECTSOFCOMPUTING, ethics

Abstract

A fuller understanding of the human brain, better diagnoses and treatment of brain disorders, as well as the development of new brain-like technologies are all goals of the Human Brain Project (HBP). Realizing these goals requires the collection, storage, curation, and analysis of data of various sorts over extended periods of time. Securing privacy interests and advancing data protection measures are key concerns of the HBP. The HBP needs to comply with national and European data protection legislation and must go beyond existing legal protections and show ethical sensitivity to privacy concerns, even when such concerns fall outside regulatory frameworks. Recommendations made, in this opinion and action plan, includes measures to ensure data protection in data governance structures, adopting a privacy model when anonymizing data, privacy by design in systems development, exploring ICO tools for privacy management and data protection and the promotion of trust and transparency.

Published

2021

5. How to Avoid Reidentification with Proper Anonymization

Author

Sánchez, David, Martínez, Sergio, and Domingo-Ferrer, Josep

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, Cryptography and Security (cs.CR), K.4.1

Abstract

De Montjoye et al. claimed that most individuals can be reidentified from a deidentified transaction database and that anonymization mechanisms are not effective against reidentification. We demonstrate that anonymization can be performed by techniques well established in the literature., Comment: 5 pages

Published

2018

6. Connecting Randomized Response, Post-Randomization, Differential Privacy and t-Closeness via Deniability and Permutation

Author

Domingo-Ferrer, Josep and Soria-Comas, Jordi

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, H.2.7, K.4.1, 68P99, Cryptography and Security (cs.CR), Computer Science::Cryptography and Security

Abstract

We explore some novel connections between the main privacy models in use and we recall a few known ones. We show these models to be more related than commonly understood, around two main principles: deniability and permutation. In particular, randomized response turns out to be very modern in spite of it having been introduced over 50 years ago: it is a local anonymization method and it allows understanding the protection offered by $\epsilon$-differential privacy when $\epsilon$ is increased to improve utility. A similar understanding on the effect of large $\epsilon$ in terms of deniability is obtained from the connection between $\epsilon$-differential privacy and t-closeness. Finally, the post-randomization method (PRAM) is shown to be viewable as permutation and to be connected with randomized response and differential privacy. Since the latter is also connected with t-closeness, it follows that the permutation principle can explain the guarantees offered by all those models. Thus, calibrating permutation is very relevant in anonymization, and we conclude by sketching two ways of doing it., Comment: Submitted manuscript

Published

2018

7. Privacy by design in big data: An overview of privacy enhancing technologies in the era of big data analytics

Author

D'Acquisto, Giuseppe, Domingo-Ferrer, Josep, Kikiras, Panayiotis, Torra, Vicenç, de Montjoye, Yves-Alexandre, and Bourka, Athena

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, D.4.6, K.4.1, H.2.0, Cryptography and Security (cs.CR), 94A60

Abstract

The extensive collection and processing of personal information in big data analytics has given rise to serious privacy concerns, related to wide scale electronic surveillance, profiling, and disclosure of private data. To reap the benefits of analytics without invading the individuals' private sphere, it is essential to draw the limits of big data processing and integrate data protection safeguards in the analytics value chain. ENISA, with the current report, supports this approach and the position that the challenges of technology (for big data) should be addressed by the opportunities of technology (for privacy). We first explain the need to shift from "big data versus privacy" to "big data with privacy". In this respect, the concept of privacy by design is key to identify the privacy requirements early in the big data analytics value chain and in subsequently implementing the necessary technical and organizational measures. After an analysis of the proposed privacy by design strategies in the different phases of the big data value chain, we review privacy enhancing technologies of special interest for the current and future big data landscape. In particular, we discuss anonymization, the "traditional" analytics technique, the emerging area of encrypted search and privacy preserving computations, granular access control mechanisms, policy enforcement and accountability, as well as data provenance issues. Moreover, new transparency and access tools in big data are explored, together with techniques for user empowerment and control. Achieving "big data with privacy" is no easy task and a lot of research and implementation is still needed. Yet, it remains a possible task, as long as all the involved stakeholders take the necessary steps to integrate privacy and data protection safeguards in the heart of big data, by design and by default., Comment: 80 pages. European Union Agency for Network and Information Security (ENISA) report, December 2015, ISBN 978-92-9204-160-1. https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/big-data-protection/

Published

2015

8. On the Security of MTA-OTIBASs (Multiple-TA One-Time Identity-Based Aggregate Signatures)

Author

Zhang, Lei, Wu, Qianhong, Domingo-Ferrer, Josep, Qin, Bo, and Hu, Chuanyan

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, Cryptography and Security (cs.CR)

Abstract

In [3] the authors proposed a new aggregate signature scheme referred to as multiple-TA (trusted authority) one-time identity-based aggregate signature (MTA-OTIBAS). Further, they gave a concrete MTA-OTIBAS scheme. We recall here the definition of MTA-OTIBAS and the concrete proposed scheme. Then we prove that our MTA-OTIBAS concrete scheme is existentially unforgeable against adaptively chosen-message attacks in the random oracle model under the co-CDH problem assumption., Comment: 4 pages

Published

2015

9. Privacy and Data Protection by Design - from policy to engineering

Author

Danezis, George, Domingo-Ferrer, Josep, Hansen, Marit, Hoepman, Jaap-Henk, Metayer, Daniel Le, Tirtea, Rodica, and Schiffner, Stefan

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, D.4.6, K.4.1, H.2.0, Cryptography and Security (cs.CR), 94A60

Abstract

Privacy and data protection constitute core values of individuals and of democratic societies. There have been decades of debate on how those values -and legal obligations- can be embedded into systems, preferably from the very beginning of the design process. One important element in this endeavour are technical mechanisms, known as privacy-enhancing technologies (PETs). Their effectiveness has been demonstrated by researchers and in pilot implementations. However, apart from a few exceptions, e.g., encryption became widely used, PETs have not become a standard and widely used component in system design. Furthermore, for unfolding their full benefit for privacy and data protection, PETs need to be rooted in a data governance strategy to be applied in practice. This report contributes to bridging the gap between the legal framework and the available technological implementation measures by providing an inventory of existing approaches, privacy design strategies, and technical building blocks of various degrees of maturity from research and development. Starting from the privacy principles of the legislation, important elements are presented as a first step towards a design process for privacy-friendly systems and services. The report sketches a method to map legal obligations to design strategies, which allow the system designer to select appropriate techniques for implementing the identified privacy requirements. Furthermore, the report reflects limitations of the approach. It concludes with recommendations on how to overcome and mitigate these limits., Comment: 79 pages in European Union Agency for Network and Information Security (ENISA) report, December 2014, ISBN 978-92-9204-108-3

Published

2015

10. Supplementary Materials for 'How to Avoid Reidentification with Proper Anonymization'- Comment on 'Unique in the shopping mall: on the reidentifiability of credit card metadata'

Author

Sánchez, David, Martínez, Sergio, and Domingo-Ferrer, Josep

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, Cryptography and Security (cs.CR), K.4.1

Abstract

The study by De Montjoye et al. ("Science", 30 January 2015, p. 536) claimed that most individuals can be reidentified from a deidentified credit card transaction database and that anonymization mechanisms are not effective against reidentification. Such claims deserve detailed quantitative scrutiny, as they might seriously undermine the willingness of data owners and subjects to share data for research. In a recent Technical Comment published in "Science" (18 March 2016, p. 1274), we demonstrate that the reidentification risk reported by De Montjoye et al. was significantly overestimated (due to a misunderstanding of the reidentification attack) and that the alleged ineffectiveness of anonymization is due to the choice of poor and undocumented methods and to a general disregard of 40 years of anonymization literature. The technical comment also shows how to properly anonymize data, in order to reduce unequivocal reidentifications to zero while retaining even more analytical utility than with the poor anonymization mechanisms employed by De Montjoye et al. In conclusion, data owners, subjects and users can be reassured that sound privacy models and anonymization methods exist to produce safe and useful anonymized data. Supplementary materials detailing the data sets, algorithms and extended results of our study are available here. Moreover, unlike the De Montjoye et al.'s data set, which was never made available, our data, anonymized results, and anonymization algorithms can be freely downloaded from http://crises-deim.urv.cat/opendata/SPD_Science.zip

Published

2015

11. Privacy-Preserving Trust Management Mechanisms from Private Matching Schemes

Author

Farràs, Oriol, Domingo-Ferrer, Josep, and Blanco-Justicia, Alberto

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, Cryptography and Security (cs.CR)

Abstract

Cryptographic primitives are essential for constructing privacy-preserving communication mechanisms. There are situations in which two parties that do not know each other need to exchange sensitive information on the Internet. Trust management mechanisms make use of digital credentials and certificates in order to establish trust among these strangers. We address the problem of choosing which credentials are exchanged. During this process, each party should learn no information about the preferences of the other party other than strictly required for trust establishment. We present a method to reach an agreement on the credentials to be exchanged that preserves the privacy of the parties. Our method is based on secure two-party computation protocols for set intersection. Namely, it is constructed from private matching schemes., Comment: The material in this paper will be presented in part at the 8th DPM International Workshop on Data Privacy Management (DPM 2013)

Published

2013

12. On the security of a privacy-preserving key management scheme for location based services in VANETs

Author

Domingo-Ferrer, Josep

Published

2013

13. Feature Selection and Outliers Detection with Genetic Algorithms and Neural Networks

Author

Solanas, Agusti, Romero, Enrique, Gomez, Sergio, Sopena, Josep M., Alquezar, Rene, Domingo-Ferrer, Josep, and Universitat Rovira i Virgili

Subjects

Medicina ii, Comunicació i informació, Artificial intelligence, General o multidisciplinar, Feature selection, Información y documentación, Ciências agrárias i, Interdisciplinar, Genetic algorithms, Engenharias iv, Neural networks, Engenharias iii

Abstract

This paper presents a new feature selection method and an outliers detection algorithm The presented method is based on using a genetic algorithm combined with a problem specific designed neural network The dimensional reduction and the outliers detection makes the resulting dataset more suitable for training neural networks A comparative analysis between different kind of proposed criteria to select the features is reported A number of experimental results have been carried out to demonstrate the usefulness of the presented technique

Published

2005

14. Disclosure risk assessment in statistical microdata protection via advanced record linkage

Author

Domingo-Ferrer, Josep, Torra, Vicenç, and European Commission

Subjects

Record linkage, Reidentification, ComputingMilieux_COMPUTERSANDSOCIETY, Statistical disclosure control, Disclosure risk for microdata

Abstract

The performance of Statistical Disclosure Control (SDC) methods for microdata (also called masking methods) is measured in terms of the utility and the disclosure risk associated to the protected microdata set. Empirical disclosure risk assessment based on record linkage stands out as a realistic and practical disclosure risk assessment methodology which is applicable to every conceivable masking method. The intruder is assumed to know an external data set, whose records are to be linked to those in the protected data set; the percent of correctly linked record pairs is a measure of disclosure risk. This paper reviews conventional record linkage, which assumes shared variables between the external and the protected data sets, and then shows that record linkage - and thus disclosure - is still possible without shared variables., This work has been partially supported by the European Commission under project no. IST-2000-25069 “CASC”.

Published

2003

15. Esquemas de fingerprinting para la protección de derechos de distribución

Author

Fernández Muñoz, Marcel|||0000-0001-7655-135X, Soriano Ibáñez, Miguel|||0000-0003-0457-8531, Domingo Ferrer, Josep, Sebé Feixas, Francesc, Universitat Politècnica de Catalunya. Departament d'Enginyeria Telemàtica, and Universitat Politècnica de Catalunya. ISG - Grup de Seguretat de la Informació

Subjects

códigos correctores de erro­res, Informàtica::Seguretat informàtica [Àrees temàtiques de la UPC], Computer security, detección de copia, protección de los derechos de distribución, Propietat intel·lectual -- Innovacions tecnològiques, Seguretat informàtica, fingerprinring, protección de la propiedad inte­lectual, confabulación

Published

2002

16. Towards decentralized and privacy-preserving data marketplaces to unlock data for AI: An examination of Ocean Protocol

Author

Schwill, Frederic Christopher and Domingo Ferrer, Josep

Subjects

Enginyeria informàtica, Computer engineering, Ingeniería informática

Published

2021

17. Utility-Preserving Anonymization of Textual Documents

Author

Hassan, FadiAbdulfattah Mohammed, Departament d'Enginyeria Informàtica i Matemàtiques, Universitat Rovira i Virgili., Domingo Ferrer, Josep, Sánchez Ruenes, David, and Universitat Rovira i Virgili. Departament d'Enginyeria Informàtica i Matemàtiques

Subjects

Artificial intelligence, Datos textuales, Privacidad de datos, Intel·ligència Artificial, Enginyeria i arquitectura, Textual data, Inteligencia Artificial, Dades textuals, Data privacy, Privacitat de dades

Abstract

Cada dia els éssers humans afegim una gran quantitat de dades a Internet, tals com piulades, opinions, fotos i vídeos. Les organitzacions que recullen aquestes dades tan diverses n'extreuen informació per tal de millorar llurs serveis o bé per a propòsits comercials. Tanmateix, si les dades recollides contenen informació personal sensible, hom no les pot compartir amb tercers ni les pot publicar sense el consentiment o una protecció adequada dels subjectes de les dades. Els mecanismes de preservació de la privadesa forneixen maneres de sanejar les dades per tal que no revelin identitats o atributs confidencials. S'ha proposat una gran varietat de mecanismes per anonimitzar bases de dades estructurades amb atributs numèrics i categòrics; en canvi, la protecció automàtica de dades textuals no estructurades ha rebut molta menys atenció. En general, l'anonimització de dades textuals exigeix, primer, detectar trossos del text que poden revelar informació sensible i, després, emmascarar aquests trossos mitjançant supressió o generalització. En aquesta tesi fem servir diverses tecnologies per anonimitzar documents textuals. De primer, millorem les tècniques existents basades en etiquetatge de seqüències. Després, estenem aquestes tècniques per alinear-les millor amb el risc de revelació i amb les exigències de privadesa. Finalment, proposem un marc complet basat en models d'immersió de paraules que captura un concepte més ampli de protecció de dades i que forneix una protecció flexible guiada per les exigències de privadesa. També recorrem a les ontologies per preservar la utilitat del text emmascarat, és a dir, la seva semàntica i la seva llegibilitat. La nostra experimentació extensa i detallada mostra que els nostres mètodes superen els mètodes existents a l'hora de proporcionar anonimització robusta tot preservant raonablement la utilitat del text protegit. Cada día las personas añadimos una gran cantidad de datos a Internet, tales como tweets, opiniones, fotos y vídeos. Las organizaciones que recogen dichos datos los usan para extraer información para mejorar sus servicios o para propósitos comerciales. Sin embargo, si los datos recogidos contienen información personal sensible, no pueden compartirse ni publicarse sin el consentimiento o una protección adecuada de los sujetos de los datos. Los mecanismos de protección de la privacidad proporcionan maneras de sanear los datos de forma que no revelen identidades ni atributos confidenciales. Se ha propuesto una gran variedad de mecanismos para anonimizar bases de datos estructuradas con atributos numéricos y categóricos; en cambio, la protección automática de datos textuales no estructurados ha recibido mucha menos atención. En general, la anonimización de datos textuales requiere, primero, detectar trozos de texto que puedan revelar información sensible, para luego enmascarar dichos trozos mediante supresión o generalización. En este trabajo empleamos varias tecnologías para anonimizar documentos textuales. Primero mejoramos las técnicas existentes basadas en etiquetaje de secuencias. Posteriormente las extendmos para alinearlas mejor con la noción de riesgo de revelación y con los requisitos de privacidad. Finalmente, proponemos un marco completo basado en modelos de inmersión de palabras que captura una noción más amplia de protección de datos y ofrece protección flexible guiada por los requisitos de privacidad. También recurrimos a las ontologías para preservar la utilidad del texto enmascarado, es decir, su semantica y legibilidad. Nuestra experimentación extensa y detallada muestra que nuestros métodos superan a los existentes a la hora de proporcionar una anonimización más robusta al tiempo que se preserva razonablemente la utilidad del texto protegido. Every day, people post a significant amount of data on the Internet, such as tweets, reviews, photos, and videos. Organizations collecting these types of data use them to extract information in order to improve their services or for commercial purposes. Yet, if the collected data contain sensitive personal information, they cannot be shared with third parties or released publicly without consent or adequate protection of the data subjects. Privacy-preserving mechanisms provide ways to sanitize data so that identities and/or confidential attributes are not disclosed. A great variety of mechanisms have been proposed to anonymize structured databases with numerical and categorical attributes; however, automatically protecting unstructured textual data has received much less attention. In general, textual data anonymization requires, first, to detect pieces of text that may disclose sensitive information and, then, to mask those pieces via suppression or generalization. In this work, we leverage several technologies to anonymize textual documents. We first improve state-of-the-art techniques based on sequence labeling. After that, we extend them to make them more aligned with the notion of privacy risk and the privacy requirements. Finally, we propose a complete framework based on word embedding models that captures a broader notion of data protection and provides flexible protection driven by privacy requirements. We also leverage ontologies to preserve the utility of the masked text, that is, its semantics and readability. Extensive experimental results show that our methods outperform the state of the art by providing more robust anonymization while reasonably preserving the utility of the protected outcomes

Published

2021

18. Toward a universal privacy and information-preserving framework for individual data exchange

Author

Ruiz, Nicolas, Departament d'Enginyeria Informàtica i Matemàtiques, Universitat Rovira i Virgili., Domingo-Ferrer, Josep, Muralidhar, Krishnamurthy, and Universitat Rovira i Virgili. Departament d'Enginyeria Informàtica i Matemàtiques

Subjects

privadesa, privacidad, datos individuales, Ciències, individual data, dades individuals, privacy, information, información, informació

Abstract

Data on individual subjects, which are increasingly gathered and exchanged, provide a rich amount of information that can inform statistical and policy analysis in a meaningful way. However, due to the legal obligations surrounding such data, this wealth of information is often not fully exploited in order to protect the confidentiality of respondents. The issue is thus the following: how to ensure a sufficient level of data protection to meet releasers’ concerns in terms of legal and ethical requirements, while still offering users a reasonable level of information. This question has raised a range concerns about the privacy/information trade-off and has driven a quest for best practices that can be both useful to users but also respectful of individuals’ privacy. Statistical disclosure control research has historically provided the analytical apparatus through which the privacy/information trade-off can be assessed and implemented. In recent years, the literature has burgeoned in many directions. In particular, techniques applicable to micro data offer a wide variety of tools to protect the confidentiality of respondents while maximizing the information content of the data released, for the benefit of society at large. Such diversity is undoubtedly useful but has several major drawbacks. In fact, there is currently a clear lack of agreement and clarity as to the appropriate choice of tools in a given context, and as a consequence, there is no comprehensive view (or at best an incomplete one) of the relative performances of the techniques available. The practical scope of current micro data protection methods is not fully exploited precisely because there is no overarching framework: all methods generally carry their own analytical environment, underlying approaches and definitions of privacy and information. Moreover, the evaluation of utility and privacy for each method is metric and data-dependent, meaning that comparisons across different methods and datasets is a daunting task. Against this backdrop, this thesis focuses on establishing some common grounds for individual data anonymization by developing a new, universal approach. Recent contributions to the literature point to the fact that permutations happen to be the essential principle upon which individual data anonymization can be based. In this thesis, we demonstrate that this principle allows for the proposal of a universal analytical environment for data anonymization. The first contribution of this thesis takes an ex-post approach by proposing some universal measures of disclosure risk and information loss that can be computed in a simple fashion and used for the evaluation of any anonymization method, independently of the context under which they operate. In particular, they exhibit distributional independence. These measures establish a common language for comparing different mechanisms, all with potentially varying parametrizations applied to the same data set or to different data sets. The second contribution of this thesis takes an ex-ante approach by developing a new approach to data anonymization. Bringing data anonymization closer to cryptography, it formulates a general cipher based on permutation keys which appears to be equivalent to a general form of rank swapping. Beyond all the existing methods that this cipher can universally reproduce, it also offers a new way to practice data anonymization based on the ex-ante exploration of different permutation structures. The subsequent study of the cipher’s properties additionally reveals new insights as to the nature of the task of anonymization taken at a general level of functioning. The final two contributions of this thesis aim at exploring two specific areas using the above results. The first area is longitudinal data anonymization. Despite the fact that the SDC literature offers a wide variety of tools suited to different contexts and data types, there have been very few attempts to deal with the challenges posed by longitudinal data. This thesis thus develops a general framework and some associated metrics of disclosure risk and information loss, tailored to the specific challenges posed by longitudinal data anonymization. Notably, it builds on a permutation approach where the effect of time on time-variant attributes can be seen as an anonymization method that can be captured by temporal permutations. The second area considered is synthetic data. By challenging the information and privacy guarantees of synthetic data, it is shown that any synthetic data set can always be expressed as a permutation of the original data, in a way similar to non-synthetic SDC techniques. In fact, releasing synthetic data sets with the same privacy properties but with an improved level of information appears to be invariably possible as the marginal distributions can always be preserved without increasing risk. On the privacy front, this leads to the consequence that the distinction drawn in the literature between non-synthetic and synthetic data is not so clear-cut. Indeed, it is shown that the practice of releasing several synthetic data sets for a single original data set entails privacy issues that do not arise in non-synthetic anonymization.

Published

2019

19. Outsourcing Computation on Non-Encrypted SensitiveData to Untrusted Clouds

Author

Ricci, Sara, Departament d'Enginyeria Informàtica i Matemàtiques, Universitat Rovira i Virgili., Domingo-Ferrer, Josep, Soria Comas, Jorge, and Universitat Rovira i Virgili. Departament d'Enginyeria Informàtica i Matemàtiques

Subjects

divisió de dades, división de datos, Ciències, cloud computing, evaluació de riscos-utilitat, evaluación de riesgos-utilidad, computació en núvol, data splitting, computación en la nube, risk-utility assessment

Abstract

L’emmagatzematge i el processat de grans dades en entorns locals presenta certs inconvenients, però l’ús del núvol per emmagatzemar i processar les dades pot donar lloc a problemes de privadesa i seguretat. En aquesta tesi tractem la problemàtica associada a l’ús de núvols no confiables. En particular, volem que el núvol pugui fer dos operacions amb dades sensibles no xifrades de manera pràctica i que preservi la privadesa: productes escalars i productes de matrius. Aquestes operacions són útils per fer diferents tipus d’anàlisis de dades com ara el càlcul de correlacions entre atributs i el càlcul de taules de contingència. Els nostres protocols ens permeten usar el núvol no només per emmagatzemar dades sensibles no xifrades sinó també per processar-les. Les avaluacions experimentals amb dades categòriques fetes sobre el serveis de núvol d’Amazon mostren que, amb els nostres protocols, l’administrador de les dades pot reduir el temps d’execució de les computacions més exigents en més del 99.999%. També presentem una metodologia per comparar mètodes de control estadstic de la revelació (SDC, l’acrònim anglès) per microdades en termes del equilibri entre risc i utilitat resultant. Els estudis comparatius anteriors comencen habitualment per seleccionar alguns valors dels paràmetres per un conjunt de mètodes SDC i avaluen el risc de revelació i la pèrdua d’informació que produeixen aquests paràmetres. Aqu comencem per seleccionar un nivell de risc i busquem els valors dels paràmetres necessaris per obtenir aquest nivell de risc amb cadascun dels mètodes SDC s’avaluen. Finalment, avaluem la utilitat, cosa que permet ordenar els mètodes d’acord a la utilitat. El almacenamiento i el procesado de grandes datos en entornos local presenta algunos inconvenientes, pero el uso de la nube para almacenar i procesar estos datos puede dar lugar a problemas de privacidad i de seguridad. En esta tesis tratamos la problemática asociada a el uso de nubes no confiables. En particular, queremos que la nube pueda hacer dos operaciones con datos sensibles no cifrados de forma práctica i que preserve la privacidad: productos escalares i productos de matrices. Nuestros protocolos nos permiten usar la nube no solo para almacenar datos sensibles no cifrados sino también para procesarlos. Las evaluaciones experimentales con datos categóricos que se han realizado sobre los servicios de nube de Amazon muestran que, con nuestros protocolos, el administrador de los datos puede reducir el tiempo de ejecución de las computaciones más exigentes en más del 99.999%. También presentamos una metodologa para comparar métodos de control estadstico de la revelación (SDC, acrónimo inglés) para microdatos en términos del equilibrio entre riesgo y utilidad que resulta. Los estudios comparativos anteriores empiezan habitualmente por seleccionar algunos valores de los parámetros para un conjunto de métodos SDC i evalúan el riesgo de revelación i perdida de información que producen estos parámetros. Aqu comenzamos por seleccionar un nivel de riesgo i buscamos los valores de los parámetros necesarios para obtener dicho nivel de riesgo con cada uno de los métodos SDC que se evalúan. Finalmente, una vez ja hemos conseguido un nivel de riesgo equivalente en los diferentes métodos SDC, evaluamos la utilidad, cosa que permite ordenar los métodos con respecto a la utilidad. Storing and processing big data in local premises is increasingly inconvenient, but resorting to cloud storage and processing raises security and privacy issues. We tackle here the problem of outsourcing to untrusted clouds in a practical and privacy-preserving manner two basic operations on non-encrypted sensitive data: scalar products and matrix products. These operations are useful to perform data analyses such as correlations between attributes or contingency tables, among others. Our protocols allow using the cloud not only to store sensitive non-encrypted data, but also to process them. In addition to analyzing the security of the proposed protocols, we also evaluate their performance against a baseline consisting of downloading plus local computation. The experiments on categorical data that we report on the Amazon cloud service show that, with our protocols, the data controller can save more than 99.999% runtime for the most demanding computations. We also present here a methodology to compare statistical disclosure control (SDC) methods for microdata in terms of how they perform regarding the risk-utility trade-off. Previous comparative studies usually start by selecting some parameter values for a set of SDC methods and evaluate the disclosure risk and the information loss yielded by the methods for those parameterizations. In contrast, here we start by setting a certain risk level and then we find which parameter values are needed to attain that risk under different SDC methods. Finally, we evaluate the utility provided by each method, in order to rank methods according to their utility preservation.

Published

2018

20. Co-Utility in the Digital Economy: Conciliating Individual Freedom and Common Good in the Information Society

Author

Turi, Abeba Nigussie, Sánchez Ruenes, David, Domingo-Ferrer, Josep, Universitat Rovira i Virgili. Departament d'Enginyeria Informàtica i Matemàtiques, Departament d'Enginyeria Informàtica i Matemàtiques, and Universitat Rovira i Virgili.

Subjects

Economia colaborativa, Reputacio digital, Enginyeria i arquitectura, Collaborative Economy, Economia col.laborativa, co-utilitat, co-utilidad, Reputacion digital, Co-utility, Digital Reputation

Abstract

L'economia col·laborativa fa referència a l'economia digital del segle XXI, que es basa en la tecnologia de la informació com a principal catalitzador. Aquest sistema econòmic es caracteritza per l'eliminació d’intermediaris en la cadena de subministrament del sistema econòmic centralitzat tradicional. Les plataformes digitals que faciliten les transaccions entre iguals permeten que funcioni el sistema de negoci de xarxes d’igual a igual que estan subjectes a aquest model. A mesura que aquesta forma col·laborativa de creació de valor emergeix i el sistema econòmic esdevé més complex, apareixen problemes que en redueixen l’eficiència. Alguns dels nous reptes i incerteses que es presenten actualment en l’economia col·laborativa inclouen riscos en la privadesa i en la seguretat, riscos operatius, fallada de la plataforma, manca de confiança entre els usuaris participants en la transacció fruit de l'asimetria informativa, risc d'impagament, usura, risc financer sistèmic a causa de la liquiditat, i risc creditici causat per la incertesa en el cicle de negoci. A banda de les seves externalitats per als models de negoci tradicionals i per als seus actors històrics, l’economia col·laborativa també planteja un repte al govern pel que fa a la promulgació de noves regles i lleis que regeixin els nous models de negoci , amb la qual cosa interromp els ingressos fiscals durant la seva etapa de creixement. En aquest treball, l'objectiu és acostar-nos al sistema econòmic col·laboratiu i abordar alguns dels problemes esmentats anteriorment mitjançant la introducció del concepte de coutilitat, que té a veure amb el principi d’autoregulació. Hem considerat casos d'ús específics del model col·laboratiu i hem identificat problemes concrets; a partir d’aquí, hem desenvolupat protocols coútils proveïts de mecanismes d’incentivació per tal d’abordar els problemes subjacents. En resum, el treball que presentem contribueix a l'escassa literatura sobre economia col·laborativa i permet de millorar els mètodes convencionals en ús., La economía colaborativa hace referencia a la economía digital del siglo XXI que se basa en la tecnología de la información como principal catalizador. Este sistema económico está dando forma a las tendencias actuales en consumo, producción, distribución y uso de recursos limitados. Se caracteriza por la desintermediación del sistema económico centralizado tradicional. Las plataformas digitales que facilitan las transacciones entre pares permiten que funcionen los modelos de negocio de redes de pares. A medida que esta forma colaborativa de creación de valor emerge y el sistema económico se vuelve más complejo, van apareciendo problemas que dificultan su eficiencia. Algunos de los nuevos desafíos e incertidumbres que se presentan actualmente en la economía colaborativa incluyen riesgos de privacidad y seguridad, riesgos operativos, fallo de la plataforma, falta de confianza entre los pares participantes en la transacción como resultado de la asimetría informativa, riesgo de impago, usura, riesgo financiero sistémico debido a la liquidez, y riesgo crediticio dado por la incertidumbre en el ciclo empresarial. Aparte de las externalidades para los modelos de negocio tradicionales y sus actores históricos, este sistema económico también plantea un reto al gobierno en lo tocante a la promulgación de nuevas reglas y leyes que rijan los nuevos modelos de negocio. En el presente trabajo, el objetivo es acercarnos al sistema económico colaborativo y abordar algunos de los problemas mencionados anteriormente mediante la introducción del concepto de coutilidad, que está relacionado con el principio de autoregulación. Hemos considerado casos de uso específicos de los modelos de negocio colaborativos y hemos identificado problemas concretos; a partir de aquí, hemos desarrollado protocolos coútiles mediante mecanismos de incentivación que puedan abordar los problemas subyacentes. En resumen, el trabajo aquí presentado contribuye a la escasa literatura sobre la economía colaborativa y permite mejorar los métodos convencionales en uso., The collaborative economy refers to the digital economy of the millennial era which relies on the information technology as the main catalyst. Mesh, peer or sharing economy are the other terms that are interchangeably used to refer to the hybrid market models of this economy. Financial technologies, including the business lines of peer-to-peer transactions, the crowdfunding and crowdsourcing, innovation and educational marketplaces, are some of the common structures of this economy. It is mainly characterized by the disintermediation of the traditional centralized form of economic system. The peer-to-peer business models underlying this economic system are enabled by the digital platforms that facilitate direct peer-to-peer transactions. As this collaborative form of value creation emerges and the economic system gets more complicated, the system becomes prone to many serious problems that hamper its efficiency. Some of the new challenges and uncertainties currently arising in this economic system include privacy risks, security and operational risks (dangers of fraud, cybercrime and operational outages), platform failure, lack of trust between the transacting peers resulting from the information asymmetry, risk of default, usury and systemic financial risks due to liquidity, and credit risks with the business cycle uncertainties. Apart from its externalities to the traditional business models and incumbent players, this economic system also poses a challenge to the government in enacting new rules and regulations that govern the new businesses models and hence disrupts the government revenues at its current stage of growth. In this work, we aim at approaching this economic system and tackle some of the aforementioned problems associated with it by introducing the notion of co-utility, which adheres to the self-governance principle. By considering specific use cases of the collaborative economy business models and identifying the case-specific problems, we design co-utile protocols through incentive mechanisms that can tackle the underlying problems.

Published

2017

21. Random Walk with Restart over Dynamic Graphs

Author

Weiren Yu, Julie A. McCann, Bonchi, Francesco, Domingo-Ferrer, Josep, Baeza-Yates, Ricardo, et al, NEC Corporation, and NEC Research Institute Inc

Subjects

Discrete mathematics, Stochastic matrix, Outer product, 02 engineering and technology, Random walk, LU decomposition, Matrix multiplication, law.invention, Matrix decomposition, law, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Symmetric matrix, 020201 artificial intelligence & image processing, QA, Algorithm, Commutative property, Mathematics

Abstract

Random Walk with Restart (RWR) is an appealing measure of proximity between nodes based on graph structures. Since real graphs are often large and subject to minor changes, it is prohibitively expensive to recompute proximities from scratch. Previous methods use LU decomposition and degree reordering heuristics, entailing O(|ν| 3 ) time and O(|ν| 2 ) memory to compute all (|ν| 2 ) pairs of node proximities in a static graph. In this paper, a dynamic scheme to assess RWR proximities is proposed: (1) For unit update, we characterize the changes to all-pairs proximities as the outer product of two vectors. We notice that the multiplication of an RWR matrix and its transition matrix, unlike traditional matrix multiplications, is commutative. This can greatly reduce the computation of all-pairs proximities from O(|ν| 3 ) to O(|Δ|) time for each update without loss of accuracy, where |Δ| (≪|V| 2 ) is the number of affected proximities. (2) To avoid O(|V| 2 ) memory for all pairs of outputs, we also devise efficient partitioning techniques for our dynamic model, which can compute all pairs of proximities segment-wisely within O(I|V|) memory and O([|V|/l]) I/O costs, where 1 ≤ I ≤ |V| is a user-controlled trade-off between memory and I/O costs. (3) For bulk updates, we also devise aggregation and hashing methods, which can discard many unnecessary updates further and handle chunks of unit updates simultaneously. Our experimental results on various datasets demonstrate that our methods can be 1-2 orders of magnitude faster than other competitors while securing scalability and exactness.\ud

Published

2016

22. Improving data utility in differential privacy and k-anony mity

Author

Soria Comas, Jorge, Domingo-Ferrer, Josep, 1965, and Universitat Rovira i Virgili. Departament d'Enginyeria Informàtica i Matemàtiques

Subjects

K-anonymity, data privacy, Differential privacy, ComputingMilieux_COMPUTERSANDSOCIETY

Abstract

We deal with SDC from the computer science community perspective. The focus lies on two mainstream privacy models: k-anonymity and differential privacy. Once a privacy model has been selected, the goal is to enforce it while preserving as much data utility as possible. The main objective of this thesis is to improve the data utility in k-anonymous and differentially private data releases. k-Anonymity has several drawbacks. On the disclosure limitation side, there is a lack of protection against attribute disclosure and against informed intruders. On the data utility side, dealing with a large number of quasi-identifier attributes is problematic. We propose a relaxation of k-anonymity that deals with these issues. Differential privacy limits disclosure risk through noise addition. The Laplace distribution is commonly used for the random noise. We show that the Laplace distribution is not optimal: the same disclosure limitation guarantee can be attained by adding less noise. Optimal univariate and multivariate noises are characterized and constructed. Common mechanisms to attain differential privacy do not take into account the users’ prior knowledge; they implicitly assume zero initial knowledge about the query response. We propose a mechanism that focuses on limiting the knowledge gain over the prior knowledge. Microaggregation-based k-anonymity and differential privacy can be combined to produce microdata releases with the strong privacy guarantees of differential privacy and improved data accuracy., Aquesta tesi adopta el punt de vista de la comunitat informàtica. Ens centrem en dos models de privadesa àmpliament acceptats: el k-anonimat i la privadesa diferencial. Un cop triat el model de privadesa, l’objectiu passa a ser complir-ne els requisits, alhora que preservar la màxima utilitat possible en les dades resultants. L’objectiu principal d’aquesta tesi és la millora de la utilitat en la publicació de dades k-anònimes i diferencialment privades. El k-anonimat presenta alguns problemes. Pel que fa al risc de revelació, no protegeix contra la revelació d’atributs ni contra intrusos informats. Pel que fa a la utilitat de les dades, tractar amb fitxers amb un nombre elevat d’atributs quasiidentificadors pot ser problemàtic. Proposem una relaxació del k-anonimat que tracta aquests problemas. La privadesa diferencial limita el risc de revelació afegint un soroll aleatori al resultat de les consultes. Mostrem que la distribució de Laplace no és òptima: es poden complir els requeriments de la privadesa diferencial afegint sorolls més petits. A més, caracteritzem i construïm les distribucions òptimes (univariant i multivariant). Els mecanismes habituals per obtener privadesa diferencial no tenen en compte el possible coneixement previ dels usuaris; implícitament, se’ls suposa un coneixement nul. Proposem un mecanismo basat a limitar el guany de coneixement de l’usuari respecte del seu coneixement inicial. El k-anonimat i la privadesa diferencial es presenten sovint com a models contraposats. La privadesa diferencial i el k-anonimat no són conceptes completament inconnexos: si es pren com a punt de partida per obtenir privadesa diferencial un conjunt de dades k-anònim (obtingut mitjançant un cert tipus de microagregació), la quantitat de soroll necessari es veu reduïda significativament., Adoptamos aquí el proceder de la comunidad informática y nos ocupamos de dos de los principales modelos de privacidad: k-anonimato y privacidad diferencial. Una vez seleccionado un modelo de privacidad, el objetivo pasa a ser cumplir con sus requisitos, a la vez que se trata de preservar la máxima utilidad posible para los datos El k-anonimato presenta algunos problemas. En relación a la limitación del riesgo de revelación, no protege contra la revelación de atributos, ni contra intrusos informados. En relación a la utilidad de los datos, tratar con ficheros que tienen un número elevado de atributos cuasi-identificadores es problemático. Proponemos un nuevo modelo basado en la relajación del requisito de indistinguibilidad que establece el k-anonimato. La privacidad diferencial limita el riesgo de revelación añadiendo un ruido aleatorio al resultado de las consultas. Habitualmente se utiliza la distribución de Laplace para generar dicho ruido. En esta tesis mostramos que la distribución de Laplace no es óptima. Asimismo, caracterizamos y construimos las distribuciones óptimas (univariante y multivariante). Los mecanismos usuales para obtener privacidad diferencial no tienen en cuenta este conocimiento previo; implícitamente, se supone un conocimiento nulo. Proponemos un mecanismo para obtener privacidad diferencial orientado a limitar la ganancia de conocimiento del usuario con respecto a su conocimiento previo. El k-anonimato y la privacidad diferencial son a menudo presentados como nociones de privacidad contrapuestas. Mostramos que tomando como datos de partida para obtener privacidad diferencial un conjunto de datos k-anónimo (construido mediante un cierto tipo de microagregación) se reduce la cantidad de ruido necesaria y se mejora la utilidad de la información.

Published

2013

23. Privacy in rfid and mobile objects

Author

Trujillo Rasua, Rolando, Solanas Gómez, Agustí, Domingo-Ferrer, Josep, 1965, and Universitat Rovira i Virgili. Departament d'Enginyeria Informàtica i Matemàtiques

Subjects

Computer science [C05] [Engineering, computing & technology], RFID, Trajectory anonymization, Privacy, Distance-bounding protocols, Security, Scalability, Sciences informatiques [C05] [Ingénierie, informatique & technologie], Spatio-temporal data

Abstract

Los sistemas RFID permiten la identificación rápida y automática de etiquetas RFID a través de un canal de comunicación inalámbrico. Dichas etiquetas son dispositivos con cierto poder de cómputo y capacidad de almacenamiento de información. Es por ello que los objetos que contienen una etiqueta RFID adherida permiten la lectura de una cantidad rica y variada de datos que los describen y caracterizan, por ejemplo, un código único de identificación, el nombre, el modelo o la fecha de expiración. Además, esta información puede ser leída sin la necesidad de un contacto visual entre el lector y la etiqueta, lo cual agiliza considerablemente los procesos de inventariado, identificación, o control automático. Para que el uso de la tecnología RFID se generalice con éxito, es conveniente cumplir con varios objetivos: eficiencia, seguridad y protección de la privacidad. Sin embargo, el diseño de protocolos de identificación seguros, privados, y escalables es un reto difícil de abordar dada las restricciones computacionales de las etiquetas RFID y su naturaleza inalámbrica. Es por ello que, en la presente tesis, partimos de protocolos de identificación seguros y privados, y mostramos cómo se puede lograr escalabilidad mediante una arquitectura distribuida y colaborativa. De este modo, la seguridad y la privacidad se alcanzan mediante el propio protocolo de identificación, mientras que la escalabilidad se logra por medio de novedosos métodos colaborativos que consideran la posición espacial y temporal de las etiquetas RFID. Independientemente de los avances en protocolos inalámbricos de identificación, existen ataques que pueden superar exitosamente cualquiera de estos protocolos sin necesidad de conocer o descubrir claves secretas válidas ni de encontrar vulnerabilidades en sus implementaciones criptográficas. La idea de estos ataques, conocidos como ataques de “relay”, consiste en crear inadvertidamente un puente de comunicación entre una etiqueta legítima y un lector legítimo. De este modo, el adversario usa los derechos de la etiqueta legítima para pasar el protocolo de autenticación usado por el lector. Nótese que, dada la naturaleza inalámbrica de los protocolos RFID, este tipo de ataques representa una amenaza importante a la seguridad en sistemas RFID. En esta tesis proponemos un nuevo protocolo que además de autenticación realiza un chequeo de la distancia a la cual se encuentran el lector y la etiqueta. Este tipo de protocolos se conocen como protocolos de acotación de distancia, los cuales no impiden este tipo de ataques, pero sí pueden frustrarlos con alta probabilidad. Por último, afrontamos los problemas de privacidad asociados con la publicación de información recogida a través de sistemas RFID. En particular, nos concentramos en datos de movilidad que también pueden ser proporcionados por otros sistemas ampliamente usados tales como el sistema de posicionamiento global (GPS) y el sistema global de comunicaciones móviles. Nuestra solución se basa en la conocida noción de k-anonimato, alcanzada mediante permutaciones y microagregación. Para este fin, definimos una novedosa función de distancia entre trayectorias con la cual desarrollamos dos métodos diferentes de anonimización de trayectorias., Els sistemes RFID permeten la identificació ràpida i automàtica d’etiquetes RFID a través d’un canal de comunicació sense fils. Aquestes etiquetes són dispositius amb cert poder de còmput i amb capacitat d’emmagatzematge de informació. Es per això que els objectes que porten una etiqueta RFID adherida permeten la lectura d’una quantitat rica i variada de dades que els descriuen i caracteritzen, com per exemple un codi únic d’identificació, el nom, el model o la data d’expiració. A més, aquesta informació pot ser llegida sense la necessitat d’un contacte visual entre el lector i l’etiqueta, la qual cosa agilitza considerablement els processos d’inventariat, identificació o control automàtic. Per a que l’ús de la tecnologia RFID es generalitzi amb èxit, es convenient complir amb diversos objectius: eficiència, seguretat i protecció de la privacitat. No obstant això, el disseny de protocols d’identificació segurs, privats i escalables, es un repte difícil d’abordar dades les restriccions computacionals de les etiquetes RFID i la seva naturalesa sense fils. Es per això que, en la present tesi, partim de protocols d’identificació segurs i privats, i mostrem com es pot aconseguir escalabilitat mitjançant una arquitectura distribuïda i col•laborativa. D’aquesta manera, la seguretat i la privacitat s’aconsegueixen mitjançant el propi protocol d’identificació, mentre que l’escalabilitat s’aconsegueix per mitjà de nous protocols col•laboratius que consideren la posició espacial i temporal de les etiquetes RFID. Independentment dels avenços en protocols d’identificació sense fils, existeixen atacs que poden passar exitosament qualsevol d’aquests protocols sense necessitat de conèixer o descobrir claus secretes vàlides, ni de trobar vulnerabilitats a les seves implantacions criptogràfiques. La idea d’aquestos atacs, coneguts com atacs de “relay”, consisteix en crear inadvertidament un pont de comunicació entre una etiqueta legítima i un lector legítim. D’aquesta manera, l’adversari utilitza els drets de l’etiqueta legítima per passar el protocol d’autentificació utilitzat pel lector. Es important tindre en compte que, dada la naturalesa sense fils dels protocols RFID, aquests tipus d’atacs representen una amenaça important a la seguretat en sistemes RFID. En aquesta dissertació proposem un nou protocol que, a més d’autentificació, realitza una revisió de la distància a la qual es troben el lector i l’etiqueta. Aquests tipus de protocols es coneixen com a “distance-boulding protocols”, els quals no prevenen aquests tipus d’atacs, però si que poden frustrar-los amb alta probabilitat. Per últim, afrontem els problemes de privacitat associats amb la publicació de informació recol•lectada a través de sistemes RFID. En concret, ens concentrem en dades de mobilitat, que també poden ser proveïdes per altres sistemes àmpliament utilitzats tals com el sistema de posicionament global (GPS) i el sistema global de comunicacions mòbils. La nostra solució es basa en la coneguda noció de privacitat “k-anonymity” i parcialment en micro-agregació. Per a aquesta finalitat, definim una nova funció de distància entre trajectòries amb la qual desenvolupen dos mètodes diferents d’anonimització de trajectòries., Radio Frequency Identification (RFID) is a technology aimed at efficiently identifying and tracking goods and assets. Such identification may be performed without requiring line-of-sight alignment or physical contact between the RFID tag and the RFID reader, whilst tracking is naturally achieved due to the short interrogation field of RFID readers. That is why the reduction in price of the RFID tags has been accompanied with an increasing attention paid to this technology. However, since tags are resource-constrained devices sending identification data wirelessly, designing secure and private RFID identification protocols is a challenging task. This scenario is even more complex when scalability must be met by those protocols. Assuming the existence of a lightweight, secure, private and scalable RFID identification protocol, there exist other concerns surrounding the RFID technology. Some of them arise from the technology itself, such as distance checking, but others are related to the potential of RFID systems to gather huge amount of tracking data. Publishing and mining such moving objects data is essential to improve efficiency of supervisory control, assets management and localisation, transportation, etc. However, obvious privacy threats arise if an individual can be linked with some of those published trajectories. The present dissertation contributes to the design of algorithms and protocols aimed at dealing with the issues explained above. First, we propose a set of protocols and heuristics based on a distributed architecture that improve the efficiency of the identification process without compromising privacy or security. Moreover, we present a novel distance-bounding protocol based on graphs that is extremely low-resource consuming. Finally, we present two trajectory anonymisation methods aimed at preserving the individuals' privacy when their trajectories are released.

Published

2012

24. Contributions to Mental Poker

Author

Castellà Roca, Jordi, Sebé Feixas, Francesc, Domingo-Ferrer, Josep, 1965, Borrell i Viader, Joan, and Universitat Autònoma de Barcelona. Departament de Telecomunicació i Enginyeria de Sistemes

Subjects

Multiparty computation, Tecnologies, Cryptography, Mental Poker

Abstract

Les xarxes d'ordinadors i especialment Internet han permès que algunes activitats comuns com per exemple comprar o jugar es puguin fer de forma remota (e-shopping i e-gambling). El joc del poker a través d'una xarxa de computadors es coneix com mental poker. Mantenir la operativa del joc al mateix temps que es garanteixes els mateixos estàndards de seguretat, imparcialitat i auditoria que ofereixen els casinos en el poker tradicional és un problema complex. Els aspectes més importants a tenir en compte quan es dissenya un protocol de mental poker són els següents: la funcionalitat del joc, la seguretat, i els costos computacionals y de comunicació. Les propostes en la literatura normalment es centren únicament en els dos primers punts. Això fa difícil saber quina de les propostes és més eficient garantitzant la mateixa funcionalitat i seguretat. La tesi comença amb un anàlisi formal dels costos de les principals propostes en la literatura. El anàlisi no es limita als costos, sinó que estudia la seguretat de cada proposta, de fet, el nostre estudi va detectar una debilitat important en un dels protocols comparats. L'atac es presenta en un capítol separat desprès de l'anàlisi comparatiu global. Els tres capítols següents de la tesi presenten tres nous protocols que milloren les propostes de la literatura en diferents aspectes. La primera proposta pertany a la família de protocols sense TTP i que no preserven la confidencialitat de l'estratègia dels jugadors. La segona proposta és unprotocol sense TTP que preserva la confidencialitat de l'estratègia dels jugadors. El protocolredueix el cost computacional de manera que els jugadors realitzen menys operacionsmatemàtiques. La tercera proposta presenta una nova funcionalitat que normalment no ofereixen els protocols en la literatura, que és la tolerància a l'abandó de jugadors. És a dir, els jugadors poden continuar jugant malgrat alguns jugadors abandonin el jocal mig de la partida., Las redes de ordenadores y especialmente Internet han permitido que algunas actividades comunes como por ejemplo comprar o jugar se puedan hacer de forma remota (e-shopping y e-gamgling). El juego del poker a través de una red de ordenador es conocido como mental poker. Mantener la operativa del juego al mismo tiempo que se garantizan los mismos estándares de seguridad, imparcialidad y auditoria que ofrecen los casinos para el pokertradicional es un problema complejo. Los aspectos más importantes a tener en cuenta cuando se diseña un protocolo de mental poker son los siguientes: la funcionalidad del juego, la seguridad, y los costes computacionales y de comunicación. Las propuestas en la literatura normalmente se centran únicamente en los dos primeros puntos. Esto hace difícil saber cual de las propuestas es más eficiente garantizando la misma funcionalidad y seguridad. La tesis empieza con un análisis formal de los costes de las principales propuestas en la literatura. El análisis no se limita a los costes, sino que analiza la seguridad de cada propuesta, de hecho, nuestro estudio detectó una importante debilidad en uno de los protocolos comparados. El ataque es presentado en un capítulo separado después del análisis comparativo global. Los tres capítulos siguientes de la tesis presentan tres nuevos protocolos que mejoran las propuestas en la literatura en diferentes aspectos. La primera propuesta pertenece a la familia de protocolos sin TTP y que no preservan la confidencialidad de la estrategia de los jugadores. La segunda propuesta es un protocolo sin TTP que preserva la confidencialidad de la estrategia de los jugadores. El protocolo reduce el coste computacional de manera que los jugadores realizan menos operaciones matemáticas. La tercera propuesta presenta una nueva funcionalidad que normalmente no ofrecen los protocolos en la literatura, que es la tolerancia al abandono de los jugadores. Es decir, los jugadores pueden continuar jugando aunque algunos jugadores abandonen el juego en medio de la partida., Computer networks and especially the Internet have allowed some common activities such as shopping or gambling to become remote (e-shopping and e-gambling). The poker game played over a network is known as mental poker. The problem with mental poker is the difficulty of keeping it practical while guaranteeing the same standards of security, fairness and auditability offered by standard casinos for physical poker. The important aspects to take into account when designing mental poker protocols are: functionality, security, and computational and communication cost. Proposals in the literature usually focus on the first two items only. This makes comparisons difficult. This thesis starts with a formal cost analysis of the main proposals in the literature. The analysis is not limited to costs, though; security is also analyzed and, in fact, our study detected a fundamental weakness in one of the compared mental poker protocols. The attack is presented in a separate chapter after the global comparative analysis. The three following chapters of this thesis present three new protocols that enhance the proposals in the literature in different ways. The first proposal belongs to the family of TTP-free protocols and does not preserve the confidentiality of player strategies; it reduces the computational cost by avoiding the use of zeroknowledge proofs. The second proposal is TTP-free, preserves the confidentiality of player strategies and reduces the computational cost by requiring players to perform less mathematical operations. The third proposal addresses a novel functionality usually not offered in the literature, namely player dropout tolerance, i.e. the ability to continue the game even if some players leave it.

Published

2005

25. Individual differential privacy: A utility-preserving formulation of differential privacy guarantees

Author

Soria Comas, J., Domingo Ferrer, Josep, Sanchez, D., and Megías Jiménez, David

Abstract

Differential privacy is a popular privacy model within the research community because of the strong privacy guarantee it offers, namely that the presence or absence of any individual in a data set does not significantly influence the results of analyses on the data set. However, enforcing this strict guarantee in practice significantly distorts data and/or limits data uses, thus diminishing the analytical utility of the differentially private results. In an attempt to address this shortcoming, several relaxations of differential privacy have been proposed that trade off privacy guarantees for improved data utility. In this paper, we argue that the standard formalization of differential privacy is stricter than required by the intuitive privacy guarantee it seeks. In particular, the standard formalization requires indistinguishability of results between any pair of neighbor data sets, while indistinguishability between the actual data set and its neighbor data sets should be enough. This limits the data controller's ability to adjust the level of protection to the actual data, hence resulting in significant accuracy loss. In this respect, we propose individual differential privacy, an alternative differential privacy notion that offers the same privacy guarantees as standard differential privacy to individuals (even though not to groups of individuals). This new notion allows the data controller to adjust the distortion to the actual data set, which results in less distortion and more analytical accuracy. We propose several mechanisms to attain individual differential privacy and we compare the new notion against standard differential privacy in terms of the accuracy of the analytical results. © 2017 IEEE.