Eric D. Ragan
ABSTRACT
Effective use of data involving personal or sensitive information often requires different people to have access to personal information, which significantly reduces the personal privacy of those whose data is stored and increases risk of identity theft, data leaks, or social engineering attacks. Our research studies the tradeoffs between privacy and utility of personal information for human decision making. Using a record-linkage scenario, this paper presents a controlled study of how varying degrees of information availability influences the ability to effectively use personal information. We compared the quality of human decision-making using a visual interface that controls the amount of personal information available using visual markup to highlight data discrepancies. With this interface, study participants who viewed only 30% of data content had decision quality similar to those who had full 100% access. The results demonstrate that it is possible to greatly limit the amount of personal information available to human decision makers without negatively affecting utility or human effectiveness. However, the findings also show there is a limit to how much data can be hidden before negatively influencing the quality of judgment in decisions involving person-level data. Despite the reduced accuracy with extreme data hiding, the study demonstrates that with proper interface designs, many correct decisions can be made with even legally de-identified data that is fully masked (74.5% accuracy with fully-masked data compared to 84.1% with full access). Thus, when legal requirements only allow for de-identified data access, use of well-designed interface can significantly improve data utility.
Supplemental Material
- Martha Bailey, Connor Cole, Morgan Henderson, and Catherine Massey. 2017. How Well Do Automated Linking Methods Perform in Historical Samples? Evidence from New Ground Truth. Technical Report.Google Scholar
- Francis P Boscoe, Deborah Schrag, Kun Chen, Patrick J Roohan, and Maria J Schymura. 2011. Building capacity to assess cancer care in the Medicaid population in New York State. Health services research 46, 3 (2011), 805--820.Google Scholar
- Nadia Boukhelifa, Marc-Emmanuel Perrin, Samuel Huron, and James Eagan. 2017. How Data Workers Cope with Uncertainty: A Task Characterisation Study. In Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems. ACM, 3645--3656. Google ScholarDigital Library
- Cathy J Bradley, Charles W Given, Zhehui Luo, Caralee Roberts, Glenn Copeland, and Beth A Virnig. 2007. Medicaid, Medicare, and the Michigan Tumor Registry: a linkage strategy. Medical Decision Making 27, 4 (2007), 352--363.Google ScholarCross Ref
- Janet M Bronstein, Charles T Lomatsch, David Fletcher, Terri Wooten, Tsai Mei Lin, Richard Nugent, and Curtis L Lowery. 2009. Issues and biases in matching medicaid pregnancy episodes to vital records data: the Arkansas experience. Maternal and child health journal 13, 2 (2009), 250--259.Google Scholar
- Kelly Caine and Rima Hanania. 2012. Patients want granular privacy control over health information in electronic medical records. Journal of the American Medical Informatics Association 20, 1 (2012), 7--15.Google ScholarCross Ref
- Kelly E Caine, Marita O'Brien, Sung Park, Wendy A Rogers, Arthur D Fisk, Koert Van Ittersum, Muge Capar, and Leonard J Parsons. 2006. Understanding acceptance of high technology products: 50 years of research. In Proceedings of the Human Factors and Ergonomics Society Annual Meeting, Vol. 50. SAGE Publications Sage CA: Los Angeles, CA, 2148--2152.Google ScholarCross Ref
- Daphne Chang, Erin L Krupka, Eytan Adar, and Alessandro Acquisti. 2016. Engineering Information Disclosure: Norm Shaping Designs. In Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems. ACM, 587--597. Google ScholarDigital Library
- Jia-Kai Chou, Yang Wang, and Kwan-Liu Ma. 2016. Privacy preserving event sequence data visualization using a Sankey diagram-like representation. In SIGGRAPH ASIA Symposium on Visualization. ACM. Google ScholarDigital Library
- Serdar C ¸ iftc ¸i, Pavel Korshunov, Ahmet Oguz Akyuz, and Touradj Ebrahimi. 2015. Using false colors to protect visual privacy of sensitive content. In Human Vision And Electronic Imaging Xx, Vol. 9394. Spie-Int Soc Optical Engineering, 93941L.Google Scholar
- Federal Trade Commission and others. 2008. Innovations in health care delivery. (2008).Google Scholar
- Gordon Darroch. 2002. Semi-Automated Record Linkage with Surname Samples: a Regional Study of Case LawLinkage, Ontario 1861--1871. History and Computing 14, 1--2 (2002), 153--183.Google ScholarCross Ref
- Aritra Dasgupta, Min Chen, and Robert Kosara. 2013. Measuring Privacy and Utility in Privacy-Preserving Visualization. In Computer Graphics Forum, Vol. 32. Wiley Online Library, 35--47.Google Scholar
- Aritra Dasgupta and Robert Kosara. 2011. Adaptive privacy-preserving visualization using parallel coordinates. IEEE Transactions on Visualization and Computer Graphics 17, 12 (2011), 2241--2248. Google ScholarDigital Library
- Aritra Dasgupta, Eamonn Maguire, Alfie Abdul-Rahman, and Min Chen. 2014. Opportunities and challenges for privacy-preserving visualization of electronic health record data. In Proc. of IEEE VIS 2014 Workshop on Visualization of Electronic Health Records.Google Scholar
- Fan Du, Catherine Plaisant, Neil Spring, and Ben Shneiderman. 2017. Finding similar people to guide life choices: Challenge, design, and evaluation. In Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems. ACM, 5498--5544. Google ScholarDigital Library
- Stephen E Fienberg. 2005. Confidentiality and disclosure limitation. Encyclopedia of Social Measurement 1 (2005), 463--69.Google ScholarCross Ref
- Daniel J Gilman and James C Cooper. 2009. There is a Time to Keep Silent and a Time to Speak, The Hard Part is Knowing Which is Which: Striking the Balance Between Privacy Protection and the Flow of Health Care Information. (2009).Google Scholar
- Rob Hall and Stephen E Fienberg. 2010. Privacy-Preserving Record Linkage.. In Privacy in statistical databases, Vol. 6344. Springer, 269--283. Google ScholarDigital Library
- Sean Kandel, Jeffrey Heer, Catherine Plaisant, Jessie Kennedy, Frank van Ham, Nathalie Henry Riche, Chris Weaver, Bongshin Lee, Dominique Brodbeck, and Paolo Buono. 2011. Research directions in data wrangling: Visualizations and transformations for usable and credible data. Information Visualization 10, 4 (2011), 271--288. Google ScholarDigital Library
- Sean Kandel, Ravi Parikh, Andreas Paepcke, Joseph M Hellerstein, and Jeffrey Heer. 2012. Profiler: Integrated statistical analysis and visualization for data quality assessment. In Proceedings of the International Working Conference on Advanced Visual Interfaces. ACM, 547--554. Google ScholarDigital Library
- Hyunmo Kang, Lise Getoor, Ben Shneiderman, Mustafa Bilgic, and Louis Licamele. 2008. Interactive entity resolution in relational data: A visual analytic tool and its evaluation. IEEE transactions on visualization and computer graphics 14, 5 (2008), 999--1014. Google ScholarDigital Library
- Hanna K¨ opcke, Andreas Thor, and Erhard Rahm. 2010. Evaluation of entity resolution approaches on real-world match problems. Proceedings of the VLDB Endowment 3, 1--2 (2010), 484--493. Google ScholarDigital Library
- Hye-Chung Kum, Stanley Ahalt, and Darshana Pathak. 2013. Privacy-preserving data integration using decoupled data. In Security and Privacy in Social Networks. Springer, 225--253.Google Scholar
- Hye-Chung Kum, Ashok Krishnamurthy, Ashwin Machanavajjhala, and Stanley C Ahalt. 2014a. Social genome: Putting big data to work for population informatics. Computer 47, 1 (2014), 56--63. Google ScholarDigital Library
- Hye-Chung Kum, Ashok Krishnamurthy, Ashwin Machanavajjhala, Michael K Reiter, and Stanley Ahalt. 2014b. Privacy preserving interactive record linkage (PPIRL). Journal of the American Medical Informatics Association 21, 2 (2014), 212--220.Google ScholarCross Ref
- Pin Luarn and Hsin-Hui Lin. 2005. Toward an understanding of the behavioral intention to use mobile banking. Computers in human behavior 21, 6 (2005), 873--891.Google Scholar
- National Cancer Institute NIH. 2017. SEER Research Data Use Agreement -- Surveillance, Epidemiology and End Results Program. (2017).Google Scholar
- E.C. O'Brien, A.M. Rodriguez, H.-C. Kum, L. Schanberg, S.M. O'Brien, and S. Setoguchi. 2017. Patient perspectives on the linkage of health data for clinical research: insights from a survey in the United States. Presentation abstract at the 2017 World Congress of Epidemiology. (2017).Google Scholar
- Vaishali Patel, Penelope Hughes, Wesley Barker, and Lisa Moon. 2016. Trends in Individuals Perceptions regarding Privacy and Security of Medical Records and Exchange of Health Information: 2012--2014. Technical Report. ONC Data Brief, no.33. Office of the National Coordinator for Health Information Technology: Washington DC.Google Scholar
- George G Robertson, Mary P Czerwinski, and John E Churchill. 2005. Visualization of mappings between schemas. In Proceedings of the SIGCHI conference on Human factors in computing systems. ACM, 431--439. Google ScholarDigital Library
- Hans-J¨ org Schulz, Thomas Nocke, Magnus Heitzler, and Heidrun Schumann. 2017. A systematic view on data descriptors for the visual analysis of tabular data. Information Visualization 16, 3 (2017), 232--256.Google ScholarCross Ref
- Qiaomu Shen, Tongshuang Wu, Haiyan Yang, Yanhong Wu, Huamin Qu, and Weiwei Cui. 2017. NameClarifier: a visual analytics system for author name disambiguation. IEEE transactions on visualization and computer graphics 23, 1 (2017), 141--150. Google ScholarDigital Library
- Dinusha Vatsalan, Peter Christen, and Vassilios S Verykios. 2013. A taxonomy of privacy-preserving record linkage techniques. Information Systems 38, 6 (2013), 946--969. Google ScholarDigital Library
- Joan L Warren, Carrie N Klabunde, Deborah Schrag, Peter B Bach, and Gerald F Riley. 2002. Overview of the SEER-Medicare data: content, research applications, and generalizability to the United States elderly population. Medical care 40, 8 (2002), IV--3.Google Scholar
- Daniel J Weitzner, Harold Abelson, Tim Berners-Lee, Joan Feigenbaum, James Hendler, and Gerald Jay Sussman. 2008. Information accountability. Commun. ACM 51, 6 (2008), 82--87. Google ScholarDigital Library
Index Terms
- Balancing Privacy and Information Disclosure in Interactive Record Linkage with Visual Masking
Recommendations
Protecting Privacy Against Record Linkage Disclosure: A Bounded Swapping Approach for Numeric Data
Record linkage techniques have been widely used in areas such as antiterrorism, crime analysis, epidemiologic research, and database marketing. On the other hand, such techniques are also being increasingly used for identity matching that leads to the ...
The effects of different personal data categories on information privacy concern and disclosure
AbstractThe potential threats of exposing personal data associated with online services have been a reason for concern, and individuals as customers may decline to disclose their data due to trust issues. Literature has shown evidence that ...
Privacy-preserving record linkage
It has been recognized that sharing data between organizations can be of great benefit, since it can help discover novel and valuable information that is not available in individual databases. However, as organizations are under pressure to better ...
Comments