Privacy and Anonymity in Graph Data

Anonymization of datasets is an important problem in many different scenarios: the census bureau publishes anonymized information, hospitals want to make anonymized patient records available to health researchers, or network service provides might want to publish network traces. Anonymization techniques have have been investigated widely in the past few years [Sweeney, 2002; Machanavajjhala et al., 2006], but the focus of this work has been on the anonymization of one single table, where there is a 1:1 correspondence between tuples and real-world individuals, and tuples can be treated independently. We consider datasets that cannot be modelled adequately within the single table framework. As soon as the database contains information about the interaction of real-world entities, tuples in the database are no longer independent, and convential anonymization techniques fail for several reasons. This is in fact the case for many interesting datasets: email communication traces, social networks and data sharing in the intelligence community are only a few examples. There are two fundamentally different approaches to prevent the publication of private information about individuals. If the database is stored on a central server, and all authorized parties access the data through this server, then we can add noise to query answers and thus prevent an adversary from learning too much information about individuals. This approach does not work well when the information should be made available to the general public, or the data owner does not want to maintain the necessary infrastructure. Furthermore, collusion of parties and the time-evolution of the database is not solved satisfactorily in this setting. A second and more general approach is to anonymize the database once and then publish the anonymized version. Because here we do not know anything about the specific queries that are run on the published database, we have to give privacy guarantees with respect to all possible queries. In this report, we investigate the problems associated with the second approach in a graph data context. In the section 2, we introduce the Enron email dataset as an example that is used throughout the rest of this report. A formal framework for anonymization and disclosure analysis is