When Data Collaboration Meets Privacy: Privacy-enhancing Technologies on AWS

Transcript

1. BAY AREA

2. When Data Collaboration Meets Privacy: Privacy-enhancing Technologies on AWS Richard

   Fan | 12 April 2024

3. Who am I? Richard Fan AWS Security Hero Security Engineer

   AWS Nitro Enclaves contributor

4. Story time!

5. Facebook Disaster Map

6. Facebook Disaster Map https://research.facebook.com/blog/2017/6/facebook-disaster-maps-methodology/

7. Kerala Flooding, 2018 https://www.bbc.com/news/uk-northern-ireland-foyle-west-45251062 https://www.mobilityindia.com/kerala-disaster-management-donation-efforts-facebook/

8. Government surveillance – Jelani Henry’s case https://www.theverge.com/2014/12/10/7341077/nypd-harlem-crews-social-media-rikers-prison

9. Privacy-enhancing Technologies (PETs) Data Collaboration + Data Privacy

10. Privacy-enhancing Technologies (PETs) • Homomorphic encryption (HE) • Trusted Execution

    Environments (TEE) • Secure multi-party computation (SMPC) • Differential Privacy (DP) • Federated learning (FL)

11. AWS Nitro Enclaves Trusted Execution Environment (TEE)

12. Trusted Execution Environment (TEE) Secured area of a processor Isolated

    from the rest of the system Cannot accessed/modified by system admins or OS E.g. AWS Nitro Enclaves, Intel SGX, AMD SEV-SNP, Apple Secure Enclave, Arm TrustZone, NVIDIA Confidential Computing

13. AWS Nitro Enclaves Isolated virtual machine Communication over a secure

    channel No admin access No persistent storage No external networking https://aws.amazon.com/blogs/aws/aws-nitro-enclaves-isolated-ec2-environments-to-process-confidential-data/

14. AWS Nitro Enclaves Prevent unauthorized access Protect data in use

    Ensure application integrity

15. Attestation Document Describe the running enclave Signed by AWS Provide

    root of trust from AWS

16. Amazon SageMaker Federated Learning (FL)

17. Federated Learning Machine Learning Training data stay locally Central node

    aggregate models https://royalsociety.org/-/media/policy/projects/privacy-enhancing-technologies/From-Privacy-to-Partnership.pdf

18. Federated Learning – Use cases Medical ML models COINSTAC –

    FL tools on Neuroimages Estimate brain age from MRIs Accuracy is similar to tradition models https://www.biorxiv.org/content/10.1101/2021.05.10.443469v2.full.pdf

19. Amazon SageMaker Fully-managed ML service Prepare data Build, train, deploy

    ML models

20. Amazon SageMaker – Distributed Training Run training jobs in parallel

    Scale across instances Make training fast https://aws.amazon.com/campaigns/sagemaker/

21. Amazon SageMaker – Federated Learning Connect accounts via VPC Peering

    Federated Learning Libraries: • FedML • OpenFL • Flower • TensorFlow Federated https://aws.amazon.com/blogs/machine-learning/machine-learning-with-decentralized-training-data-using-federated-learning-on-amazon-sagemaker/ https://aws.amazon.com/blogs/machine-learning/part-1-federated-learning-on-aws-with-fedml-health-analytics-without-sharing-sensitive-data/ https://aws.amazon.com/blogs/machine-learning/enable-data-sharing-through-federated-learning-a-policy-approach-for-chief-digital-officers/

22. Story time!

23. Revealing medical records of Governor, 1997 Ethnicity Visit date Diagnosis

    Procedure Medication Total charge Birth date Gender ZIP Name Address Date registered Affiliation Date last vote Voter registry Medical record https://epic.org/wp-content/uploads/privacy/reidentification/Sweeney_Article.pdf

24. Birth date Gender ZIP Revealing medical records of Governor, 1997

    Ethnicity Visit date Diagnosis Procedure Medication Total charge 6 people Medical record Voter registry Name Address Date registered Affiliation Date last vote https://epic.org/wp-content/uploads/privacy/reidentification/Sweeney_Article.pdf

25. Revealing medical records of Governor, 1997 Ethnicity Visit date Diagnosis

    Procedure Medication Total charge 3 people Medical record Voter registry Birth date Gender ZIP Name Address Date registered Affiliation Date last vote https://epic.org/wp-content/uploads/privacy/reidentification/Sweeney_Article.pdf

26. Revealing medical records of Governor, 1997 Ethnicity Visit date Diagnosis

    Procedure Medication Total charge 1 person Medical record Voter registry Birth date Gender ZIP Name Address Date registered Affiliation Date last vote https://epic.org/wp-content/uploads/privacy/reidentification/Sweeney_Article.pdf

27. De-anonymization on Netflix Prize Dataset, 2006 https://arxiv.org/pdf/cs/0610105.pdf

28. De-anonymization on Netflix Prize Dataset, 2006 Subscribe #12345 Catch Me

    If You Can Forrest Gump Fahrenheit 9/11 Jesus of Nazareth John Catch Me If You Can Forrest Gump https://arxiv.org/pdf/cs/0610105.pdf

29. De-anonymization on Netflix Prize Dataset, 2006 John Catch Me If

    You Can Forrest Gump Fahrenheit 9/11 Jesus of Nazareth John Catch Me If You Can Forrest Gump Fahrenheit 9/11 Jesus of Nazareth https://arxiv.org/pdf/cs/0610105.pdf

30. No person is exactly the same as the others All

    data is potential PII

31. AWS Clean Rooms Differential Privacy (DP)

32. Differential Privacy (DP) A statistical measure How much an individual

    impact a dataset Important concepts: • Privacy Budget (ε) • Noise

33. Lower ε (Leak less privacy) Name Country City Alice US

    LA … … … Bob US Chicago Peter UK London Privacy Budget (ε) – How best John can hide from my question? How many people live in US? Name Country City John US Monterey Alice US LA … … … Bob US Chicago Peter UK London 100 99

34. Higher ε (Leak more privacy) Name Country City Alice US

    LA … … … Bob US Chicago Peter UK London Privacy Budget (ε) – How best John can hide from my question? How many people live in Monterey? Name Country City John US Monterey Alice US LA … … … Bob US Chicago Peter UK London 1 0

35. Name Country City John US Monterey Alice US LA Bob

    US Chicago … … Peter UK London Noise – Helping John hide How many people live in Monterey? 0? 1? 2? 10?

36. Differential Privacy (DP) Lower ε → More privacy preserved Higher

    noise → Lower ε → More privacy preserved Higher noise → Lower accuracy → Lower usability

37. AWS Clean Rooms Sharing Glue Tables across accounts Analysis Rules

    limit query capability Differential Privacy (In Preview)

38. AWS Clean Rooms – Demo Member ID City Gender Education

    … … … … 123456 Charlottetown Male Doctor … … … … … … … … Loyalty member database

39. AWS Clean Rooms – Demo Without Differential Privacy Minimum distinct

    value threshold

40. AWS Clean Rooms – Demo Without Differential Privacy Attacker is

    not stupid!

41. AWS Clean Rooms – Demo With Differential Privacy Added noise

42. AWS Clean Rooms – Demo With Differential Privacy Privacy Budget

    cap

43. Recap Trusted Execution Environment (TEE) → AWS Nitro Enclaves Federated

    Learning (FL) → Amazon SageMaker Differential Privacy (DP) → AWS Clean Rooms

44. This Speaker Deck Links Blog post Series richardfan1126