TY - GEN
T1 - Empirical privacy and empirical utility of anonymized data
AU - Cormode, Graham
AU - Procopiuc, Cecilia M.
AU - Shen, Entong
AU - Srivastava, Divesh
AU - Yu, Ting
PY - 2013
Y1 - 2013
N2 - Procedures to anonymize data sets are vital for companies, government agencies and other bodies to meet their obligations to share data without compromising the privacy of the individuals contributing to it. Despite much work on this topic, the area has not yet reached stability. Early models (k-anonymity and ℓ-diversity) are now thought to offer insufficient privacy. Noise-based methods like differential privacy are seen as providing stronger privacy, but less utility. However, across all methods sensitive information of some individuals can often be inferred with relatively high accuracy. In this paper, we reverse the idea of a 'privacy attack,' by incorporating it into a measure of privacy. Hence, we advocate the notion of empirical privacy, based on the posterior beliefs of an adversary, and their ability to draw inferences about sensitive values in the data. This is not a new model, but rather a unifying view: it allows us to study several well-known privacy models which are not directly comparable otherwise. We also consider an empirical approach to measuring utility, based on a workload of queries. Consequently, we are able to place different privacy models including differential privacy and early syntactic models on the same scale, and compare their privacy/utility tradeoff. We learn that, in practice, the difference between differential privacy and various syntactic models is less dramatic than previously thought, but there are still clear domination relations between them.
AB - Procedures to anonymize data sets are vital for companies, government agencies and other bodies to meet their obligations to share data without compromising the privacy of the individuals contributing to it. Despite much work on this topic, the area has not yet reached stability. Early models (k-anonymity and ℓ-diversity) are now thought to offer insufficient privacy. Noise-based methods like differential privacy are seen as providing stronger privacy, but less utility. However, across all methods sensitive information of some individuals can often be inferred with relatively high accuracy. In this paper, we reverse the idea of a 'privacy attack,' by incorporating it into a measure of privacy. Hence, we advocate the notion of empirical privacy, based on the posterior beliefs of an adversary, and their ability to draw inferences about sensitive values in the data. This is not a new model, but rather a unifying view: it allows us to study several well-known privacy models which are not directly comparable otherwise. We also consider an empirical approach to measuring utility, based on a workload of queries. Consequently, we are able to place different privacy models including differential privacy and early syntactic models on the same scale, and compare their privacy/utility tradeoff. We learn that, in practice, the difference between differential privacy and various syntactic models is less dramatic than previously thought, but there are still clear domination relations between them.
UR - http://www.scopus.com/inward/record.url?scp=84881395512&partnerID=8YFLogxK
U2 - 10.1109/ICDEW.2013.6547431
DO - 10.1109/ICDEW.2013.6547431
M3 - Conference contribution
AN - SCOPUS:84881395512
SN - 9781467353021
T3 - Proceedings - International Conference on Data Engineering
SP - 77
EP - 82
BT - 2013 IEEE 29th International Conference on Data Engineering Workshops, ICDEW 2013
T2 - 2013 IEEE 29th International Conference on Data Engineering Workshops, ICDEW 2013
Y2 - 8 April 2013 through 11 April 2013
ER -