Preface
Privacy Models
Organization
How to Use This Book
Acknowledgements
Contents
1 Introduction
1.1 Motivations for Data Privacy
1.1.1 Privacy, Security and Inference
1.2 Two Motivating Examples
1.2.1 Sharing a Database
1.2.2 Sharing a Computation
1.2.3 Privacy Leakages and Risk
1.3 Privacy and Society
1.4 Terminology
1.4.1 The Framework
1.4.2 Anonymity and Unlinkability
1.4.3 Disclosure
1.4.4 Dalenius' Definitions for Attribute and Identity Disclosure
1.4.5 Plausible Deniability
1.4.6 Undetectability and Unobservability
1.4.7 Pseudonyms and Identity
1.4.8 Transparency
1.5 Privacy and Disclosure
1.6 Privacy by Design
1.7 Bibliographical Notes
2 Machine and Statistical Learning, and Cryptography
2.1 Machine and Statistical Learning
2.2 Classification of Techniques
2.3 Supervised Learning
2.3.1 Classification
2.3.2 Regression
2.3.3 Validation of Results: k-fold Cross-validation
2.4 Unsupervised Learning
2.4.1 Clustering
2.4.2 Association Rules Mining
2.4.3 Expectation-Maximization Algorithm
2.5 Cryptography
2.5.1 Symmetric Cryptography
2.5.2 Public-key Cryptography
2.5.3 Homomorphic Encryption
2.6 Bibliographical Notes
3 Disclosure, Privacy Models, and Privacy Mechanisms
3.1 Disclosure: Definition and Controversies
3.1.1 A Boolean or Measurable Condition
3.1.2 Identity Disclosure
3.1.3 Attribute Disclosure
3.1.4 Attribute Disclosure in Clusters and Cells
3.1.5 Discussion
3.2 Measures for Attribute Disclosure
3.2.1 Attribute Disclosure for Numerical Data Releases
3.2.2 Attribute Disclosure for Categorical Data Releases
3.2.3 Model-Based Attribute Disclosure
3.2.4 Attribute Disclosure for Absent Attributes
3.2.5 Discussion on Attribute Disclosure
3.2.6 Attribute Disclosure Through Membership Inference Attacks
3.3 Measures for Identity Disclosure
3.3.1 Uniqueness
3.3.2 Re-Identification for Identity Disclosure
3.4 Privacy Models
3.4.1 Privacy from Re-Identification
3.4.2 k-Anonymity
3.4.3 k-Anonymity and Anonymity Sets: k-Confusion
3.4.4 k-Anonymity and Attribute Disclosure: Attacks and Privacy Models
3.4.5 k-Anonymity and Computational Anonymity
3.4.6 Differential Privacy
3.4.7 Local Differential Privacy
3.4.8 Integral Privacy
3.4.9 Homomorphic Encryption
3.4.10 Secure Multiparty Computation
3.4.11 Result Privacy
3.4.12 Privacy Models for Clusters and Cells
3.4.13 Discussion
3.5 Classification of Privacy Mechanisms
3.5.1 On Whose Privacy Is Being Sought
3.5.2 On the Computations to Be Done
3.5.3 On the Number of Databases
3.5.4 Knowledge Intensive Data Privacy
3.5.5 Other Dimensions and Discussion
3.6 Summary
3.7 Bibliographical Notes
4 Privacy for Users
4.1 User's Privacy in Communications
4.1.1 Protecting the Identity of the User
4.1.2 Protecting the Data of the User
4.2 User's Privacy in Information Retrieval
4.2.1 Protecting the Identity of the User
4.2.2 Protecting the Query of the User
4.2.3 Private Information Retrieval
4.3 Other Contexts
4.4 Bibliographical Notes
5 Privacy for Computations, Functions, and Queries
5.1 Differential Privacy Mechanisms
5.1.1 Differential Privacy Mechanisms for Numerical Data
5.1.2 Composition Theorems
5.1.3 Differential Privacy Mechanisms for Categorical Data
5.1.4 Properties of Differential Privacy
5.1.5 Machine Learning
5.1.6 Concluding Remarks
5.2 Secure Multiparty Computation Protocols
5.2.1 Assumptions on Data and on Adversaries
5.2.2 Computing a Distributed Sum
5.2.3 Secure Multiparty Computation and Inferences
5.2.4 Computing the Exclusive OR Function
5.2.5 Secure Multiparty Computation for Other Functions
5.3 Bibliographical Notes
6 Privacy for Data: Masking Methods
6.1 Perturbative Methods
6.1.1 Data and Rank Swapping
6.1.2 Microaggregation
6.1.3 Additive and Multiplicative Noise
6.1.4 PRAM: Post-Randomization Method
6.1.5 Lossy Compression and Other Transform-Based Methods: De-Noising Data
6.2 Non-perturbative Methods
6.2.1 Generalization and Recoding
6.2.2 Suppression
6.3 Synthetic Data Generators
6.3.1 Synthetic Data Generators and Generative Adversarial Networks
6.3.2 Table-GANs
6.4 Masking Methods and k-Anonymity
6.4.1 Mondrian
6.4.2 Microaggregation and Generalization
6.4.3 Algorithms for k-Anonymity: Variants and Big Data
6.5 Data Protection Procedures for Constrained Data
6.5.1 Types of Constraints
6.6 Masking Methods and Big Data
6.7 Bibliographical Notes
7 Selection of a Data Protection Mechanism: Information Loss and Risk
7.1 Information Loss: Evaluation and Measures
7.1.1 Generic Versus Specific Information Loss
7.1.2 Information Loss Measures
7.1.3 Generic Information Loss Measures
7.1.4 Specific Information Loss
7.1.5 Information Loss and Big Data
7.2 Selection of Masking Methods
7.2.1 Aggregation: A Score
7.2.2 Visualization: R-U Maps
7.2.3 Optimization and Post-Masking
7.3 Machine Learning
7.4 Privacy in Federated Learning
7.5 Bibliographical Notes
8 Other Data-Driven Mechanisms
8.1 Result-driven Approaches
8.2 Tabular Data
8.2.1 Sensitivity Rules
8.2.2 Tabular Data Protection
8.2.3 Cell Suppression
8.2.4 Controlled Tabular Adjustment
8.3 Bibliographical Notes
9 Conclusions
9.1 Guidelines
A Matching and Integration: Record Linkage for Identity Disclosure Risk
A.1 Heterogeneous Distributed Databases
A.1.1 Data Integration
A.1.2 Schema Matching
A.1.3 Data Matching
A.1.4 Preprocessing
A.1.5 Indexing and Blocking
A.1.6 Record Pair Comparison: Distances and Similarities
A.1.7 Classification of Record Pairs
A.2 Probabilistic Record Linkage
A.3 Distance-Based Record Linkage
A.3.1 Weighted Distances
A.3.2 Distance and Normalization
A.3.3 Parameter Determination for Record Linkage
A.4 Record Linkage Without Common Attributes
A.5 Comparison of Record Linkage Algorithms
A.6 Bibliographical Notes
References
Index
