Pascal Berrang

A comparative analysis of decentralized power grid stabilization strategies

This paper reports on formal behavioral models of power grids with a substantial share of photovoltaic microgeneration. Simulation studies show that the current legislatory framework in Germany can induce frequency oscillations. This phenomenon is indeed recognized by the German Federal Network Agency responsible for overseeing the national power grids, and new regulations are currently being identified to counter this phenomenon. We study the currently valid proposal, and compare it with a set of alternative approaches that take up and combine ideas from communication protocol design, such as additive-increase/multiplicative-decrease known from TCP, and exponential backoff used in CSMA variations. We classify these alternatives with respect to their availability and goodput. The models are specified in the modeling language Modest, and simulated with the help of the modes simulator.

Membership Privacy in MicroRNA-based Studies

The continuous decrease in cost of molecular profiling tests is revolutionizing medical research and practice, but it also raises new privacy concerns. One of the first attacks against privacy of biological data, proposed by Homer et al. in 2008, showed that, by knowing parts of the genome of a given individual and summary statistics of a genome-based study, it is possible to detect if this individual participated in the study. Since then, a lot of work has been carried out to further study the theoretical limits and to counter the genome-based membership inference attack. However, genomic data are by no means the only or the most influential biological data threatening personal privacy. For instance, whereas the genome informs us about the risk of developing some diseases in the future, epigenetic biomarkers, such as microRNAs, are directly and deterministically affected by our health condition including most common severe diseases. In this paper, we show that the membership inference attack also threatens the privacy of individuals contributing their microRNA expressions to scientific studies. Our results on real and public microRNA expression data demonstrate that disease-specific datasets are especially prone to membership detection, offering a true-positive rate of up to 77% at a false-negative rate of less than 1%. We present two attacks: one relying on the L_1 distance and the other based on the likelihood-ratio test. We show that the likelihood-ratio test provides the highest adversarial success and we derive a theoretical limit on this success. In order to mitigate the membership inference, we propose and evaluate both a differentially private mechanism and a hiding mechanism. We also consider two types of adversarial prior knowledge for the differentially private mechanism and show that, for relatively large datasets, this mechanism can protect the privacy of participants in miRNA-based studies against strong adversaries without degrading the data utility too much. Based on our findings and given the current number of miRNAs, we recommend to only release summary statistics of datasets containing at least a couple of hundred individuals.

On Profile Linkability despite Anonymity in Social Media Systems

A number of works have recently shown that the privacy offered by pseudonymous identities on social media systems like Twitter or Reddit is threatened by cross-site identity linking attacks. Such attacks link the identities of the same user across websites. Therefore, assessing linkability, i.e., the risk that identities are linked across different websites, remains an important open problem. In this work, we analyze whether anonymity within a single social media site can protect a user from being linked across sites. To this end, we first introduce a relative linkability measure ranking identities within a social media site by their anonymity. We show that anonymity alone is not sufficient to assess linkability risks, by evaluating this measure on a data set comprising 15 million comments gathered from the Reddit social media system. Second, we mitigate this insufficiency and present our absolute linkability measure, which in addition utilizes information about matching identities. Then, we confirm the validity of this measure on our data set. The measure is able to accurately assess the linkability risk in almost 75% of the cases and, more importantly, is shown to never underestimate the linkability risk.

Identifying Personal DNA Methylation Profiles by Genotype Inference

Since the first whole-genome sequencing, the biomedical research community has made significant steps towards a more precise, predictive and personalized medicine. Genomic data is nowadays widely considered privacy-sensitive and consequently protected by strict regulations and released only after careful consideration. Various additional types of biomedical data, however, are not shielded by any dedicated legal means and consequently disseminated much less thoughtfully. This in particular holds true for DNA methylation data as one of the most important and well-understood epigenetic element influencing human health. In this paper, we show that, in contrast to the aforementioned belief, releasing ones DNA methylation data causes privacy issues akin to releasing ones actual genome. We show that already a small subset of methylation regions influenced by genomic variants are sufficient to infer parts of someones genome, and to further map this DNA methylation profile to the corresponding genome. Notably, we show that such re-identification is possible with 97.5% accuracy, relying on a dataset of more than 2500 genomes, and that we can reject all wrongly matched genomes using an appropriate statistical test. We provide means for countering this threat by proposing a novel cryptographic scheme for privately classifying tumors that enables a privacy-respecting medical diagnosis in a common clinical setting. The scheme relies on a combination of random forests and homomorphic encryption, and it is proven secure in the honest-but-curious model. We evaluate this scheme on real DNA methylation data, and show that we can keep the computational overhead to acceptable values for our application scenario.

Anonymisierungsverfahren für genetische Daten

ZusammenfassungPrivacy-Enhancing Technologies (PETs) wie Differential Privacy und anderen Anonymisierungsverfahren kommen im Hinblick auf hochsensible Gesundheitsdaten besondere Bedeutung zu. Der vorliegende Beitrag zeigt neue Datenschutzrisiken bei epigenetischen Daten auf, entwickelt und analysiert geeignete Gegenmaßnahmen durch PETs und diskutiert die rechtliche Bewertung von deren Einsatz in der medizinischen Forschung.

From Zoos to Safaris--From Closed-World Enforcement to Open-World Assessment of Privacy

In this paper, we develop a user-centric privacy framework for quantitatively assessing the exposure of personal information in open settings. Our formalization addresses key-challenges posed by such open settings, such as the unstructured dissemination of heterogeneous information and the necessity of user- and context-dependent privacy requirements. We propose a new definition of information sensitivity derived from our formalization of privacy requirements, and, as a sanity check, show that hard non-disclosure guarantees are impossible to achieve in open settings. After that, we provide an instantiation of our framework to address the identity disclosure problem, leading to the novel notion of d-convergence. d-convergence is based on indistinguishability of entities and it bounds the likelihood with which an adversary successfully links two profiles of the same user across online communities. Finally, we provide a large-scale evaluation of our framework on a collection of 15 million comments collected from the Online Social Network Reddit. Our evaluation validates the notion of d-convergence for assessing the linkability of entities in our data set and provides deeper insights into the data sets structure.