Decentralising Data Collection and Anonymisation

A frequent approach for anonymising datasets is for individuals to submit sensitive data records to a central authority. The central authority then is responsible for safely storing and sharing the data, for example by aggregating or perturbing records. However, this approach introduces the risk that the central authority may be compromised, whether this from an externally originated hacking attempt or as a result of an insider attack. As a result, central authorities responsible for handling sensitive data records must be well protected, often at great expense, and even then the risk of compromise will not be eliminated.

In this talk I will discuss an alternative anonymisation approach, where sensitive data records have identifiable information removed before being submitted to the central authority. In order for this approach to work, not only must this first-stage anonymisation prevent the data from disclosing the identity of the submitter, but also the data records must be submitted in such a way as to prevent the central authority from being able to establish the identity of the submitter from submission metadata. I will show how advances in network metadata anonymisation can be applied to facilitate this approach, including techniques to preserve validity of data despite not knowing the identity of contributors.