Privacy Preservation in Information Systems

Background

The first step in providing privacy to published micro-data is by data sanitization i.e. removing critical attributes related to an individual from the micro-data tables. These attributes are called identifiers as they are able to uniquely identify an individual from the database. Some common instances of these types of attributes include social security number and passport number. But in-spite of removing these identifiers, a great number of threats still persist. As shown by Sweeney (2002), even after sanitizing, an individual can be identified by ‘linking attack’. In this type of attack, an individual can be identified by correlating shared data amongst multiple databases in which the individual has participated. The attributes which link the individual between the databases are termed as quasi identifiers. The medical records of the governor of Massachusetts were easily re-identified by using this linking attack. This fact undoubtedly establishes the high level of danger that persists due to this type of attacks.

To summarize the ideas, the main objective of modern data privacy techniques is to suppress the disclosure risk of individual information as much as possible while maximizing the utility of the presented data. As mentioned by Kiyomoto (2004), there are two main approaches for evading the leakage of personal information from the released micro-data files. Although their methods for achieving privacy are different, but there principal concept is the same i.e. change or modify the original data that is to be released. These two techniques are termed as ‘generalization’ and ‘perturbation’. In the forthcoming sections we will limit our discussions on these broad categories and the techniques implementing them. A more detailed and in depth discussion of privacy preservation techniques is compiled by Fung et al. (2010).