Conversation

Notices

1. Embed this notice
   Sarah Jamie Lewis (sarahjamielewis@mastodon.social)'s status on Thursday, 26-Sep-2024 09:48:45 JST Sarah Jamie Lewis

   On the subject of "privacy preserving" analytics/advertisement.

   Deidentification and Aggregation are necessary, but not sufficient, steps towards Anonymization.

   You also have to Isolate a derived dataset from any past or future context.

   Otherwise privacy can be attacked through correlations/differentiations etc.

   A party tasked with performing both Aggregation and Deidentification defacto cannot provide Isolation.

   • Embed this notice
     Sarah Jamie Lewis (sarahjamielewis@mastodon.social)'s status on Thursday, 26-Sep-2024 09:48:43 JST Sarah Jamie Lewis

     in reply to

     Honestly, I feel as if this "neglection of isolation" is a common theme in advertised "privacy-preserving" systems.

     It pops up everywhere and relies on people focusing too much on the technical and not enough on the political.

   • Embed this notice
     Sarah Jamie Lewis (sarahjamielewis@mastodon.social)'s status on Thursday, 26-Sep-2024 09:48:44 JST Sarah Jamie Lewis

     in reply to

     But PPA implementations in various browsers *do* make this claim. And they strictly, fundamentally should not.

     They are the parties collecting, deidentifying and aggregating this data - regardless of the technical controls in place - there is no real, tangible political isolation - the kind that is actually needed to be able to invoke the true meaning of "privacy" the one that people actually want.

   • Embed this notice
     Sarah Jamie Lewis (sarahjamielewis@mastodon.social)'s status on Thursday, 26-Sep-2024 09:48:44 JST Sarah Jamie Lewis

     in reply to

     They may be keeping that data private from advertisers, and maybe even themselves - I've read the specs, they do a good job and going through the motions - these systems are certainly, mostly *secure* - but the potential to access that data is still there.

     It's that potential that is the privacy.

   • Embed this notice
     Sarah Jamie Lewis (sarahjamielewis@mastodon.social)'s status on Thursday, 26-Sep-2024 09:48:44 JST Sarah Jamie Lewis

     in reply to

     I've used the example before of the mixnets used in the Swiss and Aus e-voting systems, where all the Mixnet nodes were operated by the same people - completely subverting the purpose of the mixnet - that is, the point of the mixnet is isolation.

     When all nodes are run by the same people, or people who are all connected in some way, then the *potential* to undo the isolation exists - and thus the privacy provided by the mixnet ceases to exist.

     Regardless of technical sophistication.

     Blaise Pabón - controlpl4n3 repeated this.
   • Embed this notice
     Sarah Jamie Lewis (sarahjamielewis@mastodon.social)'s status on Thursday, 26-Sep-2024 09:48:45 JST Sarah Jamie Lewis

     in reply to

     This can technically be made to work in cases where privacy/anonymity from the collating party isn't strictly required e.g. a government department providing differentially private census information to the public at large.

     Government statistics bodies don't (and cannot) claim that your filled out census forms are private from them (or from the future) - but they can claim that they won't immediately reveal your information to the highest bidder.