Allison Chan
Designer, artist, cook, and sometimes farmer from the Pacific Northwest, based in Northern California. Devoted to nurturing slowness, deep flavor, and communal abundance in all areas of life. 

2017
Privacy & Civil Liberties at Palantir

Designed systems to foreground data privacy, minimize dragnet surveillance, and heighten accountability across healthcare, nonprofits, and other critical organizations. Productized key requirements and principles from the (then) newly published GDPR into Foundry, Palantir’s enterprise data analysis platform.

For black-box organizations like Palantir that frequently handle sensitive, personal information at scale, perhaps the most impactful principle of the GDPR is data minimization—put simply, stop using and collecting data you don’t actually need, for reasons you won’t specify.

To support this, we built a layer of oversight into the data pipeline that empowers users and regulators to better manage the flow of sensitive information in and out of their organization’s scope of work. Foundry flags when someone wants to upload or access data that might be high-risk, and prompts them to submit a clear, proportionate use case for review. Data Protection Officers (in-house regulators appointed by the GDPR) can filter out data before it ever enters, set a retention policy, and attach policy documentation to steward safe usage.



As sensitive data about people flows downstream, its audience and scope of use is likely to change. A National Health Service doctor needs to share patient data with a clinical study at a partnering university; or a Polaris analyst wants to publish an annual report on trafficking survivors in DC. How can we help organizations share meaningful data while protecting the identities of individuals it describes?

In today’s ever-expanding social graph, true anonymity is nearly impossible to achieve. Even if you scrub away name, age, race, gender, or other direct PII (personally identifiable information), surrounding data can still provide context clues and proxies for re-identification.

We introduced typeclasses to help index these connections by classifying properties of data at the column- or object-level. This granularity helps us make smart inferences about when and how data might be sensitive, and support de-identification methods like obfuscation, generalization, and pseudonymization without requiring SQL.


K-anonymity is a method of measuring the risk of re-identification in an anonymized dataset. For example, a dataset with k=3 anonymity is generic enough that any combination of quasi-identifying attributes appears at least 3 times—in other words, any record could correspond to at least 3 individuals. The higher the k-value, the harder it is to discern who in particular the data describes.

This method has become industry-standard for data protection, but existing tools are complex and opaque. Here, a non-technical user can easily test for k-anonymity, understand how identifiable their data is, and take action to minimize it.
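As an added illustration (not Foundry's code and not the author's), here is a small Python check of k-anonymity over constructed records, with a generalization ladder that coarsens the quasi-identifiers until a target k is reached. The column names, sample rows, and the ladder itself are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample table (not real patient data): quasi-identifiers plus one
# sensitive attribute. Direct identifiers (name, ID) are assumed already dropped.
RECORDS = [
    {"zip": "94110", "age": 34, "sex": "F", "diagnosis": "flu"},
    {"zip": "94112", "age": 37, "sex": "F", "diagnosis": "asthma"},
    {"zip": "94110", "age": 31, "sex": "M", "diagnosis": "flu"},
    {"zip": "94118", "age": 52, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "94117", "age": 58, "sex": "F", "diagnosis": "flu"},
    {"zip": "94115", "age": 55, "sex": "M", "diagnosis": "asthma"},
]
QUASI_IDENTIFIERS = ("zip", "age", "sex")

def k_anonymity(records, quasi_identifiers):
    """k = size of the smallest group of records sharing identical quasi-identifier values."""
    if not records:
        return 0
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values())

def generalize(record, zip_digits, age_bucket, keep_sex):
    """Coarsen one record: truncate the ZIP, bucket the age, optionally suppress sex."""
    lo = (record["age"] // age_bucket) * age_bucket if age_bucket else record["age"]
    return {
        **record,
        "zip": record["zip"][:zip_digits] + "*" * (5 - zip_digits),
        "age": f"{lo}-{lo + age_bucket - 1}" if age_bucket else record["age"],
        "sex": record["sex"] if keep_sex else "*",
    }

# Generalization ladder, least to most coarse (an assumed policy, not a product feature).
LADDER = [
    dict(zip_digits=5, age_bucket=0, keep_sex=True),    # raw values
    dict(zip_digits=3, age_bucket=10, keep_sex=True),   # 941**, 30-39
    dict(zip_digits=3, age_bucket=10, keep_sex=False),  # also suppress sex
]

def anonymize(records, quasi_identifiers, k_target):
    """Climb the ladder until k >= k_target; return (rung, k, records), or None if unreachable."""
    for rung, params in enumerate(LADDER):
        out = [generalize(r, **params) for r in records]
        k = k_anonymity(out, quasi_identifiers)
        if k >= k_target:
            return rung, k, out
    return None
```

On the sample rows the raw table has k=1 (every row is unique), truncating ZIPs and bucketing ages alone still leaves k=1 because sex splits the age groups, and only the third rung reaches k=3; a target of 4 is unreachable with this ladder and returns None, which is the signal to coarsen further or suppress rows.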