Measures of Anonymity

  • Suresh Venkatasubramanian
Part of the Advances in Database Systems book series (ADBS, volume 34)

To design a privacy-preserving data publishing system, we must first quantify the very notion of privacy, or equivalently of information loss. In the past few years there has been a proliferation of privacy measures: some based on statistical considerations, others on Bayesian or information-theoretic notions of information, and still others designed around the limitations of bounded adversaries. In this chapter we review the various approaches to capturing privacy. We will find that although privacy can be defined from different standpoints, there are many structural similarities in the way the different approaches have evolved. It will also become clear that the notions of privacy and utility (the useful information one can extract from published data) are intertwined in ways that are yet to be fully resolved.

Keywords

Measures of privacy, statistics, Bayes inference, information theory, cryptography

Copyright information

© Springer Science+Business Media, LLC 2008

Authors and Affiliations

  • Suresh Venkatasubramanian
    1. School of Computing, University of Utah, McLean, USA