ABSTRACT
We present a novel definition of privacy in the framework of offline (retroactive) database query auditing. Given information about the database, a description of sensitive data, and assumptions about users' prior knowledge, our goal is to determine if answering a past user's query could have led to a privacy breach. According to our definition, an audited property A is private, given the disclosure of property B, if no user can gain confidence in A by learning B, subject to prior knowledge constraints. Privacy is not violated if the disclosure of B causes a loss of confidence in A. The new notion of privacy is formalized using the well-known semantics for reasoning about knowledge, where logical properties correspond to sets of possible worlds (databases) that satisfy these properties. Database users are modelled as either possibilistic agents whose knowledge is a set of possible worlds, or as probabilistic agents whose knowledge is a probability distribution on possible worlds.
We analyze the new privacy notion, show its relationship with the conventional approach, and derive criteria that allow the auditor to test privacy efficiently in some important cases. In particular, we prove characterization theorems for the possibilistic case, and study in depth the probabilistic case under the assumption that all database records are considered a priori independent by the user, as well as under more relaxed (or absent) prior-knowledge assumptions. In the probabilistic case we show that for certain families of distributions there is no efficient algorithm to test whether an audited property A is private given the disclosure of a property B, assuming P ≠ NP. Nevertheless, for many interesting families, such as the family of product distributions, we obtain algorithms that are efficient both in theory and in practice.
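As an added illustration (not code from the paper), the following Python models the abstract's two agent types on a constructed three-record boolean database: a probabilistic agent whose prior is a product distribution and a possibilistic agent whose prior is any nonempty set of worlds. The predicates A, B_UP and B_DOWN and the brute-force search are assumptions of this example, not the paper's efficient algorithms.

```python
"""Toy model of the privacy test from the abstract (added example, not the paper's code).

A possible world is a database of N boolean records; a property is a predicate on worlds.
Assumed: a probabilistic agent's prior is a product distribution (records independent),
a possibilistic agent's prior is any nonempty set of worlds. Brute force, tiny N only.
"""
from itertools import product

N = 3  # constructed example: three records, each a boolean sensitive flag
WORLDS = list(product((0, 1), repeat=N))

def prob(world, p):
    """Product distribution: record i is 1 with independent probability p[i]."""
    out = 1.0
    for bit, pi in zip(world, p):
        out *= pi if bit else 1 - pi
    return out

def conditional(prop, given, p):
    """P(prop | given) under the product distribution p."""
    pg = sum(prob(w, p) for w in WORLDS if given(w))
    pab = sum(prob(w, p) for w in WORLDS if given(w) and prop(w))
    return pab / pg

def probabilistic_gain(a, b, p):
    """Change in confidence in A after learning B; only a positive value is a breach."""
    prior = sum(prob(w, p) for w in WORLDS if a(w))
    return conditional(a, b, p) - prior

def possibilistic_breach(a, b):
    """Return a prior-knowledge set K that lets the user learn A from B, or None.
    K breaches if the user did not already know A (K not within A) but
    K restricted to B is nonempty and lies within A."""
    for mask in range(1, 1 << len(WORLDS)):
        k = [w for i, w in enumerate(WORLDS) if mask >> i & 1]
        if all(a(w) for w in k):
            continue                      # user already knew A
        kb = [w for w in k if b(w)]
        if kb and all(a(w) for w in kb):
            return k                      # witness prior knowledge
    return None

A = lambda w: w[0] == 1                  # audited: record 0 is flagged
B_UP = lambda w: sum(w) >= 2             # disclosed: at least two records flagged
B_DOWN = lambda w: sum(w) <= 1           # disclosed: at most one record flagged
UNIFORM = [0.5] * N

if __name__ == "__main__":
    # B_UP raises confidence in A (breach); B_DOWN lowers it (no breach)
    print(probabilistic_gain(A, B_UP, UNIFORM), probabilistic_gain(A, B_DOWN, UNIFORM))
    print(possibilistic_breach(A, B_DOWN))   # a possibilistic witness exists anyway
```

Under the uniform product prior, B_DOWN lowers confidence in A and is therefore not a probabilistic breach, yet an unconstrained possibilistic agent can still be handed a prior set K that makes B_DOWN reveal A, which is why prior-knowledge constraints matter in the definition.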