
Epistemic privacy

Published: 21 December 2010

Abstract

We present a novel definition of privacy in the framework of offline (retroactive) database query auditing. Given information about the database, a description of sensitive data, and assumptions about users' prior knowledge, our goal is to determine if answering a past user's query could have led to a privacy breach. According to our definition, an audited property A is private, given the disclosure of property B, if no user can gain confidence in A by learning B, subject to prior knowledge constraints. Privacy is not violated if the disclosure of B causes a loss of confidence in A. The new notion of privacy is formalized using the well-known semantics for reasoning about knowledge, where logical properties correspond to sets of possible worlds (databases) that satisfy these properties. Database users are modeled as either possibilistic agents whose knowledge is a set of possible worlds, or as probabilistic agents whose knowledge is a probability distribution on possible worlds.
We analyze the new privacy notion, show its relationship with the conventional approach, and derive criteria that allow the auditor to test privacy efficiently in some important cases. In particular, we prove characterization theorems for the possibilistic case, and study in depth the probabilistic case under the assumption that all database records are considered a priori independent by the user, as well as under more relaxed (or absent) prior-knowledge assumptions. In the probabilistic case we show that for certain families of distributions there is no efficient algorithm to test whether an audited property A is private given the disclosure of a property B, assuming P ≠ NP. Nevertheless, for many interesting families, such as the family of product distributions, we obtain algorithms that are efficient both in theory and in practice.
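To make the abstract's definition concrete, here is an added worked example (not code from the paper): a toy auditor over a three-record database that checks both agent models, showing one disclosure that raises confidence in the audited property (a breach), one that lowers it (no violation), and one that breaches only for the probabilistic agent. The precise readings of "gains confidence" used here (possibilistic: A becomes known after learning B; probabilistic: P(A|B) > P(A)), and the finite grid of product priors standing in for the prior-knowledge constraints, are assumptions for this demonstration.

```python
from fractions import Fraction
from itertools import product

# Constructed toy model: a possible world (database) is a tuple of n bits,
# one per record (1 = record has the sensitive attribute). A property is the
# set of possible worlds that satisfy it.
def worlds(n):
    return frozenset(product((0, 1), repeat=n))

def prop(W, pred):
    return frozenset(w for w in W if pred(w))

def possibilistic_breach(K, A, B):
    """Agent whose knowledge is the world set K learns B, so K becomes K & B.
    Assumed reading of 'gains confidence in A': A was not known before
    (K not a subset of A) but is known afterwards (K & B nonempty, subset of A)."""
    after = K & B
    return not K <= A and bool(after) and after <= A

def product_prior(probs):
    """Product distribution: records a priori independent, P(x_i = 1) = probs[i]."""
    def P(w):
        r = Fraction(1)
        for x, p in zip(w, probs):
            r *= p if x else 1 - p
        return r
    return P

def mass(P, S):
    return sum((P(w) for w in S), Fraction(0))

def conditional(P, A, B):
    return mass(P, A & B) / mass(P, B)

def probabilistic_breach(P, A, B):
    """Assumed reading: disclosing B raises confidence in A, P(A | B) > P(A).
    A loss of confidence is not a violation."""
    if mass(P, B) == 0:
        return False  # B can never be disclosed under this prior
    return conditional(P, A, B) > mass(P, A)

def is_private(A, B, priors):
    """A is private given B if no prior in the (assumed, finite) family breaches."""
    return not any(probabilistic_breach(product_prior(p), A, B) for p in priors)

W = worlds(3)
A = prop(W, lambda w: w[0] == 1)                    # audited: record 0 is positive
B_high = prop(W, lambda w: sum(w) >= 2)             # count query answered ">= 2"
B_low = prop(W, lambda w: sum(w) <= 1)              # count query answered "<= 1"
B_pair = prop(W, lambda w: w[0] == 1 and w[1] == 1) # records 0 and 1 both positive
FAMILY = [[Fraction(p, 10)] * 3 for p in range(1, 10)]  # constructed prior grid
```

With no prior knowledge (K = W), B_high is not a possibilistic breach because the world (0, 1, 1) stays possible, yet every product prior in the grid raises P(A | B_high) above P(A), so the probabilistic auditor rejects it.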



Published In

Journal of the ACM, Volume 58, Issue 1
December 2010
158 pages
ISSN: 0004-5411
EISSN: 1557-735X
DOI: 10.1145/1870103

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 December 2010
Accepted: 01 September 2010
Revised: 01 April 2010
Received: 01 December 2008
Published in JACM Volume 58, Issue 1

Author Tags

  1. Auditing
  2. Positivstellensatz
  3. disclosure
  4. privacy
  5. query logs
  6. reasoning about knowledge
  7. supermodularity
