Decision makers of companies often face the dilemma of whether to release data for knowledge discovery, vis-a-vis the risk of disclosing proprietary or sensitive information. Among the various methods employed for “sanitizing” the data prior to disclosure, we focus in this article on anonymization, given its widespread use in practice. We do due diligence to the question “just how safe is the anonymized data?” We consider both those scenarios when the hacker has no information and, more realistically, when the hacker may have partial information about items in the domain. We conduct our analyses in the context of frequent set mining and address the safety question at two different levels: (i) how likely of being cracked (i.e., re-identified by a hacker), are the identities of individual items and (ii) how likely are sets of items cracked? For capturing the prior knowledge of the hacker, we propose a belief function, which amounts to an educated guess of the frequency of each item. For various classes of belief functions which correspond to different degrees of prior knowledge, we derive formulas for computing the expected number of cracks of single items and for itemsets, the probability of cracking the itemsets. While obtaining, exact values for more general situations is computationally hard, we propose a series of heuristics called the O-estimates. They are easy to compute and are shown fairly accurate, justified by empirical results on real benchmark datasets. Based on the O-estimates, we propose a recipe for the decision makers to resolve their dilemma. Our recipe operates at two different levels, depending on whether the data owner wants to reason in terms of single items or sets of items (or both). Finally, we present techniques for ascertaining a hacker's knowledge of correlation in terms of co-occurrence of items likely. This information regarding the hacker's knowledge can be incorporated into our framework of disclosure risk analysis and we present experimental results demonstrating how this knowledge affects the heuristic estimates we have developed.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Nabil R. Adam , John C. Worthmann, Security-control methods for statistical databases: a comparative study, ACM Computing Surveys (CSUR), v.21 n.4, p.515-556, Dec. 1989  [doi>10.1145/76894.76895]
	2	Dakshi Agrawal , Charu C. Aggarwal, On the design and quantification of privacy preserving data mining algorithms, Proceedings of the twentieth ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems, p.247-255, May 2001, Santa Barbara, California, United States  [doi>10.1145/375551.375602]
	3	Rakesh Agrawal , Ramakrishnan Srikant, Privacy-preserving data mining, Proceedings of the 2000 ACM SIGMOD international conference on Management of data, p.439-450, May 15-18, 2000, Dallas, Texas, United States
	4	Rakesh Agrawal , Tomasz Imieliński , Arun Swami, Mining association rules between sets of items in large databases, Proceedings of the 1993 ACM SIGMOD international conference on Management of data, p.207-216, May 25-28, 1993, Washington, D.C., United States
	5	Aggarwal, C. C. and Yu, P. S. 2004. A condensation approach to privacy preserving data mining. In Proceedings of the International Conference on Extending Database Technology (EDBT), 183--199.
	6	Aggarwal, G., Feder, T., Kenthapadi, K., Motwani, R., Panigrahy, R., Thomas, D., and Zhu, A. 2005. Anonymizing tables. In Proceedings of the International Conference on Database Theory (ICDT), 246--258.
	7	Alastair R. Beresford , Frank Stajano, Mix Zones: User Privacy in Location-aware Services, Proceedings of the Second IEEE Annual Conference on Pervasive Computing and Communications Workshops, p.127, March 14-17, 2004
	8	Chris Clifton, Using sample size to limit exposure to data mining, Journal of Computer Security, v.8 n.4, p.281-307, Dec. 2000
	9	Josep Domingo-Ferrer , Vicenç Torra, Validating Distance-Based Record Linkage with Probabilistic Record Linkage, Proceedings of the 5th Catalonian Conference on AI: Topics in Artificial Intelligence, p.207-215, October 24-25, 2002
	10	Josep Domingo-Ferrer , Anna Oganian , Vicenç Torra, Information-Theoretic Disclosure Risk Measures in Statistical Disclosure Control of Tabular Data, Proceedings of the 14th International Conference on Scientific and Statistical Database Management, p.227-231, July 24-26, 2002  [doi>10.1109/SSDM.2002.1029724]
	11	Alexandre Evfimievski , Ramakrishnan Srikant , Rakesh Agarwal , Johannes Gehrke, Privacy preserving mining of association rules, Information Systems, v.29 n.4, p.343-364, June 2004  [doi>10.1016/j.is.2003.09.001]
	12	Stephen E. Fienberg , Aleksandra B. Slavkovic, Preserving the Confidentiality of Categorical Statistical Data Bases When Releasing Information for Association Rules*, Data Mining and Knowledge Discovery, v.11 n.2, p.155-180, September 2005  [doi>10.1007/s10618-005-0010-x]
	13	Fienberg, S. E., Makov, U. E., and Steele, R. J. 1998. Disclosure limitation using perturbation and related methods for categorical data. J. Office Statist. 14, 385--397.
	14	FIMI. 2003. The FIMI repository. http://fimi.cs.helsinki.fi/fimi03/http://fimi.cs.helsinki.fi/fimi03/.
	15	Johannes Gehrke, Models and methods for privacy-preserving data publishing and analysis: invited tutorial, Proceedings of the twenty-fourth ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems, June 13-15, 2005, Baltimore, Maryland  [doi>10.1145/1065167.1065207]
	16	Hettich, S. and Bay, S. D. 1999. The UCI KDD archive. University of California, Irvine, CA. http://kdd.ics.uci.edu.
	17	Vijay S. Iyengar, Transforming data to satisfy privacy constraints, Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining, July 23-26, 2002, Edmonton, Alberta, Canada  [doi>10.1145/775047.775089]
	18	Jerrum, M. and Vazirani, U. 1996. A mildly exponential approximation algorithm for the permanent. Algorithmica 16, 4-5, 392--401.
	19	Mark Jerrum , Alistair Sinclair , Eric Vigoda, A polynomial-time approximation algorithm for the permanent of a matrix with non-negative entries, Proceedings of the thirty-third annual ACM symposium on Theory of computing, p.712-721, July 2001, Hersonissos, Greece  [doi>10.1145/380752.380877]
	20	Murat Kantarcioglu , Chris Clifton, Privacy-Preserving Distributed Mining of Association Rules on Horizontally Partitioned Data, IEEE Transactions on Knowledge and Data Engineering, v.16 n.9, p.1026-1037, September 2004  [doi>10.1109/TKDE.2004.45]
	21	Alan G. Konheim, Cryptography, a Primer, John Wiley & Sons, Inc., New York, NY, 1981
	22	Laks V. S. Lakshmanan , Raymond T. Ng , Ganesh Ramesh, To do or not to do: the dilemma of disclosing anonymized data, Proceedings of the 2005 ACM SIGMOD international conference on Management of data, June 14-16, 2005, Baltimore, Maryland  [doi>10.1145/1066157.1066165]
	23	Adam Meyerson , Ryan Williams, On the complexity of optimal K-anonymity, Proceedings of the twenty-third ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems, June 14-16, 2004, Paris, France  [doi>10.1145/1055558.1055591]
	24	Moore, R. A. 1996. Controlled data-swapping techniques for masking public use micro-data sets. In Statistical Research Division Report Series, RR 96-04, U.S. Bureau of the Census, Washington, DC.
	25	Krishnamurty Muralidhar , Rathindra Sarathy, Security of random data perturbation methods, ACM Transactions on Database Systems (TODS), v.24 n.4, p.487-493, Dec. 1999  [doi>10.1145/331983.331986]
	26	Raymond T. Ng , Laks V. S. Lakshmanan , Jiawei Han , Alex Pang, Exploratory mining and pruning optimizations of constrained associations rules, Proceedings of the 1998 ACM SIGMOD international conference on Management of data, p.13-24, June 01-04, 1998, Seattle, Washington, United States
	27	Ramesh, G. 2005. Can attackers learn from samples? In Proceedings of the Very Large Databases (VLDB) Workshop on Secure Data Management (SDM), 104--123.
	28	Rasmussen, L. E. 1994. Approximating the permanent: A simple approach. Random Structures Algor. 5, 2, 349--361.
	29	Samarati, P. and Sweeny, L. 1998. Protecting privacy when disclosing information: k-Anonymity and its enforcement through generalization and suppression. In the IEEE Symposium on Research in Security and Privacy.
	30	Latanya Sweeney, k-anonymity: a model for protecting privacy, International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, v.10 n.5, p.557-570, October 2002  [doi>10.1142/S0218488502001648]
	31	Valiant, L. G. 1979. The complexity of computing the permanent. Theoret. Comput. Sci. 8, 189--201.
	32	Vassilios S. Verykios , Ahmed K. Elmagarmid , Elisa Bertino , Yucel Saygin , Elena Dasseni, Association Rule Hiding, IEEE Transactions on Knowledge and Data Engineering, v.16 n.4, p.434-447, April 2004  [doi>10.1109/TKDE.2004.1269668]
	33	Winkler, W. E. 1999. The state of record linkage and current research problems. Res. Rep., U.S. Census Bureau.
	34	Winkler, W. E. 1994. Advanced methods for record linkage. Res. Rep., U.S. Census Bureau.
	35	Winkler, W. E. 1993. Matching and record linkage. Res. Rep., U.S. Census Bureau.
	36	Xiaochun Yang , Chen Li, Secure XML publishing without information leakage in the presence of data inference, Proceedings of the Thirtieth international conference on Very large data bases, p.96-107, August 31-September 03, 2004, Toronto, Canada