, et 3): le Discrimination Rate (DR) est une nouvelle métrique qui fournit une approche centrée sur les attributs pour la mesure de la vie privée et qui est pratique et suffisamment flexible pour s'adapter à divers domaines d'application. Le DR calcule la capacité d'un attribut (évaluée entre 0 et 1) à raffiner un ensemble de sujets; plus un attribut peut affiner un ensemble de sujets, plus son DR est élevé. Par exemple, un identifiant a un DR égal à 1 car il permet d'isoler chacun des sujets de l'ensemble. Grâce au DR, nous fournissons une première évaluation précise ainsi qu'une comparaison de deux des techniques d'anonymisation les plus utilisées, à savoir le k-anonymat et la l-diversité, Le Discrimination Rate: une métrique centrée sur les attributs pour mesurer la vie privée, vol.1, 2017.
, est une amélio-ration du DR qui prend en compte des considérations sémantiques. Le SeDR permet plus de flexibilité pour ses mesures d'anonymat et est utilisé pour comparer la l-diversité à la la t-proximité qui sont deux des meilleures techniques d'anonymisation de type k-anonymat. De plus, comme la t-proximité est considérée meilleure que la l-diversité, le SeDR montre que, selon les considérations sémantiques, la proximité t-proximité peut être pire que la l-diversité, Ce travail a été publié dans la conférence Security and Cryptography (SECRYPT) en 2017 (Sondeck, Laurent, and Frey, 2017.
, Après avoir utilisé notre métrique (SeDR) pour la mesure de l'anonymat, nous montrons comment il peut être utilisé pour fournir une évaluation de l'utilité a posteriori pré-cise pour tout type de données anonymisées. L'évaluation a posteriori est l'approche la plus pratique car elle est réalisée uniquement à partir des données anonymisées et d'un besoin prédéfini d'utilité alors que l'évaluation de type a priori vise à évaluer dans quelle mesure les données désinfectées reflètent les données originales et donc basée sur des données originales, Evaluation d'utilité a posteriori de données anonymisées avec la mesure Discrimination Rate
, ? La conclusion et les perspectives
, Evaluation du besoin d'utilité à partir du SeDR Exemple d'évaluation d'un besoin d'utilité a posteriori Nous proposons un modèle permettant de capturer un besoin d'utilité a posteriori dans une microdonnée (cf. Section A.5.1). Pour ce faire nous considérons 2 critères: ? Un ensemble d'attributs d
, Considérons l'exemple suivant pour qui illustre l'évaluation de l'utilité à posteriori où la table A.7 est un 3-anonymat de la table A.6. Considérons maintenant une étude qui vise à fournir un traitement aux sujets en fonction de leur âge et qui serait basée sur les données anonymisées de la table A.7. Ainsi, le besoin de l'utilité serait de savoir à partir de l'attribut Age* l'attribut Disease correspondant. Par conséquent, les attributs d'intérêt sont Age* et Disease et nous pouvons considérer comme partition d'intérêt la partition prédéfinie (représentée par les valeurs 2*, ? 40 et 3* tels qu'ils sont générés par le mécanisme d'anonymisation) pour évaluer le besoin d'utilité, Ces deux critères nous permettent d'exprimer notre besoin d'utilité qui est par la suite évalué avec le SeDR
, Considérant la partition prédéfinie nous pouvons évaluer le besoin de d'utilité
, Nous utilisons le SeDR pour calculer la capacité des valeurs de Age* à affiner les valeurs de Disease pour calculer ce degré de corrélation. Le résultat est représenté dans la table A.8. Nous observons que la capacité globale (SeDR) à répondre à l'utilité, c'est-à-dire de prescrire un traitement selon l'âge est 0.6. Nous pouvons également observer que la valeur "2*" fournit l'utilité la plus élevée (SeDR = 1) comme pour les sujets qui ont une vingtaine d'années, Le besoin d'utilité dans ce cas fait référence au degré de corrélation entre la partition d'intérêt de Age* et chaque valeur de l'attribut Disease
, Cette méthode s'applique a toutes les mécanismes d'anonymisation car il suffit d'avoir la microdonnée, de choisir les attributs d
, Conclusion et perspectives
, En effet, le nouveau règlement sur la protection des données (RGPD), qui entrera en vigueur en mai 2018, transformera complètement la manière dont les données de masse -reconnues comme la nouveau pétrole de notre époque -seront traitées. Le RGPD modifiera radicalement la façon dont les données sont collectées, stockées, exploitées, partagées et supprimées; avec pour les contrevenants, La protection des données n'a jamais été aussi cruciale qu'aujourd'hui
, alors que le règlement a déjà été adopté et entrera en vigueur en mai 2018, certains points restent à éclaircir, notamment: 1. Définir précisément les identifiants et donc les données personnelles
, Fournir des mesures d'anonymisation précises permettant des recommandations claires quant à l
, Fournir des mesures d'utilité précises pour calculer le degré d'utilité des données tout en prenant en compte les besoins spécifiques des processeurs de données
, Deep learning with differential privacy, Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp.308-318, 2016.
, Towards semantic microaggregation of categorical data for confidential documents, International Conference on Modeling Decisions for Artificial Intelligence, pp.266-276, 2010.
, Privacy-preserving data mining, ACM Sigmod Record, vol.29, issue.2, pp.439-450, 2000.
, A Wavelet-Based Approach to Preserve Privacy for Classification Mining, Decision Sciences 37.4, pp.623-642, 2006.
, A face is exposed for AOL searcher no. 4417749, New York Times 9, p.8, 2006.
, Utility preserving query log anonymization via semantic microaggregation, Information Sciences, vol.242, pp.49-63, 2013.
, Data privacy through optimal kanonymization, Data Engineering, 2005. ICDE 2005. Proceedings. 21st International Conference on. IEEE, pp.217-228, 2005.
, Assessing the risk of disclosure of confidential categorical data, Bayesian statistics 7: Proceedings of the seventh Valencia international meeting, p.125, 2003.
, Plausible deniability for privacy-preserving data synthesis, Proceedings of the VLDB Endowment, vol.10, pp.481-492, 2017.
, Microdata protection through noise addition, Inference control in statistical databases 2316, pp.97-116, 2002.
, The cost of privacy: destruction of data-mining utility in anonymized data publishing, Proceedings of the 14th ACM SIGKDD international conference on Knowledge discovery and data mining, pp.70-78, 2008.
, A Data-swapping Technique Using Ranks: A Method for Disclosure Control, 2000.
, Publishing set-valued data via differential privacy, Proceedings of the VLDB, pp.1087-1098, 2011.
, Auditing and inference control in statistical databases, IEEE Transactions on Software Engineering, vol.6, pp.574-582, 1982.
, mzMatch-ISO: an R tool for the annotation and relative quantification of isotope-labelled mass spectrometry data, Bioinformatics 29, vol.2, pp.281-283, 2013.
, Microdata protection". In: Secure data management in decentralized systems, pp.291-321, 2007.
, On syntactic anonymity and differential privacy, IEEE 29th International Conference on. IEEE, pp.88-93, 2013.
, The invasion of privacy problem and statistics productionan overview, Statistik Tidskrift, vol.12, pp.213-225, 1974.
, Data-swapping: A technique for disclosure control, Journal of statistical planning and inference, vol.6, pp.73-85, 1982.
, Synthetic tabular data-an alternative to complementary cell suppression, Manuscript, Energy Information Administration, 2002.
, Panels of enterprises and confidentiality: the small aggregates method, Proceedings of the 1992 symposium on design and analysis of longitudinal surveys, pp.195-204, 1993.
, Inference controls, Cryptography and data security, pp.331-392, 1982.
, The tracker: A threat to statistical database security, ACM Transactions on Database Systems, pp.76-96, 1979.
, Does additional information always reduce anonymity?, In: Proceedings of the 2007 ACM workshop on Privacy in electronic society. ACM, pp.72-75, 2007.
, Microaggregation: achieving k-anonymity with quasioptimal data quality, European Conference on Quality in Survey Statistics, pp.193-202, 2006.
, A survey of inference control methods for privacy-preserving data mining". In: Privacy-preserving data mining, pp.53-80, 2008.
, A survey of inference control methods for privacy-preserving data mining". In: Privacy-preserving data mining, pp.53-80, 2008.
, Comparing SDC methods for microdata on the basis of information loss and disclosure risk, Pre-proceedings of ETK-NTTS, vol.2, pp.807-826, 2001.
, Practical data-oriented microaggregation for statistical disclosure control, IEEE Transactions on Knowledge and data Engineering, vol.14, issue.1, pp.189-201, 2002.
, Database Privacy, Privacy in a Digital, pp.9-35, 2015.
, Database Privacy, Privacy in a Digital, pp.9-35, 2015.
, A polynomialtime approximation to optimal multivariate microaggregation, Computers & Mathematics with Applications, vol.55, pp.714-732, 2008.
, A quantitative comparison of disclosure control methods for microdata, Confidentiality, disclosure and data access: theory and practical applications for statistical agencies, pp.111-134, 2001.
, Disclosure control methods and information loss for microdata, Confidentiality, disclosure, and data access: theory and practical applications for statistical agencies, pp.91-110, 2001.
, Distance-based and probabilistic record linkage for re-identification of records with categorical variables, Butlletí de lACIA, Associació Catalana dIntelligència Artificial, pp.243-250, 2002.
, Disclosure risk assessment in statistical microdata protection via advanced record linkage, Statistics and Computing, vol.13, pp.343-354, 2003.
, Ordinal, continuous and heterogeneous k-anonymity through microaggregation, Data Mining and Knowledge Discovery, vol.11, issue.2, pp.195-212, 2005.
, A critique of k-anonymity and some of its enhancements, ARES 08. Third International Conference on. IEEE, pp.990-993, 2008.
, Differential privacy: A survey of results, International Conference on Theory and Applications of Models of Computation, pp.338-340, 2008.
, Calibrating noise to sensitivity in private data analysis, Theory of Cryptography Conference, pp.265-284, 2006.
, A method for cluster analysis, Biometrics, pp.362-375, 1965.
, Record level measures of disclosure risk for survey microdata, Journal of Official Statistics, vol.22, p.525, 2006.
, A computational algorithm for handling the special uniques problem, International Journal of Uncertainty, Fuzziness and Knowledge, pp.493-509, 2002.
, Special uniques, random uniques and sticky populations: some counterintuitive effects of geographical detail on disclosure risk, Research in Official Statistics, vol.1, pp.53-67, 1998.
, Semantic microaggregation for the anonymization of query logs, International Conference on Privacy in Statistical Databases, pp.127-137, 2010.
, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, 2016.
, Private coresets, Proceedings of the forty-first annual ACM symposium on Theory of computing, pp.361-370, 2009.
, A theory for record linkage, Journal of the American Statistical Association, vol.64, pp.1183-1210, 1969.
, Complementary cell suppression for statistical disclosure control in tabular data with linear constraints, IEEE transactions on knowledge and data engineering 19.5, 2000.
, Top-down specialization for information and privacy preservation, Data Engineering, 2005. ICDE 2005. Proceedings. 21st International Conference on. IEEE, pp.205-216, 2005.
, Composition attacks and auxiliary information in data privacy, Proceedings of the 14th ACM SIGKDD international conference on Knowledge discovery and data mining, pp.265-273, 2008.
, Similarity, interactive activation, and mapping, In: Journal of Experimental Psychology: Learning, Memory, and Cognition, vol.20, p.635, 1994.
, An algorithm for Euclidean sum of squares classification, Biometrics, pp.355-362, 1977.
, Post randomisation for statistical disclosure control: Theory and implementation, Journal of official Statistics, vol.14, p.463, 1998.
, AOL removes search data on vast group of web users, New York Times, vol.8, p.4, 2006.
, Minimum sum of squares clustering in a low dimensional space, Journal of Classification, vol.15, pp.37-55, 1998.
, A polynomial algorithm for optimal univariate microaggregation, IEEE Transactions on Knowledge and Data Engineering, vol.15, pp.1043-1044, 2003.
, A simple and practical algorithm for differentially private data release, Advances in Neural Information Processing Systems, pp.2339-2347, 2012.
, µ-ARGUS version 4.0 Software and Users Manual, Statistics Netherlands, 2005.
, Josep Domingo and Vicenc Torra (Numerical micro aggregation and rank swapping) Ruth Brand and Sarah Giessing (Sullivan Masking), 2008.
, Statistical disclosure control, 2012.
, Advances in record-linkage methodology as applied to matching the 1985 census of, Journal of the American Statistical Association, vol.84, pp.414-420, 1989.
, A framework for evaluating the utility of data altered to protect confidentiality, The American Statistician, vol.60, issue.3, pp.224-232, 2006.
, A method for limiting disclosure in microdata based on random noise and transformation, Proceedings of the section on survey research methods, pp.303-308, 1986.
, On the Shannon theory of information transmission in the case of continuous signals, IRE Transactions on Information Theory, pp.102-108, 1956.
, PRAM: A method for disclosure limitation of microdata, 1997.
, Minimum spanning tree partitioning algorithm for microaggregation, IEEE Transactions on Knowledge and Data Engineering, vol.17, pp.902-911, 2005.
, How much is enough? choosing ? for differential privacy, International Conference on Information Security, pp.325-340, 2011.
, Incognito: Efficient full-domain k-anonymity, Proceedings of the 2005 ACM SIGMOD international conference on Management of data, pp.49-60, 2005.
, t-closeness: Privacy beyond k-anonymity and l-diversity, IEEE 23rd International Conference on. IEEE, pp.106-115, 2007.
, Provably private data anonymization: Or, k-anonymity meets differential privacy, 2011.
, On the tradeoff between privacy and utility in data publishing, Proceedings of the 15th ACM SIGKDD international conference on Knowledge discovery and data mining, pp.517-526, 2009.
, Data utility and privacy protection trade-off in k-anonymisation, Proceedings of the 2008 international workshop on Privacy and anonymity in information society, pp.36-45, 2008.
, Data utility and privacy protection trade-off in k-anonymisation, Proceedings of the 2008 international workshop on Privacy and anonymity in information society, pp.36-45, 2008.
, l-diversity: Privacy beyond k-anonymity, ACM Transactions on Knowledge Discovery from Data (TKDD) 1.1, p.3, 2007.
, Privacy-utility tradeoff under statistical uncertainty, Communication, Control, and Computing (Allerton), 2013 51st Annual Allerton Conference on. IEEE, pp.1627-1634, 2013.
, Semantic adaptive microaggregation of categorical microdata, Computers & Security, vol.31, pp.653-672, 2012.
, An enhanced data perturbation approach for small data sets, Decision Sciences, vol.36, pp.513-529, 2005.
, Quantifying and measuring anonymity, Data Privacy Management and Autonomous Spontaneous Security, pp.3-13, 2014.
, Clustering and isolation in the consensus problem for partitions, In: Journal of classification, vol.3, pp.281-297, 1986.
, Clustering Based K-anonymity Algorithm for Privacy Preservation, IJ Network Security, vol.19, pp.1062-1071, 2017.
, Analysis of the univariate microaggregation disclosure risk, New generation computing 27.3, pp.197-214, 2009.
, Some results of individual ranking method on the system of enterprise accounts annual survey, Esprit SDC Project, p.1999, 1999.
, A terminology for talking about privacy by data minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management, 2010.
, Benefit-Risk Analysis for Big Data Projects, Future of Privacy Forum, 2014.
, Arx-a comprehensive tool for anonymizing biomedical data, AMIA Annual Symposium Proceedings, vol.2014, p.984, 2014.
, Multiple imputation for statistical disclosure limitation, Journal of official statistics, vol.19, p.1, 2003.
, Tech sector struggles to prepare for new EU data protection laws, Finacial Times, 2017.
, From tcloseness-like privacy to postrandomization via information theory, Knowledge and Data Engineering, vol.22, pp.1623-1636, 2010.
, Privacy Is Precious: On the Attempt to Lift Anonymity on the Internet to Increase Revenue, Journal of Economics & Management Strategy, vol.26, pp.318-336, 2017.
, Practical data-swapping: The first steps, ACM Transactions on Database Systems (TODS) 9, pp.20-37, 1984.
, Releasing multiply imputed, synthetic public use microdata: an illustration and empirical study, Journal of the Royal Statistical Society: Series A (Statistics in Society) 168, vol.1, pp.185-205, 2005.
, Entropy-based privacy against profiling of user mobility, Entropy 17, vol.6, pp.3913-3946, 2015.
, Discussion statistical disclosure limitation, Journal of official Statistics, vol.9, p.461, 1993.
, Recommendation with k-anonymized Ratings, 2017.
, Protecting respondents identities in microdata release, Knowledge and Data Engineering, vol.13, pp.1010-1027, 2001.
, Protecting privacy when disclosing information: k-anonymity and its enforcement through generalization and suppression, 1998.
, Ontology-based semantic similarity: A new featurebased approach, Expert Systems with Applications 39.9, pp.7718-7728, 2012.
, Utility-privacy tradeoffs in databases: An information-theoretic approach, IEEE Transactions on Information Forensics and Security, vol.8, issue.6, pp.838-852, 2013.
, Evaluating Laplace noise addition to satisfy differential privacy for numeric data, In: Trans. Data, pp.1-17, 2011.
, Identification and retrieval of personal records from a statistical data bank, In: Methods Archive, vol.14, pp.7-13, 1975.
, The PII problem: Privacy and a new concept of personally identifiable information, NYUL rev, vol.86, p.1814, 2011.
, Privacy protection for users of location-based services, IEEE Wireless Communications, vol.19, pp.30-39, 2012.
, MASSC: A new data mask for limiting statistical information loss and disclosure, Proceedings of the Joint UN-ECE/EUROSTAT Work Session on Statistical Data Confidentiality, pp.373-394, 2003.
, Privacy Preserving Techniques in Social Networks Data Publishing-A Review, International Journal of Computer Applications, vol.87, p.15, 2014.
, Disclosure control for census microdata, Journal of Official Statistics, vol.10, p.31, 1994.
, Discrimination rate: an attribute-centric metric to measure privacy, Annals of Telecommunications, pp.1-12, 2017.
URL : https://hal.archives-ouvertes.fr/hal-01653440
, The Semantic Discrimination Rate Metric for Privacy Measurements which Questions the Benefit of t-closeness over l-diversity, Proceedings of the 14th International Joint Conference on e-Business and Telecommunications, vol.6, pp.285-294, 2017.
, Discrimination rate: an attributecentric metric to measure privacy, Annals of Telecommunications, 2017.
URL : https://hal.archives-ouvertes.fr/hal-01653440
, Enhancing data utility in differential privacy via microaggregation-based k-anonymity, The VLDB Journal, vol.23, pp.771-794, 2014.
, The challenges of personal data markets and privacy, Electronic Markets 25, vol.2, pp.161-167, 2015.
, Achieving k-anonymity privacy protection using generalization and suppression, International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems 10.05, pp.571-588, 2002.
, Introduction to statistical disclosure control (sdc)". In: Project: Relative to the testing of SDC algorithms and provision of practical SDC, 2013.
, Optimal noise addition for preserving confidentiality in multivariate data, Journal of Statistical Planning and Inference, vol.27, pp.341-353, 1991.
, A modified random perturbation method for database security, ACM Transactions on Database Systems (TODS) 19.1, pp.47-63, 1994.
, Microaggregation for categorical variables: a median based approach, Privacy in statistical databases, pp.518-518, 2004.
, Information Loss: Evaluation and Measures, Data Privacy: Foundations, New Developments and the Big Data Challenge, pp.239-253, 2017.
, Machine and Statistical Learning, pp.23-54, 2017.
, Record linkage methods for multidatabase data mining". In: Information fusion in data mining, pp.101-132, 2003.
, Evaluating fuzzy clustering algorithms for microdata protection, Privacy in Statistical Databases, vol.3050, pp.175-186, 2004.
, Measuring anonymity revisited, Proceedings of the Ninth Nordic Workshop on Secure IT Systems, pp.85-90, 2004.
, Real-time and spatio-temporal crowd-sourced social network data publishing with differential privacy, IEEE Transactions on Dependable and Secure Computing, 2016.
, A classification of location privacy attacks and approaches, Personal and Ubiquitous Computing 18.1, pp.163-175, 2014.
, Elements of statistical disclosure control, vol.155, 2012.
, Elements of statistical disclosure control, vol.155, 2012.
, Re-identification methods for masked microdata, International Workshop on Privacy in Statistical Databases, pp.216-230, 2004.
, Risk, utility and PRAM, Privacy in Statistical Databases, pp.189-204, 2006.
, (?, k)-anonymity: an enhanced k-anonymity model for privacy preserving data publishing, Proceedings of the 12th ACM SIGKDD international conference on Knowledge discovery and data mining, pp.754-759, 2006.
, Anatomy: Simple and effective privacy preservation, Proceedings of the 32nd international conference on Very large data bases. VLDB Endowment, pp.139-150, 2006.
, Utility-based anonymization using local recoding, Proceedings of the 12th ACM SIGKDD international conference on Knowledge discovery and data mining, pp.785-790, 2006.
, Privacy or utility in data collection? A contract theoretic approach, IEEE Journal of Selected Topics in Signal Processing, vol.9, pp.1256-1269, 2015.
, Characterizing user behaviors in location-based find-andflirt services: Anonymity and demographics". In: Peer-to-Peer Networking and Applications 10, vol.2, pp.357-367, 2017.