I did a lot of work in healthcare IT and have also obsessed about voter privacy (protecting the secret ballot).
I've seen de-anonymization in practice. I also know there's a huge chasm between the best available science (and practices) and the real world. (Dumb example: "redacting" PDFs by drawing opaque boxes over the text instead of removing it.)
#1 At best, like crypto, differential privacy may offer only temporary protection for data that is reused (shared, in transit), and only if its assumptions hold.
#2 Also, like crypto, I have no confidence that anyone, anywhere, will implement DP correctly, or even be able to prove they've done so.
#3 The original data is still stored somewhere, and DP has no story for mitigating leaks of that raw data.
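For readers unfamiliar with what's under discussion: the core DP mechanism is adding calibrated noise to aggregate query results. A minimal sketch of the classic Laplace mechanism (function names and parameters here are my own illustration, not any particular library's API):

```python
import math
import random

def laplace_noise(scale: float) -> float:
    """Sample Laplace(0, scale) noise via the inverse-CDF method."""
    u = random.random() - 0.5
    sign = -1.0 if u < 0 else 1.0
    return -scale * sign * math.log(1.0 - 2.0 * abs(u))

def dp_count(records: list, predicate, epsilon: float) -> float:
    """Answer a counting query with epsilon-differential privacy.

    A count has sensitivity 1 (adding or removing one person changes
    it by at most 1), so Laplace noise with scale 1/epsilon suffices.
    """
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon)

# Example: how many records have a "positive" flag?
records = [{"positive": i % 3 == 0} for i in range(300)]
noisy = dp_count(records, lambda r: r["positive"], epsilon=1.0)
```

Note the mechanism protects only the *released answer*; it says nothing about the raw `records` list sitting on disk, which is exactly point #3.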
Given my disappointment, I believe (but cannot prove) there are two strategies worth exploring.
First, contracts that use-case-box and time-box the data: stating how and when shared data may be used, with a drop-dead date by which it must be destroyed. Such a contract could be expanded to include parameters for differential privacy. One org I work with has these policies. Alas, "trust, but verify" is tough in practice. We seed the shared data with fake (honeypot-esque) records and have caught cheaters.
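The fake-record trick above is sometimes called canary or honeytoken seeding. A minimal sketch of one way to do it (the field names and derivation scheme here are my own illustration, not the org's actual method): derive each fake record deterministically from a secret seed, so any record that surfaces outside the contract can be recognized and traced.

```python
import hashlib

def make_canary(seed: str) -> dict:
    """Build a plausible-looking fake record derived from a secret seed.

    Because the fields are a pure function of the seed, the data owner
    can later recognize the record (or its unique email) anywhere it
    leaks, and tie it back to the specific data-sharing agreement.
    """
    digest = hashlib.sha256(seed.encode("utf-8")).hexdigest()
    return {
        "name": f"Pat {digest[:6].upper()}",
        "email": f"pat.{digest[:8]}@example.com",
        "member_id": digest[8:16],
    }

def is_canary(record: dict, seeds: list) -> bool:
    """Check whether a surfaced record matches any of our planted canaries."""
    return any(record == make_canary(s) for s in seeds)
```

In practice you'd plant one canary per recipient, so the seed identifies *who* leaked, not just *that* someone did.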
Second, I'm keen to further explore translucent databases, where the data at rest is encrypted or one-way hashed.
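The core translucent-database idea (per Peter Wayner's book of that name) is that the server stores only one-way transforms of sensitive identifiers: it can still match and join on them, but a stolen table reveals nothing readable. A minimal sketch, assuming a keyed hash with a server-held pepper (names here are illustrative):

```python
import hashlib
import hmac

def opaque_key(identifier: str, pepper: bytes) -> str:
    """Keyed one-way hash of a sensitive identifier.

    The database stores only this value. It supports exact-match
    lookups and joins, but without the pepper an attacker who steals
    the table cannot feasibly recover or brute-force the raw IDs.
    """
    return hmac.new(pepper, identifier.encode("utf-8"), hashlib.sha256).hexdigest()

# What actually lands on disk: no raw patient ID anywhere.
PEPPER = b"held-by-the-application-not-the-db"  # illustrative only
row = {"key": opaque_key("patient-8675309", PEPPER), "lab_result": "negative"}

# Lookup: recompute the key at query time with the same pepper.
wanted = opaque_key("patient-8675309", PEPPER)
found = row if row["key"] == wanted else None
```

The trade-off is that you lose range queries and fuzzy matching on the hashed column, which is why this works best for identifiers rather than analytic fields.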
Lastly, I'm always looking to see who is working in this space, and what they're doing. I'd like to believe that someone will crack this nut.