Towards a Systematic Analysis of Privacy Definitions

In statistical privacy, a privacy definition is regarded as a set of algorithms that are allowed to process sensitive data. It is often helpful to consider the complementary view that privacy definitions are also contracts that guide the behavior of algorithms that take in sensitive data and produce sanitized data. Historically, data privacy breaches have been the result of fundamental misunderstandings about what a particular privacy definition guarantees. Privacy definitions are often analyzed using a highly targeted approach: a specific attack strategy is evaluated to determine if a specific type of information can be inferred. If the attack works, one can conclude that the privacy definition is too weak. If it doesn't work, one often gains little information about its security (perhaps a slightly different attack would have worked?). Furthermore, these strategies will not identify cases where a privacy definition protects unnecessary pieces of information. On the other hand, technical results concerning generalizable and systematic analyses of privacy are few in number, but such results have significantly advanced our understanding of the design of privacy definitions. We add to this literature with a novel methodology for analyzing the Bayesian properties of a privacy definition. Its goal is to identify precisely the type of information being protected, hence making it easier to identify (and later remove) unnecessary data protections. Using privacy building blocks (which we refer to as axioms), we turn questions about semantics into mathematical problems -- the construction of a consistent normal form and the subsequent construction of the row cone (which is a geometric object that encapsulates Bayesian guarantees provided by a privacy definition). We apply these ideas to study randomized response, FRAPP/PRAM, and several algorithms that add integer-valued noise to their inputs; we show that their privacy properties can be stated in terms of the protection of various notions of parity of a dataset. Randomized response, in particular, provides unnecessarily strong protections for parity, and so we also show how our methodology can be used to relax privacy definitions.

• Publication year

  2014

• Venue

  Journal of Privacy and Confidentiality

• Publication date

  2014-02-01

• Fields of study

  Computer Science

• Identifiers
  DOI 10.29012/JPC.V5I2.631
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• A learning theory approach to noninteractive database privacy

  2013cited by this paper
• [Blank page]

  2013cited by this paper
• Worst- and average-case privacy breaches in randomization mechanisms

  2012influential reference
• Differential Privacy and Statistical Disclosure Risk Measures: An Investigation with Binary Synthetic Data

  2012cited by this paper
• The power of the dinur-nissim algorithm: breaking privacy of statistical and graph databases

  2012cited by this paper
• A rigorous and customizable framework for privacy

  2012cited by this paper
• De-anonymizing social networks

  2012cited by this paper
• An Axiomatic View of Statistical Privacy and Utility

  2012influential reference
• Reasoning about privacy using axioms

  2012cited by this paper
• No free lunch in data privacy

  2011cited by this paper
• Noiseless Database Privacy

  2011cited by this paper
• Wherefore art thou R3579X?

  2011cited by this paper
• Towards Privacy for Social Networks: A Zero-Knowledge Based Definition of Privacy

  2011cited by this paper
• Transparent anonymization: Thwarting adversaries who know the algorithm

  2010cited by this paper
• Towards an axiomatization of statistical privacy and utility

  2010influential reference
• The price of privately releasing contingency tables and the spectra of random matrices with correlated rows

  2010cited by this paper
• Purely Finitely Additive Measures are Non-Constructible Objects

  2010cited by this paper
• On the Difficulties of Disclosure Prevention in Statistical Databases or The Case for Differential Privacy

  2010cited by this paper
• Privacy-Preserving Data Publishing

  2009cited by this paper
• On the complexity of differentially private data release: efficient algorithms and hardness results

  2009cited by this paper
• Attacks on privacy and deFinetti's theorem

  2009cited by this paper
• Relationship privacy: output perturbation for queries with joins

  2009influential reference
• Composition attacks and auxiliary information in data privacy

  2008cited by this paper
• Universally utility-maximizing privacy mechanisms

  2008cited by this paper
• New Efficient Attacks on Statistical Disclosure Control Mechanisms

  2008cited by this paper
• A Survey of Attack Techniques on Privacy-Preserving Data Perturbation Methods

  2008cited by this paper
• A Note on Differential Privacy: Defining Resistance to Arbitrary Side Information

  2008influential reference
• k-Anonymization Revisited

  2008cited by this paper
• Information Leakage in Optimal Anonymized and Diversified Data

  2008cited by this paper
• A learning theory approach to non-interactive database privacy

  2008cited by this paper
• The price of privacy and the limits of LP decoding

  2007cited by this paper
• t-Closeness: Privacy Beyond k-Anonymity and l-Diversity

  2007cited by this paper
• Information disclosure under realistic assumptions: privacy versus optimality

  2007cited by this paper
• Minimality Attack in Privacy Preserving Data Publishing

  2007cited by this paper
• Anonymizing Social Networks

  2007cited by this paper
• Calibrating Noise to Sensitivity in Private Data Analysis

  2006cited by this paper
• Differential Privacy

  2006cited by this paper
• When Random Sampling Preserves Privacy

  2006cited by this paper
• A Face Is Exposed for AOL Searcher No

  2006cited by this paper
• How To Break Anonymity of the Netflix Prize Dataset

  2006cited by this paper
• `-Diversity : Privacy Beyond k-Anonymity

  2006cited by this paper
• L-diversity: privacy beyond k-anonymity

  2006cited by this paper
• Estimating Risks of Identification Disclosure in Microdata

  2005cited by this paper
• Practical privacy: the SuLQ framework

  2005cited by this paper
• Deriving private information from randomized data

  2005cited by this paper
• A framework for high-accuracy privacy-preserving mining

  2004cited by this paper
• Re-identification Methods for Masked Microdata

  2004cited by this paper
• A formal analysis of information disclosure in data exchange

  2004influential reference
• Statistical Inference

  2003cited by this paper
• Limiting privacy breaches in privacy preserving data mining

  2003influential reference
• On the privacy preserving properties of random data perturbation techniques

  2003cited by this paper
• Revealing information while preserving privacy

  2003cited by this paper
• k-Anonymity: A Model for Protecting Privacy

  2002influential reference
• Defining Privacy for Data Mining

  2002cited by this paper
• Protecting Respondents' Identities in Microdata Release

  2001cited by this paper
• Elements of Statistical Disclosure Control

  2000cited by this paper
• Protecting privacy when disclosing information: k-anonymity and its enforcement through generalization and suppression

  1998cited by this paper
• Post randomisation for statistical disclosure control: Theory and implementation

  1997influential reference
• Statistical Disclosure Control in Practice

  1996cited by this paper
• Handbook of Analysis and Its Foundations

  1996influential reference
• Infinite Dimensional Analysis: A Hitchhiker’s Guide

  1994cited by this paper
• Journal of the Royal Statistical Society (B): Gary K. Grunwald, Adrian E. Raftery and Peter Guttorp, 1993, “Time series of continuous proportions”, 55, 103–116.☆

  1993cited by this paper
• Combinatorial Optimization

  1992cited by this paper
• The Risk of Disclosure for Microdata

  1989cited by this paper
• Real & Complex Analysis

  1987cited by this paper
• Randomized response: a survey technique for eliminating evasive answer bias.

  1965cited by this paper
• The frequency distribution of the difference between two Poisson variates belonging to different populations.

  1946influential reference

• Automated city shuttles: Mapping the key challenges in cybersecurity, privacy and standards to future developments

  2022cites this paper
• A Novel Study of Different Privacy Frameworks Metrics and Patterns

  2020cites this paper
• Bootstrap Differential Privacy

  2019cites this paper
• A New Data Collection Technique for Preserving Privacy

  2018cites this paper
• Designing statistical privacy for your data

  2015cites this paper
• A Note on Data Privacy: Past, Present, and Future

  2015cites this paper
• New Technologies for Privacy Protection in Data Collection and Analysis

  2014cites this paper