数据假名化：先进技术和使用案例

TABLEOFCONTENTS

1.INTRODUCTION7

1.1BACKGROUND7

1.2OBJECTIVES8

1.3OUTLINE9

2.PSEUDONYMISATIONBASICS10

2.1PSEUDONYMISATIONSCENARIOS10

2.2PSEUDONYMISATIONTECHNIQUESANDPOLICIES12

3.ADVANCEDPSEUDONYMISATIONTECHNIQUES14

3.1ASYMMETRICENCRYPTION14

3.2RINGSIGNATURESANDGROUPPSEUDONYMS16

3.3CHAININGMODE18

3.4PSEUDONYMSBASEDONMULTIPLEIDENTIFIERSORATTRIBUTES19

3.5PSEUDONYMSWITHPROOFOFOWNERSHIP21

35.1Zero-KnowledgeProof22

3.6SECUREMULTIPARTYCOMPUTATION23

3.7SECRETSHARINGSCHEMES25

3.8CONCLUSION26

4.PSEUDONYMISATIONUSECASESINHEALTHCARE27

4.1EXAMPLESCENARIO27

4.2PSEUDONYMISATIONUSECASES28

42.1Patientrecordcomparisonuse-case28

422Medicalresearchinstitutionuse-case30

423Distributedstorageuse-case31

4.3ADVANCEDPSEUDONYMISATIONSCENARIO:THEDATACUSTODIANSHIP32

43.1Notionofdatacustodianship32

432PersonalInformationManagementSystem(PIMS)asdatacustodian34

43.3Datacustodianasapartofthehospital34

43.4Datacustodianasanindependentorganisation35

43.5Interconnecteddatacustodiannetwork36

5.PSEUDONYMISATIONUSECASESINCYBERSECURITY38

5.1THEROLEANDSCOPEOFSECURITYTELEMETRY38

5.2AUSECASEONREPUTATIONSYSTEMTRAININGANDUSER-TAILOREDPROTECTION39

521Entitiesandroles39

522FileReputation40

523URLReputation42

5.3USECASESONSECURITYOPERATIONSANDCUSTOMERSUPPORTCENTRES43

53.1SecurityOperationsCenters43

532Consumercustomersupport44

53.3Protectiongapandreal-timeprotection46

5.4ADDITIONALCYBERSECURITYUSECASES46

6.CONCLUSIONSANDRECOMMENDATIONS47

7.REFERENCES50

EXECUTIVESUMMARY

Pseudonymisationisanestablishedandaccepteddataprotectionmeasurethathasgained

additionalattentionfollowingtheadoptionoftheGeneralDataProtectionRegulation(GDPR)1

whereitisbothspecificallydefinedandmanytimesreferencedasasafeguard.

ENISA,initspriorworkonthisfield,hasexploredthenotionandscopeofdata

pseudonymisation,whilepresentingsomebasictechnicalmethodsandexamplestoachieve

pseudonymisationinpractice.Inthisnewreport,ENISAcomplementsitspastworkby

discussingadvancedpseudonymisationtechniques,aswellasspecificusecasesfromthe

specificsectorsofhealthcareandcybersecurity.Inparticular,thereport,buildingonthebasic

pseudonymisationtechniques,examinesadvancedsolutionsformorecomplexscenariosthat

canbebasedonasymmetricencryption,ringsignaturesandgrouppseudonyms,chaining

mode,pseudonymsbasedonmultipleidentifiers,pseudonymswithproofofknowledgeand

securemulti-partycomputation.Itthenappliessomeofthesetechniquesintheareaof

healthcaretodiscusspossiblepseudonymisationoptionsindifferentexamplecases,whilealso

exploringthepossibleapplicationofthedatacustodianshipmodel.Lastly,itexaminesthe

applicationofbasicpseudonymisationtechniquesincommoncybersecurityusecases,suchas

theuseoftelemetryandreputationsystems.

Basedontheanalysisprovidedinthereport,thefollowingbasicconclusionsand

recommendationsforallrelevantstakeholdersareprovided.

Definingthebestpossibletechnique

AsithasbeenstressedalsoinpastENISA'sreports,thereisnofit-for-allpseudonymisation

techniqueandadetailedanalysisofthecaseinquestionisnecessaryinordertodefinethebest

possibleoption.Todoso,itisessentialtotakeacriticaltolookintothesemantics(the"full

picture”)beforeconductingdatapseudonymisation.Inaddition,pseudonymisationisonlyone

possibletechniqueandmustbecombinedwithathoroughsecurityriskassessmentforthe

protectionofpersonaldata.

Datacontrollersandprocessorsshouldengageindatapseudonymisation,basedonasecurity

anddataprotectionriskassessmentandtakingdueaccountoftheoverallcontextand

characteristicsofpersonaldataprocessing.Thismayalsocomprisemethodsfordatasubjectsto

pseudonymisepersonaldataontheirside(e.g.beforedeliveringdatatothecontroller/processor)

toincreasecontroloftheirownpersonaldata.

Regulators(e.g.DataProtectionAuthoritiesandtheEuropeanDataProtectionBoard)should

promoterisk-baseddatapseudonymisationthroughtheprovisionofrelevantguidanceand

examples.

1Regulation(EU)2016/679oftheEuropeanParliamentandoftheCouncilof27April2016ontheprotectionofnaturalpersons

withregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata,andrepealingDirective95/46/EC(General

DataProtectionRegulation)https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

Advancedtechniquesforadvancedscenarios

Whilethetechnicalsolutionisacriticalelementforachievingproperpseudonymisation,one

mustnotforgetthattheorganisationalmodelanditsunderlyingstructuralarchitecturearealso

veryimportantparametersofsuccess.Advancedtechniquesgotogetherwithadvanced

scenarios,suchasthecaseofthedatacustodianshipmodel.

Datacontrollersandprocessorsshouldconsiderpossiblescenariosthatcansupportadvanced

pseudonymisationtechniques,based-amongother-ontheprincipleofdataminimisation.

Theresearchcommunityshouldsupportdatacontrollersandprocessorsinidentifyingthe

necessarytrustelementsandguaranteesfortheadvancedscenarios(e.g.datacustodianship)

tobefunctionalinpractice.

Regulators(e.g.DataProtectionAuthoritiesandtheEuropeanDataProtectionBoard)should

ensurethatregulatoryapproaches,e.g.asregardsnewtechnologiesandapplicationsectors,

takeintoaccountallpossibleentitiesandrolesfromthestandpointofdataprotection,while

remainingtechnologicallyneutral.

Establishingthestate-of-the-art

Althoughalotofworkisalreadyinplace,thereiscertainlymoretobedoneindefiningthestate-

of-the-artindatapseudonymisation.Tothisend,researchandapplicationscenariosmustgo

hand-in-hand,involvingallrelevantparties(researchers,industry,andregulators)todiscuss

joinedapproaches.

TheEuropeanCommission,therelevantEUinstitutions,aswellasRegulators(e.g.Data

ProtectionAuthoritiesandtheEuropeanDataProtectionBoard)shouldsupporttheestablishment

andmaintenanceofthestate-of-the-artinpseudonymisation,bringingtogetherallrelevant

stakeholdersinthefield(regulators,researchcommunity,andindustry).

Theresearchcommunityshouldcontinueitseffortsonadvancingtheexistingworkondata

pseudonymisation,addressingspecialchallengesappearingfromemergingtechnologies,such

asArtificialIntelligence.TheEuropeanCommissionandtherelevantEUinstitutionsshould

supportanddisseminatetheseefforts.

Towardsthebroaderadoptionofdatapseudonymisation

Recentdevelopments,e.g.ininternationalpersonaldatatransfers,showclearlytheneedto

furtheradvanceappropriatesafeguardsforpersonaldataprotection.Thiswillonlybeintensified

inthefuturebytheuseofemergingtechnologiesandtheneedforopendataaccess.Itis,thus,

importanttostarttodaythediscussiononthebroaderadoptionofpseudonymisationindifferent

applicationscenarios.

Regulators(e.g.DataProtectionAuthoritiesandtheEuropeanDataProtectionBoard),the

EuropeanCommissionandtherelevantEUinstitutionsshoulddisseminatethebenefitsofdata

pseudonymisationandprovideforbestpracticesinthefield.

1.INTRODUCTION

Pseudonymisationisanestablishedandaccepteddataprotectionmeasurethathasgained

additionalattentionfollowingtheadoptionoftheGeneralDataProtectionRegulation(GDPR),

whereitisbothspecificallydefined(Article4(5)GDPR)2andmanytimesreferencedasa

safeguard.Technicalandorganisationalmeasures,inparticularforsecurityanddataprotection

bydesign,comprisepseudonymisation.Theapplicationofpseudonymisationtopersonaldata

canreducetheriskstothedatasubjectsconcernedandhelpcontrollersandprocessorsmeet

theirdataprotectionobligations.Nevertheless,noteveryso-calledpseudonymisation

mechanismfulfilsthedefinitionoftheGDPR,andpseudonymisationtechniquesthatmaywork

inonespecificcasetoachievedataprotection,maynotbesufficientinothercases3.Still,the

basicconceptofsubstitutingidentifyingdatawithpseudonymscancontributetoreducingdata

protectionrisks.

1.1BACKGROUND

Giventhegrowingimportanceofpseudonymisationforbothdatacontrollersanddatasubjects,

ENISAhasbeenworkingoverthepastyearsonthistopic,inco-operationwithexpertsand

nationalregulatoryauthorities.Indeed,ENISAissueditsfirstrelevantreportinJanuary2019

(ENISA,2019-1)presentinganoverviewofthenotionandmaintechniquesof

pseudonymisationincorrelationwithitsnewroleundertheGDPR.AsecondENISAreport

followedinNovember2019(ENISA,2019-2)withamoredetailedanalysisofthetechnical

methodsandspecificexamplesandbestpracticesforparticulardatasets,i.e.emailaddresses,

IPaddressesandmorecomplexdatasets.Inaddition,adedicatedworkshopon

pseudonymisation4wasco-organisedbyENISAandtheDataProtectionAuthorityofthe

GermanFederalStateofSchleswig-Holstein(ULD)inNovember2019inordertoexchange

informationandexperienceamongkeystakeholders5.

Whileworkandregulatoryguidanceinthefieldisgrowing6,itisapparentthatfurthereffortis

needed,especiallyaddressingspecificapplicationscenariosanddifferenttypesofdatasets.

BothENISA'sreportsandtheconclusionsoftheULD-ENISAworkshopleadtowardsthis

direction,whichcouldeventuallysupportthedevelopmentofMacatalogueoftechniques"ora

,,cookbookntowardsapplyingpseudonymisationinpracticeindifferentapplicationscenarios.

2IIhastobenotedthatpersonaldatathathasbeenpseudonymisedisstillregardedas"personaldata"pursuanttoArticle4(1)

GDPRandmustnotbeconfusedwith"anonymiseddata"whereitisnolongerpossibleforanyonetoreferbacktoindividualdata

subjects,seeRecital28GDPR.

3Inordertofullyunderstandtheroleofpseudonymisationfortheprocessingofpersonaldata,afullanalysisofthelegalsituation

inthespecificcasewouldalsoberequired.

Fortheassessmentofconcreteprocessingoperations,controllersandprocessorsmusttakeaccountofallfactorsplayingarole

fortherisktothefundamentalrightsofindividualsinducedbytheprocessingassuchandbypotentialbreachesofsecurity,also

goingbeyondtechnicalandorganisationalmeasuresconsideredinthisstudy.

https://www.enisa.europa.eu/events/uld-enisa-workshop/uld-enisa-workshop-pseudonymization-and-relevant-security-

technologies

https://www.enisa.europa.eu/events/uld-enisa-workshop/uld-enisa-workshop-notes/view

6SeealsoEDPSandSpanishDPAjointpaperontheintroductionofhashaspseudonymisationtechnique,

https://edps.europa.eu/data-protection/our-workypublications/papers/introduction-hash-function-personal-data.en

Shouldthisbeachieved,itwouldbeasignificantsteptowardsthedefinitionofthestate-of-the-

artforpseudonymisationtechniques.

AgainstthisbackgroundandfollowingpreviousrelevantENISA'swork7,theAgencydecided

underits2020work-programmetoelaboratefurtheronthepracticalapplicationofdata

pseudonymisationtechniques.

1.2OBJECTIVES

TheoverallscopeofthisreportistocontinuepastENISA'sworkbyproviding(onthebasisof

thepreviousanalysis)specificusecasesforpseudonymisation,alongwithmoreadvanced

techniquesandscenariosthatcansupportitspracticalimplementationbydatacontrollersor

processors.

Morespecifically,theobjectivesofthereportareasfollows:

•Explorefurtheradvancedpseudonymisationtechniqueswhichwerenotcoveredin

priorENISA*swork,basedoncryptographicalgorithmsandprivacyenhancing

technologies.

•Discussspecificapplicationusecaseswherepseudonymisationcanbeapplied,

analysingtheparticularscenarios,rolesandtechniquesthatcouldbeofinterestineach

case.Inparticular,forthescopeofthereport,usecasesarepresentedintwodifferent

sectors:(a)healthcareinformationexchange;(b)cybersecurityinformationexchange

withtheuseofinnovativetechnologies(e.g.machinelearningtechnologies).

Itshouldbenotedthattheselectionoftheusecaseswasbasedonthefactthatthespecific

sectors(healthcare,cybersecurity)representquitecommoncasesfortheapplicationof

pseudonymisationinseveralreal-lifesituations.Atthesametime,theselectedusecasesalso

reflectdiverserequirementswithregardtopseudonymisation,e.g.intermsofthe

scenarios/rolesinvolved,aswellasintermsofthetechniquesthatcouldbeappliedinpractice.

Thetargetaudienceofthereportconsistsofdatacontrollers,dataprocessorsand

manufacturers/producersofproducts,servicesandapplications,DataProtectionAuthorities

(DPAs),aswellasanyotherinterestedpartyindatapseudonymisation.

Thedocumentassumesabasiclevelofunderstandingofpersonaldataprotectionprinciplesand

therole/processofpseudonymisation.ForanoverviewofdatapseudonymisationunderGDPR,

pleasealsorefertorelevantENISA'sworkinthefield(ENISA,2019-1)&(ENISA,2019

-2).

Thediscussionandexamplespresentedinthereportareonlyfocusedontechnicalsolutions

thatcouldpromoteprivacyanddataprotection;theyshouldbynomeansbeinterpretedasa

legalopinionontherelevantcases.

https://www.enisa.europa.eu/topics/data-protection/privacy-by-design

1.3OUTLINE

Theoutlineoftheremainingpartofthereportisasfollows:

•Chapter2providesanoverviewofthebasicscenarios,pseudonymisationtechniques

andpoliciesdiscussedunder(ENISA,2019-2).

•Chapter3presentsanumberofadvancedpseudonymisationtechniques,including

asymmetricencryption,ringsignatures,chainingmode,Merkletrees,pseudonymswith

prooforownership,securemultipartycomputationandsecretsharingschemes.

•Chapter4analysespseudonymisationtechniquesandapplicationscenariosinthe

areaofhealthcare.Itparticularlyfocusesontheuseofthetree-basedpseudonyms

approachandthedatacustodianshipmodel.

•Chapter5discussestheapplicationofpseudonymisationinthebroaderareaof

cybersecuritytechnologies.

•Chapter6summarisesthepreviousdiscussionsandprovidesthemainconclusions

andrecommendationsforallrelatedstakeholders.

ThisreportispartoftheworkofENISAintheareaofprivacyanddataprotection8,which

focusesonanalysingtechnicalsolutionsfortheimplementationofGDPR,privacybydesignand

securityofpersonaldataprocessing.

https://www.enisa.europa.eu/topics/data-protection

2.PSEUDONYMISATIONBASICS

Asmentionedin(ENISA,2019-2),themostobviousbenefitofpseudonymisationistohidethe

identityofthedatasubjectsfromanythirdparty(otherthanthePseudonymisationEntity,i.e.the

entityresponsibleforpseudonymisation).Still,pseudonymisationcangobeyondhidingreal

identitiesanddataminimisationintosupportingthedataprotectiongoalofunlinkabilityand

contributingtowardsdataaccuracy.

Whenimplementingpseudonymisation,itisimportanttoclarifyasafirststeptheapplication

scenarioandthedifferentrolesinvolved,inparticulartheroleofthePseudonymisationEntity

(PE),whichcanbeattributedtodifferententities(e.g.adatacontroller,adataprocessor,a

TrustedThirdPartyorthedatasubject),dependingonthecase.Underaspecificscenario,itis

thenrequiredtoconsiderthebestpossiblepseudonymisationtechniqueandpolicythatcanbe

applied,giventhebenefitsandpitfallsthateachoneofthosetechniquesorpoliciesentails.

Obviously,thereisnotaone-size-fits-allapproachandriskanalysisshouldinallcasesbe

involved,consideringprivacyprotection,utility,scalability,etc.

Inthatregard,thisChapterprovidesabriefoverviewofthebasicpseudonymisationscenarios

andtechniques,astheseareoutlinedin(ENISA,2019-2),whichw川bethenfurther

complementedandanalysedinthenextChaptersofthereport.

2.1PSEUDONYMISATIONSCENARIOS

Sixdifferentpseudonynimisationscenariosarediscussedin(ENISA,2019-2)andare

presentedinFigure1below.Thedefiningdifferencebetweenthescenariosisfirstlytheactor

whotakestheroleofthePseudonymisationEntity(PE)andsecondlytheotherpotentialactors

thatmaybeinvolved(andtheirroles).

Clearly,inallthreefirstscenariosinFigure1,thedatacontrolleristhePE,eitheractingalone

(scenario1)orinvolvingaprocessorbeforepseudonymisation(scenario2)orafter

pseudonymisation(scenario3).Inscenario4,thePEistheprocessorthatperforms

pseudonymisationonbehalfofthecontroller(thus,controllermaintainingstillcontroloverthe

originaldata).Scenario5setsaTrustedThirdPartyentity,outsidethecontrolofthedata

controller,asPE,thereforeinvolvinganintermediarytosafeguardthepseudonymisation

process.Lastly,scenario6providesfordatasubjectstobethePEand,thus,controlan

importantpartofthepseudonymisationprocess.

Laterinthisreportwewillexplorethepracticalapplicationofthesescenariosinspecificcases,

especiallyscenarios1and3undercybersecurityusecases(Chapter5)andscenarios5and6

underhealthcareusecases(Chapter4).Forthescenario5particularlywewillfurtherdetailthe

notionoftheTrustedThirdParty(datacustodian)andtheformsthatitcouldtakeinthe

healthcaresector.

Figure1:Basicpseudonymisationscenarios

PseudonymlsatlonScenario1

DATACONTROLLER&DATACONTROLLER&

DATADATAPSEUDONYMISATIONDATAPSEUDONYMISATIONDATA

SUBJECTSPROCESSORENTITYSUBJECTSENTITYCONTROLLER

BetaInc.AlphaCorp.AlphaCorp.BetaInc.

PseudonymisationSecretPseudonymisationSecret

IdentifierPseudonymIdentifierPseudonym

Alice15Alice15

Bob28Bob28

Charly3Charly3

PscudonymiMtlonScenario2PseudonymisationScenario3

DATADATA

CONTROLLERCONTROLLER

AlphaCorp.AlphaCorp.

PseudonyvniMtionScvnario4PieudonyniisationScenario5

taeudon^vrikMtlonSecret

Alice15

IdtnclfltrPMiid❹nyni

Hob28

Charly3

PseudonymlMtlonScenario6

2.2PSEUDONYMISATIONTECHNIQUESANDPOLICIES

Thebasicpseudonymisationtechniquesthatcanbeappliedinpractice,asalsodiscussedin

(ENISA,2019-2)areasfollows:

•Counter:thesimplestpseudonymisationfunction,wheretheidentifiersaresubstituted

byanumberchosenbyamonotoniccounter.Itsadvantagesrestwithitssimplicity,

whichmakeitagoodcandidateforsmallandnotcomplexdatasets.Itprovidesfor

pseudonymswithnoconnectiontotheinitialidentifiers(althoughthesequential

characterofthecountercanstillprovideinformationontheorderofthedatawithina

dataset).However,thesolutionmayhaveimplementationandscalabilityissuesin

casesoflargeandmoresophisticateddatasets.

•RandomNumberGenerator(RNG):asimilarapproachtothecounterwiththe

differencethatarandomnumberisassignedtotheidentifier.Itprovidesstrongdata

protection(as,contrarytothecounter,arandomnumberisusedtocreateeach

pseudonym,thusitisdifficulttoextractinformationregardingtheinitialidentifier,

unlessthemappingtableiscompromised).Collisions,however,maybeanissue9,as

wellasscalability,dependingontheimplementationscenario.

•Cryptographichashfunction:directlyappliedtoanidentifiertoobtainthe

correspondingpseudonymwiththepropertiesofbeinga)one-wayandb)collision

free10.Whileahashfunctioncansignificantlycontributetowardsdataintegrity,itis

generallyconsideredweakasapseudonymisationtechnique,asitispronetobrute

forceanddictionaryattacks(ENISA,2019-2).

•Messageauthenticationcode(MAC):similartoacryptographichashfunctionexcept

thatasecretkeyisintroducedtogeneratethepseudonym.Withouttheknowledgeof

thiskey,itisnotpossibletomaptheidentifiersandthepseudonyms.MACisgenerally

consideredasarobustpseudonymisationtechniquefromadataprotectionpointof

view.Recoverymightbeanissueinsomecases(i.e.iftheoriginalidentifiersarenot

beingstored).Differentvariationsofthemethodmayapplywithdifferentutilityand

scalabilityrequirements.HMAC(Bellare,Canetti,&Krawczyk,1996)isbyfarthemost

populardesignofmessageauthenticationcodeusedinInternetprotocols.

•Symmetricencryption:theblockcipherisusedtoencryptanidentifierusingasecret

key,whichisboththepseudonymisationsecretandtherecoverysecret.Usingblock

ciphersforpseudonymisationrequirestodealwiththeblocksize.Symmetricencryption

isarobustpseudonymisationtechnique,withseveralpropertiesbeingsimilartoMAC

(i.e.theaforementionedpropertiesofthesecretkey).Onepossibleissueintermsof

dataminimisationisthatthePEcanalwaysreversethepseudonyms,evenifthereis

noneedtostoretheinitialindividuals'identifiers.

9Still,itshouldbenotedthatcryptography-basedconstructionsofpseudo-randomnumbergeneratorsareavailable,whichcan

avoidcollisionsiftheyareproperlyconfiguredandcouldbepossiblysimilarlyusedtoprovidepseudonyms(e.g.discretelogarithm

basedconstructions(Blum,Feldman,&Micali,1984).

10Thisholdsundertheassumptionthatacryptographicallystronghashfunctionisused.Moreover,itisessentialthathashing

shouldbeappliedtoappropriateindividual'sidentifiers(e.g.hashingthefirstnameandlastnamemaynotavoidcollisions,ifthis

combinationdoesnotconstituteanidentifierinaspecificcontext-i.e.theremaybetwoindividualswiththesamefistnameand

lastname).Moredetailsaregivenin(ENISA,2019-1)(ENISA,2019-2).

Independentlyofthechoiceofthetechnique,thepseudonymisationpolicy(i.e.thepractical

implementationofthetechnique)isalsocriticaltotheimplementationinpractice.Threedifferent

pseudonymisationpolicieshavebeenconsideredtothatend:

•Deterministicpseudonymisation:inallthedatabasesandeachtimeitappears,Idis

alwaysreplacedbythesamepseudonympseudo.

•Documentrandomisedpseudonymisation:eachtimeIdappearsinadatabase,itis

substitutedwithadifferentpseudonym(pseudoi,pseudo2i...)-,however,Idisalways

mappedtothesamecollectionof(pseudoi,pseudo^inthedatasetAandB.

•Fullyrandomisedpseudonymisation:foranyoccurrencesofIdwithinada