If, for a given k, k-anonymity is assumed to be sufficient protection, one can concentrate on minimizing information loss with the only constraint that k-anonymity should be satisfied. This is a clean way of solving the tension between data protection and data utility. Since k-anonymity is usually achieved via generalization (equivalent to global recoding, as said above) and local suppression, minimizing information loss usually translates to reducing the number and/or the magnitude of suppressions.
k-Anonymity bears some resemblance to the underlying principle of microaggregation and is a useful concept because quasi-identifiers are usually categorical or can be categorized, i.e., they take values in a finite (and ideally reduced) range. However, re-identification is not necessarily based on categorical key attributes: sometimes, numerical outcome attributes (which are continuous and often cannot be categorized) give enough clues for re-identification. Microaggregation was suggested as a possible way to achieve k-anonymity for numerical, ordinal and nominal attributes .
p-Sensitive k-anonymity is a stronger property whereby it is required that a dataset is k-anonymous and additionally that there are at least p distinct values for each confidential attribute within a group of records sharing a combination of key attributes .
- 3.Samarati P, Sweeney L. Protecting privacy when disclosing information: k-anonymity and its enforcement through generalization and suppression. Technicalreport, SRI International; 1998.Google Scholar
- 4.Truta TM, Vinay B. Privacy protection: p-sensitivek-anonymity property. In: Proceedings of 2nd International Workshop on Privacy Data Management; 2006. p. 94.Google Scholar