
More robust testing needed for privacy-preserving tools, experts show

by Gemma Ralton

Steve Jobs with a digital mask

Experts show current mechanisms of hiding patient information are inadequate, highlighting a need for more thorough testing of privacy systems.

In a new short paper published in Nature Medicine, Matthieu Meeus, Shubham Jain and Dr Yves-Alexandre de Montjoye from the Computational Privacy Group analysed the use of digital masks to safeguard patient privacy in medical research.

The team showed that current methods of digital masking leave patients vulnerable to re-identification.

By replicating the setup used by the original authors, they showed the risk of re-identification was at least 100 times higher than initially reported and that patients are re-identifiable 52.1% of the time.

According to First Author Matthieu Meeus: “This work highlights the importance of thorough evaluation when it comes to ensuring privacy.”

“While sharing data for medical diagnosis is highly important, it should not come at the expense of patient privacy and therefore any anonymization methods need to be extensively and, if possible, adversarially tested to ensure privacy is preserved before the method is deployed and data is shared.”

What is a digital mask?

A digital mask is a method proposed to protect patient privacy in medical research. The idea behind it involves applying a mask to a patient's face in a video to allow a doctor to make a diagnosis whilst withholding the patient's identity.

In theory, the mask retains information relevant for medical diagnosis while withholding any identifiable features, making the data anonymous.

In the evaluation setup used by the original authors, the method is shown to evade AI-powered facial recognition systems, which underpins the claim that it preserves privacy. However, according to the research team, these claims do not hold true.

The setup used by the original authors assumes that an attacker attempting to re-identify a patient will try and match a mask to a database of original faces using a readily available facial recognition algorithm.

However, the research team demonstrated that an attacker can re-identify a patient by making a simple change to the setup: masking the face before matching it to the "anonymous" database, which makes re-identification possible.
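The gap between the two evaluation setups can be seen in a small simulation. This is an added example, not code from the paper or its authors: faces are constructed random feature vectors, `mask` is a hypothetical stand-in for the digital mask, and the rates it prints come from this toy data, not from the study.

```python
import random

DIM, KEEP, PEOPLE, NOISE = 16, 8, 50, 0.1  # constructed toy parameters

def capture(identity, rng):
    """One noisy recording of a person (e.g. a new video of the same face)."""
    return [v + rng.gauss(0, NOISE) for v in identity]

def mask(face):
    """Toy 'digital mask' (assumption): keeps KEEP diagnostic features,
    re-renders them in a different layout, drops the appearance features."""
    return [-v for v in reversed(face[:KEEP])] + [0.0] * (DIM - KEEP)

def nearest(probe, gallery):
    """Index of the gallery entry closest to probe (squared Euclidean)."""
    return min(range(len(gallery)),
               key=lambda j: sum((a - b) ** 2 for a, b in zip(probe, gallery[j])))

def reidentification_rates(seed=0):
    """Return (naive_rate, adaptive_rate) for the same released data set."""
    rng = random.Random(seed)
    people = [[rng.gauss(0, 1) for _ in range(DIM)] for _ in range(PEOPLE)]
    gallery = [capture(p, rng) for p in people]          # known, unmasked faces
    released = [mask(capture(p, rng)) for p in people]   # the "anonymous" data
    # Original evaluation: match each released mask against unmasked faces.
    naive = sum(nearest(m, gallery) == i for i, m in enumerate(released))
    # Adaptive evaluation: mask the known faces first, then match like with like.
    masked_gallery = [mask(g) for g in gallery]
    adaptive = sum(nearest(m, masked_gallery) == i for i, m in enumerate(released))
    return naive / PEOPLE, adaptive / PEOPLE

if __name__ == "__main__":
    naive, adaptive = reidentification_rates()
    print(f"naive evaluation:    {naive:.0%} re-identified")
    print(f"adaptive evaluation: {adaptive:.0%} re-identified")
```

A privacy test that only runs the first measurement reports the mask as safe; the second measurement, on the same released data, is the one that reflects an attacker who has access to the masking tool.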

Ensuring privacy-preserving claims are robust

As digital technologies become increasingly embedded throughout society in the coming years, more and more new methods of preserving privacy are likely to be proposed.

The evaluation of these methods to ensure their privacy-preserving claims hold true is a crucial step in their development. According to Senior Author Dr Yves-Alexandre de Montjoye, this can be achieved through proper adversarial testing.

Some large companies are already doing this, building privacy ‘red teams’ to test the privacy of their systems. Similar to their security counterparts, these red teams are a group of ethical engineers employed by a company to attack the system to extract information about the data it is meant to protect in order to understand whether the system is solid or not. 

The Computational Privacy Group are also researching how AI can help red teams automatically discover vulnerabilities in their systems. Find out more in this News Story.

 


 

‘ by Meeus, Jain and de Montjoye, published in Nature Medicine on 18 July 2023.

Photo by Matthew Yohe, edited by Meeus et al.


Reporter

Gemma Ralton

Faculty of Engineering