Abstract
A wide variety of privacy metrics have been proposed in the literature to evaluate the level of protection offered by privacy-enhancing technologies. Most of these metrics are specific to concrete systems and adversarial models and are difficult to generalize or translate to other contexts. Furthermore, a better understanding of the relationships between the different privacy metrics is needed to enable a more grounded and systematic approach to measuring privacy, as well as to assist system designers in selecting the most appropriate metric for a given application. In this work, we propose a theoretical framework for privacy-preserving systems, endowed with a general definition of privacy in terms of the estimation error incurred by an attacker who aims to disclose the private information that the system is designed to conceal. We show that our framework permits interpreting and comparing a number of well-known metrics under a common perspective. The arguments behind these interpretations rest on fundamental results from information theory, probability theory, and Bayesian decision theory.
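As an added illustration of the idea in the abstract (this is example code written for this page, not the paper's own model or implementation), the block below takes a constructed posterior that an adversary might hold over the identity of a message sender after observing an anonymity system, computes the Bayes-optimal guess and its expected loss (the "estimation error" view of privacy) under a 0-1 loss, and places the result next to the Shannon-entropy and min-entropy anonymity metrics. Fano's inequality is evaluated to show one concrete link between the entropy view and the error-probability view. A second, numeric-valued secret (a constructed one-dimensional location) shows that changing the loss function to squared error turns the same definition into a variance-style distortion metric. All probabilities and positions are made up for illustration.

```python
from math import log2

# Constructed posteriors p(x | observation) over four candidate senders.
# These numbers are invented for the illustration.
SKEWED = {"alice": 0.5, "bob": 0.3, "carol": 0.15, "dave": 0.05}
UNIFORM = {"alice": 0.25, "bob": 0.25, "carol": 0.25, "dave": 0.25}

# Constructed posterior over a numeric secret (position in km on a line).
LOCATION = {0.0: 0.25, 1.0: 0.25, 2.0: 0.25, 3.0: 0.25}


def shannon_entropy(p):
    """Entropy in bits of a distribution given as {outcome: probability}."""
    return -sum(q * log2(q) for q in p.values() if q > 0)


def min_entropy(p):
    """Min-entropy in bits: -log2 of the adversary's best single-guess success."""
    return -log2(max(p.values()))


def zero_one_loss(guess, truth):
    """Loss for identity-style secrets: 1 if the guess is wrong, else 0."""
    return 0.0 if guess == truth else 1.0


def squared_loss(guess, truth):
    """Loss for numeric secrets: squared distance between guess and truth."""
    return (guess - truth) ** 2


def bayes_estimate(posterior, loss, candidates):
    """Return (best_guess, expected_loss).

    The best guess is the candidate minimising the posterior expected loss;
    that minimum is the attacker's estimation error for this posterior,
    i.e. the privacy the system still affords under this loss.
    """
    best = None
    for g in candidates:
        risk = sum(q * loss(g, x) for x, q in posterior.items())
        if best is None or risk < best[1]:
            best = (g, risk)
    return best


def fano_bound(p_err, n_outcomes):
    """Right-hand side of Fano's inequality: h(Pe) + Pe * log2(|X| - 1).

    For the MAP guess, the entropy of the posterior can never exceed it.
    """
    if p_err in (0.0, 1.0):
        h = 0.0
    else:
        h = -(p_err * log2(p_err) + (1 - p_err) * log2(1 - p_err))
    return h + p_err * log2(n_outcomes - 1)


def compare_metrics(posterior):
    """Error-probability view and entropy views of the same posterior."""
    guess, p_err = bayes_estimate(posterior, zero_one_loss, posterior.keys())
    return {
        "map_guess": guess,
        "error_probability": p_err,
        "shannon_entropy": shannon_entropy(posterior),
        "min_entropy": min_entropy(posterior),
        "fano_bound": fano_bound(p_err, len(posterior)),
    }


def location_privacy(posterior):
    """Under squared loss the Bayes estimate is the posterior mean and the
    estimation error is the posterior variance; returns (mean, variance)."""
    mean = sum(x * q for x, q in posterior.items())
    variance = sum(q * (x - mean) ** 2 for x, q in posterior.items())
    return mean, variance


if __name__ == "__main__":
    for name, post in (("skewed", SKEWED), ("uniform", UNIFORM)):
        print(name, compare_metrics(post))
    print("location", location_privacy(LOCATION))
```

On the uniform posterior every metric agrees that the adversary learns nothing beyond the prior (error probability 3/4, two bits of entropy, and Fano's bound is met with equality). On the skewed posterior the views diverge: Shannon entropy still reports about 1.65 bits, while min-entropy and the error probability both say the attacker is right half the time, which is the kind of discrepancy a common estimation-error perspective is meant to make explicit.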
Acknowledgments
This work was partly supported by the Spanish Government through projects Consolider Ingenio 2010 CSD2007-00004 “ARES”, TEC2010-20572-C02-02 “Consequence” and by the Government of Catalonia under grant 2009 SGR 1362. Additional sources of funding include IWT SBO SPION, GOA TENSE, the IAP Programme P6/26 BCRYPT, and the FWO project “Contextual privacy and the proliferation of location data”. D. Rebollo-Monedero is the recipient of a Juan de la Cierva postdoctoral fellowship, JCI-2009-05259, from the Spanish Ministry of Science and Innovation. C. Diaz is funded by an FWO postdoctoral grant.
Cite this article
Rebollo-Monedero, D., Parra-Arnau, J., Diaz, C. et al. On the measurement of privacy as an attacker’s estimation error. Int. J. Inf. Secur. 12, 129–149 (2013). https://doi.org/10.1007/s10207-012-0182-5
DOI: https://doi.org/10.1007/s10207-012-0182-5