The first step to privacy-protecting your data is to understand privacy attributes

To effectively privacy-protect people’s data, businesses need a risk metric to evaluate privacy exposure and the effectiveness of protection actions. While many factors contribute to the overall privacy risk metric, the privacy risk of each dataset is the most important one.

Calculating privacy risk requires understanding that each value in the dataset has a specific privacy attribute, which depends on how unique the value is and on its relationship to other values in the dataset. For example, an email address is unique while gender is not; however, by combining gender, age, and zip code, the risk of re-identification becomes very high.
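To make that combination effect concrete, here is a minimal sketch in Python with pandas (the records and column names are made up, and this is not CN-Protect’s algorithm) that scores each record’s re-identification risk as 1/k, where k is the number of records sharing the same quasi-identifier values:

```python
# Illustrative only: estimate per-record re-identification risk as 1/k, where k is
# the number of records that share the same quasi-identifier values (a simple
# k-anonymity-style measure). The records and column names are made up.
import pandas as pd

records = pd.DataFrame({
    "gender":  ["F", "F", "M", "M", "F"],
    "age":     [34, 34, 51, 51, 29],
    "zipcode": ["10001", "10001", "94105", "94105", "60614"],
})

def reidentification_risk(df: pd.DataFrame, quasi_identifiers: list[str]) -> pd.Series:
    """Per-record risk: 1 divided by the size of the record's quasi-identifier group."""
    group_sizes = df.groupby(quasi_identifiers)[quasi_identifiers[0]].transform("size")
    return 1.0 / group_sizes

# A single quasi-identifier is fairly safe; the combination is not.
print(reidentification_risk(records, ["gender"]).max())                    # 0.5 at worst
print(reidentification_risk(records, ["gender", "age", "zipcode"]).max())  # 1.0 (a unique row)
```

With gender alone, the worst-case risk in this toy dataset is 0.5; once age and zip code are added, one record becomes unique and its risk reaches 1.0.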

There are three privacy attributes that any value in a dataset can have:

Direct identifiers: These values are highly unique, representing close to a 100% risk of re-identification. Examples include name, social security number, credit card number, and email address.

Quasi-identifiers: These values are not unique, so their privacy risk is low on their own; however, when combined with other quasi-identifiers, the risk increases considerably. In a well-known re-identification case, an MIT student was able to identify the governor of Massachusetts using only gender, zip code, and date of birth.

Sensitive attributes: While the uniqueness of these values can vary, their defining characteristic is that disclosing them could harm the individual they relate to. For example, disclosing a health diagnosis could lead to discrimination.

In general, businesses have a clear understanding of direct identifiers and how to deal with them. Unfortunately, in many cases, quasi-identifiers and sensitive attributes are not considered, leaving the business exposed to high privacy risks. 
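As a rough illustration of what such a classification step looks like in practice, the sketch below tags dataset columns with one of the three privacy attributes using a hand-written lookup table; the column names and rules are hypothetical, and a tool like CN-Protect would infer the classification rather than rely on a fixed list:

```python
# Illustrative only: tag dataset columns with a privacy attribute using hand-written
# rules. The column names are hypothetical; a real tool would infer this classification
# from the data itself rather than from a fixed lookup table.
from enum import Enum
from typing import Optional

class PrivacyAttribute(Enum):
    DIRECT_IDENTIFIER = "direct identifier"   # ~100% re-identification risk on its own
    QUASI_IDENTIFIER = "quasi-identifier"     # risky mainly in combination with others
    SENSITIVE = "sensitive attribute"         # disclosure could harm the individual

CLASSIFICATION_RULES = {
    "email":     PrivacyAttribute.DIRECT_IDENTIFIER,
    "ssn":       PrivacyAttribute.DIRECT_IDENTIFIER,
    "gender":    PrivacyAttribute.QUASI_IDENTIFIER,
    "age":       PrivacyAttribute.QUASI_IDENTIFIER,
    "zipcode":   PrivacyAttribute.QUASI_IDENTIFIER,
    "diagnosis": PrivacyAttribute.SENSITIVE,
}

def classify_columns(columns: list[str]) -> dict[str, Optional[PrivacyAttribute]]:
    """Map each column to its privacy attribute, or None if it needs manual review."""
    return {col: CLASSIFICATION_RULES.get(col) for col in columns}

for column, attribute in classify_columns(["email", "age", "diagnosis", "tenure"]).items():
    print(f"{column}: {attribute.value if attribute else 'unclassified - review manually'}")
```

Columns the rules do not cover (like "tenure" here) surface as unclassified, which is exactly where quasi-identifiers and sensitive attributes tend to be overlooked.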

Now you know how to classify the different values in your dataset using privacy attributes. Software like CN-Protect can help you streamline this task through its smart classification algorithm, which leverages AI to learn from your specific requirements and use cases.

Facebook collecting healthcare data

As many of our previous blogs have highlighted, COVID-19 is severely impacting the tech world. Privacy regulations have been a hot topic for debate among governments, big tech companies, and their users.

Facebook has joined the top companies taking advantage of user data in COVID-19 research. Meanwhile, Brazil’s LGPD sees pushback on its enforcement because of COVID-19. In contrast to Brazil, US senators are introducing a new privacy bill to ensure Americans’ data privacy remains protected.

 

Facebook collecting symptom data

In the current pandemic climate, tech companies of all sizes have stepped up to provide solutions and aid to governments and citizens struggling to cope with COVID-19. As we’ve highlighted in our previous blog posts, Google and Apple have been at the front lines, introducing systems that protect user privacy while changing how communities track the virus.

 Following closely behind, Facebook has introduced its attempt to work with user data for the greater good of COVID-19 research. 

Facebook announced its partnerships with several American universities to begin collecting symptom data in different countries. Facebook’s CEO and founder told The Verge that the information could help highlight COVID hotspots across the globe, especially in places where governments have neglected to address the virus’s severity.

Facebook has been working throughout this pandemic to demonstrate how aggregated and anonymized data can be used for good.

However, not everyone is convinced by Facebook’s sudden enthusiasm for responsible use of user data. One article highlighted how the company is still being investigated by the FTC over privacy issues.

Facebook’s long list of privacy invasions against its users is raising concerns not over how the data is currently being used, but over how it will be handled after the pandemic has subsided.

 

Brazil pushes back privacy legislation

At the beginning of this year, we wrote an article outlining Brazil’s first data protection act, the LGPD. This privacy legislation closely follows the EU’s GDPR and will unify the country’s 40 existing privacy laws.

Even before COVID-19’s effect on countries like Brazil, many tech companies were already pressuring the Brazilian government to change the LGPD’s effective date.

On April 29th, the Brazilian president delayed the applicability date of the LGPD to May 3rd, 2021. With this provisional measure, the Brazilian Congress has been given 16 days to approve the new LGPD implementation date.

If Congress does not approve this new date by May 15th, it must vote on an alternative LGPD date; if it does not, the LGPD will come into effect on August 14th, 2020.

Brazil’s senate has now voted to move the law’s introduction to January 2021, with sanctions coming into force in August 2021. This means lawsuits and complaints can be brought as of January 1st, with enforcement actions beginning August 1st (source).

 

America introduces new privacy law

Much as Brazil’s privacy legislation has been affected by COVID-19, some US senators have stepped up to ensure the privacy of American citizens’ data.

The few senators proposing this bill have said they are working to “hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic.”

This bill does not target contact-tracing apps like those proposed by Apple and Google. However, it does ensure that the companies behind them use and protect data effectively.

The bill requires companies to gain consent from users in order to collect any health or location data. As well, it forces companies to ensure that the information they collect is properly anonymized and cannot be re-identified. The bill also requires these tech companies to delete all identifiable information once COVID-19 has subsided and tracking apps are no longer necessary.

The bill has wide acceptance across the congressional floor and will be enforced by state attorneys general. It is being considered a big win for Americans’ privacy rights, especially given past privacy trust issues between big tech companies and their users.

Location data and your privacy

As technology grows to surround the entirety of our lives, it comes as no surprise that each and every move is tracked and stored by the very apps we trust with our information. With the current COVID-19 pandemic, the consequences of inviting these big tech companies into our every movement are being revealed.

At this point, most technology users understand the information they knowingly give to companies, such as their birthdays, access to pictures, or other sensitive information. However, some may be unaware of the amount of location data that companies collect and how that affects their data privacy.

Location data volume expected to grow

We have created over 90% of the world’s data since 2017. As wearable technology continues to grow in popularity, the amount of data a person creates each day is on a steady incline.

One study reported that by 2025, the number of IoT-enabled devices installed worldwide is expected to hit 75 billion. This astronomical number highlights how intertwined technology is with our lives, and also how welcoming we are of technology whose data collection many people may not understand.

Marketers, companies, and advertisers will increasingly look to use location-based information as its volume grows. A recent study found that more than 84% of marketers use location data in their marketing efforts.

The last few years have seen a boost in big tech companies giving their users more control over how their data is used. One example is in 2019 when Apple introduced pop-ups to remind users when apps are using their location data.

Location data is saved and stored so that companies can easily direct personalized ads and products your way. Understanding what your devices collect from you, and how to limit data sharing on them, is crucial as we move forward in the technological age.

Click here to read our past article on location data in the form of wearable devices. 

COVID-19 threatens location privacy

Risking the privacy of thousands of people or saving thousands of lives seems to be the question throughout this pandemic, and a question that is running out of time for debate. Companies across the big 100 have stepped up to volunteer their anonymized data, including SAS, Google, and Apple.

One of the largest concerns is not how this data is being used in this pandemic, but how it could be abused in the future. 

One Forbes article drew a comparison to the regret many face after sharing DNA with sites like 23andMe, which has led to health insurance issues or run-ins with criminal investigations.

As companies like Google, Apple, and Facebook step up to the COVID-19 technology race, many are expressing concerns, as these companies have not proven themselves reliable at anonymizing user data.

In addition to the data-collection concern, governments and big tech companies are looking into contact-tracing applications. Using civilian location data for surveillance purposes, even when framed as being for the greater good of health and safety, raises multiple red flags about how our phones can be used to monitor our every movement. To read more about this involvement in contact-tracing apps, read our latest article.

Each company has stated that it anonymizes the data it collects. However, in this pandemic age, anonymized information can still be exploited, especially at the hands of government intervention.

With all this said, big tech holds power over our information and is playing a vital role in the COVID-19 response. Paying close attention to how user data is managed post-pandemic will be valuable in exposing how these companies handle user information.

 

IoT and everyday life; how interconnected are we?

The Internet of Things (IoT) is a term spanning a variety of ‘smart’ applications, ranging from smart fridges to smart cities. The idea behind ‘smart’, or IoT, is the connectedness between everything and the internet.

It’s hard to grasp the amount of data one person creates each day, and to understand where IoT fits into that. With this new era of ‘smart’ everything, that understanding is pushed even farther out of reach.

To understand just how much our smart technologies follow our everyday behaviours, let’s focus on only one person’s use of a smartwatch. 

But first, what are the implications of a smartwatch? This wearable technology gained its popularity starting in 2012, giving users the ability to track their health and set fitness goals at the tap of their wrist. Since then, smartwatches have infiltrated all sorts of markets, adding the ability to pay with the watch, take phone calls, or update a Facebook status.

The technology in our lives has become so interconnected that de-identifying our data, while achievable, is complicated at scale. Take the smartwatch: our unique footprints, recreated each day, are logged and monitored through the small screen on our wrist. While the data created is anonymized to an extent, that anonymization is not sufficient.

But why not? After all, technology has moved mountains in the last decade. To better understand this connectedness of our data, let’s follow one person’s day through the point of view of just their smartwatch. 

Imagine Tom is a 30-year-old man in excellent health who, like the rest of us, follows a pretty general routine during his workweek. Outside of the many technologies that collect Tom’s data, what might just his smartwatch collect? 

Let’s take a look. 

Every morning, Tom’s smartwatch alerts him at 7:30 am to wake up and start his day. After a few days of logging Tom’s breathing patterns and heart rate and monitoring his previous alarm settings, the smartwatch has learned the average time Tom should be awake and prompts him to set a 7:30 alarm each night before bed.

Before Tom ever has to tell his watch what time he gets up in the morning, it already knows.

Similar to its alarm system, the watch knows and labels six specific places where Tom spends most of his time during the week. Tom didn’t have to tell his watch where he was and why; based on the hours of the day Tom spends at each location, along with his sleeping patterns and other movements, his watch already knows.

These places are determined not only from his geographical location but also from the other information his watch creates.

When Tom is at the gym, his elevated heart rate and the calories he burns are logged. When Tom goes to his local grocery store or coffee shop, he uses his smartwatch to pay. At his workplace, Tom’s watch records the amount of time spent at the location and is able to determine that the two main places Tom spends his time are his home and his work.

Based on a collection of spatio-temporal data, transactional data, health data, and repeated behaviour, it is easy to create a very accurate picture of who Tom is.
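To show how little raw data such inferences require, here is a hedged sketch (entirely made-up samples and place labels, not any vendor’s actual algorithm) that guesses a wearer’s home and work purely from which places dominate their overnight and nine-to-five hours:

```python
# Illustrative sketch: infer "home" and "work" from hourly location logs alone.
# The samples, place IDs, and hour thresholds are all made up for this example.
from collections import Counter

# (hour of day, place_id) samples over a week, e.g. hourly GPS fixes from a watch.
samples = (
    [(h, "place_A") for h in range(0, 8)] * 7      # nights at place_A
    + [(h, "place_B") for h in range(9, 17)] * 5   # weekday daytime at place_B
    + [(18, "place_C")] * 3                        # a few evenings at place_C (the gym?)
)

def infer_home_and_work(samples: list[tuple[int, str]]) -> tuple[str, str]:
    """Home = most common overnight place; work = most common nine-to-five place."""
    overnight = Counter(place for hour, place in samples if hour < 6 or hour >= 22)
    daytime = Counter(place for hour, place in samples if 9 <= hour < 17)
    return overnight.most_common(1)[0][0], daytime.most_common(1)[0][0]

home, work = infer_home_and_work(samples)
print(f"inferred home: {home}, inferred work: {work}")  # place_A, place_B
```

Real devices layer heart rate, payments, and motion data on top of this, which only sharpens the picture.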

Let’s keep in mind that this is all created without Tom having to explicitly tell his smartwatch where he is or what he is doing at each minute. Tom’s smartwatch operates on learned behaviours based on the unique pattern Tom creates each day.

This small peek into Tom’s life, according to his watch, isn’t even much of a “peek” at all. We could go further and analyze the data his smartwatch retains on each purchase, each change of location, or just the data pertaining to his health.

This technology is in our cars, fridges, phones, and TVs. Understanding how just one device collects and infers so much about you is critical to how we interact with these technologies. What’s essential to understand next is how this data is handled, protected, and shared.

The more advanced our technology gets, the easier it is to identify a person from the data that technology collects. It’s more important than ever to understand the impacts of our technology use, what data of ours is being collected, and where it is going.

At CryptoNumerics we have been developing a solution that can de-identify this data without destroying its analytical value. 

If your company has transactional and/or spatio-temporal data that needs to be privacy-protected, contact us to learn more about our solution.

What does COVID-19 mean for patient privacy?

The rapid spread of the Coronavirus (COVID-19) has sent the world into mass shock, halting movement in the economy, companies, schools, and regular life.

In situations of mass panic such as this, maintaining privacy and legislative compliance is the last thing on the public’s mind. However, for companies and hospitals, this should not be the case. In this weekly news, we will go through how proper data sharing is beneficial, how governments are reacting to privacy concerns, and how employers should be handling their employees’ information.

Data Sharing and COVID-19

According to one Wired article released last week, genomic data and data marketplaces across countries are being used to better understand the virus and how it spreads.

NextStrain, an open-source application that tracks pathogen evolution, is helping researchers release and share virus strains within roughly 48 hours of the pathogen being identified.

Because NextStrain is open source, the article explains, research facilities can create their own versions or use the application as a starting point for other models of open research.

This cross-platform data sharing, researchers say, “creates new opportunities to bridge the gap between public health and academia, and to enable novice users to explore the data as well.”

While this data sharing is proving helpful in moving quickly to understand and stop the spread of the virus, it also presents issues.

One issue with open-source data sharing, as one researcher told Wired, is that non-professionals can misinterpret the information, as happened when a Twitter user published false information last week. This Twitter thread highlights not only the danger of incorrect information but also how quickly data can spread across platforms, emphasizing the importance of anonymizing the influx of COVID-19 patient data.

Last month, we released a short article involving genomic data and marketplaces, as well as the process of de-identifying its information. Click here to read more about what that entails. 

Crisis Communication 

Last week, we released an article about the lack of privacy in South Korea, where every detail of patients’ lives is disclosed to the public out of fear that ordinary people may have come into contact with an infected individual.

As the virus moves toward Western countries, this handling of privacy must be prevented. However, in unprecedented situations such as this, the “every man for himself” mindset takes over for much of the public, as concern about contact with an infected person spreads.

One senior risk manager told Modern HealthCare, “It’s a slippery slope—if you let people know where the cases are, they may be more cautious and stay away from certain events,” she said. “If you say nothing, they get a false sense of security.” 

When looking to release information to the public or between researchers, hospitals need to ensure their data is de-identified and compliant with legislation like the Health Insurance Portability and Accountability Act (HIPAA). Not doing so leaves organizations liable to penalties ranging from $100 to $50,000 per violation.

In a newly released Advis survey, only 39% of surveyed U.S. hospitals reported that they were prepared for an outbreak like COVID-19. This level of unpreparedness is where cracks in patient privacy can open up and sensitive data can be exposed to the general public.

COVID-19 and personal privacy 

Last month, the U.S. Department of Health and Human Services released a bulletin outlining HIPAA and privacy considerations in response to the outbreak.

Highlighted in this bulletin are the minimum required disclosures for employers and workplaces, as well as the trade-off between the implications of sharing patient data and the need to do so. The bulletin serves as a reminder to the general public of the importance of privacy protection, especially in scenarios as drastic as the current situation.

The mass fear this virus creates has to be dealt with properly by those in positions of authority. Employers and companies must ensure they approach the handling of this pandemic with consideration for patient privacy and legislative compliance.

One U.S. law firm, Sidley, created and released an elaborate list of questions companies should be reflecting on while dealing with the COVID-19 virus. In terms of privacy, some items include:

  • What information can companies collect from third parties and open sources about employees’ and others’ health and risk of exposure?
  • Are there statutory, regulatory or contractual restrictions on any data collection, processing or dissemination contemplated to address COVID-19 risks? What are the risks of these activities?
  • Are existing privacy disclosures and international data transfer mechanisms adequate to address any new data collection and analyses?
  • Is a privacy impact assessment, or a security risk assessment, required or advisable for any new data-related activities?

(Source)

The main struggle for companies right now is ensuring that their employee information is dealt with in compliance with privacy legislation, while still keeping in mind the safety of the other workers.

Data sharing is an issue across industries

Privacy, as many of our previous blogs have emphasized, is essential not only to the business-customer relationship but also on a moral level. The recent Fitbit acquisition by Google has created big waves in the privacy sphere, as customers’ health data is at risk due to Google’s past dealings with personal information. On the topic of healthcare data, the recent Coronavirus panic has thrown patient privacy out the window as fear of the spreading virus rises. Finally, data sharing continues to raise eyebrows as the popular social media app TikTok scrambles to protect its privacy reputation.

Fitbit acquisition causing major privacy concerns

From its in-home command system to the world’s most used search engine, Google has infiltrated most aspects of regular life. There are seemingly no corners left untouched by the company.

In 2014, Google released its Wear OS, a smartwatch platform for monitoring health and pairing with phones. While wearable technology has soared to the top of the technology charts as a popular way to track and manage your health and lifestyle, Google’s Wear OS has not gained the popularity necessary to remain a strong competitor.

In November of last year, Google announced its acquisition of Fitbit for $2.1 billion. Fitbit has sold over 100 million devices and is worn by over 28 million people, 24 hours a day, 7 days a week. Many are calling this Google’s attempt to recover from its failing project.

But there is more to this acquisition than staying on top of the market: personal data.

Google’s terrible privacy reputation is falling onto Fitbit, amid fears that the personal information Fitbit holds, like sleep patterns or heart rate, will fall into the hands of third parties and advertisers.

Healthcare is a large market, one that Google has been quietly buying into for years. Access to personal health information gives Google an edge in the healthcare partnerships it has been looking for.

Fitbit has come under immense scrutiny after its announced partnership with Google, seeing sales drop 5% in 2019. Many are urging Fitbit consumers to ditch their products amidst the acquisition.

However, Fitbit maintains that users will be in full control of their data and that the company will not sell personal information to Google.

The partnership will be watched closely going forward, as government authorities such as the Australian Competition and Consumer Commission open inquiries into the companies’ intentions.

TikTok scrambling to fix privacy reputation

TikTok is a social media app that has taken over the video streaming space. With over 37 million users in the U.S. last year, TikTok has been downloaded over 1 billion times, and that number is expected to rise 22% this year.

While the app reports these drastically high download numbers, it has been continuously reprimanded for its terrible privacy policy and its inability to protect its users’ information. The app has already been banned by companies across the U.S., and one Republican senator, Josh Hawley, is introducing legislation to prohibit federal workers from using it. This follows several security flaws reported in January involving user location data and access to user information.

The CEO of Reddit recently criticized TikTok, saying he tells people, “don’t install that spyware on your phone.”

These privacy concerns stem from the app’s connection with the Chinese government. In 2017, the viral app Musical.ly was acquired for $1 billion by the Beijing-based company ByteDance and merged into TikTok. Chinese law requires companies to comply with government intelligence operations if asked, meaning apps like TikTok would have no authority to decline government access to their data.

In response to the privacy backlash, the company stated last year that all of its data centers are located entirely outside of China. However, its privacy policy does state that it shares a variety of user data with third parties.

In a new attempt to address these privacy concerns, former ADP security executive Roland Cloutier has been hired as Chief Information Security Officer to oversee information privacy issues within the popular app.

With Cloutier’s long history in cybersecurity, there is hope that the wildly popular app will soon gain a better privacy reputation.

Coronavirus raising concerns over personal information

The Coronavirus is a deadly, fast-spreading respiratory illness that has moved quickly throughout China and has now been reported in 33 countries across the world.

Because of this, China has been thrown into a rightful panic and has gone to great lengths to combat and contain its spread. However, in working to prevent the continued spread of the virus, many say patient privacy is being thrown out the window.

Last month, China put out a ‘close contact’ app that checks whether users have been around people who have contracted the virus. The app assigns a colour code to users: green for safe, yellow for a required 7-day quarantine, and red for a 14-day quarantine.

Not only is the app required to enter public places like subways or malls, but the data is also shared with police. 

The New York Times reported that the app sends a person’s location, city name, and an identifying code number to the authorities. China’s already high-tech surveillance has reached new limits, as the Times reports that surveillance cameras placed around neighborhoods are being strictly monitored, watching residents who present yellow or red codes.

South Korea has also thrown patient privacy to the wind, as text messages are sent out, highlighting every movement of individuals who contracted the virus. One individual’s extra-marital affair was exposed through the string of messages, revealing his every move before contracting the virus, according to the Guardian.

The question on everyone’s mind now is, what happens to privacy when the greater good is at risk?

For more privacy blogs, click here.
