Anonymization of Spatial Data by Gaussian Skew: Is Re-Identification Possible?

Description

To evaluate the robustness of a spatial anonymization algorithm for syndromic surveillance data against a triangulation vulnerability attack.

BACKGROUND

We have published an anonymization algorithm that takes precise point locations for patients and moves them a randomized distance according to a 2D Gaussian distribution that is inversely adjusted by the underlying population density. Before such algorithms can be integrated into live systems, assurances are needed so that patients cannot be reidentified through systematic vulnerabilities. Here we investigate the ease with which a spatial anonymization algorithm can be compromised by triangulating the original points with multiple repeated data requests. Obfuscative and cryptographic algorithms may be susceptible to weakening when it is possible for an adversary to produce output from the algorithm according to adversary-provided input. Under this threat model, an adversary could use a syndromic surveillance system to request anonymized patient data from a RHIO or other health network several different times. If the anonymized results are produced each time they are requested, triangulation of original addresses may be possible or the anonymity afforded by the algorithm may be reduced.
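The following simulation is an added example, not code from the published algorithm: it measures how far the average of repeated anonymized releases lies from the true point when the skew is redrawn on each request, compared with a release that is fixed per record. The `sigma_km` formula, the keyed-hash seeding in `release_fixed` and all data values are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import random

def sigma_km(pop_density, scale=50.0):
    # Assumed inverse adjustment (hypothetical formula): denser area, smaller skew.
    return scale / math.sqrt(pop_density)

def skew(point, pop_density, rng):
    # Displace a point by an independent Gaussian offset on each axis (km).
    s = sigma_km(pop_density)
    return (point[0] + rng.gauss(0, s), point[1] + rng.gauss(0, s))

def release_fresh(point, pop_density, rng):
    # Weak design: a new random skew is drawn on every request.
    return skew(point, pop_density, rng)

def release_fixed(record_id, point, pop_density, key):
    # Hardened design (assumption, not from the page): the skew is derived from
    # a keyed hash of the record ID, so every request returns the same point.
    digest = hmac.new(key, record_id.encode(), hashlib.sha256).digest()
    return skew(point, pop_density, random.Random(int.from_bytes(digest, "big")))

def centroid_error(releases, truth):
    # Distance (km) between the mean of the released points and the true point.
    cx = sum(p[0] for p in releases) / len(releases)
    cy = sum(p[1] for p in releases) / len(releases)
    return math.hypot(cx - truth[0], cy - truth[1])

def experiment(n_requests, trials=200, pop_density=400.0):
    # Mean centroid error over constructed records, for both release designs.
    rng = random.Random(1)
    truth = (0.0, 0.0)  # constructed location, not real data
    fresh_err = fixed_err = 0.0
    for t in range(trials):
        fresh = [release_fresh(truth, pop_density, rng) for _ in range(n_requests)]
        fixed = [release_fixed(f"rec-{t}", truth, pop_density, b"demo-key")
                 for _ in range(n_requests)]
        fresh_err += centroid_error(fresh, truth)
        fixed_err += centroid_error(fixed, truth)
    return fresh_err / trials, fixed_err / trials

if __name__ == "__main__":
    for n in (1, 10, 100):
        fresh, fixed = experiment(n)
        print(f"{n:>3} requests: fresh={fresh:.2f} km  fixed={fixed:.2f} km")
```

With fresh noise the residual error shrinks roughly as one over the square root of the number of requests, while the fixed release keeps the same displacement no matter how often it is requested.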

Submitted by elamb on