International Journal of Information Security

, Volume 12, Issue 2, pp 129–149 | Cite as

On the measurement of privacy as an attacker’s estimation error

  • David Rebollo-Monedero
  • Javier Parra-Arnau
  • Claudia Diaz
  • Jordi Forné
Regular Contribution


A wide variety of privacy metrics have been proposed in the literature to evaluate the level of protection offered by privacy-enhancing technologies. Most of these metrics are specific to concrete systems and adversarial models and are difficult to generalize or translate to other contexts. Furthermore, a better understanding of the relationships between the different privacy metrics is needed to enable more grounded and systematic approach to measuring privacy, as well as to assist system designers in selecting the most appropriate metric for a given application. In this work, we propose a theoretical framework for privacy-preserving systems, endowed with a general definition of privacy in terms of the estimation error incurred by an attacker who aims to disclose the private information that the system is designed to conceal. We show that our framework permits interpreting and comparing a number of well-known metrics under a common perspective. The arguments behind these interpretations are based on fundamental results related to the theories of information, probability, and Bayes decision.


Privacy Criteria Metrics Estimation Bayes decision theory Statistical disclosure control Anonymous communication systems Location-based services 



This work was partly supported by the Spanish Government through projects Consolider Ingenio 2010 CSD2007-00004 “ARES”, TEC2010-20572-C02-02 “Consequence” and by the Government of Catalonia under grant 2009 SGR 1362. Additional sources of funding include IWT SBO SPION, GOA TENSE, the IAP Programme P6/26 BCRYPT, and the FWO project “Contextual privacy and the proliferation of location data”. D. Rebollo-Monedero is the recipient of a Juan de la Cierva postdoctoral fellowship, JCI-2009-05259, from the Spanish Ministry of Science and Innovation. C. Diaz is funded by an FWO postdoctoral grant.


  1. 1.
    Willenborg, L., DeWaal, T.: Elements of Statistical Disclosure Control. Springer, NewYork (2001)MATHCrossRefGoogle Scholar
  2. 2.
    Jabine, T.B.: Statistical disclosure limitation practices at united states statistical agencies. J. Off. Stat. 9(2), 427–454 (1993)Google Scholar
  3. 3.
    Citteur, C.A.W., Willenborg, L.C.R.J.: Public use microdata files: current practices at national statistical bureaus. J. Off. Stat. 9(4), 783–794 (1993)Google Scholar
  4. 4.
    Domingo-Ferrer, J., Mateo-Sanz, J.M.: Practical data-oriented microaggregation for statistical disclosure control. IEEE Trans. Knowl. Data Eng. 14(1), 189–201 (2002)CrossRefGoogle Scholar
  5. 5.
    Domingo-Ferrer, J., Torra, V.: Ordinal, continuous and heterogenerous \(k\)-anonymity through microaggregation. Data Min. Knowl. Discov. 11(2), 195–212 (2005)MathSciNetCrossRefGoogle Scholar
  6. 6.
    Solanas, A., Martínez-Ballesté, A., Domingo-Ferrer, J.: VMDAV: a multivariate microaggregation with variable group size. In: Proceedings in Computational Statistics (COMPSTAT), Springer, Rome, Italy (2006)Google Scholar
  7. 7.
    Rebollo-Monedero, D., Forné, J., Soriano, M.: Private location-based information retrieval via \(k\)-anonymous clustering. In: Proceedings of the CNIT International Workshop on Digital Communication, Series Lecture Notes in Computer Science (LNCS), Sept. 2009, Springer, Sardinia, Italy, invited paper (2009)Google Scholar
  8. 8.
    Sweeney, L.: \(k\)-Anonymity: a model for protecting privacy. Int. J. Uncertain. Fuzz. Knowl. Based Syst. 10(5), 557–570 (2002)MathSciNetMATHCrossRefGoogle Scholar
  9. 9.
    Samarati, P.: Protecting respondents’ identities in microdata release. IEEE Trans. Knowl. Data Eng. 13(6), 1010–1027 (2001)CrossRefGoogle Scholar
  10. 10.
    Truta, T.M., Vinay, B.: Privacy protection: \(p\)-sensitive \(k\)-anonymity property. In: Proceedings of the International Workshop on Privacy Data Management (PDM), Atlanta, GA, p. 94 (2006)Google Scholar
  11. 11.
    Machanavajjhala, A., Gehrke, J., Kiefer, D., Venkitasubramanian, M.: \(l\)-Diversity: privacy beyond \(k\)-anonymity. In: Proceedings of the IEEE International Conference on Data Engineering (ICDE), Atlanta, GA, Apr 2006, p. 24 (2006)Google Scholar
  12. 12.
    Li, N., Li, T., Venkatasubramanian, S.: \(t\)-Closeness: privacy beyond \(k\)-anonymity and \(l\)-diversity. In: Proceedings of the IEEE International Conference on Data Engineering (ICDE), Istanbul, Turkey, Apr 2007, pp. 106–115 (2007)Google Scholar
  13. 13.
    Brickell, J., Shmatikov, V.: The cost of privacy: Destruction of data-mining utility in anonymized data publishing. In: Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD), Las Vegas, NV, Aug 2008 (2008)Google Scholar
  14. 14.
    Dwork, C.: Differential privacy. In: Proceedings of the International Colloquium on Automata, Languages and Programming, Springer, pp. 1–12 (2006)Google Scholar
  15. 15.
    Rebollo-Monedero, D., Forné, J., Domingo-Ferrer, J.: From \(t\)-closeness-like privacy to postrandomization via information theory. IEEE Trans. Knowl. Data Eng., 22(11), 1623–1636, Nov. 2010. [Online]. Available: (2010)
  16. 16.
    Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 24(2), 84–88 (1981)CrossRefGoogle Scholar
  17. 17.
    Cottrell, L.: Mixmaster and remailer attacks. [Online]. Available: (1994)
  18. 18.
    Danezis, G., Dingledine, R., Mathewson, N.: Mixminion: design of a type III anonymous remailer protocol. In: Proceedings of the IEEE Symposium on Security and Privacy (SP), Berkeley, CA, pp. 2–15, May (2003)Google Scholar
  19. 19.
    Duckham, M., Mason, K., Stell, J., Worboys, M.: A formal approach to imperfection in geographic information. Comput. Environ. Urban Syst. 25(1), 89–103 (2001)CrossRefGoogle Scholar
  20. 20.
    Lehmann, E.L.: Theory of Point Estimation. Springer, New York (1983)MATHCrossRefGoogle Scholar
  21. 21.
    Reiter, M.K., Rubin, A.D.: Crowds: anonymity for web transactions. ACM Trans. Inform. Syst. Secur. 1(1), 66–92 (1998)CrossRefGoogle Scholar
  22. 22.
    Berthold, O., Pfitzmann, A., Standtke, R.: The disadvantages of free MIX routes and how to overcome them. In: Proceedings of the Designing Privacy Enhancing Technologies: Workshop Design Issues in Anonymity, Unobservability, Series Lecture Notes in Computer Science (LNCS), Springer, Berkeley, CA, July 2000, pp. 30–45 (2000)Google Scholar
  23. 23.
    Serjantov, A., Danezis, G.: Towards an information theoretic metric for anonymity. In: Proceedings of the Workshop on Privacy Enhancing Technologies (PET), vol. 2482, pp. 41–53. Springer (2002)Google Scholar
  24. 24.
    Díaz, C., Seys, S., Claessens, J., Preneel, B.: Towards measuring anonymity. In: Proceedings of the Workshop on Privacy Enhancing Technologies (PET), Series Lecture Notes in Computer Science (LNCS), vol. 2482, pp. 54–68. Springer, Apr 2002 (2002)Google Scholar
  25. 25.
    Tóth, G., Hornák, Z., Vajda, F.: Measuring anonymity revisited. In: Proceedings of the Nordic Workshop on Secure IT Systems, Nov, pp. 85–90 (2004)Google Scholar
  26. 26.
    Clauß, S., Schiffner, S.: Structuring anonymity metrics. In: Proceedings of the ACM Workshop on Digital Identity Management (DIM), ACM, Fairfax, VA, Nov 2006, pp. 55–62 (2006)Google Scholar
  27. 27.
    Syverson, P., Stubblebine, S.: Group principals and the formalization of anonymity. In: Proceedings of the World Congress on Formal Methods, pp. 814–833 (1999)Google Scholar
  28. 28.
    Mauw, S., Verschuren, J., de Vink, E.P.: A formalization of anonymity and onion routing. In: Proceedings of the European Symposium on Research in Computer Security (ESORICS), vol. 3193. Lecture Notes in Computer Science (LNCS), pp. 109–124 (2004) Google Scholar
  29. 29.
    Feigenbaum, J., Johnson, A., Syverson, P.: A model of onion routing with provable anonymity. In: Proceedings of the Financial Cryptography and Data Security (FI), Springer (2007)Google Scholar
  30. 30.
    Edman, M., Sivrikaya, F., Yener, B.: A combinatorial approach to measuring anonymity. IEEE J. Intell. Secur. Inform. 356–363 (2007)Google Scholar
  31. 31.
    Gierlichs, B., Troncoso, C., Díaz, C., Preneel, B., Verbauwhede, I.: Revisiting a combinatorial approach toward measuring anonymity. In: Proceedings of the ACM Workshop on Privacy in the Electronic Society, ACM, pp. 111–116 (2008)Google Scholar
  32. 32.
    Bagai, R., Lu, H., Li, R., Tang, B.: An accurate system-wide anonymity metric for probabilistic attacks. In: Proceedings of the Workshop on Privacy Enhancing Technologies (PET), Series Lecture Notes in Computer Science (LNCS), vol. 6794, pp. 117–133, Springer (2011)Google Scholar
  33. 33.
    Shokri, R., Freudiger, J., Jadliwala, M., Hubaux, J.P.: A distortion-based metric for location privacy. In: Proceedings of the ACM Workshop on Privacy in the Electronic Society (2009)Google Scholar
  34. 34.
    Shokri, R., Theodorakopoulos, G., Boudec, J.Y.L., Hubaux, J.P.: Quantifying location privacy. In: Proceedings of the IEEE Symposium on Security and Privacy (SP), IEEE Comput. Soc., Washington, DC, USA, pp. 247–262 (2011)Google Scholar
  35. 35.
    Cover, T.M., Thomas, J.A.: Elements of Information Theory, 2nd edn. Wiley, New York (2006)Google Scholar
  36. 36.
    Berger, J.O.: Statistical Decision Theory and Bayesian Analysis. Springer, New York (1985)MATHCrossRefGoogle Scholar
  37. 37.
    Duda, R.O., Hart, P.E., Stork, D.G.: Pattern Classification, 2nd edn. Wiley, New York (2001)MATHGoogle Scholar
  38. 38.
    Algoet, P.H., Cover, T.M.: A sandwich proof of the Shannon-McMillan-Breiman theorem. Ann. Prob. 16(2), 899–909 (1988)MathSciNetMATHCrossRefGoogle Scholar
  39. 39.
    Shannon, C.E.: Coding theorems for a discrete source with a fidelity criterion. In: IRE National Convention Record, vol. 7, Part 4, pp. 142–163 (1959)Google Scholar
  40. 40.
    Reid, D.B.: An algorithm for tracking multiple targets. IEEE Trans. Autom. Control 24(6), 843–854 (1979)CrossRefGoogle Scholar
  41. 41.
    Hastings, W.K.: Monte carlo sampling methods using markov chains and their applications. Biometrika 57(1), 97–109 (1970)MATHCrossRefGoogle Scholar
  42. 42.
    Danezis, G.: Statistical disclosure attacks: traffic confirmation in open environments. In: Proceedings of the Security and Privacy in the Age of Uncertainty (SEC), Athens, Greece, May 2003, pp. 421–426 (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • David Rebollo-Monedero
    • 1
  • Javier Parra-Arnau
    • 1
  • Claudia Diaz
    • 2
  • Jordi Forné
    • 1
  1. 1.Department of Telematics EngineeringUniversitat Politècnica de CatalunyaBarcelona, CataloniaSpain
  2. 2.Katholieke Universiteit LeuvenESAT/SCD/IBBT-COSICLeuven-HeverleeBelgium

Personalised recommendations