A Game Theoretic Framework for Analyzing Re-Identification Risk

item.page.doi

Abstract

Given the potential wealth of insights in personal data the big databases can provide, many organizations aim to share data while protecting privacy by sharing de-identified data, but are concerned because various demonstrations show such data can be re-identified. Yet these investigations focus on how attacks can be perpetrated, not the likelihood they will be realized. This paper introduces a game theoretic framework that enables a publisher to balance re-identification risk with the value of sharing data, leveraging a natural assumption that a recipient only attempts re-identification if its potential gains outweigh the costs. We apply the framework to a real case study, where the value of the data to the publisher is the actual grant funding dollar amounts from a national sponsor and the re-identification gain of the recipient is the fine paid to a regulator for violation of federal privacy rules. There are three notable findings: 1) it is possible to achieve zero risk, in that the recipient never gains from re-identification, while sharing almost as much data as the optimal solution that allows for a small amount of risk; 2) the zero-risk solution enables sharing much more data than a commonly invoked de-identification policy of the U.S. Health Insurance Portability and Accountability Act (HIPAA); and 3) a sensitivity analysis demonstrates these findings are robust to order-of-magnitude changes in player losses and gains. In combination, these findings provide support that such a framework can enable pragmatic policy decisions about de-identified data sharing.

Description

Keywords

Computer security, Game theory, Online identities, Database security, Risk assessment

item.page.sponsorship

"This research was funded by grants R01HG006844 and U01HG006385 from the National Human Genome Research Institute (http://www.genome.gov), grant R01LM009989 from National Library of Medicine (http://www.nlm.nih.gov), and grant CCF-0424422 from National Science Foundation (http://www.nsf.gov). "

Rights

CC-BY 4.0 (Attribution), ©2015 The Authors

Citation