A. Background About the Relational/Tabular Data

The original user’s data $D$ is considered as a private table which consists of multiple records (i.e., tuples). Each record/tuple contains four types of attributes, and every record has a unique id as shown in Figure 1(a). The detailed overview of user’s attributes along with examples and their treatment in an anonymization process is illustrated in Figure 2. Based on the types of user’s attributes listed

FIGURE 2.

Description about the types of user’s attributes and their handling in an anonymization process.

Show All

in Figure 2, there exists three classes of privacy threats that can occur during published data analysis [47], which are explained below:

• Identity disclosure (i.e., unique identification): It is a well-known privacy threat in the PPDP. It occurs when an adversary can correctly associate an individual in a privacy preserved published dataset. Generally, an attacker use the information gathered from external sources (i.e., voter registration list, online repositories, and factual information) to identify an individual uniquely.

• Attribute disclosure (i.e., private information disclosure): This type of privacy threat occurs when an individual is linked with the information about his/her SA. For example, the information can be the person’s value for the SA (i.e., crime in Figure 1(a), or salary in Figure 1(b)). This type of threat can be easily launched in imbalanced datasets (i.e., the datasets lacking heterogeneity in SA’s values.).

• Membership disclosure (i.e., presence/absence disclosure): This threat occurs when an adversary can deduce that an individual’s record is present/absent in the published dataset with a very high probability. Researchers have reported many interesting scenarios in which the protection from the membership disclosure is imperative [48], [49].

• Generalization: This operation transforms the original QI’s values into less-specific but semantically-consistent values during anonymization process. For example, the value 25 of a QI age can be generalized with an interval [25 – 30] or < 30. This operation relies on the taxonomy of each QI. The existing generalization schemes can be classified to five types such as sub-tree generalization, full domain generalization, unrestricted sub-tree generalization, cell generalization, and multidimensional generalization.

• Suppression: This operation hides an original value of a QI with a special value (i.e., ’*’). For example, to anonymize the value 25 of a QI age using suppression operation, 5 can be replaced with an asterisk, resulting 2* as the suppressed value of QI. Record, value, and cell suppression are the three most widely used suppression variants in the tabular data anonymization.

• Permutation: In this operation, the records are partitioned into several groups, and values of the SA are shuffled within each group. Hence, the SA and QIs relationships are de-associated within each group. This operation may yield inaccurate analysis in terms of anonymous data utility, but user’s privacy is significantly preserved.

• Perturbation: In this operation, the original data values are replaced with some synthetically generated values. Moreover, the synthetic values are generated in a way that statistical information do not differ much in both datasets (i.e., real and synthetically generated datasets).

• Anatomization: This operation does not apply any modifications on the original data values and instead QIs and SA are separated into two tables. By doing so, the association between QIs and SA is broken, and data is released as QIs and SA tables separately. In some cases, the SA table contains the SA’s values and their frequency in the anonymized dataset for privacy preservation effectively.

Furthermore, in some cases, more than one operation are jointly used to anonymize users data set. Data publication can be done either one or multiple times depending upon the requirements and information consumer’s needs. Typical data publication scenarios include one and multiple time publication of the micro data. In the former scenario, the data is published once, and no re-publication is made even after the changes in the original data. In contrast, in the multiple releases, the anonymous data is re-published even after a single operation (insert, update, delete) that changes the original data. Both scenarios have their own advantages and disadvantages for data owners and information consumers, respectively. After DIs and NSA removal from $D$ as a standard PPDP practice, the $D$ contains only two types of user attributes, QIs and SA, represented as $D\{Q,S\}$ . We can use set $Q = \{q_{1}, q_{2}, {\dots }, q_{p}\}$ to denote the QIs, where $q_{p}$ is one type of QI such as gender or zip code. Set $S$ represents the SA which can be of single type (i.e., disease) or multiple types (i.e., disease and salary) depending upon the scenario. The multiple SA scenario is getting significant attention from the research community in recent years [51]. Plenty of solutions have been proposed for the relational data anonymization considering the available data, SA scenarios (single, multiple), and the PPDP settings. We explain most famous anonymization solutions and their variants proposed for the tabular data anonymization in Section IV.

B. Background About the Social Networks/Graphs Data

The SN user’s data can be modeled with a graph $G$ , represented as $G(V, E, A)$ . It consists of user set $V$ , social connections (i.e., friendship links) set $E$ , where $E \subseteq V \times V$ , and the set $A$ of users’ attributes. Set $A$ , where $A =\{Q,S\}$ contains QIs and SA of the SN users, respectively. The overview of $G$ along with the relevant details is depicted in Figure 1(b). In literature, $V$ , $E$ , and $A$ are also referred as nodes, edges, and labels (i.e., user profile), respectively. The SN data is extremely useful for many analytical purposes, the operational utility of the SN data can be classified into three levels $(l_{1}, l_{2}, l_{3})$ , as outlined earlier [52].

• $l_{1}$ : Exposure of the graph structure only: In this exposure level, the data owners (e.g., SN service providers) only publish the graph structure (i.e., all profiles/labels information is removed prior to data publication). Thus, the data-miners/analysts can analyze only the graph structure without any concrete information about the user’s profiles.

• $l_{2}$ : Exposure of the nodes’ profiles: In this exposure level, the data owner publishes the profiles of nodes/users but hides the graph structure. For instance, the node’s data is stored in a table/matrix, and released for the analytics and data mining purposes.

• $l_{3}$ : Exposure of both graph structure and profiles of nodes (e.g., users): In this exposure level, the data owner exposes both the graph structure and the nodes’ profiles after applying some modifications to the $G$ ’s structure and users’ profiles. This level offers much higher utility to the legitimate information consumers compared to the previous two levels.

Although SN data publishing is invaluable for accomplishing multiple research and business objectives, the SN data publishing can confront with the privacy threats of several types. Four well-known privacy threats that can happen after $G'$ publishing are summarized below.

• Identity disclosure (i.e., node re-identification): It occurs when an adversary can accurately associate/identify an individual from a privacy preserved published graph. For example, Tim ($5th$ node) identification by an adversary from the anonymous version (i.e., removing all nodes labels.) of a $G$ given in Figure 1(b) is an example of identity disclosure (i.e., node re-identification).

• Edge disclosure (i.e., relationship/connection disclosure): It reveals the relationship between users. For example, a patient-doctor relationship can be highly sensitive, and it must be protected. If a doctor is known to be an expert in cancer treatment, the relationship disclosure can occur with inference that patient might be infected with a cancer.

• Content disclosure (i.e., vertex/edge labels disclosure): It occurs when a sensitive label associated with an edge or vertex is revealed from a $G'$ , and this reveled label can be directly associated with a specific individual in an original graph (i.e., $G$ ).

• Affiliation link disclosure (i.e., whether a person $v \in / \notin $ to a particular affiliation group $h$ ): It occurs when a link between a user $v$ and an affiliation group $h$ is revealed with confidence $\geq t$ , and this revealed link can be directly associated with a $v$ . The $h$ can be prosecuted political group or a group centered around an unconventional user’s preference (i.e., sexual/drugs preferences).

• Graph modification: This operation changes the original graph’s structure by adding/deleting edges or vertices. The criteria about the graph’s elements addition/deletion depends on the objectives of data publishing, and privacy protection level data owners want. Typical graph modifications techniques are of two types-constrained and non-constrained graph modifications.

• Graph generalization: This operation does not modify the graph structure, instead, it cluster the nodes and edges into super nodes and edges. This operation works in iterations, and in each iteration the connections between the super nodes and edges are established.

• Graph computation (i.e., privacy-aware computation of graphs): This operation computes the output data in response to the data miner queries. The $G$ is not released with the data miners, instead, the graph properties (degree, centralities, size, and other useful information) are computed and released.

• Hybrid operation/approach: This operation employs combination of two or more anonymization operations simultaneously. For example, the graph generalization and modifications can be jointly used to anonymize $G$ to produce $G'$ .

Privacy in SN data publishing has become an active area of research in recent years. Pham et. al [54] explained that SN users privacy can be breached through three different ways such as user’s activities on the SNs sites, stored users data in the SNs service providers’ servers/databases, and privacy preserved SN published data. All three privacy areas in SN are visually presented in Figure 3 (a). The privacy in the first two areas can be preserved through guidelines, encryption and watermarking techniques. Meanwhile, the privacy in the third area can be guaranteed only by devising/implementing new anonymization mechanisms. This article covers recent concepts, methods, and solutions concerning the third area of privacy in the SNs (i.e., privacy preserved graph publishing).

FIGURE 3.

Overview of three privacy areas (adopted from [54]), and types of users data collected and processed in SNs.

Show All

The user data available on the SN sites is comprised of three types of information [55]. The taxonomy of the users data present on the SNs is depicted in Figure 3(b). The first type of data is related to user identity including the demographics and derived data (i.e., age). The second type of information is related to user’s socialism (i.e., friends, friends-of-friends, activities, and online communities joined by the users etc.). The third type is related to the contents users create on the SNs sites. It has three types: disclosed, entrusted, and incidental data. Disclosed data is readily made available by the SNs users. Entrusted data includes the data posted by a user on another user’s profile (i.e., comments). The last type of data is the information collected/posted by other users on someone’s profile/wall. All these data sources are invaluable for detailed analytics and appropriate information collection/analysis.

Aside from the fact that all necessary and private information needs protection from the malevolent adversaries, some de-anonymization attacks can be launched on the SNs published data to infer someone’s real identity/private-information. The revelation of such information can result in unknown user profiling, thus targeting unsuspecting users with far-reaching implications including targeted marketing, obtaining travel visas based on race or political viewpoints, deportation, or identity theft. Therefore, mining and sharing SNs data must not invade user’s privacy. To safeguard user’s privacy in SN data publishing, many privacy preserving graph publishing (PPGP) methods have been proposed. We describe most recent anonymization solutions proposed for the PPGP in Section V.

A. Phase 1: Data Collection from the Individuals

In the first phase of PPDP, relevant data from the individuals/users is collected. Due to significant technological development in recent years, the amount of data generated by sensor networks, SNs sites, healthcare applications, internet, online banking, SN integrated third party applications, and many other offline/online companies is drastically increasing. This data is collected from individuals directly or via smart devices (i.e., cell phones, laptops, and notepads etc.). For instance, if a patient visits a hospital for diagnosis, his/her personal information is collected for the better treatment. Later, the patient’s personal information combined with the disease information is saved in the hospital database for the secondary use [58]. Similarly, the account opening process in a bank is subject to the collection of basic as well as sensitive information about the customers. Aside from visiting an organization (i.e., hospital or bank), in some cases, the service providers collect relevant data from their users via questionnaires and interviews.

Recently, due to the significant development in ICTs, majority of service providers have launched their own websites for the data collection from their respective users/customers. Furthermore, in an account creation process on the SNs sites, the service providers collect and store the basic information about each user. In addition, many SNs sites collect the valuable data about users without their consent. For example, they can collect the device information, service consumption temporal information, location information, and many other useful information. Recently, with the inventions of advanced tools and technologies, many infrastructures collect and process graphs data. The nine well-known graph based data collection sources are: (i) social networks, (ii) communication data, (iii) mobility traces, (iv) healthcare and epidemiological data, (v) citation networks, (vi) collaboration network, (vii) web graphs, (viii) autonomous system graphs, and (ix) computer networks. SN data is mostly represented as a $G$ along with the entities (i.e., users) information for modeling/analysis purposes.

B. Phase 2: Collected Data Storage, Understanding and Preparation for the Anonymization

Once the relevant users’ data is collected, the next phase is collected data storage, understanding, and preparation for further operations (i.e., anonymization). Companies are using large scale databases for storing the collected users’ data/information. The well-known SN, Facebook uses MySQL database to store/manage many petabytes of data about user’s social activities such as shares, comments, and likes. Data understanding involves the analysis of the data types, different data representations, and $(key, value)$ -pair understanding. Generally, the collected data about users can contain incorrect values, outliers, missing values for some attributes, and incomplete records. Therefore, it needs preparation before the data anonymization process. The data preparation includes: removal of the outliers present in the data which are not appropriate for the analysis and can yield inaccurate results/analysis. Furthermore, it eliminates those records with unknown (i.e., missing) values from the user’s data. In some cases, the data processing model/algorithm needs user’s information in a specified format. Therefore, the appropriate formatting of the collected data, and enrichment if required for the subsequent steps is performed in the data preparation phase. With the help of data preparation/pre-processing, cleaned data can be obtained which contains complete information about each user, and it can be directly fed into the anonymization algorithm for anonymization.

C. Phase 3: Data Anonymization

Data anonymization is a practical and most widely used solution for protecting user’s privacy in data publishing. In tabular data, data anonymization sanitizes the QI’s original values to make information less specific for privacy protection and utility enhancements. In contrast, if users’ data is given in a $G$ form, anonymization changes the graph structure to protect privacy of users and their associated SA without significantly decreasing anonymous graph’s utility. In addition, anonymization can be tailored with the data owner’s privacy requirements, legitimate information consumer’s utility needs, and objectives of the data publishing. The typical anonymization process includes following four main steps. All four steps are complementary, and can be employed to produce the anonymous table $T'$ from an original table $T$ or anonymous graphs $G'$ from an original graph $G$ .

D. Anonymous Data Releasing/Publishing

The output of the anonymization process is the anonymous $G'$ or $T'$ depending upon the representation/style of original user’s data. This anonymous $G'$ or $T'$ is set to be made publicly available for the analytics. The recipients of the anonymous data can be analysts, researchers, data-miners, analytics firms, and third party applications. Before making the anonymous data publicly available, the data owners perform several checks to verify the user’s privacy protection and anonymous data utility levels, respectively. After the detailed checks, the decision about the data release is made by the data owners. In some cases, the data owners do not publish full anonymous data, instead, some parts of the anonymous data are published first. Later, the complete anonymous table or graph is published. In addition, the anonymous data can be shared only with the relevant institutes via emails or posts. However, the anonymous data is generally published over the Internet so that a large number of people can access the published data for the multi-facet analytics. Furthermore, the medium of data sharing and amount of data vary with the setting (i.e., interactive and non-interactive) of the PPDP. After releasing the data, the data owner has no control over the published data use and distributions. Meanwhile, it is assumed that published data will be used only for the intended purposes, and any problem will be explicitly reported to the data owners. In some cases, the data owners and data publishers can be two different parties. Data publishers release the anonymous data via their own mediums under the publishing agreements with the actual data owners/holders.

E. Phase 5: Published Data Analysis for Extracting Embedded Knowledge

Once anonymous data has been published, the intended recipients collect it for the analysis. In case of the hospitals data, medical students collect the data for their research. They can perform several kinds of test such as factors causing certain disease, common disease in a certain age-groups people, and symptoms of a particular disease. In addition, the banks data containing information about the loan return rating is valuable for the insurance companies. The SN data is suitable for the digital service providers and marketing firms. Recently, many companies are mining the SN data at large scale for fulfilling their scientific and business objectives. In addition, many third party applications are buying SN user’s data for fulfilling their intended objectives. The published data is not only for understanding the causes of some problems, but it can help in devising new rules and patterns that can be useful for marketing purposes. With the help of data mining algorithms, one can analyze the published data for actionable insights. Furthermore, users clustering and analysis is beneficial for recommendations, preferences mining, target marketing, information diffusion, information control, and information trustworthiness. Hence, data sharing has become a routine matter for some companies/organization due to the significant advantages in terms of improved decision making, policy enhancements, trends analysis, forecasting, predictions, and innovation.

Unfortunately, data publishing can jeopardize user’s privacy as adversaries can get copy of published data with aim to re-identify people uniquely by leveraging the large amount of auxiliary information obtained from external sources. These information can be gathered from many sources including users’ profiles from the SN sites, voter registration list, and mobility traces etc. Generally, the adversaries possess strong programming skills and tools knowledge. Therefore, with the help of auxiliary information, tools understanding, advanced programming skills, and understanding of anonymization methods enable adversaries to breach user’s privacy. Due to the advancements in ICTs, the scale and scope of the data breaches is expanding. In recent years, the adversaries are focusing for the users groups information theft for fulfillment of the intended objectives. The group identity theft can lead to the negative perceptions about certain ethnic group, discrimination based on the race/religion, and loan declining to group of people whose previous loan return rating was not satisfactory. Aside from the negative consequences of privacy breaches on the people’s life, data owners also lose their users’ trust in such circumstance. Therefore, users expect that data owners protect their sensitive information’s privacy during data release with the data-miners. Hence, the academicians and researcher are suggesting/devising new anonymization mechanisms to deal with this uprising social problem (i.e., user’s privacy protection without significantly impacting data utility/quality).

A. $k$ -Anonymity Privacy Model

The $k$ -anonymity [12] privacy model is a well-known syntatic privacy model, and it has been extensively used in the tabular data anonymization. Due to the conceptual simplicity, this privacy model has attracted significant attention from the research community, and many variants of this model have been proposed by the researchers for data anonymity. The $k$ -anonymity model [12] protects user’s privacy by placing at least $k$ users in an equivalence class (EC) with same QI’s values. Hence, the probability of re-identifying someone from $T'$ becomes ${1}/{k}$ . A table $T'$ satisfies $k$ -anonymity if for every tuple/record $t$ of $T'$ there exist at least $(k-1)$ other tuples with the same QIs in an EC. The value of $k$ is chosen by the data owners depending upon table size and privacy protection level. The $k$ -anonymity privacy model overview is shown in Figure 5. Primarily, the $k$ -anonymity privacy model was devised for the protection of identity disclosure. Meanwhile, the $k$ -anonymity privacy model is insufficient to protect the sensitive information disclosure as shown in ECs, $C_{2}$ and $C_{3}$ in Figure 5(b). The SA’s disclosure in these two ECs based on auxiliary information is 100%. Therefore, an advanced privacy model, named $\ell $ -diversity was proposed to solve the shortcomings of the $k$ -anonymity privacy model. The utility of the anonymous table $T'$ produced by the $k$ -anonymity model is relatively higher.

FIGURE 5.

2-anonymity applied to the user’s relational data with six records.

Show All

B. $\ell $ -Diversity Privacy Model

The $\ell $ -diversity privacy model [59] was proposed to solve the $k$ -anonymity model’s limitations. According to this model, an EC satisfies $\ell $ -diversity property if there are at least $\ell $ ”well-represented” values for the SA. A table $T'$ is said to have $\ell $ -diversity, if every EC of the $T'$ is $\ell $ -diverse. The $\ell $ -diversity privacy model overview is shown in Figure 6.

FIGURE 6.

2-diversity applied to the user’s relational data with four records.

Show All

The table in Figure 6(b) is an example of 2-diverse partition of the table shown in Figure 6(a). Although, $\ell $ -diversity privacy model provides superior privacy protection compared to the $k$ -anonymity model by considering the diversity in SA’s values, but it does not consider the distribution of the SA’s values. Hence, it is prone to the privacy breaches in ECs in which one particular SA value is dominate over others (i.e., $C_{1}$ ). For example, an EC $C_{i}$ with ten users can satisfy 2-diversity property with SA’s values ratio of $1: 9$ . Although, $C_{i}$ is 2-diverse, but the SA values of someone’s can be learned with 90% accuracy. The similar case is presented in Figure 6(b), where the SA’s value, ’conservative’ disclosure is 75% with accurate mapping of someone based on the QI’s values. However, many variants of $\ell $ -diversity model have been proposed to solve these limitations. In addition, $\ell $ -diversity cannot be applied to the highly imbalanced (i.e., the data sets in which SA’s values distributions is not uniform.) databases. In addition, $\ell $ -diversity privacy model degrades anonymous data utility significantly by not considering QIs distributions and similarities during anonymization.

TABLE 1 Detailed Comparisons of the Different PPDP Solutions Used for Relational Data Anonymization

C. $t$ -Closeness Privacy Model

The $t$ -closeness privacy model [60] is a syntactic privacy approach used for the tabular data anonymization. It was proposed to solve the limitations of both $k$ -anonymity and $\ell $ -diversity models in terms of privacy protection. A table $T$ satisfies $t$ -closeness if its records/tuples are split into ECs such that the distribution of SA in the whole $T$ and the ECs of a $t$ -close table $T'$ are within $t$ distance units of each other. The $t$ -closeness privacy model suggests that the SA’s values distribution in any EC of $T'$ differs from the overall SA’s values distribution in $T$ by at most threshold $t$ . The value of $t$ can be determined by considering the protection level of the sensitive information and objectives of data publishing. The table shown in Figure 7(b) (adapted from [61]) is 0.278-close w.r.t disease SA. The table shown in Figure 7(b) is also 3-diverse (i.e., it contains three different values of SA in each EC.). The $t$ -closeness privacy model significantly improves the user’s privacy, but it severely reduces the utility of the released data. All of the above three privacy models are among the most famous syntactic privacy models, and many variants of these models have been proposed to resolve their limitations in the PPDP. In addition, many algorithms as an extension of these three privacy models have been proposed to combat with some specific types of threats that emerge from data sharing.

FIGURE 7.

$t$ -closeness (where $t=0.278$ ) applied to the user’s relational data with nine records.

Show All

There exist many attacks that are possible, and can be easily launched on the $T'$ . We can classify those attacks into two categories: (i) background knowledge attack, and (ii) flaws in an anonymization methods. In the former category of privacy attacks, the adversary has some known information about the target victim. For example, the QIs of an individual or some other information about existence of someone’s data in a $T'$ . The adversary uses such information to cause a privacy breach. In the latter category of privacy attacks, the flaws in an anonymization methods assist adversary in causing a privacy breach. For example, the homogeneity (i.e., no heterogeneity in SA’s values in an EC) attack of the $k$ -anonymity privacy model, skewness attack (i.e., no considerations of the SA’s values’ distribution in an EC) of the $\ell $ -diversity privacy model, and no semantic consideration (i.e., all disease information present in an EC belong to a same part/organ of a human body) in $t$ -closeness privacy model lead to explicit privacy breaches in presence of the auxiliary information. All these attacks are practical, and can be launched on a $T'$ . Hence, many improved variants of these three privacy models, and adversarial modeling based methods have been proposed to resolve these problems.

D. Differential Privacy Model

Differential privacy (DP) [18] is a well-known and mathematical definition-based privacy protection model. It is mostly used for privacy protection in an interactive settings of the PPDP. It protects the privacy of user by adding noise to the original user’s data and it does not make assumptions about the intruder scenarios. The DP belongs to the semantic class of privacy models, and it yields superior privacy protection in PPDP compared to the syntactic privacy models. Considering the effectiveness of the DP model, U.S. census Bearu is planning to use the DP in their 2020 census, and all future data products [62]. It has been reported in the literature that DP provides a mathematically provable guarantee on privacy preservation against many privacy attacks such as differencing, linkage, and reconstruction attacks. DP concept can be defined as: given a dataset $D_{1}$ , and a neighbour dataset $D_{2}$ . Both data-sets differ in one and only one record, defined as $||D_{1}|-|D_{2}|| = 1$ . In addition, a random function $F$ with a range $S$ , defined as $S \subseteq Range(F)$ , satisfies DP if \begin{equation*} Pr[F(x) \in S] \leq exp(\epsilon)Pr[F(y) \in S] + \delta \tag{1}\end{equation*} View Source\begin{equation*} Pr[F(x) \in S] \leq exp(\epsilon)Pr[F(y) \in S] + \delta \tag{1}\end{equation*} In equation 1, variable $x, y \in D_{1}, D_{2}$ ; $\epsilon $ is a parameter; $\delta $ indicates a degree of the relaxation, and the probability is taking over the randomness of function $F$ . In equation 1, if $\delta = 0$ then $F$ satisfies $\epsilon $ -differentially private. In case of the query response ($R_{s}$ ), the probability $Pr$ of DP model will be.\begin{equation*} \frac {Pr (A(D_{1})=R_{s})}{Pr (A(D_{2})=R_{s})} \leq e^{\epsilon } \tag{2}\end{equation*} View Source\begin{equation*} \frac {Pr (A(D_{1})=R_{s})}{Pr (A(D_{2})=R_{s})} \leq e^{\epsilon } \tag{2}\end{equation*} In equation 2, $A$ represents an anonymization algorithm, $\epsilon $ is a parameter, and its value is chosen by the data owners. Generally, the smaller value of $\epsilon $ is suitable for better privacy preservation in the PPDP.

In DP method, noise is added using the Laplace mechanism. DP mathematically ensures that any analyst/data-miner seeing the result of a differentially private analysis will make the same conclusion about any individual’s private information, whether or not that individual’s private information is included in the input to the analysis. The overview of the DP is presented in Figure 8. Due to the strong privacy guarantees, the DP model has been extended by many studies for further improvements.

FIGURE 8.

Functional overview of the differential privacy (DP) model used in the PPDP.

Show All

Many latest studies adopted DP concept for resolving the privacy issues in the both interactive and non-interactive settings of the PPDP. There exist numerous anonymization techniques which are ramifications of the four privacy models explained above. We summarize the approaches that extended the concepts of these four models in Table 1. We categorize the anonymization approaches into four main categories: (i) the $k$ -anonymity model and its ramifications, (ii) the $\ell $ -diversity model and its ramifications, (iii) the $t$ -closeness model and its ramifications, and (iv) the $DP$ model and its ramifications.

We compare the existing approaches with each other based on six different parameters. The abbreviation used in Table 1 are: ID = identity disclosure, AD = attribute disclosure, MD = membership disclosure, IL = information loss, Sy. & Se. = syntactic and semantic, Bk = background knowledge, CoD = curse of dimensionality, Pr. = probability, SA = sensitive attribute, MSA = multiple sensitive attribute, LA = linkage attack, DMAR = discovering and maintaining association rules, DA = data analysis, ECs = equivalence classes, GPS = global positioning system, and QIs = quasi identifiers.

Some studies have used the combinations of more than one privacy models (e.g., $k$ -anonymity and $\ell $ -diversity) to protect the user’s privacy in data publishing. Majeed et al. [104] extended the $k$ -anonymity model to effectively resolve the privacy and utility trade-off in the PPDP. The proposed scheme performs adaptive data generalization considering both the vulnerability of the QIs and the diversity of the SA to anonymize data. Jordi et al. [105] suggested that $t$ -closeness can be extended to the DP model when $t = exp(\epsilon)$ . The authors proposed a method for achieving both $t$ -closeness and DP, respectively. As a result, higher utility was retained in the anonymous data compared to the noise addition methods. Rasool et al. [106] used the $k$ -anonymity concept in the clustering process to produce anonymous data set for publishing. The proposed SBC algorithm significantly reduces information loss and retains better semantics of the original dataset. Recently, the $k$ -anonymity concept has been extended in combination with entropy concept to protect the users’ groups privacy in data publishing [107]. The proposed anonymization method effectively resolves the users’ groups privacy issues stemming from the low diverse ECs, and highly susceptible QIs present in a person-specific dataset.

E. Metrics Used for the Evaluation of Privacy and Utility of Relational Data Anonymization Techniques

F. Privacy Preserving Dynamic Data Publication

Privacy preserving dynamic data publication (PPDDP) allows organizations to publish a dataset multiple times. PPDDP enables organizations to share up-to-date data with multiple recipients statically or after some modifications (i.e., update, delete or insert). In contrast, privacy preserving static data publication (PPSDP) focused only on one time publication of a dataset, and many approaches have been proposed for the PPSDP in literature [12], [59], [60]. Meanwhile, PPDDP opens a new era in PPDP research, and many organizations are publishing their users data dynamically. Kabou et al. [108] presented a comprehensive survey about the PPDDP, and summarized different studies used for the PPDDP. Shi et al. [109] presented a method for PPDDP using distance and information entropy concepts. The proposed method ensures that individual privacy is preserved after the data has been subjected to multiple releases. The $m$ -invariance privacy model [110] was proposed to limit the risk of privacy disclosure in data re-publication. The proposed approach jointly uses the $m$ -invariance and counterfeited generalization concepts to solve the PPDDP problem. Anjum et al. [111] proposed a $\tau $ -safety privacy model for the PPDDP. The proposed approach performs better in the presence of external and internal updates. Zhu et al. [112] proposed a $\tau $ -safe $(\ell, k)$ -diversity privacy model for sequential publication. The proposed privacy model guarantees that each record’s signatures/values keep consistency or have no intersection in all data releases. This model can be applied to the data in which individual has multiple records. The proposed algorithm performs better compared to the $m$ -invariance and $\tau $ -safety privacy models. Considering the widespread applications/uses of the privacy preserved published data, the PPDDP has become an emerging area of research in recent years.

G. Challenges in the Relational Data Anonymization

The representation of tabular data is relatively simpler than the SN data. In relational data, each row/tuple represents one real world entity/individual. We identify following five challenges that make the relational data anonymization challenging. First, selection of the user’s attributes that are regarded as QIs. In relational data, a small subset of the users’ attributes are chosen as QIs. However, some QIs can behave as SA (i.e., profession) in practice. Thus, appropriate selection of QIs prior to data sanitization is imperative. Second, over reliance on the custom made QI’s values generalization taxonomies. The relational anonymization is performed with the help of pre-defined taxonomies of the QIs. Meanwhile, these taxonomies do not truly reflect the privacy and utility trade-off. Thus, devising the appropriate taxonomies with in-depth analysis of QI’s domain values in relational anonymization is challenging. Third, tabular data anonymization in multiple SAs (MSAs) scenarios. In some cases, the tabular data contains multiple SAs about individuals. Anonymizing the tabular data having MSAs is harder compared to the single SA scenarios due to the high risk of user’s private information disclosures. Fourth, quantifying the impact of QIs on both user’s privacy and anonymous data utility. Since each QI affects the privacy and utility differently, and some QIs can be highly vulnerable in terms of privacy and some QIs have higher utility. Thus, quantifying each QI’s statistics related to privacy and utility is very challenging in the PPDP. Fifth, accurate estimation of the subjects’ re-identification risk. The existing PPDP methods often assume worst-case scenarios regarding attackers, and apply heavy changes in the data that impact the shared data utility and often limit data sharing on a wider scale. Thus, accurate and novel adversarial modeling methods are needed to support PPDP in big data era. Aside from the five potential challenge explained above, in some cases, an adversary can possibly link the whole published dataset (e.g., $T'$ ) by leveraging the auxiliary information [113]. Hence, devising algorithms/method which can estimate the users’ privacy disclosure risk as accurate as possible during published data analytics is a vibrant area of research.

A. Metrics Used for the Evaluation of Privacy and Utility of Structural Anonymization Techniques

B. De-Anonymization Methods Employed By the Adversaries to Jeopardize Users Privacy in SN Published Data

Due to the phenomenal growth in SNs adoption around the globe, the SN data has become more reliable for conducting research and achieving multiple business/scientific objectives. The data-miners and analysts can extract the enormous amount of information embedded in the published $G'$ . Aside from collecting the relevant information regarding some custom rules or desired communities from the published graph, the data-miners try to reveal true identities/private-information of the users for fulfilling multiple hidden objectives such as personalized service recommendation, user’s profiling, and preference based digital contents selling. Interestingly, in some cases, the embedded knowledge extraction enables firms to be competitive in the market for long-run. Due to increase in information surges, availability of the various SNs, maturity of the machine learning and data mining tools, advancement in computing technologies, and attacker capabilities have made the personal information retrieval much easier. Due to the public access of the SNs and lack of user’s awareness about the online privacy, the protection of privacy on the SN sites is very challenging. Therefore, it has become an active area of research in recent years. Adversaries are not only able to get multiple users information but also they can re-identify people uniquely with the help of multiple auxiliary sources. There exist several de-anonymization approaches in literature that were employed on the published graphs to infer the true identity or SA of the SN users. For instance, Azizy et al. [169] summarized and classified various de-anonymization approaches used by the adversaries. We summarize the recent de-anonymization approaches with examples in Figure 15.

FIGURE 15.

Description about de-anonymization approaches used by the malevolent adversaries for privacy breaches.

Show All

Aside from the de-anonymization approaches explained above, Beigi et al. [170] summarized various seed-based and seed-free de-anonymization methods employed by the adversaries for privacy breaches in published SN data. Authors provided a detailed overview of latest SN data anonymization and de-anonymization approaches, and theoretical analysis about the graph’s de-anonymization. In addition, various user’s attributes inference methods have been reported by the authors with examples. Apart from the de-anonymization approaches explained in Figure 15 and previous studies, we summarize the key items that enable unique identifications of an individual/groups or SA disclosures from the privacy preserved graph data publishing in Table 5.

TABLE 5 Description About the Key Items That are Exploited by the Adversaries to Breach User’s Privacy

These items are usually exploited by the adversaries to jeopardize user’s privacy in SN published data to infer/predict true identities of users or their SAs. Each item assists in compromising an individual or community privacy when exploited by the adversaries. Various approaches based on these items/features have been proposed to compromise people’s privacy by leveraging the single or multiple SNs’ data (a.k.a across SNs). Drawing on the reviewed graph de-anonymization techniques, majority of the techniques enable adversaries to compromise users’ privacy successfully.

The privacy items and corresponding de-anonymization methods summarized in Table 5 pose serious threats to the SN user’s privacy in the PPGP. Apart from the well-known methods summarized above, the user’s privacy can also be breached through the information acquisition about the changing interest of a user overtime and predictions about the user’s private information through side channels of various types (i.e., interests). Recently, due to availability of the excessive amount of auxiliary information and advanced data mining tools, the scale and the scope of privacy breaches is expanding from an individual identification or SA disclosure to groups identity theft for achieving multiple scientific and business objectives, and identifying communities in SNs having common characteristics or common interests for accurate recommendations.

Furthermore, when a group of SN users form an online community, the SN service providers have access to more information including political viewpoints, preferences, relationship status or financial status because a user often readily shares more about him or herself in an online community. Accordingly, this goldmine of data when shared with the data-miners can lead to privacy breaches. In addition, social connection information prediction about a user with advanced data mining tools, and identifying an individual and users groups by contents analysis and activities has become serious challenge for SN service providers [122]. Hence, SNs users data sharing can endanger user’s privacy in unexpected ways, and researchers are devising many domain and attacks specific, and general PPGP methods to combat with this uprising social problem (e.g., safeguarding SN users privacy).

C. Structural Anonymization Approaches Used for Application-Specific Scenarios in SN Data Publishing

In Table 4, we summarized the generic structural anonymization approaches used in the PPGP. In this subsection, we summarize the recent structural anonymization approaches used in application-specific scenarios of SN data publishing. These scenarios include, anonymization approaches for friends recommendation, community clustering/detection, collaborative filtering, topic modelling, and SN’s users behavior analysis etc. Aside from the structural modifications in graphs, the anonymization approaches used in application-specific scenarios also consider the features of the applications for which the data is being anonymized. For example, Xu et al. [29] proposed a framework for discovering the privacy-preserved communities in the SNs. The proposed framework enables the formation/detection of different communities without revealing sensitive link information. In this work, we summarize the state-of-the art structural anonymization approaches used in application-specific scenarios of the SN in Table 6. The anonymization approaches summarized in Table 6 consider the features of the related application during anonymization process. Furthermore, some approaches have been used for multiple/heterogeneous applications due to overlapped properties/characteristics between them.

TABLE 6 Description About the Anonymization Approaches Used in SN Application-Specific Scenarios

Recently, due to the phenomenal growth in opportunities offered by SNs data, researches have turned their attention to devise new and realistic anonymization methods leveraging advanced artificial intelligence (AI) techniques. Li et al. [226] designed a deep learning (DL) model that combines multiple factors such as attribute information, graph structure, and behaviour characteristics while avoiding tedious calculation procedures to measure the privacy in SNs. The proposed model considers the deep relationship between all three factors (user attributes information, graph structure, and behaviour characteristics) to accurately obtain the privacy score.

Alemany et al. [227] devised two metrics (Audience and Reachability) for assessment of privacy in information sharing scenario in the SNs. The authors performed rigorous simulations in different SN topologies and considering different layers, and concluded that network topology in SNs has a direct effect on the outreach of the information. Pensa et al. [228] described a knowledge-driven approach for enhancing privacy awareness in SNs. The proposed approach has ability to measure the privacy risk of the users and inform them whenever their privacy is breached or at risk. Also, it helps the exposed users to customize their privacy level semi-automatically by limiting the number of manual operations. Li et al. [229] suggested that private information in the SNs sites is time-sensitive, which means that information held by the users who are no longer in the same environment/place as the target user may no longer be reliable/true and have lost its value. The authors combined behavioral characteristics and structural similarity to accurately filter the user groups who hold the current private information of a target user for measuring a user’s privacy status. Ruggero et al. [230] suggested that user’s privacy in SNs can be influenced by many external factors (e.g., the position of the user within the social graph, the relative risk of the network). To solve this problem, the authors devised a network-aware privacy score metric that accurately measure the user’s privacy risk according to the characteristics of the network (i.e., $G$ ).

A semi-supervised framework based on structural embedding for account correlation was proposed by Zhou et al. [231]. It learns the latent and structural semantics for accounts correlation between networks. It correlates accounts with high accuracy by leveraging the semantic information among accounts through random walks approach. Furthermore, the user’s identity disclosure/matches problems with limited profile items have also been reported in the literature [232], [233]. In recent years, federated learning (FL) based privacy preserving approaches have been proposed for anonymous data publishing with legitimate third-parties [234]–​[238]. Furthermore, many anonymization approaches have been proposed to preserve the users’ privacy in sequential publication of the SNs data [239]–​[241].

D. Challenges in Social Network Data Anonymization

SN data is usually represented as a graph, and structural anonymization approach is applied to sanitize it before releasing with data-miners. Anonymizing SN data is much more challenging compared to tabular data due to complex structure and variety of information embedded in graphs about the entities (i.e., users). The three well-known challenges related to SN data anonymization are, (i) modeling background knowledge (BK) of the adversaries (in SNs, the appropriate modeling of the adversaries’ BK is harder compared to the tabular data because adversaries can have access to the multiple pieces of information about an individual, and he/she can re-identify target individual from the $G'$ by leveraging the BK.), (ii) devising a new structural anonymization method (devising a new anonymization method for SN data is very hard compared to the tabular data due to the structural dependence of entities on each other. In SN, a slight modification in the graph structure can affect the whole network. Hence, the adhoc solutions based on ”divide and conquer” approach cannot be directly applied on the SN data), and (iii) quantifying the utility of the anonymous graph (in SN data, measuring the usefulness offered by an anonymous graph is not straightforward. The differences in $G$ and $G'$ properties are difficult to quantify. In addition, by adding new edges and vertices to increase privacy protection can often lead to excessive information loss in the PPGP.). Aside from the three key challenges explained above, the structural anonymization of massively large scale graphs involving many entities data is very challenging. Furthermore, in SN, amount and variety of data collected about entities increase exponentially with the passage of time. Thus, devising new structural anonymization approaches to solve these problems from both practical and theoretical perspectives have become imperative while benefiting from the SNs users data.