Depersonalization

Context: Sally authorizes access to a "depersonalized" version of her Road Warrior travel data.

For example, the data given to London Transport

Unclassified, available data

1. Space-time travel data, speed, time
2. Compliance with speeding / traffic restrictions
3. Hours/day

Should have:

1. Average distance traveled
2. Average # of stops/starts
3. Vehicle classification for congestion charge (permit/fee status)
4. Segment by segment travel

Should not have:

1. Obvious PII
   1. Name
   2. Driver's License #
   3. Addresses
      1. home
      2. work
   4. d. end-to-end travel

Open Questions

• Difference between Sally and the vehicle?
• How are other drivers accounted for?

Types of Anonymization (as a verb)

1. Scrubbing (removing PII)
2. Aggregate to ambiguity (increase the # of people that could be confused with Sally)
   1. number of replaceable entities
   2. number of queries

Depersonalization verses Anonymization

• Process. Steps taken.
• Not an endpoint. (Anonymization seems like an endpoint.)