=Paper= {{Paper |id=Vol-1225/short3 |storemode=property |title= Increased Information Leakage from Text |pdfUrl=https://ceur-ws.org/Vol-1225/pir2014_submission_15.pdf |volume=Vol-1225 |dblpUrl=https://dblp.org/rec/conf/sigir/ZhangYS14 }} == Increased Information Leakage from Text== https://ceur-ws.org/Vol-1225/pir2014_submission_15.pdf
                      Increased Information Leakage from Text
                                             Sicong Zhang, Hui Yang, Lisa Singh
                                                 Department of Computer Science
                                                     Georgetown University
                                          37th and O Street, NW, Washington, DC, 20057
                         sz303@georgetown.edu, {huiyang,singh}@cs.georgetown.edu
ABSTRACT                                                                 and quantify the level of leakage that exists for a large number of
The enormous data sharing and data availability on the Internet pro-     individuals across the OSNs. Existing research uses a number of
vides opportunities for new services tailored to extract, search, ag-    different attributes to map individuals from one site to another, in-
gregate, and mine data in meaningful ways, At the same time, it          cluding account names, geo-location, post timestamp, social net-
poses challenges with regards to data privacy. This paper offers in-     work connections, and structured demographic attributes to names
sight into this problem, focusing on current relevant research and       a few. This form of record-linkage can be viewed as a search prob-
potential areas of synergy between the information retrieval com-        lem. Further, to date, studies are not incorporating knowledge from
munity and the privacy community. We then analyze example pub-           text in these analyses. Determining how to integrate textual knowl-
licly shared data and discuss the types of data that can be extracted,   edge into this process is another opportunity for researchers in the
the methods used for extracting them, and the implications for in-       IR community.
dividuals who share personal information.                                   Re-identification: Many companies and government agencies
                                                                         are either required by law or wish to release anonymized versions
                                                                         of their data. Unfortunately, given the amount of public data avail-
1.    MOTIVATION                                                         able, sometimes it is possible to un-anonymize the anonymized
   We are living in an era of enormous data sharing and data avail-      data. The goal of re-identification is to match or link anonymized
ability on the Internet. This data pervasiveness has resulted in the     personal data to publicly available data in order to determine sen-
emergence of services tailored to extract, search, aggregate, and        sitive data values of users in the anonymized data. In this threat
mine data in meaningful ways. On the one hand, this is a boon for        model, the adversary has access to an anonymized data set and
information retrieval researchers. The flow of large volumes of tex-     one or more public data sources containing a large sample of user
tual data offers the perfect playground for developing new search        data. The anonymized data usually contains sensitive data fields
and retrieval algorithms. On the other hand, the sharing of large        that if matched to an individual, would result in a significant privacy
amounts of data, some of which are sensitive, presents challenges        breach. The public data source generally contains benign data, i.e.
with regards to data privacy. First, because of privacy laws, these      fields that are not considered sensitive. Researchers have success-
data are not always available to researchers. Second, even if the        fully shown that re-identification is possible with voting records,
data are readily available, what are the ethics of using data without    with data from OSNs, and with released medical data [1, 4, 6].
explicit consent from the data owner? We understand the need for            Data Publishing: When sensitive data needs to be released or
consent for private data, but what about public data? While legal, is    published, companies must consider different approaches for main-
it ethical? It is unclear about how the public feels about the sharing   taining confidentiality. Standard approaches include anonymiza-
of their search results and it is even more unclear what researchers     tion, adding noise to the data, binning data, and suppressing parts of
should do to mitigate potential concerns. What techniques exist to       the data. While many approaches have been proposed for relational
efficiently and effectively anonymize the data so that researchers       data [8] and graph data [10], very few studies have investigated
can still work on traditional information retrieval tasks using per-     ways to anonymize textual data. The lack of research in this area is
sonalized information? This dilemma leads us to the main question        not surprising since text data has been readily available for years.
discussed in this paper. How do we protect the privacy of individu-      Only in the last five to ten years have companies begun limiting
als while accessing and gathering this data to improve information       access to their weblogs, search data, etc. These limitations, while
retrieval algorithms and methods?                                        understandable, limit the progress of research by limiting access
                                                                         to large, corporate data sets. Therefore, developing anonymization
2.    PRIVACY RESEARCH AND DIRECTIONS                                    strategies that are optimized for text corpora is an important area of
   There are a number of privacy models that have been proposed          research.
in the literature and are relevant to our community. Here we present        Differential Privacy: Government agencies like the Census Bu-
some of the most relevant.                                               reau maintain statistical databases that by law need to be accessible
   Leakage Across Social Network Sites: Understanding the data           to the public. In the case of the Census Bureau, their databases con-
that users are willing to share and the level of sensitivity associ-     tain survey data results. These results need to be shared with the
ated with it is a growing area of research. More specifically, a         public without violating the privacy of the individuals who took the
number of researchers are investigating how easy it is to link an        survey. While the Census Bureau uses many different techniques to
individual across online social networks (OSNs) [3, 7]. In this          maintain the privacy of individuals, many companies are develop-
problem, a user has accounts on multiple social networks. An ad-         ing techniques that follow the principles of differential privacy [2],
versary generally begins with a particular user’s account informa-       a protocol that when used can provide the user with a clear proba-
tion on one social network, i.e. the user’s account id. The ad-          bility of leakage when a single user is added or removed from the
versary then uses public data available on different OSNs to map         data set. Specifically, the protocol states that if an individual in the
profiles on these OSNs, exploiting the user’s privacy with the ad-       data set changes his/her data value ai to any other allowable value
ditional knowledge gained. The research objective is to determine        aj , then the difference between the privacy functions is smaller than
a parameter . The strength of this approach is the provable privacy            of Science in “public relations". These relations extracted by the
guarantees that many ad hoc methods lack. Examples and algo-                    aspect-specific patterns can then be put into a relational database.
rithms related to using differential privacy for sparse textual data            Available techniques on data re-identification can be applied to find
sets is lacking and would be an important direction of research.                out the potential information leakage in the text.

3.    INFORMATION LEAKAGE IN TEXT                                               4.    FUTURE INFORMATION RETRIEVAL RE-
   As a proof of concept, for the types of information that can be                    SEARCH DIRECTIONS
extracted using natural language processing (NLP) methods, we                      Given the volume of blogs, tweets, and other textual personal
analyze a single LinkedIn profile. Before analyzing text fields, we             data shared by users, it is time for our community to consider how
mention that we can obtain up to 18 different types of data from                data privacy will affect our field. We need to develop protocols for
each user including first name, last name, occupation, picture, ed-             useful anonymized data sets that are non-invasive in terms of indi-
ucation, location, skill, and company. These fields can be fairly               vidual privacy. We need to understand what types of data can be
unique if a single user shares all of them. Even more important                 learned by adversaries using textual data and better understand the
is that once text analysis is conducted on the summary that many                sensitivity of learning these data. This is a time for the IR commu-
LinkedIn users provide, the amount of additional information that               nity to get involved in privacy research.
can be learned about the user can really increase. As an example,
let us consider the following LinkedIn summary. Note that identi-               5.    ACKNOWLEDGMENT
fying attributes of this text passage have been replaced with dummy
values to maintain privacy.                                                        This research was supported by NSF grant CNS-1223825. Any
                                                                                opinions, findings, conclusions, or recommendations expressed in
    ... at A Company, i support our clients by developing marketing and         this paper are of the authors, and do not necessarily reflect those of
media plans, implementing social media campaigns, overseeing inbound            the sponsor.
marketing initiatives, and crafting the perfect pitches and press releases to
secure news coverage. before joining the agency, i was involved in pub-
lic relations, promotions and event planning for health care, government        References
and education organizations. i assisted in planning and promoting fund
raising events for a regional hospital foundation, and developed communi-        [1] L. Backstrom, C. Dwork, and J. Kleinberg. Wherefore Art
cation materials for various hospital programs. while in graduate school, i          Thou r3579x?: Anonymized Social Networks, Hidden Pat-
conducted research for B university on topics including nonprofits and cri-          terns, and Structural Steganography. In ACM World Wide Web
sis communication, public relations theory, and social media usage among             Conference (WWW), 2007.
nonprofits. i earned a ba in communication studies with a concentration
in journalism from the C university, and a ms in public relations from D         [2] C. Dwork. Differential privacy. Lecture Notes in Computer
university. i wrote my masters thesis on corporate health diplomacy, where           Science, 4052:1–12, 2006.
i reviewed the corporate social responsibility and business development ef-
forts of pharmaceutical companies examined by international public rela-         [3] O. Goga, H. Lei, S. H. K. Parthasarathi, G. Friedland, R. Som-
tions literature ...                                                                 mer, and R. Teixeira. Exploiting innocuous activity for corre-
   For this user produced introduction paragraph in LinkedIn, some                   lating users across sites. In ACM International Conference on
sensitive information can be extracted by the following procedure.                   World Wide Web (WWW), 2013.
First, we can apply part-of-speech tagging, shallow parsing, and                 [4] R. Gross and A. Acquisti. Information revelation and privacy
named entity tagging on the paragraph. We obtain a list of noun                      in online social networks. In ACM Workshop on Privacy in
phrases, such as “marketing and media plans", “social media cam-                     the Electronic Society (WPES), 2005.
paigns", and “public relations". We also obtain a list of named
entities, such as “A company", “C university", and “D university".               [5] D. Guan and H. Yang. Increasing stability of result organiza-
Next, we compare the members in the noun phrase list as well as                      tion for session search. In ECIR, pages 471–482, 2013.
the members in the named entity list with a general ontology main-
                                                                                 [6] A. Narayanan and V. Shmatikov. De-anonymizing social net-
tained by us. The ontology keeps a dictionary of terms that indi-
                                                                                     works. In IEEE Symposium on Security and Privacy, 2009.
cates various important aspects for a person. For instance, terms
that indicate a person’s professional degree could be “ba", “ma",                [7] A. Ramachandran, L. Singh, E. Porter, and F. Nagle. Explor-
“phd", “mba", etc. Terms that indicate a person’s profession could                   ing Re-identification Risks in Public Domains. In IEEE In-
be “sde", “accountant", ‘cpa", etc. The ontology is created by ex-                   ternational Conference on Privacy, Security and Trust (PST),
tracting terms and relations from Wikipedia hierarchies via an au-                   2012.
tomatic approach [5]. Each major aspect of a person will have its
own list of key terms. These aspects include profession, location,               [8] P. Samarati and L. Sweeney. Protecting privacy when disclos-
home address, gender, birthday, hobby, etc.                                          ing information: k-anonymity and its enforcement through
   Then, if a free text paragraph contains many terms from the key-                  generalization and suppression. In Proceedings of the IEEE
word term list for a certain aspect, we will determine whether the                   Symposium on Research in Security and Privacy, 1998.
paragraph should be classified into one or more aspects. The cat-                [9] Y. Yang. An evaluation of statistical approaches to text
egory of the paragraph can thus be detected by text classification                   categorization. Inf. Retr., 1(1-2):69–90, May 1999. ISSN
techniques [9]. The name of the resulting category can then be                       1386-4564. doi: 10.1023/A:1009982220290. URL http:
used to trigger the corresponding set of lexico-syntactic patterns.                  //dx.doi.org/10.1023/A:1009982220290.
The purpose is to extract detailed information for a category. For
instance, using the pattern “ms in NP from NE_university", we can               [10] B. Zhou, J. Pei, , and W. Luk. A brief survey on anonymiza-
obtain the Master of Science degree of a person in a university, if                  tion techniques for privacy preserving publishing of social
we keep NP in this example as a place holder. We can also obtain                     network data. ACM SIGKDD Explorations Newsletter, 10(2),
the name of the university where a person went to study Master                       December 2008.