# Banking demo

To run this notebook locally you need `psycopg2` and `ipython-sql` installed. For the meta-commands you need `pgspecial`.

Below you can find connection details for 2 users in this database instance:

- `banking` has direct access to data.
- `banking_publish` is restricted to anonymized access.

In [103]:
%load_ext sql
%sql postgresql://banking:demo@demo-pg.open-diffix.org/banking
%sql postgresql://banking_publish:demo@demo-pg.open-diffix.org/banking
%config SqlMagic.displaycon = False # No connection string in output.
%config SqlMagic.feedback = False   # No Done, rows affected.
print('Connected to database.')

The sql extension is already loaded. To reload it, use:
  %reload_ext sql
Connected to database.


The dataset has the following tables:

In [104]:
%sql \dt

Schema,Name,Type,Owner
public,accounts,table,postgres
public,accounts_receivables,table,postgres
public,clients,table,postgres
public,credit_cards,table,postgres
public,dispositions,table,postgres
public,loans,table,postgres
public,loss_events,table,postgres
public,orders,table,postgres
public,transactions,table,postgres


You can explore columns of tables with `\d <table>`

In [105]:
%sql \d loans

Column,Type,Modifiers
loan_id,integer,not null
account_id,integer,
date,text,
amount,integer,
duration,integer,
payments,double precision,
status,text,


## Current capabilities

The current version of the `pg_diffix` PostgreSQL extension supports a limited set of SQL.
More concretely, what is currently supported is the `count` aggregator over a single table at a time.

### Examples

Let's see what it looks like when data is queried by the 2 different users:

In [106]:
%%sql banking@banking
SELECT status, count(*) as real_count
FROM loans
GROUP BY status
ORDER BY status ASC

status,real_count
A,203
B,31
C,403
D,45


In [107]:
%%sql banking_publish@banking
SELECT status, count(*) as anon_count
FROM loans
GROUP BY status
ORDER BY status ASC

status,anon_count
A,204
B,31
C,403
D,44


The two queries above were identical (bar the difference in the alias for the `count` aggregator), but as you notice the results differ.
The difference is due to the anonymization that took place.

The anonymization has three core principles:

- adding noise
- suppressing infrequent (and potentially identifying) values
- flattening the impact of individuals that exhibit extreme behavior

These points seem rather abstract, so let's take a closer look at each in turn.

### Adding noise

`pg_diffix` adds some noise to the results of aggregators. You can notice this noise being present by comparing the results of the `count` aggregator
in the previous two queries. Note for example that the count of loans with a status of `A` is 203 in the unanonymized query, whereas it was adjusted to
204 in the anonymized result.

The magnitude of the noise is set in such a way that it prevents you from determining whether a particular individual is present or absent in a result.
Additionally it is constructed in such a way that it remains the same even if you re-run a query. The specifics about how it is constructed is outside the 
scope of this notebook.

### Suppressing infrequent values

Let us take another look at the `loans` table we queried above.
If we query for the amounts that were lent to individuals we will notice that a lot of them are in fact unique:

In [108]:
%%sql banking@banking
SELECT amount, count(*)
FROM loans
GROUP BY amount
HAVING count(*) = 1
LIMIT 10

amount,count
111384,1
84120,1
162576,1
150912,1
56100,1
141648,1
38520,1
321360,1
100080,1
148140,1


In fact 611 out of the 645 loans in the table (or approximately 95%) had an amount that only appeared once:

In [109]:
%%sql banking@banking
SELECT count(*) num_occurrences, count_individuals_sharing_amount
FROM (
  SELECT amount, count(*) count_individuals_sharing_amount
  FROM loans
  GROUP BY amount
) t
GROUP BY count_individuals_sharing_amount
ORDER BY count(*) DESC

num_occurrences,count_individuals_sharing_amount
611,1
32,2
1,3
1,4


This means that if we knew how much someone was lent, we could most likely use that information as a vector to learn anything else we want about a particular person's loan application and loan status:

In [110]:
%%sql banking@banking
SELECT date, duration, payments, status
FROM loans
WHERE amount = 111384

date,duration,payments,status
940705,24,4641.0,A


When `pg_diffix` is used to anonymize the data, the system detects that `amount` is usually an identifying property.
That is not to say that we cannot use `amount` as a property in our queries - we certainly can. What is being prevented is us leaking information about individual loan amounts.

Let's see this in practice by repeating two of the queries we just ran on the raw dataset. First to get a list of amounts, and secondly the one to extract information about a given loan:

In [111]:
%%sql banking@banking_publish
SELECT amount, count(*)
FROM loans
GROUP BY amount
HAVING count(*) = 1
LIMIT 10

amount,count


In [112]:
%%sql banking@banking_publish
SELECT date, duration, payments, status
FROM loans
WHERE amount = 111384

date,duration,payments,status


In both instances the results are suppressed as it is detected that the information they would reveal could be identifying.

A crucial feature of `pg_diffix` is that it does not make the decision about whether something is revealing or not based on an understanding of the underlying data. 
The fact that the amount we queried is the magnitude of a loan is not important. What is important is that specific amounts appear so infrequently that they could be used to indentify someone. This is a property of the distribution of the data, not of the type of data. All this is to say that `pg_diffix` does not rely on an administrator classifying whether a column is sensitive or PII. This is detected automatically based on the context of a given query.
To make this point clearer, recall that there were in fact a number of loan amounts that appeared with some frequency. These can safely be revealed by `pg_diffix`, as they are not by themselves identifying:

In [113]:
%%sql banking@banking_publish
SELECT amount, count(*)
FROM loans
GROUP BY amount

amount,count
30276,
84288,
86184,
87216,
165960,
213300,
265320,


A `count` of `None` in this instance is an indication that while there were enough loantakers sharing these particular amounts, there were not enough of them to allow `pg_diffix` to produce meaningful anonymous counts.

If we repeat the same query but try to extract more information related to these loan amounts we see that the resultset shrinks. This is a result of most amounts when seen in combination with other attributes becoming identifying:

In [114]:
%%sql banking@banking_publish
SELECT amount, payments, status, count(*)
FROM loans
GROUP BY amount, payments, status

amount,payments,status,count
84288,1756.0,C,


and if we try to drill down yet again, then the resultset ends up being empty

In [115]:
%%sql banking@banking_publish
SELECT amount, date, payments, status, count(*)
FROM loans
GROUP BY amount, date, payments, status

amount,date,payments,status,count


#### Flattening extreme values

The third way in which `pg_diffix` protects individuals is by reducing the effect of extreme outliers. We call this flattening.

Unfortunately there is no good example or flattening in action in the banking dataset we have available here.
Please bear with me as I make up an example to explain how this mechanism works.

Let's take a look at the `transactions` table.

In [116]:
%%sql banking@banking
SELECT count(*) FROM transactions

count
1056320


It contains a total of ~1M transactions.

Let's for a moment pretend there is one prolific spender in this dataset. He or she might have clocked a total of 10000 (or 1% of the total) bank transactions, 
whereas the second most prolific spender has less than 700.

Below are the transactions excluding those of the prolific spender:

In [117]:
%%sql banking@banking
SELECT account_id, count(*)
FROM transactions
GROUP BY account_id
ORDER BY count(*) DESC
LIMIT 10 OFFSET 1 -- skipping the imagined prolific spender

account_id,count
3834,665
96,661
2932,655
9307,649
9265,643
5215,637
2762,634
1801,633
5952,628
866,628


The presence or absence of the large spender would have an outsize (and most likely) noticeable impact on a `count` aggregate calculated across multiple individuals.
`pg_diffix` notices this and eliminates this effect. The elimination is done by replacing the contributions of the individual with the extreme behavior (in this case a count of 10000 transactions) with a contribution that more closely resembles that of the other large spender (roughly 670 transactions). If the unanonymized count total of transactions was 1000000 the flattened count would be around 990670 (1000000 - 10000 + 670).

In reality `pg_diffix` would usually not only flatten the value of the most extreme individual, but rather replace those of the cohort of the most extreme individuals.


### Summary

As you have seen in the queries we have run above, `pg_diffix` allows you to write and run queries much like you would in your regular work with Postgres.
Very little attention has to be paid to whether a result is safe to share or not. This is all handled transparently by `pg_diffix`.

While this early version of `pg_diffix` only offers limited functionality, we are constantly looking to expand what the software can do, and the environments in which it could be safely deployed.

For more information, please consider taking a look at the [Frequently Asked Questions](https://www.open-diffix.org/faq/) section of our website.