IT Baseline Protection Manual S 2.127 Inference prevention

S 2.127 Inference prevention

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

To protect person-related data and other confidential information stored in a database system, each user should only be allowed to access the data required for performing the tasks assigned to that particular user. All other information in the database must be concealed from the user.

For this purpose, it must be possible to define the access rights on tables up to their individual fields. This can be done using Views and Grants (refer to S 2.129 Controlling access to database information). In this manner, users are only allowed to view and process the data intended specifically for them. Database queries issued by a user to access other information are rejected by the DBMS.
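As an added illustration of field- and row-level restriction through views (not code from the manual or from BSI), the following Python script uses the standard sqlite3 module: a base table with a confidential column, two views on it, and sqlite3's authorizer callback standing in for a GRANT on the view only, since SQLite itself has no GRANT statement. The table, view and column names, the sample rows and the set of protected tables are all constructed for the example.

```python
import sqlite3

# Base tables holding confidential fields; users may read them only through views.
# (Constructed for this example; in a real DBMS this is the table with no GRANT to users.)
PROTECTED_TABLES = {"employee"}


def _deny_direct_base_table_access(action, table, column, db_name, source):
    """sqlite3 authorizer callback.

    'source' is the name of the view (or trigger) performing the access, or None
    when the statement touches the table directly from top-level SQL. Reads and
    writes of a protected table are allowed only when they come through a view,
    which mirrors "GRANT SELECT ON <view>" with no grant on the base table.
    """
    if action in (sqlite3.SQLITE_READ, sqlite3.SQLITE_INSERT,
                  sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE):
        if table in PROTECTED_TABLES and source is None:
            return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def build_database():
    """Constructed sample data in an in-memory database (no real persons)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employee (
            id INTEGER PRIMARY KEY,
            name TEXT, dept TEXT, salary INTEGER, diagnosis TEXT
        );
        INSERT INTO employee VALUES
            (1, 'Person A', 'Sales', 4100, 'confidential'),
            (2, 'Person B', 'Sales', 4300, 'confidential'),
            (3, 'Person C', 'R&D',   5200, 'confidential');
        -- Field-level restriction: payroll sees salaries but never the diagnosis column.
        CREATE VIEW payroll_view AS
            SELECT id, name, dept, salary FROM employee;
        -- Row- and field-level restriction: the Sales team lead sees Sales staff names only.
        CREATE VIEW sales_team_view AS
            SELECT id, name FROM employee WHERE dept = 'Sales';
    """)
    # Installed after the schema is built so that CREATE statements are not affected.
    con.set_authorizer(_deny_direct_base_table_access)
    return con


def query(con, sql):
    """Return the result rows, or None when the DBMS rejects the statement
    (a column that is not part of the view, or direct access to a protected table)."""
    try:
        return con.execute(sql).fetchall()
    except sqlite3.DatabaseError:
        return None


if __name__ == "__main__":
    con = build_database()
    print(query(con, "SELECT name, salary FROM payroll_view ORDER BY id"))
    print(query(con, "SELECT name FROM sales_team_view ORDER BY id"))
    print(query(con, "SELECT diagnosis FROM payroll_view"))   # None: field not in the view
    print(query(con, "SELECT diagnosis FROM employee"))       # None: base table not granted
```

The two rejected queries show the two halves of the measure: the view defines which fields and rows exist for the user at all, and the authorization rule (the GRANT in a real DBMS) ensures the user cannot bypass the view by naming the base table.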

Different security requirements arise for statistical databases containing data on groups of persons, social strata etc. In a statistical database, entries related to individual persons are protected as private data, although the statistical information based on these entries is accessible by all users.

Here, measures are required to prevent information on a group of persons from being used to make inferences on individual members of the group. Steps must also be taken to prevent the anonymity of the information in the database from being circumvented through the use of database queries formulated in accordance with the data storage patterns (e.g. if the result set of a database query only contains one data record). This situation is termed "inference problem", and measures to preclude its occurrence constitute "inference prevention."

Even if the data in a statistical database is technically anonymous, methods of inference can be used to restore associations between persons and certain data records. The rejection of specific queries (e.g. queries with only one or very few result tuples) does not generally prove sufficient, as even a refusal issued by the database management system in response to a query can contain relevant information.

The anonymity of data can also be impaired through the collection of different statistics. Such techniques of indirect attack use several statistics as a basis for drawing conclusions on the personal data of an individual. A protective measure in this case is to prohibit the release of "sensitive" statistics - this is termed "suppressed inference prevention". Another possibility is to distort such statistics through controlled rounding (identical rounding of identical statistics) or restrict queries to statistically relevant subsets with the prerequisite that identical queries must always refer to the same subsets. This technique is termed "inference prevention through distortion".
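The controls described in the three paragraphs above (refusing statistics over very small result sets, controlled rounding, and restricting queries to fixed subsets so that identical queries always see the same subset) as a small Python model of a statistical database. This is an added example, not code from the manual or from BSI; the records, the parameters (minimum set size 3, rounding to multiples of 1000, subsets of 75% of the query set) and the secret key are constructed. One point goes beyond the text: the size check also refuses result sets larger than N minus the minimum size, the usual complement rule from statistical-database work, because a statistic over almost the whole population reveals the same as a statistic over the few persons left out.

```python
import hashlib
import hmac
import math

# Constructed sample records for this example (no real persons).
RECORDS = [
    {"dept": "R&D",   "sex": "F", "salary": 5200},
    {"dept": "R&D",   "sex": "M", "salary": 4800},
    {"dept": "R&D",   "sex": "M", "salary": 5100},
    {"dept": "R&D",   "sex": "F", "salary": 4600},
    {"dept": "R&D",   "sex": "M", "salary": 5500},
    {"dept": "Sales", "sex": "F", "salary": 3900},
    {"dept": "Sales", "sex": "M", "salary": 4100},
    {"dept": "Sales", "sex": "F", "salary": 4300},
    {"dept": "Sales", "sex": "M", "salary": 3700},
    {"dept": "Admin", "sex": "F", "salary": 3500},
    {"dept": "Admin", "sex": "M", "salary": 3600},
    {"dept": "Admin", "sex": "F", "salary": 3400},
]


class QueryRefused(Exception):
    """Raised when a statistic would be computed over too few (or too many) persons."""


class StatisticalDB:
    def __init__(self, records, min_set_size=3, rounding_base=1000,
                 sample_rate=0.75, secret=b"example-secret-key"):
        self.records = list(records)
        self.k = min_set_size           # smallest (and, via N-k, largest) permitted query set
        self.base = rounding_base       # granularity of controlled rounding
        self.sample_rate = sample_rate  # share of the query set used for sampled statistics
        self.secret = secret            # keeps the subset selection unpredictable to users

    @staticmethod
    def _canonical(conditions):
        # The same conditions in any order give the same string, hence the same subset.
        return "&".join(f"{key}={value}" for key, value in sorted(conditions.items()))

    def _query_set(self, conditions):
        # Indices of the records matching every equality condition.
        return [i for i, rec in enumerate(self.records)
                if all(rec.get(key) == value for key, value in conditions.items())]

    def is_permitted(self, **conditions):
        # Query-set-size control: k <= |C| <= N - k (complement rule included).
        n = len(self._query_set(conditions))
        return self.k <= n <= len(self.records) - self.k

    def _checked_set(self, conditions):
        if not self.is_permitted(**conditions):
            raise QueryRefused(self._canonical(conditions))
        return self._query_set(conditions)

    def count(self, **conditions):
        return len(self._checked_set(conditions))

    def _round(self, value):
        # Controlled rounding: deterministic nearest multiple of base (ties round up),
        # so identical statistics are always rounded identically.
        return int((value + self.base / 2) // self.base) * self.base

    def total(self, field, **conditions):
        members = self._checked_set(conditions)
        return self._round(sum(self.records[i][field] for i in members))

    def _sample(self, canonical, members):
        # Keyed pseudo-random order of the query set, then a fixed fraction from the
        # front: the same query always refers to the same subset, never to an empty one.
        def tag(i):
            return hmac.new(self.secret, f"{canonical}#{i}".encode(), hashlib.sha256).digest()
        size = max(1, math.ceil(self.sample_rate * len(members)))
        return sorted(members, key=tag)[:size]

    def sampled_total(self, field, **conditions):
        # Inference prevention through distortion: statistic over the fixed subset,
        # scaled up to the size of the query set, then rounded.
        members = self._checked_set(conditions)
        sample = self._sample(self._canonical(conditions), members)
        estimate = sum(self.records[i][field] for i in sample) * len(members) / len(sample)
        return self._round(estimate)


if __name__ == "__main__":
    db = StatisticalDB(RECORDS)
    print(db.count(dept="Admin"))             # 3
    print(db.total("salary", dept="Admin"))   # 11000 (exact sum 10500, rounded)
    print(db.sampled_total("salary", dept="R&D"))
    try:
        db.count(dept="Admin", sex="M")       # only one person matches: refused
    except QueryRefused as exc:
        print("refused:", exc)
```

Two design choices matter for the measure to hold: the rounding and the subset selection are deterministic functions of the statistic and of the canonical query, so repeating or rephrasing a query cannot be used to average the distortion away; and the subset selection is keyed with a secret, so a user cannot work out which persons a given statistic covers.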

If additional demands concerning the confidentiality of data are to be met, the data must be encrypted (refer to S 4.72 Database encryption).

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999