Internet Security

Privacy researchers devise a noise-exploitation attack that defeats dynamic anonymity


Privacy researchers in Europe believe they have the first proof that a long-theorised vulnerability in systems designed to protect privacy by aggregating and adding noise to data to mask individual identities is no longer just a theory.

The research has implications for the immediate field of differential privacy and beyond — raising wide-ranging questions about how privacy is regulated if anonymization only works until a determined attacker figures out how to reverse the method that’s being used to dynamically fuzz the data.

Current EU law doesn’t recognise anonymous data as personal data, although it does treat pseudonymized data as personal data because of the risk of re-identification.

Yet a growing body of research suggests the risk of de-anonymization on high dimension data sets is persistent. Even — per this latest research — when a database system has been very carefully designed with privacy protection in mind.

It suggests the entire business of protecting privacy needs to get a whole lot more dynamic to respond to the risk of perpetually evolving attacks.

Academics from Imperial College London and Université Catholique de Louvain are behind the new research.

This week, at the 28th USENIX Security Symposium, they presented a paper detailing a new class of noise-exploitation attacks on a query-based database that uses aggregation and noise injection to dynamically mask personal data.

The product they were looking at is a database querying framework, called Diffix — jointly developed by a German startup called Aircloak and the Max Planck Institute for Software Systems.

On its website Aircloak bills the technology as “the first GDPR-grade anonymization” — aka Europe’s General Data Protection Regulation, which began being applied last year, raising the bar for privacy compliance by introducing a data protection regime that includes fines that can scale up to 4% of a data processor’s global annual turnover.

What Aircloak is essentially offering is to manage GDPR risk by providing anonymity as a commercial service — allowing queries to be run on a data-set that let analysts gain valuable insights without accessing the data itself. The promise being it’s privacy (and GDPR) ‘safe’ because it’s designed to mask individual identities by returning anonymized results.

The problem is personal data that’s re-identifiable isn’t anonymous data. And the researchers were able to craft attacks that undo Diffix’s dynamic anonymity — although Aircloak is confident it has already prevented this attack.

“What we did here is we studied the system and we showed that actually there is a vulnerability that exists in their system that allows us to use their system and to send carefully created queries that allow us to extract — to exfiltrate — information from the data-set that the system is supposed to protect,” explains Imperial College’s Yves-Alexandre de Montjoye, one of five co-authors of the research paper.

“Differential privacy really shows that every time you answer one of my questions you’re giving me information and at some point — to the extreme — if you keep answering every single one of my questions I will ask you so many questions that at some point I will have figured out every single thing that exists in the database because every time you give me a bit more information,” he says of the pre


Hackers to stress-test Facebook Portal at hacking contest


Hackers will soon be able to stress-test the Facebook Portal at the annual Pwn2Own hacking contest, following the introduction of the social media giant’s debut hardware device last year.

Pwn2Own is one of the largest hacking contests in the world, where security researchers descend to find and demonstrate their exploits for vulnerabilities in a range of consumer electronics and technologies, including appliances and automobiles.

It’s not unusual for companies to allow hackers to put their products through their paces. Tesla earlier this year entered its new Model 3 sedan into the contest. A pair of researchers later scooped up $375,000 — and the car


Binance launches Venus, which it calls an “independent, regional version” of Facebook’s Libra


Binance, the world’s largest cryptocurrency exchange, announced today that it will launch an open blockchain project called Venus to develop regional stablecoins pegged to fiat currencies (or traditional currencies usually issued and backed by a government).

Based in Malta, Binance launched its decentralized trading service, Binance Chain, earlier this year, and since then has issued stablecoins pegged to Bitcoin and the British pound.

In its English-language announcement, Binance said Venus’ goal is “to empower developed and developing countries to spur new currencies,” but did not mention Libra, Facebook’s cryptocurrency pr


Meet the TC Top Picks for Disrupt SF 2019


Honestly, the creativity and quality of early-stage startups and their founders never ceases to amaze us. When we issued the call for applications to our TC Top Picks program for Disrupt San Francisco 2019, the response was overwhelming — and the competition was off the hook. Our editors dug in and managed to narrow the field to the startups they felt best represent their specific category. It wasn’t easy, but we’re thrilled with the results and we think you will be, too.

The TC Top Picks program showcases outstanding early-stage startups across these categories: AI/Machine Learning, Biotech/Healthtech, Blockchain, Fintech, Mobility, Privacy/Security, Retail/E-commerce, Robotics/IoT/Hardware, SaaS and Social Impact & Education.

Top Picks founders receive a free Startup Alley exhibitor package, a featured location on the exhibition floor, three free Founder passes and VIP treatment — including invitations to the investor reception. They also receive an interview on the Showcase Stage with a TechCrunch editor — and we’ll promote that video across our social media platforms.

It’s time to announce the early-stage startups we chose as TC Top Picks for Disrupt SF ’19. Can we get a drum roll, please?

AI/Machine Learning

  • Greyparrot: AI-based computer vision solutions to power next generation robotics and smart systems for the waste management industry.
  • Halos: AI-driven, zero-touch, fully digital home maintenance platform to build deep and profitable relationships with homeowners.
  • Moodbit: People Analytics Technology that analyzes employee emotions and delivers predictive and prescriptive analytics to improve performance.
  • OneClick.ai: Automated Deep Learning AI technology to enable businesses with advanced predictive analysis and decision making.
  • Voxel51: AI for Video: video analytics platform in the cloud and on-premises enabling fast, rich insights from image


Facebook contractors said to have collected and transcribed users’ audio without permission


“The future is private.” Clearly, Facebook still has a way to go.

Facebook has become the latest tech giant to face scrutiny over its handling of users’ data, following a report that said the social media giant collected audio data and recordings from its users and transcribed it using third-party contractors.

The report came from Bloomberg, citing the contractors who requested anonymity for fear of losing their jobs.

According to the report, the audio came from its Messenger app. The audio conversations were matched against transcriptions to see if they were properly interpreted by the company’s artificial intelligence.

There are several ways that Facebook collects voice and audio data. But the social media giant’s privacy policy makes no clear mention or explanation of what it uses audio data for. Bloomberg also noted that contra
