While PostgreSQL offers state of the art features and capabilities in security, there are privacy breaches that typically escape the security lens, notably through re-identification attacks. Up until recently, encryption was the only approach available to PostgreSQL developers and DBAs but not anymore. This talk will identify typical patterns for privacy preservation and will showcase how they are implemented in PostgreSQL through native features, third party extensions and specific techniques utilizing non-traditional encryption, data programming, differential privacy, and foreign data wrappers. This talk will dive into three types of approaches and their implementation in PostgreSQL employed to preserve PII (personally identifiable information). This includes best practices in encryption and masking, federated query via foreign data wrappers and differential privacy. The talk is targeted at DBAs, developers and architects to provide support for GDPR, NDB, CCA, and related compliance and regulatory requirements.

1. Patterns and Packages
in PostgreSQL for
Privacy Preservation
mantaq10
www.2019.pgdu.org
Atif Rahman
15 November 2019, Sydney
PostgreSQL, Planning, PostGIS, Partitioning, PaaS, Permissions and now….

3. I was like her
According to Pearson-R
We were both outliers
• Data Engineering
• ML Pipelines
• Herding Cats

4. NDB Breach Notifications
April 2018 – March 2019 964
mantaq10
Attack
Error
Others
60%35%
OAIC Report 2019
55%
41%
Healthcare
Financial
Human Error
www.2019.pgdu.org

5. mantaq10www.2019.pgdu.org
OAIC Report 2019

6. mantaq10www.2019.pgdu.org
You can have security
but not necessarily privacy

7. mantaq10www.2019.pgdu.org
Security Protection
Privacy Usage
ISO/IEC 29100:2011: Privacy Framework
Binary
Contextual

8. mantaq10www.2019.pgdu.org
Privacy Guarantees
1
2
De-Identification (Record Keys (PK, FK, SK))
Re-Identification (Brute Force & Decryption)
Re-Identification (Record Linkage * Math)3
Ethical Computing (Permissibility & Compliance)4
“Homomorphic encryption schemes are often
repackaging vulnerabilities (practical chosen-
ciphertext attacks) as features.” – The Internet
x f(x)
𝐹−1
𝐹
Loss-less Functions
vs
Lossy Functions
PII and Attribute
Augmentation

9. mantaq10www.2019.pgdu.org
Record Linkage
"87% of the U.S. population is uniquely identified by date of birth,
gender, postal code.” Latanya Sweeney (k-anonymity)
“Decreasing the precision of the data, or perturbing it
statistically, makes re-identification gradually harder at a
substantial cost to utility”. Chris Culnane, Benjamin Rubinstein,
Vanessa Teague @UniMelb

10. mantaq10www.2019.pgdu.org
Privacy vs Utility Trade-off
SM: Secure Multiparty Computing
SM
DP: Differential Privacy HE: Homomorphic Encryption AN: Anonymisation
DP HE AN
Privacy
Guarantee
Better
Utility
Bleeding Edge
Cutting Edge
Established

11. mantaq10www.2019.pgdu.org
1. AN: (Pseudo)Anonymisation
REPLACEMENT
ID NAME DOB EMPLOYER ZIPCODE FK_SHOP
101 SARAH CONNOR 12-06-1962 JB Vet 63456 12
112 PAMELA LANDY 18-10-1971 FBI 54367 45
SUPRESSION
PERTURBATION
GENERALISATION
REPLACEMENT
ID NAME DOB EMPLOYER ZIPCODE FK_SHOP
101 MIKE OBAMA 13-07-1982 JB Vet 63456 12
112 BRUCE LEE 19-11-1991 FBI 54367 45
(reversible or random) (PG String Functions)
(PGAnonymizer)

12. mantaq10www.2019.pgdu.org
1. AN: (Pseudo) Anonymisation
REPLACEMENT
ID NAME DOB EMPLOYER ZIPCODE FK_SHOP
101 SARAH CONNOR 12-06-1962 JB Vet 63456 12
112 PAMELA LANDY 18-10-1971 FBI 54367 45
SUPRESSION
PERTURBATION
GENERALISATION
ID NAME EMPLOYER ZIPCODE FK_SHOP
101 M*** ****A JB Vet 63456 12
112 B**** **E FBI 54367 45
(Wildcard or Removal)
- 18 PII Attributes
(PG String Functions)
(PGAnonymizer)
SUPRESSION

13. mantaq10www.2019.pgdu.org
1. AN: (Pseudo) Anonymisation
REPLACEMENT
ID NAME DOB EMPLOYER ZIPCODE FK_SHOP
101 SARAH CONNOR 12-06-1962 JB Vet 63456 12
112 PAMELA LANDY 18-10-1971 FBI 54367 45
SUPRESSION
PERTURBATION
GENERALISATION
(Additive Noise)
(PDF)
(Data Imputation)
(PGAnonymizer)
(Google DP)
(Uber DP)
PERTURBATION
ID NAME DOB EMPLOYER ZIPCODE FK_SHOP
101 SARAH CONNOR 12-07-1958 JB Vet 64532 12
112 PAMELA LANDY 18-11-1973 FBI 57843 45

14. mantaq10www.2019.pgdu.org
1. AN: (Pseudo)Anonymisation
REPLACEMENT
ID NAME DOB EMPLOYER ZIPCODE FK_SHOP
101 SARAH CONNOR 12-06-1962 JB Vet 63456 12
112 PAMELA LANDY 18-10-1971 FBI 54367 45
SUPRESSION
PERTURBATION
GENERALISATION
(K-Anonymity or Masking)
(PGAnonymizer)
(PG Aggregate Functions)
GENERALISATION
ID NAME DOB EMPLOYER 𝝈_ZIPCODE FK_SHOP
101 SARAH CONNOR 1960s JB Vet 0.37 12
112 PAMELA LANDY 1970s FBI -0.99 45

15. mantaq10www.2019.pgdu.org
Privacy vs Utility Trade-off
SM: Secure Multiparty Computing
SM
DP: Differential Privacy HE: Homomorphic Encryption AN: Anonymisation
DP HE AN
Privacy
Guarantee
Better
Utility
Bleeding Edge
Cutting Edge
Established

16. mantaq10www.2019.pgdu.org
Differential Privacy
Statistical
Properties
The Oracle
Perturbations
(Noise)
Database with
Ned in it
Private
Database.
Not sure if
Ned is there
anymore
?
• Works on the Data itself, not on the management environment
• Considerably fast compared to encryption techniques.
• Quantum Safe (ish)

17. mantaq10www.2019.pgdu.org
Differential Privacy on PostgreSQL
https://github.com/google/differential-privacy
Count
Sum
Mean
Variance
Standard deviation
Order statistics (including min, max,
and median)
Laplace Functions for UDFs
Privacy Loss
- Epsilon & Delta
- Risk Score for every attribute
used for a particular person
- Risk Score for total number of
records with similar values
- (rule of thumb) k = 11

18. mantaq10www.2019.pgdu.org
HE: Homomorphic Encryption
Ability to apply
computations
on encrypted
data!
Malleable
Performance
Operators
Trade-Offs Schemes
BFV
BGV
CKKS
Full
HE
Partial
HE
Categories
Microsoft SEAL
PALISADE
HELib
HEAAN
TFHE
Libraries

19. mantaq10www.2019.pgdu.org
Privacy vs Utility Trade-off
SM: Secure Multiparty Computing
SM
DP: Differential Privacy HE: Homomorphic Encryption AN: Anonymisation
DP HE AN
Privacy
Guarantee
Better
Utility
Bleeding Edge
Cutting Edge
Established

20. mantaq10www.2019.pgdu.org
Secure Multi-party Computing
A
B
C
D
X1 = A_pay + 876532
X2 = B_pay + X1X3 = C_pay + X2
X4 = D_pay + X3
X4/4 = Avg_pay
K-Anonymity

21. mantaq10www.2019.pgdu.org
Privacy Guarantees
1
2
De-Identification (Record Keys (PK, FK, SK))
Re-Identification (Brute Force & Decryption)
Re-Identification (Record Linkage & Math)3
Ethical Computing (Permissibility & Compliance)4
“Homomorphic encryption schemes are often
repackaging vulnerabilities (practical chosen-
ciphertext attacks) as features.” – The Internet
x f(x)
𝐹−1
𝐹
Loss-less Functions
vs
Lossy Functions
PII and Attribute
Augmentation

22. mantaq10www.2019.pgdu.org
Sources Landing
1
2
Unified Key
Management System
Processing Serving
De-Identification (Record Keys (PK, FK, SK)) Re-Identification (Brute Force & Decryption) Re-Identification (Record Linkage)
EthicalComputing (Permissibility &
Compliance)
1
1
3
2
4
2
………Privacy Gates
Typical Data Pipelines

23. mantaq10www.2019.pgdu.org
Sources
Unified Key
Management System
Processing & Serving Persistence
De-Identification (Record Keys (PK, FK, SK)) Re-Identification (Brute Force & Decryption) Re-Identification (Record Linkage)
EthicalComputing (Permissibility &
Compliance)
Emerging Data Architecture (Data Fabrics) [HTAP = OLTP + OLAP]
*Gaps to Close:
• Encryption
Performance
• Developer UX
• Admin Tooling
• Extensions!

24. mantaq10www.2019.pgdu.org
Key Takeaways
Securing your database doesn’t guarantee data privacy.
There are trade-offs between privacy and utility
You can provision privacy controls within PostgreSQL
PostgreSQL fits emerging (data) architecture patterns
Atif is pledging to build an extension, he needs my help!

25. Questions
25