anonos.com  

1    

Submitted  via  overnight  delivery  /  email  to  draft-­‐nistir-­‐deidentify@nist.gov      May  15,  2015    National  Institute  of  Standards  and  Technology  (NIST)  Attn:  Computer  Security  Division,  Information  Technology  Laboratory  100  Bureau  Drive  (Mail  Stop  8930)  Gaithersburg,  MD  20899-­‐8930  

   Re:    Draft  NISTIR  8053  De-­‐Identification  of  Personally  Identifiable  Information  

   We  appreciate  the  opportunity  to  submit  comments  to  the  National  Institute  of  Standards  and  Technology  (NIST)  in  the  context  of  the  draft  publication  entitled  Draft  NISTIR  8053  De-­‐Identification  of  Personally  Identifiable  Information  (NIST  Draft  Report).    This  letter  is  separated  into  the  following  three  sections:    

I. Proposal  to  Include  Dynamic  Data  Obscurity  in  NIST  Draft  Report;  II. History  of  the  term  Dynamic  Data  Obscurity;  and  III. The  Anonos  Just-­‐In-­‐Time-­‐Identity  (JITI)  Approach  to  Dynamic  Data  Obscurity.  

   I.   Proposal  to  Include  Dynamic  Data  Obscurity  in  NIST  Draft  Report  

We  propose  that  the  NIST  Draft  Report  include  Dynamic  Data  Obscurity  –  temporally  dynamic  data  obscuring  technology  that  actively  limits  the  risk  of  re-­‐identification.  As  noted  in  the  NIST  Draft  Report,  static  de-­‐identification  techniques  suffer  from  numerous  shortcomings;  however,  dynamic  obscuring  technology  helps  maintain  data  privacy  and  security  while  reducing  risks  involved  in  collecting,  storing,  processing,  and  analyzing  data.    

Dynamic  Data  Obscurity  turns  data  into  business  intelligence  (BI)1  by  transforming  static  access  controls  into  technologically  enforced  dynamic  permissions  applied  per-­‐element  instead  of  across  entire  records  or  applications.  This  maximizes  the  utility  of  underlying  data  by  allowing  intelligent,  adaptable,  and  compliant  permissions  while  fundamentally  enforcing  core  protections  for  personally  identifiable  and  sensitive  information.    

1  Business  intelligence  (BI)  is  an  umbrella  term  that  includes  the  applications,  infrastructure  and  tools,  and  best  practices  that  enable  access  to  and  analysis  of  information  to  improve  and  optimize  decisions  and  performance.  See  http://www.gartner.com/it-­‐glossary/business-­‐intelligence-­‐bi  

 anonos.com  

2    

Technologically  enforced  Dynamic  Data  Obscurity  rules  can  account  for  access,  use,  display,  time,  and  location  restrictions,  across  any  industry  or  regulatory  standard,  thereby  helping  to  overcome  shortcomings  of  static  de-­‐identification  such  as  the  following:  

a) Re-­‐Identification.  With  static  de-­‐identification,  as  long  as  any  utility  remains  in  the  data,  there  exists  the  possibility  that  some  information  might  result  in  re-­‐identification  of  original  identities.2    

b) Lost  Data  Value.  Generally,  privacy  protection  improves  as  more  aggressive  static  de-­‐identification  techniques  are  employed,  but  less  utility  remains  in  the  resulting  data  set3  due  to  the  fact  that  static  de-­‐identification  techniques  remove  identifying  information  from  data.4  

c) Security  Breach  Exposure.  The  scope  and  frequency  of  data  security  breaches  have  changed  the  privacy  paradigm.  Some  view  theft  of  personal  data  by  cybercriminals  as  the  number  one  threat  to  privacy.5  However,  static  de-­‐identification  techniques  are  not  designed  to  improve  data  security.  

d) International  Acceptance.  Compliance  with  privacy  laws  in  one  jurisdiction  by  relying  on  click-­‐through  terms  and  conditions  and/or  static  de-­‐identification  may  provide  insufficient  grounds  to  legally  use  data  in  other  jurisdictions.  For  example,  General  Data  Protection  Regulations,  currently  under  negotiation  between  the  European  Parliament  and  the  Council  of  the  EU,  are  expected  to  allow  EU  citizens  to  seek  redress  with  their  national  regulators  over  a  company’s  handling  of  their  data,  rather  than  being  subject  to  laws  in  the  country  where  the  company  has  its  headquarters.6  

Existing  technology  does  not  effectively  address  shortcomings  of  static  de-­‐identification  nor  does  it  adequately  reconcile  conflicts  between  protecting  personal  data  and  enabling  commerce.  Because  of  this,  companies  can  be  placed  in  the  uncomfortable  position  of  choosing  between  delivering  products  and  services  to  consumers  or  complying  with  data  privacy  laws  in:  

a) Jurisdictions  that  require  unambiguous  consent  to  use  personal  data  like  in  the  EU;  

b) Industries  subject  to  specific  regulatory  restrictions  on  data  use  like  healthcare,  education  and  finance  in  the  United  States;  and  

c) Other  data  use  scenarios  subject  to  uncertain  future.  

2  NIST  Draft  Report  at  line  151.  3  NIST  Draft  Report  at  line  150.  4  NIST  Draft  Report  at  line  76.  5  Robinson,  Teri.  “Privacy  Matters.”  SC  Magazine.  May  1,  2015.  http://www.scmagazine.com/privacy-­‐matters/article/409041/  6  Meyer,  David.  “Belgium  Targets  Facebook  Tracking.”  Politico.  May  15,  2015.  http://www.politico.eu/article/belgium-­‐targets-­‐facebook-­‐tracking/  

 anonos.com  

3    

Dynamic  Data  Obscurity  is  a  new  technological  approach  to  protecting  personal  data,  while  at  the  same  time  bridging  the  gap  between  commerce  and  regulations.  Instead  of  yet  another  application  layer  on  top  of  legacy  data  sources,  Dynamic  Data  Obscurity  can  limit  the  ability  to  infer,  single  out,  or  link  to  personally  identifiable  or  sensitive  information.  

Current  approaches  to  protecting  data  are  binary  in  nature  –  data  is  either  valuable  or  private  –  for  example:  

• Encrypted  data  is  either  protected  but  unusable  or  usable  but  unprotected  when  decrypted;  and  

• With  digital  information,  data  is  generally  not  de-­‐identified  but  available  to  customize  offerings  for  the  benefit  of  consumers,  or  is  de-­‐identified  but  unavailable  to  fully  benefit  consumers,  companies,  and  society  at  large.    

 

 

In  a  report  submitted  to  President  Obama  in  May  2014  entitled  Big  Data  and  Privacy:  A  Technological  Perspective,7  a  working  group  of  the  President's  Council  of  Advisors  on  Science  and  Technology  (PCAST)  noted:  

The  beneficial  uses  of  near-­‐ubiquitous  data  collection  are  large,  and  they  fuel  an  increasingly  important  set  of  economic  activities.  Taken  together,  these  considerations  suggest  that  a  policy  focus  on  limiting  data  collection  will  not  be  a  broadly  applicable  or  scalable  strategy  –  nor  one  likely  to  achieve  the  right  balance  between  beneficial  results  and  unintended  negative  consequences  (such  as  inhibiting  economic  growth).    

More  broadly,  PCAST  believes  that  it  is  the  use  of  data  (including  born-­‐digital  or  born-­‐analog  data  and  the  products  of  data  fusion  and  analysis)  that  is  the  locus  where  consequences  are  produced.  This  locus  is  the  technically  most  feasible  place  to  protect  privacy.  Technologies  are  emerging,  both  in  the  research  community  and  in  the  commercial  world,  

7  https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-­‐_may_2014.pdf  

 anonos.com  

4    

to  describe  privacy  policies,  to  record  the  origins  (provenance)  of  data,  their  access,  and  their  further  use  by  programs,  including  analytics,  and  to  determine  whether  those  uses  conform  to  privacy  policies.  Some  approaches  are  already  in  practical  use.  

Dynamic  Data  Obscurity  can  help  provide  flexible  technology-­‐enforced  controls  necessary  to  support  economic  growth  requiring  sophisticated  handling  of  various  data  privacy  requirements.  For  example,  the  ability  to  deliver  on  the  many  promises  of  “health  big  data”  is  predicated  on  the  ability  to  support  differing  privacy  requirements  depending  on  the  source  of  health-­‐related  data:  

• Consumer  health  data  collected  using  personal  health  record  tools,  mobile  health  applications,  and  social  networking  sites  are  subject  to  privacy  policies  /  terms  and  conditions  of  applicable  websites,  devices  and  applications;  

• Protected  health  information  (PHI)  is  subject  to  privacy  and  security  requirements  under  the  Health  Insurance  Portability  and  Accountability  Act  (HIPAA);  and  

• Health  data  from  federally  funded  research  is  subject  to  separate  privacy  requirements  of  The  Federal  Policy  for  the  Protection  of  Human  Subjects  or  “Common  Rule.”  

Each  of  the  above  categories  of  privacy  and  security  requirements  can  be  supported  via  Dynamic  Data  Obscurity  despite  differences  in  requirements  –  therefore  opening  up  new  opportunities  for  economic  growth  and  advances  in  research  and  healthcare.  

Dynamic  Data  Obscurity  could  even  be  helpful  in  resolving  the  future  of  Europe's  Safe  Harbor  Agreement  with  the  U.S.  as  well  as  data  protection  practices  of  global,  internet-­‐based  companies  operating  in  Europe  like  Apple,  Google,  Yahoo,  Skype  and  Microsoft  by  facilitating  sharing  of  personal  data  only  under  authorized  conditions  in  compliance  with  both  "lead"  and  "concerned"  Data  Protection  Authorities  thereby  accommodating  differing  requirements  in  multiple  EU  jurisdictions.  

 II.   History  of  the  term  Dynamic  Data  Obscurity  

One  of  the  earliest  mentions  of  the  power  of  obscuring  data  was  in  a  2013  California  Law  Review  article  entitled  The  Case  for  Online  Obscurity8  by  Woodrow  Hartzog  and  Frederic  Stutzman,  in  which  they  stated:  

On  the  Internet,  obscure  information  has  a  minimal  risk  of  being  discovered  or  understood  by  unintended  recipients.  Empirical  research  demonstrates  that  Internet  users  rely  on  obscurity  perhaps  more  than  anything  else  to  protect  their  privacy.  Yet,  online  obscurity  has  been  

8  http://www.californialawreview.org/wp-­‐content/uploads/2014/10/01-­‐HartzogStutzman.pdf  

 anonos.com  

5    

largely  ignored  by  courts  and  lawmakers.  In  this  Article,  we  argue  that  obscurity  is  a  critical  component  of  online  privacy,  but  it  has  not  been  embraced  by  courts  and  lawmakers  because  it  has  never  been  adequately  defined  or  conceptualized.  

The  term  Dynamic  Data  Obscurity  was  coined  in  an  October  15,  2014  blog  by  Martin  Abrams,  the  Executive  Director  of  the  Information  Accountability  Foundation,  which  stated:  

The  fact  is  that  we  data  protection  professionals  cannot  accept  the  status  quo.  We  need  to  be  able  to  demonstrate  our  trustworthiness,  and  effective  tools  are  part  of  that.  

The  Information  Accountability  Foundation’s  mission  is  research  and  education  on  policy  solutions  that  facilitate  innovation  while  protecting  individuals  from  inappropriate  processing.  As  we  have  worked  through  big  data  ethics,  it  has  reinforced  our  view  that  outside  of  the  box  technology  solutions  must  be  available.  Data  needs  to  be  visible  when  it  is  being  used  within  bounds,  and  obscured  when  it  is  not.  Technology  does  not  replace  policy  enforcement;  it  makes  the  enforcement  possible  and  actionable.  

A  number  of  us  have  been  thinking  about  the  dilemma  for  the  past  six  months  and  looking  for  solutions.  We  believe  the  solutions  are  part  of  a  field  we  have  begun  to  call  “Dynamic  Data  Obscurity.”  Dynamic  data  obscurity  involves  obscuring  data  down  to  the  element  level  when  that  level  of  security  is  necessary  and  making  sure  that  rules  which  control  when  elements  can  be  seen  are  real  and  enforced.  Dynamic  data  obscurity  is  also  about  making  the  technology  controls  harder  to  break  but  still  allowing  for  appropriate  uses.  It  requires  both  new  technologies  combined  with  effective  internal  monitoring  and  enforcement.9  

The  next  public  use  of  the  term  Dynamic  Data  Obscurity  took  place  in  an  October  20,  2014  International  Association  of  Privacy  Professionals  (IAPP)  Privacy  Perspectives  article10  written  by  Gary  LaFever,  Co-­‐Founder  and  Chief  Executive  Officer  of  Anonos  -­‐  a  pioneer  in  developing  practical  applications  of  Dynamic  Data  Obscurity  technology,  in  which  he  stated:    

We’re  not  discounting  the  value  of  anonymization;  it  powered  the  growth  of  the  Internet.  But  today,  technology,  markets,  applications  and  threats  have  evolved  while  the  protocols  to  keep  personally  identifiable  data  

9  http://informationaccountability.org/taking-­‐accountability-­‐controls-­‐to-­‐the-­‐next-­‐level-­‐dynamic-­‐data-­‐obscurity/  10  https://privacyassociation.org/news/a/what-­‐anonymization-­‐and-­‐the-­‐tsa-­‐have-­‐in-­‐common/

 anonos.com  

6    

anonymous  have  not.  If  we  are  to  mine  the  vast  potential  of  data  analytics  to  create  high-­‐value  products  and  services  that  improve  and  even  save  lives  while  meeting  the  privacy  expectations  of  the  public  and  regulators,  we  need  new  tools  and  thinking.  

 Dynamic  data  obscurity  improves  upon  static  anonymity  by  moving  beyond  protecting  data  at  the  data  record  level  to  enable  data  protection  at  the  data  element  level.  Dynamic  data  obscurity  empowers  privacy  officers  to  improve  the  “optics”  of  data  protection  for  data  subjects,  regulators  and  the  news  media  while  deploying  next-­‐generation  technology  solutions  that  deliver  more  effective  data  privacy  controls  while  maximizing  data  value.    Vibrant  and  growing  areas  of  economic  activity—the  “trust  economy,”  life  sciences  research,  personalized  medicine/education,  the  Internet  of  Things,  personalization  of  goods  and  services—are  based  on  individuals  trusting  that  their  data  is  private,  protected  and  used  only  for  authorized  purposes  that  bring  them  maximum  value.  This  trust  cannot  be  maintained  using  static  anonymity.  We  must  embrace  new  approaches  like  dynamic  data  obscurity  to  both  maintain  and  earn  trust  and  more  effectively  serve  businesses,  researchers,  healthcare  providers  and  anyone  who  relies  on  the  integrity  of  data.  

 The  Information  Accountability  Foundation  held  a  framing  discussion  in  January  2015  in  Washington  DC  at  which  invited  government,  education  and  business  leaders  discussed  that:    

Early  analytics,  dating  from  the  1980s,  were  dependent  on  anonymization  and  de-­‐identification  to  ensure  compliance  and  individual  protection.  For  example,  information  used  for  credit  marketing  needed  to  be  de-­‐identified  to  comply  with  the  Federal  Fair  Credit  Reporting  Act.  Technology  provided  the  tools  to  de-­‐identify,  and  the  assurance  came  from  the  requirements  of  the  FCRA.  Effective  de-­‐identification  and  anonymization  tools  have  always  rested  on  this  marriage  of  policy  and  technology.    Today’s  analytics,  driven  by  observation,  makes  the  mandate  for  the  “belt  and  suspenders”  of  policy  and  technology  even  more  compelling.  The  technologies  are  challenged  internally  by  organizations’  need  for  knowledge  and  externally  by  very  smart  cyber  criminals.  Even  with  the  belt  of  policy,  the  suspenders  of  technology  need  upgrading  to  match  today’s  challenges.  If  we  do  not  meet  that  challenge,  we  could  see  real  

 anonos.com  

7    

resistance  to  the  information  age’s  dual  mandates  for  innovation  and  fairness.  The  policy  community  needs  to  explore  Dynamic  Data  Obscurity  (DDO)  to  see  if  it  will  enhance  data  security  and  privacy  to  facilitate  increased  data  value  and  protection  compared  to  legacy  approaches.11    

 The  term  Dynamic  Data  Obscurity  has  since  been  used  at  international  conferences,12  in  comment  letters  submitted  to  international  data  privacy  regulators,13  and  in  White  Papers14  on  the  subject  of  Dynamic  Data  Obscurity.    

III.   The  Anonos15  Just-­‐In-­‐Time-­‐Identity  (JITI)  Approach  to  Dynamic  Data  Obscurity  

Anonos has been working on Just-­‐In-­‐Time-­‐Identity  (JITI)  technology  –  the  Anonos  approach  to  implementing  Dynamic Data Obscurity  –  since  2012.  Anonos  is  currently  engaged  in  a  Proof  of  Concept  with  an  international  Data  Protection  Authority  together  with  multinational  companies  to  show  that  Anonos  Just-­‐In-­‐Time-­‐Identity  (JITI)  technologies,  layered  on  top  of  an  underlying  information  platform,  can  deliver  three  interlinked  benefits:  

a) Role-­‐based  technical  and  organizational  measures  to  enforce  policies  for  use  of  personal  data;  

b) Functional  separation  between  low-­‐  and  high-­‐risk  data  uses  for  re-­‐identification;  and  

c) Secure  storage  of  underlying  data.  

All  three  benefits  increase  the  utility  of  the  information  platform  while  at  the  same  time  increasing  the  privacy  and  security  controls  available  to  protect  personal  data.  

Anonos  Just-­‐In-­‐Time-­‐Identity  (JITI)  is  an  architecturally  enforced  private-­‐by-­‐default  technology  that  retains  utility  under  authorized  conditions,  and  supports  all  queries  and  actions  with  centralized  audit  logging.  Policies  and  rules  can  be  customized  to  limit  or  eliminate  re-­‐identification  via  inference,  singling  out,  or  linking  of  personal  data.  

11  http://informationaccountability.org/iaf-­‐will-­‐convene-­‐ddo-­‐discussion-­‐in-­‐2015/  12  http://informationaccountability.org/video-­‐of-­‐panel-­‐on-­‐dynamic-­‐data-­‐obscurity/  13  http://www.anonos.com/anonos-­‐enabling-­‐bigdata/  14  http://www.anonos.com/anonos-­‐dynamic-­‐data-­‐obscurity/  15  Anonos,  Just-­‐In-­‐Time-­‐Identity,  JITI,  Dynamic  De-­‐Identifier,  DDID,  and  other  marks  are  trademarks  of  Anonos  Inc.  protected  under  U.S.  and  international  trademark  laws  and  treaties.  Anonos  Just-­‐In-­‐Time-­‐Identity  technology  is  protected  under  U.S.  and  international  copyright  and  patent  laws  and  treaties.  Other  marks  that  appear  in  this  letter  and  not  owned  by  Anonos  are  the  property  of  their  respective  owners.  Anonos  makes  no  claim  of  relationship  to,  or  affiliation  with,  owners  of  marks  not  owned  by  us  Anonos.

 anonos.com  

8    

 

 

 

• Anonos  data  stores  are  obscured  by  default,  and  reveal  original  or  perturbed  data  values  only  in  accordance  with  technically  enforced  rules  in  response  to  authorized  queries.  Improper  use  of  data  is  architecturally  prevented.    

• There  is  little  incentive  to  steal  Anonos-­‐enabled  data  stores  since  data  is  obscured  at  all  times.  Without  access  to  Just-­‐In-­‐Time-­‐Identify  (JITI)  dynamic  de-­‐identification  (DDID)  keys  the  data  is  minimally  valuable.    

• In  the  event  of  an  Anonos-­‐enabled  data  store  breach,  data  is  unreadable  and  unusable  to  unauthorized  parties.      

• Anonos  data  stores  can  be  created  from  scratch  or  derived  from  existing  data  stores  on  standard  platforms.    

• Anonos  data  store  controls  can  reflect  regulatory  standards  that  will  indicate  to  companies  what  flow-­‐through  protections  are  required  in  order  for  them  to  remain  compliant  when  crafting  internal  rules  and  policies.    

Complying  with  regulations  using  current  approaches  to  de-­‐identification,  data  privacy  and  security  can  be  complicated  and  expensive.  Anonos  anonymizing  capabilities  retain  full  data  value  and  utility  with  support  for  various  use  cases  –  all  while  minimizing  risk  of  data  misuse,  abuse  or  compromise  –  Anonos  refers  to  this  as  “anõnosizing”  data.  

• Anonos  data  store  level  architectural  controls  facilitate  both  internal  audits  and  external  regulator  reviews.    

• Anonos  enables  sharing  of  portable  data  stores  with  multiple  parties  having  differing  authorization  privileges  by  providing  unique  JITI  DDID  key  combinations  to  each  party,  any  of  which  may  be  revoked  manually  or  via  an  automatic  trigger  at  any  time.    

• Anonos  facilitates  compliance  with  data  privacy  laws,  rules  and  regulations  by  companies  of  all  sizes  without  requiring  them  to  have  large  in-­‐house  data  privacy  /  security  teams.  

 anonos.com  

9    

 

 anonos.com  

10    

Potential  Applications  of  Anonos  Just-­‐In-­‐Time-­‐Identity  (JITI)  Dynamic  Data  Obscurity  Technology  

Example  #1:  Internal  Data  Misuse  

Walt  Disney  offers  visitors  to  its  parks  “MagicBands”  –  wrist-­‐worn  authentication  devices,  providing  access  to  hotels,  rides,  transportation,  as  well  as  an  ability  to  pay  for  food,  beverages,  and  souvenirs  via  a  linked  payment  card.  Within  a  single  park,  there  might  be  hundreds  of  different  uses  for  a  MagicBand,  each  of  which  might  have  distinct  access  rules.  For  example,  a  ride  might  need  to  know  the  height  of  the  patron;  a  bar  might  only  allow  children  in  during  lunch;  and  payments  of  certain  types  might  require  both  the  child’s  and  parent’s  MagicBand.  Finally,  a  lost  child  with  a  MagicBand  can  be  easily  reunited  with  trusted  

family.  The  danger  in  this  system  comes  from  trusted  insiders,  because  customers  demand  full  utility  while  the  park  has  a  duty  to  manage  the  risk  of  exposing  too  much  personal  information  to  employees.  From  a  staff  management  perspective,  the  incentive  is  to  have  fewer  roles  with  greater  access  and  authority,  but  that  enables  employees  with  the  right  access  to  aggregate  the  required  data  from  different  MagicBand  uses  and  track  the  movement  of  guests,  know  when  they’re  not  in  their  hotel  rooms,  or  even  manipulate  parameters  to  create  dangerous  authorizations  for  small  children  to  go  on  adult-­‐sized  rides.  Anonos-­‐enabled  data  stores  for  each  of  these  use  cases  would  eliminate  such  risks,  because  employee  roles  would  be  defined  on  a  per-­‐use-­‐case  context  basis,  and  casual  browsing  of  the  wider  family  records  would  be  prevented.    

 

Example  #2:  Re-­‐identification  

The  January  2015  Science  journal  includes  a  3  month  study  of  credit  card  records  for  1.1  million  people  that  shows  four  spatiotemporal  points  are  enough  to  uniquely  re-­‐identify  90%  of  credit  card  customers.  Anonos  de-­‐identifiers  (DDIDs)  de-­‐identify  credit  card  customers  for  each  transaction  –  providing  a  Just-­‐In-­‐Time-­‐Identity  (JITI)  for  each  transaction.  As  a  result,  customers  cannot  be  re-­‐identified  by  means  of  correlating  static  anonymous  identifiers.  The  Anonos  approach  makes  limiting  the  ability  to  single  out,  link  or  infer  a  data  subject  a  policy  choice  instead  of  a  statistical  risk.    

See  http://www.anonos.com/unicity  for  interactive  version  of  this  example  

 anonos.com  

11    

Example  #3:  Data  Breach  

Firms  like  health  insurer  Anthem  suffer  when  their  facilities  are  breached  (as  do  their  millions  of  subscribers  /  customers  whose  identities  are  “hacked”)  and  data  is  kept  in  unencrypted  form  to  enable  use  of  the  data.  As  a  result,  attackers  can  gain  unauthorized  access  to  personal  data  in  “cleartext”  form  –  i.e.,  unencrypted  information  that  is  “in  the  clear”  and  understandable.  In  contrast  to  standard  encryption,  which  is  generally  fully  “on”  or  "off,"  or  traditional  data  masking  techniques  which  do  not  

protect  data  at  the  data  store  level,  Anonos  Just-­‐In-­‐Time-­‐Identity  (JITI)  can  protect  against  data  loss  from  external  breaches  without  losing  use  of  data  for  authorized  purposes  within  the  company.  With  JITI,  an  attacker  may  gain  access  to  data  but  would  not  gain  access  to  JITI  keys  (kept  securely  in  separate  virtual  or  physical  locations)  necessary  to  reveal  personal  information.  

   

_______________    

 

Anonos  appreciates  the  opportunity  to  submit  this  letter  to  the  National  Institute  of  Standards  and  Technology.      Respectfully  Submitted,                                              M.  Gary  LaFever                Ted  Myerson                          Co-­‐Founder                Co-­‐Founder