Umeå University's logo

A privacy model is a privacy condition, dependent on a parameter, that guarantees an upper bound on the risk of reidentification disclosure and maybe also on the risk of attribute disclosure by an adversary. A privacy model is composable if the privacy guarantees of the model are preserved, possibly to a limited extent, after repeated independent application of the privacy model. From the opposite perspective, a privacy model is not composable if multiple independent data releases, each of them satisfying the requirements of the privacy model, may result in a privacy breach. Current privacy models are broadly classified into syntactic ones (such as k-anonymity and l-diversity) and semantic ones, which essentially refer to E-differential privacy (e-DP) and variations thereof. While e-DP and its variants offer strong composability properties, syntactic notions are not composable unless data releases are conducted by a single, centralized data holder that uses specialized notions such as m-invariance and τ -safety. In this work, we propose m-uncoordinated-syntactic-privacy (m-USP), the first syntactic notion with composability properties for the independent publication of nondisjoint data, in other words, without a centralized data holder. Theoretical results are formally proven, and experimental results demonstrate that the risk to individuals does not increase significantly, in contrast to non-composable methods, that are susceptible to attribute disclosure. In most cases, the utility degradation caused by the extra protection is less than 5% and decreases as the value of m increases.