The two corresponding lines of privacy research have evolved independently, yielding different formalisms for stating privacy guarantees. In this chapter, we show that privacy guarantees in view-based and generalization-based publishing are related, being both particular cases of guarantees in a general privacy model. We call this model the Generic Bayesian Privacy (GBP) model as it offers guarantees based on the revision of the attacker's belief about the secret between the state before and after seeing the published data.

We start by developing in Section 2 a generic model for attacks attempting to glean knowledge about the sensitive part of the database starting from the published part thereof, also exploiting external knowledge. In Section 3, we show how privacy guarantees developed for view-based publishing systems can be cast as particular cases in the GBP model. Then in Section 4 we connect generalization-based publishing to the GBP model. Exploiting the uniform formalization using the GBP model, Section 5 compares various privacy guarantees from both view-based and generalization-based publishing. Finally, Section 6 shows how the GBP model can be applied to formulate and check meaningful privacy guarantees for publishing in open-world information integration systems.
2 GBP: A Generic Bayesian Privacy Model
The published data. The data owner publishes part of the database D, possibly after some processing such as filtering, aggregation, anonymization, etc. For the purpose of our discussion, this processing can be modeled as a function V, whose result V(D) is being released.

The secret. The owner wishes to keep sensitive data secret. Since sensitivity depends on the application and is best judged by the data owner, she must be provided with the possibility to declare which data is to be kept secret. The secret may be a subset of the database, possibly altered by processing, which we shall model as another function S, whose result S(D) is the secret.

We note that in the generic model, V and S are arbitrary functions from databases to databases. However, in the running example of this section, we shall express such functions by queries. We shall see in Section 4 examples of functions expressed differently, as anonymization functions.
Example 1. Consider a database whose only relation contains tuples associating the patient with the ailment he suffered from and the doctor who treated him: PDA(patient, doctor, ailment). The secret S is the association between patients and their ailment, specifiable by the owner for instance using the query S(p, a) :- PDA(p, d, a).
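The following is an added illustration, not code from the chapter: it takes the PDA relation of Example 1, expresses the secret S as the projection query above, and measures the "revision of the attacker's belief" that the GBP model is built on, i.e. the attacker's probability that a given (patient, ailment) pair holds before and after seeing V(D). Everything beyond the PDA schema and S is an assumption made for the example: a two-patient, two-doctor, two-ailment domain, the external knowledge that every patient has exactly one PDA tuple, a uniform prior over all databases satisfying that knowledge, and two candidate publishing functions V (one projecting PDA onto (doctor, ailment), one publishing both the (patient, doctor) and the (doctor, ailment) projections).

```python
from itertools import product
from fractions import Fraction

# Constructed toy domain for the PDA(patient, doctor, ailment) relation (assumption).
PATIENTS = ("p1", "p2")
DOCTORS = ("d1", "d2")
AILMENTS = ("a1", "a2")


def possible_worlds():
    """All databases the attacker considers possible (assumed external knowledge:
    each patient has exactly one (doctor, ailment) tuple). The attacker's prior
    is assumed uniform over these worlds."""
    choices = list(product(DOCTORS, AILMENTS))
    for assignment in product(choices, repeat=len(PATIENTS)):
        yield frozenset((p, d, a) for p, (d, a) in zip(PATIENTS, assignment))


def S(db):
    """The secret of Example 1 as a function on databases: S(p, a) :- PDA(p, d, a)."""
    return frozenset((p, a) for p, d, a in db)


# Two hypothetical publishing functions V (assumptions, not from the chapter).
# Each returns the published data as a tuple of relations so results compare by equality.
def V_doctor_ailment(db):
    return (frozenset((d, a) for p, d, a in db),)


def V_two_projections(db):
    return (frozenset((p, d) for p, d, a in db),
            frozenset((d, a) for p, d, a in db))


def belief(secret_tuple, view_fn=None, published=None):
    """Probability that secret_tuple is in S(D') for a world D' drawn from the prior.
    When view_fn and published are given, condition on the worlds whose published
    data equals what the attacker actually saw: view_fn(D') == published."""
    worlds = [w for w in possible_worlds()
              if view_fn is None or view_fn(w) == published]
    hits = sum(1 for w in worlds if secret_tuple in S(w))
    return Fraction(hits, len(worlds))


def belief_revision(db, view_fn, secret_tuple):
    """(prior, posterior) belief in secret_tuple before and after seeing view_fn(db)."""
    prior = belief(secret_tuple)
    posterior = belief(secret_tuple, view_fn, view_fn(db))
    return prior, posterior


if __name__ == "__main__":
    # Constructed actual database D; the secret tuple under study is (p1, a1).
    D = frozenset({("p1", "d1", "a1"), ("p2", "d2", "a2")})
    for name, V in (("doctor-ailment projection only", V_doctor_ailment),
                    ("patient-doctor and doctor-ailment projections", V_two_projections)):
        prior, posterior = belief_revision(D, V, ("p1", "a1"))
        print(f"{name}: prior={prior}, posterior={posterior}")
```

Under these assumptions the first V leaves the attacker's belief in (p1, a1) at 1/2, the same as the prior, because two possible worlds are consistent with the published (doctor, ailment) pairs and the secret tuple holds in only one of them. Publishing the (patient, doctor) projection as well collapses the consistent worlds to one, so the posterior becomes 1: the join of the two views reveals the secret exactly, even though neither view contains a (patient, ailment) pair. Comparing prior and posterior in this way is the quantity the GBP guarantees of later sections constrain.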