The background description provided herein is for the purpose of generally presenting the context of the disclosure. Unless otherwise indicated herein, the materials described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Many computing systems deal in transactions involving sensitive data. For example, health care information systems frequently utilize patient data which can only be shared under carefully prescribed, secure circumstances. Similarly, financial systems, including banking, credit, and/or payroll systems, utilize account or balance information that must be secured in order to prevent misuse, such as identity theft.
Despite these security needs, however, many systems must use less-secure computing resources, such as cloud-based servers or storage, or even less-secure communication channels between secure systems, in order to perform necessary activities. In such circumstances there may be a tension between the need for security and the need to use the less-secure resources. One solution to this problem has been to anonymize data that is sent between systems. For example, information identifying a particular patient may be stripped from a transaction request before it is sent from a secure system, while leaving the information that is needed to complete the request. In other techniques, information about multiple persons may be combined to generate anonymized transaction requests.
However, anonymization techniques do not always produce the desired level of anonymization. For example, if only one transaction is transmitted from a system in an hour and only one person is known to have used the system that hour, user anonymity may effectively be negated for that transaction. In another example, a study with data about a group of people with leg fractures may also record other medical conditions the people in the study have. If only one of the people in the study has coronary artery disease, and there is only one person over age 70 in the group, that person's identity may be compromised. Thus, simply anonymizing transactions may not be sufficient to obtain a desired level of anonymity.
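Both failures above are the same problem: after direct identifiers are stripped, the remaining attributes (an hour of transmission, an age band, a comorbidity) still single out one record. A practitioner would check this before anything leaves the secure system, and the usual measure is k-anonymity: every combination of quasi-identifier values must be shared by at least k records. The following Python is an added illustration written for this edit, not code from the disclosure; the records, attribute names, and the threshold k = 2 are all constructed assumptions. It scores the leg-fracture study and the hourly transaction batch with one check and withholds the records that would otherwise be unique.

```python
from collections import Counter
from typing import Any, Dict, List, Sequence, Tuple

# Constructed study records (not from the disclosure). Names and other direct
# identifiers are assumed to have been stripped already; what remains are
# quasi-identifiers that can still single a person out in combination.
STUDY_RECORDS: List[Dict[str, Any]] = [
    {"age_band": "30-39", "injury": "leg fracture", "comorbidity": "none"},
    {"age_band": "30-39", "injury": "leg fracture", "comorbidity": "none"},
    {"age_band": "40-49", "injury": "leg fracture", "comorbidity": "diabetes"},
    {"age_band": "40-49", "injury": "leg fracture", "comorbidity": "diabetes"},
    {"age_band": "70+", "injury": "leg fracture", "comorbidity": "coronary artery disease"},
]

# Constructed outbound transaction batch, keyed by the hour it would be sent.
# The 10:00 hour holds a single transaction, the situation described above.
TRANSACTION_LOG: List[Dict[str, Any]] = [
    {"hour": "09:00", "amount": 120},
    {"hour": "09:00", "amount": 45},
    {"hour": "09:00", "amount": 80},
    {"hour": "10:00", "amount": 300},
]

Key = Tuple[Any, ...]


def equivalence_classes(records: Sequence[Dict[str, Any]],
                        quasi_identifiers: Sequence[str]) -> Counter:
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records: Sequence[Dict[str, Any]],
                quasi_identifiers: Sequence[str]) -> int:
    """The dataset's k: the size of its smallest equivalence class (0 if empty)."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def singleton_classes(records: Sequence[Dict[str, Any]],
                      quasi_identifiers: Sequence[str]) -> List[Key]:
    """Quasi-identifier combinations matched by exactly one record."""
    classes = equivalence_classes(records, quasi_identifiers)
    return sorted(key for key, n in classes.items() if n == 1)


def partition_by_k(records: Sequence[Dict[str, Any]],
                   quasi_identifiers: Sequence[str],
                   k_min: int) -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
    """Split records into (releasable, withheld).

    A record is releasable only if at least k_min records share its
    quasi-identifier combination. Withheld records can be held back for a
    later, larger batch or generalized further; they must not be sent as-is.
    """
    classes = equivalence_classes(records, quasi_identifiers)
    releasable, withheld = [], []
    for r in records:
        key = tuple(r[q] for q in quasi_identifiers)
        (releasable if classes[key] >= k_min else withheld).append(r)
    return releasable, withheld


def report(records: Sequence[Dict[str, Any]],
           quasi_identifiers: Sequence[str], k_min: int) -> str:
    """One-line summary of the check, for a release gate's log."""
    k = k_anonymity(records, quasi_identifiers)
    _, withheld = partition_by_k(records, quasi_identifiers, k_min)
    return f"k={k} over {tuple(quasi_identifiers)}; withheld {len(withheld)} of {len(records)}"


if __name__ == "__main__":
    # Study: age band plus comorbidity isolates the one person over 70.
    print(report(STUDY_RECORDS, ("age_band", "comorbidity"), k_min=2))
    print("singletons:", singleton_classes(STUDY_RECORDS, ("age_band", "comorbidity")))
    # Transactions: the hour alone is a quasi-identifier when the batch is small.
    print(report(TRANSACTION_LOG, ("hour",), k_min=2))
```

The same `partition_by_k` gate serves both cases because the hour of transmission is treated as just another quasi-identifier. Withholding the lone 10:00 transaction until the next hour's batch, or coarsening `age_band` before release, are the kinds of adjustment that raise k; stripping names alone never does.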