Beyond k-Anonymity: A Decision Theoretic Framework for Assessing Privacy Risk
Guy Lebanon (a)(*), Monica Scannapieco (b), Mohamed R. Fouad (c), Elisa Bertino (c)
Transactions on Data Privacy 2:3 (2009) 153 - 183
(a) College of Computing, Georgia Institute of Technology, Atlanta, USA.
(b) Department of Systems and Computer Sciences, Rome University, Italy.
(c) Department of Computer Science, Purdue University, West Lafayette, USA.
e-mail: lebanon@cc.gatech.edu; monscan@dis.uniroma1.it; mrf@cs.purdue.edu; bertino@cs.purdue.edu
An important issue any organization or individual has to face when managing data containing sensitive information is the risk incurred when releasing such data. Even though data may be sanitized before being released, it is still possible for an adversary to reconstruct the original data using additional information, thus resulting in privacy violations. To date, however, a systematic approach to quantify such risks is not available. In this paper we develop a framework, based on statistical decision theory, that assesses the relationship between the disclosed data and the resulting privacy risk. We model the problem of deciding which data to disclose as the problem of deciding which disclosure rule to apply to a database. We assess the privacy risk by taking into account both the identification of the entity and the sensitivity of the disclosed information. Furthermore, we prove that, under some conditions, the estimated privacy risk is an upper bound on the true privacy risk. Finally, we relate our framework to the k-anonymity disclosure method. The proposed framework makes the assumptions behind k-anonymity explicit, quantifies them, and extends them in several natural directions.
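To make the abstract's two ingredients concrete, the following added example (not code from the paper, and not the paper's decision-theoretic risk measure) treats a release as the choice of a disclosure rule applied to every record, then scores each candidate rule by the standard k-anonymity value of the released table and by the naive re-identification risk 1/|equivalence class| of the worst-off record. The microdata, the quasi-identifier set and the three disclosure rules are constructed for illustration.

```python
from collections import Counter

# Constructed sample microdata (not from the paper); each dict is one record.
RECORDS = [
    {"zip": "47906", "age": 34, "sex": "M", "diagnosis": "flu"},
    {"zip": "47907", "age": 36, "sex": "M", "diagnosis": "asthma"},
    {"zip": "47906", "age": 31, "sex": "F", "diagnosis": "flu"},
    {"zip": "30332", "age": 52, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "30331", "age": 58, "sex": "F", "diagnosis": "flu"},
    {"zip": "30332", "age": 55, "sex": "M", "diagnosis": "asthma"},
]

# Assumed quasi-identifiers: attributes an adversary could link to external data.
QUASI_IDENTIFIERS = ("zip", "age", "sex")


# Three hypothetical disclosure rules, each mapping a record to its released form.
def release_raw(rec):
    return dict(rec)


def release_generalized(rec):
    # Truncate ZIP to its 3-digit prefix and bucket age into a decade range.
    out = dict(rec)
    decade = rec["age"] // 10 * 10
    out["zip"] = rec["zip"][:3] + "**"
    out["age"] = f"{decade}-{decade + 9}"
    return out


def release_generalized_suppressed(rec):
    # Same generalization, plus suppression of the sex attribute.
    out = release_generalized(rec)
    out["sex"] = "*"
    return out


def equivalence_classes(released, qi=QUASI_IDENTIFIERS):
    # Group released records by their quasi-identifier tuple; values are class sizes.
    return Counter(tuple(r[a] for a in qi) for r in released)


def k_anonymity(released, qi=QUASI_IDENTIFIERS):
    # k is the size of the smallest equivalence class in the released table.
    return min(equivalence_classes(released, qi).values())


def evaluate(rule, records=RECORDS):
    # Apply one disclosure rule to the whole table and score the result.
    released = [rule(r) for r in records]
    k = k_anonymity(released)
    return {"k": k, "max_risk": 1.0 / k}
```

With this data the raw release and the generalization that keeps sex both leave a singleton class (k = 1), while generalizing and suppressing sex yields k = 3; only the last rule lowers the worst-case naive risk below 1.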
* Corresponding author.