Understanding the maths is crucial for protecting privacy

Publishing data can bring benefits, but it also can be a great risk to privacy

By Dr Chris Culnane, Dr Benjamin Rubinstein and Dr Vanessa Teague, Department of Computing and Information Systems, University of Melbourne

Using only publicly available information, we have been able to decrypt the service provider ID numbers in the 10% sample of Medicare Benefits Schedule (MBS) published recently at the Federal Government’s data.gov.au website. We did not decrypt Patient ID numbers.

This research work is aimed at understanding mathematical facts about encryption and anonymization, in order to ensure that the security of government data is preserved in the face of the inevitable efforts of external parties who may be prepared to break the law and attempt to re-identify the data. There are numerous benefits to open government data, but it’s important to understand the mathematical techniques for protecting that data, so that the benefits can be derived with a clear understanding that individual privacy is not breached.

The department of health has made their own announcement about this work today. We notified them on 12 September, 2016 about the problem. The Department of Health then immediately removed the dataset from the website, opened lines of communication with us to further understand the issue and conducted their own careful investigation of the problem.

The MBS 10% sample dataset does not include names or addresses, but the implications of exposing individual provider IDs are still serious.

The encryption algorithm was described online at data.gov.au. That was the right thing to do, because it made it possible for us to identify weaknesses in the encryption method. Leaving out some of the algorithmic details didn’t keep the data secure – if we can reverse-engineer the details in a few days, then there is a risk that others could do so too.

Security through obscurity doesn’t work – keeping the algorithm secret wouldn’t have made the encryption secure, it just would have taken longer for security researchers to identify the problem. It is much better for such problems to be found and addressed than to remain unnoticed.

Background on the dataset

The MBS 10% sample was constructed by choosing a random 10% of Medicare patients. For each person selected, almost all Medicare claiming activities from 1984 to 2014 were included in the data. A separate dataset lists Pharmaceutical Benefits Schedule (PBS) claims for the same patients.

A woman walks past a Medicare office in Sydney. Picture: Rob Elliott/AFP/Getty Images

Most of the data are not encrypted, including Medicare item codes for tests and doctors’ visits, pharmaceutical benefits (PBS) item codes, and other information such as pricing and location. The codes describe what medical activity occurred, for example a particular kind of test, a particular prescription, or a visit to a GP or specialist. The ID numbers describing who received or provided the service are encrypted.

The dataset does not include names or addresses of patients or doctors – the MBS dataset includes an encrypted patient ID number and provider ID for each activity. Note that the patient’s ID number is not the number written on their Medicare card, and that the PBS dataset does not include the prescribing doctor’s ID.

The website states that: “A suite of confidentiality measures including encryption, perturbation and exclusion of rare events has been applied to safeguard personal health information and ensure that patients and providers cannot be re-identified.’’

Strictly speaking, the method of obscuring patient and provider ID numbers is not encryption, though we will use that term to refer to it for consistency.

Recovering information

There are two main ways of trying to identify individuals in this kind of dataset:

Linkage attacks use the unencrypted data to identify people by linking the record with other known information; and

Cryptographic attacks reverse the encryption algorithm to recover encrypted data.

This article concentrates on successful cryptographic attacks.

Linkage attacks have been demonstrated on other datasets, for example location data, social network data and US health data, but we have not attempted them here.

Partial details about the linkable encryption algorithm were described online at data.gov.au, but were later removed at the same time as the dataset. Although neither the exact algorithm nor the details of subsequent processing were described in detail, we could guess those details for provider IDs and use the dataset to check our hypothesis. We were able to decrypt every service provider ID in the MBS dataset.

The details for patient ID numbers are different. We have not decrypted them.

It’s challenging to understand whether an algorithm encrypts data or not. Picture: Pexels

Conclusion

Publishing data can bring great benefits to research but also great risks to privacy. The mathematical details matter: it’s a technically challenging task to understand whether a particular algorithm securely encrypts data or not. Datasets containing sensitive information about individuals clearly deserve more caution than others, and may not always be suitable for open public release.

The Australian Government’s open data program provides numerous benefits, allowing better decisions to be made based on evidence, careful analysis, and widespread access to accurate information.

Decisions about data publication itself should follow the same philosophy.

We have some important decisions to make about what personal data to publish and how it should be anonymised, encrypted or linked. Making good decisions requires accurate technical information about the security of the system and the secrecy of the data.

Details about the privacy protections should be published long in advance.

They can then be subject to empirical testing, scientific analysis, and open public review, before they are used on real data. Then we can make sound, evidence-based decisions about how to benefit from open data without sacrificing individual privacy.

Banner image: AAP Image/Joel Carrett

Since notifying the Department of Health of this issue, the authors have been in discussions about potentially being contracted to research the extent of the problem and possible mitigations and solutions for the future.

Engineering & Technology

Featured

Republish this article

We believe in the free flow of information. This work is licensed under a Creative Commons Attribution-No Derivatives 3.0 Australia (CC BY-ND 3.0 AU), so you can republish our articles for free, online or in print.

All republished articles must be attributed in the following way and contain links to both the site and original article: “This article was first published on Pursuit. Read the original article.”

<header><h1>Understanding the maths is crucial for protecting privacy</h1><a rel="author" href="https://pursuit.unimelb.edu.au/individuals/associate-professor-benjamin-rubinstein">Associate Professor Benjamin Rubinstein</a>, <a rel="author" href="https://pursuit.unimelb.edu.au/individuals/associate-professor-vanessa-teague">Associate Professor Vanessa Teague</a> and <a rel="author" href="https://pursuit.unimelb.edu.au/individuals/dr-chris-culnane">Dr Chris Culnane</a></header>Using only publicly available information, we have been able to decrypt the service provider ID numbers in the 10% sample of Medicare Benefits Schedule (MBS) published recently at the Federal Government’s <a href="http://data.gov.au/">data.gov.au</a> website. We did not decrypt Patient ID numbers.This research work is aimed at understanding mathematical facts about encryption and anonymization, in order to ensure that the security of government data is preserved in the face of the inevitable efforts of external parties who may be prepared to break the law and attempt to re-identify the data. There are numerous benefits to open government data, but it’s important to understand the mathematical techniques for protecting that data, so that the benefits can be derived with a clear understanding that individual privacy is not breached.The department of health has made their own <a href="http://www.health.gov.au/internet/main/publishing.nsf/Content/mr-yr16-dept-dept005.htm">announcement</a> about this work today. We notified them on 12 September, 2016 about the problem. The Department of Health then immediately removed the dataset from the website, opened lines of communication with us to further understand the issue and conducted their own careful investigation of the problem.The MBS 10% sample dataset does not include names or addresses, but the implications of exposing individual provider IDs are still serious.The encryption algorithm was <a href="https://data.gov.au/dataset/a8e3c0bc-44ac-4e9a-8b3c-b779438ddb10">described online at data.gov.au</a>. That was the right thing to do, because it made it possible for us to identify weaknesses in the encryption method. Leaving out some of the algorithmic details didn’t keep the data secure – if we can reverse-engineer the details in a few days, then there is a risk that others could do so too. Security through obscurity doesn’t work – keeping the algorithm secret wouldn’t have made the encryption secure, it just would have taken longer for security researchers to identify the problem. It is much better for such problems to be found and addressed than to remain unnoticed.<h2>Background on the dataset</h2>The MBS 10% sample was constructed by choosing a random 10% of Medicare patients. For each person selected, almost all Medicare claiming activities from 1984 to 2014 were included in the data. A separate dataset lists Pharmaceutical Benefits Schedule (PBS) claims for the same patients. <figure class="inset-right"><img alt="" itemprop="image" sizes="(min-width: 769px) 420px, (min-width: 481px) 50vw, 100vw" src="https://res-1.cloudinary.com/the-university-of-melbourne/image/upload/s--IfQnVHcH--/c_limit,f_auto,q_75,w_420/v1/pursuit-uploads/7fb/48a/f19/7fb48af1932b707550a3bc1efa30e6bbc25fe1059a8d4bd3ffaf589dd69d.jpg" srcset="https://res-1.cloudinary.com/the-university-of-melbourne/image/upload/s--IfQnVHcH--/c_limit,f_auto,q_75,w_420/v1/pursuit-uploads/7fb/48a/f19/7fb48af1932b707550a3bc1efa30e6bbc25fe1059a8d4bd3ffaf589dd69d.jpg 420w, https://res-1.cloudinary.com/the-university-of-melbourne/image/upload/s--gpOAjRq4--/c_limit,f_auto,q_75,w_840/v1/pursuit-uploads/7fb/48a/f19/7fb48af1932b707550a3bc1efa30e6bbc25fe1059a8d4bd3ffaf589dd69d.jpg 840w" /><figcaption>A woman walks past a Medicare office in Sydney. Picture: Rob Elliott/AFP/Getty Images</figcaption></figure>Most of the data are not encrypted, including Medicare item codes for tests and doctors’ visits, pharmaceutical benefits (PBS) item codes, and other information such as pricing and location. The codes describe what medical activity occurred, for example a particular kind of test, a particular prescription, or a visit to a GP or specialist. The ID numbers describing who received or provided the service are encrypted.The dataset does not include names or addresses of patients or doctors – the MBS dataset includes an encrypted patient ID number and provider ID for each activity. Note that the patient’s ID number is not the number written on their Medicare card, and that the PBS dataset does not include the prescribing doctor’s ID.The website states that: “A suite of confidentiality measures including encryption, perturbation and exclusion of rare events has been applied to safeguard personal health information and ensure that patients and providers cannot be re-identified.’’Strictly speaking, the method of obscuring patient and provider ID numbers is not encryption, though we will use that term to refer to it for consistency. <figure class="related inset-right" role="complementary"><a class="single" data-bound="true" href="https://pursuit.unimelb.edu.au/articles/paper-audits-crucial-for-automated-counting"><img alt="" itemprop="image" src="https://res-1.cloudinary.com/the-university-of-melbourne/image/fetch/s--2WERodts--/c_fill,f_jpg,q_70,w_435/https://res-1.cloudinary.com/the-university-of-melbourne/image/upload/s--8CK7ppBE--/c_fill%2Cf_auto%2Ch_630%2Cq_75%2Cw_1200/v1/pursuit-uploads/315/49e/cee/31549ecee31157c6a8d9b8e33e109036235f3765605e2aa954cedf3c9bc4.jpg" /><h3>Paper audits crucial for automated counting</h3><div class="readmore">Read more</div></a></figure><h2>Recovering information</h2>There are two main ways of trying to identify individuals in this kind of dataset: Linkage attacks use the unencrypted data to identify people by linking the record with other known information; andCryptographic attacks reverse the encryption algorithm to recover encrypted data.This article concentrates on successful cryptographic attacks. Linkage attacks have been demonstrated on other datasets, for example <a href="http://www.nature.com/articles/srep01376">location data</a>, <a href="http://blog.kaggle.com/2011/01/15/how-we-did-it-the-winners-of-the-ijcnn-social-network-challenge/">social network data</a> and <a href="http://dataprivacylab.org/projects/wa/index.html">US health data</a>, but we have not attempted them here. Partial details about the linkable encryption algorithm were described online at data.gov.au, but were later removed at the same time as the dataset. Although neither the exact algorithm nor the details of subsequent processing were described in detail, we could guess those details for provider IDs and use the dataset to check our hypothesis. We were able to decrypt every service provider ID in the MBS dataset. The details for patient ID numbers are different. We have not decrypted them.<figure class="full-width"><img alt="" itemprop="image" sizes="(min-width: 1300px) 892px, (min-width: 1099px) 860px, (min-width: 769px) 700px, 100vw" src="https://res-3.cloudinary.com/the-university-of-melbourne/image/upload/s--LN5wBozm--/c_limit,f_auto,q_75,w_892/v1/pursuit-uploads/7a8/b94/0fc/7a8b940fc7da1e068f740415c4958240f518a0a7727558f641a8eb452e56.jpg" srcset="https://res-3.cloudinary.com/the-university-of-melbourne/image/upload/s--sGfHebpu--/c_limit,f_auto,q_75,w_446/v1/pursuit-uploads/7a8/b94/0fc/7a8b940fc7da1e068f740415c4958240f518a0a7727558f641a8eb452e56.jpg 446w, https://res-3.cloudinary.com/the-university-of-melbourne/image/upload/s--c7-vwfTd--/c_limit,f_auto,q_75,w_669/v1/pursuit-uploads/7a8/b94/0fc/7a8b940fc7da1e068f740415c4958240f518a0a7727558f641a8eb452e56.jpg 669w, https://res-3.cloudinary.com/the-university-of-melbourne/image/upload/s--LN5wBozm--/c_limit,f_auto,q_75,w_892/v1/pursuit-uploads/7a8/b94/0fc/7a8b940fc7da1e068f740415c4958240f518a0a7727558f641a8eb452e56.jpg 892w, https://res-3.cloudinary.com/the-university-of-melbourne/image/upload/s--MYVpkBv0--/c_limit,f_auto,q_75,w_1784/v1/pursuit-uploads/7a8/b94/0fc/7a8b940fc7da1e068f740415c4958240f518a0a7727558f641a8eb452e56.jpg 1784w" /><figcaption>It’s challenging to understand whether an algorithm encrypts data or not. Picture: Pexels</figcaption></figure><h2>Conclusion</h2>Publishing data can bring great benefits to research but also great risks to privacy. The mathematical details matter: it’s a technically challenging task to understand whether a particular algorithm securely encrypts data or not. Datasets containing sensitive information about individuals clearly deserve more caution than others, and may not always be suitable for open public release.The Australian Government’s open data program provides numerous benefits, allowing better decisions to be made based on evidence, careful analysis, and widespread access to accurate information. Decisions about data publication itself should follow the same philosophy. We have some important decisions to make about what personal data to publish and how it should be anonymised, encrypted or linked. Making good decisions requires accurate technical information about the security of the system and the secrecy of the data. Details about the privacy protections should be published long in advance.They can then be subject to empirical testing, scientific analysis, and open public review, before they are used on real data. Then we can make sound, evidence-based decisions about how to benefit from open data without sacrificing individual privacy.Banner image: AAP Image/Joel Carrett Since notifying the Department of Health of this issue, the authors have been in discussions about potentially being contracted to research the extent of the problem and possible mitigations and solutions for the future.<img alt="" height="1" style="display:none" width="1" src="//track.web.unimelb.edu.au/pursuit/pageview.png?location=https%3A%2F%2Fpursuit.unimelb.edu.au%2Farticles%2Funderstanding-the-maths-is-crucial-for-protecting-privacy&title=Understanding+the+maths+is+crucial+for+protecting+privacy&path=%2Farticles%2Funderstanding-the-maths-is-crucial-for-protecting-privacy&campaign_name=Pursuit+republishing&campaign_medium=republish&campaign_content=Understanding+the+maths+is+crucial+for+protecting+privacy" />

Media enquiries

Phone: +61 3 8344 4123
Email: news@media.unimelb.edu.au

The Media Office is staffed from 8am–5pm Monday to Friday.

The University has a television and radio studio to facilitate live and prerecorded broadcast quality interviews with media. You can also Find an expert for commentary.