Get startedGet started for free

Privacy in Training Data: De-identification techniques

1. Privacy in Training Data: De-identification techniques

Lets examine privacy in training data in our context of privacy in ML, data security is the protection of sensitive data used in AI systems. Keep in mind that you want to minimize the use of sensitive data as much as possible, preferably at the data collection phase, such as when collecting aggregated data rather than, for example, during data processing or collecting individual interactions. We recommend two different, not exclusive, approaches to de identify your data through de identification techniques such as redaction, replacement, masking, tokenization, bucketing, and shifting. Randomize your data through methods such as data perturbation and differential privacy, De-identification approaches can be evaluated by two factors, if an approach is reversible, can you re-identify the data? Referential integrity is the relationship between records maintained after de-identification, whether these factors are a positive aspect or a potential risk depends on the specific use case, and data privacy requirements. For example, reversibility is great for audibility, and recovery, but it can easily lead to data leakage, otherwise known as reidentification, even though it is less likely. The same risks exist with referential integrity, but referential integrity has the added benefits of improving ML performance, and consistency when guaranteed. First de-identification technique redaction is the process of deleting all or parts of a sensitive value, this approach is not reversible and it does not maintain referential integrity. We will follow this example for all the de-identification techniques, let's say you have a transactional table with ID, date, time, amount in dollars, email and product. If you want to redact the column email, you can simply delete it from the view, redaction removes data, which can lead to a loss of information that could be valuable for machine learning models. This can affect the accuracy, generalizability, and overall effectiveness of the model, for example, if we redact locations from a dataset, this action might hinder the model's ability to learn geospatial patterns. The second de-identification technique is replacement, this means replacing a sensitive value with a surrogate value that you specify, it can be only one value or a value randomly selected from a list of values. The approach is irreversible and it does not maintain referential integrity, note that replacement can have the same negative effect as redaction does on the model's ability to learn due to data loss. For example, let's say you want to apply for a replacement on the email column, then you can replace all emails with its info type, such as email address. In this example, its worth mentioning that it has the same effect as redaction, thus, we need to be aware of the same limitations here about data loss, masking is the third deed identification technique. Masking replaces some or all characters of a sensitive value with a surrogate, this surrogate value can be selected randomly from a list if desired, but the approach is not reversible, and it does not maintain referential integrity. For example, lets say you want to apply masking on the email column to keep the email domain but not keep the exact handle, in this case, you can replace all values in the email column with hashes. While replacement, and masking may sound similar, masking covers a portion or all of the existing data depending on the parameters you set, whereas replacement removes the data completely, and replaces it with a value. Tokenization is the last de-identification technique we will explore for categoricals, tokenization replaces a sensitive value with randomly generated tokens, each unique to the value it de-identifies. This approach is reversible and also maintains referential integrity where ML models can still leverage information from the tokenized features. However, the data can be vulnerable to malicious attacks that attempt to reverse the data to the original information, for example, if you apply tokenization on the email column, then you get new random tokens which uniquely identify that value. With tokenization, ML models can still leverage the information of tokenized features, but be careful as it can be vulnerable to malicious attacks that reverse it to the original information. The next de-identification approach, bucketing is for numerical values, Bucketing generalizes a sensitive value by replacing it with a range of values. This approach is not reversible and it does not maintain referential integrity, for example, lets say you want to apply bucketing to the amount in dollars column and you want to bucket intends. Then the procedure would replace each entry with its correct bucket, for example 56 is replaced with 50 to 60, depending on how broadly the buckets are defined, the deed identified data may be less useful for machine learning purposes or may affect the model performance. Be careful about the size and granularity of brackets so that you can find a good balance between the model performance and privacy lastly, shifting, which is a technique for date-time values, this method shifts a sensitive date and time value by a random amount of time. This transformation is reversible and it keeps referential integrity because sequence and duration are kept for example, if you apply shifting to the date time column, then the procedure could randomly select one day as shift, resulting in one day added to each entry. Similar to tokenization, shifting can also be vulnerable to malicious attacks if the random shifting factor is identified. Now, what are the risks of re-identification? None of these approaches guarantee 100% that data cannot be re-identified even the non-reversible approaches instead, what these approaches do is strive towards minimizing the risk. Re-identification risk analysis can help us identify the risk of re-identification after performing a de-identification technique. Identify the most effective de identification strategy before de identification there are two classic techniques that support this risk analysis. K-anonymity a dataset is k anonymous. If every combination of values for sensitive features in the data set appears for at least k different records, this tells us something important. Features can be correlated, and even if you de-identify a sensitive value, it can still be re-identified given its relationship to other features. L diversity l diversity is an extension of k-anonymity that ensures that each anonymized group contains at least l distinctive values for each sensitive attribute. L diversity is a measurement of the diversity of sensitive data, you can apply de-identification as well as data perturbation techniques to achieve k-anonymity at a specific k and or l diversity at a specific l. The combination of k-anonymity and l diversity provides a more comprehensive understanding of privacy, especially in scenarios where datasets contain mixed data types.

2. Let's practice!

Create Your Free Account

or

By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.