Catuscia Palamidessi: "Improving the security of personal data without destroying their utility"

Changed on 03/01/2020
Catuscia Palamidessi, head of the COMETE team at the Inria Saclay - Île-de-France research center, has been awarded an ERC (European Research Council ) Advanced Grant at the end of March for her "HYPATIA - Privacy and Utility Allied" project. Her goal: to optimize the security and usefulness of personal digital data.

What is the goal of your “Hypatia” project and why this name?

Portrait de Catuscia Palamidessi
© Inria / Photo S. Erôme - Signatures

Hypatia of Alexandria (c. 370 CE - March 415 CE) was a female philosopher, astronomer and mathematician, who was killed by a mob of religious zealots. Through the centuries she has become the symbol of the ideal of science against intolerance and obscurantism. She’s been my inspiration for many years so it’s kind of an homage.

As you know, Big Data are very valuable for industry, research and society in general. But these data are often originated from people and it is essential to make sure that the sensitive information about these people is protected. If we collect several location traces generated by an individual, for example, it is possible to infer from them where this individual lives and works, what are his hobbies, what kind of illness he may have, etc.  All these informations could led to actions that harm people, which is why privacy should be protected.

One of the very important issue in privacy is to protect the data without destroying their utility . All methods for privacy protection involve a loss of information, and consequently the data can become less useful for the intended purpose. There are actually two main kinds of utility: the “quality of service” and the “statistical precision” . These are interconnected, because usually a user releases his data in exchange of some service (for instance, his location in exchange of a list of points of interest), while the entity that provides the service does it in exchange of the users’ data, whose legitimate use is typically the extraction of statistical information. There’s a lot of research trying to optimize either the trade-off between QoS and privacy, or between the statistical utility and privacy. But the main idea of Hypatia is to optimize the trade-off between these three goals simultaneously, which is of course very difficult. This tree-way optimization was never attempted before, and it is probably the reason why the project has been selected for an ERC grant.

How do you intend to tackle this challenge?

It is well known that data anonymization, by removing the name and other identifiers (age, gender, postal code…) from the data, is not enough to guarantee privacy. This has been proved by several attacks, for instance in 2006 when the internet provider AOL released detailed search logs, two journalists showed that they could re-identify the anonymous customers. Researchers have proposed then different approaches, and the most successful one is differential privacy . It’s a probabilistic method for statistical databases, based on adding controlled noise to the result of a query, in such a way that it is difficult for a potential attacker to retrieve the value of individual records.

Recently a variant called “local differential privacy” (LPD) emerged. The principle is the same, add noise to the true value, but in LPD it is done directly on the individual record at the user side. The advantage is that, in contrast to differential privacy, it does not rely on a trusted third party (the entity that collects and store the true data, and applies the noise).

Local differential privacy has now become very popular in big companies and is at the core of my proposal. What I’m planning to do is to combine it with new techniques that have been developed in the field of machine learning. One of the methods I want to use is based on the so-called Generative Adversarial Networks (GANs). It consists of two machines fighting against each other: one generates the noise, while taking into account the utility constraint, and the other simulates an attack and tries to de-obfuscate the data. They interact with each other until they reach an equilibrium point which should represents the best possible obfuscation mechanism (respecting the utility constraint) for the best possible adversary.

What does this grant represents for you?

It’s of course a personal satisfaction to see that my research is recognized and appreciated by other people. But it also represents a lot of freedom in the sense that I’ve been for a long time wishing to hire research engineers to develop tools based on my theories. It’s essential to have a good interface that make them suitable and intuitive not only for researchers but also for companies and non-researchers.

In my field, ERC grant is mainly salary money. The 2,2M€ will help recruit about seven people: PhDs, post docs, an assistant researcher, a research engineer… There is also a budget to organize a workshop on the project in a couple of years and invite collaborators and future partners, and disseminate the results, also to industrials that could be interested in them. It is very important for my research to have contacts with industrials because they can provide real field experience and clarify industrial and societal needs.

The European Research Council's advanced grants in 6 questions

• Where do they come from? They are part of the "Scientific Excellence" pillar of the Horizon 2020 European Program for Research and Innovation.
• What is their purpose? To support leading researchers across Europe and empower them to conduct risky exploratory research for five years, outside any established scientific program.
• Who can claim it? Researchers of all nationalities and ages who are recognized as leaders in their field.
• What are the selection criteria? Projects are chosen for their potential to push the boundaries of science and answer some of the most pressing questions in our society. The host organization must be in a European country or program partner.
• How many project are awarded? For this edition, 2,052 research proposals were submitted. Nearly 11% were selected with grants of up to € 2.5 million.
• When to apply ? Applications for the next funding cycle must be submitted between May the 21th and August the 29th 2019.

Catuscia Palamidessi’s research in brief

Catuscia Palamidessi’s is the head of the project team Comete (Concurrency, Mobility and Transactions) which is studying privacy, security, and how information circulates on social network and the risks related to that. At the moment the team consists of  2 permanent members, 2 postdocs, 3 Ph.D. students, 1 research engineer and 3 to 4 interns. Among the team’s lines of research, Palamidessi focuses on privacy protection and security, and especially on information leakage and the protection of sensitive information while preserving utility. Her research has led to the production of different tools like Location Guard, an obfuscation mechanism that takes the form of a browser extension and helps protect your location, by adding controlled noise to the data sent to location-based service providers. This work on location privacy has led to some collaborations with industrials such as Renault and to numerous academic collaborations all over the world.