The Role of Quasi-identifiers in k-Anonymity Revisited

The concept of k-anonymity, used in the recent literature (e.g., [10, 11, 7, 5, 1]) to formally evaluate the privacy preservation of published tables, was introduced in the seminal papers of Samarati and Sweeney [10, 11] based on the notion of quasi-identifiers (or QI for short). The process of obtaining k-anonymity for a given private table is first to recognize the QIs in the table, and then to anonymize the QI values, the latter being called k-anonymization. While k-anonymization is usually rigorously validated by the authors, the definition of QI remains mostly informal, and different authors seem to have different interpretations of the concept of QI. The purpose of this short note is to provide a formal underpinning of QI and examine the correctness and incorrectness of various interpretations of QI in our formal framework. We observe that in cases where the concept has been used correctly, its application has been conservative; this note provides a formal understanding of the conservative nature in such cases. The notion of QI was perhaps first introduced by Dalenius in [3] to denote a set of attribute values in census records that may be used to re-identify a single or a group of individuals. To Dalenius, the case of multiple individuals being identified is potentially dangerous because of collusion. In [10, 11], the notion of QI is extended to a set of attributes whose (combined) values may be used to re-identify the individuals of the released information by using “external” sources. Hence, the appearance of QI attribute values in a published database