# k-anonymity: A Model for Protecting Privacy

- Authors: Latanya Sweeney

- Reader: Djibrilla Amadou Kountche

## Abstract

- Given a data holder (hospital or bank) having privatly held of person-specific, field structured data wanting to share a version of the data: 
  - How can the data be released with a 'scientific guarrantees' that individuals who are the subjects of the data cannot be re-identified while the data remain particularly usefull ?

- The paper presents k-anonymity and a set of accompanying policies for deployment
- The paper also examines re-identification attacks that can be realized on releases that adhere to k-anaonymity unless accompanying policies are respected

### Keywords:
- data abonymity, data privacy, re-identification, data fusion, privacy, k-map, wrong-map, null-map

## The problem studied

- Exponential growth of the number and variety of data collections
- Data holders, operating autonomously and with limited knownledge, are left with the difficulty of releasing information that does not compromise the  privacy, confidentiality and national interests
- The survival of the database itself depends on the data holder's ability to produce anonymous data because not relasing such information at all may dimish the need for the data, while on the other hand, failing to provide propoer protection within a relase may create circumtances that harm the public or others
- A common practice is for organizations to realse and receive person-specific data with all explicit identifiers, such as name, address and telephone number removed on the assumption that anonymity is maintained because the resulting data look anonymous. 
- The remaining data can be use to re-identify individuals by linking or matching the data to other data or by looking at unique characteristics found in the realesead data

- How many individuals within a geographycally situated population had combinations of demographic values that occured infrequently ?
- Combinations of few characteristics often combine in polpulation to uniquely or nearly uniquely identify some individuals:
   - 87% of the U.S population reported characteristics that uniquely made them unique based only on 5 digit ZIP, gender, date of birth. 
   - Data released containing such information about these individuals should not be considered anonymous

### Exemple of re-identification
- Linking the medical data and voter list led to the identification of William Weld governor of Massachusetts. 

## The solution proposed



### Methods

- Provide a model for understanding, evaluating and constructing computational systems that control inferences
- Provides a formal framework for constructing and evaluating algorithms and systems that realease inforamtion such that the released information limit what can be revealed about properties of the entities that are to be protected

- In the paper the entities are people and the property is the identity (other properties can be protected)
- Data refers to person-specific information that is conceptually organisezd as a table of rows (or records) and columns (or fields):
  - each row is termed t-uples (are not necesseraly unique)
  - each column is called attribute (denotes a field or semantic category of information that is a set of possible values). An attribute is also a domain. Attributes are unique in a table. 
  - each row is an ordered n-tuple $(d_1, d_2, \cdots, d_n)$ such that $d_j$ is the domain of the jth column.

#### Definitions

##### Attributes

- Let $B(A_1, \cdots, A_n)$ be a table with a finite number of tuples. The finite set of attributes of $B$ are $\{A_1, \cdots, A_n\}$

- $t[A_i, \cdots, A_j]$ denote the sequence of values, $v_i, \cdots, v_j$ in $t$

- $B[A_i, \cdots, A_j]$ is the projection, maintaining duplicate tuples of attribute $A_i, \cdots, A_j$ in $B$

- each t-uple is assumed to be specific to one person and no two tuples pertain to the same person


##### Inference
- Is to come to believe a new fact on the basis of other information

##### Disclosure
- Means that explicit or inferable information about a person was released that was not intended
- Disclosure control  attempts to identify and limit disclosures in relased data (assured the disclosed data are suffisently anonymous)
- The collection holder is expected to identify all attributes in the private information that could be used for linking with external information

##### Quasi-identifiers 

A quasi-identifier of $T$, $Q_T$ is a set of attributes $\{A_i, \cdots, A_n\}$ where: $\exists p_i \in U$ such that
$f_g(f_c(p_i))[Q_T] = p_i$

Given : 
- a population of entities $U$
- an entity-specific table $T(A_1, \cdots, A_n)$
- $f_c: U \rightarrow T$
- $f_g: T \rightarrow U^{'}$ where $U \subseteq U^{'}$

The problem is to prohibit the linking of attributes available in public database and private data base.


## Assumptions

- The data holder can identify attributes in his private data that may also appear in external inforamtion and therefore, can accuratly identify quasi-identifiers. 

- If the data holder misjudges which attributes are sensitive for the linking, the released data may be less anonymous than what was required and individuals may be more easily identifiable: 
    - The data holder cannot always know what each recipient of the data knows but policies and contract, which lies outside the algorithms can help.
    - the data holder may find it necessary to releases data that are only partially anonymous. Again policies laws and contracts can provide complementary protections

- A single quasi-identifier based on attributes without weights appearing together in an external table or in a possible join of external tables 

### $k$-anonymity protection model

#### Definition

Let:

- $RT(A_1,\cdots, A_n)$ be a table and $QI_{RT}$ be the quasi-identifier associated with it

$RT$ is said to satisfy $k$-anonymity if and only if each sequence of values in $RT[QI_{RT}]$ appears with at least $k$ occurences in $RT[QI_{RT}]$.


#### Lemma
Let:

- $RT(A_1,\cdots, A_n)$ be a table and $QI_{RT}$ be the quasi-identifiers associated with it
- $(A_i,\cdots, A_j) \subseteq (A_1,\cdots, A_n)$ and RT satisfies k-anonymity

Then each sequence of values in $RT[Ax]$ appears with at least $k$ occurrences in $RT[QI_{RT}]$ for $x = i \cdots j$

#### The protection

- When RT satisfies $k$-anonymity with respect to the identifiers $QI_{PT}$ then the combination of the released data RT and the external sources on which $QI_{PT}$ was based, cannot link on $QI_{PT}$  or a subset of its attributes to match fewer than $k$ individuals
- This property holds provided that all attribute in the released table $RT$ which are externally available in  combination ($ie$ appearing together in an external table or in a possible join of external tales) are defined in the quasi-identifiers QI_PT associated with the private table PT

- This property does not guarrantee individuals cannot be identified in RT; there may exist other inference attacks that could reveal the identities of the individuals contained in the data. However, the property does protect RT against inference from linking (by direct matching) to known external sources; and in this context the solution can provide an effective guard against re-identifying individuals. 

### Attacks againts $k$-anonymity

#### unsorted matching

- is based on the order in which tuples appear in the released table
- Solution : 
   - Randomly sort the data

#### Complementary release

- It is more common that the attributes that constitue the quasi-identifiers are themselves a subset of the attributes  released as a result when a table T, which adderes to $k$-anonymity is released it should be considered as joining other external information. 

- Solution:
   - Subsequent releases of the same privatetly held information must consider all of the released attributes of T a quasi-identifier to prohibit linking on T, unless of course, subsequent releases are based on T. 


#### Temporal

- Data collections are dynamic, the releases of generalized data over time can be subject to a temporal inference attack

- Let $T_0$ be the original privatly held table at time $t=0$

- Assume $k$-anonymity solution based on $T_0$, which is called $RT_0$ is released

- Assume at time $t$, additinnal tuple were added to the privately held table $T_0$ so it becames $T_t$
- $RT_t$ is the released table at $t$
- If there is no requirements that $RT_t$ respects $RT_0$, linking the two tables may reveal sensitive information
and compromise $k$-anonymity.
- Solution:
  - either all of the attributes of $RT_0$ would be considered a quasi-identifier for subsequent releases, or subsequent releases would be based on $RT_0$. 


## Experimentation

- type : illustrations

In [None]:
## Exemple of anonymised table
import pandas as pd
import numpy as np

kanon = pd.read_csv ('../../data/example.csv',index_col='t')
kanon

In [None]:
qi = ['Race', 'Birth', 'Gender','ZIP']
k = 2


def testKanonymity(df, qi, k):
    return df[qi]


def link(source, target, attribute):
    pass


testKanonymity(kanon,qi,k)

In [None]:
### Unsorted match


In [None]:
### Complementary release
pt = pd.read_csv('../../data/example6.csv')
lt = pd.read_csv('../../data/example6lt.csv')
gt1 = pd.read_csv('../../data/example6gt1.csv')
gt3 = pd.read_csv('../../data/example6gt3.csv')

tables = [gt1, gt3]
pd.concat(tables).groupby('Problem')

In [None]:
### Temporal 
#t = 0
pt = pd.read_csv('../../data/example6.csv')

t1 = [['black', '9/7/65', 'male','02139', 'headache'], ['black', '11/4/65', 'male','02139', 'rash']]

pt1 = pt.append([pd.Series(x,index=['Race', 'Birth', 'Gender','ZIP','Problem']) for x in t1], ignore_index=True)
pt1

## Related works

### Statistical databases
- Various ways to add noise to the data while still maintaining some statistical invariant
- But often destroy the integrity of the records, or tuples and so for many new uses of data, these established techniques are not appropriate

### Multi-level databases

- Aggregation and inference in multi-level databases which concernes restricting the relases of lower classified information such that higher classified information cannot be derived
- A multi level data bases is a database having data stored at different security classifications and users having different security clearances
- Suppression is the primary technique used to control the flow of sensitive information where sensitive information and all inforamtion that allows the inference of sensitive inforamtion are simply not released.  Suppression can drastically reduce the quality of the data, and in the case of staitical use, overall statistics can be altered, rendering the data practically useless. 
- In certain case not releasing the data is possible

### Computer security

- Access control and authentication do not address disclosures based on inference that can be drawn from released data
- The more insidious problem in the work that is the subject of this paper is not so much wether the recipient can get access or not ot the information as much as  what values will constitute the information the recipient will receive

### Multiple queries can leak information

- Certains queries on certain tables can reveal sensitive information
- One solution is query restriction to prohibit such queries


## Reader's remarks


### New words:

- thwart 
- colloquial use
- wheezing
- rash

### Pros

### Cons

In [None]:
### Prints the definifion:
from bs4 import BeautifulSoup
from urllib.request import urlopen, Request
from IPython.core.display import display, HTML

website = 'https://en.wiktionary.org/w/index.php?title={}&printable=yes'
larousse = 'http://www.larousse.fr/dictionnaires/anglais-francais/{}'

    

def request(url, word):
    html = urlopen(Request(url.format(word),headers={'User-Agent': 'Mozilla'})).read().decode('UTF-8')
    soup = BeautifulSoup(html,"lxml")
    
    articles = [item for item in soup.find_all('article', attrs={'role' : True})]
   
    [display(HTML(str(article))) for article in articles]
    
words = ['overheard', 'thwart', 'colloquial','wheezing','rash']

[request(larousse, x) for x in words]