Non-reversible privacy transformations

Abstract

This paper discusses techniques for maintaining security in statistical databases. Statistical databases are those from which aggregate information about subsets of the database is to be obtained, as opposed to information concerning individual entities. The problem of security in such databases is one of maintaining individual privacy. Many statistical databases are designed to answer queries concerning groups of individuals. For the system to be totally secure, it must be able to insure that any individual’s information is protected. That is, even if the system is designed to return only group statistics and never individual records, it must be difficult to obtain any individual entry of the database. The degree of difficulty in doing this is a measure of the security of the system. It has been shown that in many statistical database sytems, with enough a priori information it is possible to obtain restricted information concerning an individual (see Schwartz[ 19761, Denning[ 19771, Hoffman[ 19771).