Anatomy: Privacy and Correlation Preserving Publication

This article presents the anatomy technique for anonymized publication of sensitive data. Anatomy releases all the quasi-identifier and sensitive values directly in two separate tables. Combined with a grouping mechanism, this approach effectively protects privacy, and captures a large amount of correlation in the microdata. We propose an efficient algorithm for computing anatomized tables that fulfill the l-diversity anonymity requirement, and minimize the error of reconstructing the microdata, according to any Lp norm, the KL-divergence, and the discernability metrics. The algorithm is accompanied by optional heuristics that continuously enhance the data utility of anatomy, until a user-specified time limit has been reached. We also provide detailed explanations about how to leverage anatomized tables to understand the characteristics of the microdata. Extensive experiments confirm that anatomy allows significantly more accurate data analysis than conventional anonymization methods based on generalization and data swapping. The short version of this article appeared in VLDB 06. The current submission improves our preliminary work by (i) including a thorough discussion of the previous methods, (ii) extending the analysis of anatomy to several other metrics of information loss (i.e., generic Lp norm, KL-divergence, and discernability), (iii) elaborating how to deploy the anonymized data for statistical studies, (iv) presenting a new algorithm for computing anatomized tables, and (v) featuring a more comprehensive experimental evaluation.