Privacy engineering through obfuscation

TL;DR

This paper offers a comprehensive framework for analyzing obfuscation techniques in privacy engineering, clarifying evaluation methods and introducing utility concepts to improve privacy-preserving data operations.

Contribution

It provides a unified analysis framework, distinguishes evaluation approaches, and introduces utility concepts to advance understanding of obfuscation in privacy engineering.

Findings

Introduces a general analysis framework for obfuscation methods.

Distinguishes between mechanism-centred and attack-centred evaluation.

Highlights the role of utility in privacy-preserving obfuscation.

Abstract

Obfuscation in privacy engineering denotes a diverse set of data operations aimed at reducing the privacy loss that users incur in by participating in digital systems. Obfuscation's domain of application is vast: privacy-preserving database analysis, location-based privacy, private web search or privacy-friendly recommender systems are but a few examples of the contexts in which privacy engineers have resorted to obfuscation. Yet an understanding of the role that obfuscation, in general, plays in the engineering of privacy has so far proved elusive. Similarly, we lack a cohesive view of the wide array of privacy measures that assist the evaluation of obfuscation technologies. This paper contributes to closing these research gaps. First, we provide a general analysis framework that brings together a multiplicity of obfuscation methods under the same analytical umbrella. Second, we distinguish between mechanism-centred and attack-centred evaluation, making explicit a hierarchy of assumptions behind privacy measures that assists and demystifies obfuscation tools' evaluation. Finally, we examine the role that obfuscation technology plays in privacy engineering by introducing the concepts of personal and public utility and distinguishing between utility-degrading and utility-preserving obfuscation. We observe that public utility requirements require us to resort to utility-degrading obfuscation to arbitrarily reduce privacy loss. Conversely, personal utility requirements do not, in theory, impose such a privacy-utility trade-off, and we illustrate how to perform utility-preserving obfuscation through chaff.