Sarah Jamie Lewis
On the subject of "privacy preserving" analytics/advertisement.
Deidentification and Aggregation are necessary, but not sufficient, steps towards Anonymization.
You also have to Isolate a derived dataset from any past or future context.
Otherwise privacy can be attacked through correlations/differentiations etc.
A party tasked with performing both Aggregation and Deidentification defacto cannot provide Isolation.
Sarah Jamie Lewis
Honestly, I feel as if this "neglection of isolation" is a common theme in advertised "privacy-preserving" systems.
It pops up everywhere and relies on people focusing too much on the technical and not enough on the political.
Sarah Jamie Lewis
But PPA implementations in various browsers *do* make this claim. And they strictly, fundamentally should not.
They are the parties collecting, deidentifying and aggregating this data - regardless of the technical controls in place - there is no real, tangible political isolation - the kind that is actually needed to be able to invoke the true meaning of "privacy" the one that people actually want.
Sarah Jamie Lewis
They may be keeping that data private from advertisers, and maybe even themselves - I've read the specs, they do a good job and going through the motions - these systems are certainly, mostly *secure* - but the potential to access that data is still there.
It's that potential that is the privacy.
Sarah Jamie Lewis
I've used the example before of the mixnets used in the Swiss and Aus e-voting systems, where all the Mixnet nodes were operated by the same people - completely subverting the purpose of the mixnet - that is, the point of the mixnet is isolation.
When all nodes are run by the same people, or people who are all connected in some way, then the *potential* to undo the isolation exists - and thus the privacy provided by the mixnet ceases to exist.
Regardless of technical sophistication.
Sarah Jamie Lewis
This can technically be made to work in cases where privacy/anonymity from the collating party isn't strictly required e.g. a government department providing differentially private census information to the public at large.
Government statistics bodies don't (and cannot) claim that your filled out census forms are private from them (or from the future) - but they can claim that they won't immediately reveal your information to the highest bidder.
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.