The more data we generate about a target population, the harder it is to protect the privacy of the individuals surveyed. Sensitive information can usually be inferred when we hold multiple data points or collection procedures for the same individual. For example, Greveler et al. showed how electricity smart meter readings can be used to identify the TV shows and movies being watched in a target household. Coull et al. designed a method for identifying the webpages viewed by users from metadata about network flows, even when server IP addresses are replaced with pseudonyms. Goljan and Fridrich showed how cameras can be identified from noise in the images they produce.
All these shortcomings of privacy protections, detailed in "Designing Statistical Privacy for Your Data" (Communications of the ACM, March 2015), can only worry privacy advocates. The authors propose, however, a possible approach to the problem: a privacy definition should satisfy Kerckhoffs's principle (the mechanism is public, only the randomness is secret), self-composition (releasing several outputs still gives a bounded, computable privacy loss), convexity, and closure under post-processing (any computation on a released output, done without touching the raw data, cannot weaken the guarantee). An example framework, Blowfish, is proposed.
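To make two of those design properties concrete, here is an added example that is not from the page or from the article's authors. It uses the Laplace mechanism, a standard mechanism for differential-privacy-style definitions, as my own choice of a concrete instance; the two "neighbouring" datasets, the counting query and the bucket edges are constructed for the demonstration. It checks numerically that (1) for neighbouring inputs the output densities differ by at most a factor of exp(epsilon), (2) that bound survives a post-processing step (bucketing the noisy count) that never looks at the raw data, and (3) the privacy loss of several releases composes additively.

```python
import math
import random

# Constructed example data (not from the article): two datasets that differ in
# exactly one individual's record, so a counting query changes by at most 1.
DATASET_A = [1, 0, 1, 1, 0, 1, 1]
DATASET_B = [1, 0, 1, 1, 0, 1, 0]
COUNT_SENSITIVITY = 1.0          # max change of sum() between neighbours


def laplace_density(y, mu, b):
    """Density of Laplace(mu, scale b) at y."""
    return math.exp(-abs(y - mu) / b) / (2 * b)


def laplace_cdf(y, mu, b):
    """CDF of Laplace(mu, scale b); handles +/-inf so buckets can be open-ended."""
    if y < mu:
        return 0.5 * math.exp((y - mu) / b)
    return 1.0 - 0.5 * math.exp(-(y - mu) / b)


def laplace_mechanism(true_value, sensitivity, epsilon, rng):
    """Release true_value + Laplace(0, sensitivity/epsilon) noise.

    Kerckhoffs's principle: everything here is public; only rng's draws are secret.
    """
    b = sensitivity / epsilon
    u = rng.random() - 0.5                     # uniform on (-0.5, 0.5)
    noise = -b * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))
    return true_value + noise


def max_density_ratio(value_a, value_b, sensitivity, epsilon, lo=-10.0, hi=20.0, step=0.01):
    """Largest ratio p(y | value_a) / p(y | value_b) over a grid of outputs y.

    For neighbouring inputs (|value_a - value_b| <= sensitivity) this must be
    at most exp(epsilon); that is the privacy guarantee itself.
    """
    b = sensitivity / epsilon
    worst = 0.0
    steps = int(round((hi - lo) / step))
    for i in range(steps + 1):
        y = lo + i * step
        worst = max(worst, laplace_density(y, value_a, b) / laplace_density(y, value_b, b))
    return worst


def bucket_probabilities(true_value, sensitivity, epsilon, edges):
    """Post-processing: the noisy output is mapped into buckets defined by `edges`.

    The bucketing uses only the released value, never the raw data, so the
    probability of landing in any bucket is still bounded by the same exp(epsilon).
    """
    b = sensitivity / epsilon
    bounds = [float("-inf")] + list(edges) + [float("inf")]
    return [laplace_cdf(bounds[i + 1], true_value, b) - laplace_cdf(bounds[i], true_value, b)
            for i in range(len(bounds) - 1)]


def max_bucket_ratio(value_a, value_b, sensitivity, epsilon, edges):
    """Worst-case ratio of bucket probabilities between the two neighbours."""
    pa = bucket_probabilities(value_a, sensitivity, epsilon, edges)
    pb = bucket_probabilities(value_b, sensitivity, epsilon, edges)
    return max(x / y for x, y in zip(pa, pb))


def composed_epsilon(epsilons):
    """Self-composition: k releases with budgets e_1..e_k cost at most sum(e_i)."""
    return sum(epsilons)


if __name__ == "__main__":
    eps = 0.5
    a, b = sum(DATASET_A), sum(DATASET_B)          # 5 and 4
    rng = random.Random(7)
    print("noisy count:", laplace_mechanism(a, COUNT_SENSITIVITY, eps, rng))
    print("density ratio bound:", max_density_ratio(a, b, COUNT_SENSITIVITY, eps), "<= exp(eps) =", math.exp(eps))
    print("post-processed ratio:", max_bucket_ratio(a, b, COUNT_SENSITIVITY, eps, [0, 2, 4, 6, 8, 10]))
    print("three releases at 0.5, 0.5, 0.25 cost epsilon =", composed_epsilon([0.5, 0.5, 0.25]))
```

The density-ratio check is the raw guarantee; the bucket check is the same bound evaluated after a post-processing step, which is exactly what closure under post-processing promises: an analyst (or attacker) cannot recover extra privacy loss by transforming a released value. The composition function is deliberately simple; it is the bound a system should track as a budget across repeated queries on the same population.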