- The paper presents A-COMPASS, a formal language that extends COMPASS to support microdata anonymity via expressive privacy transformations.
- It introduces novel constructs like REPLACE and RANDOM actions, enabling deterministic yet flexible mechanisms for enforcing k-anonymity and l-diversity.
- The verified semantics ensure soundness and compositionality, offering robust practical implications for regulatory compliance and data privacy enforcement.
Problem Context and Prior Approaches
Anonymity in microdata remains a critical concern for data privacy, given the pervasive collection and dissemination of individual-level datasets across medical, economic, and social domains. Traditional privacy models such as k-anonymity and l-diversity provide sufficient conditions to mitigate identity and attribute disclosure risks but lack robust formal verification tools to assure regulatory compliance and substantive privacy guarantees. While differential privacy models have received significant attention in verification literature, the foundational models for anonymity have limited formalization and verification support.
The Compliance Assertion Language (COMPASS) previously allowed formal specification of anonymity requirements and remedial actions in group-based (one record per group) preprocessed tables. However, it did not directly support standard microdata settings with one record per individual, nor did it facilitate comprehensive anonymization transformations.
Language Extension: A-COMPASS
A-COMPASS is introduced to address gaps in COMPASS functionality by providing a formal language and denotational semantics for microdata anonymity analysis and transformation. This extension supports one record per person schema and enables expressive composition of anonymization actions.
Syntax and Expressivity
A-COMPASS augments COMPASS with:
- REPLACE Action: Generalizes the ZERO action (COMPASS), permitting arbitrary replacements for attribute values rather than being limited to zeros.
- COUNT DISTINCT Aggregation: Facilitates l-diversity checks by directly counting different sensitive values in equivalence classes, thus enabling standard l-diversity analysis without the need for subqueries or duplicate-collapsing hacks.
- RANDOM Action: Enables probabilistic anonymization, such as randomized imputation of outlier values, with deterministic random trace modeling in the semantics for formal accountability.
- Removal of JOIN Action: Anonymization via replacement compositions obviates joins required for group-based generalization in COMPASS.
A-COMPASS covers both suppression (overwriting rare/high-risk values) and generalization (replacing attribute values with broader categories), supporting built-in constructs for both, as exemplified in the provided microdata scenarios.
Assertion Semantics
Assertions in A-COMPASS specify requirements (e.g., k-anonymity, l-diversity, suppression, generalization) and target affected records when violated. Actions transform affected records to satisfy privacy criteria or eliminate risky equivalence classes.
Denotational Semantics and Fundamental Properties
A-COMPASS semantics are inspired by SQL's formal semantics for bags/multisets [GuLi2017], adapting it with deterministic random trace modeling for RANDOM, canonical ordering to ensure determinism, and precise modeling of affected records for assertion violations.
Key Properties Proven:
- Determinism: For any requirement and initial semantic state, the output state is uniquely determined, including the REPLACE and RANDOM actions.
- Compositionality: Sequential application of requirements maps to function composition, supporting modular privacy policies.
- Soundness and Completeness: For suppression, generalization, k-anonymity, and l-diversity, the semantics assure that all remaining records, post-action, satisfy the defined privacy requirement and that maximal possible compliant subrelations are produced.
Numerical and Logical Results
A-COMPASS allows formal verification and transformation of microdata tables to satisfy:
- k-anonymity: Every equivalence class (records sharing quasi-identifiers) contains at least k members.
- l-diversity: Every equivalence class contains at least l distinct values for sensitive attributes, directly tracked via COUNT DISTINCT.
Suppression and generalization actions provably enforce indistinguishability in the relevant attribute domains, and RANDOM achieves deterministic formal modeling for stochastic imputation. For l0-anonymity and l1-diversity, REJECT actions accurately remove all violating records, ensuring both soundness (no violation remains) and completeness (no compliant record is incorrectly eliminated).
Implications and Future Developments
Practical Implications
A-COMPASS provides a robust, formally verified foundation for microdata privacy compliance, addressing GDPR and other global privacy regulations' requirements for rigorous, auditable anonymization. The language supports both assessment and transformation, enabling curators to both check and enforce anonymity constraints via formally specified policies.
Theoretical Implications
Establishing deterministic, compositional denotational semantics for microdata anonymization bridges the gap between abstract privacy models and practical database programming languages. It lays groundwork for formal reasoning about privacy policy enforcement in database systems.
Extensions and Directions
- Relational Algebra Equivalence: Establishing formal correspondence between A-COMPASS requirements and relational algebra expressions would facilitate integration with classical verification frameworks.
- Differential Privacy Integration: Extending A-COMPASS with probabilistic modeling for concrete distributions, directly supporting formal reasoning about differential privacy mechanisms and privacy budget accounting.
- Implementation: A-COMPASS is amenable to implementation as a privacy policy language for real-world database anonymization pipelines.
Conclusion
A-COMPASS sets a formal foundation for anonymity analysis and enforcement in microdata by extending the expressive capabilities of COMPASS and providing rigorous denotational semantics, proven properties, and built-in support for suppression, generalization, and randomized anonymization. The approach ensures that privacy requirements such as l2-anonymity and l3-diversity are not only verifiable but enforceable by deterministic, compositional language constructs. This work directly addresses theoretical and practical gaps in privacy-preserving data management and sets the stage for future advancements in privacy language design and formal verification (2606.20492).