End-to-end pseudonymization of fine-tuned clinical BERT models : Privacy preservation with maintained data utility.

Many state-of-the-art results in natural language processing (NLP) rely on large pre-trained language models (PLMs). These models consist of large amounts of parameters that are tuned using vast amounts of training data. These factors cause the models to memorize parts of their training data, making them vulnerable to various privacy attacks. This is cause for concern, especially when these models are applied in the clinical domain, where data are very sensitive. Training data pseudonymization is a privacy-preserving technique that aims to mitigate these problems. This technique automatically identifies and replaces sensitive entities with realistic but non-sensitive surrogates. Pseudonymization has yielded promising results in previous studies. However, no previous study has applied pseudonymization to both the pre-training data of PLMs and the fine-tuning data used to solve clinical NLP tasks. This study evaluates the effects on the predictive performance of end-to-end pseudonymization of Swedish clinical BERT models fine-tuned for five clinical NLP tasks. A large number of statistical tests are performed, revealing minimal harm to performance when using pseudonymized fine-tuning data. The results also find no deterioration from end-to-end pseudonymization of pre-training and fine-tuning data. These results demonstrate that pseudonymizing training data to reduce privacy risks can be done without harming data utility for training PLMs.

Anonymity Assurance Using Efficient Pseudonym Consumption in Internet of Vehicles.

The Internet of vehicles (IoVs) is an innovative paradigm which ensures a safe journey by communicating with other vehicles. It involves a basic safety message (BSM) that contains sensitive information in a plain text that can be subverted by an adversary. To reduce such attacks, a pool of pseudonyms is allotted which are changed regularly in different zones or contexts. In base schemes, the BSM is sent to neighbors just by considering their speed. However, this parameter is not enough because network topology is very dynamic and vehicles can change their route at any time. This problem increases pseudonym consumption which ultimately increases communication overhead, increases traceability and has high BSM loss. This paper presents an efficient pseudonym consumption protocol (EPCP) which considers the vehicles in the same direction, and similar estimated location. The BSM is shared only to these relevant vehicles. The performance of the purposed scheme in contrast to base schemes is validated via extensive simulations. The results prove that the proposed EPCP technique outperformed compared to its counterparts in terms of pseudonym consumption, BSM loss rate and achieved traceability.

A Secure Pseudonym-Based Conditional Privacy-Preservation Authentication Scheme in Vehicular Ad Hoc Networks.

Existing identity-based schemes utilized in Vehicular Ad hoc Networks (VANETs) rely on roadside units to offer conditional privacy-preservation authentication and are vulnerable to insider attacks. Achieving rapid message signing and verification for authentication is challenging due to complex operations, such as bilinear pairs. This paper proposes a secure pseudonym-based conditional privacy-persevering authentication scheme for communication security in VANETs. The Elliptic Curve Cryptography (ECC) and secure hash cryptographic function were used in the proposed scheme for signing and verifying messages. After a vehicle receives a significant amount of pseudo-IDs and the corresponding signature key from the Trusted Authority (TA), it uses them to sign a message during the broadcasting process. Thus, the proposed scheme requires each vehicle to check all the broadcasting messages received. Besides, in the proposed scheme, the TA can revoke misbehaving vehicles from continuously broadcasting signed messages, thus preventing insider attacks. The security analysis proved that the proposed scheme fulfilled the security requirements, including identity privacy-preservation, message integrity and authenticity, unlinkability, and traceability. The proposed scheme also withstood common security attacks such as man-in-the-middle, impersonation, modification, and replay attacks. Besides, our scheme was resistant against an adaptive chosen-message attack under the random oracle model. Furthermore, our scheme did not employ bilinear pairing operations; therefore, the performance analysis and comparison showed a lower resulting overhead than other identity-based schemes. The computation costs of the message signing, individual signature authentication, and batch signature authentication were reduced by 49%, 33.3%, and 90.2%, respectively.

Underground testing: Name-altering practices as probes in electronic music.

Name-altering practices are common in many creative fields-pen names in literature, stage names in the performing arts, and aliases in music. More than just reflecting artistic habits or responding to the need for distinctive brands, these practices can also serve as test devices to probe, validate, and guide the artists' active participation in a cultural movement. At the same time, they constitute a powerful probe to negotiate the boundaries of a subculture, especially when its features are threatened by appropriation from the mass-oriented culture. Drawing evidence from electronic music, a field where name-altering practices proliferate, we outline dynamics of pseudonymity, polyonymy, and anonymity that surround the use of aliases. We argue that name-altering practices are both a tool that artists use to probe the creative environment and a device to recursively put one's creative participation to the test. In the context of creative subcultures, name-altering practices constitute a subtle but effective form of underground testing.

Pseudonymization for research data collection: is the juice worth the squeeze?

BACKGROUND: The collection of data and biospecimens which characterize patients and probands in-depth is a core element of modern biomedical research. Relevant data must be considered highly sensitive and it needs to be protected from unauthorized use and re-identification. In this context, laws, regulations, guidelines and best-practices often recommend or mandate pseudonymization, which means that directly identifying data of subjects (e.g. names and addresses) is stored separately from data which is primarily needed for scientific analyses. DISCUSSION: When (authorized) re-identification of subjects is not an exceptional but a common procedure, e.g. due to longitudinal data collection, implementing pseudonymization can significantly increase the complexity of software solutions. For example, data stored in distributed databases, need to be dynamically combined with each other, which requires additional interfaces for communicating between the various subsystems. This increased complexity may lead to new attack vectors for intruders. Obviously, this is in contrast to the objective of improving data protection. What is lacking is a standardized process of evaluating and reporting risks, threats and countermeasures, which can be used to test whether integrating pseudonymization methods into data collection systems actually improves upon the degree of protection provided by system designs that simply follow common IT security best practices and implement fine-grained role-based access control models. To demonstrate that the methods used to describe systems employing pseudonymized data management are currently heterogeneous and ad-hoc, we examined the extent to which twelve recent studies address each of the six basic security properties defined by the International Organization for Standardization (ISO) standard 27,000. We show inconsistencies across the studies, with most of them failing to mention one or more security properties. CONCLUSION: We discuss the degree of privacy protection provided by implementing pseudonymization into research data collection processes. We conclude that (1) more research is needed on the interplay of pseudonymity, information security and data protection, (2) problem-specific guidelines for evaluating and reporting risks, threats and countermeasures should be developed and that (3) future work on pseudonymized research data collection should include the results of such structured and integrated analyses.

Are Pseudonyms Ethical in (Science) Publishing? Neuroskeptic as a Case Study.

The blogosphere is full of personalities with masks, or pseudonyms. Although not a desired state of public communication, one could excuse the use of pseudonyms in blogs and social media, which are generally unregulated or weakly regulated. However, in science publishing, there are increasingly strict rules regarding the use of false identities for authors, the lack of institutional or contact details, and the lack of conflicts of interest, and such instances are generally considered to be misconduct. This is because these violations of publishing protocol decrease trust and confidence in science and bring disrepute to those scientists who conform to the rules set out by journals and publishers and abide by them. Thus, when cases are encountered where trust and protocol in publishing are breached, these deserve to be highlighted. In this letter, I focus on Neuroskeptic, a highly prominent science critic, primarily on the blogosphere and in social media, highlighting the dangers associated with the use of pseudonyms in academic publishing.

Privacy-Preserving Linkage of Distributed Pseudonymised Datasets in a Virtual European Rare Disease Platform.

Secondary use of data for research purposes is especially important in rare diseases (RD), since, per definition, data are sparse. The European Joint Programme on Rare Diseases (EJP RD) aims at developing an RD infrastructure which supports the secondary use of data. Significant amounts of RD data are a) distributed and b) available only in pseudonymised format. Privacy-Preserving Record Linkage (PPRL) concerns the linking of such distributed datasets without disclosing the participant's identities. We present a concept for linking a PPRL Service to the EJP RD Virtual Platform (VP). Level 1 (resource discovery) connection is provided by running an FDP within the PPRL Service. On Level 2 (data discoverability), the PPRL Service can represent both, an individual and a catalog endpoint. Our solution can count patients in PPRL-supporting resources, count duplicates only once, and count only patients registered to multiple resources. Currently, we are preparing the deployment within the EJP RD VP.

Integration of Trusted Third Party Software into an EDC System for Data Protection - Compliant Identity Management, Consent Management and Pseudonymization in Medical Research Studies.

INTRODUCTION: Medical research studies which involve electronic data capture of sensitive data about human subjects need to manage medical and identifying participant data in a secure manner. To protect the identity of data subjects, an independent trusted third party should be responsible for pseudonymization and management of the identifying data. METHODS: We have developed a web-based integrated solution that combines REDCap as an electronic data capture system with the trusted third party software tools of the University Medicine Greifswald, which provides study personnel with a single user interface for both clinical data entry and management of identities, pseudonyms and informed consents. RESULTS: Integration of the two platforms enables a seamless workflow of registering new participants, entering identifying and consent information, and generating pseudonyms in the trusted third party system, with subsequent capturing of medical data in the electronic data capture system, while maintaining strict separation of medical and identifying data in the two independently managed systems. CONCLUSION: Our solution enables a time-efficient data entry workflow, provides a high level of data protection by minimizing visibility of identifying information and pseudonym lists, and avoids errors introduced by manual transfer of pseudonyms between separate systems.

Pseudonymization of patient identifiers for translational research.

BACKGROUND: The usage of patient data for research poses risks concerning the patients' privacy and informational self-determination. Next-generation-sequencing technologies and various other methods gain data from biospecimen, both for translational research and personalized medicine. If these biospecimen are anonymized, individual research results from genomic research, which should be offered to patients in a clinically relevant timeframe, cannot be associated back to the individual. This raises an ethical concern and challenges the legitimacy of anonymized patient samples. In this paper we present a new approach which supports both data privacy and the possibility to give feedback to patients about their individual research results. METHODS: We examined previously published privacy concepts regarding a streamlined de-pseudonymization process and a patient-based pseudonym as applicable to research with genomic data and warehousing approaches. All concepts identified in the literature review were compared to each other and analyzed for their applicability to translational research projects. We evaluated how these concepts cope with challenges implicated by personalized medicine. Therefore, both person-centricity issues and a separation of pseudonymization and de-pseudonymization stood out as a central theme in our examination. This motivated us to enhance an existing pseudonymization method regarding a separation of duties. RESULTS: The existing concepts rely on external trusted third parties, making de-pseudonymization a multistage process involving additional interpersonal communication, which might cause critical delays in patient care. Therefore we propose an enhanced method with an asymmetric encryption scheme separating the duties of pseudonymization and de-pseudonymization. The pseudonymization service provider is unable to conclude the patient identifier from the pseudonym, but assigns this ability to an authorized third party (ombudsman) instead. To solve person-centricity issues, a collision-resistant function is incorporated into the method. These two facts combined enable us to address essential challenges in translational research. A productive software prototype was implemented to prove the functionality of the suggested translational, data privacy-preserving method. Eventually, we performed a threat analysis to evaluate potential hazards connected with this pseudonymization method. CONCLUSIONS: The proposed method offers sustainable organizational simplification regarding an ethically indicated, but secure and controlled process of de-pseudonymizing patients. A pseudonym is patient-centered to allow correlating separate datasets from one patient. Therefore, this method bridges the gap between bench and bedside in translational research while preserving patient privacy. Assigned ombudsmen are able to de-pseudonymize a patient, if an individual research result is clinically relevant.

Development of a urinometer for automatic measurement of urine flow in catheterized patients.

Urinary flow measurement and colorimetry are vital medical indicators for critically ill patients in intensive care units. However, there is a clinical need for low-cost, continuous urinary flow monitoring devices that can automatically and in real-time measure urine flow. This need led to the development of a non-invasive device that is easy to use and does not require proprietary disposables. The device operates by detecting urine flow using an infrared barrier that returns an unequivocal pattern, and it is capable of measuring the volume of liquid in real-time, storing the history with a precise date, and returning alarms to detect critical trends. The device also has the ability to detect the color of urine, allowing for extended data and detecting problems in catheterized patients such as hematuria. The device is proposed as an automated clinical decision support system that utilizes the concept of the Internet of Medical Things. It works by using a LoRa communication method with the LoRaWAN protocol to maximize the distance to access points, reducing infrastructure costs in massive deployments. The device can send data wirelessly for remote monitoring and allows for the collection of data on a dashboard in a pseudonymous way. Tests conducted on the device using a gold standard medical grade infusion pump and fluid densities within the 1.005 g/ml to 1.030 g/ml urine density range showed that droplets were satisfactorily captured in the range of flows from less than 1 ml/h to 500 ml/h, which are acceptable ranges for urinary flow. Errors ranged below 15%, when compared to the values obtained by the hospital infusion pump used as gold standard. Such values are clinically adequate to detect changes in diuresis patterns, specially at low urine output ranges, related to renal disfunction. Additionally, tests carried out with different color patterns indicate that it detects different colors of urine with a precision in detecting RGB values <5%. In conclusion, the results suggest that the device can be useful in automatically monitoring diuresis and colorimetry in real-time, which can facilitate the work of nursing and provide automatic decision-making support to intensive care physicians.

Genes r us? Making sense of genetic and non-genetic relationships following anonymous donor insemination.

This exploratory qualitative study investigates the experiences of eight adults conceived following anonymous sperm donation who had discovered the identity both of their donor and of donor half-siblings and had established contact with each other. It focuses primarily on participants' reflections on genetic and social kinship relationships. Data were collected from this group as well as from the son of the donor and the donor-conceived half-sister of one participant by means of semistructured interviews utilizing asynchronous email and digitalized voice recording. Participants discussed their experience of genetic disconnection resulting from learning of their donor-conceived status and of revising their personal biographies and developing new kinship networks as a result of discovering the identity of their donor and the existence of donor half-siblings. The study highlights participants' agency expressed through their ability to draw on both genetic and non-genetic elements of their inheritance to redefine their self-identity and extend their familial/kinship networks in meaningful ways.

Anonymous sex and HIV risk practices among men using the Internet specifically to find male partners for unprotected sex.

OBJECTIVES: To examine the popularity of anonymous sex practices among men using the Internet to find male partners for unprotected sex, and how anonymous sex relates to involvement in other HIV-related risk behaviours, and to investigate the factors associated with engaging in anonymous sex. STUDY DESIGN: Structured telephone interviews were conducted with men who used the Internet specifically to find male partners for unprotected sex. Random sampling from 16 websites was used to obtain a national sample. The data reported in this paper were based on quantitative interviews collected with a cross-sectional study design. METHODS: Between January 2008 and May 2009, confidential telephone interviews lasting approximately 1-2 h were completed with 332 men. Participants were paid $35 for their participation. RESULTS: Most of the men (67.4%) liked anonymous sex, and slightly more than half (51.2%) had engaged in the behaviour during the month prior to interview. Involvement in anonymous sex was associated with greater involvement in a variety of human immunodeficiency virus (HIV)-related risk practices, such as illegal drug use, number of sex partners, and amount of unprotected sex. Four factors were associated with having vs not having anonymous sex: (1) being HIV positive; (2) answering all of the HIV-related knowledge questions correctly; (3) deriving greater enjoyment from having sex in public places, such as parks, public toilets, or adult book shops; and (4) greater impulsivity. Seven factors were associated with greater vs lesser involvement in anonymous sex among those practising the behaviour: (1) being involved in a relationship with a long-term partner; (2) liking to have sex in public places; (3) using bareback-oriented websites to identify sex partners; (4) greater impulsivity; (5) low level of condom use self-efficacy; (6) greater knowledge about HIV/acquired immunodeficiency syndrome; and either (7a) severe childhood maltreatment or (7b) Caucasian race. CONCLUSIONS: Men in this population often sought anonymous sex, and this practice was related to involvement in a variety of risky behaviours, such as illegal drug use and the number of recent sex partners (among others). Interventionists should address anonymous sex practices among Internet-using, risk-seeking men in order to reduce the overall levels of HIV risk involvement.

[The use of sensitive data in epidemiology: remarks on the difficulties when interpreting the Italian legislation]. / Il trattamento dei dati sensibili in epidemiologia: riflessioni sulle difficoltà interpretative della normativa.

In recent years, the impact of the Italian legislation on the use of personal data (Legislative Decree 196/2003 and successive regulations) on epidemiological research has highlighted the need for reaching a balance between protecting sensitive data and making these data available for public health purposes. Complying with this legislation constitutes a number of challenges in the field of epidemiology, especially with respect to the use for research of health data that have been collected for purposes other than research. Based on the difficulties experienced by the National Center of Epidemiology, Surveillance and Health Promotion of the Italian National Institute of Health, in the present work we aim to promote what we feel is a more rational approach to the concept of "use of sensitive data". In particular, we address the importance of these data for research, the concept of identifiability as defined in current legislation, informed consent, and the lawful use of the data. Given that data networks have been replacing static archives, it is more realistic to strive for the protection of data confidentiality, as opposed to performing irreversible anonymization of data. We also stress the role that research and health institutions should play in clearly communicating to law and policy makers the importance of the data routinely collected by healthcare facilities in performing epidemiological research and surveillance, stressing the invaluable impact of these activities on the health of the population. We also emphasize the importance of strengthening the concept that public health prevention also begins with epidemiological research and surveillance.

Letting go of little Albert: disciplinary memory, history, and the uses of myth.

In 2009 American Psychologist published the account of an attempt to identify the infant "Albert B.," who participated in Watson and Rayner's study of the conditioning of human fears. Such literal interpretations of the question "Whatever happened to Little Albert?" highlight the importance of historical writing that transcends the narrowly biographical and that avoids the obsessive hunt for "facts." The author of a 1979 study of how secondary sources have told the story of Little Albert relates his attempts to purge incorrect accounts of that story from college textbooks. He renounces such efforts as misguided and suggests that myths in the history of psychology can be instructive, including the myth that the identity of Little Albert has been discovered.

Data Protection Using Polymorphic Pseudonymisation in a Large-Scale Parkinson's Disease Study.

This paper describes an advanced form of pseudonymisation in a large cohort study on Parkinson's disease, called Personalized Parkinson Project (PPP). The study collects various forms of biomedical data of study participants, including data from wearable devices with multiple sensors. The participants are all from the Netherlands, but the data will be usable by research groups worldwide on the basis of a suitable data use agreement. The data are pseudonymised, as required by Europe's General Data Protection Regulation (GDPR). The form of pseudonymisation that is used in this Parkinson project is based on cryptographic techniques and is 'polymorphic': it gives each participating research group its own 'local' pseudonyms. Still, the system is globally consistent, in the sense that if one research group adds data to PPP under its own local pseudonyms, the data become available for other groups under their pseudonyms. The paper gives an overview how this works, without going into the cryptographic details.

You can use my name; you don't have to steal my story--a critique of anonymity in indigenous studies.

Our claim in this paper is that not being identified as the data source might cause harm to a person or group. Therefore, in some cases the default of anonymisation should be replaced by a careful deliberation, together with research subjects, of how to handle the issues of identification and confidentiality. Our prime example in this article is community participatory research and similar endeavours on indigenous groups. The theme, content and aim of the research, and the question of how to handle property rights and ownership of research results, as well as who should be in charge of the research process, including the process of creating anonymity, should all be answered, before anonymity is accepted.