Dynamic Variable Anonymization

• Variable anonymization is the challenge of protecting evolving sensitive data in dynamic datasets with both external and internal updates.
• The Sensitive attribute Update Graph (SUG) model quantifies disclosure risk by evaluating transition probabilities between sensitive values over successive releases.
• The m-Distinct principle and multi-phase algorithm ensure privacy by enforcing minimum candidate set sizes and balancing data utility with known update semantics.

Variable anonymization refers to the challenge of protecting sensitive variable values in datasets that are released repeatedly over time, particularly when both records and their attribute values evolve between releases. The problem becomes acute for fully dynamic datasets—those subject to both external (record-level insertions and deletions) and internal (attribute value changes) updates—because the cumulative releases facilitate adversarial inference that can quickly undermine privacy guarantees. Traditional anonymization techniques designed for single or externally updated releases, such as l-diversity or m-invariance, prove insufficient in this context. The “Variable Anonymization Challenge” is defined by the need for provably bounded privacy risk in the presence of correlated record versions across releases, all while maintaining high data utility and manageable computational costs.

1. Privacy Framework for Fully Dynamic Datasets

A dynamic dataset is formally defined by sequences of published tables $T_1, ..., T_n$, in which records may be inserted or deleted (external updates) or have their quasi-identifier (QI) or sensitive attribute values change (internal updates). For two versions $t_i \in T_i$ and $t_j \in T_j$ of the same record (identifiable by, e.g., a stable patient ID), the variable anonymization problem arises when $QI(t_i) \ne QI(t_j)$ or $S(t_i) \ne S(t_j)$.

The paper introduces the Sensitive attribute Update Graph (SUG) as a formal adversary model. Each node in a SUG represents a possible sensitive value for a record in a given release; edges between these nodes are weighted by the transition probabilities $P_{trans}(s_1, s_2)$ that model how likely a sensitive value $s_1$ in $T_i$ is to evolve into $s_2$ in $T_{i+1}$. The feasible sub-SUG is obtained by pruning candidate nodes and edges ruled out by the observed QI and published generalizations.

Disclosure risk is then quantified as the probability that, over all observed versions and knowledge of update semantics, an adversary can correctly assign a specific sensitive value to a record:

$$r_n(t'_i) = \frac{\sum_{k_i} w(p'_{k})}{\sum_K w(p_k)}$$

where the numerator sums path weights passing through the true sensitive value, and the denominator is over all feasible SUG paths.

This framework generalizes the adversary model to account for dynamic evolution and sets the groundwork for evaluating privacy guarantees under repeated, correlated publications—thus directly addressing the variable anonymization challenge for internally-updating datasets.

2. The m-Distinct Generalization Principle

To counteract adversarial inference over time, the m-Distinct principle is introduced. It is a two-part, property:

1. Per-release m-uniqueness: Every QI group in every release must contain at least $m$ records, with all $m$ having mutually distinct sensitive values.
2. Update set consistency: For every record $t$ appearing in multiple releases—including $t_i$ in $T_i$ and $t_j$ in $T_j$—the candidate set of sensitive values for $t_j$ must be a legal update instance given the Update Set Signature (USS) of $t_i$. The USS is the multiset of possible sensitive value transitions from the prior release.

These constraints enforce that, even after internal attribute updates and the application of known external and internal update semantics, the feasible sub-SUG for any record remains sufficiently “broad”: every candidate node set must satisfy $|V'_i| \ge m$. This ensures that the probability of linking a record to its true sensitive value in any release is at most $1/m$.

A stricter variant, m-Distinct*, further demands that in the first release, candidate update sets for different sensitive values do not overlap, tightening the upper bound on risk.

Theoretical justification is provided by a lemma asserting that if m-Distinct holds through all $n$ releases, then at each stage no candidate set can shrink below $m$ elements—thus bounding disclosure risk over time.

3. Multi-Phase Anonymization Algorithm

A three-phase algorithm is detailed to perform variable anonymization while enforcing m-Distinct under both external and internal updates:

A. Bucket Creation: For each record in a new release, if it previously appeared, its USS is used to initialize a bucket. Buckets with intersectable USSs can be merged when an injective mapping between CUSs with nonempty intersection exists.

B. Record Assignment: Each record is assigned to a bucket that satisfies conditions on the allowed sensitive values (according to the current USS). The assignment is scored by a combination of two factors:

• $\epsilon = +1$ if no new counterfeit records must be generated (else $-1$).
• $\lambda$, denoting the ratio of generalized QI region area after/before assignment.

The score is given by:

• $score = 1/\lambda$ if $\epsilon = 1$, or $- \lambda$ otherwise.

Assignments optimize this score to balance privacy (minimize new counterfeits) and utility (limit generalization).

C. QI-Group Generation: Each bucket is recursively partitioned to construct QI-groups of size $m$ with all-different sensitive values. Dummy records (counterfeits) are inserted if necessary to maintain group size and m-uniqueness. A split-score—weighted by QI interval lengths—guides partitions to minimize generalization loss.

This algorithmic approach ensures robust anonymization under record insertions, deletions, and in-place modifications—capabilities not supported by prior state-of-the-art methods.

4. Experimental Design and Quantitative Results

Experiments were conducted on the OCC dataset (approx. 200,000 records) with both record-level (external) and attribute-level (internal) updates simulated over multiple releases. Key protocol elements:

• External updates: In each publication, 2,000 records are removed and 5,000 inserted.
• Internal updates: Attributes such as age, marital status, education, and occupation are updated using realistic transition semantics. The “diameter” parameter $d$ controls the breadth of possible transitions for a sensitive value.
• Baseline anonymization mechanisms: Compared m-Distinct to l-diversity and m-invariance.

Empirically:

• With 2-diversity, the disclosure risk (fraction of sensitive values becoming uniquely identifiable) can reach 66% after 20 releases—demonstrating the inadequacy of traditional methods.
• m-Distinct, however, keeps the re-publication risk bounded near $1/m$ regardless of release count.
• Query accuracy (as measured by aggregate error in downstream tasks) remains high, with utility improved further as the transition diameter $d$ grows (fewer counterfeits required, lower generalization).
• For large $m$, more dummy records are needed and generalization increases, but privacy guarantees improve accordingly.

Existing algorithms tailored only to external change (e.g., m-invariance) experience high invalidation counts—many records become ineligible for linking across releases, reflecting SUG pruning—when faced with internal updates; m-Distinct does not exhibit this failure mode.

5. Core Challenges and Their Resolution

The core challenge is the cumulative nature of adversary knowledge: each release, particularly with non-arbitrary internal updates, enables linkage attacks by adversaries who correctly model the possible update semantics. Conventional k-anonymity and related techniques assume independent or static sensitive values, which fails when, e.g., an internal attribute must change in a way that excludes previously observed values.

Published solutions detailed in the paper include:

• The SUG model, which describes all feasible sensitive attribute evolutions and provides a precise definition of disclosure events.
• The m-Distinct condition, which enforces global indistinguishability under arbitrary correlated updates.
• A partitioning and assignment algorithm that adapts to joint update patterns, minimizing the number of modifications and counterfeits necessary to maintain privacy, and recursively optimizes group formation to minimize data distortion.

Trade-offs between strictly limiting risk (choosing higher $m$) and preserving data utility (fewer dummies, less generalization) are intrinsic. Larger $m$ increases privacy at the expense of analytic usability and computation, but these trade-offs are quantifiable and can be managed via algorithmic parameters and careful selection of transition diameter $d$.

6. Implications and Future Research Directions

The proposed variable anonymization strategy using m-Distinct and SUG-based reasoning provides a provably robust framework for anonymizing records in dynamic datasets subject to arbitrary internal and external updates. It unifies privacy risk computation, group partitioning, and adversary modeling into a consistent, implementable pipeline.

A plausible implication is that privacy-preserving data publishing in environments with high-frequency attribute evolution—such as longitudinal medical or census datasets—requires the m-Distinct (or similar) property as a minimal guarantee.

Future work may focus on:

• Reducing the overhead of counterfeit record insertion and generalization under stronger privacy constraints.
• Developing practical approaches for modeling real-world attribute transitions, especially when true transition probabilities are unknown or context-dependent.
• Extending these principles to distributed or federated data publishing with dynamic, asynchronous updates across multiple data holders.

This paradigm fundamentally addresses the variable anonymization challenge by providing a rigorous foundation and practical algorithms for secure, repeated data releases where variables may evolve arbitrarily over time.