metaprivBIDS: Privacy Assessment for BIDS Data
- metaprivBIDS is a privacy-assessment tool designed for auditing BIDS metadata by examining tabular files like participants.tsv and JSON sidecars for reidentification risks.
- It employs a mix of privacy metrics—including k-anonymity, l-diversity, K-global, SUDA, and PIF—to systematically evaluate vulnerabilities in demographic and clinical variables.
- The tool enables interactive mitigation strategies, such as coarsening data resolution and noise addition, to balance data utility with privacy protection.
metaprivBIDS is a neuroimaging-focused privacy-assessment tool for BIDS metadata. Introduced as a novel tool for the systematic assessment of privacy in tabular data, it is a graphical app, plus a command-line library, designed to examine tabular metadata in BIDS-style files such as participants.tsv and their JSON sidecars. Its purpose is not to inspect image data themselves, but to evaluate whether the demographic and clinical variables that accompany neuroimaging datasets could enable reidentification or reveal sensitive information. In the study introducing the tool, it was applied to six heterogeneous studies openly available on OpenNeuro, and the overall conclusion was that privacy is generally well maintained, with serious vulnerabilities being rare, although minor issues were identified in nearly all datasets. A central empirical finding was that clinical score data posed minimal reidentification risk, whereas demographic variables such as age, sex, race, income, and geolocation represented the principal privacy vulnerabilities (Kibsgaard et al., 18 Sep 2025).
1. BIDS context and the metadata substrate
metaprivBIDS operates within the ecosystem created by the Brain Imaging Data Structure (BIDS), a community-built framework for making neuroscience data and its accompanying metadata machine- and human-readable, shareable, and interoperable. BIDS organizes data as a directory-based hierarchy with strong conventions for file naming and associated sidecar metadata, and it relies heavily on lightweight formats such as NIfTI for imaging data, JSON sidecars for metadata, and TSV files for tabular information. In this framework, metadata are distributed across the folder structure, file names, and sidecar files, with conventions designed to make the dataset self-describing and easy to validate (Poldrack et al., 2023).
The relevance of this design to metaprivBIDS is direct. Because BIDS treats metadata as a first-class object, participant-level descriptors become both computationally accessible and potentially linkable. The BIDS history paper does not present a dedicated privacy framework in the legal or governance sense, but it does note that metadata-rich datasets and widespread sharing make de-identification and conversion practices important, especially for modalities exported from DICOM, which may contain sensitive information. It also notes privacy-relevant tooling such as EEG2BIDS Wizard: a flexible open-source cross-platform tool for anonymization and BIDS standardization (Poldrack et al., 2023).
Within that setting, metaprivBIDS addresses a narrower and more specific problem than general de-identification of imaging files: the privacy properties of tabular participant metadata after a dataset has already been organized for sharing. This places it at the intersection of BIDS interoperability and disclosure control.
2. Definition, design goals, and scope of analysis
The tool was developed because neuroimaging datasets often contain rich participant metadata—age, sex, handedness, education, race, clinical scores, income, geolocation, and similar variables—that can create privacy risk even when images are properly de-identified. Existing anonymization tools largely target generic tabular data, not the specific structure and conventions of neuroimaging metadata. metaprivBIDS was therefore built to support privacy checks for BIDS metadata, with awareness of JSON sidecars so it can more easily distinguish categorical and continuous variables (Kibsgaard et al., 18 Sep 2025).
Its stated functions are practical and workflow-oriented. The tool is intended to help researchers identify quasi-identifiers and sensitive attributes, detect participants or fields that create reidentification risk, modify metadata “on the fly” by grouping categories or adding noise, and document those modifications transparently for data sharing. The study reports that analyses were implemented in Jupyter notebooks for reproducibility, and it provides both the app and code (Kibsgaard et al., 18 Sep 2025).
The scope of the analysis is explicitly limited. metaprivBIDS examines tabular metadata, especially participants.tsv and JSON sidecar annotations. It does not directly evaluate imaging data identifiability. This distinction is central: the threat model is based on linkage and background-knowledge attacks against metadata fields, rather than on reconstruction or biometric identifiability from the imaging files themselves (Kibsgaard et al., 18 Sep 2025).
3. Analytical workflow and privacy metrics
The study describes a seven-step workflow for applying metaprivBIDS to a dataset (Kibsgaard et al., 18 Sep 2025):
- Load each dataset’s metadata: especially
participants.tsvand JSON sidecar annotations. - Identify quasi-identifiers: variables that can help identify a participant when combined with others.
- Identify sensitive attributes: values that should be protected because they are regulated or ethically sensitive.
- Compute privacy metrics: $k$-anonymity, $l$-diversity, K-global, SUDA scores, and PIF scores.
- Detect outliers: using SUDA and PIF, with a robust median absolute deviation (MAD) rule to flag potentially problematic individuals.
- Test mitigation strategies: such as merging categories, reducing precision, adding noise, or removing unnecessary variables.
- Check whether the privacy changes reduce utility too much.
The metric set is deliberately heterogeneous. $k$-anonymity is used as a foundational notion of reidentification risk: if $k=2$, each person is hidden among at least one other person, and larger $k$ implies stronger privacy. $l$-diversity is used to assess whether sensitive attributes remain diverse within each equivalence class, so that sensitive values cannot be inferred from a homogeneous group (Kibsgaard et al., 18 Sep 2025).
K-global is presented as a new metric introduced in the paper. It was designed to estimate how much a particular variable contributes to the dataset’s anonymity structure in the context of all other quasi-identifiers. The paper defines $U$ as the number of unique combinations of all quasi-identifiers and $U_i$ as the number of unique combinations after removing variable $i$. The interpretation given is that if removing variable $i$ greatly reduces the number of unique rows, then that variable is contributing strongly to reidentification risk, so K-global is higher (Kibsgaard et al., 18 Sep 2025).
SUDA, the Special Uniques Detection Algorithm, identifies records that become unique for certain combinations of variables. The paper gives the basic form $l$0, where $l$1 is the total number of variables and $l$2 is the number of columns in a unique combination. A row with a unique combination involving fewer variables gets a higher SUDA score, and if there are multiple unique combinations within a row, the scores are summed. PIF, the Personal Information Factor, measures information gain using Kullback–Leibler divergence, comparing prior and posterior distributions of variables when conditioning on the rest of the dataset. The paper cites a recommended safe threshold of 0.04 from PIF creators. The authors further emphasize that SUDA and PIF have high sensitivity but limited specificity: they can flag risky records, but they can also flag people who are unique without actually being exposed to meaningful risk (Kibsgaard et al., 18 Sep 2025).
4. Empirical findings across six OpenNeuro datasets
The six analyzed datasets were chosen to span different populations and study types: healthy adults, patients, children, large and small samples, and datasets with clinical scores. The paper also states that some OpenNeuro datasets appeared problematic enough to be altered and not discussed further for ethical/privacy reasons, so the six reported cases are illustrative examples of relatively safer cases rather than a formal audit of all OpenNeuro datasets (Kibsgaard et al., 18 Sep 2025).
| Dataset | Privacy structure | Selected findings |
|---|---|---|
| Amsterdam Open MRI Collection | 10 of 27 variables were quasi-identifiers; sensitive variables were sexual orientation and IST Intelligence | K-global ranged from 0.3 to 42.7, mean 17.7; SUDA/PIF found 440 outliers among 928 participants, with 6 common outliers |
| Brain Tumor Connectomics Data | 7 of 50 variables were quasi-identifiers; sensitive attribute was tumor type & grade | K-global ranged from 0.0 to 0.4, mean 0.07; SUDA and PIF were correlated, but no outliers were found |
| EEG: Alcohol imagery reinforcement learning task with light and heavy drinkers | All 6 variables were quasi-identifiers; sensitive attributes were BDI, AUDIT, and GROUP | SUDA and PIF were correlated; 4 outliers were found with PIF |
| Early stressful experiences in children | 7 of 24 variables were quasi-identifiers; sensitive attribute was Race | K-global ranged from 0.0 to 1.8, mean 0.46; 2 outliers were found with PIF |
| The Dallas Lifespan Brain Study | 8 of 35 variables were quasi-identifiers; sensitive attributes were Race and Ethnicity | K-global ranged from 0.0 to 1.6, mean 0.4; 14 outliers were found with PIF, none with SUDA |
| Midnight Scan Club | All 4 variables were quasi-identifiers; no sensitive attributes | K-global was near zero for two variables and low overall; 1 outlier was found with PIF |
The Amsterdam Open MRI Collection yielded the strongest privacy signal in the study. The strongest privacy risks came from education level, socioeconomic status, sex, handedness, age, gender identity, and sexual attraction. SUDA and PIF were highly correlated at $l$3, whereas K-global did not correlate with SUDA or PIF in this dataset. The paper’s main risk example was a participant with a minority sexual/gender identity profile and highly specific demographic values. If sexual attraction was not scientifically necessary, the authors suggest removing it; otherwise, they suggest reducing precision of age, for example by reporting year instead of finer quantiles. This reduced outliers from 440 to 102 (Kibsgaard et al., 18 Sep 2025).
Brain Tumor Connectomics Data was presented as low risk overall. SUDA and PIF were correlated at $l$4, but no outliers were found. The suggested mitigation was to merge marital status categories—“Divorced” and “widowed” into “Single,” and “Married” and “Cohabitating” into “In Relationship”—and to remove height, because it added unnecessary uniqueness and was irrelevant to imaging (Kibsgaard et al., 18 Sep 2025).
In the EEG alcohol-imagery dataset, all six variables were treated as quasi-identifiers and the sensitive attributes were BDI, AUDIT, and GROUP. Because there were no especially visible attributes, none were included in the $l$5-anonymity computation. SUDA and PIF were correlated at $l$6, and four outliers were found with PIF. The paper gives the example of a single 25-year-old female participant who could be reidentified via background knowledge, which would reveal sensitive alcohol-use status. After adding noise to age, $l$7-diversity improved to 2 for GROUP, 11 for AUDIT, and 12 for BDI (Kibsgaard et al., 18 Sep 2025).
In the dataset on early stressful experiences in children, the main vulnerability came from race and low-frequency combinations of race, income, and age. SUDA and PIF were correlated at $l$8, and two outliers were found with PIF. The example given was a 9-year-old Black male from a relatively low-income bracket who stood out because Black/African American participants were underrepresented in the dataset. The paper recommends removing income if irrelevant, or coarsening it into broader categories such as above/below median income (Kibsgaard et al., 18 Sep 2025).
For The Dallas Lifespan Brain Study, the main privacy concern was not clinical data but demographic uniqueness driven by height, age, and the combination of demographic variables. SUDA and PIF correlation was $l$9. The recommendation was to replace height with BMI, if scientifically relevant, or remove height if not needed. Removing height reduced unique rows from 350 to 159 (Kibsgaard et al., 18 Sep 2025).
Midnight Scan Club was judged effectively no-risk because it had no sensitive attributes and very few quasi-identifiers. The one flagged participant was unique mainly because of education history. Even here, however, the tool identified a residual point of uniqueness, illustrating the study’s broader conclusion that minor issues can remain present even in relatively benign metadata tables (Kibsgaard et al., 18 Sep 2025).
5. Principal risk variables and mitigation strategies
Across datasets, the paper’s central message is that the most dangerous variables were not the clinical scores, but demographic variables that are either uniquely identifying on their own or become identifying in combination. The variables most often implicated were age, sex or gender, race or ethnicity, education level or years of education, income or socioeconomic status or geolocation-like variables, height, handedness, and in one case sexual orientation or attraction or gender identity. The paper repeatedly notes that these variables matter scientifically, but their resolution is often the problem: fine-grained values make reidentification more likely (Kibsgaard et al., 18 Sep 2025).
The practical recommendations are correspondingly concrete (Kibsgaard et al., 18 Sep 2025):
- Reduce resolution of variables: report age in years rather than months or precise quantiles when appropriate; use broader age bins; coarsen income and similar variables into larger categories.
- Merge categories: combine sparse categorical levels such as marital-status categories.
- Add noise: especially to age or other quasi-identifiers; use Gaussian or Laplacian noise where appropriate.
- Remove unnecessary variables: especially variables irrelevant to the imaging analysis, such as height in some cases.
- Document all changes: state which variables were removed, indicate original versus released resolution, note where noise was added, and include this in the BIDS README or equivalent documentation.
- Consider masking values for high-risk participants: this can preserve most data while reducing exposure.
- Ensure subgroup diversity at the data-collection stage: privacy improves when no record is unique within the quasi-identifiers.
- Do not rely only on geolocation masking: linkage through other quasi-identifiers can still enable reidentification.
These measures are presented not as generic anonymization heuristics, but as operations that can be tested interactively and evaluated against utility loss. The app includes interactive tools to group values and add noise, together with real-time recomputation of privacy metrics after modifications (Kibsgaard et al., 18 Sep 2025).
6. Interpretation, limitations, and significance
The paper is explicit that privacy metrics are not a substitute for human judgment. Whether a variable is actually sensitive depends on context, and privacy assessment depends on the assumed external knowledge of an attacker; background and linkage attacks are central to the threat model. K-global is described as new and exploratory, and the authors note that it may miss subtle nonlinear interactions. SUDA and PIF can over-flag records because of their high sensitivity and lower specificity. The analysis is limited to tabular metadata and does not directly evaluate imaging data identifiability. The authors also caution that the six datasets were chosen illustratively and that dataset-specific conclusions should not be overgeneralized (Kibsgaard et al., 18 Sep 2025).
The significance of metaprivBIDS lies in the fact that it makes metadata privacy an explicit, inspectable component of BIDS-based data sharing. BIDS was designed so that data owners could prepare archives with machine-readable metadata, validation support, and interoperable organization rather than relying on archive-side manual curation (Poldrack et al., 2023). metaprivBIDS applies that same machine-readable orientation to disclosure risk, asking not whether metadata are merely present and valid, but whether they are safe to release in their current resolution and combination.
A plausible implication is that metaprivBIDS is most useful not as a one-time anonymization filter, but as a recurrent audit mechanism for participant metadata in open neuroimaging repositories. The study’s main empirical conclusion supports that interpretation: privacy was generally fairly well preserved, serious reidentification vulnerabilities were rare, but minor issues appeared in nearly every dataset, and relatively simple transformations—coarsening, grouping, noise addition, or removing irrelevant fields—could substantially reduce risk without destroying scientific value (Kibsgaard et al., 18 Sep 2025).