A Methodology to Compare Anonymization Methods Regarding Their Risk-Utility Trade-off

  • Josep Domingo-Ferrer
  • Sara RicciEmail author
  • Jordi Soria-Comas
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10571)


We present here a methodology to compare statistical disclosure control methods for microdata in terms of how they perform regarding the risk-utility trade-off. Previous comparative studies (e.g. [3]) usually start by selecting some parameter values for a set of SDC methods and evaluate the disclosure risk and the information loss yielded by the methods for those parameterizations. In contrast, here we start by setting a certain risk level (resp. utility preservation level) and then we find which parameter values are needed to attain that risk (resp. utility) under different SDC methods; finally, once we have achieved an equivalent risk (resp. utility) level across methods, we evaluate the utility (resp. the risk) provided by each method, in order to rank methods according to their utility preservation (resp. disclosure protection), given a certain level of risk (resp. utility) and a certain original data set. The novelty of this comparison is not limited to the above-described methodology: we also justify and use general utility and risk measures that differ from those used in previous comparisons. Furthermore, we present experimental results of our methodology when used to compare the utility preservation of several methods given an equivalent level of risk for all of them.


Record linkage Disclosure risk Utility preservation Privacy Permutation paradigm 


Acknowledgments and Disclaimer

The following funding sources are gratefully acknowledged: European Commission (projects H2020 644024 “CLARUS” and H2020 700540 “CANVAS”), Government of Catalonia (ICREA Acadèmia Prize to J. Domingo- Ferrer and grant 2014 SGR 537), Spanish Government (projects TIN2011-27076-C03-01 “CO-PRIVACY”, TIN2014-57364-C2-R “SmartGlacis” and TIN2016-80250-R, “Sec-MCloud”). The authors are with the UNESCO Chair in Data Privacy, but the views in this paper are their own and do not necessarily reflect those of UNESCO.


  1. 1.
    Brand, R., Domingo-Ferrer, J., Mateo-Sanz, J.M.: Reference data sets to test and compare SDC methods for protection of numerical microdata. European Project IST-2000-25069 CASC (2002)Google Scholar
  2. 2.
    Domingo-Ferrer, J., Muralidhar, K.: New directions in anonymization: permutation paradigm, verifiability by subjects and intruders, transparency to users. Inf. Sci. 337, 11–24 (2016)CrossRefGoogle Scholar
  3. 3.
    Domingo-Ferrer, J., Torra, V.: A quantitative comparison of disclosure control methods for microdata. In: Doyle, P., Lane, J.I., Theeuwes, J.J.M., Zayatz, L. (eds.) Confidentiality, Disclosure and Data Access: Theory and Practical Applications for Statistical Agencies, pp. 111–134. North-Holland, Amsterdam (2001)Google Scholar
  4. 4.
    Domingo-Ferrer, J., Torra, V.: Ordinal, continuous and heterogeneous k-anonymity through microaggregation. Data Mining Knowl. Discov. 11(2), 195–212 (2005)MathSciNetCrossRefGoogle Scholar
  5. 5.
    Dwork, C.: Differential privacy. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 1–12. Springer, Heidelberg (2006). doi: 10.1007/11787006_1 CrossRefGoogle Scholar
  6. 6.
    Höhne, J.: Varianten von Zufallsüberlagerung (in German). Working paper of the project “Faktische Anonymisierung wirtschaftsstatistischer Einzeldaten” (2004)Google Scholar
  7. 7.
    Hundepool, A., Domingo-Ferrer, J., Franconi, L., Giessing, S., Nordholt, E.S., Spicer, K., De Wolf, P.P.: Statistical Disclosure Control. Wiley, Chichester (2012)CrossRefGoogle Scholar
  8. 8.
    Rubner, Y., Tomasi, C., Guibas, L.J.: The earth mover’s distance as a metric for image retrieval. Int. J. Comput. Vis. 40(2), 99–121 (2000)CrossRefzbMATHGoogle Scholar
  9. 9.
    Samarati, P., Sweeney, L.: Protecting privacy when disclosing information: k-anonymity and its enforcement through generalization and suppression. Technical report, SRI International (1998)Google Scholar
  10. 10.
    Torra, V., Domingo-Ferrer, J.: Record linkage methods for multidatabase data mining. In: Torra, V. (ed.) Information Fusion in Data Mining, pp. 101–132. Springer, Heidelberg (2003). doi: 10.1007/978-3-540-36519-8_7 CrossRefGoogle Scholar
  11. 11.
    Winkler, W.E.: Matching and Record Linkage. Wiley, New York (1995)CrossRefGoogle Scholar
  12. 12.
    Woo, M.J., Reiter, J.P., Oganian, A., Karr, A.F.: Global measures of data utility for microdata masked for disclosure limitation. J. Priv. Confidentiality 1(1), 7 (2009)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Josep Domingo-Ferrer
    • 1
  • Sara Ricci
    • 1
    Email author
  • Jordi Soria-Comas
    • 1
  1. 1.UNESCO Chair in Data Privacy, Department of Computer Science and MathematicsUniversitat Rovira i VirgiliTarragonaCatalonia

Personalised recommendations