On the measurement of privacy as an attacker’s estimation error

Regular Contribution, International Journal of Information Security

Abstract

A wide variety of privacy metrics have been proposed in the literature to evaluate the level of protection offered by privacy-enhancing technologies. Most of these metrics are specific to concrete systems and adversarial models and are difficult to generalize or translate to other contexts. Furthermore, a better understanding of the relationships between the different privacy metrics is needed to enable a more grounded and systematic approach to measuring privacy, as well as to assist system designers in selecting the most appropriate metric for a given application. In this work, we propose a theoretical framework for privacy-preserving systems, endowed with a general definition of privacy in terms of the estimation error incurred by an attacker who aims to disclose the private information that the system is designed to conceal. We show that our framework permits interpreting and comparing a number of well-known metrics under a common perspective. The arguments behind these interpretations are based on fundamental results related to the theories of information, probability, and Bayes decision.



Acknowledgments

This work was partly supported by the Spanish Government through projects Consolider Ingenio 2010 CSD2007-00004 “ARES”, TEC2010-20572-C02-02 “Consequence” and by the Government of Catalonia under grant 2009 SGR 1362. Additional sources of funding include IWT SBO SPION, GOA TENSE, the IAP Programme P6/26 BCRYPT, and the FWO project “Contextual privacy and the proliferation of location data”. D. Rebollo-Monedero is the recipient of a Juan de la Cierva postdoctoral fellowship, JCI-2009-05259, from the Spanish Ministry of Science and Innovation. C. Diaz is funded by an FWO postdoctoral grant.

Corresponding author

Correspondence to Jordi Forné.

Cite this article

Rebollo-Monedero, D., Parra-Arnau, J., Diaz, C. et al. On the measurement of privacy as an attacker’s estimation error. Int. J. Inf. Secur. 12, 129–149 (2013). https://doi.org/10.1007/s10207-012-0182-5
