k-Anonymity: A Model for Protecting Privacy

@article{Sweeney2002kAnonymityAM,
  title={k-Anonymity: A Model for Protecting Privacy},
  author={Latanya Sweeney},
  journal={Int. J. Uncertain. Fuzziness Knowl. Based Syst.},
  year={2002},
  volume={10},
  pages={557-570}
}
  • L. Sweeney
  • Published 1 October 2002
  • Computer Science
  • Int. J. Uncertain. Fuzziness Knowl. Based Syst.
Consider a data holder, such as a hospital or a bank, that has a privately held collection of person-specific, field structured data. Suppose the data holder wants to share a version of the data with researchers. How can a data holder release a version of its private data with scientific guarantees that the individuals who are the subjects of the data cannot be re-identified while the data remain practically useful? The solution provided in this paper includes a formal protection model named k… 
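
A release satisfies k-anonymity when every record is indistinguishable from at least k-1 other records on the quasi-identifier attributes. As a minimal illustration (not code from the paper), the following Python sketch checks that property for a table held as a list of dicts; the column names and the helper satisfies_k_anonymity are hypothetical.

from collections import Counter

def satisfies_k_anonymity(rows, quasi_identifiers, k):
    # Count how often each combination of quasi-identifier values occurs,
    # then require every combination to appear at least k times.
    groups = Counter(tuple(row[a] for a in quasi_identifiers) for row in rows)
    return all(n >= k for n in groups.values())

# Toy release in which generalized ZIP code, birth decade and sex
# act as the quasi-identifiers.
release = [
    {"zip": "021**", "birth": "196*", "sex": "F", "diagnosis": "flu"},
    {"zip": "021**", "birth": "196*", "sex": "F", "diagnosis": "asthma"},
    {"zip": "021**", "birth": "197*", "sex": "M", "diagnosis": "flu"},
    {"zip": "021**", "birth": "197*", "sex": "M", "diagnosis": "ulcer"},
]
print(satisfies_k_anonymity(release, ["zip", "birth", "sex"], k=2))  # True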

k-ANONYMITY: A MODEL FOR PROTECTING PRIVACY
TLDR
The paper provides a formal protection model named k-anonymity together with a set of accompanying policies for deployment, and examines re-identification attacks that can be realized on releases that adhere to k-anonymity unless the accompanying policies are respected.
Achieving k-Anonymity Privacy Protection Using Generalization and Suppression
  • L. Sweeney
  • Computer Science
    Int. J. Uncertain. Fuzziness Knowl. Based Syst.
  • 2002
TLDR
This paper provides a formal presentation of combining generalization and suppression to achieve k-anonymity, and shows that Datafly can over-distort data and that µ-Argus can additionally fail to provide adequate protection (a minimal sketch of these two operations appears after this list).
Weak k-Anonymity: A Low-Distortion Model for Protecting Privacy
TLDR
This paper gives a weaker definition of k-anonymity that allows lower distortion of the anonymized data, and shows that, under the hypothesis that the adversary is not certain a priori about the presence of a person in the table, the privacy properties are also respected in the weak k-anonymity framework.
Anonymity: Formalisation of Privacy – k-anonymity
TLDR
It is shown how l-diversity and t-closeness provide a stronger level of anonymity than k-anonymity, and a value generalization hierarchy based on the attributes model, device, version and network is provided.
Approximation Algorithms for k-Anonymity
TLDR
It is shown that the k-anonymity problem is NP-hard even when the attribute values are ternary, and an O(k)-approximation algorithm for the problem is provided.
Privacy-Preserving Distributed k-Anonymity
TLDR
A key contribution is a proof that the protocol preserves k-anonymity between the sites; this is a fundamentally different distributed privacy definition than that of secure multiparty computation, and it provides a better match with both ethical and legal views of privacy.
k-anonymity: Risks and the Reality
TLDR
This work quantifies risk as the probability of re-identification and proposes a mechanism to compute the empirical risk with respect to the cost of acquiring knowledge about quasi-identifiers, using a real-world dataset released with a k-anonymity guarantee.
k-Anonymity in Context of Digitally Signed CDA Documents
TLDR
A novel approach based on generalized redactable signatures is proposed that realizes k-anonymity for sets of digitally signed records and allows any party to verify the original digital signatures for medical data, even though these data are modified during the process of achieving k-anonymity.
Extended K-Anonymity Model for Privacy Preserving on Micro Data
TLDR
An algorithm is proposed that fully protects the propagated microdata against identity and attribute disclosure and significantly reduces the distortion ratio during the anonymization process.
...
...
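
The generalization and suppression operations mentioned in the Datafly/µ-Argus comparison above can be made concrete with a short sketch. This is not the Datafly algorithm itself, only an illustration under assumed attributes (ZIP code, age, sex): one fixed generalization step coarsens the quasi-identifiers, and records whose generalized combination still occurs fewer than k times are suppressed.

from collections import Counter

def generalize(row):
    # One fixed generalization step (illustrative only): truncate the ZIP code
    # and coarsen age to a ten-year band; sex is released unchanged.
    decade = (row["age"] // 10) * 10
    return {"zip": row["zip"][:3] + "**",
            "age": f"{decade}-{decade + 9}",
            "sex": row["sex"]}

def release_k_anonymous(rows, k):
    # Generalize every record, then suppress any record whose generalized
    # quasi-identifier combination still occurs fewer than k times.
    generalized = [generalize(r) for r in rows]
    counts = Counter(tuple(sorted(g.items())) for g in generalized)
    return [g for g in generalized if counts[tuple(sorted(g.items()))] >= k]

rows = [
    {"zip": "02139", "age": 34, "sex": "F"},
    {"zip": "02138", "age": 36, "sex": "F"},
    {"zip": "02139", "age": 35, "sex": "F"},
    {"zip": "60629", "age": 52, "sex": "M"},  # lone outlier, suppressed for k=2
]
print(release_k_anonymous(rows, k=2))

In the systems discussed in the paper the degree of generalization is chosen per attribute (e.g., via generalization hierarchies) rather than fixed in advance; the single fixed step here only illustrates how the two operations combine.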

References

SHOWING 1-10 OF 33 REFERENCES
Guaranteeing anonymity when sharing medical data, the Datafly System
We present a computer program named Datafly that maintains anonymity in medical data by automatically generalizing, substituting, and removing information as appropriate without losing many of the …
Enhancing Access to Microdata while Protecting Confidentiality: Prospects for the Future
TLDR
This article presents a scenario for the future of research access to federally collected microdata, as they relate to improvements in database techniques, computer and analytical methodologies, and legal and administrative arrangements for access to and protection of federal statistics.
Cryptography and Data Security
TLDR
The goal of this book is to introduce the mathematical principles of data security and to show how these principles apply to operating systems, database systems, and computer networks.
Towards the optimal suppression of details when disclosing medical data, the use of sub-combination analysis
TLDR
This work presents a new computational technique based on stepwise consideration of all sub-combinations of sensitive fields that can be used within the Datafly or µ-Argus architectures to help achieve optimal disclosure, and shows that doing so provides more specific data than Datafly would normally release and improves the confidentiality of results from µ-Argus.
The tracker: a threat to statistical database security
TLDR
It is shown that the compromise of small query sets can in fact almost always be accomplished with the help of characteristic formulas called trackers, and that security is not guaranteed by the lack of a general tracker (a small worked example appears after this reference list).
Microdata disclosure limitation in statistical databases: query size and random sample query control
  • G. Duncan, S. Mukherjee
  • Computer Science
    Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy
  • 1991
TLDR
A probabilistic framework is used to assess the strengths and weaknesses of two existing disclosure control mechanisms and an alternative scheme combining query set size restriction and random sample query control results in a significant decrease in the risk of disclosure.
On the Question of Statistical Confidentiality
In Section 1 the nature of statistical confidentiality is explored, i.e., its essential role in the collection of data by statistical offices, its relationship to privacy, and the need for …
Detection and elimination of inference channels in multilevel relational database systems
TLDR
A global optimization approach to upgrading is suggested to block a set of inference problems; the approach allows upgrade costs to be considered and supports security categories as well as levels.
Aggregation and inference: facts and fallacies
  • T. Lunt
  • Computer Science
    Proceedings. 1989 IEEE Symposium on Security and Privacy
  • 1989
TLDR
It is shown that sensitive associations among entities of different types are best treated by representing the sensitive association separately, classifying the individual entities low and the relationship high; the suggested approaches allow the mandatory reference monitor to protect the sensitive associations.
A Multilevel Relational Data Model
TLDR
The model is defined in terms of the standard relational model, but lends itself to a design and implementation that offers a high level of assurance for mandatory security.
...
...
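
The tracker attack referenced above ("The tracker: a threat to statistical database security") can be reproduced on a toy statistical database. The following Python sketch is an illustration under hypothetical attributes, not code from that paper: a COUNT interface refuses query sets smaller than K or larger than N - K, yet the refused count is recovered from permitted queries with a general tracker T via the identity |C| = |C or T| + |C or not T| - N.

# Toy statistical database of N = 10 records with hypothetical attributes.
records = (
    1 * [{"dept": "oncology",   "sex": "F"}] +
    2 * [{"dept": "oncology",   "sex": "M"}] +
    4 * [{"dept": "cardiology", "sex": "F"}] +
    3 * [{"dept": "cardiology", "sex": "M"}]
)
TRUE_N = len(records)
K = 2  # query sets smaller than K or larger than TRUE_N - K are refused

def count(predicate):
    # COUNT query with a query-set-size restriction.
    size = sum(1 for r in records if predicate(r))
    if size < K or size > TRUE_N - K:
        raise ValueError("query refused")
    return size

# Target characteristic C: the single female oncologist.
C = lambda r: r["dept"] == "oncology" and r["sex"] == "F"
try:
    count(C)                      # refused: result set of size 1 < K
except ValueError:
    print("direct query refused")

# General tracker T: any predicate with 2K <= count(T) <= N - 2K (here 5).
T = lambda r: r["sex"] == "M"
not_T = lambda r: not T(r)

N = count(T) + count(not_T)       # table size recovered from permitted queries
c = count(lambda r: C(r) or T(r)) + count(lambda r: C(r) or not_T(r)) - N
print(c)                          # 1 -- the refused count, inferred indirectly

Query-size restriction alone therefore does not prevent this kind of inference, which is part of the motivation for release-time protections such as k-anonymity.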