TY - JOUR
T1 - ℓ-diversity
T2 - Privacy beyond k-anonymity
AU - Machanavajjhala, Ashwin
AU - Kifer, Daniel
AU - Gehrke, Johannes
AU - Venkitasubramaniam, Muthuramakrishnan
N1 - Funding Information:
This research was funded by the European Commission, under contract number FP6-034362, in the ACORNS project (www.acorns-project.org).
PY - 2007/3/1
Y1 - 2007/3/1
N2 - Publishing data about individuals without revealing sensitive information about them is an important problem. In recent years, a new definition of privacy called k-anonymity has gained popularity. In a k-anonymized dataset, each record is indistinguishable from at least k - 1 other records with respect to certain identifying attributes. In this article, we show using two simple attacks that a k-anonymized dataset has some subtle but severe privacy problems. First, an attacker can discover the values of sensitive attributes when there is little diversity in those sensitive attributes. This is a known problem. Second, attackers often have background knowledge, and we show that k-anonymity does not guarantee privacy against attackers using background knowledge. We give a detailed analysis of these two attacks, and we propose a novel and powerful privacy criterion called ℓ-diversity that can defend against such attacks. In addition to building a formal foundation for ℓ-diversity, we show in an experimental evaluation that ℓ-diversity is practical and can be implemented efficiently.
UR - http://www.scopus.com/inward/record.url?scp=34248181923&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=34248181923&partnerID=8YFLogxK
U2 - 10.1145/1217299.1217302
DO - 10.1145/1217299.1217302
M3 - Article
AN - SCOPUS:34248181923
SN - 1556-4681
VL - 1
JO - ACM Transactions on Knowledge Discovery from Data
JF - ACM Transactions on Knowledge Discovery from Data
IS - 1
M1 - 1217302
ER -