Klara Stokes

Optimal configurations for peer-to-peer user-private information retrieval

User-private information retrieval systems should protect the users anonymity when performing queries against a database, or they should limit the servers capacity of profiling users. Peer-to-peer user-private information retrieval (P2P UPIR) supplies a practical solution: the users in a group help each other in doing their queries, thereby preserving their privacy without any need of the database to cooperate. One way to implement the P2P UPIR uses combinatoric configurations to administrate the keys needed for the private communication between the peers. This article is devoted to the choice of the configuration in this system. First of all we characterize the optimal configurations for the P2P UPIR and see the relationship with the projective planes as described in finite geometry. Then we give a very efficient construction of such optimal configurations, i.e. finite projective planes. We finally check that the involved graphs are Ramanujan graphs, giving an additional justification of the optimality of the constructed configurations.

n-confusion: a generalization of k-anonymity

We provide a formal framework for re-identification in general. We define n-confusion as a concept for modelling the anonymity of a database table and we prove that n-confusion is a generalization of k-anonymity. Finally we present an example to illustrate how this result can be used to augment local variance in k-anonymous protected data.

On some clustering approaches for graphs

In this paper we discuss some tools for graph perturbation with applications to data privacy. We present and analyse two different approaches. One is based on matrix decomposition and the other on graph partitioning. We discuss these methods and show that they belong to two traditions in data protection: noise addition/microaggregation and k-anonymity.

On query self-submission in peer-to-peer user-private information retrieval

User-private information retrieval (UPIR) is the art of retrieving information without telling the information holder who you are. UPIR is sometimes called anonymous keyword search. This article discusses a UPIR protocol in which the users form a peer-to-peer network over which they collaborate in protecting the privacy of each other. The protocol is known as P2P UPIR. It will be explained why the P2P UPIR protocol may have a flaw in the protection of the privacy of the client in front of the server. Two alternative variations of the protocols are discussed. One of these will prove to resolve the privacy flaw discovered in the original protocol. Hence the aim of this article is to propose a modification of the P2P UPIR protocol. It is justified why the projective planes are still the optimal configurations for P2P UPIR for the modified protocol.

Erratum to: Linear spaces and transversal designs: \(k\)-anonymous combinatorial configurations for anonymous database search

Anonymous database search protocols allow users to query a database anonymously. This can be achieved by letting the users form a peer-to-peer community and post queries on behalf of each other. In this article we discuss an application of combinatorial configurations (also known as regular and uniform partial linear spaces) to a protocol for anonymous database search, as defining the key-distribution within the user community that implements the protocol. The degree of anonymity that can be provided by the protocol is determined by properties of the neighborhoods and the closed neighborhoods of the points in the combinatorial configuration that is used. Combinatorial configurations with unique neighborhoods or unique closed neighborhoods are described and we show how to attack the protocol if such configurations are used. We apply k-anonymity arguments and present the combinatorial configurations with k-anonymous neighborhoods and with k-anonymous closed neighborhoods. The transversal designs and the linear spaces are presented as optimal configurations among the configurations with k-anonymous neighborhoods and k-anonymous closed neighborhoods, respectively.

On computational anonymity

The concern of data privacy is to mask data so that they can be transferred to untrusted third parties without leaking confidential individual information. In this work we distinguish between theoretical anonymity and computational anonymity. We present a relaxation of k-anonymity, called (k,l)-anonymity, which makes sense when it can be assumed that the knowledge of an adversary is limited. (k,l)-Anonymity can also be regarded as a quantification of the anonymity in terms of the adversarys limitations. Combinatorics, or more precisely, hypergraphs, are used to represent the anonymity relations in a (k,l)-anonymous table. Finally, we present an algorithm for the (k,l)-anonymization of tables.

MULTIPLE RELEASES OF k-ANONYMOUS DATA SETS AND k-ANONYMOUS RELATIONAL DATABASES

In data privacy, the evaluation of the disclosure risk has to take into account the fact that several releases of the same or similar information about a population are common. In this paper we discuss this issue within the scope of k-anonymity. We also show how this issue is related to the publication of privacy protected databases that consist of linked tables. We present algorithms for the implementation of k-anonymity for this type of data.

An Extension of Fuzzy Measures to Multisets and Its Relation to Distorted Probabilities

Fuzzy measures are monotonic set functions on a reference set; they generalize probabilities replacing the additivity condition by monotonicity. The typical application of these measures is with fuzzy integrals. Fuzzy integrals integrate a function with respect to a fuzzy measure, and they can be used to aggregate information from a set of sources (opinions from experts or criteria in a multicriteria decision-making problem). In this context, background knowledge on the sources is represented by means of the fuzzy measures. For example, interactions between criteria are represented by means of nonadditive measures. In this paper, we introduce fuzzy measures on multisets. We propose a general definition, and we then introduce a family of fuzzy measures for multisets which we show to be equivalent to distorted probabilities when the multisets are restricted to proper sets.

A FORMALIZATION OF RECORD LINKAGE AND ITS APPLICATION TO DATA PROTECTION

Re-identification and record linkage are tools used to measure disclosure risk in data privacy. Given two data files, record linkage establishes links between those records that correspond to the same individual. These links are often expressed in terms of probability distributions. This paper presents a review of a formalization of re-identification in terms of compatible belief functions. This formalization makes it possible to define the set of methods for re-identification that are relevant for the estimation of disclosure risk in privacy protection. Any re-identification method that does not fulfill the criteria for being in this set, may be discarded in a theoretical disclosure risk analysis. The focus in this paper is on providing examples of how this formalization can be applied in a few different scenarios in data privacy

A peer-to-peer agent community for digital oblivion in online social networks

A long list of personal tragedies, including teenage suicides, has raised the importance of managing the personal information available on the Internet. It has been argued that it should be allowed to make mistakes, and that there should be a right to be forgotten. Unfortunately, todays Internet architecture and services typically do not support such functionality. We design a system that provides digital oblivion for users of online social networks. Participants form a peer-based agent community, which agree on protecting the privacy of individuals who request images to be forgotten. The system distributes and maintains up-to-date information on oblivion requests, and implements a filtering functionality when accessing an underlying online social network. We describe digital oblivion in terms of authentication of user-to-content relations and identify two user-to-content relations that are particularly relevant for digital oblivion. Finally, we design a family of protocols that provide digital oblivion with respect to these user-to-content relations, within the community that are implementing the protocol. Our protocols leverage a combination of digital signatures, watermarking, image tags, and trust management. No collaboration is required from the social network provider, although the system could also be incorporated as a standard feature of the social network.