Person Re-identification Attack on Wearable Sensing

Person re-identification is a critical privacy attack in publicly shared healthcare data as per Health Insurance Portability and Accountability Act (HIPAA) privacy rule. In this paper, we investigate the possibility of a new type of privacy attack, Person Re-identification Attack (PRI-attack) on publicly shared privacy insensitive wearable data. We investigate user's specific biometric signature in terms of two contextual biometric traits, physiological (photoplethysmography and electrodermal activity) and physical (accelerometer) contexts. In this regard, we develop a Multi-Modal Siamese Convolutional Neural Network (mmSNN) model. The framework learns the spatial and temporal information individually and combines them together in a modified weighted cost with an objective of predicting a person's identity. We evaluated our proposed model using real-time collected data from 3 collected datasets and one publicly available dataset. Our proposed framework shows that PPG-based breathing rate and heart rate in conjunction with hand gesture contexts can be utilized by attackers to re-identify user's identity (max. 71%) from HIPAA compliant wearable data. Given publicly placed camera can estimate heart rate and breathing rate along with hand gestures remotely, person re-identification using them imposes a significant threat to future HIPAA compliant server which requires a better encryption method to store wearable healthcare data.