CVPL: A Geometric Framework for Post-Hoc Linkage Risk Assessment in Protected Tabular Data

TL;DR

CVPL introduces a geometric framework for post-hoc linkage risk assessment in protected tabular data, providing continuous risk estimates and diagnostics to better understand privacy vulnerabilities beyond traditional metrics.

Contribution

The paper presents CVPL, a novel geometric framework that quantifies linkage risk post-hoc, unifies classical linkage models, and offers interpretable diagnostics for privacy assessment.

Findings

Formal k-anonymity may not prevent linkability due to behavioral patterns.

CVPL's risk estimates align with classical models under certain assumptions.

Empirical validation shows substantial linkability even with formal privacy guarantees.

Abstract

Formal privacy metrics provide compliance-oriented guarantees but often fail to quantify actual linkability in released datasets. We introduce CVPL (Cluster-Vector-Projection Linkage), a geometric framework for post-hoc assessment of linkage risk between original and protected tabular data. CVPL represents linkage analysis as an operator pipeline comprising blocking, vectorization, latent projection, and similarity evaluation, yielding continuous, scenario-dependent risk estimates rather than binary compliance verdicts. We formally define CVPL under an explicit threat model and introduce threshold-aware risk surfaces, R(lambda, tau), that capture the joint effects of protection strength and attacker strictness. We establish a progressive blocking strategy with monotonicity guarantees, enabling anytime risk estimation with valid lower bounds. We demonstrate that the classical Fellegi-Sunter linkage emerges as a special case of CVPL under restrictive assumptions, and that violations of these assumptions can lead to systematic over-linking bias. Empirical validation on 10,000 records across 19 protection configurations demonstrates that formal k-anonymity compliance may coexist with substantial empirical linkability, with a significant portion arising from non-quasi-identifier behavioral patterns. CVPL provides interpretable diagnostics identifying which features drive linkage feasibility, supporting privacy impact assessment, protection mechanism comparison, and utility-risk trade-off analysis.