k-anonymization techniques are a key component of any comprehensive solution to data privacy and have been the focus of intense research in the last few years. An important requirement for such techniques is to ensure anonymization of data while at the same time minimizing the information loss resulting from data modifications such as generalization and suppression. Current solutions, however, suffer from one or more of the following limitations: reliance on pre-defined generalization hierarchies; generation of anonymized data with high information loss and with high classification errors; and the inference channel arising from lack of diversity in the sensitive information. In this paper we propose an approach that addresses these limitations. Our approach uses the idea of clustering to minimize information loss and thus ensure good data quality. The key observation here is that data records that are naturally close with respect to each other should be part of the same equivalence class. Current clustering techniques, however, are not directly applicable in this context because they do not consider the requirement that each cluster should contain at least k records. We thus formulate a specific clustering problem, referred to as k-member clustering problem. We prove that this problem is NP-hard and present a greedy algorithm, the complexity of which is in O(n^2). As part of our approach we develop a suitable metric to estimate the information loss introduced by generalizations, which works for both numeric and categorical data. We also present extensions to our proposed algorithm that minimize classification errors in the anonymized data and eliminate the inference channel arising from lack of diversity in the sensitive attributes.

Hierarchies arise in the context of access control whenever the user population can be modeled as a set of partially ordered classes (represented as a directed graph). A user with access privileges for a class obtains access to objects stored at that class and all descendant classes in the hierarchy. The problem of key management for such hierarchies then consists in assigning a key to each class in the hierarchy so that keys for descendant classes can be obtained via an efficient key derivation process.

We propose a solution to this problem with the following properties: (i) the space complexity of the public information is the same as that of storing the hierarchy; (ii) the private information at a class consists of a single key associated with that class; (iii) updates (i.e., revocations and additions) are handled locally in the hierarchy; (iv) the scheme is provably secure against collusion; and (v) each node can derive the key of any of its descendant with a number of symmetric-key operations bounded by the length of the path between the nodes. Whereas many previous schemes had some of these properties, ours is the first that satisfies all of them. The security of our scheme is based on pseudo-random functions, without reliance on the Random Oracle Model.

Another substantial contribution of this work is that for trees, we achieve a worst- and average-case key-derivation time that is exponentially better than the depth of a balanced hierarchy (double-exponentially better if the hierarchy is unbalanced, i.e., “tall and skinny”). This is obtained at the cost of only a constant factor in the space to store the hierarchy. We also show how to extend our techniques to more general hierarchies.

Finally, by making simple modifications to our scheme, we show how to handle extensions proposed by Crampton [2003] of the standard hierarchies to “limited depth” and reverse inheritance.

This study reports on the findings of a Task Force established by the Association for Computer Machinery (ACM) to look at the issues surrounding the migration of jobs worldwide within the computing and information technolog field and industry.