Méthodes formelles pour le respect de la vie privée par construction / Formal methods for privacy by design

Antignac, Thibaud

25 February 2015

Le respect de la vie privée par construction est de plus en plus mentionné comme une étape essentielle vers une meilleure protection de la vie privée. Les nouvelles technologies de l'information et de la communication donnent naissance à de nouveaux modèles d'affaires et de services. Ces services reposent souvent sur l'exploitation de données personnelles à des fins de personnalisation. Alors que les exigences de respect de la vie privée sont de plus en plus sous tension, il apparaît que les technologies elles-mêmes devraient être utilisées pour proposer des solutions davantage satisfaisantes. Les technologies améliorant le respect de la vie privée ont fait l'objet de recherches approfondies et diverses techniques ont été développées telles que des anonymiseurs ou des mécanismes de chiffrement évolués. Cependant, le respect de la vie privée par construction va plus loin que les technologies améliorant simplement son respect. En effet, les exigences en terme de protection des données à caractère personnel doivent être prises en compte au plus tôt lors du développement d’un système car elles peuvent avoir un impact important sur l'ensemble de l'architecture de la solution. Cette approche peut donc être résumée comme « prévenir plutôt que guérir ». Des principes généraux ont été proposés pour définir des critères réglementaires de respect de la vie privée. Ils impliquent des notions telles que la minimisation des données, le contrôle par le sujet des données personnelles, la transparence des traitements ou encore la redevabilité. Ces principes ne sont cependant pas suffisamment précis pour être directement traduits en fonctionnalités techniques. De plus, aucune méthode n’a été proposée jusqu’ici pour aider à la conception et à la vérification de systèmes respectueux de la vie privée. Cette thèse propose une démarche de spécification, de conception et de vérification au niveau architectural. Cette démarche aide les concepteurs à explorer l'espace de conception d'un système de manière systématique. Elle est complétée par un cadre formel prenant en compte les exigences de confidentialité et d’intégrité des données. Enfin, un outil d’aide à la conception permet aux concepteurs non-experts de vérifier formellement les architectures. Une étude de cas illustre l’ensemble de la démarche et montre comment ces différentes contributions se complètent pour être utilisées en pratique. / Privacy by Design (PbD) is increasingly praised as a key approach to improving privacy protection. New information and communication technologies give rise to new business models and services. These services often rely on the exploitation of personal data for the purpose of customization. While privacy is more and more at risk, the growing view is that technologies themselves should be used to propose more privacy-friendly solutions. Privacy Enhancing Technologies (PETs) have been extensively studied, and many techniques have been proposed such as anonymizers or encryption mechanisms. However, PbD goes beyond the use of PETs. Indeed, the privacy requirements of a system should be taken into account from the early stages of the design because they can have a large impact on the overall architecture of the solution. The PbD approach can be summed up as ``prevent rather than cure''. A number of principles related to the protection of personal data and privacy have been enshrined in law and soft regulations. They involve notions such as data minimization, control of personal data by the subject, transparency of the data processing, or accountability. However, it is not clear how to translate these principles into technical features, and no method exists so far to support the design and verification of privacy compliant systems. This thesis proposes a systematic process to specify, design, and verify system architectures. This process helps designers to explore the design space in a systematic way. It is complemented by a formal framework in which confidentiality and integrity requirements can be expressed. Finally, a computer-aided engineering tool enables non-expert designers to perform formal verifications of the architectures. A case study illustrates the whole approach showing how these contributions complement each other and can be used in practice.

Informatique

Génie logiciel

Architecture

Respect de la vie privée

Méthode formelle

Vérification

Information Technology

Software engineering

Architecture

Privacy protection

Formal methods

Verification

005.110 72

Informační chování žáků 8. a 9. tříd ve vztahu k ochraně vlastního soukromí na sociálních sítích / Information behavior of 8th and 9th grade pupils in relation to the protection of their own privacy on social networks

Filipová, Helena

January 2021

i Abstract This diploma thesis deals with the information behavior of the pupils in the 8th and 9th grades of primary schools in relation to the protection of their own privacy on the social networks Facebook and Instagram. The aim of the work is to find out: - how pupils are interested in the issue of protecting their privacy on these networks and where they get this information from (parents, school), - if they are aware of the associated risks and how they take them into account in their behavior, - whether they know the tools available to them on these networks, - how the above affects their manners on selected social networks in terms of content and form of shared information. The theoretical part of the thesis deals mainly with the characteristics of selected social networks Facebook and Instagram in terms of privacy protection against possible threats. The practical part presents the results of quantitative research, which was carried out in the form of a questionnaire among 8th and 9th grade elementary school students.

Local differentially private mechanisms for text privacy protection

Mo, Fengran

08 1900

Dans les applications de traitement du langage naturel (NLP), la formation d’un modèle efficace nécessite souvent une quantité massive de données. Cependant, les données textuelles dans le monde réel sont dispersées dans différentes institutions ou appareils d’utilisateurs. Leur partage direct avec le fournisseur de services NLP entraîne d’énormes risques pour la confidentialité, car les données textuelles contiennent souvent des informations sensibles, entraînant une fuite potentielle de la confidentialité. Un moyen typique de protéger la confidentialité consiste à privatiser directement le texte brut et à tirer parti de la confidentialité différentielle (DP) pour protéger le texte à un niveau de protection de la confidentialité quantifiable. Par ailleurs, la protection des résultats de calcul intermédiaires via un mécanisme de privatisation de texte aléatoire est une autre solution disponible. Cependant, les mécanismes existants de privatisation des textes ne permettent pas d’obtenir un bon compromis entre confidentialité et utilité en raison de la difficulté intrinsèque de la protection de la confidentialité des textes. Leurs limitations incluent principalement les aspects suivants: (1) ces mécanismes qui privatisent le texte en appliquant la notion de dχ-privacy ne sont pas applicables à toutes les métriques de similarité en raison des exigences strictes; (2) ils privatisent chaque jeton (mot) dans le texte de manière égale en fournissant le même ensemble de sorties excessivement grand, ce qui entraîne une surprotection; (3) les méthodes actuelles ne peuvent garantir la confidentialité que pour une seule étape d’entraînement/ d’inférence en raison du manque de composition DP et de techniques d’amplification DP. Le manque du compromis utilité-confidentialité empêche l’adoption des mécanismes actuels de privatisation du texte dans les applications du monde réel. Dans ce mémoire, nous proposons deux méthodes à partir de perspectives différentes pour les étapes d’apprentissage et d’inférence tout en ne requérant aucune confiance de sécurité au serveur. La première approche est un mécanisme de privatisation de texte privé différentiel personnalisé (CusText) qui attribue à chaque jeton d’entrée un ensemble de sortie personnalisé pour fournir une protection de confidentialité adaptative plus avancée au niveau du jeton. Il surmonte également la limitation des métriques de similarité causée par la notion de dχ-privacy, en adaptant le mécanisme pour satisfaire ϵ-DP. En outre, nous proposons deux nouvelles stratégies de 5 privatisation de texte pour renforcer l’utilité du texte privatisé sans compromettre la confidentialité. La deuxième approche est un modèle Gaussien privé différentiel local (GauDP) qui réduit considérablement le volume de bruit calibrée sur la base d’un cadre avancé de comptabilité de confidentialité et améliore ainsi la précision du modèle en incorporant plusieurs composants. Le modèle se compose d’une couche LDP, d’algorithmes d’amplification DP de sous-échantillonnage et de sur-échantillonnage pour l’apprentissage et l’inférence, et d’algorithmes de composition DP pour l’étalonnage du bruit. Cette nouvelle solution garantit pour la première fois la confidentialité de l’ensemble des données d’entraînement/d’inférence. Pour évaluer nos mécanismes de privatisation de texte proposés, nous menons des expériences étendues sur plusieurs ensembles de données de différents types. Les résultats expérimentaux démontrent que nos mécanismes proposés peuvent atteindre un meilleur compromis confidentialité-utilité et une meilleure valeur d’application pratique que les méthodes existantes. En outre, nous menons également une série d’études d’analyse pour explorer les facteurs cruciaux de chaque composant qui pourront fournir plus d’informations sur la protection des textes et généraliser d’autres explorations pour la NLP préservant la confidentialité. / In Natural Language Processing (NLP) applications, training an effective model often requires a massive amount of data. However, text data in the real world are scattered in different institutions or user devices. Directly sharing them with the NLP service provider brings huge privacy risks, as text data often contains sensitive information, leading to potential privacy leakage. A typical way to protect privacy is to directly privatize raw text and leverage Differential Privacy (DP) to protect the text at a quantifiable privacy protection level. Besides, protecting the intermediate computation results via a randomized text privatization mechanism is another available solution. However, existing text privatization mechanisms fail to achieve a good privacy-utility trade-off due to the intrinsic difficulty of text privacy protection. The limitations of them mainly include the following aspects: (1) those mechanisms that privatize text by applying dχ-privacy notion are not applicable for all similarity metrics because of the strict requirements; (2) they privatize each token in the text equally by providing the same and excessively large output set which results in over-protection; (3) current methods can only guarantee privacy for either the training/inference step, but not both, because of the lack of DP composition and DP amplification techniques. Bad utility-privacy trade-off performance impedes the adoption of current text privatization mechanisms in real-world applications. In this thesis, we propose two methods from different perspectives for both training and inference stages while requiring no server security trust. The first approach is a Customized differentially private Text privatization mechanism (CusText) that assigns each input token a customized output set to provide more advanced adaptive privacy protection at the token-level. It also overcomes the limitation for the similarity metrics caused by dχ-privacy notion, by turning the mechanism to satisfy ϵ-DP. Furthermore, we provide two new text privatization strategies to boost the utility of privatized text without compromising privacy. The second approach is a Gaussian-based local Differentially Private (GauDP) model that significantly reduces calibrated noise power adding to the intermediate text representations based on an advanced privacy accounting framework and thus improves model accuracy by incorporating several components. The model consists of an LDP-layer, sub-sampling and up-sampling DP amplification algorithms 7 for training and inference, and DP composition algorithms for noise calibration. This novel solution guarantees privacy for both training and inference data. To evaluate our proposed text privatization mechanisms, we conduct extensive experiments on several datasets of different types. The experimental results demonstrate that our proposed mechanisms can achieve a better privacy-utility trade-off and better practical application value than the existing methods. In addition, we also carry out a series of analyses to explore the crucial factors for each component which will be able to provide more insights in text protection and generalize further explorations for privacy-preserving NLP.

Traitement du langue naturelle

Confidentialité différentielle

Natural language processing

Differential privacy

Text privacy protection

Privacy-Preserving method

Deep Neural Networks for Inverse De-Identification of Medical Case Narratives in Reports of Suspected Adverse Drug Reactions / Djupa neuronnät för omvänd avidentifiering av medicinska fallbeskrivningar i biverkningsrapporter

Meldau, Eva-Lisa

January 2018

Medical research requires detailed and accurate information on individual patients. This is especially so in the context of pharmacovigilance which amongst others seeks to identify previously unknown adverse drug reactions. Here, the clinical stories are often the starting point for assessing whether there is a causal relationship between the drug and the suspected adverse reaction. Reliable automatic de-identification of medical case narratives could allow to share this patient data without compromising the patient’s privacy. Current research on de-identification focused on solving the task of labelling the tokens in a narrative with the class of sensitive information they belong to. In this Master’s thesis project, we explore an inverse approach to the task of de-identification. This means that de-identification of medical case narratives is instead understood as identifying tokens which do not need to be removed from the text in order to ensure patient confidentiality. Our results show that this approach can lead to a more reliable method in terms of higher recall. We achieve a recall of sensitive information of 99.1% while the precision is kept above 51% for the 2014-i2b2 benchmark data set. The model was also fine-tuned on case narratives from reports of suspected adverse drug reactions, where a recall of sensitive information of more than 99% was achieved. Although the precision was only at a level of 55%, which is lower than in comparable systems, an expert could still identify information which would be useful for causality assessment in pharmacovigilance in most of the case narratives which were de-identified with our method. In more than 50% of the case narratives no information useful for causality assessment was missing at all. / Tillgång till detaljerade kliniska data är en förutsättning för att bedriva medicinsk forskning och i förlängningen hjälpa patienter. Säker avidentifiering av medicinska fallbeskrivningar kan göra det möjligt att dela sådan information utan att äventyra patienters skydd av personliga data. Tidigare forskning inom området har sökt angripa problemet genom att märka ord i en text med vilken typ av känslig information de förmedlar. I detta examensarbete utforskar vi möjligheten att angripa problemet på omvänt vis genom att identifiera de ord som inte behöver avlägsnas för att säkerställa skydd av känslig patientinformation. Våra resultat visar att detta kan avidentifiera en större andel av den känsliga informationen: 99,1% av all känslig information avidentifieras med vår metod, samtidigt som 51% av alla uteslutna ord verkligen förmedlar känslig information, vilket undersökts för 2014-i2b2 jämförelse datamängden. Algoritmen anpassades även till fallbeskrivningar från biverkningsrapporter, och i detta fall avidentifierades 99,1% av all känslig information medan 55% av alla uteslutna ord förmedlar känslig information. Även om denna senare andel är lägre än för jämförbara system så kunde en expert hitta information som är användbar för kausalitetsvärdering i flertalet av de avidentifierade rapporterna; i mer än hälften av de avidentifierade fallbeskrivningarna saknades ingen information med värde för kausalitetsvärdering.

De-Identification

Deep Learning

Recurrent Neural Networks

Natural Language Processing

Pharmacovigilance

Medical Language Processing

Privacy Protection

Adverse Drug Reactions

Computer Sciences

Datavetenskap (datalogi)

Beyond Privacy Concerns: Examining Individual Interest in Privacy in the Machine Learning Era

Brown, Nicholas James

12 June 2023

The deployment of human-augmented machine learning (ML) systems has become a recommended organizational best practice. ML systems use algorithms that rely on training data labeled by human annotators. However, human involvement in reviewing and labeling consumers' voice data to train speech recognition systems for Amazon Alexa, Microsoft Cortana, and the like has raised privacy concerns among consumers and privacy advocates. We use the enhanced APCO model as the theoretical lens to investigate how the disclosure of human involvement during the supervised machine learning process affects consumers' privacy decision making. In a scenario-based experiment with 499 participants, we present various company privacy policies to participants to examine their trust and privacy considerations, then ask them to share reasons why they would or would not opt in to share their voice data to train a companies' voice recognition software. We find that the perception of human involvement in the ML training process significantly influences participants' privacy-related concerns, which thereby mediate their decisions to share their voice data. Furthermore, we manipulate four factors of a privacy policy to operationalize various cognitive biases actively present in the minds of consumers and find that default trust and salience biases significantly affect participants' privacy decision making. Our results provide a deeper contextualized understanding of privacy-related concerns that may arise in human-augmented ML system configurations and highlight the managerial importance of considering the role of human involvement in supervised machine learning settings. Importantly, we introduce perceived human involvement as a new construct to the information privacy discourse. Although ubiquitous data collection and increased privacy breaches have elevated the reported concerns of consumers, consumers' behaviors do not always match their stated privacy concerns. Researchers refer to this as the privacy paradox, and decades of information privacy research have identified a myriad of explanations why this paradox occurs. Yet the underlying crux of the explanations presumes privacy concern to be the appropriate proxy to measure privacy attitude and compare with actual privacy behavior. Often, privacy concerns are situational and can be elicited through the setup of boundary conditions and the framing of different privacy scenarios. Drawing on the cognitive model of empowerment and interest, we propose a multidimensional privacy interest construct that captures consumers' situational and dispositional attitudes toward privacy, which can serve as a more robust measure in conditions leading to the privacy paradox. We define privacy interest as a consumer's general feeling toward reengaging particular behaviors that increase their information privacy. This construct comprises four dimensions—impact, awareness, meaningfulness, and competence—and is conceptualized as a consumer's assessment of contextual factors affecting their privacy perceptions and their global predisposition to respond to those factors. Importantly, interest was originally included in the privacy calculus but is largely absent in privacy studies and theoretical conceptualizations. Following MacKenzie et al. (2011), we developed and empirically validated a privacy interest scale. This study contributes to privacy research and practice by reconceptualizing a construct in the original privacy calculus theory and offering a renewed theoretical lens through which to view consumers' privacy attitudes and behaviors. / Doctor of Philosophy / The deployment of human-augmented machine learning (ML) systems has become a recommended organizational best practice. ML systems use algorithms that rely on training data labeled by human annotators. However, human involvement in reviewing and labeling consumers' voice data to train speech recognition systems for Amazon Alexa, Microsoft Cortana, and the like has raised privacy concerns among consumers and privacy advocates. We investigate how the disclosure of human involvement during the supervised machine learning process affects consumers' privacy decision making and find that the perception of human involvement in the ML training process significantly influences participants' privacy-related concerns. This thereby influences their decisions to share their voice data. Our results highlight the importance of understanding consumers' willingness to contribute their data to generate complete and diverse data sets to help companies reduce algorithmic biases and systematic unfairness in the decisions and outputs rendered by ML systems. Although ubiquitous data collection and increased privacy breaches have elevated the reported concerns of consumers, consumers' behaviors do not always match their stated privacy concerns. This is referred to as the privacy paradox, and decades of information privacy research have identified a myriad of explanations why this paradox occurs. Yet the underlying crux of the explanations presumes privacy concern to be the appropriate proxy to measure privacy attitude and compare with actual privacy behavior. We propose privacy interest as an alternative to privacy concern and assert that it can serve as a more robust measure in conditions leading to the privacy paradox. We define privacy interest as a consumer's general feeling toward reengaging particular behaviors that increase their information privacy. We found that privacy interest was more effective than privacy concern in predicting consumers' mobilization behaviors, such as publicly complaining about privacy issues to companies and third-party organizations, requesting to remove their information from company databases, and reducing their self-disclosure behaviors. By contrast, privacy concern was more effective than privacy interest in predicting consumers' behaviors to misrepresent their identity. By developing and empirically validating the privacy interest scale, we offer interest in privacy as a renewed theoretical lens through which to view consumers' privacy attitudes and behaviors.

human involvement

data annotation

enhanced APCO

explainable AI

ML

privacy concerns

privacy interest

privacy protection behaviors

privacy paradox

privacy calculus

scale development

Ochrana obětí trestných činů a média: zveřejňování informací o týraných dětech před a po přijetí novely trestního řádu v roce 2009 / Protection of Crime Victims and the Media: Publishing of Mistreatrd Chidren Information before and after Passing the Law of Criminal Procedure Amendment in 2009

Hosenseidlová, Petra

January 2013

The thesis Protection of Crime Victims and the Media: Publishing of Mistreated Children Information before and after Passing the Law of Criminal Procedure Amendment in 2009 deals with the problem of secondary victimization caused by the media. More specifically, it focuses on the mistreated children and publishing that kind of information about them which enable their identification. It is concerned with the nationwide daily press and compares the situation before and after passing the Law of Criminal Procedure Amendment in 2009. This amendment introduced measures towards better privacy protection of crime victims with a special respect to underage victims and victims of some exceptionally serious crimes. The thesis compares the occurrence of information which enable identification of mistreated children in 2008 and 2011 in the three most popular nationwide dailies - Mlada fronta Dnes, Pravo and Blesk. It is interested in the following information: names and surnames of the victims and their family members, residence location, photos of the victims, their family members and their residence location. Apart from that it also examines where journalists get those information and photos from. The main aim is to find out what was the impact of the amendment, it means whether there are less information...

安全多方計算協定描述語言之設計與實作 / A Protocol Description Language for Secure Multi-Party Computation

黃文楷, Huang, Wen Kai

Unknown Date

安全多方計算的研究主要是針對在分散環境下的兩造(或多方)之間，如何在不透露彼此私有的資料的情況下，計算一個約定函數的問題，並要確保除了計算結果及其可能推導出的資訊，不會洩漏額外的私有資料。依此設計出來的函數算法，稱為安全的多方計算協定(protocol)。 過去兩年本實驗室根據一套基於向量內積運算(scalar product)發展出的安全多方計算方法，設計了一個雛型的分散式系統框架，開發了一套符合其安全要求的常用算數運算函數庫。 但目前個別的應用問題在此系統上發展安全協定的程式時，使用者必須相當熟悉其架構與程式庫細節，才能開發所需程式，造成推廣上的障礙。有鑑於此，本論文採用領域專屬語言(domain-specific language)的方法與技術，針對一般安全多方協定程式的特徵來進行歸納與分析，找出協助其表達計算步驟的適當抽象機制，並在設計上訂定了以下目標： 1. 設計一高階語言用以描述多方安全計算，以提供使用者撰寫安全多方計算程式。 2. 檢查並確保使用者撰寫的程式不會有資訊洩漏。 3. 多方安全運算執行上能保持一定的效率。 4. 建立多方安全計算的運算流程，讓PDL與現有的運作環境配合，達到各伺服器合作運行多方安全計算的目的。 朝向這四個目標發展出一套協定描述語言與其編譯器。以便與SMC-Protocol以及其環境合作，協助領域專家以更簡便的方式來設計與實驗更多的安全多方協定。我們稱此語言為多方安全計算協定描述語言(Protocol Description Language, PDL)。 / Protocols for secure multi-party computation (SMC) allow participants to share a computation while each party learns only what can be inferred from their own inputs and the output of the computation. In the past two years, we developed an SMC implementation framework for both integers and floating numbers which comprises a set of arithmetic operations that manipulate secret values among involved parties using the scalar product protocol as the basis. Such a library of arithmetic operations is call building blocks. But using this library is not easy. To solve individual SMC problem, programmer should knowing the given framework and protocol detail very well. This difficulty makes them won't consider this framework while facing the need of SMC. To ease the writing of more complex user-defined protocols, using the technique of domain-specific language, this thesis analysis the general needs of SMC, develop a domain-specific language of SMC, and implement a compiler that coverts this language to SMC code, which is executable code composed of the protocols of given framework. We called this language Protocol Description Language, PDL.

安全多方計算

隱私保護

領域專屬語言

靜態分析

Secure multi-party computation

privacy protection

domain-specific language

static analysis

Towards better privacy preservation by detecting personal events in photos shared within online social networks / Vers une meilleure protection de la vie privée par la détection d'événements dans les photos partagées sur les réseaux sociaux

Raad, Eliana

04 December 2015

De nos jours, les réseaux sociaux ont considérablement changé la façon dont les personnes prennent des photos qu’importe le lieu, le moment, le contexte. Plus que 500 millions de photos sont partagées chaque jour sur les réseaux sociaux, auxquelles on peut ajouter les 200 millions de vidéos échangées en ligne chaque minute. Plus particulièrement, avec la démocratisation des smartphones, les utilisateurs de réseaux sociaux partagent instantanément les photos qu’ils prennent lors des divers événements de leur vie, leurs voyages, leurs aventures, etc. Partager ce type de données présente un danger pour la vie privée des utilisateurs et les expose ensuite à une surveillance grandissante. Ajouté à cela, aujourd’hui de nouvelles techniques permettent de combiner les données provenant de plusieurs sources entre elles de façon jamais possible auparavant. Cependant, la plupart des utilisateurs des réseaux sociaux ne se rendent même pas compte de la quantité incroyable de données très personnelles que les photos peuvent renfermer sur eux et sur leurs activités (par exemple, le cas du cyberharcèlement). Cela peut encore rendre plus difficile la possibilité de garder l’anonymat sur Internet dans de nombreuses situations où une certaine discrétion est essentielle (politique, lutte contre la fraude, critiques diverses, etc.).Ainsi, le but de ce travail est de fournir une mesure de protection de la vie privée, visant à identifier la quantité d’information qui permettrait de ré-identifier une personne en utilisant ses informations personnelles accessibles en ligne. Premièrement, nous fournissons un framework capable de mesurer le risque éventuel de ré-identification des personnes et d’assainir les documents multimédias destinés à être publiés et partagés. Deuxièmement, nous proposons une nouvelle approche pour enrichir le profil de l’utilisateur dont on souhaite préserver l’anonymat. Pour cela, nous exploitons les évènements personnels à partir des publications des utilisateurs et celles partagées par leurs contacts sur leur réseau social. Plus précisément, notre approche permet de détecter et lier les évènements élémentaires des personnes en utilisant les photos (et leurs métadonnées) partagées au sein de leur réseau social. Nous décrivons les expérimentations que nous avons menées sur des jeux de données réelles et synthétiques. Les résultats montrent l’efficacité de nos différentes contributions. / Today, social networking has considerably changed why people are taking pictures all the time everywhere they go. More than 500 million photos are uploaded and shared every day, along with more than 200 hours of videos every minute. More particularly, with the ubiquity of smartphones, social network users are now taking photos of events in their lives, travels, experiences, etc. and instantly uploading them online. Such public data sharing puts at risk the users’ privacy and expose them to a surveillance that is growing at a very rapid rate. Furthermore, new techniques are used today to extract publicly shared data and combine it with other data in ways never before thought possible. However, social networks users do not realize the wealth of information gathered from image data and which could be used to track all their activities at every moment (e.g., the case of cyberstalking). Therefore, in many situations (such as politics, fraud fighting and cultural critics, etc.), it becomes extremely hard to maintain individuals’ anonymity when the authors of the published data need to remain anonymous.Thus, the aim of this work is to provide a privacy-preserving constraint (de-linkability) to bound the amount of information that can be used to re-identify individuals using online profile information. Firstly, we provide a framework able to quantify the re-identification threat and sanitize multimedia documents to be published and shared. Secondly, we propose a new approach to enrich the profile information of the individuals to protect. Therefore, we exploit personal events in the individuals’ own posts as well as those shared by their friends/contacts. Specifically, our approach is able to detect and link users’ elementary events using photos (and related metadata) shared within their online social networks. A prototype has been implemented and several experiments have been conducted in this work to validate our different contributions.

Cyber sécurité

Protection de la vie privée

Anonymisation

Réseaux sociaux

Détection d’évènements

Regroupement d’images

Identité numérique

Relations entre les évènements

Métadonnées

Analyse de données

Cybersecurity

Privacy protection

Anonymization

Online social networks

Event detection

Image clustering

Online identity

Event relations

Metadata

Data analysis

005.1

Privacy-preserving spectrum sharing / Un partage de spectre préservant la confidentialité

Ben-Mosbah, Azza

24 May 2017

Les bandes des fréquences, telles qu'elles sont aménagées aujourd'hui, sont statiquement allouées. Afin d'améliorer la productivité et l'efficacité de l'utilisation du spectre, une nouvelle approche a été proposée : le "partage dynamique du spectre". Les régulateurs, les industriels et les scientifiques ont examiné le partage des bandes fédérales entre les détenteurs de licences (utilisateurs primaires) et les nouveaux entrants (utilisateurs secondaires). La nature d'un tel partage peut faciliter les attaques d'inférence et mettre en péril les paramètres opérationnels des utilisateurs primaires. Par conséquent, le but de cette thèse est d'améliorer la confidentialité des utilisateurs primaires tout en permettant un accès secondaire au spectre. Premièrement, nous présentons une brève description des règles de partage et des exigences en termes de confidentialité dans les bandes fédérales. Nous étudions également les techniques de conservation de confidentialité (obscurcissement) proposées dans les domaines d'exploration et d'édition de données pour contrecarrer les attaques d'inférence. Ensuite, nous proposons et mettons en œuvre notre approche pour protéger la fréquence et la localisation opérationnelles contre les attaques d'inférence. La première partie étudie la protection de la fréquence opérationnelle en utilisant un obscurcissement inhérent et explicite pour préserver la confidentialité. La deuxième partie traite la protection de la localisation opérationnelle en utilisant la confiance comme principale contre-mesure pour identifier et atténuer un risque d'inférence. Enfin, nous présentons un cadre axé sur les risques qui résume notre travail et s'adapte à d'autres approches de protection de la confidentialité. Ce travail est soutenu par des modèles, des simulations et des résultats qui focalisent sur l'importance de quantifier les techniques de préservation de la confidentialité et d'analyser le compromis entre la protection de la confidentialité et l'efficacité du partage du spectre / Radio frequencies, as currently allocated, are statically managed. Spectrum sharing between commercial users and incumbent users in the Federal bands has been considered by regulators, industry, and academia as a great way to enhance productivity and effectiveness in spectrum use. However, allowing secondary users to share frequency bands with sensitive government incumbent users creates new privacy threats in the form of inference attacks. Therefore, the aim of this thesis is to enhance the privacy of the incumbent while allowing secondary access to the spectrum. First, we present a brief description of different sharing regulations and privacy requirements in Federal bands. We also survey the privacy-preserving techniques (i.e., obfuscation) proposed in data mining and publishing to thwart inference attacks. Next, we propose and implement our approach to protect the operational frequency and location of the incumbent operations from inferences. We follow with research on frequency protection using inherent and explicit obfuscation to preserve the incumbent's privacy. Then, we address location protection using trust as the main countermeasure to identify and mitigate an inference risk. Finally, we present a risk-based framework that integrates our work and accommodates other privacy-preserving approaches. This work is supported with models, simulations and results that showcase our work and quantify the importance of evaluating privacy-preserving techniques and analyzing the trade-off between privacy protection and spectrum efficiency

Partage du spectre

Détenteur de licence fédéral

Utilisateurs secondaires commerciaux

Attaque d'inférence

Sécurité opérationnelle

Protection de la confidentialité

Offuscation

Gestion de confiance

Efficacité du spectre

Spectrum sharing

Federal incumbent

Commercial secondary users

Inference attack

Operational security

Privacy protection

Obfuscation

Trust management

Spectrum efficiency

Kodanonymisering vid integration med ChatGPT : Säkrare ChatGPT-användning med en kodanonymiseringsapplikation / Code anonymization when integrating with ChatGPT : Safer ChatGPT usage with a code anonymization application

Azizi, Faruk

January 2023

Denna avhandling studerar området av kodanonymisering inom programvaruutveckling, med fokus på att skydda känslig källkod i en alltmer digitaliserad och AI-integrerad värld. Huvudproblemen som avhandlingen adresserar är de tekniska och säkerhetsmässiga utmaningarna som uppstår när källkod behöver skyddas, samtidigt som den ska vara tillgänglig för AI-baserade analysverktyg som ChatGPT. I denna avhandling presenteras utvecklingen av en applikation vars mål är att anonymisera källkod, för att skydda känslig information samtidigt som den möjliggör säker interaktion med AI. För att lösa dessa utmaningar har Roslyn API använts i kombination med anpassade identifieringsalgoritmer för att analysera och bearbeta C#-källkod, vilket säkerställer en balans mellan anonymisering och bevarande av kodens funktionalitet. Roslyn API är en del av Microsofts .NET-kompilatorplattform som tillhandahåller rika funktioner för kodanalys och transformation, vilket möjliggör omvandling av C#-källkod till ett detaljerat syntaxträd för inspektion och manipulering av kodstrukturer. Resultaten av projektet visar att den utvecklade applikationen framgångsrikt anonymiserar variabel-, klass- och metodnamn, samtidigt som den bibehåller källkodens logiska struktur. Dess integration med ChatGPT förbättrar användarupplevelsen genom att erbjuda interaktiva dialoger för analys och assistans, vilket gör den till en värdefull resurs för utvecklare. Framtida arbete inkluderar utvidgning av applikationen för att stödja fler programmeringsspråk och utveckling av användaranpassade konfigurationer för att ytterligare förbättra användarvänligheten och effektiviteten. / This thesis addresses the area of code anonymization in software development, with a focus on protecting sensitive source code in an increasingly digitized and AI-integrated world. The main problems that the thesis addresses are the technical and security challenges that arise when source code needs to be protected, while being accessible to AI-based analysis tools such as ChatGPT. This thesis presents the development of an application whose goal is to anonymize source code, in order to protect sensitive information while enabling safe interaction with AI. To solve these challenges, the Roslyn API has been used in combination with customized identification algorithms to analyze and process C# source code, ensuring a balance between anonymization and preservation of the code's functionality. The Roslyn API is part of Microsoft's .NET compiler platform that provides rich code analysis and transformation capabilities, enabling the transformation of C# source code into a detailed syntax tree for code structure inspection and manipulation.The results of the project show that the developed application successfully anonymizes variable, class, and method names, while maintaining the logical structure of the source code. Its integration with ChatGPT enhances the user experience by providing interactive dialogues for analysis and assistance, making it a valuable resource for developers. Future work includes extending the application to support more programming languages and developing customized configurations to further improve ease of use and efficiency.

Code anonymization

Data anonymization

ChatGPT

AI

Anonymization

information sanitization

privacy protection

Kodanonymisering

Dataanonymisering

ChatGPT

AI

Anonymisering

informationssanering

integritetsskydd

Computer Sciences

Datavetenskap (datalogi)

Computer Engineering

Datorteknik

Software Engineering

Programvaruteknik

Computer Engineering

Datorteknik