Li Xiong: Researching the human elements of cybersecurity

By Carol Clark | Emory Report | Feb. 23, 2016

Story image

"Cybersecurity is vital to everyone because so much personal data is out there," says computer scientist Li Xiong. "Every single day, for almost everything that you do, data is being collected and stored somewhere digitally." Emory Photo/Video

Li Xiong is Winship Distinguished Research Associate Professor in Emory University's Department of Mathematics and Computer Science and its Department of Biomedical Informatics. She directs Emory College's Assured Information Management and Sharing (AIMS) research lab, focused on cybersecurity issues.

One of the lab's long-term goals is to improve ways to manage health-care data records that benefit biomedical research while also guaranteeing individual patient privacy.

"My research has a strong human element in the sense that it's person-oriented," Xiong says. "I want to aggregate your data in ways that protect your confidentiality and also benefit you and society as a whole. Basically, I want you to tell me everything about you, without telling me anything about you. It sounds impossible, but like most computer science problems it's really a matter of optimization."

In this interview, Xiong talks about current challenges in cybersecurity and her career as a computer scientist.

Where are you from originally?

I grew up in Wuhan, China. If you put a map of China on top of a map of the United States, Wuhan would be in roughly the same spot as Atlanta. Wuhanese like spicy food and their personalities can be a little bit spicy, too. But they are very kind and warm-hearted. 

My parents are regular, middle-class people who had and continue to have a great influence on my life. They instilled in me the notion of knowledge for the greater good. My dad works for the government and my mom works for a bank.

How did you get interested in computer science?

In high school I liked math and physics. I love logic and analysis. And I enjoy finding the fastest, most elegant, way to solve a problem. When I started applying to colleges, a recruiting professor and high school alumni from the University of Science and Technology of China (USTC) advised me to consider computer science. My dad also had a major role in my decision. He read a lot and believed that computers had a bright future.

I was accepted in the computer science department at USTC.

How did you wind up in the United States?

I actually hadn't thought about going to the United States until I had almost graduated. At that time, we were not really exposed to the outside world. These days, of course, the world is really small.

The year I graduated, in 1997, the Internet was just becoming ubiquitous. I didn't sign up for an email account until I was a senior. We had really slow Internet connections. I remember getting a big book, called Pearson's Guide, which was like the Bible for how to apply to U.S. universities. I used the limited information resources that I had and typed my applications on a typewriter.

I got accepted into the Ph.D. program at Johns Hopkins University. I sometimes call myself a Hopkins dropout because I left after 1.5 years when I finished my master's degree. It was the Internet boom period and I wanted to see what it was like to work in industry.

I worked for a few years with a private company on projects like analysis of stock market data to detect fraud and suspicious transactions. I found cybersecurity interesting, but private industry was not as intellectually challenging as research. I realized I wanted to go back to school and I was accepted at Georgia Tech.

How important is cybersecurity to the average person?

Cybersecurity is vital to everyone because so much personal data is out there. Every single day, for almost everything that you do, data is being collected and stored somewhere digitally. Information on your movements is collected on your smart phone.

When you visit a doctor, your symptoms and prescriptions are being recorded. Your Internet search terms are being tracked and recorded. So are demographics from your voter registration and details of your purchases when you shop.

All this information is a really valuable resource that can benefit you. You may receive coupons targeted for you, or good recommendations for books on Amazon. You can access maps quickly and locate nearby restaurants or get directions.

The information can also benefit society at large. Public health officials, for instance, might be able to identify an emerging flu epidemic by aggregating data streams from drugstores. They could then use an algorithm to predict where the outbreak will spread and proactively intervene.

On the other hand, there are a lot of dangers associated with misuse of data. There is the potential for theft and for an individual's rights of privacy to be violated.

As a cybersecurity expert, do you do anything differently than most consumers?

I mostly disable the location access on my phone. By default, when you download an app it asks if it can use your location. So if you go to "Settings" on your phone, then to "Privacy" and "Location Services," you will probably find that a lot of your apps are accessing your location.

Your location traces are scraped and collected and they can be used to build a profile of you. That profile could identify where you live and work, your movement patterns and even your religious and political views.

I'm not very paranoid, but I'm probably more cautious than most people. I disable the location services for most, but not all, of my apps. You may think there is no risk, but there is always some risk.

In fact, a major project of my research group is building privacy-ensuring location mechanisms. We are trying to cloak a user's location by making it a bit less precise, but still viable for applications. This is where the human element comes in. It's a tradeoff between usefulness and protecting privacy.

You recently received a $1.06 million funding award from the Patient-Centered Outcomes Research Institute. Can you talk about your lab's work on that project?

All medicine is empirical, based on certain characteristics of patients, their symptoms, their prescribed treatments, and the patient outcomes. If detailed data is collected electronically for every patient that comes into a hospital or clinic then you can build a huge dataset.

When a new patient comes in, you could type in their characteristics to compare it to this huge dataset. You could get a customized solution, so-called precision medicine, based on each individual patient's characteristics. 

We're looking at ways to do this kind of data analysis while preserving the privacy of each individual in the data. And we need to make sure that when we aggregate the data, that the quality of the data is ensured.

One way to protect an individual's privacy is to perturb the data by adding some noise. But when you perturb data, its quality suffers. So you have to figure out how to perturb it just enough to obfuscate an individual's identity without sacrificing the value of the data.

Another challenge is efficiency of use. Hospitals can encrypt data before storing it to make sure that it's not misused. But analyzing encrypted data requires a lot of computation making it impractical in the real world.

We're trying to design protocols that combine confidentiality with utility and ease of use. And instead of a one-size-fits-all approach, our project takes a patient-centered approach. We are focused on establishing data registries with formal privacy guarantees that are tailored to be useful while taking into account individual patient privacy preferences and risks.

Again, the human factor is very important: We want to enable social good without personal risk. The long-term goal is to promote sustainable and scalable biomedical research involving large amounts of health-care data while also empowering patients with more rigorous and transparent privacy control.