Inference-Aware & Privacy-Preserving Deletion in Databases

TL;DR

This paper emphasizes the importance of inference-aware, privacy-preserving deletion in databases, addressing leakage from data state and deletion patterns to ensure meaningful privacy guarantees.

Contribution

It introduces an inference-centric framework for understanding deletion, distinguishing types of deletion, and outlining design challenges for privacy-preserving mechanisms.

Findings

Identifies leakage channels from post-deletion data and deletion patterns.

Organizes the design space of deletion operations.

Highlights open research challenges for privacy guarantees.

Abstract

Deletion is a fundamental database operation, yet modern systems often fail to provide the privacy guarantee that users expect from it. A deleted value may disappear from query results and even from physical storage, yet remain inferable from dependencies, derived data, or traces exposed by the deletion event itself. Meaningful deletion, therefore, requires more than logical removal or physical erasure; it requires a privacy guarantee that limits what remains inferable after deletion. In this paper, we take an inference-centric view of deletion, focusing on two leakage channels: leakage from the post-deletion state and leakage from the deletion pattern itself. We use this lens to distinguish logical, physical, and semantic deletion, organize the design space of deletion operations, and highlight open research challenges for building deletion mechanisms with meaningful privacy guarantees in database systems.