(p, N)-identifiability: Anonymity under Practical Adversaries

Personal data has great potential for building an efficient and sustainable society; thus several privacy preserving techniques have been proposed to solve the essential issue of maintaining privacy in the use of personal data. Anonymization techniques are promising techniques applicable to huge-size personal data in order to reduce its re-identification risk. However, there is a trade-off between the utility of anonymized datasets and the risk of re-identification of individuals from the anonymized dataset, and so far no perfect solution has been provided. In previous studies, ideal adversaries in possession of all records of an original dataset have been considered in risk analyses, because an anonymized dataset is assumed to be publicly accessible, and once the record of a target is re-identified, privacy breaches are serious and may be uncontrollable. However, anonymized datasets are assumed to be distributed between organizations via secure channels in typical business situations. In this paper, we consider the actual risk to anonymized datasets and propose an analysis method that yields more stringent risk estimation in real settings with real adversaries. Furthermore, we present some experimental results using medical records. Our method is practical and useful for anonymized datasets generated by common anonymization methods such as generalization, noise addition and sampling, and can lead to generate more useful anonymized datasets.