A Methodology to Compare Anonymization Methods Regarding Their Risk-Utility Trade-off
We present here a methodology to compare statistical disclosure control methods for microdata in terms of how they perform regarding the risk-utility trade-off. Previous comparative studies (e.g. ) usually start by selecting some parameter values for a set of SDC methods and evaluate the disclosure risk and the information loss yielded by the methods for those parameterizations. In contrast, here we start by setting a certain risk level (resp. utility preservation level) and then we find which parameter values are needed to attain that risk (resp. utility) under different SDC methods; finally, once we have achieved an equivalent risk (resp. utility) level across methods, we evaluate the utility (resp. the risk) provided by each method, in order to rank methods according to their utility preservation (resp. disclosure protection), given a certain level of risk (resp. utility) and a certain original data set. The novelty of this comparison is not limited to the above-described methodology: we also justify and use general utility and risk measures that differ from those used in previous comparisons. Furthermore, we present experimental results of our methodology when used to compare the utility preservation of several methods given an equivalent level of risk for all of them.
KeywordsRecord linkage Disclosure risk Utility preservation Privacy Permutation paradigm
Acknowledgments and Disclaimer
The following funding sources are gratefully acknowledged: European Commission (projects H2020 644024 “CLARUS” and H2020 700540 “CANVAS”), Government of Catalonia (ICREA Acadèmia Prize to J. Domingo- Ferrer and grant 2014 SGR 537), Spanish Government (projects TIN2011-27076-C03-01 “CO-PRIVACY”, TIN2014-57364-C2-R “SmartGlacis” and TIN2016-80250-R, “Sec-MCloud”). The authors are with the UNESCO Chair in Data Privacy, but the views in this paper are their own and do not necessarily reflect those of UNESCO.
- 1.Brand, R., Domingo-Ferrer, J., Mateo-Sanz, J.M.: Reference data sets to test and compare SDC methods for protection of numerical microdata. European Project IST-2000-25069 CASC (2002)Google Scholar
- 3.Domingo-Ferrer, J., Torra, V.: A quantitative comparison of disclosure control methods for microdata. In: Doyle, P., Lane, J.I., Theeuwes, J.J.M., Zayatz, L. (eds.) Confidentiality, Disclosure and Data Access: Theory and Practical Applications for Statistical Agencies, pp. 111–134. North-Holland, Amsterdam (2001)Google Scholar
- 6.Höhne, J.: Varianten von Zufallsüberlagerung (in German). Working paper of the project “Faktische Anonymisierung wirtschaftsstatistischer Einzeldaten” (2004)Google Scholar
- 9.Samarati, P., Sweeney, L.: Protecting privacy when disclosing information: k-anonymity and its enforcement through generalization and suppression. Technical report, SRI International (1998)Google Scholar
- 12.Woo, M.J., Reiter, J.P., Oganian, A., Karr, A.F.: Global measures of data utility for microdata masked for disclosure limitation. J. Priv. Confidentiality 1(1), 7 (2009)Google Scholar