Addressing Beacon re-identification attacks: quantification and mitigation of privacy risks

Raisaro, Jean Louis; Tramèr, Florian; Ji, Zhanglong; Bu, Diyue; Zhao, Yongan; Carey, Knox; Lloyd, David; Sofia, Heidi J.; Baker, Dixie B.; Flicek, Paul; Shringarpure, Suyash; Bustamante, Carlos D.; Wang, Shuang; Jiang, Xiaoqian; Ohno-Machado, Lucila; Tang, Haixu; Wang, Xiaofeng; Hubaux, Jean-Pierre

doi:10.1093/jamia/ocw167

Cited by 75 publications

(130 citation statements)

References 17 publications

Supporting

Mentioning

126

Contrasting

Order By: Relevance

“…In our previous work, 35 three different mitigation models were proposed: (S1) Beacon alteration strategy; (S2) Random flipping strategy; and (S3) query budget per individual strategy. However, we only include the results of the S2 models as our baseline performance for the 0.2 and 0.18 flip probabilities.…”

Section: Track 1: Practical Protection Of Gds Through Beacon Servicesmentioning

confidence: 99%

“…S3 was not chosen as a baseline in Track 2 because we assumed the beacon service does not keep track of the queries per individual. The performance of our baseline 35 and performance of the top two teams, the first from Vanderbilt University 36 and the second from the University of Manitoba, 37 are depicted in the Fig. 1.…”

Section: Track 1: Practical Protection Of Gds Through Beacon Servicesmentioning

confidence: 99%

See 1 more Smart Citation

A Community Effort to Protect Genomic Data Sharing, Collaboration and Outsourcing

et al. 2017

Self Cite

View full text Add to dashboard Cite

The human genome can reveal sensitive information and is potentially re-identifiable, which raises privacy and security concerns about sharing such data on wide scales. In 2016, we organized the third Critical Assessment of Data Privacy and Protection competition as a community effort to bring together biomedical informaticists, computer privacy and security researchers, and scholars in ethical, legal, and social implications (ELSI) to assess the latest advances on privacy-preserving techniques for protecting human genomic data. Teams were asked to develop novel protection methods for emerging genome privacy challenges in three scenarios: Track (1) data sharing through the Beacon service of the Global Alliance for Genomics and Health. Track (2) collaborative discovery of similar genomes between two institutions; and Track (3) data outsourcing to public cloud services. The latter two tracks represent continuing themes from our 2015 competition, while the former was new and a response to a recently established vulnerability. The winning strategy for Track 1 mitigated the privacy risk by hiding approximately 11% of the variation in the database while permitting around 160,000 queries, a significant improvement over the baseline. The winning strategies in Tracks 2 and 3 showed significant progress over the previous competition by achieving multiple orders of magnitude performance improvement in terms of computational runtime and memory requirements. The outcomes suggest that applying highly optimized privacy-preserving and secure computation techniques to safeguard genomic data sharing and analysis is useful. However, the results also indicate that further efforts are needed to refine these techniques into practical solutions.

show abstract

Section: Track 1: Practical Protection Of Gds Through Beacon Servicesmentioning

confidence: 99%

Section: Track 1: Practical Protection Of Gds Through Beacon Servicesmentioning

confidence: 99%

A Community Effort to Protect Genomic Data Sharing, Collaboration and Outsourcing

et al. 2017

Self Cite

View full text Add to dashboard Cite

show abstract

“…Yet despite the limited scope of allowed queries and the fact that only aggregate-level information is shared, query-answering systems can still leak sensitive information about the underlying individuals [8][9][10][11]. One could, for example, ask for the number of 25-year-old females on a certain medication who do not have a particular disease.…”

Section: Introductionmentioning

confidence: 99%

“…If the answer returned is zero, we know that any 25-year-old female patient in the database who is on that medication has that disease, a fact the patients might wish to keep private. Moreover, given access to an individual's genotype, a small number of queries to a beacon server would be sufficient to reveal whether the individual is included in the database [10,11]. This information could potentially be detrimental to the individual if the underlying cohort represents a group of individuals with sensitive characteristics (e.g.…”

Section: Introductionmentioning

confidence: 99%

Privacy-preserving biomedical database queries with optimal privacy-utility trade-offs

Cho

Simmons

Kim

et al. 2020

Preprint

View full text Add to dashboard Cite

AbstractSharing data across research groups is an essential driver of biomedical research. In particular, biomedical databases with interactive query-answering systems allow users to retrieve information from the database using restricted types of queries (e.g. number of subjects satisfying certain criteria). While these systems aim to facilitate the sharing of aggregate biomedical insights without divulging sensitive individual-level data, they can still leak private information about the individuals in the database through the query answers. Existing strategies to mitigate such risks either provide insufficient levels of privacy or greatly diminish the usefulness of the database. Here, we draw upon recent advances in differential privacy to introduce privacy-preserving query-answering mechanisms for biomedical databases that provably maximize the expected utility of the system while achieving formal privacy guarantees. We demonstrate the accuracy improvement of our methods over existing approaches for a range of use cases, including count, membership, and association queries. Notably, our new theoretical results extend the proof of optimality of the underlying mechanism, previously known only for count queries with symmetric utility functions, to asymmetric utility functions needed for count queries in cohort discovery workflows as well as membership queries—a core functionality of the Beacon Project recently launched by the Global Alliance for Genomics and Health (GA4GH). Our work presents a path towards biomedical query-answering systems that achieve the best privacy-utility trade-offs permitted by the theory of differential privacy.

show abstract

“…For instance, such attacks have already been developed for summary statistics about the frequency of single nucleotide polymorphisms (SNPs) [2,5,15]. Membership inference attacks have also been developed for the case where a person is allowed to repeatedly query a database to learn if at least one individual contains a particular SNP [13,14,16]. These kinds of aggregate statistics about the frequency or presence/absence of a particular SNP might be useful to release to the broader research community, but it is not an essential output of the research process.…”

Section: Introductionmentioning

confidence: 99%

Reconstructing Genotypes in Private Genomic Databases from Genetic Risk Scores

Paige

Bell

Bellet

et al. 2020

Preprint

View full text Add to dashboard Cite

Some organisations like 23andMe and the UK Biobank have large genomic databases that they re-use for multiple different genomewide association studies (GWAS). Even research studies that compile smaller genomic databases often utilise these databases to investigate many related traits. It is common for the study to report a genetic risk score (GRS) model for each trait within the publication. Here we show that under some circumstances, these GRS models can be used to recover the genetic variants of individuals in these genomic databases-a reconstruction attack. In particular, if two GRS models are trained using a largely overlapping set of participants, then it is often possible to determine the genotype for each of the individuals who were used to train one GRS model, but not the other. We demonstrate this theoretically and experimentally by analysing the Cornell Dog Genome database. The accuracy of our reconstruction attack depends on how accurately we can estimate the rate of co-occurrence of pairs of SNPs within the private database, so if this aggregate information is ever released, it would drastically reduce the security of a private genomic database. Caution should be applied when using the same database for multiple analysis, especially when a small number of individuals are included or excluded from one part of the study.

show abstract

Addressing Beacon re-identification attacks: quantification and mitigation of privacy risks

Cited by 75 publications

References 17 publications

A Community Effort to Protect Genomic Data Sharing, Collaboration and Outsourcing

A Community Effort to Protect Genomic Data Sharing, Collaboration and Outsourcing

Privacy-preserving biomedical database queries with optimal privacy-utility trade-offs

Reconstructing Genotypes in Private Genomic Databases from Genetic Risk Scores

Contact Info

Product

Resources

About