Databases Reference
In-Depth Information
If f is the privacy function that is represented by Fig. 5, then the version
of f at the public and private levels are denoted by f[Public] and f[Private]
respectively. These versions are defined as follows:
f[Public](u
,
v) =
{
(u
,
v+1)
}
if u
=0
{
(u
,
v
−
1)
}
if u = 0 AND v
=0
φ
(the empty set) if u = 0 AND v = 0
f[Private](u
,
v) =
{
(u
,
v+1)
}
if u
= 0 AND v
=1
{
= 0 AND v = 1
{
(u
,
v
−
1)
}
if u = 0 AND v
=0
φ
(u
,
v+1)
,
(0
,
u+1)
}
if u
(the empty set) if u = 0 AND v = 0
As a result those at the private level could infer information which the
public users cannot infer. For example, consider the privacy function illus-
trated in Fig. 5. We assume that there is only one privacy constraint, which
classifies the point (0, 0) at the Highly private level. It can be seen that:
PP
[Public] =
{
(0
,
v) : v
≥
1
}
PP
[Private] =
{
(0
,
v) : v
≥
1
}∪{
(u
,
0) : u
1
}∪{
(u
,
1) : u
1
}
PP
[Public].
All other results obtained in Sect. 2.3 are valid even if we consider privacy
functions to be multilevel. This is because these results are with respect to
a single privacy level. (Note that Theorem 1(iv) is with respect to multiple
privacy levels).
If we assume that the privacy constraints are themselves assigned different
privacy levels, then Theorem 1(iv) cannot be valid. For example, consider the
privacy function shown in Fig. 6. In this example there is only one privacy
constraint which classifies the point (0, 0) at the highly-private level. Let us
assume that the constraint itself is at the private level. This means that the
constraint does not apply at the public level. It can be seen that:
Therefore it is no longer true that
PP
[Private]
⊆
PP
[Public] = the Empty Set
PP
[Private] =
{
(0
,
v) : v
≥
1
}∪{
(u
,
0) : u
1
}∪{
(u
,
1) : u
1
}
Therefore it is no longer true that
PP
[Private]
⊆
PP
[Public]
.
