### To the teacher

If it is desired that the students should have a larger emphasis on learning either the code or discussion part, the notebook could easily be adapted by removing some parts. The coding questions have been made to be easy, but if the students are expected to be proficcient at python, pandas and they have some prior knowledge of the algorithms you could remove more of the solution to make the exercies harder. You could even remove the skeleton of whole functions if they are expected some write the solutions on their own based on the described algorithms.

# Jupyter notebook for Privacy in Data Storage

In this notebook we explore **privacy** and **ethics** in **Data Storage**. We will look at the concepts **k-anonymity, l-diversity, t-closeness**, but also have **discussions** about ethics you should be aware of when working with sensitive data.

The first part contains some discussions to get you started and an example of anonymization of a dataset using k-anonymity. Then you will work with implementing an algorithm to achieve k-anonymity and finally you review your learning with some reflection questions in the end.

It is preferable to do the discussions in **groups** as it could introduce more perspectives and maybe you could challenge your beliefs.

This file should be opened in **Jupyter Lab**, as it allowes for **collapsed cells** which is important for the progression of the notebook.

### Types of exercises

<div style="padding:8px 0 3px 15px;border-left:3px solid #a50000;background-color:#fce5e5;">
    <span style="font-weight:bold;text-decoration:underline;">Discussion</span><br/>
    
Parts that are styled like this are discussion questions where you are supposed to discuss with your group to come up with an answer and write your arguments in the cell below.
</div>

<div style="padding:8px 0 3px 15px;border-left:3px solid #5661e2;background-color:#e5f2fc;">
    <span style="font-weight:bold;text-decoration:underline;">Question</span><br/>
    
Questions are part of the notebook progression. You will need to discuss and answer them to reflect on what you just have seen, but often an answer is following below, which you should check **after** you have answered.
</div>

<div style="padding:8px 0 3px 15px;border-left:3px solid #6ffc64;background-color:#e2fce0;">
    <span style="font-weight:bold;text-decoration:underline;">Coding exercise</span><br/>
    
You are supposed to fill in after the `### TODO` part of the code to make it work properly. You can check for correctness by running the codecell and the cells below as they often show what the output is supposed to be.
</div>

In [1]:
def example_function(a, b):
    """
    :param        a: user defined int
    :param        b: user defined int
    :       returns: a + b
    """
    ### TODO

### The goal of this notebook

1. Be able to anonymize data and analyse anonymous data for re-identification

2. Learn the concepts of k-anonymity, l-diversity, t-closeness as examples of privacy related topics

3. Identify assumptions and biases in some datasets. For example in categorising data, in particular for a categorisation that is up for discussion (e.g. gender = [male, female])

4. The students should be able to analyse the potential dangers (The impact on (vulnerable) users, society and source of the data) of working with unrestricted and controversial data like health diseases, crime or similar topics

### Prior knowledge needed

- The user should be familiar with python and jupyter notebooks

- The user should be familiar with the pandas library in python

## Introduction discussion

---

Before we go through with an example of anonymization you should discuss the following questions with you group.

<div style="padding:8px 0 3px 15px;border-left:3px solid #a50000;background-color:#fce5e5;">
    <span style="font-weight:bold;text-decoration:underline;">Discussion</span><br/>
    
What is the meaning of **sensitive data** according to you? Could you name some?
</div>

<div style="padding:8px 0 3px 15px;border-left:3px solid #a50000;background-color:#fce5e5;">
    <span style="font-weight:bold;text-decoration:underline;">Discussion</span><br/>
    
What is the purpose of anonymization? Is it even important?
</div>

<div style="padding:8px 0 3px 15px;border-left:3px solid #a50000;background-color:#fce5e5;">
    <span style="font-weight:bold;text-decoration:underline;">Discussion</span><br/>
    
What are the issues linked to re-identification of a person?
</div>

<div style="padding:8px 0 3px 15px;border-left:3px solid #a50000;background-color:#fce5e5;">
    <span style="font-weight:bold;text-decoration:underline;">Discussion</span><br/>
    
What problems arise when a dataset contains biases and skews?
</div>

# Anonymization of data

---

In the following part we will go through an example of where anonymization could be useful and k-anonymity could help achieve anonymization.

Health information is widely acknowledged to be sensitive personal information. Information of this type may contain facts about an individual that can be used by insurance companies, future employers or others against the benefit of the person involved. For this reason, in many countries and jurisdictions, gathering, storing and publishing such data by third parties is limited by laws and regulations. In general, the goal of this type of legislation is twofold. For a third party to be allowed to process health data, either:

* the person the information is about has given permission for usage
* the data is changed in such a way that it is not possible to determine the identity of the individual


Although health data is sensitive in the sense described above, large health datasets can offer a wealth of information to scientists and researchers, for example in determining the effects of specific medication or finding correlations between lifestyle and disease. However, datasets with this type of information may not be used without satisfying either of the conditions mentioned.

Especially for large existing datasets, it can be very difficult, if not completely infeasible, to obtain permission from each individual in the dataset. In order to use this data without jeopardizing an individuals privacy and stay within legal boundaries, the data needs to be changed in such a way that it is impossible to determine the identity of individual the information is about. This process is commonly referred to as **anonymization**.

A common solution for anonymization is simply removing all values from the dataset that identify a person directly, e.g. remove a person's name and SSI. Sometimes a variant known as pseudonimization is used, where this information is not removed, but replaced by a specific ID number. This ID number can only be traced back to the person involved through a Trusted Third Party (TTP)

Depending on context, these methods have advantages and disadvantages. One important observation however, is that very often the second condition is not adequately satisfied: it is still possible to infer the identity of the person involved from the given data.

Consider the following (hypothetical) example of an anonymized dataset published by Dr. Bob for medical research:

##### Table 1

![jupyter](example.png)

#####

<div style="padding:8px 0 3px 15px;border-left:3px solid #5661e2;background-color:#e5f2fc;">
    <span style="font-weight:bold;text-decoration:underline;">Question</span><br/>
    
At first glance, no identifiable information has been leaked in this dataset. But take a moment and discuss with your group. Could there be any potential dangers for anonymity?
</div>

##### Continue by showing the cell below

Imagine you walk by Dr. Bob's office and see a person with the following characteristics:

* She is a woman
* She is quite young (at least younger than 20 by estimation)
* She has an occupation as chef or baker (or something that requires similar attire, as she wears a chef's hat)

While any of these characteristics by themselves would match multiple records in the dataset, there's only one record that satisfies all three. Therefore we can learn the medical condition of this person and Dr. Bob has revealed personal information about one of his patients.

Of course, in this example re-identifying a person is quite easy, because the dataset is relatively small. In a larger dataset, one could argue, more young, female chefs might be included, making it more difficult or even impossible to determine the exact record in the dataset depicting the person from the photo.

This argument makes sense; a real-world dataset would probably contain many more records than the example. However, such a real-world dataset usually also contains many more columns (i.e. more data per record). It's not difficult to see that more data increases the risk of re-identification again. Furthermore, many people may be indistinguishable (or equivalent) within the dataset, but some records will still have a unique combination of values. As an example, someone with a very uncommon profession and being above 100 years old is still easily re-identified in most large datasets.

#####

<div style="padding:8px 0 3px 15px;border-left:3px solid #5661e2;background-color:#e5f2fc;">
    <span style="font-weight:bold;text-decoration:underline;">Question</span><br/>
    
How can we mitigate this type of risk?
</div>

##### Continue when you have answered above

We could leave out many of the columns, but this would destroy most of the analytical value in the data, which defeats the purpose of releasing the data in the first place. A better solution would leave out as much data as needed to prevent re-identification, but not more. Such a solution would allow us to retain analytical value as much as possible, while respecting privacy for subjects involved. The trade-off we seek to optimize can be depicted a follows:

![Figure1](example2.png)

The solution for the problem described above: make sure that every record has at least one equivalent record, i.e. a record that contains the same values on all properties that are publicly known or easy to determine.

## k-anonymity

---

The concept of k-anonymity was introduced into information security and privacy back in 1998. It’s built on the idea that by combining sets of data with similar attributes, identifying information about any one of the individuals contributing to that data can be obscured. k-Anonymization is often referred to as the power of ‘hiding in the crowd.’ Individuals’ data is pooled in a larger group, meaning information in the group could correspond to any single member, thus masking the identity of the individual or individuals in question.

The k in k-anonymity refers to a variable — think of the classic ‘x’ in your high school algebra class. In this case, k refers to the number of times each combination of values appears in a data set. If k=2, the data is said to be 2-anonymous. This means the data points have been generalized enough that there are at least two sets of every combination of data in the data set.

<div style="padding:8px 0 3px 15px;border-left:3px solid #5661e2;background-color:#e5f2fc;">
    <span style="font-weight:bold;text-decoration:underline;">Question</span><br/>
    
What could be done to achieve **2-anonymity** on the dataset from Dr. Bob ([Table 1](#Table-1))?</br> Check the example below **after** you have come up with your own answer. There could be **multiple** correct answers to the question.
</div>

##### Table 2

![Table2](example3.png)

When we ignore the (presumably not publicly known) _Medical condition_ column, every record in the table above has at least one duplicate. The smallest set of equivalent records (i.e. the smallest equivalence class) in this table has size two (e.g. the set Male/50+/Yes). Thus this table can be considered 2-anonymous. Note that real-world values for _k_ are usually a lot larger.

## How to achieve k-anonymity
---

Looking at the table above, we can observe the changes that made this dataset reach the 2-anonymity level:

* One record was completely suppressed
* The age value for each record was classified into one of two categories: 50- or 50+
* The occupation value for each record was generalized into Yes or No

These observations show two common techniques regularly used in combination to achieve a certain level of anonymity:

* Suppression: leaving out records that have a very unique combination of attribute values
* Generalization: making values more generic, so that more records share the same value

In applying these techniques, decisions have to be made about which records to suppress and to what extent the columns should be generalized. These decisions can depend on the purpose the dataset is released for: age may be a relevant variable in some scientific studies, but less so in others. Very often however, datasets are released for a general purpose or the purpose may be difficult to obtain. In these cases, algorithms may be used that try to reach k-anonymity with the least amount of suppression and generalization possible. These algorithms typically involve trying a lot of combinations of generalization levels and suppression criteria, before an optimal solution is chosen.

## Implementing k-anonymity

In this notebook, we'll explore data anonymization, in particular "k-anonymity" [1]. We will implement a simple algorithm [2] to produce a k-anonymous dataset.

For more reading on the topic, please see: 

- [k-Anonymity: A Model For Protecting Privacy. Latanya Sweeney](https://epic.org/privacy/reidentification/Sweeney_Article.pdf)
- [Mondrian - Multidimensional k-Anonymity](https://www.utdallas.edu/~muratk/courses/privacy08f_files/MultiDim.pdf)

Turning a dataset into a k-anonymous (and possibly l-diverse or t-close) dataset is a complex problem, and finding the optimal partition into k-anonymous groups is an NP-hard problem. Fortunately, several practical algorithms exists that often produce "good enough" results by employing greedy search techniques.

In this tutorial we will explore the so-called "Mondrian" algorithm (see link above), which uses a greedy search algorithm to partition the original data into smaller and smaller groups (if we plot the resulting partition boundaries in 2D they resemble the pictures by Piet Mondrian, hence the name).

The algorithm assumes that we have converted all attributes into numerical or categorical values and that we're able to measure the "span" of a given data attribute $X_i$ (we'll explain that in more detail later).

### Partitioning Algorithm

The algorithm proceeds then as follows to partition the data into k-anonymous gorups:

1. Initialize the finished set of partitions to an empty set $P_{finished} = \{\}$.
2. Initialize the working set of partitions to a set containing a partition with the entire dataset $P_{working} = \{\{1, 2,\dots ,N\}\}$.
4. While there are partitions in the working set, pop one partition from it and
  * Calculate the relative spans of all columns in the partition.
  * Sort the resulting columns by their span (in descending order) and iterate over them. For each column,
      * Try to split the partition along that column using the median of the column values as the split point.
      * Check if the resulting partitions are valid according to our k-anonymity (and possibly additional) criteria.
      * If yes, add the two new partitions to the working set and break out of the loop.
  * If no column produced a valid split, add the original partition to the set of finished partitions.
5. Return the finished set of partitions

### Data Aggregation

After obtaining the partitions we still need to aggregate the values of the quasi identifiers and the sensitive attributes in each k-anonymous group. For this, we can e.g. replace numerical attributes with their range (e.g. "age: 24-28") and categorical attributes with their union (e.g. "employment-group: [self-employed, employee, worker]"), though other aggregations are possible. Methods like [Anatomy](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.156.9150&rep=rep1&type=pdf) even preserve the micro-data in each group, which increases re-identification risk though.

We can then use the anonymized data for privacy-preserving machine learning, e.g. using scikit-learn or something similar.

##

<div style="padding:8px 0 3px 15px;border-left:3px solid #a50000;background-color:#fce5e5;">
    <span style="font-weight:bold;text-decoration:underline;">Discussion</span><br/>
    
What should you think about after you have implemented k-anonymity on a dataset?
</div>

## Programming k-anonymity

---

Let's get started with the programming!

In [2]:
# we use Pandas to work with the data as it makes working with tables of data super easy
import pandas as pd

We start by importing our dataset

In [3]:
# this is a list of the column names in our dataset (as the file doesn't contain any headers)
names = (
    'age',
    'workclass', #Private, Self-emp-not-inc, Self-emp-inc, Federal-gov, Local-gov, State-gov, Without-pay, Never-worked.
    'fnlwgt', # "weight" of that person in the dataset (i.e. how many people does that person represent) -> https://www.kansascityfed.org/research/datamuseum/cps/coreinfo/keyconcepts/weights
    'education',
    'education-num',
    'marital-status',
    'occupation',
    'relationship',
    'race',
    'sex',
    'capital-gain',
    'capital-loss',
    'hours-per-week',
    'native-country',
    'income',
)

# some fields are categorical and will require special treatment
categorical = set((
    'workclass',
    'education',
    'marital-status',
    'occupation',
    'relationship',
    'sex',
    'native-country',
    'race',
    'income',
))

df = pd.read_csv("Data/adult.all.txt", sep=", ", header=None, names=names, index_col=False, engine='python');# We load the data using Pandas

In [4]:
# Take a look at the dataset
df.tail()

Unnamed: 0,age,workclass,fnlwgt,education,education-num,marital-status,occupation,relationship,race,sex,capital-gain,capital-loss,hours-per-week,native-country,income
48837,39,Private,215419,Bachelors,13,Divorced,Prof-specialty,Not-in-family,White,Female,0,0,36,United-States,<=50k
48838,64,?,321403,HS-grad,9,Widowed,?,Other-relative,Black,Male,0,0,40,United-States,<=50k
48839,38,Private,374983,Bachelors,13,Married-civ-spouse,Prof-specialty,Husband,White,Male,0,0,50,United-States,<=50k
48840,44,Private,83891,Bachelors,13,Divorced,Adm-clerical,Own-child,Asian-Pac-Islander,Male,5455,0,40,United-States,<=50k
48841,35,Self-emp-inc,182148,Bachelors,13,Married-civ-spouse,Exec-managerial,Husband,White,Male,0,0,60,United-States,>50k


<div style="padding:8px 0 3px 15px;border-left:3px solid #a50000;background-color:#fce5e5;">
    <span style="font-weight:bold;text-decoration:underline;">Discussion</span><br/>
    
Are there any potensial **biases** and **skews** you should think about when working with this dataset?
</div>

<div style="padding:8px 0 3px 15px;border-left:3px solid #6ffc64;background-color:#e2fce0;">
    <span style="font-weight:bold;text-decoration:underline;">Coding exercise</span><br/>
    
Implement a function that returns the spans (max-min for numerical columns, number of different values for categorical columns) of all columns for a partition of a dataframe. Fill in for `### TODO` in `get_spans`.
</div>

In [5]:
for name in categorical:
    df[name] = df[name].astype('category')

In [6]:
def get_spans(df, partition):
    """
    :param        df: the dataframe for which to calculate the spans
    :param partition: the partition for which to calculate the spans
    :        returns: The spans of all columns in the partition
    """
    spans = {}
    for column in df.columns:
        if column in categorical:
            span = len(df[column][partition].unique())
        else:
            span = df[column][partition].max()-df[column][partition].min()
        spans[column] = span
    return spans

In [7]:
full_spans = get_spans(df, df.index)
full_spans

{'age': 73,
 'workclass': 9,
 'fnlwgt': 1478115,
 'education': 16,
 'education-num': 15,
 'marital-status': 7,
 'occupation': 15,
 'relationship': 6,
 'race': 5,
 'sex': 2,
 'capital-gain': 99999,
 'capital-loss': 4356,
 'hours-per-week': 98,
 'native-country': 42,
 'income': 2}

The answer should be like this:

```
{'age': 73,
 'workclass': 9,
 'fnlwgt': 1478115,
 'education': 16,
 'education-num': 15,
 'marital-status': 7,
 'occupation': 15,
 'relationship': 6,
 'race': 5,
 'sex': 2,
 'capital-gain': 99999,
 'capital-loss': 4356,
 'hours-per-week': 98,
 'native-country': 42,
 'income': 2}
```

<div style="padding:8px 0 3px 15px;border-left:3px solid #6ffc64;background-color:#e2fce0;">
    <span style="font-weight:bold;text-decoration:underline;">Coding exercise</span><br/>
    
Implement a `split` function that split the given partition such that all rows with values of the column `column` below the median are in one partition and all rows with values above or equal to the median are in the other. Fill in for `### TODO` in `split`.
</div>

In [8]:
def split(df, partition, column):
    """
    :param        df: The dataframe to split
    :param partition: The partition to split
    :param    column: The column along which to split
    :        returns: A tuple containing a split of the original partition
    """
    dfp = df[column][partition]
    if column in categorical:
        values = dfp.unique()
        lv = set(values[:len(values)//2])
        rv = set(values[len(values)//2:])
        return dfp.index[dfp.isin(lv)], dfp.index[dfp.isin(rv)]
    else:        
        median = dfp.median()
        dfl = dfp.index[dfp < median]
        dfr = dfp.index[dfp >= median]
        return (dfl, dfr)

In [9]:
# We test the split function on a subset of the dataset
partitions = split(df, df[:20].index, 'age')
partitions

(Int64Index([4, 5, 8, 10, 11, 12, 13, 15, 16, 17], dtype='int64'),
 Int64Index([0, 1, 2, 3, 6, 7, 9, 14, 18, 19], dtype='int64'))

The output should be like this:
```
(Int64Index([4, 5, 8, 10, 11, 12, 13, 15, 16, 17], dtype='int64'),
 Int64Index([0, 1, 2, 3, 6, 7, 9, 14, 18, 19], dtype='int64'))
```
It displays which of our rows belong to each partition. We can see that this particular partitioning was really even. 

<div style="padding:8px 0 3px 15px;border-left:3px solid #6ffc64;background-color:#e2fce0;">
    <span style="font-weight:bold;text-decoration:underline;">Coding exercise</span><br/>
    
The next helper function we need is just for detecting if a partition is big enough to satisfy our `k`.</br>Fill in for `### TODO` in `is_k_anonymous`.
</div>

In [10]:
def is_k_anonymous(df, partition, sensitive_column, k=3):
    """
    :param               df: The dataframe on which to check the partition.
    :param        partition: The partition of the dataframe to check.
    :param sensitive_column: The name of the sensitive column
    :param                k: The desired k
    :returns               : True if the partition is valid according to our k-anonymity criteria, False otherwise.
    """
    if len(partition) < k:
        return False
    return True

Now that we have all helper functions in place, we can implement the partition algorithm discussed above:

<div style="padding:8px 0 3px 15px;border-left:3px solid #6ffc64;background-color:#e2fce0;">
    <span style="font-weight:bold;text-decoration:underline;">Coding exercise</span><br/>
    
Implement the partitioning algorithm descibed in the Partitioning Algorithm section ([here](#Partitioning-Algorithm)), using a k-anonymous criterion for the partitions you create.</br>Fill in for `### TODO` in `partition_dataset`.
</div>

In [11]:
def partition_dataset(df, feature_columns, sensitive_column, is_valid):
    """
    :param               df: The dataframe to be partitioned.
    :param  feature_columns: A list of column names along which to partition the dataset.
    :param sensitive_column: The name of the sensitive column (to be passed on to the `is_valid` function)
    :param         is_valid: A function that takes a dataframe and a partition and returns True if the partition is valid.
    :returns               : A list of valid partitions that cover the entire dataframe.
    """
    finished_partitions = []
    partitions = [df.index]
    while partitions:
        partition = partitions.pop(0)
        spans = get_spans(df[feature_columns], partition)
        # Get the columns with spans in descending order
        for column, span in sorted(spans.items(), key=lambda x:-x[1]):
            # Split the partitioned columns and check if they are of valid length
            lp, rp = split(df, partition, column)
            if not is_valid(df, lp, sensitive_column) or not is_valid(df, rp, sensitive_column):
                continue
            #if they are of valid length, add them to partitions for next iteration to check if they can be further divided
            partitions.extend((lp, rp))
            break
        else:
            finished_partitions.append(partition)
    return finished_partitions

Now let's try this on our dataset! To keep things simple, we will at first select only two columns from the dataset that we apply the partitioning to. This makes it easier to check/visualize the result and speed up the execution (the naive algorithm can take several minutes when running on the entire dataset) 

In [12]:
# we apply our partitioning method to two columns of our dataset, using "income" as the sensitive attribute
feature_columns = ['age', 'education-num']
sensitive_column = 'income'
finished_partitions = partition_dataset(df, feature_columns, sensitive_column, is_k_anonymous)

In [13]:
# we get the number of partitions that were created
len(finished_partitions)

477

The output of this should be: `477`

In [14]:
# We can check that two rows should belong in the same partition
partition = finished_partitions[0]
print(df[feature_columns].iloc[partition[0]])
print(df[feature_columns].iloc[partition[1]])

age              21
education-num    10
Name: 36, dtype: int64
age              21
education-num    10
Name: 120, dtype: int64


You should get:
```
age              21
education-num    10
Name: 36, dtype: int64
age              21
education-num    10
Name: 120, dtype: int64
```
We can see that they should both belong in the same partition, which is correct.

# Generating an k-Anonymous Dataset

Of course, to use the data we want to produce a new dataset that contains one row for each partition and value of the sensitive attribute. To do this, we need to aggregate the columns in each partition.  Let's do this!

<div style="padding:8px 0 3px 15px;border-left:3px solid #6ffc64;background-color:#e2fce0;">
    <span style="font-weight:bold;text-decoration:underline;">Coding exercise</span><br/>
    
Define ways to aggregate the values for the final dataset. This will be the combined value of a column. For example `30, 30, 33` to `30-33` or `31` as a mean.</br>
Fill in for `### TODO` in `agg_categorical_column` and `agg_numerical_column`.
</div>

In [15]:
# Defining ways to aggregate the values for the final dataset
# Be careful about these as they could reveal all aggregated data the way they are currently implemented
def agg_categorical_column(series):
    return [','.join(set(series))]

def agg_numerical_column(series):
    return [series.mean()]

<div style="padding:8px 0 3px 15px;border-left:3px solid #a50000;background-color:#fce5e5;">
    <span style="font-weight:bold;text-decoration:underline;">Discussion</span><br/>
    
What are the **pros** and **cons** of your apporach in the above coding exercise?
</div>

<div style="padding:8px 0 3px 15px;border-left:3px solid #6ffc64;background-color:#e2fce0;">
    <span style="font-weight:bold;text-decoration:underline;">Coding exercise</span><br/>
    
Fill in for `### TODO` in `build_anonymized_dataset`. You might need to read it multiple times to understand what is missing. You could also look further down at what the output is supposed to be.
</div>

In [16]:
def build_anonymized_dataset(df, partitions, feature_columns, sensitive_column):
    aggregations = {}
    for column in feature_columns:
        # Define the row values for the final dataset by aggregation
        if column in categorical:
            aggregations[column] = agg_categorical_column
        else:
            aggregations[column] = agg_numerical_column
    # Here we store the generated rows
    rows = []
    for partition in partitions:
        grouped_columns = df.loc[partition].agg(aggregations, squeeze=False)
        sensitive_counts = df.loc[partition].groupby(sensitive_column).agg({sensitive_column : 'count'})
        values = {}
        for name,val in grouped_columns.items():
            values[name] = val[0]
        for sensitive_value, count in sensitive_counts[sensitive_column].items():
            # Drop empty rows
            if count == 0:
                continue
            values.update({
                sensitive_column : sensitive_value,
                'count' : count,
            })
            rows.append(values.copy())
    return pd.DataFrame(rows)

In [17]:
# Generate the k-anonymized dataset
dfn = build_anonymized_dataset(df, finished_partitions, feature_columns, sensitive_column)

In [18]:
# we sort the resulting dataframe using the feature columns and the sensitive attribute
dfn.sort_values(feature_columns+[sensitive_column])

Unnamed: 0,age,education-num,income,count
500,17.0,3.000000,<=50k,3
501,17.0,4.000000,<=50k,5
213,17.0,5.000000,<=50k,36
17,17.0,7.000000,<=50k,267
19,17.0,8.172840,<=50k,81
...,...,...,...,...
734,90.0,9.000000,>50k,4
762,90.0,10.545455,<=50k,9
763,90.0,10.545455,>50k,2
764,90.0,13.647059,<=50k,10


The output should be like this:

|     | age |	education-num |	income   |	count |
|-----|-----|-----------------|----------|--------|
| 469 |	17.0|      	3.000000  |	<=50k    |	3     |
| 615 |	17.0|      	4.000000  |	<=50k    |	5     |

## A break from coding

We have now implemented k-anonymity and checked that it works.

Here are some finishing questions to help you reflect over what you have learned and keep in touch with the goals of the notebook.

<div style="padding:8px 0 3px 15px;border-left:3px solid #5661e2;background-color:#e5f2fc;">
    <span style="font-weight:bold;text-decoration:underline;">Question</span><br/>
    
Is the dataset secure if you have achieved k-anonymity? Why or why not?
</div>

<div style="padding:8px 0 3px 15px;border-left:3px solid #a50000;background-color:#fce5e5;">
    <span style="font-weight:bold;text-decoration:underline;">Discussion</span><br/>
    
Think about your past three days, have you encountered any situation where bias implemented by engineering had an effect on you?
</div>

## L-diversity

Take a look at the 2-anonymous dataset of Dr. Bob ([Here](#Table-2)). If you remove the first row, is it still 2-anonymous? What could be the problem for anonymity with this dataset? 

L-diversity ensures that each k-anonymous group contains at least l different values of the sensitive attribute. Therefore, even if an adversary can identify the group of a person he/she still would not be able to find out the value of that person's sensitive attribute with certainty. A problem that might happen in k-anonymity is that all people in a k-anonymous group possess the same value of the sensitive attribute. An adversary who knows that a person is in that k-anonymous group can then still learn the value of the sensitive attribute of that person with absolute certainty. This problem can be fixed by using l-diversity.

### Implementing l-diversity

Luckily, if we want to implement l-diversity there is not much that needs to be added to our code.

<div style="padding:8px 0 3px 15px;border-left:3px solid #6ffc64;background-color:#e2fce0;">
    <span style="font-weight:bold;text-decoration:underline;">Coding exercise</span><br/>
    
Fill in for `### TODO` in `diversity`.
</div>

In [19]:
def diversity(df, partition, column):
    return len(df[column][partition].unique())

def is_l_diverse(df, partition, sensitive_column, l=2):
    """
    :param               df: The dataframe for which to check l-diversity
    :param        partition: The partition of the dataframe on which to check l-diversity
    :param sensitive_column: The name of the sensitive column
    :param                l: The minimum required diversity of sensitive attribute values in the partition
    """
    return diversity(df, partition, sensitive_column) >= l

In [21]:
# now let's apply this method to our data and see how the result changes
finished_l_diverse_partitions = partition_dataset(df, feature_columns, sensitive_column, lambda *args: is_k_anonymous(*args) and is_l_diverse(*args))

In [22]:
len(finished_l_diverse_partitions)

304

In [23]:
# again we build an anonymized dataset from the l-diverse partitions
dfl = build_anonymized_dataset(df, finished_l_diverse_partitions, feature_columns, sensitive_column)

In [26]:
# Let's see how l-diversity improves the anonymity of our dataset
dfl.sort_values(feature_columns+[sensitive_column])

Unnamed: 0,age,education-num,income,count
0,17.812087,6.376771,<=50k,1058
1,17.812087,6.376771,>50k,1
2,18.894262,8.822131,<=50k,1218
3,18.894262,8.822131,>50k,2
4,19.333333,10.054315,<=50k,1343
...,...,...,...,...
573,90.000000,9.000000,>50k,4
592,90.000000,10.545455,<=50k,9
593,90.000000,10.545455,>50k,2
594,90.000000,13.647059,<=50k,10


## T-closeness

T-closeness is a further refinement of l-diversity group based anonymization that is used to preserve privacy in data sets by reducing the granularity of a data representation. The t-closeness model extends the l-diversity model by treating the values of an attribute distinctly by taking into account the distribution of data values for that attribute. T-closeness requires that the distribution of a sensitive attribute in any equivalence class is close to the distribution of the attribute in the overall table.

For more reading on the topic, please see: 
- [t-Closeness: Privacy Beyond k-Anonymity and ℓ-Diversity](https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.158.6171)

In [27]:
# here we generate the global frequencies for the sensitive column 
global_freqs = {}
total_count = float(len(df))
group_counts = df.groupby(sensitive_column)[sensitive_column].agg('count')
for value, count in group_counts.to_dict().items():
    p = count/total_count
    global_freqs[value] = p

In [28]:
global_freqs

{'<=50k': 0.7607182343065395, '>50k': 0.23928176569346055}

In [29]:
def t_closeness(df, partition, column, global_freqs):
    total_count = float(len(partition))
    d_max = None
    group_counts = df.loc[partition].groupby(column)[column].agg('count')
    for value, count in group_counts.to_dict().items():
        p = count/total_count
        d = abs(p-global_freqs[value])
        if d_max is None or d > d_max:
            d_max = d
    return d_max


def is_t_close(df, partition, sensitive_column, global_freqs, p=0.2):
    """
    :param               df: The dataframe for which to check l-diversity
    :param        partition: The partition of the dataframe on which to check l-diversity
    :param sensitive_column: The name of the sensitive column
    :param     global_freqs: The global frequencies of the sensitive attribute values
    :param                p: The maximum allowed Kolmogorov-Smirnov distance
    """
    if not sensitive_column in categorical:
        raise ValueError("this method only works for categorical values")
    return t_closeness(df, partition, sensitive_column, global_freqs) <= p

<div style="padding:8px 0 3px 15px;border-left:3px solid #6ffc64;background-color:#e2fce0;">
    <span style="font-weight:bold;text-decoration:underline;">Coding exercise</span><br/>
    
Fill in for `### TODO` below. You should create a variable `finished_t_close_partitions` that uses `partition_dataset` with k-anonymity and t-closeness.
</div>

In [30]:
# Let's apply this to our dataset
finished_t_close_partitions = partition_dataset(df, feature_columns, sensitive_column, lambda *args: is_k_anonymous(*args) and is_t_close(*args, global_freqs))

In [31]:
len(finished_t_close_partitions)

115

In [32]:
dft = build_anonymized_dataset(df, finished_t_close_partitions, feature_columns, sensitive_column)

In [33]:
# Let's see how t-closeness fares
dft.sort_values(feature_columns+[sensitive_column])

Unnamed: 0,age,education-num,income,count
2,23.000159,11.040885,<=50k,6021
3,23.000159,11.040885,>50k,265
0,26.697666,8.124394,<=50k,10248
1,26.697666,8.124394,>50k,677
42,28.477519,13.341085,<=50k,450
...,...,...,...,...
225,90.000000,9.000000,>50k,4
226,90.000000,10.545455,<=50k,9
227,90.000000,10.545455,>50k,2
228,90.000000,13.647059,<=50k,10


## Finishing

You have now gone through a large notebook with lots of exercies, these finishing questions should help you reflect over what you have learned. And remember that what you have learned is only useful if you could use it outside of this notebook.

<div style="padding:8px 0 3px 15px;border-left:3px solid #a50000;background-color:#fce5e5;">
    <span style="font-weight:bold;text-decoration:underline;">Discussion</span><br/>
    
How would you explain k-anonymity, l-diversity and t-closedness to a 10-year old?
</div>

<div style="padding:8px 0 3px 15px;border-left:3px solid #a50000;background-color:#fce5e5;">
    <span style="font-weight:bold;text-decoration:underline;">Discussion</span><br/>
    
Imagine you work for a company that needs to adhere to ethical standards. They give you a large raw dataset about crime in Switzerland and expect you to publish it to the public. What do you need to do?
</div>

<div style="padding:8px 0 3px 15px;border-left:3px solid #a50000;background-color:#fce5e5;">
    <span style="font-weight:bold;text-decoration:underline;">Discussion</span><br/>
    
How do you check for k-anonymity and l-diversity in a dataset?
</div>

<div style="padding:8px 0 3px 15px;border-left:3px solid #a50000;background-color:#fce5e5;">
    <span style="font-weight:bold;text-decoration:underline;">Discussion</span><br/>
    
You have just implemented k-anonymity, l-diversity and t-closedness in a dataset. Is it secure?
</div>

**Congratulations!** You have reached the end!