cotalks.dev

Keeping data private in real-time pipelines by Olena Kutsenko

(link)
Event: Voxxed Days CERN 2026 | 2026
Channel: Devoxx

Summary

Olena Kutsenko explains why privacy is hard in real-time data pipelines and why removing obvious identifiers is not enough. Using examples like the Netflix Prize dataset, AOL search logs, Strava, and New York taxi data, she shows how re-identification can happen through linkage, repeated behavior, and small combinations of attributes. The talk focuses on privacy techniques that can be applied in streaming systems such as Apache Kafka and Apache Flink, including masking, tokenization, k-anonymity, bucketing, adding noise, and synthetic data generation. The main message is that privacy controls should be applied as early as possible in the pipeline, before data fans out to multiple consumers and destinations.

Key Takeaways

  • Removing names, emails, or phone numbers is not enough to prevent re-identification.
  • Streaming pipelines amplify privacy risk because data is copied, enriched, and consumed by many downstream systems.
  • Masking and tokenization are useful, but they are not sufficient for data shared outside the company.
  • K-anonymity, bucketing, and noise can reduce identifiability for aggregated or shared datasets.
  • Synthetic data is useful for testing and UI work when real data is unnecessary.
  • Privacy decisions should be made early in the pipeline, before sensitive data spreads to many consumers.

Sections

Why privacy is difficult in data pipelines

The talk starts with the problem that data moving through modern pipelines can quickly fan out to many systems, including dashboards, training jobs, and other consumers the original producer does not control. In streaming architectures, once an event enters the pipeline it can be copied, transformed, and stored in multiple places, which makes privacy incidents harder to contain after the fact. Olena argues that it is usually easier to prevent sensitive data from spreading than to try to clean it up later.

Why removing identifiers is not enough

A key point is that deleting direct identifiers does not make a dataset safe. The Netflix Prize dataset is used as the main example: although it did not contain names, people were re-identified by matching rating patterns and dates with public IMDb data. The talk also references AOL search logs, Massachusetts employee data, Strava location data, and New York taxi data to show how indirect attributes and behavioral fingerprints can reveal identities.

Masking and tokenization in practice

Masking hides part of a value, such as leaving only the last digits of a card number or redacting parts of an email address. It preserves format and is commonly used in dashboards and support workflows. Tokenization replaces a value with a token stored separately in a token vault. The talk distinguishes tokenization from hashing and warns that hashing should not be treated as a secure replacement for sensitive values, especially if values are guessable or reversible through lookup tables.

Limitations of sharing masked or tokenized data

Masking and tokenization can help inside an organization, but they do not eliminate privacy risk when data is shared broadly. Deterministic transformations can still allow linking records across systems, and consistent identifiers can become a behavioral fingerprint. The talk emphasizes that once data is outside the company boundary, stronger privacy techniques are needed.

Stronger approaches for shared data

For datasets that need to be published or widely shared, the talk covers k-anonymity, bucketing, and adding noise. K-anonymity aims to ensure each record is indistinguishable from at least k others based on visible attributes. Bucketing reduces precision, such as replacing exact ZIP codes or GPS coordinates with broader regions. Noise can be added when the goal is aggregate analysis rather than exact per-user values.

Synthetic data for testing and development

When real data is not required, synthetic data generation is presented as a safer option. Synthetic records can match the structure and shape of production data without reusing real identifiers or behaviors. This is especially useful for testing, demos, and interface validation, though it is not a substitute for real data in machine learning training when true behavioral patterns are needed.

Practical guidance for engineers

The closing advice is to think about privacy as early as possible in pipeline design. If possible, aggregate data before it spreads, minimize storage of sensitive attributes, and justify every place where personal data is kept. The talk frames privacy as a tradeoff between usefulness and risk: the more detail retained, the more useful the data can be, but the greater the chance of re-identification and leakage.

Keywords: data privacy in streaming pipelines, apache kafka privacy, apache flink data masking, tokenization vs hashing, k-anonymity, data masking, bucketing sensitive data, adding noise to data, synthetic data generation, real-time data pipelines, re-identification attacks, netflix prize dataset privacy, aol search logs privacy, strava privacy leak, new york taxi data anonymization, gdpr data processing

note